Drive it Like you Hacked it
7/21/2019 Drive it Like you Hacked it
http://slidepdf.com/reader/full/drive-it-like-you-hacked-it 1/71
DRIVE IT LIKE
YOU HACKED IT
DEFCON 23 [2015]
@SamyKamkar
http://samy.pl
Security Researcher
SkyJack
Combo Breaker
MySpace Worm
KeySweeper
evercookie
OwnStar
OpenSesame
ProxyGambit
pwnat
USBdriveby
Other Works
- Charlie Miller & Chris Valasek
- 2010: UCSD/UW Research (CD player, Bluetooth, etc)
- Relay Attacks (Amplification) on PKES
- Tesla talk later today!
- Cryptographic attacks on KeeLoq
- HiTag2 Immobilizer Disabling
- OpenGarages
- iamthecavalry
- Lots of others…
Thanks EFF!
use fcc.io, thanks Dominic Spill!
HackRF One from Michael Ossmann
- 1 MHz - 6 GHz
- half-duplex transceiver
- raw I/Q samples
- open source software / hardware
- GNU Radio, SDR#, more
- dope as shit
Replay Attack w/HackRF
- hackrf_transfer -r 390_data.raw -f 390000000 # listen
- hackrf_transfer -t 390_data.raw -f 390000000 # transmit
- # profit
- Don’t need baud rate
- Don’t need modulation/demodulation
- Can be within 20 MHz
- Can act as a “raw” code grabber/replayer…but it’s more interesting than that.
RTL-SDR
- 24 - 1766 MHz
- raw I/Q samples
- RX only
- RTL2832U
GNU Radio
(the stick shift of SDR)
GQRX
- waterfall views
- demodulation
- save to WAV
- pretty
- Linux & OS X only
SDR#
- Works on Windows
- Sorta kinda on OS X
rtl_fm
- terminal based
- quick and easy
- demodulates
Test Report
Modulation Schemes
- ASK (OOK)
- 2FSK
ASK (OOK) 10-bit garage code: 1 1 0 1 0 1 0 0 0 0
Fixed Code Garages
- 8 - 12 bit code
- ~2ms per bit + ~2ms delay
- 5 signals per transmission
(((2 ** 12)*12) + ((2 ** 11)*11) + ((2 ** 10)*10) + ((2 ** 9)*9) + ((2 ** 8)*8)) = 88576 bits
88576 bits * (2ms signal + 2ms delay) * 5 transmissions = 1771520ms = 1771 secs = 29.5 minutes
1771 secs / 5 = 354.2 secs = 6 mins
Thanks Mike Ryan! (Saturday, 3pm, Track Two: Hacking Electric Skateboards, Mike Ryan & Richo Healey)
354.2 secs / 2 = 177 secs = 3 mins
Where does one code end and the other begin?
Bit shift register?
Bit Shift Register
Code only clears one bit at a time while pulling in next bit.
A 13 bit code tests two different 12 bit codes!
Example from the figure: the 13-bit code 1000000000001 contains the 12-bit windows 100000000000 and 000000000001.
De Bruijn Sequence
00110 (5 bits) tests all 4 different 2-bit sequences (00, 01, 11, 10) instead of 8 bits total (00011110).
De Bruijn Sequence
((2 ** 12) + 11) * 4ms / 2 = 8214ms = 8.214 seconds
for every 8 to 12 bit garage code
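The following Python is an added illustration, not code from the talk: it reproduces the arithmetic of the "Fixed Code Garages" and De Bruijn slides above and checks the shift-register claim that one linear De Bruijn sequence of order 12 presents a receiver with every 8- to 12-bit code. The 2 ms bit time, 2 ms gap and 5 repeats are taken from the slides; `de_bruijn` is the standard recursive generator, and the function names are my own.

```python
# Timing assumptions copied from the "Fixed Code Garages" slide above.
BIT_MS = 2        # ~2 ms per bit
GAP_MS = 2        # ~2 ms delay after each bit
REPEATS = 5       # signals per transmission
MIN_BITS, MAX_BITS = 8, 12

def naive_bits():
    """Bits sent if every 8..12-bit code is transmitted on its own: sum of 2**n * n."""
    return sum((2 ** n) * n for n in range(MIN_BITS, MAX_BITS + 1))

def naive_seconds():
    """Wall-clock time of that naive search with the slide's timing and 5 repeats."""
    return naive_bits() * (BIT_MS + GAP_MS) * REPEATS / 1000

def de_bruijn(k, n):
    """Cyclic De Bruijn sequence B(k, n): every length-n word over k symbols appears once."""
    a = [0] * (k * n)
    seq = []
    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)
    db(1, 1)
    return "".join(str(s) for s in seq)

def linear_de_bruijn(n):
    """Unroll the cycle by appending its first n-1 bits: length 2**n + n - 1 (4096 + 11 for n=12)."""
    s = de_bruijn(2, n)
    return s + s[:n - 1]

def de_bruijn_seconds(n=MAX_BITS):
    """Slide formula ((2 ** 12) + 11) * 4ms / 2: one pass, 2 ms per bit, no repeats."""
    return len(linear_de_bruijn(n)) * BIT_MS / 1000

def covers_all_codes(stream, n):
    """A shift-register receiver sees every n-bit window; True if each of the 2**n codes occurs."""
    windows = {stream[i:i + n] for i in range(len(stream) - n + 1)}
    return len(windows) == 2 ** n

if __name__ == "__main__":
    stream = linear_de_bruijn(MAX_BITS)
    print(naive_bits(), naive_seconds(), len(stream), de_bruijn_seconds())  # 88576 1771.52 4107 8.214
```

Because every shorter code is a prefix of some 12-bit window, `covers_all_codes(stream, n)` is True for all n from 8 to 12, which is the "for every 8 to 12 bit garage code" claim.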
Yard Stick One by Michael Ossmann
- TI CC1111 chipset
rfcat by atlas (Friday, 5pm, Track Two: Fun with Symboliks)
#ImAnEngineer
Mattel IM-ME
Previously hacked by: Dave, Michael Ossmann, Travis Goodspeed
Hacker Barbie
- TI CC1101 chipset
- sub-GHz transceiver
- screen, backlight, keyboard, stylish
GoodFET by Travis Goodspeed
open source JTAG adapter / universal serial bus interface
OpenSesame
based on Michael Ossmann’s opensesame ASK transmitter
https://github.com/mossmann/im-me/tree/master/garage
Lessons
- Don’t use a ridiculously small key space (duh)
- Require a preamble/sync word for beginning of each key
- Use rolling codes…
RemoteLink Login
RemoteLink Login (base64 decoded)
SSL MITMA
- Raspberry Pi
- FONA GSM board
- mallory (SSL MITMA)
- dns spoofing (api.gm.com)
- iptables
- Alfa AWUS036h
- Edimax Wifi dongle
- pre-paid SIM card
802.11 Probe Requests
OwnStar
Lessons
- Validate certificates from CA
- Better yet, use certificate pinning and ignore CAs altogether
- Hash password with random salt on authentication (challenge-response)
- Always assume you’re on a hostile network
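As an added example (not the talk's code, nor GM's or RemoteLink's), here is the salted challenge-response the third lesson calls for, in standard-library Python: the server stores only a salted PBKDF2 verifier, issues a single-use random nonce, and checks an HMAC over it, so an observer on a hostile network who captures the exchange gets neither the password nor anything replayable. `Server`, `client_response` and the `b"correct horse"` credential are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

def make_verifier(password, salt):
    """Slow salted hash; this is what the service stores instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

class Server:
    """Issues single-use nonces and checks HMAC responses; never sees the password itself."""

    def __init__(self, password):
        self.salt = os.urandom(16)
        self.verifier = make_verifier(password, self.salt)
        self.outstanding = set()          # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return self.salt, nonce

    def verify(self, nonce, response):
        if nonce not in self.outstanding:
            return False                  # unknown or already used: treat as a replay
        self.outstanding.discard(nonce)   # single use, whatever the outcome
        expected = hmac.new(self.verifier, nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)

def client_response(password, salt, nonce):
    """The client proves knowledge of the password without putting it on the wire."""
    return hmac.new(make_verifier(password, salt), nonce, "sha256").digest()

def demo():
    srv = Server(b"correct horse")                 # constructed demo credential
    salt, nonce = srv.challenge()
    resp = client_response(b"correct horse", salt, nonce)
    first = srv.verify(nonce, resp)                # genuine login
    replay = srv.verify(nonce, resp)               # the same capture presented again
    salt2, nonce2 = srv.challenge()
    wrong = srv.verify(nonce2, client_response(b"wrong horse", salt2, nonce2))
    return {"first": first, "replay": replay, "wrong_password": wrong}

if __name__ == "__main__":
    print(demo())   # {'first': True, 'replay': False, 'wrong_password': False}
```

Whoever holds `verifier` can answer challenges, so it must stay server-side (a PAKE such as SRP removes even that exposure); pinning the server certificate, as the second lesson says, is what keeps a man-in-the-middle from issuing the challenge in the first place.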
BAD TO THE PWN
Key Fobs & Rolling Codes
National Semiconductor “High Security Rolling Code” chip
Thanks Michael Ossmann for helping decipher this!
Rolling Codes
- PRNG in key and car
- Synced seed + counter
- Hit button, key sends code
- Hit button again, key sends next code
- If Eve replays the code, car rejects it because already used
- Should be difficult to predict
- Prevents replay attacks
Replaying Rolling Codes
- Capture signal while remote out of range from vehicle/garage
- Replay later
- This is lame since we have to have access to the key, and it has to be far from the car
We’re Jammin
Jam + Listen, Replay
- Jam at slightly deviated frequency
- Receive at frequency with tight receive filter bandwidth to evade jamming
- User presses key but car can’t read signal due to jamming
- Once we have code, we stop jamming and can replay
- But…once user does get a keypress in, new code invalidates our code!
[Figure: car’s receive window vs. jamming signal vs. my receive window]
Jam+Listen(1), Jam+Listen(2), Replay (1)
- Jam at slightly deviated frequency
- Receive at frequency with tight receive filter bandwidth to evade jamming
- User presses key but car can’t read signal due to jamming
- User presses key again — you now have two rolling codes
- Replay first code so user gets into car, we still have second code
[Figure: car’s receive window vs. jamming signal vs. my receive window]

FIGURE 4. Normal Data Frame Configuration
Preamble Field: 0/11 bits
Sync Field: 0/8 bits
Key ID Field: 0/20/24 bits
Data Field: 4 bits
Dynamic Code: 24/36 bits
Parity Field: 0/8 bits
Stop Bit: 1 bit
Protocol Abuse
DYNAMIC CODE FIELD
The dynamic code field is transmitted with every frame, and its length is programmable. If DynSize = 0, a 24-bit field is sent; if DynSize = 1, a 36-bit field is sent. Its function is to provide a secure dynamic code which changes with each new transmission. The field is the result of combining the
The primary use of the data field is to indicate which key switch has been pressed. Since each key switch input can be associated with a particular application, the decoder can determine which function to initiate.
RollJam (I’m bad at names)
- Teensy 3.1
- CC1101
Lessons
- Encrypt/hash the button/action
- HMAC to prevent bit flipping if encrypted
- Use time-based algorithm (e.g. RSA SecurID [20 years old], “Dual KeeLoq” does this as of 2014)
- OR challenge/response via transceivers instead of one-way communication
- Many vehicles have keys that RX+TX yet the remote unlock signal is still one-way and not timing based
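As an added example (not the talk's RollJam code or any vendor's protocol), this Python sketches a receiver that applies the first three lessons: an HMAC over counter, button and a 30-second time slot, checked against a bounded counter window, so a replayed frame, a frame with its button bits flipped, and a frame captured in an earlier time slot are all rejected. `KEY`, `WINDOW`, `SLOT_SECONDS` and the 13-byte frame layout are assumptions made for the demo.

```python
import hashlib
import hmac
import struct

KEY = bytes(range(16))   # constructed demo secret; a real fob/car pair shares its own
WINDOW = 16              # counters accepted ahead of the last seen one (fob pressed out of range)
SLOT_SECONDS = 30        # time slot mixed into the MAC so a captured frame goes stale

def _tag(key, counter, button, slot):
    """64-bit truncated HMAC over counter, button and time slot (the slot is derived, never sent)."""
    body = struct.pack(">IBQ", counter, button, slot)
    return hmac.new(key, body, hashlib.sha256).digest()[:8]

def make_frame(key, counter, button, now):
    """Fob side: frame = counter (4 bytes) || button (1 byte) || tag (8 bytes)."""
    return struct.pack(">IB", counter, button) + _tag(key, counter, button, now // SLOT_SECONDS)

class Receiver:
    """Car side: rejects replays by counter, bit flips by MAC, and stale captures by time slot."""

    def __init__(self, key):
        self.key = key
        self.last_counter = -1

    def accept(self, frame, now):
        """Return the authenticated button code, or None if the frame is rejected."""
        if len(frame) != 13:
            return None
        counter, button = struct.unpack(">IB", frame[:5])
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return None                                   # replayed, old, or too far ahead
        slot = now // SLOT_SECONDS
        for candidate in (slot, slot - 1):                # tolerate one slot of clock skew
            if hmac.compare_digest(_tag(self.key, counter, button, candidate), frame[5:]):
                self.last_counter = counter               # only advance on a valid frame
                return button
        return None

if __name__ == "__main__":
    car = Receiver(KEY)
    frame = make_frame(KEY, 1, 0x02, 1000)                    # button 0x02 sent at t=1000 s
    print(car.accept(frame, 1005), car.accept(frame, 1006))   # 2 None (second is a replay)
```

The time slot only bounds how long a frame captured while the car was jammed stays usable; inside the slot the counter check alone decides, which is why the fourth lesson prefers two-way challenge/response.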
Thank You !!!
YOU!
EFF
Michael Ossmann
Travis Goodspeed
Andy Greenberg
atlas of d00m
My mom
Defcon
TI
#hackrf #ubertooth
Charlie Miller
Chris Valasek
Mike Ryan
Andrew Crocker
Nate Cardozo
Kurt Opsahl
@SamyKamkar http://samy.pl
http://samy.pl/youtube