Drive it Like you Hacked it
Transcript of Drive it Like you Hacked it
![Page 1: Drive it Like you Hacked it](https://reader034.fdocuments.us/reader034/viewer/2022050700/5695d0c91a28ab9b0293dde6/html5/thumbnails/1.jpg)
7/21/2019 Drive it Like you Hacked it
http://slidepdf.com/reader/full/drive-it-like-you-hacked-it 1/71
DRIVE IT LIKE
YOU HACKED IT
DEFCON 23 [2015]
@SamyKamkar
http://samy.pl
Security Researcher
SkyJack
Combo Breaker
MySpace Worm
KeySweeper
evercookie
OwnStar
OpenSesame
ProxyGambit
pwnat
USBdriveby
Other Works
! Charlie Miller & Chris Valasek
! 2010: UCSD/UW Research (CD player, Bluetooth, etc)
! Relay Attacks (Amplification) on PKES
! Tesla talk later today!
! Cryptographic attacks on KeeLoq
! HiTag2 Immobilizer Disabling
! OpenGarages
! iamthecavalry
! Lots of others…
Thanks EFF!
use fcc.io, thanks Dominic Spill!
HackRF One from Michael Ossmann
1 MHz - 6 GHz
half-duplex transceiver
raw I/Q samples
open source software / hardware
GNU Radio, SDR#, more
dope as shit
Replay Attack w/HackRF
! hackrf_transfer -r 390_data.raw -f 390000000 # listen
! hackrf_transfer -t 390_data.raw -f 390000000 # transmit
! # profit
! Don’t need baud rate
! Don’t need modulation/demodulation
! Can be within 20MHz
! Can act as a “raw” code grabber/replayer…but it’s more interesting than that.
RTL-SDR
24 - 1766 MHz
raw I/Q samples
RX only
RTL2832U
GNU Radio
(the stick shift of SDR)
GQRX
waterfall views, demodulation, save to WAV, pretty
Linux & OS X only
SDR# Works on Windows
Sorta kinda on OS X
rtl_fm
terminal based
quick and easy
demodulates
Test Report
Modulation Schemes
ASK (OOK)
2FSK
ASK (OOK) 10-bit Garage
1 1 0 1 0 1 0 0 0 0
Fixed Code Garages
8 - 12 bit code
~2ms per bit + ~2ms delay
5 signals per transmission
(((2 ** 12)*12) + ((2 ** 11)*11) + ((2 ** 10)*10) + ((2 ** 9)*9) + ((2 ** 8)*8)) = 88576 bits
88576 bits * (2ms signal + 2ms delay) * 5 transmissions = 1771520ms = 1771 secs = 29.5 minutes
1 1 0 1 0 1 0 0 0 0
1771 secs / 5 = 354.2 secs ≈ 6 mins
Thanks Mike Ryan!
Hacking Electric Skateboards: Mike Ryan & Richo Healey, Saturday, 3pm, Track Two
354.2 secs / 2 = 177 secs ≈ 3 mins
Where does one code end and the other begin?
Bit shift register?
Bit Shift Register
Code only clears one bit at a time while pulling in next bit
A 13 bit code tests two different 12 bit codes!
10000000000011000000000001000000000001
De Bruijn Sequence
0011000110
vs 00011110
00110 (5 bits) tests all 4 different 2-bit sequences instead of 8 bits total
De Bruijn Sequence
((2 ** 12) + 11) * 4ms / 2 = 8214ms = 8.214 seconds
For every 8 to 12 bit garage code
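The arithmetic on the fixed-code slides above, as an added example (my code, not the talk's and not OpenSesame's): it reproduces the slide's cost figures and checks the coverage claim behind them, which is the quantitative case for the Lessons slide's larger key space and sync word. Timing constants follow the slide's estimates, and the final factor of two is copied from the slide rather than derived.

```python
"""Keyspace arithmetic behind the fixed-code garage slides: the naive
brute-force cost, the De Bruijn cost, and a check that one linearized
B(2, n) sequence covers every n-bit and shorter code as a shift-register
receiver would see it. Timing constants are the slide's own estimates."""

BIT_MS = 2      # ~2 ms of signal per bit (slide estimate)
DELAY_MS = 2    # ~2 ms gap per bit (slide estimate)
REPEATS = 5     # a fixed-code remote sends each code 5 times


def naive_bits(lo=8, hi=12):
    """Bits sent if every code of every length is tried on its own:
    sum(2**n * n) for n = lo..hi; 88576 for 8..12 as on the slide."""
    return sum((2 ** n) * n for n in range(lo, hi + 1))


def naive_ms(lo=8, hi=12):
    """Slide: 88576 bits * (2 ms + 2 ms) * 5 transmissions = 1771520 ms."""
    return naive_bits(lo, hi) * (BIT_MS + DELAY_MS) * REPEATS


def de_bruijn(n):
    """Cyclic binary De Bruijn sequence B(2, n) via the classic FKM
    (Lyndon-word) construction: 2**n bits in which every n-bit string
    appears exactly once as a cyclic window."""
    a = [0] * (2 * n)
    out = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, 2):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(map(str, out))


def linearized(n):
    """Non-cyclic form: 2**n + (n - 1) bits (the slide's 2**12 + 11),
    so a receiver shifting one bit at a time still sees every window."""
    cyc = de_bruijn(n)
    return cyc + cyc[:n - 1]


def covers_all(seq, n):
    """True if every one of the 2**n n-bit strings is a window of seq.
    The slide's shift-register point: B(2, 12) also covers 8..11 bits."""
    return len({seq[i:i + n] for i in range(len(seq) - n + 1)}) == 2 ** n


def de_bruijn_ms(n=12):
    """Slide: ((2**12) + 11) * 4 ms / 2 = 8214 ms. The halving is
    reproduced from the slide (credited there to Mike Ryan), not derived."""
    return len(linearized(n)) * (BIT_MS + DELAY_MS) // 2


if __name__ == "__main__":
    print("naive brute force:", naive_ms() / 1000, "s")        # 1771.52
    print("one De Bruijn pass:", de_bruijn_ms() / 1000, "s")  # 8.214
    print("00110 covers every 2-bit code:", covers_all(linearized(2), 2))
```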
Yard Stick One by Michael Ossmann
TI CC1111 chipset
rfcat by atlas
Fun with Symboliks: atlas, Friday, 5pm, Track Two
#ImAnEngineer
Mattel IM-ME
Previously hacked by: Dave, Michael Ossmann, Travis Goodspeed
Hacker Barbie
TI CC1101 chipset
sub-GHz transceiver
screen, backlight, keyboard, stylish
GoodFET by Travis Goodspeed
open source JTAG adapter / universal serial bus interface
OpenSesame
based off of Michael Ossmann’s opensesame ASK transmitter
https://github.com/mossmann/im-me/tree/master/garage
Lessons
! Don’t use a ridiculously small key space (duh)
! Require a preamble/sync word for beginning of each key
! Use rolling codes…
RemoteLink Login
RemoteLink Login (base64 decoded)
SSL MITMA
! Raspberry Pi
! FONA GSM board
! mallory (SSL MITMA)
! dns spoofing (api.gm.com)
! iptables
! Alfa AWUS036h
! Edimax Wifi dongle
! pre-paid SIM card
802.11 Probe Requests
OwnStar
Lessons
! Validate certificates from CA
! Better yet, use certificate pinning and ignore CAs altogether
! Hash password with random salt on authentication (challenge-response)
! Always assume you’re on a hostile network
BAD TO THE PWN
Key Fobs &
Rolling Codes
National Semiconductor “High Security Rolling Code” chip
Thanks Michael Ossmann for helping decipher this!
Rolling Codes
! PRNG in key and car
! Synced seed + counter
! Hit button, key sends code
! Hit button again, key sends next code
! If Eve replays the code, car rejects it because already used
! Should be difficult to predict
! Prevents replay attacks
Replaying Rolling Codes
! Capture signal while remote out of range from vehicle/garage
! Replay later
! This is lame since we have to have access to the key, and it has to be far from the car
We’re Jammin
Jam + Listen, Replay
! Jam at slightly deviated frequency
! Receive at frequency with tight receive filter bandwidth to evade jamming
! User presses key but car can’t read signal due to jamming
! Once we have code, we stop jamming and can replay
! But…once user does get a keypress in, new code invalidates our code!
(Figure: car’s receive window, jamming signal, my receive window)
Jam+Listen(1), Jam+Listen(2), Replay (1)
! Jam at slightly deviated frequency
! Receive at frequency with tight receive filter bandwidth to evade jamming
! User presses key but car can’t read signal due to jamming
! User presses key again — you now have two rolling codes
! Replay first code so user gets into car, we still have second code
(Figure: car’s receive window, jamming signal, my receive window)
FIGURE 4. Normal Data Frame Configuration
Preamble Field: 0/11 bits
Sync Field: 0/8 bits
Key ID Field: 0/20/24 bits
Data Field: 4 bits
Dynamic Code Field: 24/36 bits
Parity Field: 0/8 bits
Stop Bit: 1 bit
Protocol Abuse
DYNAMIC CODE FIELD
The dynamic code field is transmitted with every frame, and its length is programmable. If DynSize = 0, a 24-bit field is sent; if DynSize = 1, a 36-bit field is sent. Its function is to provide a secure dynamic code which changes with each new transmission. The field is the result of combining the
The primary use of the data field is to indicate which key switch has been pressed. Since each key switch input can be associated with a particular application, the decoder can determine which function to initiate.
Teensy 3.1
CC1101
RollJam
(I’m bad at names)
Lessons
! Encrypt/hash the button/action
! HMAC to prevent bit flipping if encrypted
! Use time-based algorithm (e.g. RSA SecurID [20 years old], “Dual KeeLoq” does this as of 2014)
! OR challenge/response via transceivers instead of one-way communication
! Many vehicles have keys that RX+TX yet the remote unlock signal is still one-way and not timing based
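One way to build the receiver the Lessons slide asks for, as an added example (my sketch, not RollJam and not the National chip's protocol): an HMAC over counter and button, bound to a coarse time slot so a code held back after jamming expires, plus a sliding counter window. The frame layout, constants, key and timestamps are invented for the demo.

```python
"""Receiver-side sketch of the rolling-code 'Lessons' slide: HMAC over
counter and button, bound to a coarse time slot, with a sliding counter
window. Invented frame layout and constructed key; not any real fob."""
import hashlib
import hmac
import struct

SLOT_SECONDS = 30    # a code is only honoured within ~this many seconds
SLOT_SKEW = 1        # tolerate +/- one slot of fob/car clock drift
COUNTER_WINDOW = 16  # accept up to 16 missed presses, never a reused one
MAC_LEN = 8          # truncated HMAC-SHA256 tag sent over the air
BUTTONS = {"lock": 1, "unlock": 2, "trunk": 3}
NAMES = {v: k for k, v in BUTTONS.items()}
DEMO_KEY = bytes(range(16))  # constructed shared secret, fob <-> car


def tag(key, counter, button_id, slot):
    """MAC covers counter, button AND time slot: flipping the button bits
    or holding a captured code past its slot both invalidate it."""
    msg = struct.pack(">IBQ", counter, button_id, slot)
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class Fob:
    def __init__(self, key):
        self.key, self.counter = key, 0

    def press(self, button, now):
        """One press -> one frame: counter(4) | button(1) | tag(8)."""
        self.counter += 1
        bid, slot = BUTTONS[button], now // SLOT_SECONDS
        return struct.pack(">IB", self.counter, bid) + tag(
            self.key, self.counter, bid, slot)


class Car:
    def __init__(self, key):
        self.key, self.last_counter = key, 0

    def receive(self, frame, now):
        """Returns 'ok:<button>' or the reason the frame was refused."""
        if len(frame) != 5 + MAC_LEN:
            return "malformed"
        counter, bid = struct.unpack(">IB", frame[:5])
        cur = now // SLOT_SECONDS
        # Try every slot inside the drift window; a stale code matches none.
        if not any(hmac.compare_digest(frame[5:], tag(self.key, counter, bid, s))
                   for s in range(cur - SLOT_SKEW, cur + SLOT_SKEW + 1)):
            return "mac"
        if counter <= self.last_counter:
            return "replay"   # already consumed (plain rolling-code check)
        if counter > self.last_counter + COUNTER_WINDOW:
            return "window"   # too far ahead: resync instead of acting
        self.last_counter = counter
        return "ok:" + NAMES[bid]


def demo():
    """The slide's scenarios with constructed timestamps (seconds)."""
    fob, car = Fob(DEMO_KEY), Car(DEMO_KEY)
    out = []
    f1 = fob.press("unlock", 1000)
    out.append(car.receive(f1, 1000))      # honest press
    out.append(car.receive(f1, 1001))      # straight replay
    # Two presses the car never hears: first forwarded at once, second held back ten minutes (jam-and-replay slide).
    f2, f3 = fob.press("unlock", 2000), fob.press("unlock", 2001)
    out.append(car.receive(f2, 2002))      # forwarded promptly: accepted
    out.append(car.receive(f3, 2600))      # held back: slot expired
    f4 = fob.press("lock", 3000)
    forged = f4[:4] + bytes([BUTTONS["unlock"]]) + f4[5:]
    out.append(car.receive(forged, 3000))  # flipped button bits
    out.append(car.receive(f4, 3000))      # genuine frame still works
    return out
```

Without the time slot in the MAC, the held-back frame in the fourth step would still verify; that gap is what the slide's "time-based" and "challenge/response" points close.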
Thank You !!!
YOU!
EFF
Michael Ossmann
Travis Goodspeed
Andy Greenberg
atlas of d00m
My mom
Defcon
TI
#hackrf #ubertooth
Charlie Miller
Chris Valasek
Mike Ryan
Andrew Crocker
Nate Cardozo
Kurt Opsahl
@SamyKamkar http://samy.pl
http://samy.pl/youtube