The attack surface on vehicles is increasing exponentially as cars are becoming more connected and self-driving features are been added through artificial intelligence. All of those features are bringing many benefits to all of us, including safety, but from a cyber security perspective, they are also bringing some risks. In this post, we’re going to showcase hacking car key-fobs frequency
I’m. going to show you how to hack wireless signals to open car doors using Software Defined
Radio – SDR. The same technique works for other devices like remote controls, garage doors, wireless doorbells, and so on.
As we’re focusing on car hacking let’s jump directly to our target device: key fobs.
They were introduced to the market in 1992 by Renault Fuego and used an RFID signal – Radio Frequency Identification and became very popular in 1995.
How does it work?
The key fob frequency scanner app uses a transponder that transmits a signal to the vehicle to lock/unlock the car door or even start the vehicle. The signal communicates with an immobilizer preventing it to accept the key-fob command unless it receives the correct code or token.
Older key fobs used static codes to lock/unlock the door. Every time you pressed the button, the same code was generated. Now, cars are using a rolling code or challenge-response system to become more secure. Every time you press the button, a new code is generated, and the immobilizer is expecting a specific code as they’re both synced
This can prevent simple record & replay attacks that could be used on old key fobs systems but they are also not perfect. There are ways to bypass this security feature.
What You Will Need for This Exercise
- An SDR Device
- System running Linux, preferably
- Gnu Radio Companion
For the SDR device, there are a couple of options starting from the cheapest $20 RTL-SDR device to $2,000 more powerful and sophisticated devices like the one from Ettus Research.
Another good option is the HackRF One, which costs around $400. The differences between them are basically the following:
- Only Receives Signals
- Both Transmit and Receives Signals
- Sample Rate
- Processor Speed
Now let’s analyze the radio signal between the key fob and the vehicle. I’m using a HackRF One for this.
Key Fobs operates on a standard frequency at ˜315MHz in US and 433MHz in Europe. But let’s say we don’t know it. There are basically 2 ways to determine it. One way is using a Spectrum Analyzer to identify the signal and its frequency. In this particular case, I’d used frequency scanner app called gqrx.
Another way is using the FCC Website. All wireless signals must be licensed by FCC and you can find lot’s of good information on the FCC website including not only the frequency the device operates but schematics, internal and external pictures and other useful information.
From there you now can open your gnu radio companion application using a similar flow I used to listen to the radio signal while you are pressing the key fob button and save the data to a file.
Than you can use a different flow from gnu radio companion to now transmit the recorded data through your SDR device (my case the HackRF One).
With this simple method you can open car doors that are using old key fobs, insecure garage doors and do many other things. But as I mentioned before, newer key fobs uses a rolling code and in order to hack it or bypass it you have a couple of options:
- Pulling Response Code from Memory
- Brute Forcing
- Forward Prediction Attacks
- Dictionary Attacks
Jamming is the most common method used. What it does is adding a noise/jamming to the signal while at the same time recording the original code from your key fob and if the noise is strong enough it will avoid the immobilizer to understand the signal generated. Now you have one valid code stored that was not used yet and if you replay that code you’ll be able to open your car door.
For more information, also check the video of this post on our YouTube Channel below, and don’t forget to subscribe to our channel.