Hacking Car Key Fobs with SDR

Car Hacking

The attack surface on vehicles are increasing exponentially as cars are. becoming more connected and self-driving features are been added through artificial intelligence. All of those features are brings many nice features to all of us including safety but from a cyber security perspective they are also bringing some risks.

I’m. going to show you how to hack wireless signals to open car doors using Software Defined
Radio – SDR. The same technique works for other devices like remote controls, garage doors, wireless doorbells and so on.

As we’re focusing on car hacking let’s jump directly to our target device: key fobs.

They were introduced to the market in 1992 by Renault Fuego and used an RFID signal – Radio Frequency Identification and become very popular in 1995.

Wow it Works?

The key fob uses a transponder that transmits a signal to the vehicle to lock/unlock the car door or even start the vehicle. The signal communicates with an immobilizer preventing it to accept the key fob command unless it receives the correct code or token.

Older key fobs used static codes to lock/unlock the door. Every time you were pressing the button exactly the same code were generated. Now, cars are using a rolling code or challenge-response system in an attempt to become more secure. Every time you press the button, a new code is generated and the immobilizer is expecting a specific code as they’re both synced

This can prevent simple record & replay attacks that could be used on old key fobs systems but they are also not perfect. There are ways to bypass this security feature.

What You Will Need for This Exercise

  • An SDR Device
  • System running preferably Linux
  • Gqrx
  • Gnu Radio Companioin

For the SDR device there are a couple of options starting from the cheapest $20 RTL-SDR device to $2,000 more powerful and sophisticated devices like the one from Ettus Research.

Another good option is the HackRF One that costs around $400. The differences between then are basically the following:

  • Price
  • Only Receives Signals
  • Both Transmit and Receives Signals
  • Sample Rate
  • Processor Speed
  • Others

Now let’s analyze the radio signal between the key fob and the vehicle. I’m using a HackRF One for this.

HackRF One

Key Fobs operates on a standard frequency at ˜315MHz in US and 433MHz in Europe. But let’s say we don’t know it. There are basically 2 ways to determine it. One way is using a Spectrum Analyzer to identify the signal and it’s frequency. On this particular case I’d used an application called gqrx.

gqrx

Another way is using the FCC Website. All wireless signals must be licensed by FCC and you can find lot’s of good information on the FCC website including not only the frequency the device operates but schematics, internal and external pictures and other useful information.

FCC Website

From there you now can open your gnu radio companion application using a similar flow I used to listen to the radio signal while you are pressing the key fob button and save the data to a file.

Than you can use a different flow from gnu radio companion to now transmit the recorded data through your SDR device (my case the HackRF One).

With this simple method you can open car doors that are using old key fobs, insecure garage doors and do many other things. But as I mentioned before, newer key fobs uses a rolling code and in order to hack it or bypass it you have a couple of options:

  • Pulling Response Code from Memory
  • Brute Forcing
  • Forward Prediction Attacks
  • Dictionary Attacks
  • Jamming

Jamming is the most common method used. What it does is adding a noise/jamming to the signal while at the same time recording the original code from your key fob and if the noise is strong enough it will avoid the immobilizer to understand the signal generated. Now you have one valid code stored that was not used yet and if you replay that code you’ll be able to open your car door.

jamming

For more information also check the video of this post on our YouTube Channel below and don’t forget to subscribe to our channel.

Related Articles

CryptoLocker Ransomware

Author: Keith Jarvis, Dell SecureWorks Counter Threat Unit(TM) Threat Intelligence Date: 18 December 2013 URL:http://www.secureworks.com/cyber-threat-intelligence/threats/cryptolocker-ransomware/ Background In mid-September 2013, the Dell SecureWorks CTU(TM) research team observed a…