In his version, Gonçalo was able to recreate the attack using a Yardstick One and an RTL-SDR. The RTL-SDR receives the signal, whilst the Yardstick One performs the jamming and retransmit functions.
Actually using this attack in a real scenario would be difficult due to the need to properly jam and receive the keyfob signal, which could prove tricky in an uncontrolled environment. However, there have been reports of criminals entering high end cars with wireless devices before and this could be one such attack method in use.
The important thing to learn is to be suspicious if your car key fob doesn't work on the first press while you are definitely in range of the car. To mitigate the possibility of wireless keyfob attacks, always use a manual key and if you must use the wireless keyfob, only unlock the car when standing right next to it, so that the keyfob signal is strong enough to overcome the jammer. Although it is still plausible that an attacker could attach the rolljam device to the car itself for greater jamming power, and then retrieve it later.
A while back we posted about Samy Kamkars popular “RollJam” device, which was a $32 home made device that was able to defeat rolling code based wireless security systems such as those used on modern cars.
Wireless security researcher Andrew Macpherson became interested in RollJam and has now written up a post showing how to create a similar device using the YardStickOne and RFcat wireless tools. In his post Andrew shows how he automates the replay attack side of things using a Python script and two RFcat devices. He also fully explains how rolling codes work and how to attack them using the CodeGrabbing/RollJam technique. Andrew explains the RollJam technique as follows:
Target parks their car, gets out the carAttacker launches a jammer that prevents the car from receiving the code from the remote
Target presses the remote, car does NOT lock and the attacker obtains the first keypress
Target presses the remote a second time and the attacker obtains the second keypress
Attacker then sends the first key press to lock the car, car locks as per normal
Target assumes all is well and carries on about their day
Attacker then sends the second keypress to the car, unlocking it
Target returns to the vehicle and remote works as per normal
In the video below Andrew uses an SDR to help demonstrate the RollJam attack.
6. jam and replay rolling code rolljam codegrabbing
At this years Def Con conference speaker Samy Kamkar revealed how he built a $32 device called “RollJam” which is able to break into cars and garages wirelessly, by defeating the rolling code protection offered by wireless entry keys. Def Con is a very popular yearly conference that focuses on computer security topics.
A rolling code improves wireless security by using a synchronized pseduo random number generator (PRNG) on the car and key. When the key is pressed the current code is transmitted, and if the code matches what the car is expecting the door opens. The seed for the PRNG in the car and key is then incremented. This prevents replay attacks.
The RollJam hardware currently consists of a Teensy 3.1 microcontroller and two CC1101 433 MHz RF transceiver modules. It works by recording the wireless key signal, but at the same time jamming it so that the car does not receive the signal. When the key is pressed a second time the signal is first jammed and recorded again, but then the first code is replayed by the RollJam device. Now you have an unused code stored in RollJam that can be used to open the car. Samy shows how this works using an SDR and waterfall display graph in the following slide.
Samy’s full set of presentation slides can be downloaded from samy.pl/defcon2015. Also several large publications including networkworld.co, Wired.com and forbes.com have also covered this story with longer more in depth articles that may be of interest to readers.
Over on YouTube popular science content creator Steve Mould has uploaded a video showing how he was able to open his own car using a HackRF software defined radio. In the video Steve first uses the Universal Radio Hacker software to perform a simple replay attack by using his HackRF (and also an RTL-SDR V3) to record the car's keyfob signal away from the car and replay it near the car.
Steve goes on to note that most cars use rolling code security, so a simple replay attack like the above is impractical in most situations. Instead he notes how a more advanced technique called "rolljam" can be used, which we have posted about a few times in the past. Later in the video Steve interviews Samy Kamkar who was the security researcher who first popularized the rolljam technique at Defcon 2015.
Over on his YouTube channel Kalle Hallden has uploaded a video demonstrating how to perform a replay and "rolljam" attack on a wireless car key with an RTL-SDR and Yardstick One. His first experiment is a simple replay attack which involves recording the unlock signal from the car key with the Yardstick One in a place far away from the car so that it is not received, then replaying it close by.
This works well, but Kalle then explains rolling code security and how this would easily thwart any replay attack in the real world. However, he then goes on to explain and demonstrate the "rolljam" technique, which is one known way to get around rolling code security. The demonstrations are obviously not full tutorials, but are just high level overviews of how wireless security can be defeated.
McAfee Advanced Threat Research have recently uploaded a blog post describing how they investigated Chamberlain’s MyQ Hub, a “Universal” IoT garage door automation platform. Such a device allows you to operate and monitor the status your garage door remotely via an app. This can allow you to open and close the garage door for couriers, or for couriers to do it themselves if they are on the app.
Whilst they found that the internet based network side was secure, they discovered a flaw in the way that the MyQ hub communicates with the remote sensor over RF radio frequencies.
Although the system utilizes rolling codes for security, McAfee researchers made use of the "rolljam" technique, which is one well known method for breaking rolling code security. The basic idea is to use an SDR or other RF device to jam the signal, collect the second rolling code after two key presses, then play back the first. Now the attacker has the second unused rolling code ready to be played back at any time.
In their threat demonstration they utilized a SDR running GNU Radio on a computing platform which sits outside the target garage door. The method used in the demonstration actually only involves jamming and not the use of a replay. It exploits a method that confuses the state of the MyQ device, allowing the garage door to be mistakenly opened by the owner when he thinks that he is closing it. They write:
With our jamming working reliably, we confirmed that when a user closes the garage door via the MyQ application, the remote sensor never responds with the closed signal because we are jamming it. The app will alert the user that “Something went wrong. Please try again.” This is where a normal user, if not in direct sight of the garage door, would think that their garage door is indeed open, when in reality it is securely closed. If the user believes the MyQ app then they would do as the application indicates and “try again” – this is where the statelessness of garage doors comes into play. The MyQ Hub will send the open/closed signal to the garage door and it will open, because it is already closed, and it is simply changing state. This allows an attacker direct entry into the garage, and, in many cases, into the home.
McAfee Advanced Threat Research Demo Chamberlain MyQ
Over on YouTube user ModernHam has uploaded a video showing how to perform a replay attack on a car key fob using a Raspberry Pi running RPiTX and an RTL-SDR. A replay attack consists of recording an RF signal, and then simply replaying it again with a transmit capable radio. RPiTX is a program that can turn a Raspberry Pi into a general purpose RF transmitter without the need for any additional hardware.
The process is to record a raw IQ file with the RTL-SDR, and then use RPiTX V2's "sendiq" command to transmit the exact same signal again whenever you want. With this set up he's able to unlock his 2006 Toyota Camry at will with RPiTX.
We note that this sort of simple replay attack will only work on older model cars that do not use rolling code security. Rolling code security works by ensuring that an unlock transmission can only be utilized once, rendering replays ineffective. However, modern rolling code security systems are still susceptible to 'rolljam' style attacks.
In the video below ModernHam goes through the process from the beginning, showing how to install the RTL-SDR drivers and RPiTX. Near the end of the video he shows the replay attack in action.
Unlock Cars with a Raspberry Pi And SDR - Replay attack
In this talk Samy Kamkar shares the exciting details on researching closed systems & creating attack tools to (demonstrate) wirelessly unlocking and starting cars with low-cost tools, home made PCBs, RFID/RF/SDR & more. He describes how to investigate an unknown system, especially when dealing with chips with no public datasheets and undisclosed protocols. Learn how vehicles communicate with keyfobs (LF & UHF), and ultimately how a device would work that can automatically detect the makes/models of keyfobs nearby. Once the keyfobs have been detected, an attacker could choose a vehicle and the device can wirelessly unlock & start the ignition. Like Tinder, but for cars.