Search results for: rolljam

Using a HackRF and JavaScript Browser App to Perform Rolljam Replay Attacks on a Car

Over on her website, Charlie Gerard has uploaded a page showing how she was able to perform a replay attack on a car's wireless entry system using a HackRF and a JavaScript browser app she wrote.

Previously, Charlie had already written a JavaScript browser app for ADS-B tracking with an RTL-SDR. To achieve this she used the WebUSB API, which allows USB devices to connect to JavaScript apps in a web browser.

Having recently purchased a HackRF she wanted to see if something similar was possible with the HackRF. In her post, Charlie shows and explains the JavaScript code required to connect to the HackRF from a Chrome browser, and how settings like gain, frequency and sample rate can be adjusted. She then shows how to use the Canvas API to visualize the received data. Finally, she shows how to use the File System Web API to record data, and ultimately retransmit the recorded data with the HackRF.

The replay attack itself is based on the rolljam idea. She uses two HackRF's, with one sitting closer to the car's receiver and jamming it, and another recording the car's keyfob. This prevents the car from incrementing the keyfob's rolling code, allowing it to be recorded and used again at a later time.

Charlie has also posted a video of her tests, which we embedded below.

Hacking my friend's car using JavaScript

Replicating A Rolljam Wireless Vehicle Entry Attack with a Yardstick One and RTL-SDR

Over on his hackaday.io blog, Gonçalo Nespral has written about his experiences in recreating Samy Kamkars now famous low cost rolljam attack. A rolljam attack allows an attacker break into a car by defeating the rolling code security offered by wireless keyfobs. Back at Defcon 2015, an information security conference, Samy Kamkar presented a method for creating a $32 Rolljam device that consisted of two 433 MHz transceiver modules controlled by an Arduino.

In his version, Gonçalo was able to recreate the attack using a Yardstick One and an RTL-SDR. The RTL-SDR receives the signal, whilst the Yardstick One performs the jamming and retransmit functions.

Actually using this attack in a real scenario would be difficult due to the need to properly jam and receive the keyfob signal, which could prove tricky in an uncontrolled environment. However, there have been reports of criminals entering high end cars with wireless devices before and this could be one such attack method in use.

The important thing to learn is to be suspicious if your car key fob doesn't work on the first press while you are definitely in range of the car. To mitigate the possibility of wireless keyfob attacks, always use a manual key and if you must use the wireless keyfob, only unlock the car when standing right next to it, so that the keyfob signal is strong enough to overcome the jammer. Although it is still plausible that an attacker could attach the rolljam device to the car itself for greater jamming power, and then retrieve it later.

[First seen on Hackaday]

How RollJam Works
How RollJam Works

Bypassing Rolling Code Systems – CodeGrabbing/RollJam

A while back we posted about Samy Kamkars popular “RollJam” device, which was a $32 home made device that was able to defeat rolling code based wireless security systems such as those used on modern cars.

Wireless security researcher Andrew Macpherson became interested in RollJam and has now written up a post showing how to create a similar device using the YardStickOne and RFcat wireless tools. In his post Andrew shows how he automates the replay attack side of things using a Python script and two RFcat devices. He also fully explains how rolling codes work and how to attack them using the CodeGrabbing/RollJam technique. Andrew explains the RollJam technique as follows:

  1. Target parks their car, gets out the carAttacker launches a jammer that prevents the car from receiving the code from the remote
  2. Target presses the remote, car does NOT lock and the attacker obtains the first keypress
  3. Target presses the remote a second time and the attacker obtains the second keypress
  4. Attacker then sends the first key press to lock the car, car locks as per normal
  5. Target assumes all is well and carries on about their day
  6. Attacker then sends the second keypress to the car, unlocking it
  7. Profit.
  8. Target returns to the vehicle and remote works as per normal

In the video below Andrew uses an SDR to help demonstrate the RollJam attack.

6. jam and replay rolling code rolljam codegrabbing

Showing how the RollJam attack works.
Showing how the RollJam attack works.

Breaking into cars wirelessly with a $32 homemade device called RollJam

At this years Def Con conference speaker Samy Kamkar revealed how he built a $32 device called “RollJam” which is able to break into cars and garages wirelessly, by defeating the rolling code protection offered by wireless entry keys. Def Con is a very popular yearly conference that focuses on computer security topics.

A rolling code improves wireless security by using a synchronized pseduo random number generator (PRNG) on the car and key. When the key is pressed the current code is transmitted, and if the code matches what the car is expecting the door opens. The seed for the PRNG in the car and key is then incremented. This prevents replay attacks.

The RollJam hardware currently consists of a Teensy 3.1 microcontroller and two CC1101 433 MHz RF transceiver modules. It works by recording the wireless key signal, but at the same time jamming it so that the car does not receive the signal. When the key is pressed a second time the signal is first jammed and recorded again, but then the first code is replayed by the RollJam device. Now you have an unused code stored in RollJam that can be used to open the car. Samy shows how this works using an SDR and waterfall display graph in the following slide.

How RollJam Works
How RollJam Works

Samy’s full set of presentation slides can be downloaded from samy.pl/defcon2015. Also several large publications including networkworld.coWired.com and forbes.com have also covered this story with longer more in depth articles that may be of interest to readers.

Flipper Zero DarkWeb Firmware Bypasses Rolling Code Security

Over on YouTube Talking Sasquach has recently tested custom firmware for the Flipper Zero that can entirely break the rolling code security system used on most modern vehicles. Rolling code security works by using a synchronized algorithm between a transmitter and receiver to generate a new, unique code for each transmission, preventing replay attacks and unauthorized access.

In the past we've discussed an attack against rolling code security systems called RollJam, which works by jamming the original keyfob signal so the vehicle cannot receive it, and at the same time recording it for later use. However, this attack is difficult to perform in reality.

For this new attack to work, all that is needed is a single button-press capture from the keyfob, without any jamming. Just from that single capture, it is able to emulate all the keyfob's functions, including lock, unlock, and unlock trunk. A consequence of this is that the original keyfob gets out of sync, and will no longer function.

According to the Talking Sasquatch, the attack works by simply reverse engineering the rolling code sequence, either through sequence leaks or prior brute forcing of the sequence from a large list of known codes. However, another article mentions that the firmware is based on the "RollBack" attack, which works by playing back captured rolling codes in a specific order to initiate a 'rollback' of the synchronization system.

Regardless of the method, videos demonstrating the attack show that only a single capture is needed to emulate a keyfob completely.

Affected vehicles include Chrysler, Dodge, Fiat, Ford, Hyundai, Jeep, Kia, Mitsubishi and Subaru. As of yet, there appears to be no easy fix for this, other than mass vehicle recalls.

Canada Moves to Ban Flipper Zero and Possibly Software Defined Radios

Dominic LeBlanc, Canada's Minister of Public safety has recently declared that they plan to ban devices "used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero". The text specifically calls out the Flipper Zero, however the wording appears to imply that any device that can copy a signal will be banned. This means the ban could extend to RX/TX SDRs like the HackRF and possibly even RX only SDRs like RTL-SDRs.

The Flipper Zero is an affordable handheld RF device for pentesters and hackers. It is not based on SDR technology, however it uses a CC1101 chip, a digitally controlled RX/TX radio that is capable of demodulating and modulating many common digital modulations such as OOK/ASK/FSK/GFSK/MSK at frequencies below 1 GHz. There are many CC1101 devices on the market, but the Flipper Zero has gained huge popularity on social media because of it's excellent software support, as well as its cute marketing tactic. In the past it was even featured on the popular Linus Tech Tips YouTube channel.

Flipper Zero has had a long line of setbacks including PayPal freezing 1.3M of its cash, and US customs temporarily seizing its shipments, then passing a $70,000 bill on to them for storage fees and Amazon banning the product on their marketplace.

In our opinion, we believe that the ban appears to be misguided. The Flipper Zero is a basic device that can only perform a simple replay attack, which is to record a signal, and replay it at a later time. These sorts of attacks do not work on vehicles built after the 90's which now use rolling codes or more sophisticated security measures. To defeat rolling code security, a more sophisticated attack called Rolljam can be used. A Rolljam device can be built for $30 out of an Arduino and two cheap transceiver modules.

However, according to arstechnica the biggest cause for concern in terms of car theft is a different sort of attack called "signal amplification relay".

The most prevalent form of electronics-assisted car theft these days, for instance, uses what are known as signal amplification relay devices against keyless ignition and entry systems. This form of hack works by holding one device near a key fob and a second device near the vehicle the fob works with. In the most typical scenario, the fob is located on a shelf near a locked front door, and the car is several dozen feet away in a driveway. By placing one device near the front door and another one next to the car, the hack beams the radio signals necessary to unlock and start the device.

This sort of attack is a lot less sophisticated in many ways as all you are doing is amplifying a signal, and no clever hardware like the Flipper Zero or a software defined radio is even required. The X video below demonstrates such a hack where a criminal holds up a loop antenna to a house. The loop antenna is connected to a signal amplifier which amplifies the keyfob signal, tricking the car into thinking the keyfob is nearby, and allowing the door to be unlocked by touching the handle, and then turned on with the push to start button.

Flipper zero note that they have not been consulted about the ban, and replied on X stating that they are not aware of the Flipper Zero being used for car theft.

Samy Kamkar Talks Hardware Security on Hackster Café

Samy Kamkar is famous in the wireless and hardware information security scene for his research on various security exploits including methods to defeat rolling code security, and using a children's toy to open wireless garage doors. In a recent Hackster.io Hackster Café interview Samy talks about various security related topics including software defined radios.

Samy Kamkar first became notorious for software and hardware security exploits – including SkyJack, a custom drone that could take control of other UAVs, and OpenSesame, a hacked child's toy that can open remote-controlled garage doors. He now brings this deep experience to Openpath, the touchless access control company he co-founded in 2016. From security celebrity to founder, we sit down for a chat with Samy on this episode of Hackster Café (new episodes every Tuesday at 10am Pacific).

Samy Kamkar on Hardware Security // Hackster Café

Steve Mould Hacks Into his Car with a HackRF

Over on YouTube popular science content creator Steve Mould has uploaded a video showing how he was able to open his own car using a HackRF software defined radio. In the video Steve first uses the Universal Radio Hacker software to perform a simple replay attack by using his HackRF (and also an RTL-SDR V3) to record the car's keyfob signal away from the car and replay it near the car.

Steve goes on to note that most cars use rolling code security, so a simple replay attack like the above is impractical in most situations. Instead he notes how a more advanced technique called "rolljam" can be used, which we have posted about a few times in the past. Later in the video Steve interviews Samy Kamkar who was the security researcher who first popularized the rolljam technique at Defcon 2015. 

I Hacked Into My Own Car