Category: Security

Opening and Starting Honda Civic Vehicles with a HackRF Replay Attack

A few months ago university student Ayyappan Rajesh and HackingIntoYourHeart reported the cybersecurity vulnerability CVE-2022-27254. The vulnerability shows how insecure the remote keyless locking system on various Honda vehicles is, and how easily it falls to a very simple wireless replay attack. In a replay attack a wireless signal, such as a door unlock command, is recorded and then played back later with a device like a HackRF SDR.

Most car manufacturers implement rolling code security on their wireless keyfobs, which makes replay attacks significantly more difficult to carry out. However, it appears that Honda Civic models (LX, EX, EX-L, Touring, Si, Type R) from the years 2016-2020 come with zero rolling code security:

This is a proof of concept for CVE-2022-27254, wherein the remote keyless system on various Honda vehicles sends the same, unencrypted RF signal for each door-open, door-close, boot-open and remote start (if applicable). This allows an attacker to eavesdrop on the request and conduct a replay attack.

In the videos on the GitHub demonstration page they show a laptop running a GNU Radio flowgraph and a HackRF SDR being used to turn on the engine of a Honda Civic, and to lock and unlock its doors.

Various news agencies reported on the story, with The Record and BleepingComputer contacting Honda for comment. Honda spokesperson Chris Martin replied that it “is not a new discovery” and “doesn’t merit any further reporting”, further noting that “legacy technology utilized by multiple automakers” may be vulnerable to “determined and very technologically sophisticated thieves.” Martin went on to note that Honda has no plans to update its vehicles to fix this vulnerability at this time.

Laptop and HackRF used to turn on a Honda Civic Engine via simple Replay Attack.

In the past we've seen similar car hacks, but they have mostly involved more advanced techniques aimed at getting around rolling code security, and have been difficult for real criminals to actually carry out in the field. This Honda vulnerability means that opening a Honda Civic could be an extremely simple task achievable by almost anyone with a laptop and a HackRF. It's possible that a HackRF and laptop are not even required: a simple RTL-SDR and a Raspberry Pi with the free RPiTX software may be enough to perform this attack for under $100.
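To show why rolling codes blunt the replay attack described above, here is an added example (not Honda's or any vendor's scheme, and not code from the original post): a simplified counter-plus-HMAC rolling code receiver beside a static-code receiver, with the same captured frame submitted to both. The key, the counter window and the frame layout are assumptions made for the demonstration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # shared fob/receiver secret (constructed value)
WINDOW = 16                     # how far ahead of the last counter a press may be

def fob_frame(counter: int) -> bytes:
    """Fob side: 32-bit big-endian counter followed by a 4-byte HMAC tag."""
    ctr = struct.pack(">I", counter)
    return ctr + hmac.new(KEY, ctr, hashlib.sha256).digest()[:4]

class FixedCodeReceiver:
    """Models a static-code fob like the one described above: one fixed code,
    so a recording of it stays valid forever."""
    def __init__(self, code: bytes):
        self.code = code
    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)

class RollingCodeReceiver:
    """Accepts a frame only if its tag verifies and its counter moved forward."""
    def __init__(self):
        self.last = -1  # highest counter accepted so far
    def accept(self, frame: bytes) -> bool:
        if len(frame) != 8:
            return False
        ctr = struct.unpack(">I", frame[:4])[0]
        tag = hmac.new(KEY, frame[:4], hashlib.sha256).digest()[:4]
        if not hmac.compare_digest(frame[4:], tag):
            return False            # forged or corrupted frame
        if not (self.last < ctr <= self.last + WINDOW):
            return False            # stale (replayed) or too far ahead to resync
        self.last = ctr
        return True

def demo():
    """Replay one captured unlock press against both receivers.

    Returns (fixed_accepts_replay, rolling_accepts_original, rolling_accepts_replay).
    """
    press = fob_frame(1)            # the genuine press, also what an eavesdropper records
    fixed, rolling = FixedCodeReceiver(press), RollingCodeReceiver()
    fixed.accept(press)             # original press: both receivers unlock
    first = rolling.accept(press)
    return (fixed.accept(press), first, rolling.accept(press))  # (True, True, False)

if __name__ == "__main__":
    print(demo())
```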

More information about the hack can be found on HackingIntoYourHeart's GitHub page. He writes:

Recording the "unlock" command from the target and replaying (this works on most if not all of Honda's produced FOBs) will allow me to unlock the vehicle whenever I'd like to, and it doesn't stop there at all. On top of being able to start the vehicle's ENGINE whenever I wished through recording the "remote start", it seems possible to actually (through Honda's "Smart Key" which uses FSK) demodulate any command, edit it, and retransmit in order to make the target vehicle do whatever you wish.

Financial Times Story about Ukraine Radio Monitoring with WebSDRs

The Financial Times has recently run a video story on how hobbyist WebSDR setups are being used to record Russian radio communications during the war in Ukraine.

In these modern times we would expect the Russian military to make full use of encrypted radio communications on the battlefield. But early in the invasion it became clear that much of the Russian force is far less advanced than first thought, and is using cheap unencrypted civilian radios that anyone nearby can listen to with an RTL-SDR or via a web connected SDR.

The FT story focuses on how open source contributors from all over the world are helping to monitor internet connected WebSDRs that are close enough to receive Russian radio communications, and on how volunteers are helping to translate the recordings, confirm their authenticity, and collect information about possible war crimes.

If you are interested, previously we posted about a similar video story from the New York Times, and have covered various bits of radio related news from the war in two previous posts [1][2].

Ukraine's battle of the airwaves | FT

Running GR-GSM and IMSI Catcher on a Raspberry Pi 4 with Dragon OS

DragonOS is a ready-to-use Ubuntu Linux image that comes preinstalled with multiple SDR software packages. Its creator Aaron also runs a YouTube channel showing how to use the various packages installed.

In his latest video Aaron tests his Pi64 image with GR-GSM and IMSI Catcher running with the GNU Radio 3.10 platform on a Raspberry Pi 4. He tests operation with an RTL-SDR and LimeSDR.

GR-GSM is a GNU Radio based program capable of receiving and analyzing mobile GSM data. We note that it cannot decode actual messages without additional information about the encryption key, but the metadata can still be interesting to investigate. GSM is mostly outdated these days, but is still used in some areas by older phones and devices. IMSI Catcher is a script that records all detected GSM 'IMSI' numbers received by the mobile tower, which can be used to uniquely identify devices.

Short video setting up and testing GR-GSM on DragonOS Pi64 w/ GNU Radio 3.10 and the RTL-SDR. The current DragonOS Pi64 build has GNU Radio 3.8 and all the necessary tools to accomplish what's shown in this video. If you'd like to test the build shown in this video, it's temporarily available here until I finish and put it on Source Forge.

https://drive.google.com/drive/u/1/fo...

A LimeSDR and DragonOS Focal's Osmo-NITB-Scripts were used to create the GSM900 lab environment. The RTL-SDR was able to see and decode the GSM900 network and, although only briefly shown in the video, the IMSI Catcher script works.

Here's the fork used for this video and for testing. There's also a pull request on the main GR-GSM repo for this code to be added.

https://github.com/bkerler/gr-gsm

DragonOS Pi64 Testing GR-GSM + IMSI Catcher w/ GNU Radio 3.10 (RTLSDR, Pi4, LimeSDR, OSMO-NITB)

Tesla Charging Ports Opened with HackRF Replay Attack

The charging port on Tesla electric vehicles is protected by a cover that charging stations can open via a wireless signal transmitted at 315 MHz. It turns out that the command to open the port has no security at all, which means it's possible to record or recreate the signal and play it back anywhere using a transmit-capable SDR device like a HackRF.

Twitter user @IfNotPike has done just that, managing to open a Tesla charging port using a handheld HackRF with PortaPack setup. If you cannot record the signal, a repo hosting a valid signal file is available on GitHub from jimilinuxguy. Interestingly, jimilinuxguy notes "The range for this is INSANE. I was able to perform this from VERY far away." and that the same signal can be used to "open any and all Tesla vehicle charging ports in range".

Fortunately for Tesla owners, the level of damage a malicious party could cause through the charging port is limited, since the charging port is not active until a correct charging cable is connected. It also seems that the charging port on most models will automatically close after some time if no charger is connected.

Tesla Charging Port Opened with HackRF and Portapack | Credit: @IfNotPike

Receiving Analog TV from Turkmenistan Unintentionally Bouncing off a Russian Military Satellite

Over on Twitter @dereksgc has been monitoring the 'Meridian' communications satellites, which are Russian owned and used for both civilian and military purposes. The satellites are simple insecure repeaters, meaning that anyone with the hardware can transmit to them and have their signal automatically rebroadcast over a wide area. This has recently been taken advantage of by activists opposed to the Russian invasion, who have been trolling the satellite with SSTV images of the Ukrainian flag, as well as audio.

Apart from intentional abuse, a side effect of being an open repeater is that the satellite can sometimes unintentionally pick up powerful terrestrial signals, such as analogue broadcast TV from Turkmenistan. Over on his blog, @dereksgc has written an excellent post documenting the background to this finding, his entire setup including the hardware he uses and how he aligns with the satellite, and the software he uses to decode the TV signal. He notes that he uses a HackRF, but that an RTL-SDR would suffice.

New York Times Story on Intercepted Russian Forces Radio Communications

The New York Times has recently run an incredible video story about how Russian radio communications are being intercepted and recorded by ham radio operators and open source radio monitoring hobbyists in Ukraine. Some of the communications reveal the extent of the logistical problems experienced by the invading forces, and may even have recorded evidence of war crimes.

It appears that much of the invading Russian force uses simple unencrypted analogue voice over HF channels, which can be intercepted and recorded by anyone with an HF software defined radio, or anyone willing to monitor nearby web-based SDRs like KiwiSDRs and WebSDRs. In the video, screenshots of recordings played back in SDR# and various WebSDRs are shown.

The story focuses mostly on the audio recordings that highlight communications between Russian forces discussing attack plans, including plans to bombard residential areas with artillery. These recordings are cross-referenced with reports and videos of actual tank sightings and destruction in the areas discussed on the radio.

A later recording highlights communications from a distressed Russian vehicle under attack, requests for air support being unfulfilled, and urgent requests for supplies like fuel, food and water. 

Russia Struggled to Capture a Ukrainian Town. Intercepted Radio Messages Show Why.

Some of the monitoring projects involved are highlighted in the story; they include Project Owl, Ukrainian Radio Watchers, ShadowBreak and NSRIC (Number Stations Research and Information Center). We are also aware of at least one other organization attempting to record communications within Ukraine that may be making use of RTL-SDRs, HackRFs and other SDRs.

Mapping GPS/GNSS Interference Through ADS-B Data

Websites like adsbexchange.com log ADS-B aircraft tracking data from contributors located all over the world and aggregate it onto a single map. An RTL-SDR is typically the receiver of choice for contributors receiving ADS-B signals. One piece of data recorded with each packet is the GPS/GNSS position accuracy.

Over on Twitter John Wiseman (@lemonodor) has been using the aggregated ADS-B data provided by adsbexchange to highlight regions where ADS-B GPS inaccuracies are significant. This may allow crowd sourced data to be used to detect regions of GPS interference or jamming. In one of his latest findings he noted extreme GPS inaccuracy around the Baltic region (Poland, Lithuania, Latvia, Kaliningrad).
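As an added example of the crowd sourced approach described above (not John Wiseman's or adsbexchange's code), the script below grids a constructed set of ADS-B position reports by their NACp accuracy value and flags cells where most aircraft report degraded accuracy. The readsb-style field names ("hex", "lat", "lon", "nac_p") and the NACp threshold are assumptions.

```python
import json
import math
from collections import defaultdict

# Constructed sample of position reports in a readsb-style JSON layout
# (field names "hex", "lat", "lon", "nac_p" are assumed, not from the page).
# Four aircraft near Kaliningrad report degraded NACp; three near Frankfurt do not.
SAMPLE = json.dumps([
    {"hex": "4601aa", "lat": 54.7, "lon": 20.5, "nac_p": 9},   # first report fine
    {"hex": "4601aa", "lat": 54.7, "lon": 20.6, "nac_p": 0},   # then drops to 0
    {"hex": "4601ab", "lat": 54.9, "lon": 20.8, "nac_p": 1},
    {"hex": "4601ac", "lat": 54.6, "lon": 20.2, "nac_p": 2},
    {"hex": "4601ad", "lat": 54.8, "lon": 20.1, "nac_p": 9},
    {"hex": "3c6444", "lat": 50.1, "lon": 8.6, "nac_p": 10},
    {"hex": "3c6445", "lat": 50.3, "lon": 8.9, "nac_p": 10},
    {"hex": "3c6446", "lat": 50.2, "lon": 8.8, "nac_p": 9},
    {"hex": "3c6447", "lat": 50.2, "lon": 8.7},                 # no NACp: skipped
])

NACP_POOR = 8  # assumed threshold: NACp below 8 means EPU worse than ~93 m

def cell(lat, lon, size=1.0):
    """Map a position to a (lat, lon) grid cell `size` degrees across."""
    return (math.floor(lat / size), math.floor(lon / size))

def degraded_cells(raw_json, size=1.0, min_reports=3, ratio=0.5):
    """Return [(cell, poor, total)] for cells where at least `ratio` of the
    aircraft seen there reported NACp below NACP_POOR.

    One vote per aircraft (ICAO hex) per cell, using the worst NACp it sent,
    so a single chatty transponder cannot dominate a cell on its own.
    """
    worst = defaultdict(dict)  # cell -> {hex: lowest nac_p seen}
    for rec in json.loads(raw_json):
        if not all(k in rec for k in ("hex", "lat", "lon", "nac_p")):
            continue  # no position or no accuracy figure: nothing to score
        key = cell(rec["lat"], rec["lon"], size)
        votes = worst[key]
        votes[rec["hex"]] = min(votes.get(rec["hex"], 11), rec["nac_p"])
    flagged = []
    for key, votes in worst.items():
        poor = sum(1 for n in votes.values() if n < NACP_POOR)
        if len(votes) >= min_reports and poor / len(votes) >= ratio:
            flagged.append((key, poor, len(votes)))
    return sorted(flagged)

if __name__ == "__main__":
    for key, poor, total in degraded_cells(SAMPLE):
        print(f"cell {key}: {poor}/{total} aircraft with NACp < {NACP_POOR}")
```

The same function works on a real feed dump with these field names; raising `min_reports` suppresses single-aircraft false alarms in sparse cells.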

As John and others reported in subsequent Tweets, this GPS interference was noticed by others too, with some flights needing to be cancelled or to turn back mid-journey, and a NOTAM warning being issued to pilots regarding the interference. Reuters also reported on the GPS disturbance a few days later.

NOTAM: GPS INTERFERENCE DETECTED IN THE EASTERN PARTS OF HELSINKI FIR. AFFECTED AREA SECTOR N, SFC-FL200

It is well known that Russia routinely utilizes GPS spoofing or jamming around Kremlin landmarks, sensitive areas and during military operations. However, others noted that NATO exercises in the Baltic could also be the cause.

To further add to this story, the satellite intelligence operator Hawkeye 360 also recently detected significant GPS interference within or around Ukraine.

Hawkeye360 Detects GPS Interference near or within Ukraine.

Samy Kamkar Talks Hardware Security on Hackster Café

Samy Kamkar is well known in the wireless and hardware information security scene for his research on various security exploits, including methods to defeat rolling code security and using a children's toy to open wireless garage doors. In a recent Hackster.io Hackster Café interview Samy talks about various security related topics, including software defined radios.

Samy Kamkar first became notorious for software and hardware security exploits – including SkyJack, a custom drone that could take control of other UAVs, and OpenSesame, a hacked child's toy that can open remote-controlled garage doors. He now brings this deep experience to Openpath, the touchless access control company he co-founded in 2016. From security celebrity to founder, we sit down for a chat with Samy on this episode of Hackster Café (new episodes every Tuesday at 10am Pacific).

Samy Kamkar on Hardware Security // Hackster Café