Opening and Starting Honda Civic Vehicles with a HackRF Replay Attack

A few months ago university student Ayyappan Rajesh and HackingIntoYourHeart reported cybersecurity vulnerability CVE-2022-27254. This vulnerability demonstrates how insecure the remote keyless entry system on various Honda vehicles is, and how easily it falls to a very simple wireless replay attack. A replay attack is when a wireless signal, such as a door unlock signal, is recorded and then played back at a later time with a device like a HackRF SDR.

Most car manufacturers implement rolling code security on their wireless keyfobs, which makes replay attacks significantly harder to carry out because each transmission is only valid once. However, it appears that Honda Civic models (LX, EX, EX-L, Touring, Si, Type R) from model years 2016-2020 come with no rolling code security at all:

This is a proof of concept for CVE-2022-27254, wherein the remote keyless system on various Honda vehicles sends the same, unencrypted RF signal for each door-open, door-close, boot-open and remote start (if applicable). This allows for an attacker to eavesdrop on the request and conduct a replay attack.

In the videos on the GitHub demonstration page they show a laptop running a GNU Radio flowgraph and a HackRF SDR being used to turn on the engine of a Honda Civic, and to lock and unlock its doors.

Various news agencies reported on the story, with "The Record" and BleepingComputer contacting Honda for comment. Honda spokesperson Chris Martin replied that it “is not a new discovery” and “doesn’t merit any further reporting,” further noting that "legacy technology utilized by multiple automakers” may be vulnerable to “determined and very technologically sophisticated thieves.” Martin went on to note that Honda has no plans to update its vehicles to fix this vulnerability at this time.

Laptop and HackRF used to turn on a Honda Civic Engine via simple Replay Attack.

In the past we've seen similar car hacks, but they have mostly involved more advanced techniques aimed at getting around rolling code security, and have been difficult for real criminals to actually carry out in the field. This Honda vulnerability means that opening a Honda Civic could be an extremely simple task achievable by almost anyone with a laptop and a HackRF. It's possible that a HackRF and laptop are not even required: a simple RTL-SDR and a Raspberry Pi running the free RPiTX software may be enough to perform this attack for under $100.
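To make the rolling-code point concrete, here is an added simulation (not code from the CVE proof of concept, from Honda, or from any keyfob vendor) that contrasts a fixed-code receiver, where a recorded frame is accepted exactly like a live one, with a simplified counter-plus-MAC rolling-code receiver that rejects the same recording. The HMAC construction, 8-byte tag, resync window and frame layout are assumptions for illustration only, not any manufacturer's scheme.

```python
import hmac
import hashlib


class FixedCodeReceiver:
    """Fixed-code receiver as described for CVE-2022-27254: every press sends
    the same frame, so the receiver cannot tell a recording from a live press."""

    def __init__(self, fixed_frame: bytes):
        self.fixed_frame = fixed_frame

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.fixed_frame)


def rolling_tag(key: bytes, counter: int) -> bytes:
    # Assumed construction: tag = truncated HMAC-SHA256 over a 32-bit counter.
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class RollingCodeReceiver:
    """Simplified rolling-code receiver: a frame (counter, tag) is accepted only
    if the tag verifies AND the counter is ahead of the last accepted counter,
    within a resync window. A replay reuses a consumed counter and is refused."""

    WINDOW = 256  # assumed: how far ahead a counter may jump (presses out of range)

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, frame) -> bool:
        counter, tag = frame
        if not hmac.compare_digest(tag, rolling_tag(self.key, counter)):
            return False  # forged or corrupted frame
        if not (self.last_counter < counter <= self.last_counter + self.WINDOW):
            return False  # replayed (stale) or implausibly far ahead
        self.last_counter = counter
        return True


class RollingCodeFob:
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self):
        self.counter += 1
        return (self.counter, rolling_tag(self.key, self.counter))


def replay_test(receiver, press):
    """Capture one legitimate press, then feed the same capture again.
    Returns (live_accepted, replay_accepted)."""
    captured = press()
    return receiver.accept(captured), receiver.accept(captured)
```

Running `replay_test` against the two receivers gives `(True, True)` for the fixed code and `(True, False)` for the rolling code; the rolling receiver still accepts the fob's next genuine press afterwards.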

More information about the hack can be found on HackingIntoYourHeart's GitHub page. He writes:

Recording the "unlock" command from the target and replaying (this works on most if not all of Honda's produced FOBs) will allow me to unlock the vehicle whenever I'd like to, and it doesn't stop there at all. On top of being able to start the vehicle's ENGINE whenever I wished through recording the "remote start", it seems possible to actually (through Honda's "Smart Key" which uses FSK) demodulate any command, edit it, and retransmit in order to make the target vehicle do whatever you wish.

Lon.TV Demonstrates Decoding Various Digital Signals with RTL-SDR

Tech YouTuber Lon.TV has recently uploaded a video demonstrating how to identify and decode various digital transmissions with an RTL-SDR dongle. In the video he explains how to use VB Cable to pipe audio from SDR# into various decoders, and then goes on to show DMR, APRS, POCSAG, L-Band AERO, FT8, and JS8/JS8CALL all being decoded via an RTL-SDR Blog V3 dongle.

Software Defined Radio Part 2 - Decoding Digital Transmissions with an RTL-SDR USB Radio

Controlling a Toy RC Car with a HackRF

Over on his blog, Radoslav has written a post showing how he used a HackRF to wirelessly control a toy RC car by reverse engineering its wireless control protocol and generating the control signals in a C++ program.

Having already created the rf-car HackRF RC car control software on GitHub a few years ago, Radoslav was easily able to modify it for a new RC car that his daughter received. The process was simply to look up the FCC data on the car, finding that it operated at 2.4 GHz and used GFSK modulation. He then used the Inspectrum signal analysis tool to determine the bit strings used to control the car. Finally, using his C++ interface to the HackRF, he implemented the new bit strings and GFSK modulation.

The video below demonstrates Radoslav controlling the RC car with the keyboard on his laptop.

Controlling 2.4GHz FSK car with HackRF

In the past we've posted about another project that also used a HackRF and a computer to control an RC drift car, and another project that used the RPiTX software to control an RC toy car with GNU Radio and a Raspberry Pi.

[Project also seen on Hackaday]

SDR# and other Hobbyist Ham Radio Software Spotted in Netflix TV Show Yakamoz S-245

Thanks to all who submitted; we recently received some interesting tip-offs about the Netflix TV show Yakamoz S-245 featuring a scene with various hobbyist SDR and ham radio programs clearly visible. Yakamoz S-245 is a show about a submarine research mission, and the scene appears to depict military intelligence specialists using the programs.

In the scene we've spotted SDR#, MMSSTV, the FUNcube dashboard, SATPC-32, and Orbitron. For those interested, the scene is in episode one at 11:20 - 12:00.

SDRSharp Guide V4.2 Released

Paolo Romani (IZ1MLL) has recently released version 4.2 of his SDRSharp PDF Guide. The book is available for download on the Airspy downloads page, just scroll down to the title "SDR# Big Book in English".

As before, the document is a detailed guide on how to use SDRSharp, the software provided by Airspy. While intended for Airspy devices, SDRSharp also supports a number of third party SDRs, including the RTL-SDR, and it is the software we recommend starting with when using an RTL-SDR.

Paolo writes:

My new v4.2 SDRsharp PDF is out. The guide is now 139 pages long, and covers all the settings, UI customization, included and third party plugins, and use of some external decoders and software, now with Spyserver integration with Raspberry Pi 3/4, etc etc...

Financial Times Story about Ukraine Radio Monitoring with WebSDRs

The Financial Times has recently run a video story on how hobbyist WebSDR setups are being used to record Russian radio communications during the war on Ukraine.

In these modern times we would expect the Russian military to be making full use of encrypted radio communications on the battlefield. But early on in the invasion it became clear that many of the Russian forces are much less advanced than first thought, and are using cheap, unencrypted civilian radios that anyone nearby can listen to with an RTL-SDR or via a web connected SDR.

The FT story focuses on how open source contributors from all over the world are helping to monitor internet connected WebSDRs that are close enough to receive Russian radio communications, and on how volunteers are helping to translate the recordings, confirm their authenticity, and collect information about possible war crimes.

If you are interested, previously we posted about a similar video story from the New York Times, and have covered various bits of radio related news from the war in two previous posts [1][2].

Ukraine's battle of the airwaves | FT

Running GR-GSM and IMSI Catcher on a Raspberry Pi 4 with Dragon OS

DragonOS is a ready to use Ubuntu Linux image that comes preinstalled with multiple SDR software packages. Its creator Aaron also runs a YouTube channel showing how to use the various packages installed.

In his latest video Aaron tests his Pi64 image with GR-GSM and IMSI Catcher running with the GNU Radio 3.10 platform on a Raspberry Pi 4. He tests operation with an RTL-SDR and LimeSDR.

GR-GSM is a GNU Radio based program capable of receiving and analyzing mobile GSM data. We note that it cannot decode actual messages without additional information about the encryption key, but it can be interesting to investigate the metadata. GSM is mostly outdated these days, but is still used in some areas by some older phones and devices. IMSI Catcher is a script that records all GSM 'IMSI' numbers seen in traffic from the mobile tower; these numbers uniquely identify subscriber devices.

Short video setting up and testing GR-GSM on DragonOS Pi64 w/ GNU Radio 3.10 and the RTL-SDR. The current DragonOS Pi64 build has GNU Radio 3.8 and all the necessary tools to accomplish what's shown in this video. If you'd like to test the build shown in this video, it's temporarily available here until I finish and put it on Source Forge.

https://drive.google.com/drive/u/1/fo...

A LimeSDR and DragonOS Focal's Osmo-NITB-Scripts were used to create the GSM900 lab environment. The RTL-SDR was able to see and decode the GSM900 network and, although only briefly shown in the video, the IMSI Catcher script works.

Here's the fork used for this video and for testing. There's also a pull request on the main GR-GSM repo for this code to be added.

https://github.com/bkerler/gr-gsm

DragonOS Pi64 Testing GR-GSM + IMSI Catcher w/ GNU Radio 3.10 (RTLSDR, Pi4, LimeSDR, OSMO-NITB)

Lightweight Windows Software uSDR Updated to Version 1.5.0

Since 2021 we've posted about Viol Tailor's "uSDR" (microSDR) software a couple of times. uSDR is a lightweight general purpose multimode program for Windows that supports the RTL-SDR, Airspy, BladeRF, HackRF and LimeSDR radios. The software can be downloaded from SourceForge.

Viol notes that the project has recently been updated to V1.5.0, which brings the following new features and changes:

  • lock device frequency on zoom option
  • keep waterfall history – the very great option, do not lose any rare signals
  • advanced passband IQ recorder
  • passband IQ TCP server for remote processing, C/C++ client source examples included
  • advanced audio player, auto selectable sample rate, separate left/right channels
  • CTCSS decoder
  • markers import option convenient for merging markers
  • Ctrl+Shift+Drag Up/Down – change spectrum magnitude offset
  • Ctrl+Shift+Mouse Wheel – change spectrum magnitude range (vertical zoom)
  • Ctrl+Mouse Hover – highlight nearest marker
  • Ctrl+Double Click – tune to highlighted nearest marker
  • band plan visualization, simple text format
  • frontend interface improvements
  • GUI improvements
  • spectrum and waterfall popup menus improvements
  • a lot of bug fixes
uSDR aka microSDR. A lightweight SDR receiver program for Windows.