Hacking Toyota’s super duper fantastical secure rolling-code Key Fob.

Captions
So today I'm going to demonstrate how easy it is for someone to gain access to your vehicle, despite the fact that your vehicle may be using something called rolling code technology on the fob. This is a technology touted by many vehicle manufacturers. Essentially what it means is the fob transmits a signal which is then verified by the vehicle, and then once it's verified, that signal can never be used again. So if it is captured, it can never be replayed and used, because the vehicle has already verified it and it now moves on, or rolls on, to the next code. This is apparently one of the most secure features in modern-day key fobs.

The problem is there's an inherent flaw with it. If I were to capture the signal prior to the vehicle authenticating the signal, the vehicle will never know whether or not that code has been used before, so I can replay it later at my leisure. The problem is, the only way to gain access to the remote without the vehicle recognizing the signal is one of two ways: you could capture the signal while the remote is out of range from the vehicle, or you can capture the signal while the vehicle is on, because the vehicle then has no need to recognize a signal and authenticate it. But for today's example, I'm going to turn on the vehicle, I'm going to copy the code while I'm in the vehicle, I'm going to turn off the vehicle, and then I'm going to replay the signal and see what happens.

This is a HackRF PortaPack. It has many features; it could receive and transmit signals. For the purposes of this demonstration we will use it to lock and unlock the vehicle using a capture and replay attack. This is a very common attack used against vehicles that use static codes, but even vehicles that use rolling codes are still vulnerable to this type of attack, because if I were so adamant and I wanted to copy this signal, all I would need to do is ensure that the vehicle and the remote are not within range. So the vehicle and the remote are not within range, the two never communicate, so there's never any authentication happening, so the vehicle will have not recognized the codes that I'm capturing. So the next time they are replayed by the HackRF, the vehicle says, "Oh, this is a new code."

So the second way this is done is when thieves use two devices. So a secondary HackRF can be deployed to jam your signal and the primary one can be used to capture your signal. So again, we cut off the communication.

So the vehicle is on to demonstrate this, because when the vehicle is on, the remote and the vehicle have no need to communicate, so whatever we capture will not have been authenticated by the vehicle. So I've tuned the HackRF. Let's start recording. So here's an unlock, sorry, the lock. Here is an unlock. I will just record a few. Now look at how many times I can do this. It only takes a few seconds, and then I can store these codes and use them later at my leisure, and I can store many, so that if I use the first few I still have many, many left over. So let's press stop, go to replay.

Now I'll turn off the vehicle so that we can play the captured signals and see what happens. Tuned it to 314.4250; that is the frequency of this fob, and we can find that by using the built-in frequency counter. So if we know the range, by plugging in the FCC ID of this remote, if we have the range, we can then find the exact frequency. So I'm going to put the fob right here. Now I'm going to open file, I'm going to increase the gain, and I'm going to amplify it, and now I'll press play. There's our lock. There's another lock. There's our unlock. There's another unlock, and there's the fob. There's another unlock. There's another unlock. There's a lock. Another unlock. Another unlock. So you get the point. That took seconds. If someone were so adamant to, it would literally take them seconds.

Rolling codes are not safe, not much safer than static codes. This fob requires a nine dollar monthly subscription to Toyota, and you'd think for a subscription fee you would receive some pretty solid security instead of a fake blanket of security. Many security experts will say that rolling codes cannot be copied, the replay attacks can no longer be used because there's now such a thing called rolling codes. That's not the case at all. It's literally just been demonstrated, and it has been demonstrated before. The only difference is, instead of somebody capturing... The vehicle just locked because it realized that I left it unlocked. The only way now is, you know, if a thief were to have access to your fob without it being in range of your vehicle, or by using a jammer to jam the signal and then capture your signal, so the vehicle never communicates with the fob.

So what is the most secure way? Currently there's a rash of thefts of Range Rovers, Hondas and Toyotas all over Canada and North America. They are very easy targets. As archaic as it sounds, perhaps the best method is to just use a key until we receive some practical solutions that actually work. Stay safe.
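
A simplified model of counter-based rolling-code validation, added here as an illustration; it is not from the video and is not Toyota's implementation. The HMAC construction, the `WINDOW` size and every name below are assumptions. It shows why a frame the vehicle never heard still looks new to it, and that in this model any later genuine press the vehicle does hear invalidates every earlier unheard frame.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead: how far ahead of its counter the receiver accepts

def frame_for(key: bytes, counter: int) -> bytes:
    """One button press: counter plus a truncated MAC over it (assumed construction)."""
    body = counter.to_bytes(4, "big")
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class Fob:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        self.counter += 1          # the fob rolls on whether or not anyone hears it
        return frame_for(self.key, self.counter)

class Receiver:
    def __init__(self, key: bytes):
        self.key, self.last = key, 0

    def accept(self, frame: bytes) -> bool:
        counter = int.from_bytes(frame[:4], "big")
        if not hmac.compare_digest(frame, frame_for(self.key, counter)):
            return False           # not produced with the shared key
        if not self.last < counter <= self.last + WINDOW:
            return False           # already used, older than last accepted, or too far ahead
        self.last = counter        # everything up to this counter is now spent
        return True

def simulate() -> dict:
    key = b"constructed-demo-key"                          # constructed sample secret
    fob, car = Fob(key), Receiver(key)
    out = {"heard_press": car.accept(fob.press())}         # counter 1 reaches the car
    unheard = [fob.press() for _ in range(3)]              # counters 2-4 never reach it
    out["unheard_frame"] = car.accept(unheard[1])          # counter 3 is still new to the car
    out["same_frame_again"] = car.accept(unheard[1])       # counter 3 a second time
    out["older_unheard_frame"] = car.accept(unheard[0])    # counter 2, now behind the car
    out["genuine_press"] = car.accept(fob.press())         # counter 5 reaches the car
    out["last_unheard_frame"] = car.accept(unheard[2])     # counter 4, behind counter 5
    return out

if __name__ == "__main__":
    for name, accepted in simulate().items():
        print(f"{name:20} {'accepted' if accepted else 'rejected'}")
```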
Info
Channel: TINYTX INC.
Views: 43,769
Id: 7WeOkWDC7mg
Length: 6min 54sec (414 seconds)
Published: Tue Oct 25 2022