I Hacked Into My Own Car

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments

Locks keep honest and lazy people out

👍︎︎ 1 👤︎︎ u/tatortot574 📅︎︎ Dec 05 2020 🗫︎ replies
Captions
- Let's press play on here, see what happens. Yes. So good. So I figured out how to unlock my car, using my laptop. And I don't have a fancy Tesla or anything like that where you can unlock it from an app on your phone. It's a 2014 Mini, has a really simple locking mechanism with a really simple key, like one of these, but I've figured out how to do it for my laptop instead. Why did I bother? Well, there's an arms race going on between hackers and people who make devices. And the humble car key is a wonderful example of that arms race. So, when you press the button on your car key it sends a code in binary over radio to your car. And if the car recognizes that code, then it unlocks. And in the old days, the way it used to work was, every single car had a unique code. And if you wanted to unlock the car then you had to send that specific code. And if your car key didn't send that code the car wouldn't unlock. But that system called static codes is really vulnerable. It's vulnerable to something called a replay attack. And this is the first step in the arms race from the hackers. What you do is, you hide near the car when someone's pressing the button to unlock it. And you record that code that is sent over radio. And then at a later date, perhaps at night, when no one's around, you replay that code to the car and unlock it. So how do you patch the vulnerability of a replay attack? Well, manufacturers came up with something called rolling codes. That's where every time you press the button on your car key it plays a different code and sends it to the car. So inside the key is a long list of codes and inside the car is a matching long list of codes. So you press the button, it sends the first code in the list. The car looks at the first code in the list. They match, the car unlocks and then crucially the car crosses that code off the list, that is now an invalid code. So if you try to replay that code the car won't unlock. The next time you press the button on your car key, it plays the next code in the list that matches the next code in the list on the car and so on and so on. By the way, it's almost certainly not like a giant spreadsheet inside the key and inside the car. What will most likely be is, there'll be an algorithm for generating the next code in the list and it'll be a secret algorithm and the car and the key share that secret algorithm for generating codes. For the next step in the arms race, enter Samy Kamkar and his roll jam attack. Samy Kamkar is a famous information, security researcher. He's done loads of amazing stuff with radio, wifi, all sorts of different things. Before we get into the roll jam attack and how it works. Let's just do the replay attack as a proof concept using my key here and my laptop. In other words, we're gonna press the button outside of the range of my car. So the car doesn't advance its list and I'm gonna record it here on my laptop and then use my laptop to play it back to the car. So I've got this thing here called a HackRF One. It's a software defined radio. In other words, you plug it into your laptop here using USB and it's a radio, but you use software to control the radio. It can receive and send radio signals. And then I've got this aerial plugged in here. But anyway, just put... So there's the aerial. I've got this software here called Universal Radio Hacker. And we're gonna record the signal from this car key. So, you've got to select the frequency that you want. I've selected 433.92 megahertz. That's because devices like this in Europe tend to be around that frequency 422.89 around there, because it's a free bit of the spectrum that you're allowed to do stuff with. Starts. Press the button, stop. And there we go, we've picked up a little bit of a sample from the car key and then we can crop in on that. Now, you might be able to see that there are these gaps. And in fact, what you've got is five short messages and you might be able to see actually they're all the same. So we're just gonna crop in on one of them and then the key obviously just sends the signal five times in case it doesn't work a few times. And look, if we zoom in, you can start to see, well, there's the radio waves and either it's on or off. So we can look at that differently. We can look at that in the just sort of on-off way. In other words, demodulated. Zoom a bit more. So if it's up, it's a one, if it's down it's zero, that's a very naive interpretation. And look, here are the interpreted ones and zeros down here. And if I select them, it actually shows you where it's picking that up from the signal itself which is pretty cool. So, we could dive in and start to analyze what those ones and zeros mean, but for a replay attack, it's simple enough to just take those ones and zeros and replay them with the same frequency from this thing. Lemme just click start and it will send that, but let's send it five times. Just like with the way the car key does. All right, moment of truth time. So look, the car is locked. I can't get in there. There's my laptop. There's the aerial. Let's play it and see what happens And... Nothing. I mean, it's the first go. I wasn't expecting it to work the first time. What this demonstrates fairly well is that I have no idea what I'm doing, but in spite of that, I do have options. So I bought a second software defined radio. This only does receiving not transmitting but then what I can do is, I can record the key using one software defined radio. And then I've got that recording on file, that I can look at. I can then retransmit that data with one software defined radio while recording it on the other, I can then compare that recording of the key with the recording of my transmission from the laptop. And if they look wrong, I can tweak some things until I get it right. It turns out that length of bit was wrong. It was too long. Like, one bit as in one or zero needed to be half a millisecond long, mine was way off. So I tweaked some variables. Didn't have a clue what I was doing but I noticed that it changed things. And so I just played with the numbers until the recording of my transmission looked the same as the recording of the key. So now, I'm kinda confident. So the car door is locked. There's no way to get in. Let's press play and see what happens. Damn it. Here we go. Nope. Nothing. Damn it. So this is the fourth attempt. I don't know how many I'm gonna include in the edit but once again, look, the car is locked, that is proof. Let's press play on here, see what happens. Yes, it's so good. I'm in my car. Amazing. A replay attack like that on a system that uses rolling codes isn't particularly useful to a thief because it's impractical to use. You'd have to be with someone while they're pressing the unlock key on their car key while they're not near their car. And why would someone be doing that? Maybe you could use social engineering to get them to do it like, "Hey, can I take a look at your car key for a second?" Damn it. It seems unlikely, doesn't it? Maybe you're the sort of person who has parties where people put their keys in a bowl at various points. In which case you could do it then, it seems like a lot of effort to go to, doesn't it? The point is, if the exploit is much more effort than simply smashing the window of the car then that's secure enough. That's why you need a different attack. Like the one we mentioned earlier, roll jam. To perform a roll jam attack. You actually need two radios. The first radio is sending a jamming signal, so that the car can't hear the car key. And the second radio is recording the car key. So someone comes up to the car, presses the button, the car can't hear it, so it doesn't unlock because it's being jammed. And you record that signal with the second radio. And what happens when you press the button on your car key and your car doesn't unlock, you try it a second time. So the car key is pressed a second time. And again, you're jamming the signal. So the car can't hear it. And you're recording that second signal, but immediately afterwards, you stop jamming and send the first signal to the car and the car unlocks. And crucially, your laptop is holding onto the most recent key press that the car hasn't seen yet. If you can make the whole package small enough like if you use a Raspberry Pi with two of these aerial things attached and you can stick it to the underside of the car and the person drives around, they're using their key all the time, your device is always holding on to the most recent key press, while sending the previous key press to the car to do the thing that the driver expects it to do. You may already have thought of two issues with the roll jam attack. The first is, well, if you're sending a signal that jams the car so the car can't hear that car key. How is that not also jamming your radio? That's trying to record the car key. Well, these car keys are very simple devices and depending on how much charge the battery has and what the temperature is on any given day, the actual specific frequency of radio waves that the car key transmits is gonna vary. So the car needs to listen on a broad range of frequencies to ensure that it actually captures the specific frequency that this car key is sending on any given day. That means that if you know the exact frequency of the car key, you can send a jamming frequency that isn't the same as the car key frequency but is within the range that the car is listening. So that completely prohibits the car from being able to hear anything else but you can tune your receiver to the specific frequency of the car key. You don't need to use that broad spectrum of frequencies because you've done some snooping to figure out the exact frequency. So that's how you can jam the car and record the key at the same time. The other complication of the roll jam attack that you may have thought of already is like, when I leave my car the very last thing I do is lock it with the button. So, if you're recording my key presses, the most recent thing that you have in the bank that you're retaining is a lock code. So if you were to play that code to the car all you'd be doing is locking it. So you need to better do some reverse engineering to figure out how to convert a lock code into an unlock code. At this point, it's probably worth talking to Samy Kamkar himself. - So I'm the co-founder of openpath.com, a physical access control system that uses mobile and cloud. - So wait, so your company does away with these stupid ID cards that are really good. - Yeah exactly. - You got that secure thing that everyone's got anyway. - Exactly. Yeah, your mobile phone. You leave it in your pocket and you'll actually have a fully encrypted connection and thus you open the door. - Literally about a half an hour ago I managed to unlock my car. - Oh, right. Yeah, that's awesome. Good job. That's so exciting. How did it feel? - Oh, it felt so good, it was like... - [Samy] Yes. - I mean, it was only a replay, right? It wasn't a roll jam, so you know... - That's okay. Yeah. That's really cool. - It's a Mini, BMW Mini. When it first comes through, it looks like it's 128 bits but none of the bits are longer than... You never get more than two of anything in a row. You never get like 000. You never get 111. - Okay. So that's called Manchester encoding. - Manchester encoding. That's where every bit is the same length in time. In this case, one millisecond is one bit. And during that one millisecond, either the signal goes from being on to off or from being off to on. On to off is zero and off to on is a one. With Manchester encoding, you never get more than two offs or two arms in a row. Which is why, when I said to Samy, I never saw three zeros in a row or three ones in a row. He knew it was Manchester encoding. Take a look at these five codes that came from the car key just by me pressing the unlock button five times. You can see they're all different because it's a rolling code, but you'll notice that the first eight bits are all the same. And these eight bits are all the same as well. My hope was that those first eight bits or like a preamble. It's the keys way of saying, "Hey, I'm a key. You better listen to the next 40 bits that I send, because that's my rolling code. That's how you're gonna know that I'm a key that you should listen to." And then the next eight bits immediately after that are like, that's the thing that I want you to do. In this case, 01100101. That means unlock. Right. That was my hope, because then I can just figure out what those eight bits would be in the case of lock. And that way I can take any lock signal that I have and I can convert it into an unlock signal and we can actually then perform the roll jam attack. Unfortunately, if you look at these five lock codes or messages as they're called, you'll notice that those eight bits that I was hoping meant unlock. They're actually the same in the unlock sequence, 01100101. So, unfortunately those eight bits aren't the instructions. They're not the bit that say, "Hey, unlock," or ,"Lock," or ,"Open the boots," or whatever. - Do you have the data? Do you still have the Manchester data? Do you have it in ones and zeros? - On my clipboard, I have it in a hex. - That's fine, yeah. If you wanna paste it, we could take a quick look. Okay. So basically this... I made a simple tool called diffbits, it's on my GitHub. And what this is showing us essentially in color, that and that middle line is telling us, "Okay, the first eight bits are all identical," which you already know from the hex. And then it's pointing... Oh, by the way, these are like... if there's a V, like a blue V going down these are all the same. Between the lock and the unlock. There are certain bits that are always identical in those. - Yeah. - What is interesting though, is typically what I would expect is, for a bit to be identical in one and then the opposite and the other, which we're not seeing here. - Yeah of course. So there is no specific bit within the messages coming from this car key that are always, one for lock and always zero for unlock or vice versa. And in fact, the few columns that were either all ones or all zeros in these two sets of messages, turned out to be just by chance. And in fact, when we looked at 10 of each type of message there were no columns that were all ones or zeros, except for the two sets of eight bits that we already knew about. In other words, this key doesn't send the command to lock or unlock in the open. It obviously sends that command. It's just scrambled in some way, probably using encryption. So as of right now, the 2007 BMW Mini is basically secure against a roll jam attack. Samy did mention other things you could try. If you are really determined, like you can pull the key apart, look at the labels on the integrated circuits. See if there's any information out there. Actually, they're quite secretive in car keys. But if you look at similar integrated circuits you might find documentation. You can even look at the silicone under a microscope and try and extract the encryption algorithm. You can even bombard the silicon with charge particles and try and force it into a debug mode. At this point, it really is a lot easier just to smash the window of the car. But it's interesting to see how far you could go for a really high value target. I asked Samy about other ways that manufacturers could protect against a roll jam attack. - What you could do is, you could have a real time clock inside of your key fob. And the clock in your key fob needs to be synchronized with the clock in your car. And that way, if I ever am able to jam, steal two codes from you and then replay, the code will have expired. - And I suppose then, every time you have a successful interaction between the key and the car you're also gonna synchronize your clock at that point. - That's a great idea. - (indistinct) over time. - The problem is that people don't want to maybe necessarily increase the cost of the fobs but hopefully that will come. - So I wasn't able to reproduce a roll jam attack for myself because my 2007 Mini it's too sophisticated, but I was able to the replay attack, which is really cool. You know, my conversation with Samy was about an hour long in total. We talked about so many interesting things, like other vulnerabilities, like hacks on passive entry vehicles, how to hijack a drone, hacks on ID cards. We even talked about the morality of being a security researcher. Like, how and when do you choose to release information about a vulnerability. Really interesting stuff. Far too long for this video. So that's a second video. It's about 20 minutes long of extra interview footage. I'm making an exclusive for my patreons. So check out my Patreon page for that. The link is in the description. A huge thank you also to (indistinct), who really helped me out on this project. My Blinkist recommendations this time, all follow a theme, see if you can spot it. Blinkist is sponsoring this video and Blinkist does something amazing. They condense non-fiction titles into 15 minute reads. They're also audio generated, so you can consume them in that way as well. They're just a great summary of the main points of a book. And very often you want to read the whole book after reading the summary. So it's a nice way to dip your toe into a book before committing to the whole thing. But also it's just a great way of getting loads of information really quickly. Anyway, here's the recommendations. "The Undercover Economists by Tim Harford." "Adapt by Tim Harford" and "Messy by Tim Harford." What I'm saying is if you haven't read Tim Harford yet you absolutely must. And Blinkist is a lovely way to get a summary of his ideas. And I'm sure you'd want to read the full books afterwards but even if you didn't, these nuggets of information will change your view of the world. I absolutely love Tim Harford's books. Blinkist also has full audio books that you can get cheaper than anywhere else. And now, there's something called Shortcasts. Which are podcast episodes that have been given the Blinkist treatment so that you can get to the heart of a podcast episode really quickly. The best part is you can try it all for free using my special link. The first 100 people to go to blinkist.com/stevemould. Will get one week absolutely free, no strings attached. And if you want to continue to get 25% off as well. The link is also in the description. So check out Blinkist today. I hope you enjoyed this video. If you did, don't forget to hit subscribe and I'll see you next time. (upbeat music)
Info
Channel: Steve Mould
Views: 1,279,202
Rating: 4.9443326 out of 5
Keywords:
Id: 5CsD8I396wo
Channel Id: undefined
Length: 20min 29sec (1229 seconds)
Published: Thu Dec 03 2020
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.