- Let's press play on here, see what happens. Yes. So good. So I figured out how to unlock my car, using my laptop. And I don't have a fancy Tesla or anything like that where you can unlock it from an app on your phone. It's a 2014 Mini, has a really simple locking mechanism with a really simple key, like one of these, but I've figured out how to do it from my laptop instead. Why did I bother? Well, there's an arms race going on between hackers and people who make devices. And the humble car key is a wonderful example of that arms race.

So, when you press the button on your car key it sends a code in binary over radio to your car. And if the car recognizes that code, then it unlocks. And in the old days, the way it used to work was, every single car had a unique code. And if you wanted to unlock the car then you had to send that specific code. And if your car key didn't send that code the car wouldn't unlock. But that system, called static codes, is really vulnerable. It's vulnerable to something called a replay attack. And this is the first step in the arms race from the hackers. What you do is, you hide near the car when someone's pressing the button to unlock it. And you record that code that is sent over radio. And then at a later date, perhaps at night, when no one's around, you replay that code to the car and unlock it.

So how do you patch the
vulnerability of a replay attack? Well, manufacturers came up with something called rolling codes. That's where every time you press the button on your car key it plays a different code and sends it to the car. So inside the key is a long list of codes and inside the car is a matching long list of codes. So you press the button, it sends the first code in the list. The car looks at the first code in the list. They match, the car unlocks and then, crucially, the car crosses that code off the list; that is now an invalid code. So if you try to replay that code the car won't unlock. The next time you press the button on your car key, it plays the next code in the list, that matches the next code in the list on the car, and so on and so on.

By the way, it's almost certainly not like a giant spreadsheet inside the key and inside the car. What it will most likely be is, there'll be an algorithm for generating the next code in the list and it'll be a secret algorithm, and the car and the key share that secret algorithm for generating codes.

For the next step in the arms race, enter Samy Kamkar and his roll jam attack. Samy Kamkar is a famous
information security researcher. He's done loads of amazing stuff with radio, wifi, all sorts of different things. Before we get into the roll jam attack and how it works, let's just do the replay attack as a proof of concept using my key here and my laptop. In other words, we're gonna press the button outside of the range of my car, so the car doesn't advance its list, and I'm gonna record it here on my laptop and then use my laptop to play it back to the car.

So I've got this thing here called a HackRF One. It's a software defined radio. In other words, you plug it into your laptop here using USB and it's a radio, but you use software to control the radio. It can receive and send radio signals. And then I've got this aerial plugged in here. But anyway, just put... So there's the aerial. I've got this software here called Universal Radio Hacker. And we're gonna record the signal from this car key. So, you've got to select the frequency that you want. I've selected 433.92 megahertz. That's because devices like this in Europe tend to be around that frequency, 422.89, around there, because it's a free bit of the spectrum that you're allowed to do stuff with. Start. Press the button, stop. And there we go, we've picked
up a little bit of a sample from the car key and then we can crop in on that. Now, you might be able to see that there are these gaps. And in fact, what you've got is five short messages and you might be able to see actually they're all the same. So we're just gonna crop in on one of them; the key obviously just sends the signal five times in case it doesn't work a few times. And look, if we zoom in, you can start to see, well, there's the radio waves and either it's on or off. So we can look at that differently. We can look at that in the just sort of on-off way. In other words, demodulated. Zoom a bit more. So if it's up, it's a one, if it's down it's a zero; that's a very naive interpretation. And look, here are the interpreted ones and zeros down here. And if I select them, it actually shows you where it's picking that up from the signal itself, which is pretty cool. So, we could dive in and start to analyze what those ones and zeros mean, but for a replay attack, it's simple enough to just take those ones and zeros and replay them on the same frequency from this thing. Lemme just click start and it will send that, but let's send it five times, just like the way the car key does.

All right, moment of truth time. So look, the car is locked. I can't get in there. There's my laptop. There's the aerial. Let's play it and see what happens. And... Nothing. I mean, it's the first go. I wasn't expecting it
to work the first time. What this demonstrates fairly well is that I have no idea what I'm doing, but in spite of that, I do have options. So I bought a second software defined radio. This only does receiving, not transmitting, but then what I can do is, I can record the key using one software defined radio. And then I've got that recording on file, that I can look at. I can then retransmit that data with one software defined radio while recording it on the other. I can then compare that recording of the key with the recording of my transmission from the laptop. And if they look wrong, I can tweak some things until I get it right. It turns out that the length of a bit was wrong. It was too long. Like, one bit, as in one or zero, needed to be half a millisecond long; mine was way off. So I tweaked some variables. Didn't have a clue what I was doing, but I noticed that it changed things. And so I just played with the numbers until the recording of my transmission looked the same as the recording of the key. So now, I'm kinda confident.

So the car door is locked. There's no way to get in. Let's press play and see what happens. Damn it. Here we go. Nope. Nothing. Damn it. So this is the fourth attempt. I don't know how many I'm gonna include in the edit, but once again, look, the car is locked, that is proof. Let's press play on here, see what happens. Yes, it's so good. I'm in my car. Amazing.

A replay attack like that on a system that uses rolling codes isn't
particularly useful to a thief because it's impractical to use. You'd have to be with someone while they're pressing the unlock key on their car key while they're not near their car. And why would someone be doing that? Maybe you could use social engineering to get them to do it, like, "Hey, can I take a look at your car key for a second?" Damn it. It seems unlikely, doesn't it? Maybe you're the sort of person who has parties where people put their keys in a bowl at various points. In which case you could do it then. It seems like a lot of effort to go to, doesn't it? The point is, if the exploit is much more effort than simply smashing the window of the car, then that's secure enough. That's why you need a different attack. Like the one we mentioned earlier, roll jam.

To perform a roll jam attack, you actually need two radios. The first radio is sending a jamming signal, so that the car can't hear the car key. And the second radio is recording the car key. So someone comes up to the car, presses the button, the car can't hear it, so it doesn't unlock because it's being jammed. And you record that signal with the second radio. And what happens when you press the button on your car key and your car doesn't unlock? You try it a second time. So the car key is pressed a second time. And again, you're jamming the signal. So the car can't hear it. And you're recording that second signal, but immediately afterwards, you stop jamming and send the first signal to the car and the car unlocks. And crucially, your laptop is holding onto the most recent key press that the car hasn't seen yet. If you can make the whole package small enough, like if you use a Raspberry Pi with two of these aerial things attached, and you can stick it to the underside of the car and the person drives around, they're using their key all the time, your device is always holding on to the most recent key press, while sending the previous key press to the car to do the thing that the driver expects it to do.

You may already have thought of two issues with the roll jam attack. The first is, well, if you're sending a
signal that jams the car so the car can't hear that car key, how is that not also jamming your radio that's trying to record the car key? Well, these car keys are very simple devices and depending on how much charge the battery has and what the temperature is on any given day, the actual specific frequency of radio waves that the car key transmits is gonna vary. So the car needs to listen on a broad range of frequencies to ensure that it actually captures the specific frequency that this car key is sending on any given day. That means that if you know the exact frequency of the car key, you can send a jamming frequency that isn't the same as the car key frequency but is within the range that the car is listening to. So that completely prohibits the car from being able to hear anything else, but you can tune your receiver to the specific frequency of the car key. You don't need to use that broad spectrum of frequencies because you've done some snooping to figure out the exact frequency. So that's how you can jam the car and record the key at the same time.

The other complication of the roll jam attack that you may have thought of already is, like, when I leave my car the very last thing I do is lock it with the button. So, if you're recording my key presses, the most recent thing that you have in the bank, that you're retaining, is a lock code. So if you were to play that code to the car all you'd be doing is locking it. So you need to do
some reverse engineering to figure out how to convert a lock code into an unlock code. At this point, it's probably worth talking to Samy Kamkar himself.

- So I'm the co-founder of openpath.com, a physical access control system that uses mobile and cloud.
- So wait, so your company does away with these stupid ID cards that are really good.
- Yeah exactly.
- You got that secure thing that everyone's got anyway.
- Exactly. Yeah, your mobile phone. You leave it in your pocket and you'll actually have a fully encrypted connection and thus you open the door.
- Literally about a half an hour ago I managed to unlock my car.
- Oh, right. Yeah, that's awesome. Good job. That's so exciting. How did it feel?
- Oh, it felt so good, it was like...
- [Samy] Yes.
- I mean, it was only a replay, right? It wasn't a roll jam, so you know...
- That's okay. Yeah. That's really cool.
- It's a Mini, BMW Mini. When it first comes through, it looks like it's 128 bits but none of the bits are longer than... You never get more than two of anything in a row. You never get like 000. You never get 111.
- Okay. So that's called Manchester encoding.
- Manchester encoding. That's where every bit is the same length in time. In this case, one millisecond is one bit. And during that one millisecond, either the signal goes from being on to off or from being off to on. On to off is zero and off to on is a one. With Manchester encoding, you never get more than two offs or two ons in a row. Which is why, when I said to Samy I never saw three zeros in a row or three ones in a row, he knew it was Manchester encoding.

Take a look at these five codes
that came from the car key just by me pressing the unlock button five times. You can see they're all different because it's a rolling code, but you'll notice that the first eight bits are all the same. And these eight bits are all the same as well. My hope was that those first eight bits were like a preamble. It's the key's way of saying, "Hey, I'm a key. You better listen to the next 40 bits that I send, because that's my rolling code. That's how you're gonna know that I'm a key that you should listen to." And then the next eight bits immediately after that are like, that's the thing that I want you to do. In this case, 01100101. That means unlock. Right. That was my hope, because then I can just figure out what those eight bits would be in the case of lock. And that way I can take any lock signal that I have and I can convert it into an unlock signal and we can actually then perform the roll jam attack. Unfortunately, if you look at these five lock codes, or messages as they're called, you'll notice that those eight bits that I was hoping meant unlock are actually the same in the unlock sequence, 01100101. So, unfortunately those eight bits aren't the instructions. They're not the bits that say, "Hey, unlock," or "Lock," or "Open the boot," or whatever.

- Do you have the data? Do you still have the Manchester data? Do you have it in ones and zeros?
- On my clipboard, I have it in hex.
- That's fine, yeah. If you wanna paste it, we
could take a quick look. Okay. So basically this... I made a simple tool called diffbits, it's on my GitHub. And what this is showing us essentially in color, that and that middle line is telling us, "Okay, the first eight bits are all identical," which you already know from the hex. And then it's pointing... Oh, by the way, these are like... if there's a V, like a blue V going down, these are all the same between the lock and the unlock. There are certain bits that are always identical in those.
- Yeah.
- What is interesting though, is typically what I would expect is, for a bit to be identical in one and then the opposite in the other, which we're not seeing here.
- Yeah of course.

So there is no specific bit within the messages coming from this car key that is always one for lock and always zero for unlock or vice versa. And in fact, the few columns that were either all ones or all zeros in these two sets of messages turned out to be just by chance. And in fact, when we looked at 10 of each type of message there were no columns that were all ones or zeros, except for the two sets of eight bits that we already knew about. In other words, this key doesn't send the command to lock or unlock in the open. It obviously sends that command. It's just scrambled in some way, probably using encryption. So as of right now, the 2007 BMW Mini is basically secure against a roll jam attack. Samy did mention other
things you could try. If you are really determined, like, you can pull the key apart, look at the labels on the integrated circuits. See if there's any information out there. Actually, they're quite secretive in car keys. But if you look at similar integrated circuits you might find documentation. You can even look at the silicon under a microscope and try and extract the encryption algorithm. You can even bombard the silicon with charged particles and try and force it into a debug mode. At this point, it really is a lot easier just to smash the window of the car. But it's interesting to see how far you could go for a really high value target. I asked Samy about other ways that manufacturers could protect against a roll jam attack.

- What you could do is, you could have a real time clock inside of your key fob. And the clock in your key fob needs to be synchronized with the clock in your car. And that way, if I ever am able to jam, steal two codes from you and then replay, the code will have expired.
- And I suppose then, every time you have a successful interaction between the key and the car you're also gonna synchronize your clock at that point.
- That's a great idea.
- (indistinct) over time.
- The problem is that people don't want to maybe necessarily increase the cost of the fobs, but hopefully that will come.
- So I wasn't able to reproduce a roll jam attack for myself because my 2007 Mini, it's too sophisticated, but I was able to do the replay attack, which is really cool. You know, my conversation with Samy was about an hour long in total. We talked about so many interesting things, like other vulnerabilities, like hacks on passive entry vehicles, how to hijack a drone, hacks on ID cards. We even talked about the morality of being a security researcher. Like, how and when do you choose to release information about a vulnerability. Really interesting stuff. Far too long for this video. So that's a second video. It's about 20 minutes long of extra interview footage. I'm making an exclusive for my patrons. So check out my Patreon page for that. The link is in the description. A huge thank you also to (indistinct), who really helped me out on this project.

My Blinkist recommendations this time all follow a theme,
see if you can spot it. Blinkist is sponsoring this video and Blinkist does something amazing. They condense non-fiction titles into 15 minute reads. They're also audio generated, so you can consume them in that way as well. They're just a great summary of the main points of a book. And very often you want to read the whole book after reading the summary. So it's a nice way to dip your toe into a book before committing to the whole thing. But also it's just a great way of getting loads of information really quickly. Anyway, here's the recommendations: "The Undercover Economist" by Tim Harford, "Adapt" by Tim Harford and "Messy" by Tim Harford. What I'm saying is if you haven't read Tim Harford yet you absolutely must. And Blinkist is a lovely way to get a summary of his ideas. And I'm sure you'd want to read the full books afterwards, but even if you didn't, these nuggets of information will change your view of the world. I absolutely love Tim Harford's books. Blinkist also has full audio books that you can get cheaper than anywhere else. And now, there's something called Shortcasts, which are podcast episodes that have been given the Blinkist treatment so that you can get to the heart of a podcast episode really quickly. The best part is you can try it all for free using my special link. The first 100 people to go to blinkist.com/stevemould will get one week absolutely free, no strings attached. And if you want to continue, you get 25% off as well. The link is also in the description. So check out Blinkist today. I hope you enjoyed this video. If you did, don't forget to hit subscribe and I'll see you next time. (upbeat music)

Locks keep honest and lazy people out
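As an added example that is not from the video or from Samy Kamkar's diffbits tool, the Python below models the frame layout hypothesised in the interview (an 8-bit preamble, 40 rolling bits, then the byte 01100101) and the two checks the conversation walks through: Manchester-encoding a frame at one transition per bit (on-to-off is 0, off-to-on is 1) and confirming that no run of identical levels exceeds two, then asking whether any bit position is constant within the lock captures and within the unlock captures but opposite between them. The preamble pattern and all rolling values are constructed for the example; each set includes a complementary pair of rolling values so that no rolling column is constant by chance.

```python
"""Added example (not from the video or from diffbits): Manchester framing and a
column comparison on constructed lock/unlock frames laid out as hypothesised in
the interview: 8-bit preamble, 40 rolling bits, trailing byte 01100101."""
from itertools import groupby

def manchester_encode(bits):
    """Each bit becomes two half-bit levels (1 = carrier on): 1 -> off,on and 0 -> on,off."""
    levels = []
    for b in bits:
        levels.extend((0, 1) if b else (1, 0))
    return levels

def manchester_decode(levels):
    """Invert the encoding; a bit cell with no transition (00 or 11) is not Manchester."""
    if len(levels) % 2:
        raise ValueError("odd number of half-bits")
    table = {(0, 1): 1, (1, 0): 0}
    try:
        return [table[cell] for cell in zip(levels[0::2], levels[1::2])]
    except KeyError as err:
        raise ValueError(f"no transition in bit cell {err.args[0]}") from None

def longest_run(levels):
    """Longest run of identical levels; Manchester never exceeds 2, which is what gave it away."""
    return max(len(list(g)) for _, g in groupby(levels))

PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 0]  # constructed preamble pattern
COMMAND = [0, 1, 1, 0, 0, 1, 0, 1]   # 01100101, the trailing byte seen on both lock and unlock

def frame(rolling):
    """Preamble, 40-bit rolling field, trailing byte: 56 bits in total."""
    return PREAMBLE + [int(c) for c in f"{rolling:040b}"] + COMMAND

# Constructed rolling values; each set holds a complementary pair so that no
# rolling column is constant by chance, as happened with only five real captures.
LOCK = [frame(r) for r in (0x3A7C19E2B5, 0xC583E61D4A, 0x91F0A4C6D3)]
UNLOCK = [frame(r) for r in (0x7D2E84B9C1, 0x82D17B463E, 0x2E5B7D0F81)]

def constant_columns(msgs):
    """Bit positions at which every message in the set agrees (the columns diffbits highlights)."""
    return {i for i in range(len(msgs[0])) if len({m[i] for m in msgs}) == 1}

def command_bits(lock, unlock):
    """Positions constant in both sets but opposite between them: a lock/unlock bit sent in the open."""
    shared = constant_columns(lock) & constant_columns(unlock)
    return {i for i in shared if lock[0][i] != unlock[0][i]}

if __name__ == "__main__":
    levels = manchester_encode(LOCK[0])
    print(len(levels), "half-bits, longest run", longest_run(levels))  # 112 half-bits, longest run 2
    print("fixed in both sets:", sorted(constant_columns(LOCK) & constant_columns(UNLOCK)))
    print("command bit positions:", command_bits(LOCK, UNLOCK) or "none, so the command is scrambled")
```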