Radio Hacking: Cars, Hardware, and more! - Samy Kamkar - AppSec California 2016

Reddit Comments

https://www.youtube.com/watch?v=CikveyZjum4

This whole situation with people refusing to be more than what this stunted culture inculcates is reminding me of something Nietzsche alluded to in Thus Spoke Zarathustra,

"The Last Man is the individual who specializes not in creation, but in consumption. In the midst of satiating base pleasures, he claims to have “discovered happiness” by virtue of the fact that he lives in the most technologically advanced and materially luxurious era in human history.

But this self-infatuation of the Last Man conceals an underlying resentment, and desire for revenge. On some level, the Last Man knows that despite his pleasures and comforts, he is empty and miserable. With no aspiration and no meaningful goals to pursue, he has nothing he can use to justify the pain and struggle needed to overcome himself and transform himself into something better. He is stagnant in his nest of comfort, and miserable because of it. This misery does not render him inactive, but on the contrary, it compels him to seek victims in the world. He cannot bear to see those who are flourishing and embodying higher values, and so he innocuously supports the complete de-individualization of every person in the name of equality. The Last Man’s utopia is one in which total equality is maintained not from without, by an oppressive ruling class, but from within, through the “evil-eye” of envy and ridicule."

https://academyofideas.com/2017/10/nietzsche-and-zarathustra-last-man-superman/

Are we going to be the last men and go meekly and quietly into extinction, or are we going to stand for higher values, like long-term survival for our planet? This is a big question people need to grapple with, and quickly.

1 point, u/DivineBeast666, Feb 26 2020
Captions
Hi everyone, thanks for coming. I'm Samy and this is Drive It Like You Hacked It. This is basically a fun talk I've just been continuously working on improving as I'm doing research in a couple of different areas. A couple of really fun areas for me have been vehicles, radio, hardware, and we're gonna focus a little bit on some of that stuff, which is really fun to me. We'll cover some web stuff as well and try to bring it all together in a fun way.

So we all love Nicolas Cage, right? Yeah, okay, I love Nicolas Cage. So I saw Gone in 60 Seconds, it's like one of my favorite movies, so I've spent my entire life trying to be like him. So as Gone in 60 Seconds happens, you know, basically Nic Cage is going around stealing cars, I hope that doesn't spoil it for anyone, but to do that the first thing you need to do is you need to get into a garage which has like some really cool cars. So in the last year I've been looking at how can I break into garages, like how do garages work? And garages are pretty cool. We've all seen the clicker, right, the little garage clicker? All right, I have one here. So I started learning about how these things worked, and my goal was to break into my own garage. I'm in a condo unit, so there's a bunch of different cars down there and I want to see how this thing works. So I started learning a little bit about radio frequency and how radios and communicating with devices like garage door openers works.

So the first thing, we're going to basically go in depth here and I'm going to show you how this stuff works, we'll actually do some live demonstrations. The first thing you do when learning about something with radio is, there's something really cool: any device in the US that actually transmits radio frequency has to have an FCC ID. So if you actually pull out your phone, all of our phones will actually have an FCC ID on the back here, so like on my iPhone I see an FCC ID. Same thing with this garage door opener which opens my garage, so
what we can do is we can actually take one of these things and open up our garage, and we can look at the FCC ID. The cool thing about the FCC is what they do is they regulate transmission in the U.S., so if you want to transmit on radio frequency the FCC has to allow that device or manufacturer to do it. And what we can do is, all of the information about that ID is actually public information, so you can actually go to the FCC's website, which is really, really hard to use, and search for one of these IDs. Fortunately someone named Dominic Spill has created a website called fccid.io which I use all the time, and basically on fccid.io you can just type in the identifier on the back of either this garage door opener or your garage door itself or your phone. So if you actually pull out your phone, you can look up the FCC ID and you can learn all about what your phone transmits on; it's actually very cool.

And inside of there we'll see a few things. So the first thing we see is, often you'll see pictures of the actual device, both the outside on the left here and the inside, so you'll actually see inside that circuit. This is really cool if you're trying to look up information on, say, a device that you don't necessarily have access to, or a device that might be out of your price range, or a device that's not released yet, right, something that's coming out. You can actually go here, you can learn a ton of information, you can probably discover vulnerabilities or issues with the device before it even comes out. It's pretty incredible.

So here's an example of actually my garage door opener. I looked it up, and the first thing we see here is we see kind of like where it came from; it came from China, obviously. And you also see the range here, the frequency range, so this is the frequency that it communicates on, and on this one it says the lower frequency is 390 megahertz and the upper is 390 megahertz, so that means this communicates on one frequency, 390 megahertz, which
is pretty cool. So what else we see on the FCC: we see stuff like, they have a cover letter, always a nice little formal letter they write; external photos like we saw; internal photos; a couple different things. One of the more interesting areas is the test report. So what the FCC does is they hire someone to come out and actually test your device, because the thing with frequency, we're essentially sharing the spectrum. Like, you don't want a device to just constantly transmit out and prevent other devices from working. For example, if this garage door thing were just transmitting all the time, it may prevent other garage door openers from working, and you wouldn't want to interfere with, say, someone across the street. So they do all these tests to ensure that it transmits on the frequencies it's allowed to, not more powerful than it should, so on and so forth. So if we pull this up we can see like the internal report; we can actually often see a spectrograph, an actual recording of the radio signal transmitted by the device.

And there are some different devices I use to actually listen to this kind of stuff. One of the devices, really cool, is the HackRF. It's capable of receiving and transmitting from one megahertz all the way up to six gigahertz. It's a really wide range, totally open source, open hardware, a couple hundred dollars. It can also transmit, which is really interesting. People have done some really crazy stuff with this thing, for example spoofing GPS. I mean people have literally spoofed GPS using this device or similar devices and have made ships go off course, ships literally going off course, because what are they depending on? They're depending on GPS. How does GPS work? It's from radio signals getting sent from satellites down to the earth, and we're using that to figure out where we are, and someone comes along and transmits the signal and you think you're somewhere else, or you think you're just going somewhere else. I mean the
amount of dependency that we have on these radio signals is massive and it's growing every single day, so there's another reason that this is such an interesting thing and I'm so interested in this right now.

And now HackRF, you may say, okay, well I don't know anything about radio, and I know very little about radio personally, but you can do some pretty simple things. For example, if you're dealing with something that uses a fixed transmission, something where it's like a password. So if you open your garage door opener, a lot of our garage door openers basically have a bunch of DIP switches, which is essentially a password, and that opens your garage. Now if you don't know someone's, like if I were trying to exploit someone's garage and trying to break in, what I might do is I might record that signal and replay it, and HackRF can do that. Now not all devices are capable of recording and replaying; often you need to know a lot more information about the signal, which we'll learn in a bit, but with literally two commands you can record and then replay, kind of like taking a microphone and a speaker and reproducing some signal. Now this will work in some scenarios, not in all scenarios. For example, cars will use something called rolling codes, we'll go over that later, where the password's changing, kind of like Google Authenticator or 2FA, right? 2FA is essentially a rolling code where every time you get a new identifier or new password to log into something.

Another device I use is the RTL-SDR. This thing is awesome, I have it right here. It's basically another antenna, it's a software-defined radio. SDR means software-defined radio; RTL, it's from Realtek. HackRF is also a software-defined radio. It allows you to use software and inexpensive hardware to analyze the radio spectrum and also often transmit. RTL-SDR is great because it's like $20 on Amazon, so you can go right now for 20 bucks, get into it, you know, start learning, and you can do
so much. You can see planes going overhead. There was actually someone in LA who has been recording planes, so it's public transmission: whenever a plane is flying it's sending a radio signal of where it is, of its GPS coordinates, and information about it, its unique name, and he started mapping it out as a hobby. And he found that there's these planes that are just circling over LA. They're going in circles, right? They lift off, they fly around and then they circle. Why are there planes circling over LA? And he started looking. What's that? Correct, FBI planes. He's the guy who discovered that these are FBI planes going around, probably using something like Stingray to listen to our phone calls and text messages, so always say hi, FBI, when you pick up the phone. So RTL-SDR is another really cool example; he did that with RTL-SDR, it's a $20 device.

You can use free software, open-source software, on your computer in any major operating system. GNU Radio, this is a fun although complicated piece of software. It's probably not complicated, it is really hard for me to learn, so I'm still trying to figure out how to use this thing, but it allows you to take radio signals, or actually any signal technically, you can just pipe audio into it, and you can manipulate it, you can run different filters on it and extract information or transmit information. So this is another really useful tool.

Gqrx, this is an awesome tool. I'll actually use this in a minute, I'll show you how it works. Basically this allows us to see a waterfall view of the radio spectrum, so we can say all right, I want to see from 300 to 301 megahertz, I want to see everything that happens on there. This would allow you to, let's say you have a device and you don't have the FCC ID, or let's say you don't have access to a device, let's say you're outside of something and you have a black box, or someone's driving up to their garage and they're about to hit a button but you don't know
what frequency their device is using. You can use this to essentially watch a waterfall of radio frequencies and you will see when there is something with a high amplitude, when there is essentially a signal that's getting transmitted. It's really cool. This is for Linux and OS X only; if you're on Windows you can also get SDR#, it's another similar tool to do the same thing, very cool. And the cool thing is, I mean there are people out there, like on Reddit there's a subreddit called rtl-sdr, and you can actually go on there and people are just looking at the spectrum, because there's all these radio frequencies out there and we have no idea what a lot of them are, right? A lot of these, this is something that's invisible, right, it's essentially invisible to us, and usually when there's something invisible people just assume it's secure because we can't see it, we don't know how it works. And more and more people are now playing in this area and researching and trying to find what are all these invisible signals, and a lot of it lacks security. I mean it's really interesting, some of the stuff that's coming out of here.

rtl_fm, this is like a command-line tool that allows you to record signals with the RTL-SDR. So these are some of the tools that I use. The presentation will be available online, so if you guys want to grab it and do any research in here you'll have access to all that.

So let's go back to this FCC report. There are three things I usually look at when I'm looking at an FCC report for a device. Internal photos, because that allows me to see inside; if I can see inside I might be able to make out the chip that's being used. If I look at the chip I can probably look up datasheets available for that chip and I can learn all about what the chip is doing, the frequency it communicates on, the modulation, all sorts of information about it. I can look at the test report as well, and the test report will often provide some useful information
such as what frequencies it uses, perhaps what modulation. And then also the user manual. There's always like incredible pieces of information in user manuals that I find. A friend of mine was at Coachella and he's like, yeah, I came back to my car, all my windows were down. And it's like, was anything stolen? He's like, no, luckily. Like, well, so it's like someone broke into my car and didn't take anything. I was like, huh, that seems weird. So I looked up the FCC ID, like maybe someone hacked his device, like the radio thing or his car key, and I looked it up and I looked at the user manual and there's just a section on how the car key operates and everything about the car key, and apparently if you hold one of the buttons down for enough seconds all of your windows just roll down. I haven't told him, I'm going to use it against him.

So here's an example of a test report from my garage door opener. We can see something called the frequency, it's 390 megahertz; we see the modulation type is ASK, we'll go over that in a second here; and a couple other things about the device.

So let's talk about modulation a little bit. Who here has listened to the radio? Okay, cool. Younger people may not know what that is, it's like Spotify. So we now have things, there's different types of modulation. It's basically how we encode data in a signal. There's ASK, which is amplitude shift keying; there's FSK, frequency shift keying; and PSK, phase shift keying. These are common modulation schemes that are used. Now these are specifically for digital data, when you're trying to communicate digital information over the radio spectrum. Now ASK is actually a type of amplitude modulation. Amplitude modulation is AM, it's literally AM radio. When you listen to your AM radio, your radio is taking the radio spectrum at whatever frequency you're listening to, say 200 kilohertz, and the amplitude, which is essentially, if you listen to let's say a sound file, right, the amplitude is the
volume, it's essentially how strong that volume is. The amplitude defines what kind of sound you're hearing or what frequency the sound is. Frequency shift keying is frequency modulation, or FM. So FM radio, we listen to 102.7, you're actually listening to 102.7 megahertz, and we can see that in RTL-SDR, and the frequency is actually not 102.7, it's actually a range, so it's actually more like 102.5 to 102.9, and the frequency changes depending on what that frequency should be. So in something like RTL-SDR, if we don't know what device is transmitting, we can look at it here, and on the left we see that there's kind of like two signals coming whenever I hit a button, so that's probably something called 2-FSK, or frequency shift keying, where the frequency is changing, and because it's digital it's just ones or zeros, so left or right means one or zero. And then on the right we have ASK, which is amplitude shift keying, where it's just either there's a signal or there's not a signal, which represents a one or a zero.

So why don't we actually see what this looks like? I am going to open Gqrx and I'm going to use this RTL-SDR just so we can take a quick look. Let's see if this works here. All right, so, awesome, so we can see here I'm at 300 megahertz, which is what this garage door opener is at, and whenever I press we can see data. So that's pretty cool. Like, if I didn't know what frequency it was at, we could go searching through, you know, we could go to, let's say, here we have actual stations, right? So I'm at 100 megahertz now, so we can actually see FM radio stations, and I could actually demodulate this data. Let's see if it even works, demod. So we'd have to tune. Oh yeah, so we can actually tune to different stations here. That's my jam right there. All right, cool, cool. So we actually know that this is at 300 megahertz. Now this is really cool, we can demodulate this data right in here, so now that we know
it's at, again we'll look at it once more here, 300 meg, yep, 300 megahertz, and because it looks like it's just one signal going on, turning on and off, that tells me it's probably amplitude shift keying, or AM, amplitude modulation. So we can then use rtl_fm. So let me quit that, let's see here, find my windows. All right, so I mean that's gonna be hard to see, but here, I'll just record it first, so I'll say rtl_fm, 300, test.wav, I'll press this once or twice, great, Ctrl-C. And what this actually does is this produces an audio file, a WAV file, that we can then inspect. So I'm going to pull this up in Audacity, a free audio tool. Let me find the file here and I will throw this in here. All right, cool, so this is Audacity. So here we can see I hit it twice, I did it once here and then once here. So let's take a look at what this signal actually looks like. Zoom in. It looks like it's a repeating signal, it looks like the same information.

Now who has opened one of these garage doors and had to like set the DIP switches? You had to do that? All right, so we've seen those; usually it's like 10 or 12 DIP switches. So let's zoom in. Can you guess what these relate to? So if I open mine right here, this thing is impossible to open, all right, now got it open. I'll tell you what I have here: I have on and off DIP switches, mine is on, on, off, on. Let's just zoom in so we can see if there's any correlation at all: on, on, off, on, off, on, off, off, off, off. So basically we're seeing amplitude, we're actually seeing a signal, and in this case it looks like a long signal followed by nothing, long is a 1, and a short signal followed by nothing is a 0. So literally just by using this $20 device I've recorded and I now know the code to my garage door. You could go around like recording codes, just like in Gone in 60 Seconds, right? They go up to the garage, they use their little device, which probably didn't exist, and they are able to record the code. Like, that's so interesting. All right, so let's go back to, oh man, I can't see anything,
all right, I like where he's going with that. All right, let's see if I can figure out how to open, I can't, I'm not mirroring here, show all windows, enhance. All right, back to the slideshow. Okay, cool, so we just saw Gqrx and we saw this, right? So we actually analyzed that signal, we saw it's just a repeating signal. It repeats a bunch of times because amplitude shift keying, like if you've ever listened to AM, the audio quality sucks. It's the most inexpensive way to transmit information, but it's also the most prone to interference, people sniffing; you can't really see anything, though.

So someone had a good suggestion: what if we brute force that? How long would it take? Well, if we take a look at these different garage doors, there's a couple different things: some are 8 bits, some are 10 bits, 12 bits, right, they're just on and off. So I recorded this one and it looked like it was 2 milliseconds per bit, with a 2 millisecond delay for each bit, and it sent five signals per transmission minimum. So if we calculate that for all the possible garage doors that I've looked at that use fixed codes, it looks like it would take about twenty-nine and a half minutes to brute force, so basically 30 minutes to brute force someone's garage, which is pretty insane. So I was looking at this and I was like, well, can I do this a little faster? Because I have stuff to do, I can't just sit outside of people's homes thirty minutes and do this. And I was looking and I saw, okay, well, if it's repeating the signal, what if we stop repeating the signal? Like, it's repeating just so that it can be more successful, but for the most part we're not going to have interference. So if you actually take out the repetition, we can actually reduce it to six minutes to brute force any fixed code garage. That's pretty cool. But looking at this further, I saw that there was basically this massive period of delay between every time it sends a signal, so I was curious: what if I took
out that delay, where it's sending one signal, one password, followed by another password, instead of a delay in between them? What if I just sent password, password, password, password? And that worked, it opened my garage, so that reduced it down to three minutes to open any fixed code garage. And then I was thinking, how does it know where one password begins and one password ends? What if it's using something called a bit shift register? Now a bit shift register is basically a register where you pull in data one bit at a time, and it essentially performs a test. Let's say it's a 4-bit register: it looks at the four bits and it performs a test, is this the correct four bits? If not, it then takes one bit off, pops one off, and then shifts one in. Well, if that's the case, you wouldn't actually need to test all possible codes. For example, let's say I'm looking at a two bit code. Let's say we're just looking at a two bit code right here: 0 0, 0 1, 1 1, 1 0. Those are the four options, that's a total of 8 bits. However, if we create something called the de Bruijn sequence, de Bruijn is a mathematician who discovered this algorithm to efficiently produce all possible codes that overlap, so if we overlap these we can say 0 0 1 1 0. Now if we put them in a bit shift register, we get 0 0 as the first 2 bits, and if we move over just one bit then we get 0 1, over 1 bit we get 1 1, and then the last one, 1 0. So we've actually gotten all 8 bits out of a 5 bit sequence. Now if we do that with every 8 to 12 bit code, we actually reduce this down to 8 seconds to brute-force any fixed code garage between 8 and 12 bits long. 8 seconds.

Yeah, um, TV-B-Gone. Although all of the infrared codes are basically public information for all the televisions, TV-B-Gone, you could do that, but TV-B-Gone specifically turns off TVs, so if you're brute forcing, what you'd actually end up doing is like changing the volume, changing the input
source, doing all this other stuff. TV-B-Gone specifically has programmed all of the IR codes for most different televisions, but you can definitely do something similar, because you will hit the off code at some point, right?

So at this point we have 8 seconds. Now this is just how to transmit; RTL-SDR does not actually transmit. This is just an assumption of how we can mess with this garage. We need a device to actually transmit. One device I'm a fan of is this YARD Stick One, also by Michael Ossmann. This has a nice radio chip, both receiving and transmitting. It's not software-defined radio. Software-defined radio allows you to take a signal you know nothing about and then perform all the modulation and demodulation and accessing and reading it in software; this is all hardware. There's pros and cons. The major con of something like this is that if you don't know what the signal is, if you don't know if it's frequency modulated or amplitude modulated, or the frequency, this is not going to be too helpful, because you have to tell this hardware: I know it's FSK, I know it's on this frequency, I know it's this data rate, and show me the data or translate the data. But if you know what you're looking for, or you know what you want to transmit, you can use this device, and there's a Python interface that you can use by something called RfCat.

And there's another device that I like to use from one of the most amazing technological companies of our time, Mattel. So Mattel creates all sorts of awesome toys for children, and one of their toys is called the Mattel IM-ME. This is a texting device for tweens to basically communicate with each other without being on the internet where creepy people hang out. So with the IM-ME you can actually text someone and it wirelessly transmits to a little dongle on a USB stick, and then it goes over the Internet to your friend who also has one of those USB dongles, and then
wirelessly transmits to this little device, to the IM-ME. The service is no longer active, they don't sell these anymore, so you can get them off eBay for like 10-20 dollars. And a couple of people have found that inside of this device is a really cool chipset from Texas Instruments, and it's a sub-gigahertz transceiver. That means it can receive and transmit on virtually any frequency under one gigahertz, which is actually amazing. If you're trying to build a device like this yourself it might cost hundreds of dollars; thanks to Mattel and massive production you can get it for like 10 bucks on eBay. So Travis Goodspeed and some other people found out that you can connect to the back of this thing and reprogram it and do whatever you want with that transceiver. So this is the device I chose to use for transmitting across all the different garage frequencies, performing this attack, and I call this the OpenSesame attack. Let's see if it, oh no, oh no, how do we get this to, there should be a video here, oh, I'm sorry.

So that's an example of OpenSesame just running on my friend's garage. It takes a total max amount of eight seconds, which on average is four seconds. So, awesome. One step down. So I've released almost everything to do this. Obviously I don't want people breaking into people's garages, so I bricked the code so that it would not work; however, I released most of it so that people could understand how this type of attack works and also how to prevent it. Unfortunately, since I did that the prices of the IM-ME have gone up, so if you do want one, reach out to me, I'd be happy to send you one if you're going to do some research in this area, because I bought them before they became kind of ridiculously priced.

So some lessons here: don't use a ridiculously small key space just because it's invisible, right? Just because it's over radio and people aren't looking doesn't mean people aren't going to look. At some point people will look, they will
understand the technology; your proprietary method is not going to help you. So, you know, there's plenty of information on this. Require a preamble or sync word, which is basically something that says the password's about to start; that would prevent the de Bruijn attack where you can actually have all of these passwords sort of rolling over each other. And then rolling codes, that's another thing we'll talk about; rolling codes will prevent this type of attack.

So now we're inside of the garage, and there's some cool stuff we can do here. One thing that's happening is all of our cars are becoming connected. So, great, a lot of new cars now have all sorts of different radios inside besides the AM/FM, Sirius XM radios; they have some other things. They often have GSM, they'll have GPS receivers, and they'll communicate with the Internet. Who has OnStar? OnStar, yeah. So okay, a lot of you have OnStar and aren't raising your hand, that's okay. So actually any GM vehicle, GMC, Buick, Cadillac, will actually have OnStar built in now. Whether you activate it or not is irrelevant; you actually have these features, and those features are connected to the computer of the car, the ECU, and the various others. Our cars are no longer cars, they're no longer mechanical vehicles, right? They're now essentially a computer with wheels. So the computer controls so much. I mean we have so many awesome features coming out in our vehicles like assisted park and all of these things. If there's something called assisted park, that means the vehicle's computer has control of the wheel, where before it used to be simply mechanical; now it's a computer that's actually able to turn your wheel.

So OnStar has a very cool feature: they have an iOS and Android app. So a friend of mine actually had, with the same car he had, he had OnStar, and I was playing with this stuff and he said you can play with my vehicle if you want. So I was playing with the app, I downloaded OnStar, it does some cool stuff, lets you see
where your car is, lets you do a couple things. There's a key fob access: you can lock, you can unlock, remote start, hit the horns and lights. I tried that a few times while he was driving, but fortunately they don't allow you to activate the horn and lights while you're driving, which is smart. So I thought, okay, I'll check out this communication. I assume it's encrypted with SSL, so I'll install my own CA, my own certificate authority, on my phone and I'll sniff the traffic. Lo and behold, it was encrypted. I installed the CA, or I usually have my own certificate authority installed on my mobile device, and I started sniffing, and because I was using my own CA I could actually perform an SSL man-in-the-middle attack. Again, this is only on my own device; I can't do this on someone else's because they don't have my certificate authority installed. My certificate authority tells my phone that, oh, Samy's, you know, House of Cards CA is a legitimate authority, you can use his key instead of the legitimate GM or OnStar SSL key. So once I decrypted the traffic I saw, you know, nice HTTP requests in plain text. I saw some base64, pulled out the base64, and of course the password and username are right there. Like, okay, so make sure to not use the OnStar app on a network that you don't trust, but as long as you don't have someone's CA they shouldn't be able to decrypt that traffic.

And then I realized I had just reset my iPhone. I forgot, like, something happened, I reset it, so I actually didn't have my certificate authority installed, which means the app allowed an invalid certificate authority to decrypt traffic even though it had no recognition, it had no idea who Samy's House of Cards was. So the GM app was not looking at an SSL CA; it was blindly accepting any SSL key. That means as long as you have someone on your Wi-Fi network, which is very easy to do, and they open that app, you can decrypt all of their traffic for that app. I
thought, wow, this is absolutely insane. So it's like, how can I exploit this? And I created a device with a Raspberry Pi computer, a phone, a GSM board, Mallory, which is an open-source SSL man-in-the-middle attack software, some DNS spoofing so that the user wouldn't actually detect anything, so I only took over api.gm.com, so anyone using OnStar, but all their other traffic would still continue to go through the correct servers and correct SSL certificates, and a couple other things like an Alfa wireless card. And then I thought, okay, how do I attack my friend? How do I get them to jump onto my network? Now fortunately you can do things like, you can use your own, or you can use common Wi-Fi network names like ATT Wi-Fi or Starbucks, things that you know that they might be on. But there's actually something pretty cool here. Another thing that our phones do is they send out probe requests. So if your phone doesn't see your network it will actually send out probe requests saying, hey, I'm looking for a network, in this case named Taedong, is there a network named Taedong out here? And you can say yes. It actually tells you the network name it's looking for, and with that information you can generate a network on the fly, which it will then join, assuming that it's the correct network. It's actually, our phones, our devices, our computers, our laptops, none of them actually look at the MAC address, they're only looking at the network name. Now this is only for open networks. If your phone has only connected to encrypted networks, fortunately this attack will not work, but I'm assuming almost everyone has at least connected to one open unencrypted network before. ATT Wi-Fi on almost all iPhones, absolutely. Nekia, Linksys, I mean, and the cool thing is you can just launch all of them. All right, so if you come near my house you may actually just see like 10 different network names for all the common ones. So with under $100 we have a little device that I threw under my friend's car and
was able to you know at some point let's see own star yes this is an app called own star now so here I am and and once I acquired his credentials I was then able to unlock his car remote start it and basically do anything to his car at that point and then I tested BMW which also did not check SSL certificates and then I checked in Mercedes Benz which did not check SSL certificates and then I tested Chrysler Jeep which not test SSL Certificates this is a massive issue in virtually every I'd say this was like five out of ten of the car apps that have the ability to unlock a vehicle right I only cared about the apps that actually did something you know important five of ten did not perform SSL see a validation so the lessons here if you're going to do this either validate certificates from a CA which actually I wouldn't necessarily suggest anymore the nice thing about CA is you can like turn off your keys if they ever get stolen however there are a lot of certificate authorities out there for example like I don't know you wouldn't want the Hong Kong you know post to be releasing CAS or releasing keys for you but they have that full capability they can say they own gmail.com if they want and we've seen we've seen CAS get hacked before or accidental keys for gmail.com get released four so better yet you certificate pinning this way your the app that you release has a key in it you have that key those are the only people who know about this key no one else can you know avoid that also hash the passwords like don't just basics before everything right hash your passwords use the salt make it difficult even if someone does obtain this information who knows how someone will break into your device sometime in the future there will be new attacks they will extract information in different ways and always assume you're on a hostile network just always assume that so now we've broken into some cars we'll go through this uh now there's another interesting thing that I've seen a 
lot of these vehicles use, and a lot of the key fobs: they all use something called rolling codes. A rolling code is like what I talked about before with the CA: the code actually changes every time, kind of like 2FA, where you get a different SMS message or your Google Authenticator gives you a different number every time. That's great; that's actually a really good way to prevent an attack like the garage-door attack, OpenSesame, where we have a fixed code. Also, rolling codes are much, much longer; they're not silly 12-bit codes that you can break in a couple of seconds. So that's a nice thing. I'll quickly run through some hardware attacks for when you're looking at hardware that you don't know. On some of the devices I was looking at, I was finding that they would actually mark the chip off; they'd scratch off the name so you couldn't look up the datasheet and see what it was using. In that case I use a couple of things. I use a logic analyzer; a logic analyzer just looks at the digital information going on a wire, so you can connect probes to each of the pins. I use these SMD micro probes so I can connect to really small pins off of chips. I also use a multimeter; you can measure the voltage with a multimeter on different pins of a chip. When I'm looking at a chip that I don't know anything about, I'll start mapping it out. I can use the multimeter to find the ground and to find power, so I can mark all the ground and power pins. I can also use the logic analyzer and look for certain things that look like a clock signal; the clock signal will just look like a square wave or pulse width modulation. Once I do that, if I know what frequency it's communicating on, which I should be able to learn with something like an RTL-SDR or HackRF, I can then download all the datasheets I can find for something that does that. Let's say these communicate on 2.4 GHz:
I will download all the datasheets of transceivers on 2.4 GHz, and then I'll take all their pinout pages and I'll look at them and compare. Do any look similar to what I have? Do any have the same number of pins? Do any have the grounds in the same places, the voltage in the same place, the clock in the same place? If so, I've now discovered what chip that device is using, despite them trying to scratch it off. Using the logic analyzer and the datasheet I can see how that chip is communicating with the device, what commands it's sending. Then I'll learn all sorts of other information: if there's encryption I might learn a key, I might learn what it's using. I can extract all the serial communication, how it communicates with that device, and I can then build an interception device, which is pretty fun. So at this point let's take a look at my car. My car uses something called rolling codes. If you look at this, there's a ton more data in this code, so this would actually take years and years and years to brute-force, and it's only good once: as soon as you use this code it will never work again. So when I hit the clicker on my car to unlock, that code is used and my car knows that this code is no longer valid, which is great. So let's understand how rolling codes work. There's basically a random number generator in your car and in your key, and they're synced. There's actually a rolling window, so when you press the unlock button your car expects that unique identifier, that unique code, but now that the car has heard it, it says, I will never accept that again. So if someone, say Nicolas Cage, was sitting outside of your home and he sniffs this identifier and tries to use it later on to replay it, it's not going to work, because the car says, oh, I've seen that code before, I will not accept it; I'll only accept the next code. And there's a rolling window, so in case the key is in your pocket and you hit
it a bunch of times out of range of the car, then you go back to the car, the car will say, oh, you're actually out of range, but it's okay, you're in the future, right? You're not using a past code, you're just a little bit in the future; you probably hit it a few times. That's okay. Now that's only a small window, so it's hard to use that to attack. So I was trying to find ways of replaying rolling codes, of attacking that. The only major way I could think of, the only way, is to capture a signal while you're out of range of the car. So you break into someone's house, take their key, hit the button, record it, and then go back later and replay it. Now most cars these days also use this for starting the vehicle as well, so these attacks are not only for unlocking vehicles but also for starting them. Now this is a really lame attack, I think; if you're in the house and you have access to their key, you should just take it. So how can we get around this? What if we jam? What if we jam the code? Now again, these keys are inexpensive; I mean, they'll charge you like $300 to buy one, but they're actually really cheap, so it's actually very easy to interfere with this communication. When someone hits their button, if you're transmitting as well, in fact if you even have a similar key and you hold down the unlock or lock button of your key while someone tries to unlock their car, they won't be able to unlock their car. You can actually do this over kind of a wide range; it's kind of funny to watch, but you can basically easily interfere with this communication. Worst case scenario, they might have to pull out their key. Now, who has hit the button on their key and it didn't work? Once that happens, you just hit it again and it typically works, right? There was some interference, you didn't hold it long enough. So what if I jam just slightly off the frequency, and
I also listen. I also use a similar device to listen; I can actually be very specific and listen to just that signal, listen to their code and ignore my jamming, because I know where I'm jamming, so I can ignore that piece of the signal. The problem is, once I've recorded that signal that the car has not heard, I can use that signal, I can use it to unlock; however, they're going to keep hitting it until it works, and when it works, when the car does hear their unlock code, all previous codes get disabled, so the code that I've acquired is no longer useful. However, as we're human, we all follow a simple pattern. If I jam, I listen, and I get one code, and I keep jamming, so you go to your car, you hit unlock, it doesn't work, you hit unlock again, it doesn't work, two times in a row. But I've listened to both codes and I've extracted those two passwords. I now take those two and I only replay the first one. So now the car does unlock on the second try, but I'm using the first code, so later on when you go home and you lock your car I still have an unused future code that I can unlock your vehicle with, because there's actually no timing; it's all about the order of the sequence of these codes. So you can essentially trick the user by playing the first one on their second try, and of course you can automate this. So this is an attack I call RollJam. I've demonstrated it with about thirty dollars in hardware, and there are so many other attacks in this area. I think it's such an exciting area, because you have cars coming out this year, in 2016, that will actually communicate with other vehicles on the road; it's called V2V. So there's so much other radio communication that's going to be happening. Cars are able to use ultrasound to see if there's something in front of them, but what if you send your own ultrasound? You can generate ultrasound; it's just sound at a higher frequency. What if you send that to a vehicle? You can make it believe that someone is in front of it.
You can send communication to a car saying, oh, it's really rainy, so slow down; you just make everyone slow down around you. I mean, you can do all sorts of stuff. It's crazy and it's scary and it's exciting. There are so many other interesting attacks. I was also looking at my car, and I found that if they're locking the vehicle, they're hitting lock, lock, lock, and I record that data or interfere with that data, well, I can't use a lock; that's no good. What fun is locking their car? However, I found in the signal, as I was looking at the datasheet, that the rolling code is one part and then the command is a second part. So I could change the command from lock to unlock and use the same code. As long as I jam and interfere with their lock command, I can then use that lock command to unlock. So even though they hit lock, later on I come over and I send an unlock just by changing that bit, because it's just a command and not tied to the code in any way. Here's the device itself. I tested it on a lot of cars; it unlocked a lot of cars, and it was beautiful. Lessons: encrypt, hash those buttons together. If you're sending a lock command, for example (and of course this works anywhere; this will work on HTTP, you should use these same methods), encrypt or hash that communication together: hash the key with the command, use HMACs, time-based algorithms. We've had SecurID for twenty years now, right? Those RSA tokens, which are essentially 2FA; we've had those for 20 years, and every 2015 car I've attacked has had this issue. We can implement this stuff; this stuff exists, we know about these problems and we know how to solve them. Also you can do challenge-response with transceivers rather than just cheap receivers. So there are ways of fixing this, and that's about it; that's what I have for you.
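The RollJam sequence and the unbound lock/unlock command bit described just above, as a Python model added by the editor; this is not Samy's RollJam code and not any vendor's key fob scheme. The key derivation, the 4-byte tags and the 16-code acceptance window are constructed simplifications, and the "bound" variant implements the fix the talk suggests, a MAC over the counter and the command together.

```python
"""
Editor's added example, not code from the talk. It models (1) the RollJam sequence:
jam two presses, replay the first, keep the second as an unused future code, and
(2) the command field not being bound to the rolling code, so a captured lock can be
replayed as unlock. Key derivation, 4-byte tags and the 16-code window are
constructed simplifications, not any real fob or car's scheme.
"""
import hashlib
import hmac
import secrets
from typing import Optional

WINDOW = 16  # how far ahead of the car's counter a fob press is still accepted


def rolling_code(key: bytes, counter: int) -> bytes:
    """Unbound scheme: the code depends only on key and counter, not on the command."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


def bound_tag(key: bytes, counter: int, cmd: str) -> bytes:
    """Hardened scheme: the MAC also covers the command, so it cannot be rewritten."""
    msg = counter.to_bytes(4, "big") + cmd.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


class Fob:
    def __init__(self, key: bytes, bound: bool):
        self.key, self.bound, self.counter = key, bound, 0

    def press(self, cmd: str) -> dict:
        n, self.counter = self.counter, self.counter + 1
        tag = bound_tag(self.key, n, cmd) if self.bound else rolling_code(self.key, n)
        return {"tag": tag, "cmd": cmd}


class Car:
    def __init__(self, key: bytes, bound: bool):
        self.key, self.bound, self.expected, self.locked = key, bound, 0, True

    def receive(self, msg: dict) -> bool:
        """Accept the first unused counter in the window; it and every earlier one then die."""
        for n in range(self.expected, self.expected + WINDOW):
            want = bound_tag(self.key, n, msg["cmd"]) if self.bound else rolling_code(self.key, n)
            if hmac.compare_digest(want, msg["tag"]):
                self.expected = n + 1
                self.locked = msg["cmd"] == "lock"
                return True
        return False  # already consumed, forged, or too far ahead


class RollJam:
    """Jams so the car misses the press, records what the fob sent, replays it later."""
    def __init__(self):
        self.stash: list = []

    def jam(self, msg: dict) -> None:
        self.stash.append(msg)  # the car never hears this one

    def replay_oldest(self, car: Car, cmd: Optional[str] = None) -> bool:
        msg = dict(self.stash.pop(0))
        if cmd is not None:
            msg["cmd"] = cmd  # rewriting the command only works when it is unbound
        return car.receive(msg)


def run(bound: bool) -> dict:
    """Play the scenario from the talk against an unbound or a command-bound car."""
    key = secrets.token_bytes(16)
    fob, car, att = Fob(key, bound), Car(key, bound), RollJam()
    att.jam(fob.press("unlock"))                         # press 1: jammed, captured
    att.jam(fob.press("unlock"))                         # press 2: jammed, captured
    first_unlock = att.replay_oldest(car, "unlock")      # car opens; owner thinks press 2 worked
    att.jam(fob.press("lock"))                           # owner locks later: jammed, captured
    rewritten_lock = att.replay_oldest(car, "lock")      # stashed unlock code sent as lock
    rewritten_unlock = att.replay_oldest(car, "unlock")  # stashed lock code sent as unlock
    att.jam(fob.press("lock"))                           # one more jammed press
    verbatim_replay = att.replay_oldest(car)             # replayed unchanged: still a future code
    stale_msg = {"tag": bound_tag(key, 0, "unlock") if bound else rolling_code(key, 0),
                 "cmd": "unlock"}                        # counter 0 was consumed long ago
    stale_replay = car.receive(stale_msg)
    return {"first_unlock": first_unlock, "rewritten_lock": rewritten_lock,
            "rewritten_unlock": rewritten_unlock, "verbatim_replay": verbatim_replay,
            "stale_replay": stale_replay}


if __name__ == "__main__":
    print("unbound command:", run(bound=False))
    print("bound command:  ", run(bound=True))
```

Binding the command into the MAC stops the lock-to-unlock rewrite, but `verbatim_replay` succeeds in both variants: a jammed, unheard code is still a valid future code, which is why the talk points to time-based codes or challenge-response rather than a better MAC alone.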
Thanks so much for coming. If you guys enjoyed it, I'm happy to take any questions. Thanks. [Audience question] Yes, I reported all of them. [Audience question] What did they do? Well, they all came out with new apps. The first one, GM, did not reach out; I mean, it was impossible to contact them. They had no way for researchers to reach them, so I called them, I went to support, escalated it, I emailed, I went through their website; I literally never heard back. Then I released a demonstration; I didn't release the code or anything, and then I got called within 24 hours. Benz, BMW, etc. all fixed it; everyone fixed it within a few days, which is great, because it's just an app update. [Audience question] None of them had bounty programs, and none of them had security presences that I could actually communicate with. Literally all these companies had no security response. This is a new area, at least for the vehicles. Now GM does have a security program; I'm sure they do. [Audience question] Yes, the future code expires all the previous ones, correct. So this is the device, actually a new device I've created that's smaller and cheaper, $30, and you put it under their car so it always has the next code. So literally they have to press the button twice every time, and we adapt pretty quickly; we just get used to it. Now you just hit it twice; it works the second time every time. [Audience question] Absolutely, that's a great idea. Yeah, actually you can do that, so you only take... that's a good point, I didn't think of that. Correct. Yes, many, many field tests; you'll actually see the lawn is like half empty now. Thanks for coming. Any other questions? Yes, sure. Yeah, the amplification attack is really interesting. A lot of us have keys that we keep in our vehicle or in our pocket, and we
can go up to our car, pull the door, and it'll send a signal out that our key detects, and then it will perform a challenge-response back, right? And for starting the car it actually uses the signal strength, so it knows that you're in the car; if the signal strength is too low it says, oh, you're outside of the car, I'm not going to start the vehicle, you have to be inside the car. But as you say, you can perform an amplification attack where, let's say you have two people, you go up to the car, you pull the door, it sends the signal, your device amplifies that signal or sends it wirelessly somewhere else, where it gets retransmitted near the person's car key, in a restaurant or outside of their house, and then you can unlock and start their vehicle and drive away. And vehicles cannot stop if they detect the key is no longer in the car; it would be too dangerous, right? If you're on the freeway or something, what happens? So the car will continue to go and you take it to your chop shop. [Audience question] Yes, that's correct; all of them do have some amount of timing, but it's lax enough that you can perform the attack in every case that I've seen. [Audience question] I mean, they're all vehicles; they're all using some of the same chipsets from the same companies, so it's all the same attack. [Audience question] Absolutely. I feel like this is, as we were talking about earlier, the web 10 years ago, 10 or 15 years ago: everything had SQLi, everything had RFI; now only most things have XSS and SQLi and RFI. So I think in another 10 years hopefully we'll have a lot more hardware and radio security. I hope so; I suspect we will. [Audience question] That was a different... that was someone else. [Audience question] Security people? No, seriously, I don't think they have security people; I think that's a new thing. Oh, interesting, wow, I didn't know that. Very cool, awesome.
Okay, well, thanks so much, everyone.
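The SSL certificate validation failure from the OwnStar part of the talk, shown as a Python example added by the editor; this is not code from the talk or from any of the apps named in it. It contrasts a client that accepts any certificate (what the talk describes the apps doing) with one that validates the chain and also pins the server certificate, and decodes the Basic-auth header a man-in-the-middle would read from the plaintext. The host, pin values and the sample header are constructed for illustration.

```python
"""
Editor's added example, not code from the talk or from any vendor app. Contrasts
the accept-anything TLS client the talk describes with a validating, pinning client,
and decodes the Basic-auth header an interceptor sees once the session is decrypted.
Pins and the sample header are constructed.
"""
import base64
import hashlib
import socket
import ssl


def vulnerable_context() -> ssl.SSLContext:
    """Encrypts, but trusts any key: a home-made CA, or no CA at all, decrypts the session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Chain validation against the system roots plus hostname matching."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_validating(ctx: ssl.SSLContext) -> bool:
    """True only if the context both verifies the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate: the value an app ships as its pin."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_ok(der_cert: bytes, pins: set) -> bool:
    """True only if the presented certificate is one the app was built to expect."""
    return fingerprint(der_cert) in pins


def connect_pinned(host: str, port: int, pins: set, timeout: float = 10.0) -> str:
    """Handshake with full validation, then refuse the session unless the pin matches.
    Makes a network connection, so it is not exercised offline; returns the peer
    fingerprint on success."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if der is None or not pin_ok(der, pins):
                raise ssl.SSLError(f"certificate pin mismatch for {host}")
            return fingerprint(der)


def credentials_from_basic(header_value: str) -> tuple:
    """What the interceptor reads off the wire: Basic auth is encoding, not protection."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


# Constructed sample header of the kind the talk describes seeing in decrypted traffic.
SAMPLE_AUTH = "Basic " + base64.b64encode(b"owner@example.com:hunter2").decode()

if __name__ == "__main__":
    print("vulnerable validates:", is_validating(vulnerable_context()))
    print("hardened validates:  ", is_validating(hardened_context()))
    print("credentials on the wire:", credentials_from_basic(SAMPLE_AUTH))
```

`connect_pinned` is the shape of the fix the talk recommends: the app still validates against the system roots, but a certificate issued by any other CA, whether a researcher's or a compromised public one, fails the pin check even though it chains correctly. Pinning the whole certificate, as here, means the pin set must be rotated whenever the server certificate is reissued; pinning the public key instead avoids that but needs an SPKI parser.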
Info
Channel: OWASP
Views: 705,642
Rating: 4.9017205 out of 5
Keywords: owasp, appsec
Id: 1RipwqJG50c
Length: 51min 12sec (3072 seconds)
Published: Mon Mar 21 2016