Unlocking Car Doors with the HackRF Replay Attack

Captions
Hey guys, welcome to the HackedExistence demo on replay attacks with the HackRF One with the PortaPack. So in this video I will show you guys how I took my car alarm remote and cloned the functionality of it onto the PortaPack, so that I can unlock and remote start my truck using just the PortaPack. So before we jump in on how to do it, let's take a look at it in action.

Okay, so I'm just going to replay the signal that we captured from the remote, and there you can see the door unlocks.

Okay, so the reason we were able to transmit this signal here and have it unlock the truck is because this remote uses a static code. What that means is that every time you push this button, no matter how many times you push it, it's always going to generate the exact same signal. So all we have to do is capture that signal by being in range when somebody presses the button, and then transmit that signal on the same frequency, and the doors will unlock.

So how do we figure out what frequency that's at? Well, looking at the back of the remote we can see the FCC ID here. If we take that and type it into fccid.io, it'll bring up all the information about it, and we can see the first thing here is the frequency range of 305.3 to 306.3 megahertz. Sometimes this will be an exact frequency; in this case it's a range, so we'll have to narrow down where the signal is at in the range. We'll use the HackRF One to do that. A quick note: there's tons of other really good technical information down here about the transmitter, so if you're looking something up on here, definitely dig through there. You also don't need the FCC ID to figure out the frequency; it's just a very tedious task. So let's jump over to the HackRF.

Okay, so now we need to find the frequency at the center of the signal that comes out of the remote, and in order to do that we're going to use the PortaPack with the Havoc firmware. We're going to use the Search Close Call function. We'll set the minimum to be 305.3 and the max to be 306.3; we got that from the FCC page. Now I'll just click the button, and we'll see that it lights up with 306.175 as the frequency, and if you look closely right here you can actually see the signal on a little tiny scope there. But now we know we're at 306.175, so if we back out here and go to Capture, we'll set this frequency here to 306.175. Now if I click the button we can't see a whole lot going on, but if we go up to this rate here and start zooming in, as we get closer and closer, right around there at 3k, you can see that signal fly by. So that's the signal we're going to capture. In order to do that I'm just going to go down here to the record button: I'll press record, click, press record again, and that's it. Now we've captured the unlock signal. We'll go to Replay, open file, go all the way to the last file we made, and now let's go check out the truck.

Okay, so now we'll just replay the signal that we captured, and the door is unlocked. So now, for good measure, let's go capture the remote start signal.

Okay, so back in the Capture function we already know the frequency and the rate, so I'm just going to hit record, hit remote start, and hit record again. And now let's go try it.

Okay, so now inside the truck I will replay the remote start signal, and we'll see the accessories kick on, and there's the ignition.

Okay, so at this point I've successfully demonstrated how to capture and replay the unlock and remote start signals from my car alarm. But I don't want you guys to think that you can just run out, buy a HackRF One, slap a PortaPack on it, dump the Havoc firmware, and you're going to go out there and start opening people's vehicles. Of all the car alarms that I've tested so far, this is the only one that was vulnerable to a replay attack, because it uses a static code. So this is going to be rare in anything that's halfway modern or has a halfway decent sense of security; all of those kinds of devices are going to implement a rolling code.

So where else are we going to see things that implement a static code? Well, old-school garage door openers that use DIP switches: these are setting a static code, so garage door openers that implement this type of DIP switch setting are going to be vulnerable to a replay attack. Low-end electronics like basic RC cars that use a very simple transmitter, those are going to implement a static code and be vulnerable to replays. But for the most part, anything halfway modern and with a halfway decent sense of security is going to implement a rolling code that's significantly harder to compromise. So what I want you guys to take away from this video is: if you're trying to secure something, definitely make sure that it has a rolling code.

I hope you guys enjoyed this video. I had a lot of fun learning about radio signaling and making this video, implementing this attack. So plenty more content to come, stay tuned, and thanks for watching.
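The static-code versus rolling-code distinction the speaker closes on is easiest to see in a receiver model. The block below is an added example written for this page, not code from the video or from HackedExistence, and it does not model any particular remote. It pairs a static-code fob and receiver (the replayed frame is accepted every time) with a simplified rolling-code pair, in which each press carries an incrementing counter authenticated by a truncated HMAC-SHA256 tag. The HMAC, the 16-press resync window, the key and the serial number are all assumptions of the example; a commercial fob uses its own proprietary cipher and window size.

```python
"""Replay-attack model: static-code fob vs. rolling-code fob (added example, not the video's code)."""
import hashlib
import hmac

# Constructed demo secrets for this example; a real fob's key is provisioned at manufacture.
DEMO_KEY = b"demo-key-not-a-real-fob-key"
DEMO_SERIAL = 0x00C0FFEE


class StaticFob:
    """Fob that sends the same fixed frame on every press (what the video's remote does)."""

    def __init__(self, code: bytes) -> None:
        self.code = code

    def press(self) -> bytes:
        return self.code


class StaticReceiver:
    """Accepts any frame equal to the provisioned code, so a captured frame works forever."""

    def __init__(self, code: bytes) -> None:
        self.code = code

    def receive(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)


def rolling_frame(key: bytes, serial: int, counter: int) -> bytes:
    """Frame = serial(4) || counter(4) || 64-bit tag.  HMAC-SHA256 stands in here for the
    proprietary block cipher a commercial fob would use (assumption for this example)."""
    body = serial.to_bytes(4, "big") + counter.to_bytes(4, "big")
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag


class RollingFob:
    """Fob whose counter advances on every press, so no two frames are alike."""

    def __init__(self, key: bytes, serial: int) -> None:
        self.key, self.serial, self.counter = key, serial, 0

    def press(self) -> bytes:
        self.counter += 1
        return rolling_frame(self.key, self.serial, self.counter)


class RollingReceiver:
    """Accepts a frame only if its tag verifies and its counter is ahead of the last one
    seen, by no more than WINDOW (tolerates presses made out of range, rejects replays)."""

    WINDOW = 16  # assumed resync window; real products choose their own

    def __init__(self, key: bytes, serial: int) -> None:
        self.key, self.serial, self.last_counter = key, serial, 0

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 16:
            return False
        body, tag = frame[:8], frame[8:]
        serial = int.from_bytes(body[:4], "big")
        counter = int.from_bytes(body[4:], "big")
        if serial != self.serial:
            return False
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False
        # A replayed frame carries a counter <= last_counter and is rejected here.
        if not self.last_counter < counter <= self.last_counter + self.WINDOW:
            return False
        self.last_counter = counter
        return True


def run_demo() -> dict:
    """Replay one captured frame against each receiver and report what each accepts."""
    results = {}

    static_fob = StaticFob(b"\xa5\x3c\x7e\x11")
    static_rx = StaticReceiver(b"\xa5\x3c\x7e\x11")
    captured = static_fob.press()                            # attacker records one press
    results["static_live"] = static_rx.receive(captured)
    results["static_replay"] = static_rx.receive(captured)   # same bytes, still accepted

    fob = RollingFob(DEMO_KEY, DEMO_SERIAL)
    rx = RollingReceiver(DEMO_KEY, DEMO_SERIAL)
    captured = fob.press()
    results["rolling_live"] = rx.receive(captured)
    results["rolling_replay"] = rx.receive(captured)         # counter not ahead: rejected
    for _ in range(5):                                       # presses made out of range
        fob.press()
    results["rolling_after_skipped"] = rx.receive(fob.press())   # within window: resyncs
    for _ in range(RollingReceiver.WINDOW + 5):
        fob.press()
    results["rolling_beyond_window"] = rx.receive(fob.press())   # too far ahead: rejected
    results["rolling_forged_tag"] = rx.receive(
        rolling_frame(b"wrong-key", DEMO_SERIAL, rx.last_counter + 1))
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:24s} {'ACCEPTED' if ok else 'rejected'}")
```

Running the block prints one line per scenario: the static receiver accepts the captured frame on replay, while the rolling receiver accepts it only once and rejects the replay, a frame too far ahead of its last counter, and a frame whose tag was computed under the wrong key. Note the trade-off the window encodes in this model: a frame the receiver has not yet seen stays valid until a later counter reaches it, so the window is a tolerance for out-of-range presses rather than a guarantee that every captured frame is useless.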
Info
Channel: HackedExistence
Views: 597,520
Keywords: HackRF, Car Alarm, Car Hacking, radio, SDR, software defined radio, portapack, havoc firmware, replay attack
Id: CA3XnGyD-SQ
Length: 4min 42sec (282 seconds)
Published: Mon Jan 28 2019