Pratham AI Systems

The Car on the Road Code

In this series of car hacking articles, I will discuss how a car can be opened by an attacker without using its key fob. It will be useful for all vehicle owners who use automatic (keyless) vehicles, and also for anyone who uses RF devices or technologies such as Wi-Fi, Bluetooth and Near Field Communication (NFC).

Disclaimer: This article is only for educational purposes. It does not encourage any illegal activity.

Contents

  • Introduction
  • Types of Key fob attacks
  • Tools and technologies
  • Case study
  • Conclusions

Introduction

A vehicle that can sense its environment and navigate without human interaction is termed an autonomous vehicle. It is an emerging, advanced form of automated control system for cars. An autonomous car is also known as an autonomous vehicle, self-driving car, robot car or driverless car. It automatically selects and navigates a path, and senses information from sensor devices, relevant signage and obstacles on the route. Autonomous vehicles have become one of the most widespread users of wireless technology in vehicles, from road-safety applications to entertainment.

Software defined radio (SDR) is a radio communication system in which components that have traditionally been implemented in analog hardware are instead implemented in software on a personal computer or embedded system. Technologies that use radio signals include Bluetooth, Wi-Fi, NFC and satellite links. Radio signals are used in navigation, radio and television broadcasting, air-traffic control, cellular telephony, drones, remote-controlled toys and key fobs. Ships, aircraft and drones all rely on radio signals for navigation and geolocation.

Modern vehicles are often equipped with a remote keyless entry (RKE) system, which allows the vehicle to be unlocked or started remotely. In most countries, including India, the RKE system operates at 315 MHz, with a range of 30-100 meters. A key fob may use either a simple (fixed) code or rolling codes. A fixed-code key fob sends the same code every time a button is pressed, so the same code opens and closes the car doors each time. An attacker can record the key code sent over the radio and later send the same code to unlock the car; this is called a replay attack because the recorded code is replayed to the car. To defeat replay attacks, car manufacturers introduced rolling codes: every time a button on the key is pressed, the fob sends a different code to the car. If the code matches, the car unlocks; otherwise it does not. The key holds a long list of codes and the car holds a matching list. The rolling-code scheme uses an algorithm to generate each code and to check it against the value the car expects.

The Federal Communications Commission (FCC) regulates interstate and international communications by radio, television, wire, satellite and cable. Every RF device carries an FCC ID, which provides information about the device and the radio frequencies it uses to communicate. The frequencies used by a device can be looked up at https://fcc.io.

Types of Key fob attacks

  1. Replay attack: a wireless signal such as a door-unlock signal is recorded and then played back at a later time with a device such as a HackRF SDR.
  2. Jamming attack: the legitimate signal is overpowered by an even stronger signal, essentially one that is louder and drowns out the regular wireless frequency.
  3. Denial of Service (DoS) attack: signals are thrown randomly into the airwaves so as to block a signal from being able to communicate.
  4. Jamming and replay attack: the attacker first jams the signal, captures it, and then replays it to open the car door.

A fixed code from a simple key fob can be captured and replayed to perform a replay attack:

a. The attacker jams the key fob's radio signal at a slightly deviated frequency.

b. The attacker receives the signal on the fob's frequency with a tight receive filter bandwidth, so the jamming does not affect the capture.

c. When the user presses the key, the car cannot read the signal because of the jamming.

d. Once the attacker has the code, the jamming is stopped and the same signal can be replayed to unlock the car.

A rolling-code system in keyless entry systems is meant to prevent replay attacks. After each key fob button press, the rolling code's synchronisation counter is incremented. However, the vehicle receiver accepts a sliding window of codes by design, to tolerate accidental key presses. By sending commands in a consecutive sequence to the vehicle, the counter can be resynchronised. Once the counter has been resynced, commands from the previous cycle of the counter work again, and so those commands can be used later to unlock the car at will. By jamming and capturing the signal, the rolling code can be broken.

a. Jam + Listen(1), Jam + Listen(2), Replay(1)
b. Jam at a slightly deviated frequency
c. Receive on the fob's frequency with a tight receive filter bandwidth to evade the jamming
d. When the user presses the key, the car cannot read the signal because of the jamming
e. The user presses the key again; the attacker now has two rolling codes
f. The attacker replays the first code to get into the car and still holds the second code

The Rolling-PWN bug is a serious vulnerability. Rolling-PWN is found in a vulnerable version of the rolling-code mechanism implemented in a huge number of Honda vehicles. The remote keyless system on most Honda vehicles sends the same RF signal for each door-open request, which allows a replay attack. What the researchers found is effectively a FIXED CODE vulnerability, where an attacker records the transmission in advance and replays it later to lock or unlock the car door. After each key fob button press, the rolling code's synchronising counter is incremented. However, the vehicle receiver accepts a sliding window of codes, by design, to tolerate accidental key presses. By sending commands in a consecutive sequence to the Honda vehicle, the counter is resynchronised. Once the counter has been resynced, commands from the previous cycle of the counter work again, and so those commands can be used later to unlock the car.
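The difference between a correctly enforced rolling-code window and the resynchronisation weakness described above, as an added toy simulation that is not Honda's or any vendor's protocol: codes are modelled as a counter plus an HMAC tag over a constructed shared key; the hardened receiver only ever moves its counter forward, while the flawed variant lets a run of three consecutive older codes reset it, after which codes from that earlier cycle are accepted again.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # fob/car shared secret, constructed for this example
WINDOW = 16                    # forward codes accepted, to absorb accidental button presses


def make_code(counter: int) -> tuple:
    """Fob side: a code is the counter plus an 8-byte HMAC tag over it."""
    tag = hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]
    return counter, tag


class Receiver:
    def __init__(self, strict: bool):
        self.strict = strict   # True: hardened check; False: flawed resync behaviour
        self.last = 0          # highest counter accepted so far
        self.recent = []       # out-of-window counters seen (used only by the flawed path)

    def accept(self, code) -> bool:
        counter, tag = code
        _, expected = make_code(counter)
        if not hmac.compare_digest(tag, expected):
            return False                 # forged or corrupted transmission
        if self.last < counter <= self.last + WINDOW:
            self.last = counter          # normal forward step inside the window
            return True
        if self.strict:
            return False                 # hardened: a counter at or below the last one is never accepted
        # Flawed path: three consecutive out-of-window codes "resynchronise" the
        # receiver to that counter, so codes from the previous cycle work again.
        self.recent = (self.recent + [counter])[-3:]
        if self.recent == list(range(counter - 2, counter + 1)):
            self.last = counter
            return True
        return False


def demo(strict: bool) -> dict:
    """Owner presses the fob for codes 1..7 while a passive listener records 1..5."""
    rx = Receiver(strict)
    captured = [make_code(c) for c in range(1, 6)]
    for c in range(1, 8):
        rx.accept(make_code(c))              # legitimate use moves the car to counter 7
    direct = rx.accept(captured[4])          # old code 5 replayed on its own
    for code in captured[:3]:
        rx.accept(code)                      # the consecutive run 1, 2, 3
    after_resync = rx.accept(captured[3])    # old code 4 after the run
    return {"direct_replay": direct, "after_resync": after_resync}
```

The hardened receiver rejects both replays; the flawed one rejects the lone replay but accepts old code 4 once the run has dragged its counter back to 3.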

The Rolling-PWN vulnerability affects all Honda vehicles currently on the market (from model year 2012 up to 2022). This weakness allows anyone to permanently open the car door or even start the engine from a long distance.
The researchers successfully tested the 10 most popular Honda models from 2012 to 2022 from an attacker's perspective, and therefore strongly believe the vulnerability affects all Honda vehicles currently on the market.

Figure: Key fob

CVE-2021-46145 is the official reference for this bug. CVE (Common Vulnerabilities and Exposures) is the standard for information security vulnerability names maintained by MITRE.
The exploitation leaves no trace in traditional log files. Given the ease of exploitation and the absence of traces, this threat should be taken seriously.
The attack relies on a weakness that allows someone with a software defined radio, such as a HackRF, to capture the code the car owner uses to open the car and then replay it so that the attacker can open the car as well. The car uses a so-called rolling-code mechanism, which means that every time the owner uses the key fob it sends a different code; this should make it impossible to capture a code and use it again. But the researchers found a flaw that allows them to roll back the codes and reuse old codes to open the car. All Honda models from 2012 to 2022 are vulnerable to this attack.

Tools and techniques

The devices used to capture radio frequencies are the RTL-SDR, HackRF One, LimeSDR and BladeRF.

The RTL-SDR is only a receiver: it can receive a signal but cannot transmit.

HackRF One is an SDR peripheral capable of transmitting or receiving radio signals from 10 MHz to 6 GHz. HackRF is the least expensive effective SDR device for SDR hacking.

DragonOS Focal is an out-of-the-box Lubuntu 20.04 based x86_64 operating system for anyone interested in software defined radio. DragonOS is the straight line between you and software defined radio: it leverages the portability, security and power of Lubuntu Linux as a delivery package and operating environment for a pre-installed suite of the most powerful and accessible open source SDR software. DragonOS has verified support for a range of inexpensive and powerful SDR hardware, including the RTL-SDR, HackRF One, LimeSDR, BladeRF and many others.

The software used with SDRs includes SDR# (SDRSharp), Universal Radio Hacker and GQRX. All are free, open source, easy to use and work with most SDR hardware.

Case studies

In the television series Homeland, US Vice President William Walden is assassinated by a terrorist who hacks into his Internet-enabled heart pacemaker and accelerates his heartbeat until he has a heart attack.

Medical devices such as insulin pumps, continuous glucose monitors, and pacemakers or defibrillators have become increasingly small and wearable in recent years. They often connect to a hand-held controller over short distances using Bluetooth. Often, either the controller or the device itself is connected to the Internet over Wi-Fi so that data can be sent directly to clinicians. Security experts have demonstrated that, with easily available hardware, a user manual and the device's PIN, they can take control of a device or monitor the data it sends.

The RUSI (Royal United Services Institute) noted that the BaoFeng UV-82HP radio operates on the V/UHF wavebands and lacks military-grade encryption. This triggered immediate speculation about the health and performance of Russian Armed Forces radio communications. In the Ukraine war the Russians have not been encrypting their radio communications, so Ukraine had all the information related to their forces and strategies.

Most of the bomb attacks in Afghanistan and Iraq used radio signals to trigger the bomb.

At most political gatherings, security agencies block radio signals in the immediate vicinity so that no attacker can transmit. They jam the signals around them because such signals could be used to trigger a bomb.

Conclusions

In this article I discussed how an attacker can open a car door without the key with the help of SDR devices. Beyond cars, almost all devices and technologies that use radio frequencies can be attacked using SDR devices, including drones, Wi-Fi devices, airplanes, NFC devices and Bluetooth devices.

In the next article I will discuss the different ways to get into a car.

References

https://fcc.io

https://nvd.nist.gov/vuln/detail/CVE-2021-46145


Amar Nayak

22 years of experience in Training, Programming, and Research.
Certifications: IBM DB2, IBM WebSphere, IBM Tivoli, OCA, OCP, SCJP (OCJP), CCNA, RHCE,

https://prathamai.com
