Car hacking tutorial: Replay attack /w SDR

August 31, 2017
sdr car hacking infosec embedded

Replay attacks

SDR

Image taken from: NullBytes

If you want to find out what SDR is, check out my other post:

Tempest attacks

Remote keyless systems

Wiki defines RKS as:

The term remote keyless system (RKS), also called keyless entry or remote central locking, refers to a lock that uses an electronic remote control as a key which is activated by a handheld device or automatically by proximity.

As we all know, today's cars come with keys that can remotely lock and unlock the car at the push of a button. No more pesky key insertions, twisting, and manual locking/unlocking. Technology!

Yeah, about that…

RKS uses radio to send a lock or unlock signal to the car. Have you ever wondered what would happen if someone could record that signal and simply replay it once you've left your car in the parking lot?

Let’s find out.

Target

We’ll be attacking an Opel Astra car, the only car I was close to at the time of writing.

Image taken from: Opel Astra Wiki

Gear: HackRF One

HackRF One is an SDR device that can transmit and receive radio signals from 1 MHz up to 6 GHz. It was designed to enable testing and development of modern and next-generation radio technologies. It is an open-source hardware platform that can be used as a USB peripheral or programmed for stand-alone operation.

We'll be using it to receive and transmit the signal.

Determining the frequency

First and most important, the frequency on which the key operates needs to be determined. For that, CubicSDR can be used, with a HackRF connected to the computer running it.

After opening CubicSDR, the band between 433 and 434 MHz can be scanned; based on some quick online research, that is the most likely range for the key to operate in. Even with no clue whatsoever what the frequency is, the search range can be broadened and then zoomed into the first signal whose timing matches presses of the buttons on the RF controller. The frequency found is around 433.9 MHz. Since each SDR receiver has its own margin of error (many software programs use frequency correction to deal with this), it is safe to assume that the key is indeed using the standard 433.92 MHz frequency that most car keys operate on. It is also clear that the HackRF has no trouble picking up the signal the car key sends.

Recording the signal

Now that the frequency the car key operates on is known, it is possible to intercept the signal using GNURadio Companion and record it to a file so it can be replayed later.

As seen in the picture above, the flowgraph is really simple. On the left there is a Variable block that sets the sample rate, 10 million samples per second, and an osmocom Source block. The osmocom blocks were primarily developed for OsmoSDR hardware by Osmocom, but they in fact support a wide range of devices, including the HackRF through the libhackrf library written by the creator of HackRF, Michael Ossmann. These blocks let GNURadio interact with the HackRF device. The Source block in particular lets the user tune the device with the desired settings and then receive and manipulate the samples it delivers. On the right there is a QT GUI Time Sink, which visualises the received data so that the Source block's settings can be adjusted if necessary. Last, there is the File Sink, which streams the samples from the source directly to a file on the computer running GNURadio. Since the osmocom Source block is the most important part of this flowgraph, each of its settings will be analysed, explaining what it is used for; they will also be of use when describing the flowgraph used for the replay.

Upon executing the flowgraph and pressing the unlock button on the car key, the waveform of the signal the key sends can be seen. After stopping the flowgraph, a file containing the signal should be stored on the computer running GNURadio. Because of the high sample rate, the file can easily reach 1 GB for a few seconds of recording.

Analysing and replaying the signal

After recording the signal, we're ready to begin the replay phase. First, a flowgraph for replaying the signal has to be built, and the signal quality needs to be checked to determine whether it is good enough to be reproduced reliably.

The flowgraph for replaying the signal is also fairly simple. The difference is that this one uses an osmocom Sink block to send the recorded data through the HackRF, plus a Throttle block, since visualising the raw data with the QT Sink would otherwise be very CPU intensive. After trying to replay the captured signal as recorded, nothing happens: the attack doesn't work. The reason can be seen in the QT GUI Time Sink.

It is easy to see that the maximum and minimum amplitude reached is only about 0.35, which isn't great considering the range runs from -1 up to 1. So the signal needs to be amplified somehow, at least doubled, to reach an amplitude of 0.7 or more, and GNURadio has just the block for that.

The block is called Multiply Constant, and it multiplies the captured signal by any given number. Since the goal is to at least double the signal amplitude, 2 can be used as the constant.

Upon executing the replay attack, the difference in the amplitude of the signal being sent to the car is immediately visible, and sure enough, the attack works. The car can now be locked or unlocked by running the flowgraph against the file containing the saved signal.
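To check a recording's amplitude before picking the Multiply Constant value, here is an added Python example (not code from the original post) that reads the File Sink's complex float32 I/Q format and reports how far the peak can be scaled before the transmit chain clips at 1.0. The burst it analyses is constructed rather than a real capture, and its 0.35 peak mirrors the figure seen in the Time Sink above.

```python
"""Peak-amplitude check for a GNU Radio File Sink recording (complex float32,
I/Q interleaved) and the largest gain that still avoids clipping at |x| = 1.0.
Added example, not code from the original post; the burst is constructed."""
import math
from array import array


def peak_amplitude(iq: bytes) -> float:
    """Largest |I + jQ| in a complex float32 recording (File Sink format)."""
    samples = array("f")
    samples.frombytes(iq)  # native float32; GNU Radio writes host byte order
    peak = 0.0
    for i in range(0, len(samples) - 1, 2):
        mag = math.hypot(samples[i], samples[i + 1])
        if mag > peak:
            peak = mag
    return peak


def max_safe_gain(peak: float, ceiling: float = 1.0) -> float:
    """Multiply Constant value that lifts the peak exactly to `ceiling`."""
    if peak <= 0.0:
        raise ValueError("recording contains no signal")
    return ceiling / peak


def scaled_peak(peak: float, gain: float) -> float:
    """Peak after Multiply Constant; anything above 1.0 is clipped by the sink."""
    return peak * gain


def make_ook_burst(amplitude: float, n_symbols: int = 32,
                   samples_per_symbol: int = 64) -> bytes:
    """Constructed on/off-keyed burst (alternating symbols) with the given peak."""
    out = array("f")
    for sym in range(n_symbols):
        level = amplitude if sym % 2 == 0 else 0.0
        for k in range(samples_per_symbol):
            phase = 2 * math.pi * 0.05 * k  # small tuning offset, as in a real capture
            out.append(level * math.cos(phase))  # I
            out.append(level * math.sin(phase))  # Q
    return out.tobytes()


if __name__ == "__main__":
    capture = make_ook_burst(0.35)  # mimics the ~0.35 peak seen in the post
    p = peak_amplitude(capture)
    print(f"peak {p:.2f}; gain 2 -> {scaled_peak(p, 2.0):.2f}; "
          f"max safe gain {max_safe_gain(p):.2f}")
```

A gain of 2 brings the 0.35 peak to 0.7 as in the post, while anything above roughly 2.86 would push the peak past 1.0 and clip the burst.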
