Breaking RF Unlock Codes 
They said it couldn’t be done
Bryan C. Geraghty 
@archwisp 
Security Consultant, Security PS
Over the next 15 minutes… 
My Goal 
My Prior Knowledge 
The Target 
Attack Hardware 
Attack Software 
Signal Analysis 
Cracking 
LIVE DEMO 
What’s Next?
The Goal 
Unlock a car by forging a radio frequency signal 
A jamming & replay attack has already been published 
I will not be talking about that 
This attack exploits the predictability of unlock codes 
This is not a man-in-the-middle attack 
I have not found any published research on this
Disclaimer 
I have not completely broken the codes… yet 
I will not be releasing any of my code… yet 
I will not be disclosing car models… yet
Prior Knowledge 
Before starting on this project, I had done: 
A lot of programming 
No work with RF whatsoever 
Some cryptanalysis 
A little bit of research on RF signal analysis 
I submitted my proposal for this project in June 2014
The Target 
Most modern vehicles can be unlocked with a key fob 
Sends a code that unlocks the car 
Rolling code system mitigates replay attacks
Attack Hardware 
Software Defined Radio Receiver 
RTL2832 w/R820T 
Adafruit - $22.50 
RF Link Transmitter - 315MHz 
WRL-10535 
SparkFun - $3.95 
Total: $26.45
Attack Hardware (Alternate) 
HackRF One 
SDR Transceiver 
SparkFun - $299.95
Attack Software 
SDRSharp 
SDR Tuner 
Capture data 
FREE! 
Custom Code 
Frame Dumper 
Demodulator 
Encoder 
Signal Generator 
TIME!
Signal Analysis 
Find and capture the signal
Signal Analysis 
Yay! I captured some funny sounds! Now what?
Signal Analysis 
Dump MSB from one channel of WAV frame data
Signal Analysis 
Identify threshold value for binary conversion 
Threshold: If the hex value is greater than 32, it gets converted to a 1. Otherwise, it gets converted to a 0.
Signal Analysis 
Pulse-width demodulate the binary data 
Another Threshold: 
If the pulse is longer than 28 bits, it gets converted to a 1. Otherwise, it gets converted to a 0.
Signal Analysis 
Hex encode the binary data for analysis
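
The four steps above (MSB dump, level threshold, pulse-width demodulation, hex encoding), as an added Python example; this is not the presenter's code, which was not released. Assumptions: the capture is 16-bit PCM WAV, the threshold of 32 is read as decimal and applied to the signed high byte, runs shorter than a hypothetical 4-sample floor are treated as noise, and the input is a constructed capture (long pulse = 1, short pulse = 0), not real key fob data.

```python
import io
import struct
import wave

LEVEL_THRESHOLD = 32   # slide value; read here as decimal (assumption)
PULSE_THRESHOLD = 28   # slide value, counted in samples
MIN_PULSE = 4          # hypothetical glitch floor, not from the slides


def dump_msb(wav_bytes, channel=0):
    """Return the signed most significant byte of each sample of one channel."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as wav:
        if wav.getsampwidth() != 2:
            raise ValueError("expected 16-bit PCM")
        nch = wav.getnchannels()
        frames = wav.readframes(wav.getnframes())
    samples = struct.unpack("<%dh" % (len(frames) // 2), frames)
    return [s >> 8 for s in samples[channel::nch]]


def to_binary(msbs, threshold=LEVEL_THRESHOLD):
    """Level threshold: above the threshold is 1, otherwise 0."""
    return [1 if v > threshold else 0 for v in msbs]


def pulse_width_demodulate(levels, threshold=PULSE_THRESHOLD, min_width=MIN_PULSE):
    """A run of 1s longer than `threshold` is a 1 bit, a shorter run is a 0 bit."""
    bits, run = [], 0
    for level in list(levels) + [0]:      # trailing 0 flushes the final pulse
        if level:
            run += 1
        elif run:
            if run >= min_width:          # drop isolated noise spikes
                bits.append(1 if run > threshold else 0)
            run = 0
    return bits


def hex_encode(bits):
    """Pack bits MSB-first into bytes (zero-padded) and hex encode them."""
    padded = bits + [0] * (-len(bits) % 8)
    chunks = (padded[i:i + 8] for i in range(0, len(padded), 8))
    return bytes(int("".join(map(str, c)), 2) for c in chunks).hex()


def build_constructed_wav(payload=b"\xa5\x3c"):
    """Constructed stereo capture: 40-sample pulse = 1, 15-sample pulse = 0."""
    hi, lo = 0x4000, 0x0300
    env = [lo] * 50 + [hi] * 2 + [lo] * 50      # silence with a 2-sample glitch
    for byte in payload:
        for i in range(7, -1, -1):
            env += [hi] * (40 if (byte >> i) & 1 else 15) + [lo] * 20
    buf = io.BytesIO()
    with wave.open(buf, "wb") as wav:
        wav.setnchannels(2)
        wav.setsampwidth(2)
        wav.setframerate(48000)
        wav.writeframes(b"".join(struct.pack("<hh", s, 0) for s in env))
    return buf.getvalue()


def decode(wav_bytes):
    """Run the full chain: WAV -> MSBs -> levels -> bits -> hex string."""
    return hex_encode(pulse_width_demodulate(to_binary(dump_msb(wav_bytes))))


if __name__ == "__main__":
    print(decode(build_constructed_wav()))
```

Both thresholds depend on the capture's sample rate and gain, so they have to be re-derived from the data for any other recording.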
Signal Analysis 
Capture samples!
Signal Analysis 
Analyze the samples
Cracking 
I identified a bunch of patterns 
I wrote some code to: 
Identify more patterns 
Generate signals using these patterns 
Compare them to sample signals 
I’ve gotten very close 
Let’s see how close…
LIVE DEMO 
Let’s hope this works…
Just in case the demo didn’t work…
What’s Next? 
Keep trying! 
Find a PRF cracking expert 
Collect hardware not attached to cars 
Collect samples from more vehicles 
Remote Start!
Thank you

Breaking RF Unlock Codes - Presented at TriKC 0x01 (November 2014)
