3. Over the next 15 minutes…
My Goal
My Prior Knowledge
The Target
Attack Hardware
Attack Software
Signal Analysis
Cracking
LIVE DEMO
What’s Next?
4. The Goal
Unlock a car by forging a radio frequency signal
A jamming & replay attack has already been published
I will not be talking about that
This attack exploits the predictability of unlock codes
This is not a man-in-the-middle attack
I have not found any published research on this
5. Disclaimer
I have not completely broken the codes… yet
I will not be releasing any of my code… yet
I will not be disclosing car models… yet
6. Prior Knowledge
Before starting on this project, I had done:
A lot of programming
No work with RF whatsoever
Some cryptanalysis
A little bit of research on RF signal analysis
I submitted my proposal for this project in June 2014
7. The Target
Most modern vehicles can be unlocked with a key fob
Sends a code that unlocks the car
Rolling code system mitigates replay attacks
8. Attack Hardware
Software Defined Radio Receiver
RTL2832 w/R820T
Adafruit - $22.50
RF Link Transmitter - 315MHz
WRL-10535
Sparkfun - $3.95
Total: $26.45
14. Signal Analysis
Identify threshold value for binary conversion
Threshold: If the hex value is greater than 32, it gets converted to a 1. Otherwise, it gets converted to a 0.
15. Signal Analysis
Pulse-width demodulate the binary data
Another Threshold:
If the pulse is longer than 28 bits, it gets converted to a 1. Otherwise, it gets converted to a 0.
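The two thresholds on slides 14 and 15 describe a standard two-stage demodulator for an on-off-keyed, pulse-width-modulated signal: first each sample is compared against an amplitude threshold to get a stream of 0/1 samples, then each run of consecutive 1s (a pulse) is measured and its width is compared against a second threshold to recover one data bit. The following Python is an added example written for this page, not the speaker's own code; it reuses the slide's numbers (sample > 32, pulse width > 28) and assumes the data bit is carried only by the width of each high pulse, with the gaps between pulses ignored. The input signal is constructed inline rather than captured from a radio.

```python
from itertools import groupby

AMPLITUDE_THRESHOLD = 32    # slide 14: sample > 32 -> 1, otherwise 0
PULSE_WIDTH_THRESHOLD = 28  # slide 15: pulse longer than 28 -> 1, otherwise 0


def samples_to_binary(samples, threshold=AMPLITUDE_THRESHOLD):
    """Stage 1: convert raw sample magnitudes to a stream of 0/1 samples."""
    return [1 if s > threshold else 0 for s in samples]


def pulse_runs(binary):
    """Return the lengths of the runs of consecutive 1-samples (the pulses), in order.
    Runs of 0-samples (the gaps) are dropped; only pulse width carries data here."""
    return [len(list(run)) for level, run in groupby(binary) if level == 1]


def pulse_width_demodulate(binary, threshold=PULSE_WIDTH_THRESHOLD):
    """Stage 2: each pulse becomes one bit, decided by its width."""
    return [1 if width > threshold else 0 for width in pulse_runs(binary)]


def decode(samples):
    """Full pipeline: raw samples -> binary samples -> data bits."""
    return pulse_width_demodulate(samples_to_binary(samples))


def make_samples(bits, long_width=40, short_width=15, gap=20, high=90, low=10):
    """Constructed test signal (assumed widths/amplitudes, not from the slides):
    a 1 bit is a pulse of long_width samples at amplitude `high`, a 0 bit a pulse
    of short_width samples, and every pulse is followed by `gap` samples at `low`."""
    samples = []
    for bit in bits:
        samples += [high] * (long_width if bit else short_width)
        samples += [low] * gap
    return samples


if __name__ == "__main__":
    payload = [1, 0, 1, 1, 0, 0, 1, 0]
    signal = make_samples(payload)
    print("samples:", len(signal))
    print("pulses :", pulse_runs(samples_to_binary(signal)))
    print("bits   :", decode(signal))
```

A practical caveat this code makes visible: a single noisy sample that dips to 32 or below in the middle of a long pulse splits it into two runs, so a 1 bit is read as two 0 bits and every later bit is shifted. Real captures therefore usually need a small debouncing step (merging runs separated by very short gaps) before the pulse-width threshold is applied; that step is left out here so the two thresholds from the slides are the only decisions being made.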
19. Cracking
I identified a bunch of patterns
I wrote some code to:
Identify more patterns
Generate signals using these patterns
Compare them to sample signals
I’ve gotten very close
Let’s see how close…