Onus Posted July 24, 2016 (edited)

I personally have not dabbled with RF hacking, so please forgive any ignorance that reveals itself with this post. I recently bought a 2016 Honda Civic. I live in a city neighborhood and park it on the one-way street that I live on. It, like most cars, has a key that also allows for remote locking / arming of the alarm, and unlocking, as well as opening the trunk.

Anyway, a few weeks into buying the car I started noticing my trunk would be open in the morning. At first I figured I must have accidentally hit the trunk button on the key, and started being much more careful about where I put my keys down. But it kept happening, always overnight and on my street. It was not happening when I stayed over at my girlfriend's for weeks at a time, or anywhere else. Just when I parked it on my street.

The other night 15 of my neighbors' cars on my street were all broken into, with their glove compartments rifled through. 2 cars were flat out stolen, and not a single alarm had gone off. None of the cars showed evidence of forced entry.. my car was one of them. My car was parked literally right outside my bedroom window and I know I would have heard the alarm.. the interesting thing to me was that after I heard about the break-ins, and rushed to check my car, I first tried clicking the lock/engage alarm button on my key.. only to find my car was not responding to it. I found my car unlocked, no evidence of tampering.. the key fob eventually started working again, only after I tried unlocking it first.. it was as if the key fob was out of sync and the rolling pin was off or something.. do you folks think my street was attacked with an SDR attack? Honda told me that my battery might be low.. trust me, it's not... I tested the battery, and everything works now.. I am almost certain it wasn't working because it somehow fell out of sync..

Also would love some clever ideas on how to fuck with these petty thieves should they do it again. #karateForDefence

Edited July 24, 2016 by Onus
axion Posted July 24, 2016

Most automatic car locks are actuated by a solenoid; any chance they were just using a really strong magnet to open the doors?
Onus (Author) Posted July 24, 2016

I don't know about that technique, but would that cause my remote key to be out of sync.. it seems to me that since my key remote wouldn't lock until I hit unlock, that indicates that the pin was probably incremented and my key was behind, thus out of sync.. does that make sense..
cooper Posted July 25, 2016

You have 2 keys, right? Both are fobs and both should Just Work (tm), no matter what had happened to the car before. If the key and the car really did go out of sync it means that you've re-synced one key but not yet the other. I'm quite sure the key syncs to the car and not the other way around, so if it really is a case of the two of them being out of sync the spare key should STILL be out of sync. Try that.

My guess is that whatever had happened put the car's lock system out of whack and it just wanted to verify that a valid key was present, i.e. inside the car. So bring the car to the dealer and let them run some diagnostics. This stuff should pop up and indicate in some way what happened when and, with a bit of luck, even how.

While you're there, give the dealer an earful about how such a modern car can be opened this trivially, and what THEY are going to do to prevent this from happening in the future.
0phoi5 Posted July 25, 2016

Yep, that sounds like an attack. I doubt they'll come back now, though. I was going to suggest a hidden camera pointing at your car, but I doubt they'll come back after that attack. They'll move on to another street in another town probably. If they do come back, they're idiots.
anode Posted July 25, 2016

About a fat year ago, a lot of cars were broken into, just like you described. A small device opens the door, without setting off the alarm. But can't start the car. If memory serves me right, it's a relay attack, where a device picks up your fob, then relays it to the car.
0phoi5 Posted July 27, 2016

> On 25/07/2016 at 0:17 PM, anode said:
> About a fat year ago, a lot of cars were broken into, just like you described. A small device opens the door, without setting off the alarm. But can't start the car. If memory serves me right, it's a relay attack, where a device picks up your fob, then relays it to the car.

Looks like a good possibility this was a similar attack. Found this, which explains the attack method nicely. Note that this states the emitter needs to be within close proximity to your key fob, in this case less than 30cm.

One simple method to discourage this type of attack would be to place your keys more than 30cm from your front door / front of the house. You could also place them inside something that blocks RF signals.
cooper Posted July 28, 2016 (edited)

Very interesting reading. It does imply that the lock being out of whack had exactly nothing to do with the attack, since everything that was happening did so according to protocol. The suggested mitigations seem valid too: keep the key in a metal container when at home, or if you choose to leave it out in the open (on a table or something) verify that clicking the unlock button on the fob at that distance doesn't actually open the car.

Main thing though, which you thankfully did right: don't keep important/expensive shit in your car overnight.

Edited July 28, 2016 by cooper
Just_a_User Posted August 30, 2016

I know I'm kinda late with this, but I was reading this post and it sounded like a rolljam attack I read about a little while back. It also explains the step out of sequence rolling code.

http://1abxf1rh6g01lhm2riyrt55k.wpengine.netdna-cdn.com/wp-content/uploads/2015/08/2015-defcon.pdf
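An added example (not from any poster in this thread, and not Honda's implementation) of the "out of sync" idea discussed above: a generic counter-window rolling-code receiver, showing which codes it accepts, which trigger a resync and which it rejects. HMAC-SHA256 stands in for the fob's cipher, and the key, window sizes and class names are assumptions.

```python
# Added illustration: generic counter-window rolling-code receiver.
# Assumed model; HMAC-SHA256 stands in for the fob's proprietary cipher.
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample secret
OPEN_WINDOW = 16               # codes this far ahead are accepted at once
RESYNC_WINDOW = 1024           # further ahead: two consecutive codes needed

def code(key, counter):
    """Rolling code transmitted for a given button-press counter."""
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256)
    return mac.hexdigest()[:16]

class Fob:
    def __init__(self, key, counter=0):
        self.key, self.counter = key, counter

    def press(self):
        self.counter += 1
        return code(self.key, self.counter)

class Receiver:
    def __init__(self, key, counter=0):
        self.key, self.counter = key, counter
        self.pending = None  # counter of a far-ahead code awaiting its successor

    def receive(self, rx):
        for ahead in range(1, RESYNC_WINDOW + 1):
            c = self.counter + ahead
            if not hmac.compare_digest(code(self.key, c), rx):
                continue
            if ahead <= OPEN_WINDOW or self.pending == c - 1:
                self.counter, self.pending = c, None
                return "accepted"
            self.pending = c
            return "resync"   # valid but too far ahead: press again
        return "rejected"     # already used, stale, or not from this fob

def demo():
    fob, car = Fob(KEY), Receiver(KEY)
    first = fob.press()
    results = [car.receive(first)]            # normal press
    results.append(car.receive(first))        # same code a second time
    for _ in range(40):                       # presses out of the car's range
        fob.press()
    results.append(car.receive(fob.press()))  # fob far ahead of the car
    results.append(car.receive(fob.press()))  # next consecutive code
    return results

if __name__ == "__main__":
    print(demo())
```

In this model a fob whose counter has run ahead still works, immediately or after a second press, while any code at or behind the receiver's counter is refused.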
Onus (Author) Posted August 30, 2016

I recently tried to do a rolljam on my car as a proof of concept.. using two YARD Stick Ones, one to jam and one to replay, but my car uses FSK not ASK and I can't seem to get a rolljam to work.. I can certainly jam my car so that it can't get the key fob's packet but can't seem to properly capture the packet/filter out the jam signal.. I'll check all the links above tonight..
Just_a_User Posted August 30, 2016 (edited)

Well, was just a thought, props for trying it yourself tho! I find this a real interesting hack.

In my searchings I found a post where they did what you did but with a VW that apparently used AM/OOK codes:

"attacks described in this blog post are specifically looking at AM/OOK codes, however some cars use different modulations such as FSK which makes the jamming and capturing of the codes much more difficult (and naturally my scripts would not work with those unless they were modified). However the attack in theory should still work against it."

Might be worth a look: https://andrewmohawk.com/2016/02/05/bypassing-rolling-code-systems/

Edited August 30, 2016 by Just_a_User
i8igmac Posted August 30, 2016

http://thehackernews.com/2016/08/hack-unlock-car-door.html?m=1

This is a huge bug that I figure would hit the local news channels soon... Set up some cameras... Go the extra mile and plant a GPS device in a cheap laptop and wait for it to be stolen.
Onus (Author) Posted August 30, 2016

Ha, I have thought about opening up an old laptop and putting in a Pi Zero or something like a built-in backdoor that would exist even if they formatted the PC and installed a new OS.. another thought was to install a Pi in my car that I could ssh into and start/stop a jammer of my own..

Still playing with a rolljam for FSK, I think the way to do it might be to jam on ASK at say 43390000 and then on the second YARD Stick listen at 2FSK 433920000. Thoughts? I'm very new to SDR and the learning curve is quite steep.

Onus
i8igmac Posted August 30, 2016

That article shows 100 million cars affected by this keyless entry bug... probably more...
Just_a_User Posted August 30, 2016

I can't find any examples of existing FSK rolljam code. And I'm also new to SDR in general and am still finding my feet with it. This is very interesting tho and I like learning about these things. I'm assuming you're taking the ASK/OOK example from here? https://github.com/alextspy/rolljam

As a defense, I was wondering if you could use a fake rolling code generator in the car. Also you could stop using the key fob and use the key to lock up, which would limit your exposure - at least for a rolljam attack.

If you combine a rolljam with a CAN bus attack, cars with a start button (no key ignition) could theoretically be entered, started and stolen with no keys needed or alarm going off. Crazy thought.