Has my street been hacked


I personally have not dabbled with RF hacking, so please forgive any ignorance that reveals itself with this post. I recently bought a 2016 Honda Civic. I live in a city neighborhood and park it on the one-way street that I live on. It, like most cars, has a key that also allows for remote locking / arming of the alarm, and unlocking, as well as opening the trunk.

Anyway, a few weeks into buying the car I started noticing my trunk would be open in the morning. At first I figured I must have accidentally hit the trunk button on the key, and started being much more careful about where I put my keys down. But it kept happening, always overnight and on my street. It was not happening when I stayed over at my girlfriend's for weeks at a time, or anywhere else. Just when I parked it on my street.

The other night 15 of my neighbors' cars on my street were all broken into, with their glove compartments rifled through. 2 cars were flat out stolen, and not a single alarm had gone off. None of the cars showed evidence of forced entry.. my car was one of them. My car was parked literally right outside my bedroom window and I know I would have heard the alarm.. The interesting thing to me was that after I heard about the break-ins, and rushed to check my car, I first tried clicking the lock/engage alarm button on my key.. only to find my car was not responding to it. I found my car unlocked, no evidence of tampering.. The key fob eventually started working again, only after I tried unlocking it first.. It was as if the key fob was out of sync and the rolling pin was off or something.. Do you folks think my street was attacked with an SDR attack? Honda told me that my battery might be low.. trust me, it's not... I tested the battery, and everything works now.. I am almost certain it wasn't working because it somehow fell out of sync..

Also would love some clever ideas on how to fuck with these petty thieves should they do it again.

#karateForDefence

Edited by Onus

I don't know about that technique, but would that cause my remote key to be out of sync? It seems to me that my key remote not locking until I hit unlock indicates that the pin was probably incremented and my key was behind, thus out of sync.. Does that make sense?

You have 2 keys, right? Both are fobs and both should Just Work (tm), no matter what had happened to the car before. If the key and the car really did go out of sync it means that you've re-synced one key but not yet the other. I'm quite sure the key syncs to the car and not the other way around so if it really is a case of the two of them being out of sync the spare key should STILL be out of sync. Try that.

My guess is that whatever had happened put the car's lock system out of whack and it just wanted to verify that a valid key was present, i.e. inside the car. So bring the car to the dealer and let them run some diagnostics. This stuff should pop up and indicate in some way what happened when and with a bit of luck even how. While you're there, give the dealer an earful about how such a modern car can be opened this trivially, and what THEY are going to do to prevent this from happening in the future.

Yep, that sounds like an attack. I doubt they'll come back now, though. I was going to suggest a hidden camera pointing at your car, but I doubt they'll come back after that attack. They'll move on to another street in another town probably. If they do come back, they're idiots.

About a fat year ago, a lot of cars were broken into, just like you described. A small device opens the door, without setting off the alarm. But can't start the car. If memory serves me right, it's a relay attack, where a device picks up your fob, then relays it to the car.
On 25/07/2016 at 0:17 PM, anode said:

About a fat year ago, a lot of cars were broken into, just like you described. A small device opens the door, without setting off the alarm. But can't start the car. If memory serves me right, it's a relay attack, where a device picks up your fob, then relays it to the car.

Looks like a good possibility this was a similar attack.

Found this, which explains the attack method nicely.

Note that this states the emitter needs to be within close proximity to your key-fob, in this case less than 30cm. One simple method to discourage this type of attack would be to place your keys more than 30cm from your front door / front of the house. You could also place them inside something that blocks RF signals.


Very interesting reading. It does imply that the lock being out of whack had exactly nothing to do with the attack since everything that was happening did so according to protocol.

The suggested mitigations seem valid too: Keep the key in a metal container when at home, or if you choose to leave it out in the open (on a table or something) verify that clicking the unlock button on the fob at that distance doesn't actually open the car.

Main thing though, which you thankfully did right: Don't keep important/expensive shit in your car overnight.

Edited by cooper
  • 1 month later...

I know I'm kinda late with this but was reading this post and it sounded like a rolljam attack I read about a little while back. It also explains the step out of sequence rolling code.

http://1abxf1rh6g01lhm2riyrt55k.wpengine.netdna-cdn.com/wp-content/uploads/2015/08/2015-defcon.pdf

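An added example, not part of any post in this thread and not any manufacturer's implementation: a generic model of how a rolling-code receiver tracks a fob's counter, showing which presses it accepts, rejects, or answers with a resync request. The HMAC construction, both window sizes and all names are assumptions chosen for illustration.

```python
import hashlib
import hmac

OPEN_WINDOW = 16      # assumed: codes up to this far ahead open the car directly
RESYNC_WINDOW = 1024  # assumed: further ahead needs two consecutive codes

def code_for(key: bytes, counter: int) -> bytes:
    """Constructed stand-in for a fob's code generator (HMAC over the counter)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]

class Fob:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        self.counter += 1             # counter advances even if the car hears nothing
        return code_for(self.key, self.counter)

class Receiver:
    def __init__(self, key: bytes):
        self.key, self.counter, self.pending = key, 0, None

    def receive(self, code: bytes) -> str:
        # Only counters above the last accepted one are searched, so any
        # already-used or skipped-over code can never match again.
        for c in range(self.counter + 1, self.counter + 1 + RESYNC_WINDOW):
            if hmac.compare_digest(code, code_for(self.key, c)):
                break
        else:
            self.pending = None
            return "rejected"
        if c - self.counter <= OPEN_WINDOW or self.pending == c - 1:
            self.counter, self.pending = c, None
            return "accepted"
        self.pending = c              # far ahead: wait for the next code in sequence
        return "resync-needed"

def demo() -> list:
    key = b"constructed-demo-key"
    fob, car = Fob(key), Receiver(key)
    first = fob.press()
    out = [car.receive(first), car.receive(first)]   # normal press, then a replay
    for _ in range(5):
        fob.press()                                   # pressed out of range
    out.append(car.receive(fob.press()))              # 6 ahead: inside the window
    for _ in range(100):
        fob.press()
    out += [car.receive(fob.press()), car.receive(fob.press())]  # far ahead, then resync
    held = fob.press()                                # sent but never heard by the car
    out += [car.receive(fob.press()), car.receive(held)]
    return out
```

In this model a code the car never heard stops being valid as soon as the car accepts any newer code from the same fob, which is why the last entry returned by `demo()` is a rejection.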

I recently tried to do a rolljam on my car as a proof of concept.. using two YardStick Ones, one to jam and one to replay, but my car uses FSK not ASK and I can't seem to get a rolljam to work.. I can certainly jam my car so that it can't get the key fob's packet but can't seem to properly capture the packet/filter out the jam signal..

I'll check all the links above tonight..

Well was just a thought, props for trying it yourself tho! I find this a real interesting hack.

In my searchings I found a post where they did what you did but with a VW that apparently used AM/OOK codes -

"attacks described in this blog post are specifically looking at AM/OOK codes, however some cars use different modulations such as FSK which makes the jamming and capturing of the codes much more difficult (and naturally my scripts would not work with those unless they were modified). However the attack in theory should still work against it."

Might be worth a look https://andrewmohawk.com/2016/02/05/bypassing-rolling-code-systems/

Edited by Just_a_User

Ha, I have thought about opening up an old laptop and putting in a Pi Zero or something like a built-in backdoor that would exist even if they formatted the PC and installed a new OS.. Another thought was to install a Pi in my car that I could ssh into and start/stop a jammer of my own..

Still playing with a rolljam for FSK, I think the way to do it might be to jam on ASK at say 43390000 and then on the second YardStick listen at 2FSK 433920000. Thoughts? I'm very new to SDR and the learning curve is quite steep.

Onus


I can't find any examples of existing FSK rolljam code. And I'm also new to SDR in general and am still finding my feet with it. This is very interesting tho and I like learning about these things. I'm assuming you're taking the ASK/OOK example from here? https://github.com/alextspy/rolljam

As a defense, I was wondering if you could use a fake rolling code generator in the car. Also you could stop using the keyfob and use the key to lock up, which would limit your exposure - at least for a rolljam attack.

If you combine a rolljam with a CAN bus attack - cars with a start button (no key ignition) could theoretically be entered, started and stolen with no keys needed or alarm going off. Crazy thought.
