Breaking RF Unlock Codes 
They said it couldn’t be done
Bryan C. Geraghty 
@archwisp 
Security Consultant, Security PS
Over the next 15 minutes… 
My Goal 
My Prior Knowledge 
The Target 
Attack Hardware 
Attack Software 
Signal Analysis 
Cracking 
LIVE DEMO 
What’s Next?
The Goal 
Unlock a car by forging a radio frequency signal 
A jamming & replay attack has already been published 
I will not be talking about that 
This attack exploits the predictability of unlock codes 
This is not a man-in-the-middle attack 
I have not found any published research on this
Disclaimer 
I have not completely broken the codes… yet 
I will not be releasing any of my code… yet 
I will not be disclosing car models… yet
Prior Knowledge 
Before starting on this project, I had done: 
A lot of programming 
No work with RF whatsoever 
Some cryptanalysis 
A little bit of research on RF signal analysis 
I submitted my proposal for this project in June 2014
The Target 
Most modern vehicles can be unlocked with a key fob 
Sends a code that unlocks the car 
Rolling code system mitigates replay attacks
Attack Hardware 
Software Defined Radio Receiver 
RTL2832 w/R820T 
Adafruit - $22.50 
RF Link Transmitter - 315MHz 
WRL-10535 
SparkFun - $3.95
Total: $26.45
Attack Hardware (Alternate) 
HackRF One 
SDR Transceiver 
SparkFun - $299.95
Attack Software 
SDRSharp 
SDR Tuner 
Capture data 
FREE! 
Custom Code 
Frame Dumper 
Demodulator 
Encoder 
Signal Generator 
TIME!
Signal Analysis 
Find and capture the signal
Signal Analysis 
Yay! I captured some funny sounds! Now what?
Signal Analysis 
Dump MSB from one channel of WAV frame data
Signal Analysis 
Identify threshold value for binary conversion 
Threshold: If the hex value is greater than 32, it gets converted to a 1. Otherwise, it gets converted to a 0.
Signal Analysis 
Pulse-width demodulate the binary data 
Another Threshold: 
If the pulse is longer than 28 bits, it gets converted to a 1. Otherwise, it gets converted to a 0.
Signal Analysis 
Hex encode the binary data for analysis
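The four steps above (MSB dump, level threshold, pulse-width threshold, hex encoding) written as one pipeline. This is an added example, not the presenter's unreleased code. It runs on a constructed in-memory WAV; the function names, the decimal reading of 32, the use of sample magnitude and the 4-sample glitch filter are assumptions.

```python
import io
import struct
import wave

LEVEL_THRESHOLD = 32  # slide: MSB greater than 32 -> 1 (read here as decimal, an assumption)
PULSE_THRESHOLD = 28  # slide: pulse longer than 28 binary samples -> 1

def msb_of_channel(wav_bytes, channel=0):
    """High byte of each sample's magnitude for one channel of a 16-bit PCM WAV."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("expected 16-bit PCM")
        nch = w.getnchannels()
        raw = w.readframes(w.getnframes())
    samples = struct.unpack("<%dh" % (len(raw) // 2), raw)
    return [abs(s) >> 8 for s in samples[channel::nch]]

def slice_levels(msbs, threshold=LEVEL_THRESHOLD):
    """Binary conversion: one bit per audio sample."""
    return [1 if m > threshold else 0 for m in msbs]

def pulse_widths(levels):
    """Length of every run of consecutive 1s."""
    widths, run = [], 0
    for level in levels + [0]:  # trailing 0 flushes a pulse that ends the capture
        if level:
            run += 1
        elif run:
            widths.append(run)
            run = 0
    return widths

def pwm_demodulate(levels, threshold=PULSE_THRESHOLD, min_width=4):
    """Long pulse -> 1, short pulse -> 0; runs under min_width are treated as noise."""
    return [1 if w > threshold else 0 for w in pulse_widths(levels) if w >= min_width]

def hex_encode(bits):
    """Pack bits MSB-first, zero-padding the final byte."""
    bits = bits + [0] * (-len(bits) % 8)
    return bytes(
        int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8)
    ).hex()

def constructed_capture():
    """Constructed stand-in for a recording: stereo WAV, signal on channel 0 only."""
    widths = [42, 14, 42, 2, 14, 14, 42, 14, 42]  # the 2-sample run is a glitch
    frames = []
    for w in widths:
        frames += [0x0800] * 20  # idle gap, MSB 8
        frames += [0x5000] * w   # pulse, MSB 80
    buf = io.BytesIO()
    with wave.open(buf, "wb") as out:
        out.setnchannels(2)
        out.setsampwidth(2)
        out.setframerate(48000)
        out.writeframes(b"".join(struct.pack("<hh", s, 0) for s in frames))
    return buf.getvalue()

def decode(wav_bytes):
    return hex_encode(pwm_demodulate(slice_levels(msb_of_channel(wav_bytes))))

if __name__ == "__main__":
    print(decode(constructed_capture()))
```

Recovering the raw frame takes this little processing, which is why the security of the system rests on the unpredictability of the rolling code rather than on the radio link.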
Signal Analysis 
Capture samples!
Signal Analysis 
Analyze the samples
Cracking 
I identified a bunch of patterns 
I wrote some code to: 
Identify more patterns 
Generate signals using these patterns 
Compare them to sample signals 
I’ve gotten very close 
Let’s see how close…
LIVE DEMO 
Let’s hope this works…
Just in case the demo didn’t work…
What’s Next? 
Keep trying! 
Find a PRF cracking expert 
Collect hardware not attached to cars 
Collect samples from more vehicles 
Remote Start!
Thank you

Breaking RF Unlock Codes - Presented at TriKC 0x01 (November 2014)
