I don't know about laughing... but this is definitely hacking.
Hack a garage and the car inside with a child's toy and a few chips
Last month, pro hacker Samy Kamkar caused a kerfuffle at General Motors when he successfully hacked the car giant's RemoteLink mobile app to unlock and start vehicles, and now he's explained how it's done – and how to get into the garage that houses a target car. Speaking at a packed DEF CON talk on Friday, Kamkar explained …
COMMENTS
Saturday 8th August 2015 10:14 GMT Anonymous Coward
Made me laugh too, I had visions of James Gandolfini in "In The Loop" where he's using the kids' calculator to add up military invasion numbers.
Saturday 8th August 2015 04:43 GMT Christian Berger
Well...
those garage door openers have been around for decades now, and they always had very short keys. I think I've seen people just attaching a binary counter to one of the remotes and making it try out all the keys in that way.
So it's not exactly new. In fact with a simple SDR you can just record that signal, clean it up and rebroadcast it.
Saturday 8th August 2015 08:41 GMT Paul Crawford
Re: Well...
"Don't all garage door openers use rolling codes now?"
I have no idea, nor any obvious way of finding out.
And therein lies the problem - so many crap implementations of systems with known flaws (to experts) and nobody doing any public ratings of them.
While a garage door is less of a concern than, say, a self-driving car, it is high time that anything with high value or safety was forced to be independently audited for safety and security before being sold (or at least insured). Yes, I know that sort of legal talk is not favoured round these parts, but we have seen time and time again really dumb mistakes being made (often to save some money in terms of who is hired to do it) and companies then using legal threats to silence those who question them.
Saturday 8th August 2015 08:51 GMT Doctor Syntax
Re: Well...
"Yes, I know that sort of legal talk is not favoured round these parts"
I don't know what gives you that idea. Plenty of us have said the same sort of thing just about every time a cock-up of this nature is brought to light, and goodness knows there's been no shortage of those recently.
Saturday 8th August 2015 10:30 GMT Cheshire Cat
Re: Well...
"Don't all garage door openers use rolling codes now?"
Some do, some don't. I know ours does, because I can't use a cheap record-and-replay replacement key but need to buy a special one and program the system to accept it (rather than the other way around). However cheaper ones (such as the ones used to secure stargates) do use fixed codes.
Saturday 8th August 2015 08:46 GMT Anonymous Coward
Re: Well...
Don't all garage door openers use rolling codes now? So it's only old ones that would be susceptible to the attack described.
In our case you'd also have to do this during the day - when the car isn't actually in the garage. Cutting the power to the door is part of the house lockdown routine for the night, so you're welcome to try any electronic hack.
Sometimes it doesn't have to be high tech :)
Saturday 8th August 2015 14:52 GMT Anonymous Coward
Re: Well...
The point of this attack is that it circumvents a rolling code. It has no knowledge of what the rolling code algorithm is; it simply tricks the user into leaking a future code that can then be used by the attacker.
Fixing this sort of flaw is not straightforward. All the things that we're familiar with for securing comms links are hard to put in a package the size and longevity of a key fob.
Sunday 9th August 2015 13:17 GMT Anonymous Coward
Re: Well...
"The point of this attack is that it circumvents a rolling code. It has no knowledge of what the rolling code algorithm is, it simply tricks the user into leaking a future code that can then be used by the attacker."
Not from what I read in the article...
"The first stage was to get the garage door open. Using a radio analyzer, Kamkar discovered that wireless garage doors typically require a 12-bit access code to open, meaning he'd only need to check a maximum of 4,096 combinations to find the right one, which would take about 30 minutes to transmit..."
He's trying all possible combinations on what appears a shitty garage door opener. One I had fitted several years ago frequency hops, has over 4 billion code combinations, and has to be programmed to accept the key. I think the days of just being able to open garage doors like this are headed into the rear view mirror.
Saturday 8th August 2015 15:03 GMT joed
Re: Well...
The hack has a problem though. It's one thing to open a garage door in the middle of nowhere - and the quicker the better. It's an entirely different thing to open them simultaneously on all buildings along the street (within transmitter range). Neighborhood watch or not, someone will look out the window.
Sunday 9th August 2015 04:27 GMT Pliny the Whiner
I took it for granted that the Mattel IM-ME was a rinky-dink little piece of shit that would fit into a girl's hand. Scotch that notion. This thing costs USD $400 (£258), more than enough to buy a nice crowbar and a serviceable notebook -- both of which will help you go far in your criminal ambitions. If you're into that sort of thing.
Saturday 8th August 2015 06:16 GMT Roq D. Kasba
Driving the car
The numbers generated by a fob should effectively be a hash of the previous number, with the receiver accepting up to n (often 512) codes *ahead*. That would make a capture and replay of an earlier code useless, as the receiver would be looking ahead from the attempt that did start the car; all previous codes are garbage. This is the weak point in the plan, but hardly weak enough to spoil his otherwise fascinating research, just for completeness and may give him a lead...
BTW, frustrate friends at parties, press the button on their car key fob 513 times, the receiver and it go out of sync, and you brick their key until someone with a spare key uses it a few times to get them all back in sync.
Saturday 8th August 2015 08:35 GMT Paul Crawford
Re: Driving the car
The problems with the simple version of "high tide mark" sort of approach are:
1) Key fobs usually reset when the battery is changed.
2) You might have several key fobs for his & hers, etc, that are at different points in their sequences.
A much better approach would be a two-way negotiation where the car can query the fob for information about a shared secret but then the cost & complexity of the fob, etc, goes up a lot.
Saturday 8th August 2015 15:15 GMT joed
Re: Driving the car
(2) would also be my concern (but I just keep using one key anyway).
Cars usually have provisions for getting in when the fob is out of sync/juice (better RTFM before this happens;).
In addition, having physical lock is hopefully more than just security theater sacrificed on behalf of premium trims with keyless entry (fine with this) and start (meh).
Sunday 9th August 2015 12:33 GMT Adam 1
Re: Driving the car
Sure. We move well past my knowledge of how they are implemented presently, but it really wouldn't be too hard to do. If each keyfob has an identifier that gets broadcast with the code, and the car ignores unpaired fob identifiers, then the brute force would have to emulate a particular fob. Then you can count brute force attempts by a fob id having too many wrong guesses and lock them out.
Sunday 9th August 2015 22:13 GMT Phil Endecott
Re: Driving the car
> Wouldn't a far simpler solution be if the door detected say 1000 open
> attempts that it is switches off the receiver for 5 minutes. Make brute
> forcing impractical.
That makes you vulnerable to denial-of-service.
There's a tradeoff between making it harder for someone to steal your car and making it easier for them to lock you out of it.
Sunday 9th August 2015 22:46 GMT Adam 1
Re: Driving the car
Yes, DoS is possible, but it is already possible. I remember visiting a scenic lookout tower about 10 years ago. It doubled as a communications tower. Upon returning to my car, the fob did not work. If you are going to DoS then the easiest and most effective technique is to flood the airwaves in those frequencies with white noise, not some elaborate fob emulator. The backup plan is to use your key. :)
Saturday 8th August 2015 08:46 GMT Paul Crawford
Known technique
From the Wikipedia page on De Bruijn sequence:
The sequence can be used to shorten a brute-force attack on a PIN-like code lock that does not have an "enter" key and accepts the last n digits entered.
So not only a fail for using only 12 bits for the garage code, but a fail for not enforcing a start and/or end sequence, nor a minimum time between codes, to make it harder to guess. And that is before we even consider a rolling sequence...
Saturday 8th August 2015 11:32 GMT DropBear
Re: Known technique
That's what got me wondering too, actually. Such a sequence is fine for _keypad_ devices that transmit keypress after keypress as distinct messages, but what is it doing in a _keyfob_ device that is supposed to transmit its code within one single message, inevitably flanked by a bunch of other bits that identify the code part as such?!? This smells fishy... Did that garage door opener setup also have an external wireless PIN-based keypad too perchance...?
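The two posts above (Paul Crawford's de Bruijn point and DropBear's objection about framing) can be checked with a small model. This is an added example, not code from the article, from Kamkar or from any commenter. Its assumptions are stated in the docstring and are not a description of any real opener: a receiver that keeps the last 12 demodulated bits in a shift register and compares after every bit, with no start/stop framing and no lockout, set against a framed receiver that only evaluates aligned 12-bit words.

```python
"""Added example, not code from the article, from Kamkar or from any commenter:
the de Bruijn shortcut against a fixed-code receiver, plus what framing changes.

Assumptions (not a description of any real product): the receiver demodulates one
bit at a time, keeps the last N bits in a shift register and compares them with
the stored code after every bit; no start/stop framing, no lockout. A second,
framed receiver that only evaluates aligned N-bit words is modelled for contrast.
"""
from collections.abc import Iterable

N_BITS = 12                  # code length the article quotes for typical openers
CODE_SPACE = 1 << N_BITS     # 4096 codes


def de_bruijn(k: int, n: int) -> list[int]:
    """Cyclic de Bruijn sequence B(k, n): every length-n word over {0..k-1}
    occurs exactly once as a cyclic window. Frank Ruskey's FKM recursion."""
    a = [0] * (k * n)
    seq: list[int] = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        db(t + 1, p)
        for j in range(a[t - p] + 1, k):
            a[t] = j
            db(t + 1, t)

    db(1, 1)
    return seq


def linear_cover(n: int) -> list[int]:
    """Non-cyclic bit stream containing every n-bit code as a sliding window:
    the cyclic sequence followed by its first n-1 bits. Length 2**n + n - 1."""
    seq = de_bruijn(2, n)
    return seq + seq[:n - 1]


def sliding_receiver_hits(stream: Iterable[int], n: int) -> set[int]:
    """Every code a shift-register receiver (checks after each bit) sees in `stream`."""
    mask = (1 << n) - 1
    reg, seen, hits = 0, 0, set()
    for bit in stream:
        reg = ((reg << 1) | bit) & mask
        seen += 1
        if seen >= n:
            hits.add(reg)
    return hits


def framed_receiver_hits(stream: list[int], n: int) -> set[int]:
    """Every code a receiver that only evaluates whole, aligned n-bit frames
    sees in the same stream, i.e. what enforcing start/end framing buys."""
    hits = set()
    for i in range(0, len(stream) - n + 1, n):
        word = 0
        for bit in stream[i:i + n]:
            word = (word << 1) | bit
        hits.add(word)
    return hits


def bits_until_open(code: int, n: int) -> int:
    """Bits the attacker transmits before a sliding receiver holding `code` opens."""
    mask = (1 << n) - 1
    reg = 0
    for i, bit in enumerate(linear_cover(n), start=1):
        reg = ((reg << 1) | bit) & mask
        if i >= n and reg == code:
            return i
    raise AssertionError("the cover contains every n-bit word; unreachable")


if __name__ == "__main__":
    stream = linear_cover(N_BITS)
    print(f"cover: {len(stream)} bits; one code per transmission: {N_BITS * CODE_SPACE} bits")
    print(f"sliding receiver sees {len(sliding_receiver_hits(stream, N_BITS))}/{CODE_SPACE} codes")
    print(f"framed receiver sees  {len(framed_receiver_hits(stream, N_BITS))}/{CODE_SPACE} codes")
    print(f"worst case for code 0xFFF: {bits_until_open(0xFFF, N_BITS)} bits")
```

Against the sliding receiver the 4107-bit stream covers all 4096 codes, roughly a twelfth of the bits needed to send each code on its own; against the framed receiver the same stream only lands on about 342 codes, so framing alone pushes the attacker back to one full transmission per guess. A rolling code removes the fixed target altogether, which is the separate point made elsewhere in the thread.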
Sunday 9th August 2015 08:49 GMT Anonymous Coward
Re: But, But, But
Our 1970s house has a very common up and over metal door which uses a key to lock the release handle. One night next door had an expensive bicycle stolen from their garage. The investigating policewoman gave the locked door a bash with her hand in a very specific place - and the latch was released.
Sunday 9th August 2015 18:50 GMT Destroy All Monsters
Re: Too cheap to put in some crypto
To reiterate on the above comment
1) Put SoC with appropriate code and radio interface into door controller, all nicely hardened (but updateable via USB stick should a problem appear in any case)
2) This will cost $$$ but it's going to be "The Right Thing"
3) ???
4) PROHIBITIVE COST, MARKETING APOPLECTIC, BOSS BLOWS A GASKET, FIRED!
Sunday 9th August 2015 18:36 GMT Crazy Operations Guy
Rolling codes
Given the bit-length that the key fobs are using, it shouldn't take too long to grab enough codes to start predicting the next in the series. The key-fob would be using a very low-power micro-controller, so the algorithm would need to be pretty brain-dead simple. The problem is that both sides have to arrive at the same code (or at least the vehicle would have to calculate the expected code + 50 or more to account for presses of the fob when it was out of range). So given that, the algorithm would fall pretty quickly to a GPU-powered AWS instance.
Of course I wouldn't put it past auto-makers to just burn a 1K-long string into the micro-controller and then just puke out 12 bits from there and just grab 2 bytes at a time and throw 4 of them away (first time take the first 12 bits, second round ignore the first bit, take the next twelve, etc). It'd theoretically give you 4096 codes before re-use (and make full use of the 12-bit space).
Monday 10th August 2015 11:32 GMT Alan Edwards
Wouldn't work in the real world
... unless there's no replay attack protection. Or the jammer whatsit is in the car somewhere, but if you've already got physical access why do you need it.
1) Car owner presses button, nothing happens, but code 1 has been recorded
2) Car owner presses button again, code 2 is recorded, code 1 is replayed, car unlocks
3) Car owner gets in, drives to shops, locks car with code 3
4) Car owner gets home, locks car with code 4
5) Thief attempts to unlock car with pre-recorded code 2, which is now invalid because code 3 and 4 have been used, nothing happens.
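Several posts in the "Driving the car" sub-thread reason about the same receiver model: Roq D. Kasba's look-ahead window of 512 codes and the 513-press desync, Paul Crawford's his-and-hers fobs at different counters, Adam 1's per-fob identifiers, and Alan Edwards' jam-and-capture sequence just above. The toy below runs each of those cases. It is an added example, not code from the article or from any commenter, and its design is an assumption rather than a description of any real car: the hopping code is an HMAC-SHA256 over (fob id, counter) truncated to 32 bits, and the receiver keeps a per-fob counter and accepts the first match within the next 512 values. Production systems (KeeLoq-style) encrypt the counter instead of MACing it; the window logic is the same.

```python
"""Added example, not code from the article or from any commenter: a toy
rolling-code fob and receiver with a look-ahead window.

Assumptions, not a description of any real car: code = HMAC-SHA256(key,
fob_id || counter)[:4]; receiver keeps a per-fob counter and accepts the first
match within the next WINDOW values. Real systems encrypt the counter instead.
"""
import copy
import hashlib
import hmac
from dataclasses import dataclass

WINDOW = 512  # look-ahead Roq D. Kasba mentions


def hopping_code(key: bytes, fob_id: int, counter: int) -> bytes:
    msg = fob_id.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


@dataclass(frozen=True)
class Frame:
    """What goes over the air: fob identifier plus hopping code."""
    fob_id: int
    code: bytes


class Fob:
    def __init__(self, fob_id: int, key: bytes) -> None:
        self.fob_id, self.key, self.counter = fob_id, key, 0

    def press(self) -> Frame:
        self.counter += 1
        return Frame(self.fob_id, hopping_code(self.key, self.fob_id, self.counter))


class Receiver:
    def __init__(self) -> None:
        self.paired: dict[int, tuple[bytes, int]] = {}  # fob_id -> (key, last accepted counter)

    def pair(self, fob: Fob) -> None:
        self.paired[fob.fob_id] = (fob.key, fob.counter)

    def receive(self, frame: Frame) -> bool:
        if frame.fob_id not in self.paired:      # unpaired id: ignored, as Adam 1 suggests
            return False
        key, last = self.paired[frame.fob_id]
        for c in range(last + 1, last + 1 + WINDOW):
            if hmac.compare_digest(hopping_code(key, frame.fob_id, c), frame.code):
                self.paired[frame.fob_id] = (key, c)  # high-tide mark only moves forward
                return True
        return False


def setup(n_fobs: int = 1) -> tuple[list[Fob], Receiver]:
    rx = Receiver()
    fobs = [Fob(0x1000 + i, b"constructed demo key %d" % i) for i in range(n_fobs)]  # constructed keys
    for f in fobs:
        rx.pair(f)
    return fobs, rx


def replay_of_earlier_code() -> bool:
    """Record a frame the car accepted; resend it after the owner's next press."""
    (fob,), rx = setup()
    recorded = fob.press()
    rx.receive(recorded)
    rx.receive(fob.press())
    return rx.receive(recorded)              # counter 1 is now behind the mark


def fob_pressed_out_of_range(presses: int) -> bool:
    """Press `presses` times with the car out of earshot, then once in range."""
    (fob,), rx = setup()
    for _ in range(presses):
        fob.press()
    return rx.receive(fob.press())           # accepted up to the window edge only


def two_fobs_out_of_step() -> bool:
    """His & hers fobs at different counters both keep working (per-fob marks)."""
    (his, hers), rx = setup(2)
    for _ in range(40):
        rx.receive(his.press())
    return rx.receive(hers.press()) and rx.receive(his.press())


def jam_and_capture() -> tuple[bool, bool, bool]:
    """Alan Edwards' sequence. Returns (replay of code 1 accepted, held-back
    code 2 accepted if used before the owner's next press, code 2 accepted
    after the owner has since used codes 3 and 4)."""
    (fob,), rx = setup()
    code1 = fob.press()                      # jammed: car never hears it, attacker records it
    code2 = fob.press()                      # jammed again, also recorded
    opened = rx.receive(code1)               # attacker replays code 1; owner sees the car open
    early = copy.deepcopy(rx).receive(code2) # code 2 used straight away
    rx.receive(fob.press())                  # owner locks at the shops (code 3)
    rx.receive(fob.press())                  # owner locks at home (code 4)
    late = rx.receive(code2)                 # code 2 is now behind the mark
    return opened, early, late


if __name__ == "__main__":
    print("replay of earlier code accepted:", replay_of_earlier_code())
    print("512 presses out of range, then press:", fob_pressed_out_of_range(512))
    print("two fobs out of step both work:", two_fobs_out_of_step())
    print("jam-and-capture (replay, early, late):", jam_and_capture())
```

The model gives False for a straight replay, True for the 512th out-of-range press and False for the 513th, and (True, True, False) for the jam-and-capture run: the held-back code is live until any later code is accepted, which is exactly the race the thread is arguing about. Per-fob marks are what keep two fobs at different counters working, and they also give the receiver something to count failed attempts against, at the cost of the lockout-versus-denial-of-service trade-off Phil Endecott raises.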