Show of hands: how many of you have parked your car in the driveway, walked up to your house, and pressed your car’s key fob button thinking it would open the front door? We’ve probably all done it and felt a little dopey as a result, but when you think about it, it would be tremendously convenient, especially with grocery bags dangling off each arm and the mail clenched between your teeth. After all, we’re living in the future — shouldn’t your house be smart enough to know when you’re home?
Reverse engineer par excellence Samy Kamkar might think so, but given his recent experiences with cars smart enough to know when you’re standing outside them, he’d probably have some reservations. Samy dropped by the 2017 Hackaday Superconference in November to discuss the finer points of exploiting security flaws in passive car entry systems, and also sat down with our own Elliot Williams after his talk for a one-on-one interview. Samy has some interesting insights on vehicle cybersecurity, but the practical knowledge he’s gained while exploring the limits of these systems teaches some powerful lessons about being a real-world reverse engineer.
Samy tells Elliot that his interest in vehicle security stems from a friend who had her car broken into. She’d locked it and walked away, but somehow a thief was able to exploit the passive entry and ignition system to open the car and steal some stuff. Samy goes into that exploit in some depth in his talk, but as fascinating as that is, the meat is not in what he did to dissect the exploit, but in the method he uses to solve problems in general.
Samy came to hardware hacking from the software world, and by his own admission, he doesn’t have the background on circuit design to instantly know what he’s looking at when he pops the hood on a device. But he brings a code jockey’s sensibilities to the reverse engineering process, which offers certain advantages. When presented with a thorny problem, software folks usually turn first to the Interwebz, so for hardware challenges, Samy highly recommends opening a laptop and doing some research before reaching for a screwdriver. He also offers tips on getting datasheets for parts without any identification on the case.
So what’s in a reverse engineer’s toolkit? For Samy, the answer is surprisingly little. Aside from basic hand tools for opening cases, Samy relies heavily on a HackRF SDR transceiver for his wireless exploits. A cheaper RTL-SDR dongle would do for starters, of course. Interestingly, Samy would not necessarily include an oscilloscope in his desert island toolkit; coming from a software background, he approached projects from a digital perspective for years, eschewing the analog side of things and forgoing the need for a scope. With more experience he’s found that a scope helps him with such things as timing attacks, and a logic analyzer is a helpful tool as well.
As for the original key fob attack that piqued his interest in vehicle cybersecurity, Samy gives a little taste for how the project turned out in the interview. He was able to build a device to perform an RF man-in-the-middle attack to unlock and start cars, the details of which he discusses in the full talk. As for where this goes from here, Samy is optimistic that manufacturers will overcome the MITM attacks, possibly through time-of-flight analysis to ensure that the RFID signals are coming from the rightful owner in proximity to the vehicle and not from a thief across the parking lot with spoofing gear. Seems like Samy is looking forward to breaking those systems too, and we’ll be keen to see what he comes up with.
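The time-of-flight idea above is a distance-bounding check: the car measures how long the fob takes to answer a fresh challenge and refuses to unlock if the round trip is longer than physics allows for a fob within a couple of metres, because a signal forwarded from across the parking lot always arrives late. The following simulation is an added example, not code from Samy’s talk or from any manufacturer; the `Car`, `Fob` and `simulate_exchange` names, the shared-key HMAC response, the fob turnaround time and the timing tolerance are all assumptions chosen for illustration.

```python
"""Distance-bounding check for a passive-entry challenge/response (added example).

The car verifies two things: that the response is keyed correctly (so a random
transmitter cannot answer) and that the round-trip time is consistent with the
fob being physically close (so a forwarded response from far away is rejected).
"""
import hashlib
import hmac
import os

SPEED_OF_LIGHT_M_PER_S = 299_792_458.0

# Assumed fixed turnaround time of the fob electronics (hypothetical value).
FOB_TURNAROUND_S = 1e-6


class Fob:
    """Keyed responder: answers a challenge with a truncated HMAC."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()[:8]


class Car:
    """Verifier: checks both the response value and the round-trip time."""

    def __init__(self, key: bytes, max_distance_m: float = 2.0, tolerance_s: float = 5e-9) -> None:
        self._key = key
        # Longest round trip a genuine fob inside max_distance_m could produce.
        self.max_rtt_s = (2 * max_distance_m / SPEED_OF_LIGHT_M_PER_S
                          + FOB_TURNAROUND_S + tolerance_s)

    def new_challenge(self) -> bytes:
        # Fresh random challenge each time, so old responses cannot be replayed.
        return os.urandom(16)

    def verify(self, challenge: bytes, response: bytes, rtt_s: float) -> tuple[bool, str]:
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, response):
            return False, "bad response"
        if rtt_s > self.max_rtt_s:
            return False, "round trip too slow for claimed proximity"
        return True, "ok"


def simulate_exchange(car: Car, fob: Fob, distance_m: float,
                      relay_delay_s: float = 0.0) -> tuple[bool, str]:
    """Model one challenge/response over a channel with the given geometry.

    distance_m    : physical distance between car and fob
    relay_delay_s : extra latency added by any equipment forwarding the
                    signals between the two (0 for a direct exchange)
    """
    challenge = car.new_challenge()
    propagation_s = 2 * distance_m / SPEED_OF_LIGHT_M_PER_S
    rtt_s = propagation_s + FOB_TURNAROUND_S + relay_delay_s
    response = fob.respond(challenge)
    return car.verify(challenge, response, rtt_s)


def demo() -> dict[str, tuple[bool, str]]:
    """Three constructed scenarios: owner at the door, fob far away with the
    signals forwarded, and a transmitter that does not hold the key."""
    key = os.urandom(32)  # constructed shared secret
    car = Car(key)
    fob = Fob(key)
    return {
        "owner_at_door": simulate_exchange(car, fob, distance_m=1.0),
        "fob_across_lot_forwarded": simulate_exchange(car, fob, distance_m=60.0,
                                                      relay_delay_s=2e-6),
        "wrong_key": simulate_exchange(car, Fob(os.urandom(32)), distance_m=1.0),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:28s} -> {'UNLOCK' if ok else 'DENY'} ({reason})")
```

The numbers matter: two metres of round trip is only about 13 ns of propagation, so a real implementation needs a radio physical layer that can timestamp to a few nanoseconds (which is why such designs use wideband ranging rather than the narrowband LF/UHF links of today’s fobs). The check is also only as good as the fixed turnaround budget; a verifier that accepts loose timing tolerances gives back exactly the slack a forwarded signal needs.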
Not me… my bicycle uses a mechanical lock and the garage door a different mechanical lock. Very hard to get the keys confused as they’re completely different sized keys.
Me neither. I work full-time as an embedded programmer in eastern Poland (please invest!) and I earn about $450. Enough to pay the rent and buy food (mostly) but car? Good joke.
You need a new job. Look at Chicago. Lot of remote jobs. Not sure about for embedded programmers. Learn Node.
Me neither. I’ve never owned a car new enough to have remote locking. Actually I don’t have any keyfobs for anything. My TV / DVD player has a remote control, that’s about it :)
I use a keyfob to leave, if I use one, but I prefer keys, coming from a crypto background. But a keyfob for my house? While I have been called The Absent Minded Professor since I was 12, that just smacks of someone who narrowly missed a DUI… even if it was for mindless driving. Or, take my wife… pleassse… who despite great strengths and shortcomings, manages an office that issues these Cracker-Jack licences.
“Show of hands: how many of you have parked your car in the driveway, walked up to your house, and pressed your car’s key fob button thinking it would open the front door?”
Not a one, but then nothing I own requires one. Will all of this be “quaint” when self-driving cars become popular?
Until transparent aluminum is invented a-la Star Trek and commercially available as auto-glass, the easiest, and most common, way to break into a car is still a very hard, heavy, and perhaps pointy object. Smash and repeat until the window becomes open.
Unless your car is new and has fancy security features, the old ‘ram a screwdriver into the ignition and turn it over’ will probably still get it started, too. Renders the ignition inoperable, but the user is still out a car.
Brute force solution, sure, but it gets the desired results (see: XKCD 538). No amount of RF security can fix mean people.
The best fix for MITM would be to limit the range of the system and do away with the constant challenge transmissions as in the car never transmits anything until it hears from the fob and the fob doesn’t transmit until a button is pushed.
With this simple change you just shrunk the attack footprint from something bigger than Snoke’s ship to the size of a womprat.
Yes, this means you’ll have to actually push a button to get in the car, but if that’s too much for you then you deserve what’s coming for being so lazy.
I’ve never done this but when I was younger and in a rush I’d come home from school and get the question why did you put the cereal in the fridge and the milk in the cupboard.
I absolutely love the fact that my 1997 Chevy has no Fob, no power windows, no power locks, and thank God, no TPMS in the wheels. My key works every time.
My 1987 Chevy has no radio, dome light, or turn signals but does have a keyless ignition.
… and as a bonus you can wind the windows up and down without the key in the ignition.
I find it funny that people are so annoyed by TPMS.
Well, I was recently visited by a Honda technician for foolishly leaving the keys inside the car. He just went down under the car and popped open the door. He said it is a secret method of tricking the autocop to open the door which is undocumented. Has anyone ever heard about it? If it is true, it is a serious security lapse from the manufacturer. Isn’t it?
Could also be a feature for first responders to be able to get into the car in case the occupants are incapacitated.