Samy Kamkar: Reverse Engineering for a Secure Future

Show of hands: how many of you have parked your car in the driveway, walked up to your house, and pressed your car’s key fob button thinking it would open the front door? We’ve probably all done it and felt a little dopey as a result, but when you think about it, it would be tremendously convenient, especially with grocery bags dangling off each arm and the mail clenched between your teeth. After all, we’re living in the future — shouldn’t your house be smart enough to know when you’re home?

Reverse engineer par excellence Samy Kamkar might think so, but given his recent experiences with cars smart enough to know when you’re standing outside them, he’d probably have some reservations. Samy dropped by the 2017 Hackaday Superconference in November to discuss the finer points of exploiting security flaws in passive car entry systems, and also sat down with our own Elliot Williams after his talk for a one-on-one interview. Samy has some interesting insights on vehicle cybersecurity, but the practical knowledge he’s gained while exploring the limits of these systems teaches some powerful lessons about being a real-world reverse engineer.

Samy tells Elliot that his interest in vehicle security stems from a friend who had her car broken into. She’d locked it and walked away, but somehow a thief was able to exploit the passive entry and ignition system to open the car and steal some stuff. Samy goes into that exploit in some depth in his talk, but as fascinating as that is, the meat is not in what he did to dissect the exploit, but in the method he uses to solve problems in general.

Samy came to hardware hacking from the software world, and by his own admission, he doesn’t have the background on circuit design to instantly know what he’s looking at when he pops the hood on a device. But he brings a code jockey’s sensibilities to the reverse engineering process, which offers certain advantages. When presented with a thorny problem, software folks usually turn first to the Interwebz, so for hardware challenges, Samy highly recommends opening a laptop and doing some research before reaching for a screwdriver. He also offers tips on getting datasheets for parts without any identification on the case.

So what’s in a reverse engineer’s toolkit? For Samy, the answer is surprisingly little. Aside from basic hand tools for opening cases, Samy relies heavily on a HackRF SDR transceiver for his wireless exploits. A cheaper RTL-SDR dongle would do for starters, of course. Interestingly, Samy would not necessarily include an oscilloscope in his desert island toolkit; coming from a software background, he approached projects from a digital perspective for years, eschewing the analog side of things and forgoing the need for a scope. With more experience he’s found that a scope helps him with such things as timing attacks, and a logic analyzer is a helpful tool as well.

As for the original key fob attack that piqued his interest in vehicle cybersecurity, Samy gives a little taste of how the project turned out in the interview. He was able to build a device to perform an RF man-in-the-middle attack to unlock and start cars, the details of which he discusses in the full talk. As for where this goes from here, Samy is optimistic that manufacturers will overcome the MITM attacks, possibly through time-of-flight analysis to ensure that the RFID signals are coming from the rightful owner in proximity to the vehicle and not from a thief across the parking lot with spoofing gear. Seems like Samy is looking forward to breaking those systems too, and we’ll be keen to see what he comes up with.
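The time-of-flight idea in that last paragraph is easy to state and worth seeing in numbers. The simulation below is an added example, not code from the article or from Samy’s talk: the car issues a random challenge, the fob answers with a keyed response, and the car only unlocks if the answer is both correct and came back within a round-trip budget derived from a maximum allowed distance. The 2 m bound, the 50 ns fob turnaround, the truncated-HMAC challenge scheme, the `Channel` model (a relay is represented simply as extra latency on the path) and every figure printed are constructed assumptions for illustration.

```python
"""
Added example, not code from the Hackaday article or from Samy Kamkar's talk:
a toy simulation of the time-of-flight (distance-bounding) check the article
mentions as a possible countermeasure to RF relay / man-in-the-middle attacks
on passive entry systems.  The channel model, timing budget, key and latency
figures are all constructed assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SPEED_OF_LIGHT_M_PER_S = 299_792_458.0
MAX_DISTANCE_M = 2.0         # assumed: fob must be within 2 m of the car
FOB_TURNAROUND_NS = 50.0     # assumed: fixed time the fob takes to answer
# Largest round trip the car will accept: out and back over MAX_DISTANCE_M
# at the speed of light, plus the fob's fixed turnaround (about 63 ns here).
RTT_BUDGET_NS = 2 * MAX_DISTANCE_M / SPEED_OF_LIGHT_M_PER_S * 1e9 + FOB_TURNAROUND_NS

KEY = b"constructed-demo-key"   # constructed shared secret, not a real key


@dataclass
class Channel:
    """Simulated radio path between car and fob (constructed model)."""
    distance_m: float
    relay_latency_ns: float = 0.0   # extra delay added by any equipment in the path

    def one_way_ns(self) -> float:
        return self.distance_m / SPEED_OF_LIGHT_M_PER_S * 1e9 + self.relay_latency_ns


class Fob:
    def __init__(self, key: bytes) -> None:
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        # Keyed response to the car's random challenge (truncated HMAC-SHA256).
        return hmac.new(self.key, challenge, hashlib.sha256).digest()[:8]


class Car:
    def __init__(self, key: bytes) -> None:
        self.key = key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(8)

    def verify(self, challenge: bytes, response: bytes, rtt_ns: float) -> str:
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, response):
            return "reject: bad response"
        # Time-of-flight bound: a correct answer that arrives too late means the
        # fob is farther away than allowed, or something relayed the exchange.
        if rtt_ns > RTT_BUDGET_NS:
            return "reject: round trip too slow"
        return "unlock"


def run_unlock(car: Car, fob: Fob, channel: Channel) -> str:
    """One challenge/response exchange over the simulated channel, timed by the car."""
    t_sent = 0.0                                   # car starts its clock on transmit
    challenge = car.new_challenge()
    t_fob_rx = t_sent + channel.one_way_ns()       # challenge reaches the fob
    response = fob.respond(challenge)
    t_car_rx = t_fob_rx + FOB_TURNAROUND_NS + channel.one_way_ns()  # answer comes back
    return car.verify(challenge, response, rtt_ns=t_car_rx - t_sent)


if __name__ == "__main__":
    car, fob = Car(KEY), Fob(KEY)
    print("budget ns        :", round(RTT_BUDGET_NS, 2))
    print("fob 1 m away     :", run_unlock(car, fob, Channel(distance_m=1.0)))
    print("fob 30 m, direct :", run_unlock(car, fob, Channel(distance_m=30.0)))
    print("fob 1 m, +500 ns :", run_unlock(car, fob, Channel(distance_m=1.0, relay_latency_ns=500.0)))
    print("wrong key, 1 m   :", run_unlock(car, Fob(b"wrong-key"), Channel(distance_m=1.0)))
```

The budget works out to roughly 63 ns, which is the real lesson of the example: a cryptographically correct answer tells the car nothing about where the fob is, and the distance check only bites if the car can timestamp the exchange with nanosecond resolution and the fob’s turnaround time is fixed and tiny. That is why distance-bounding designs lean on dedicated ranging radios (ultra-wideband) rather than a microcontroller timing an ordinary packet.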

15 thoughts on “Samy Kamkar: Reverse Engineering for a Secure Future”

  1. Show of hands: how many of you have parked your car in the driveway, walked up to your house, and pressed your car’s key fob button thinking it would open the front door?

    Not me… my bicycle uses a mechanical lock and the garage door a different mechanical lock. Very hard to get the keys confused as they’re completely different sized keys.

    1. Me neither. I work full-time as an embedded programmer in eastern Poland (please invest!) and I earn about $450. Enough to pay the rent and buy food (mostly) but car? Good joke.

    2. Me neither. I’ve never owned a car new enough to have remote locking. Actually I don’t have any keyfobs for anything. My TV / DVD player has a remote control, that’s about it :)

  2. I use a keyfob to leave, if I use one, but I prefer keys, coming from a crypto background. But a keyfob for my house? While I have been called The Absent Minded Professor since I was 12, that just smacks of someone who narrowly missed a DUI… even if it was for mindless driving. Or, take my wife… pleassse… who despite great strengths and shortcomings, manages an office that issues these Cracker-Jack licences.

  3. “Show of hands: how many of you have parked your car in the driveway, walked up to your house, and pressed your car’s key fob button thinking it would open the front door?”

    Not a one, but then nothing I own requires one. Will all of this be “quaint” when self-driving cars become popular?

  4. Until transparent aluminum is invented a-la Star Trek and commercially available as auto-glass, the easiest, and most common, way to break into a car is still a very hard, heavy, and perhaps pointy object. Smash and repeat until the window becomes open.

    Unless your car is new and has fancy security features, the old ‘ram a screwdriver into the ignition and turn it over’ will probably still get it started, too. Renders the ignition inoperable, but the user is still out a car.

    Brute force solution, sure, but it gets the desired results (see: XKCD 538). No amount of RF security can fix mean people.

  5. The best fix for MITM would be to limit the range of the system and do away with the constant challenge transmissions: the car never transmits anything until it hears from the fob, and the fob doesn’t transmit until a button is pushed.
    With this simple change you’ve just shrunk the attack footprint from something bigger than Snoke’s ship to the size of a womprat.
    Yes, this means you’ll have to actually push a button to get in the car, but if that’s too much for you then you deserve what’s coming for being so lazy.

  6. Well, recently I was visited by a Honda technician for foolishly leaving the keys inside the car. He just went down under the car and popped open the door. He said it is a secret method of tricking the autocop to open the door which is undocumented. Has anyone ever heard about it? If it is true, it is a serious security lapse from the manufacturer. Isn’t it?
