Show of hands: how many of you have parked your car in the driveway, walked up to your house, and pressed your car’s key fob button thinking it would open the front door? We’ve probably all done it and felt a little dopey as a result, but when you think about it, it would be tremendously convenient, especially with grocery bags dangling off each arm and the mail clenched between your teeth. After all, we’re living in the future — shouldn’t your house be smart enough to know when you’re home?
Reverse engineer par excellence Samy Kamkar might think so, but given his recent experiences with cars smart enough to know when you’re standing outside them, he’d probably have some reservations. Samy dropped by the 2017 Hackaday Superconference in November to discuss the finer points of exploiting security flaws in passive car entry systems, and also sat down with our own Elliot Williams after his talk for a one-on-one interview. Samy has some interesting insights on vehicle cybersecurity, but the practical knowledge he’s gained while exploring the limits of these systems teaches some powerful lessons about being a real-world reverse engineer.
Samy tells Elliot that his interest in vehicle security stems from a friend who had her car broken into. She’d locked it and walked away, but somehow a thief was able to exploit the passive entry and ignition system to open the car and steal some stuff. Samy goes into that exploit in some depth in his talk, but as fascinating as that is, the meat is not in what he did to dissect the exploit, but in the method he uses to solve problems in general.
Samy came to hardware hacking from the software world, and by his own admission, he doesn’t have the background on circuit design to instantly know what he’s looking at when he pops the hood on a device. But he brings a code jockey’s sensibilities to the reverse engineering process, which offers certain advantages. When presented with a thorny problem, software folks usually turn first to the Interwebz, so for hardware challenges, Samy highly recommends opening a laptop and doing some research before reaching for a screwdriver. He also offers tips on getting datasheets for parts without any identification on the case.
So what’s in a reverse engineer’s toolkit? For Samy, the answer is surprisingly little. Aside from basic hand tools for opening cases, Samy relies heavily on a HackRF SDR transceiver for his wireless exploits. A cheaper RTL-SDR dongle would do for starters, of course. Interestingly, Samy would not necessarily include an oscilloscope in his desert island toolkit; coming from a software background, he approached projects from a digital perspective for years, eschewing the analog side of things and forgoing the need for a scope. With more experience he’s found that a scope helps him with such things as timing attacks, and a logic analyzer is a helpful tool as well.
As for the original key fob attack that piqued his interest in vehicle cybersecurity, Samy gives a little taste of how the project turned out in the interview. He was able to build a device to perform an RF man-in-the-middle attack to unlock and start cars, the details of which he discusses in the full talk. As for where this goes from here, Samy is optimistic that manufacturers will overcome the MITM attacks, possibly through time-of-flight analysis to ensure that the RFID signals are coming from the rightful owner in proximity to the vehicle and not from a thief across the parking lot with spoofing gear. Seems like Samy is looking forward to breaking those systems too, and we’ll be keen to see what he comes up with.
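To make the time-of-flight idea concrete, here is a small constructed simulation (added for this write-up, not Samy's code or any manufacturer's design) of a car that checks both a challenge/response and the round-trip time: a fob within a couple of metres passes, while a response that arrives late, whether because the fob is too far away or because extra hops added latency, is refused even though the cryptography is correct. The shared-key HMAC exchange, the fixed fob turnaround time and the timing slack are all assumptions chosen for the illustration.

```python
"""Distance-bounding check for a passive-entry challenge/response (constructed simulation)."""
import hashlib
import hmac
import secrets

C = 299_792_458.0          # speed of light, metres per second
FOB_PROCESSING_S = 1e-6    # assumed fixed fob turnaround, known to the car
TIMING_SLACK_S = 20e-9     # assumed clock-jitter tolerance (about 3 m of one-way distance)


class Fob:
    """Key fob: answers a random nonce with an HMAC over it (assumed scheme)."""
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


def direct_channel(fob: Fob, distance_m: float):
    """Fob in radio range: round trip = flight time out and back + fob turnaround."""
    def send(nonce: bytes):
        return fob.respond(nonce), 2 * distance_m / C + FOB_PROCESSING_S
    return send


def relayed_channel(fob: Fob, hop_latency_s: float):
    """Signal forwarded to a distant fob: each hop's re-modulation adds latency both ways."""
    def send(nonce: bytes):
        return fob.respond(nonce), FOB_PROCESSING_S + 2 * hop_latency_s
    return send


class Car:
    """Unlocks only if the response is authentic AND arrived fast enough to be nearby."""
    def __init__(self, key: bytes, max_distance_m: float = 2.0):
        self.key = key
        self.max_rtt = 2 * max_distance_m / C + FOB_PROCESSING_S + TIMING_SLACK_S

    def try_unlock(self, send) -> tuple:
        nonce = secrets.token_bytes(16)
        response, rtt = send(nonce)
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return False, "bad response"
        if rtt > self.max_rtt:
            # back out the apparent one-way distance implied by the round trip
            return False, "too far: ~%.0f m" % ((rtt - FOB_PROCESSING_S) * C / 2)
        return True, "unlock"
```

With these numbers a fob 1.5 m away unlocks, a fob 30 m away is refused, and a forwarded response with 5 µs of latency per hop reads as roughly 1.5 km away and is refused as well.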