Keyless entry has become a standard feature on virtually all cars, where once it was a luxury option. However, it’s also changed the way that thieves approach the process of breaking into a car. After recent research, [HackingIntoYourHeart] claims that many modern Honda and Acura vehicles can be accessed with a simple replay attack using cheap hardware.
It’s a bold claim, and one that we’d love to see confirmed by a third party. The crux of the allegations is that simply recording signals from a Honda or Acura keyfob is enough to compromise the vehicle. Reportedly, no rolling code system is implemented and commands can easily be replayed.
Given these commands control features like unlocking the doors, opening the trunk, and even remote starting the vehicle, it’s a concerning situation. However, it’s also somewhat surprising. Rolling code technology has been around for decades, and makes basic replay attacks more difficult. Range extender attacks that target keyfobs sitting inside homes or gas stations are more common these days.
Whether Honda has made a security faux pas, or if there’s something more at play here, remains to be seen. If you’ve got more information, or have been able to recreate the same hack on your own Honda, be sure to let us know.
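To make the fixed-code versus rolling-code distinction above concrete, here is an added simulation (not code from the researcher or from any vehicle). The frame layout, key, counter window and HMAC construction are assumptions chosen for illustration; they are not Honda's protocol or any production rolling-code scheme.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # fob/receiver shared secret (constructed value)
WINDOW = 16                    # assumed: how far ahead of the last counter is accepted

def fixed_frame(cmd):
    """Fixed-code fob: identical bytes on every button press."""
    return b"FOB1|" + cmd.encode()

def rolling_frame(cmd, counter):
    """Rolling-code fob: 4-byte counter + command + truncated MAC over both."""
    body = counter.to_bytes(4, "big") + cmd.encode()
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:8]

class FixedReceiver:
    def accept(self, frame):
        # Only checks the fob identifier, so a recorded frame stays valid forever.
        return frame.startswith(b"FOB1|")

class RollingReceiver:
    def __init__(self):
        self.last = 0  # highest counter accepted so far

    def accept(self, frame):
        if len(frame) < 12:
            return False
        body, tag = frame[:-8], frame[-8:]
        expected = hmac.new(KEY, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        counter = int.from_bytes(body[:4], "big")
        if not (self.last < counter <= self.last + WINDOW):
            return False  # stale (already seen) or implausibly far ahead
        self.last = counter
        return True

def demo():
    """Feed each receiver a frame, then the same recorded frame a second time."""
    out = {}
    fixed, rolling = FixedReceiver(), RollingReceiver()
    recorded = fixed_frame("unlock")
    out["fixed_first"] = fixed.accept(recorded)
    out["fixed_replay"] = fixed.accept(recorded)
    recorded = rolling_frame("unlock", 1)
    out["rolling_first"] = rolling.accept(recorded)
    out["rolling_replay"] = rolling.accept(recorded)
    # Presses made out of range advance the fob; the window absorbs the gap.
    out["rolling_after_missed"] = rolling.accept(rolling_frame("unlock", 5))
    bad = rolling_frame("unlock", 6)
    out["rolling_tampered"] = rolling.accept(bad[:-1] + bytes([bad[-1] ^ 1]))
    return out
```

The counter check only establishes freshness; it says nothing about where the frame was transmitted from, which is why the range extender attacks mentioned above remain a separate problem.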
Despite the name, home automation doesn’t have to be limited to only the devices within your home. Bringing your car into the mix can open up some very interesting possibilities, such as automatically getting it warmed up in the morning if the outside air temperature drops below a certain point. The only problem is, not everyone is willing to start hacking their ride’s wiring to do it.
Which is exactly why [Matt Frost] went the non-invasive route. By wiring up an ESP8266 to a cheap aftermarket key fob for his Chevrolet Suburban, he’s now able to wirelessly control the door locks and start the engine without having to make any modifications to the vehicle. He was lucky that the Chevy allowed him to program his own fob, but even if you have to spend the money on getting a new remote from the dealer, it’s sure to be cheaper than the repair bill should you cook something under the dash with an errant splice or a misplaced line of code.
The hardware for this project is about as simple as it gets. The fob is powered by the 3.3 V pin on the Wemos D1 Mini, and the traces for the buttons have been hooked up to the GPIO pins. By putting both boards into a custom 3D printed enclosure, [Matt] came up with a tidy little box that he could mount in his garage and run off of a standard USB power supply.
On the software side of things [Matt] has the device emulating a smart light so it can easily be controlled by his Alexa, with a few helpful routines sprinkled in that allow him to avoid the awkward phraseology that would be required otherwise. There’s also a minimal web server running on the microcontroller that lets him trigger various actions just by hitting the appropriate URLs, which made connecting it to Home Assistant a snap. One downside of this approach is that there’s no acknowledgement from the vehicle that the command was actually received, but you can always send a command multiple times to be sure.
This isn’t the first time we’ve seen an ESP8266 used to “push” buttons on a remote. If you’ve got a spare fob for your device, or can get one, it’s an excellent way to automate it on the cheap.
Now that nearly every car on the road comes with an electronic key fob, people are desperate to find ways to repair these indispensable little gadgets without coughing up potentially hundreds of dollars at the dealership. There’s a whole market for replacement shells which you can transplant your (hopefully) still functional electronics into, but if you’re going to go through the trouble of putting the electronics into a new case, why not make it special?
That’s what [Michicanery] was thinking when he decided to build his own custom key fob. The end result is an utterly magnificent feat of engineering that’s sure to be a conversation piece for the life of the vehicle, if not beyond. Made of wood and aluminum cut on his OpenBuilds Lead CNC 1010, this build just might inspire you to “accidentally” drop your existing fob from a great height. Oh no, what a shame.
[Michicanery] starts by disassembling his original fob, which is the type that has a key integrated directly into the device. This meant his replacement would need a bit more thought put into it than a separate stand-alone fob, but at least it wasn’t one of the ones where you have to stick the whole thing into the dashboard. To make sure the build was strong enough to survive a lifetime of being turned in the ignition and generally fiddled with, he cut the central frame and buttons out of 1/4″ thick aluminum.
The top and bottom of the fob were then cut from Chechen wood and then chamfered on a table router so it felt a bit better in the hand. He applied oil to the pieces to bring out the natural color and grain of the wood, but not before engraving his own logo onto the back of the case for that extra touch of personalization. Not that we think [Michicanery] is going to have trouble identifying his keys from this point on.
Like the incredible watch cases we’ve seen recently, this is a perfect example of an everyday object getting a new lease on life as a bespoke creation thanks to a custom built enclosure. Granted we’re not sure Honda key fobs have quite the heirloom potential of a good watch, but we’d still prefer it over the black plastic original.
This clever precomputation attack was developed by a group of researchers at KU Leuven in Belgium. Unlike previous key fob attacks that we’ve covered in the past which have been essentially relay attacks, this hack precomputes a ton of data, looks for a collision in the dataset, and opens the door. Here’s how it works.
Continue reading “Tesla Opens With Precomputed Key Fob Attack”
Show of hands: how many of you have parked your car in the driveway, walked up to your house, and pressed your car’s key fob button thinking it would open the front door? We’ve probably all done it and felt a little dopey as a result, but when you think about it, it would be tremendously convenient, especially with grocery bags dangling off each arm and the mail clenched between your teeth. After all, we’re living in the future — shouldn’t your house be smart enough to know when you’re home?
Reverse engineer par excellence Samy Kamkar might think so, but given his recent experiences with cars smart enough to know when you’re standing outside them, he’d probably have some reservations. Samy dropped by the 2017 Hackaday Superconference in November to discuss the finer points of exploiting security flaws in passive car entry systems, and also sat down with our own Elliot Williams after his talk for a one-on-one interview. Samy has some interesting insights on vehicle cybersecurity, but the practical knowledge he’s gained while exploring the limits of these systems teaches some powerful lessons about being a real-world reverse engineer.
[tomwimmenhove] has found a vulnerability in the cryptographic algorithm that is used by certain Subaru key fobs and he has open-sourced the software that drives this exploit. All you need to open your Subaru is a RasPi and a DVB-T dongle, so you could complain that sharing this software equates to giving out master keys to potential car thieves. On the other hand, this only works for a limited number of older models from a single manufacturer — it’s lacking in compatibility and affordability when compared to the proverbial brick.
This hack is much more useful as a case study than a brick is, however, and [tomwimmenhove]’s work points out some bad design on the manufacturer’s side and as such can help you to avoid these kinds of mistakes. The problem of predictable keys got great treatment in the comments of our post about an encryption scheme for devices low in power and memory, for instance.
Those of you interested in digital signal processing may also want to take a look at his code, where he implements filtering, demodulation and decoding of the key fob’s signal. The transmission side is handled by rpitx and attacks against unencrypted communications with this kind of setup have been shown here before. There’s a lot going on here that’s much more interesting than stealing cars.
[Via Bleeping Computer]
We all do it — park our cars, thumb the lock button on the key fob, and trust that our ride will be there when we get back. But there could be evildoers lurking in that parking lot, preventing you from locking up by using a powerful RF jammer. If you want to be sure your car is safe, you might want to scan the lot with a Raspberry Pi and SDR jammer range finder.
Inspired by a recent post featuring a simple jammer detector, [mikeh69] decided to build something that would provide more directional information. His jammer locator consists of an SDR dongle and a Raspberry Pi. The SDR is set to listen to the band used by key fobs for the continuous, strong emissions you’d expect from a jammer, and the Pi generates a tone that varies relative to signal strength. In theory you could walk through a parking lot until you get the strongest signal and locate the bad guys. We can’t say we’d recommend confronting anyone based on this information, but at least you’d know your car is at risk.
We’d venture a guess that a directional antenna would make the search much easier than the whip shown. In that case, brushing up on Yagi-Uda antenna basics might be a good idea.
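The detection idea in the jammer locator post, as an added sketch that is not [mikeh69]'s code: it separates a continuous strong emission from a short key fob burst in a series of power readings, and maps strength to a tone pitch. The 100 ms slice length, dB thresholds, tone range and sample readings are all assumptions constructed for the example; no SDR is needed to run it.

```python
def tone_hz(power_db, floor_db=-60.0, ceil_db=-10.0, lo_hz=200.0, hi_hz=2000.0):
    """Map signal strength to an audio pitch, clamped to [lo_hz, hi_hz]."""
    frac = (power_db - floor_db) / (ceil_db - floor_db)
    frac = min(1.0, max(0.0, frac))
    return lo_hz + frac * (hi_hz - lo_hz)

def sustained_runs(readings, threshold_db=-35.0, min_slices=10):
    """Return (start_index, length, peak_db) for every run of strong readings
    that lasts at least min_slices, i.e. longer than a fob press would."""
    readings = list(readings)
    runs, start = [], None
    # A trailing -inf sentinel closes a run that reaches the end of the data.
    for i, power in enumerate(readings + [float("-inf")]):
        if power >= threshold_db:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_slices:
                runs.append((start, i - start, max(readings[start:i])))
            start = None
    return runs

# Constructed readings in dB relative to full scale, one per 100 ms slice.
QUIET = [-58.0] * 5
FOB_PRESS = [-30.0] * 3   # a 300 ms burst: strong but short
JAMMER = [-28.0, -26.0, -25.0, -22.0, -20.0, -20.0,
          -21.0, -24.0, -27.0, -29.0, -30.0, -31.0]  # 1.2 s of continuous carrier
SAMPLE = QUIET + FOB_PRESS + QUIET + JAMMER + QUIET

def alerts(readings):
    """One alert per sustained run, with the tone pitch at its strongest point."""
    return [
        {"start": s, "slices": n, "peak_db": peak, "tone_hz": tone_hz(peak)}
        for s, n, peak in sustained_runs(readings)
    ]

if __name__ == "__main__":
    for alert in alerts(SAMPLE):
        print(alert)
```

The duration test is what keeps ordinary fob presses in a busy lot from raising alerts; the thresholds would have to be tuned against the receiver's real noise floor.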