This clever precomputation attack was developed by a group of researchers at KU Leuven in Belgium. Unlike the key fob attacks we’ve covered in the past, which have essentially been relay attacks, this hack precomputes a ton of data, looks for a collision in the dataset, and opens the door. Here’s how it works.
Show of hands: how many of you have parked your car in the driveway, walked up to your house, and pressed your car’s key fob button thinking it would open the front door? We’ve probably all done it and felt a little dopey as a result, but when you think about it, it would be tremendously convenient, especially with grocery bags dangling off each arm and the mail clenched between your teeth. After all, we’re living in the future — shouldn’t your house be smart enough to know when you’re home?
Reverse engineer par excellence Samy Kamkar might think so, but given his recent experiences with cars smart enough to know when you’re standing outside them, he’d probably have some reservations. Samy dropped by the 2017 Hackaday Superconference in November to discuss the finer points of exploiting security flaws in passive car entry systems, and also sat down with our own Elliot Williams after his talk for a one-on-one interview. Samy has some interesting insights on vehicle cybersecurity, but the practical knowledge he’s gained while exploring the limits of these systems teaches some powerful lessons about being a real-world reverse engineer.
[tomwimmenhove] has found a vulnerability in the cryptographic algorithm that is used by certain Subaru key fobs and he has open-sourced the software that drives this exploit. All you need to open your Subaru is a RasPi and a DVB-T dongle, so you could complain that sharing this software equates to giving out master keys to potential car thieves. On the other hand, this only works for a limited number of older models from a single manufacturer — it’s lacking in compatibility and affordability when compared to the proverbial brick.
This hack is much more useful as a case study than a brick is, however. [tomwimmenhove]’s work points out some bad design on the manufacturer’s side, and as such can help you avoid these kinds of mistakes. The problem of predictable keys got great treatment in the comments of our post about an encryption scheme for devices low in power and memory, for instance.
Those of you interested in digital signal processing may also want to take a look at his code, where he implements filtering, demodulation and decoding of the key fob’s signal. The transmission side is handled by rpitx and attacks against unencrypted communications with this kind of setup have been shown here before. There’s a lot going on here that’s much more interesting than stealing cars.
[Via Bleeping Computer]
We all do it — park our cars, thumb the lock button on the key fob, and trust that our ride will be there when we get back. But there could be evildoers lurking in that parking lot, preventing you from locking up by using a powerful RF jammer. If you want to be sure your car is safe, you might want to scan the lot with a Raspberry Pi and SDR jammer range finder.
Inspired by a recent post featuring a simple jammer detector, [mikeh69] decided to build something that would provide more directional information. His jammer locator consists of an SDR dongle and a Raspberry Pi. The SDR is set to listen to the band used by key fobs for the continuous, strong emissions you’d expect from a jammer, and the Pi generates a tone that varies relative to signal strength. In theory you could walk through a parking lot until you get the strongest signal and locate the bad guys. We can’t say we’d recommend confronting anyone based on this information, but at least you’d know your car is at risk.
We’d venture a guess that a directional antenna would make the search much easier than the whip shown. In that case, brushing up on Yagi-Uda antenna basics might be a good idea.
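The detection idea described above, as an added sketch that is not [mikeh69]'s code: it measures power per window of IQ samples, separates a short key fob burst from a continuous strong emission, and maps strength to a tone pitch. The function names, the -30 dB threshold, the 10-window duration and the 200 to 2000 Hz tone range are all assumptions, and the IQ windows are constructed rather than captured.

```python
import cmath
import math

def window_power_db(iq):
    """Mean power of one window of complex IQ samples, in dB re full scale."""
    mean_sq = sum(abs(s) ** 2 for s in iq) / len(iq)
    return 10 * math.log10(max(mean_sq, 1e-12))

def tone_hz(power_db, floor_db=-60.0, ceil_db=0.0, low_hz=200.0, high_hz=2000.0):
    """Map signal strength to an audio pitch: stronger signal, higher tone."""
    frac = (power_db - floor_db) / (ceil_db - floor_db)
    return low_hz + min(1.0, max(0.0, frac)) * (high_hz - low_hz)

def classify(powers_db, threshold_db=-30.0, min_windows=10):
    """'jammer' = strong for min_windows in a row, 'burst' = briefly strong."""
    longest = run = 0
    for p in powers_db:
        run = run + 1 if p >= threshold_db else 0
        longest = max(longest, run)
    if longest >= min_windows:
        return "jammer"
    return "burst" if longest else "quiet"

def analyse(windows):
    """Return (classification, tone in Hz for the strongest window)."""
    powers = [window_power_db(w) for w in windows]
    return classify(powers), round(tone_hz(max(powers)))

# Constructed sample input: synthetic IQ windows, not captured from a real radio.
def carrier(amplitude, n=64):
    return [cmath.rect(amplitude, 0.3 * k) for k in range(n)]

QUIET = [carrier(0.001)] * 20                              # noise floor only
FOB_PRESS = [carrier(0.001)] * 8 + [carrier(0.1)] * 3 + [carrier(0.001)] * 9
JAMMER = [carrier(0.1)] * 20                               # continuous emission

if __name__ == "__main__":
    for name, trace in (("quiet", QUIET), ("fob press", FOB_PRESS), ("jammer", JAMMER)):
        print(name, analyse(trace))
```

The duration check is what keeps an ordinary fob press, which is just as strong but only a few windows long, from being reported as a jammer.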
Modern smart keys allow you to keep the key fob in your pocket or purse while you simply grab the handle and tug the door open. [Phil] decided he would rather ditch the fob altogether and instead implemented a passive Bluetooth keyless entry system with his Android phone. It’s probably unlikely for car manufacturers to embrace phone-based keys anytime soon, and [Phil] acknowledges that his prototype poses a landslide of challenges. What he’s built, however, looks rather enticing. If the car and phone are paired via Bluetooth, the doors unlock. Walk out of range and the car automatically locks when the connection drops.
His build uses an Arduino Mega with a BlueSMiRF Silver Bluetooth board that actively searches for his phone and initiates a connection if in range. Doors are unlocked directly through a 2-channel relay module, and an LED indicator inside the vehicle tells the status of the system. A pulsing light indicates it’s searching for the phone, while a solid ring means that a connection is established.
We hope [Phil] will implement additional features so we can make our pockets a bit lighter. Watch a video demonstration of his prototype after the break, then check out the flood of car-related hacks we’ve featured around here recently: the OpenXC interface that adds a smart brake light, or the Motobrain, which gives you Bluetooth control over auxiliary electrical systems.
If you’re lofting a digital camera high into the stratosphere with a helium balloon, you really can’t do better than one of those key fob spy cameras. Being extremely lightweight with decent resolution, they’re the perfect camera to take to near space. If you’re bringing someone along to snap the pictures, that is.
[Román] wanted to take his 808 spy camera to new heights but, not wanting to manually reset the thing when it’s 100,000 feet in the air, decided to use a microcontroller instead. An 8-pin PIC12F675 takes care of taking 60 pictures with a 4-second interval, then switching to movie mode and recording a 20-second video.
The entire device can be powered by 6 to 9 volts with the help of a voltage regulator. [Román] found the camera hangs after taking about 1600 photos, so a connection from the microcontroller to the reset switch was added. Everything works on the ground, so we can’t wait to see what happens miles above the Earth’s surface.