RollBack Breaks Into Your Car

Rolling codes change the signal sent by car keyfobs unpredictably on every use, rendering them safe from replay attacks, and we can all sleep well at night. A research team led by [Levente Csikor] gave a presentation at Black Hat where they disclose that the situation is not pretty at all (PDF).

You might know [Samy Kamkar]’s RollJam attack, which basically consists of jamming the transmission between fob and car while the owner walks away, fooling the owner into clicking again, and then using one of the two rolling codes to lock up the car, keeping the other in your back pocket to steal it once they’re getting coffee. This is like that, but much, much worse.

A Honda car behind a gate, with its turn signals shown blinking as it's being unlocked by a portable device implementing the hack in question. Text under the car says "Rolling Pwned".

Unlock Any (Honda) Car

Honda cars have been found to be severely vulnerable to a newly published Rolling PWN attack, letting you remotely open the car doors or even start the engine. So far it’s only been proven on Hondas, but ten out of ten models that [kevin2600] tested were vulnerable, leading him to conclude that all Honda vehicles on the market can probably be opened in this way. We simply don’t know yet if it affects other vendors, but in principle it could. This vulnerability has been assigned CVE-2021-46145.

[kevin2600] goes in depth on the implications of the attack but doesn’t publish many details. [Wesley Li], who discovered the same flaw independently, goes into more technical detail. The hack appears to replay a series of previously valid codes that resets the internal PRNG counter to an older state, allowing the attacker to reuse the known prior keys. Thus, it requires some eavesdropping on previous keyfob-car communication, but this should be easy to set up with a cheap SDR and an SBC of your choice.
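To make the mechanism described above concrete, here is an added simulation (not code from the researchers, from [Wesley Li], or from any Honda system) of a window-based rolling-code receiver that resynchronises after two consecutive authentic counters. One variant also accepts a resync backwards, which is the weakness the text describes; the other only ever moves the counter forward. The MAC-based code format, the shared key, the window size and the counter values are all constructed assumptions.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed shared secret, not a real fob key
WINDOW = 16  # codes up to this far ahead of the last accepted counter are valid


def make_code(counter: int) -> tuple:
    """Fob side: counter plus a MAC over it (real fobs encrypt the counter)."""
    tag = hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).hexdigest()
    return counter, tag


def is_authentic(code: tuple) -> bool:
    counter, tag = code
    return hmac.compare_digest(tag, make_code(counter)[1])


class Receiver:
    """Car side. allow_backward_resync=True models the weakness the text
    describes: two consecutive stale codes drag the counter back in time."""

    def __init__(self, allow_backward_resync: bool):
        self.last = 0            # highest counter accepted so far
        self.pending = None      # counter of the last authentic out-of-window code
        self.allow_backward_resync = allow_backward_resync

    def receive(self, code: tuple) -> bool:
        if not is_authentic(code):
            self.pending = None
            return False
        counter = code[0]
        if self.last < counter <= self.last + WINDOW:
            self.last, self.pending = counter, None
            return True                      # normal in-window press
        # Out of window: resync only after two consecutive authentic counters.
        if self.pending is not None and counter == self.pending + 1:
            if counter > self.last or self.allow_backward_resync:
                self.last, self.pending = counter, None
                return True
        self.pending = counter
        return False


def rollback_scenario(allow_backward_resync: bool) -> list:
    """Owner uses codes 5, 6, 7 (eavesdropped) and later 20; the stale
    5, 6, 7 are then replayed. Returns the receiver's verdict on each replay."""
    rx = Receiver(allow_backward_resync)
    captured = [make_code(c) for c in (5, 6, 7)]
    for code in captured:
        rx.receive(code)                     # legitimate presses, observed earlier
    rx.receive(make_code(20))                # owner keeps using the fob
    return [rx.receive(code) for code in captured]
```

The forward-only variant still lets a fob that was pressed out of range many times resynchronise, because it accepts any consecutive pair whose counter is ahead of the last accepted one; what it refuses is exactly the step backwards that makes previously used codes valid again.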

If you have one of the models affected, that’s bad news, because Honda probably won’t respond anyway. The researcher contacted Honda customer support weeks ago, and hasn’t received a reply yet. Why customer support? Because Honda doesn’t have a security department to submit such an issue to. And even if they did, just a few months ago Honda said they will not be doing any kind of mitigation for “car unlock” vulnerabilities.

As it stands, all these affected Honda cars might just be out there for the taking. This is not the first time Honda has been found botching a rolling code implementation – in fact, it’s the second time this year. Perhaps this string of vulnerabilities is just karma for Honda striking down all those replacement part 3D models, but one thing is for sure – they had better create a proper department for handling security issues.

This Week In Security: Ransomware Decryption, OpenSSL, And USBGadget Spoofing

We’ve covered a lot of ransomware here, but we haven’t spent a lot of time looking at the decryptor tools available to victims. When ransomware gangs give up, or change names, some of them release a decryption tool for victims who haven’t paid. It’s not really a good idea to run one of those decryptors, though. The publishers don’t have a great track record for taking care of your data, after all. When a decryptor does get released, and is verified to work, security researchers will reverse engineer the tool, and release a known-good decryption program.

The good folks at No More Ransom are leading the charge, building such tools, and hosting a collection of them. They also offer Crypto Sheriff, a tool to identify which ransomware strain got your files. Upload a couple of encrypted files, and it will inform you exactly what you’re dealing with, and whether there is a decryptor available. The site is a cooperation between the Dutch police, Interpol, Kaspersky, and McAfee. It may surprise you to know that they recommend reporting every ransomware case to the authorities. I can confirm that at the very least, the FBI in the US is very interested in keeping track of the various ransomware attacks — I’ve fielded a surprise call from an agent following up on an infection.

OpenSSL

The OpenSSL project has fixed a pair of vulnerabilities, CVE-2021-3711 and CVE-2021-3712, with release 1.1.11l. The first is a possible buffer overflow caused by a naive length calculation function. A “fixed” length header is actually dynamic, so a carefully crafted plaintext can overflow the allocated buffer.

Hacker Claims Honda And Acura Vehicles Vulnerable To Simple Replay Attack

Keyless entry has become a standard feature on virtually all cars, where once it was a luxury option. However, it’s also changed the way that thieves approach the process of breaking into a car. After recent research, [HackingIntoYourHeart] claims that many modern Honda and Acura vehicles can be accessed with a simple replay attack using cheap hardware. 

It’s a bold claim, and one that we’d love to see confirmed by a third party. The crux of the allegations is that simply recording signals from a Honda or Acura keyfob is enough to compromise the vehicle. Reportedly, no rolling code system is implemented and commands can easily be replayed.

Given these commands control features like unlocking the doors, opening the trunk, and even remote starting the vehicle, it’s a concerning situation. However, it’s also somewhat surprising. Rolling code technology has been around for decades, and makes basic replay attacks more difficult. Range extender attacks that target keyfobs sitting inside homes or gas stations are more common these days.

Whether Honda has made a security faux pas, or there’s something more at play here, remains to be seen. If you’ve got more information, or have been able to recreate the same hack on your own Honda, be sure to let us know.

Custom Keyfob Fixes Mazda Design Mistake

While Mazda has made some incredible advances in fuel efficient gasoline engines over the past few years, their design group seems to have fallen asleep at the wheel in the meantime, specifically in regards to the modern keyfob design. The enormous size and buttons on the side rather than the face are contrary to what most people need in a keyfob: small size and buttons that don’t accidentally get pressed. Luckily, though, the PCB can be modified with some effort.

This particular keyfob has a relatively simple two-layer design which makes it easy to see where the connections are made. [Hack ‘n’ Tink] did not need the panic button or status LED, which allowed him to simply cut away a section of the PCB, but changing the button layout was a little trickier. For that, buttons were soldered to existing leads on the face of the board using 30-gauge magnet wire and silicone RTV. From there he simply needed to place the battery in its new location and 3D print the new enclosure.

The end result is a much smaller form factor keyfob with face buttons that are less likely to accidentally get pressed in a pocket. He also made sure that the battery and button relocation wouldn’t impact the antenna performance. It’s a much-needed improvement to a small but crucial part of the car; the only surprise is that a company that’s usually on point with technology and design would flop so badly on such a critical component.

Thanks to [Brian] for the tip!


Lock Your Keys In The Car On Purpose With Aluminum Foil

[TJ] is a surfer, and drives his car to get to the beach. But when he gets there he’s faced with a dilemma that most surfers have: either put his key in his baggies (shorts) or wetsuit and hope it doesn’t get lost during a wipeout, or stash it on the rear wheel of his car. Hiding the keyfob by the car isn’t an option because it can open the car doors just by being in proximity to the car. He didn’t want to risk losing it to the ocean either, so he built a waveguide of sorts for his key out of aluminum foil that lets him lock the key in the car without locking himself out.

Over a series of trials, [TJ] found out that his car, a 2017 Chevy Cruze, has a series of sensors in it which can determine the location of the keyfob based on triangulation. If it thinks the keyfob is outside of the car, it allows the door to be locked or unlocked with a button on the door handle. If the keyfob is inside the car, though, it prevents the car from locking via the door handles so you don’t accidentally lock yourself out. He found out that he could “focus” the signals of the specific sensors that make the car think the keyfob is outside by building an open Faraday cage.

The only problem now is that while the doors can be locked, they can also be unlocked. To solve that problem he rigged up an ESP32 to a servo to open and close the opening in the Faraday cage. This still means there’s a hidden device used to activate the ESP32, but odds are that it’s a cheaper device to replace than a modern car key and improves security “through obscurity”. If you have any ideas for improving [TJ]’s build, though, leave them in the comments below. Surfers across the world from [TJ] to the author would be appreciative.

The Great Ohio Key Fob Mystery, Or “Honey, I Jammed The Neighborhood!”

Hack long enough and hard enough, and it’s a pretty safe bet that you’ll eventually cause unintentional RF emissions. Most of us will likely have our regulatory transgression go unnoticed. But for one unlucky hacker in Ohio, a simple project ended up with a knock at the door by local authorities and pointed questions to determine why key fobs and garage door remotes in his neighborhood and beyond had suddenly been rendered useless, and why his house seemed to be at the center of the disturbance.

Few of us want this level of scrutiny for our projects, so let’s take a more in-depth look at the Great Ohio Key Fob Mystery, along with a look at the Federal Communications Commission regulations that govern what you can and cannot do on the airwaves. As it turns out, it’s easy to break the law, and it’s easy to get caught.
