
Radio Hacking: Cars, Hardware, and more! - Samy Kamkar - AppSec California 2016

May 31, 2021
Hello everyone, thank you for coming. I'm Samy and this is Drive It Like You Hacked It. This is basically a fun talk. I've been continually working and improving while researching a couple of different areas; a couple of really fun areas for me have been vehicles, vehicle radio, hardware, and we're going to focus a little bit on some of those things that are very fun for me. We'll also cover some web stuff, and I try to put it all together in a fun way. So we all love Nicolas Cage, right? Yeah, okay, I love Nicolas Cage, so I watched Gone in 60 Seconds, it's like one of my favorite movies, so I've spent my whole life trying to be like him. So, like, Gone in 60 Seconds happens, you know, basically Nick Cage goes around stealing cars.
I hope I haven't spoiled that for anyone, but to do that, the first thing you have to do is get into a garage, which has some really cool cars. So over the last year I've been looking at how I can get into garages, how they work. Garages are cool; we've all seen the clicker, the little garage clicker. All right, I have one here, so I started learning how these things worked, and my goal was to get into my own garage. I'm in a condo unit, so there are a ton of different cars there, and I wanted to see how this works, so I started learning a little bit about radio frequency and how radios work and communicate with devices like garage door openers. So that's the first thing we're basically going to dig into here, and I'm going to show you how this works; we'll actually do some live demos.

The first thing you learn about something with radio is really interesting: any device in the US that actually transmits radio frequency must have an FCC ID. So if you pull out your phone, all of our phones will have an FCC ID on the back here; on my iPhone I see an FCC ID, and the same goes for this garage door opener that opens my garage. So what we can do is actually take one of these things and open our garage, and look at the FCC ID. The good thing about the FCC is what they do: they regulate broadcasting in the US, so if you want to broadcast on a radio frequency, the FCC has to allow that device or manufacturer to do it, and all the information about that ID is actually public information. So you can go to the FCC website, which is actually very difficult to use, and look for one of these IDs.

Luckily, someone named Dominic Spill has created a website called fcc.io that I use all the time, and basically at fcc.io you can just type in the ID from the back of this garage door opener, or your garage door, or your phone. So if you actually take out your phone, you can look up the FCC ID and learn everything about what your phone transmits. That's really cool, and inside there we'll see some things. The first thing we see is, you'll often see pictures of the actual device, both the outside on the left here and the inside, so you'll see the inside of that circuit.
This is really great if you're trying to find information about, for example, a device that you don't necessarily have access to, a device that might be out of your price range, or a device that hasn't been released yet, something that's about to come out. You can actually go here and learn a ton of information; you can probably discover vulnerabilities or problems with the device before it even comes out. It's pretty amazing. So here's an example of my garage door opener. I looked it up, and the first thing we see is where it came from: China, obviously. You also see the frequency range here, so this is the frequency that it communicates on, and on this one it says the bottom frequency is 390 MHz and the top frequency is 390 MHz, so that means it communicates on 390 MHz, which is great.

So what else do we see from the FCC? We see things like a cover letter, always a nice little formal letter; external photos, like we saw; internal photos; a couple of different things. One of the most interesting areas is the test report. What the FCC does is they hire someone to come and test your device, because the thing about frequencies is we're essentially sharing the spectrum. You don't want one device to just transmit constantly and prevent other devices from working; for example, if I just held this garage door opener down, if it was just transmitting all the time, it might prevent other garage door openers from working, and you wouldn't want to interfere with, say, someone across the street. So they do all these tests to make sure it transmits on the allowed frequencies, not more powerfully than it should, and so on. So if we pull this up we can see the internal report; in fact, I can often see a spectrum graph of the recording of that radio signal transmitted by the device.

There are a few different devices that I use to listen to this type of thing. One of the really cool devices is the HackRF. It's capable of receiving and transmitting from 1 MHz up to 6 GHz, a really wide range, totally open source, open hardware, a few hundred dollars. It can also transmit, which is really interesting; people have done really crazy things with this thing, for example
GPS spoofing. I mean, people have literally spoofed GPS using this device or similar devices and caused ships to go off course. Ships literally go off course, because what do they depend on? They depend on GPS. How does GPS work? On radio signals that are sent from satellites to Earth, and we're using that to find out where we are, and someone comes along and transmits a signal and you think you're somewhere else, or you think you're going elsewhere. I mean, the amount of dependence that we have on these radio signals is enormous and growing every day, so this is another reason why this is such an interesting thing, and I'm very interested in this right now. Now, with the HackRF you can say, well,
I don't know anything about radio, and I know very little about radio personally, but you can do some pretty simple things. For example, if you're dealing with something that uses a fixed transmission, something that's like a password: if you open up your garage door opener, many of our garage door openers basically have a bunch of DIP switches that are essentially a password, and that opens your garage. Now, if you don't know someone, like you're trying to break into someone's garage and trying to get in, what you could do is record that signal and play it back, and the HackRF can do that.
Now, not all devices are susceptible to record and playback. You often need to know a lot more information about the signal, which we'll learn in a little bit, but literally with two commands you can record and then play back, kind of like taking a microphone and a speaker and playing back some signal. Now, this will work in some scenarios, not in all scenarios; for example, cars use something called rolling codes, which we'll see later, where the password changes, like Google Authenticator or 2FA. You might get a 2FA code, which is essentially a rolling code, where every time you get a new ID or a new password to log into something.

Another device I use is the RTL-SDR. This is awesome, I have it here. It's basically another antenna; SDR means software defined radio, RTL is from Realtek, and software defined radio (the HackRF is also a software defined radio) allows you to use cheap software and hardware to analyze the radio spectrum and often also transmit. The RTL-SDR is great because it's like $20 on Amazon, so you can buy it right now for 20 bucks, you know, and start learning, and you can do so many things. You can see planes passing overhead; there's actually someone in Los Angeles who did that and who's been recording planes. It's a public broadcast: every time a plane is flying, it sends a radio signal with where it is, its GPS coordinates and information about it, its unique name, and he began to map it just as a hobby, and he found out that there are these airplanes that are just circling over Los Angeles. They're just circling; they take off, they fly, and then they circle. Why are there airplanes circling over Los Angeles?
And he started looking: what is that? FBI planes. This is a guy who discovered that these are FBI planes hanging around, probably using something like a Stingray to listen to our phone calls and text messages, so always say "FBI" loudly when you pick up the phone. So the RTL-SDR is another really cool thing; what he did that with, the RTL-SDR, is a $20 device. You can use free open source software on your computer, no matter what you know, on any major operating system. GNU Radio, this is like a fun albeit complicated piece of software, which probably isn't that complicated, it's just very hard for me to learn, so I'm still trying to figure out how to use it, but it allows you to pick up radio signals, or really any signal.
Technically, you can just pipe audio into it and you can manipulate it. We can run different filters and extract information or stream information, so this is another really useful tool. Gqrx: this is an amazing tool, we'll use it in a minute and I'll show you how it works. Basically this allows us to see a waterfall view of the radio spectrum, so we can say, okay, I want to see 300 to 301 MHz, I want to see everything that happens there. This would allow you to, let's say you have a device and you don't have the FCC ID, or let's say you don't have access to the device.
Let's say you're outside of something and you have a black box, or you know that someone is driving up to their garage and is about to press a button, but you don't know what frequency their device is using. You can use this to essentially look at a waterfall of radio frequencies, and you'll see when there's something with a high amplitude, when there's essentially a signal being transmitted. It's really cool. This is only for Linux and OS X; if you're on Windows you can also get SDR#, it's another similar tool that does the same thing, very cool. And the good thing is that there are people out there, like on Reddit there's a subreddit called rtlsdr, and you can go there and people just look at the spectrum, because there are all these radio frequencies and we have no idea what a lot of them are.
You know, this is something that's invisible, right, it's essentially invisible to us, and usually when there's something invisible, people just assume it's safe because we can't see it, we don't know how it works. Increasingly, people are playing in this area and researching and trying to find out what all these invisible signals are, and many of them lack security. I mean, it's really interesting, some of the things that are coming out of here. rtl_fm, this is like a command line tool that allows you to record signals with the RTL-SDR. So these are some of the tools that I use.
The presentation will be available online. If you want to take it and do some research here, you'll have access to all of that. So let's go back to this FCC report. There are three things I typically look at when looking at an FCC report for a device. Internal photos, because that allows me to see the interior; if I can see inside, I might be able to make out the chip that is being used. If I look at the chip, I can probably look up data sheets available for that chip, and I can learn everything about what the chip does, the frequency at which it communicates, the modulation, all kinds of information. I can also look at the test report, and the test report will often provide useful information, like what frequencies it uses, maybe what modulation, and then also the user manual.
There is always amazing information in the user manuals, I find. In my case, a friend of mine was at Coachella, and he was like, yeah, I got back to my car and all my windows were down and I thought something had been stolen. He says no, luckily nothing was, so it's like someone broke into my car and didn't take anything. I was like, huh, that seems weird, so I looked up the FCC ID. I thought maybe someone hacked your fob, your thing, like your radio or your car key, and I looked it up and looked at the user manual, and there's just a section on how the car key works and everything about the car key, and apparently if you hold down one of the buttons for enough seconds all your windows just roll down. I haven't told him; I'm going to use it against him. So here's an example of a test report for a garage door opener.
We can see the frequency is 390 MHz. We see that the modulation type is ASK. We'll go over that in a second here, and a couple more things about the device. So let's talk a little bit about the modulation. Who here has listened to the radio? Okay.

Who has pressed the button on their key and it didn't work once? That happens, fine, and you just press it again and it usually works fine; there was some interference, or you didn't hold it down long enough. So what if I deviate from the frequency a little and listen too?
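As an added example (not code from the talk), here is what "record and play back" amounts to for the fixed-code, DIP-switch remote described earlier and the ASK report just shown: OOK (on-off keying, the simplest form of ASK) switches the 390 MHz carrier on for a 1 bit and off for a 0 bit, so a receiver only has to threshold the envelope of the signal and sample once per bit period. The bit period, preamble, 12-position DIP code and noise level below are assumptions chosen for illustration, and the "capture" is constructed in code rather than recorded from an SDR.

```python
"""OOK encode/decode on magnitude samples, plus a fixed-code receiver.

Added example, not Samy's code or any vendor's protocol. Everything numeric
here (bit period, preamble, DIP-switch width) is an assumption.
"""
import random

SAMPLES_PER_BIT = 20          # assumed: e.g. 2 ms bits at a 10 kS/s envelope rate
PREAMBLE = [1, 0] * 4         # assumed sync pattern that precedes the payload
CODE_BITS = 12                # assumed: a 12-position DIP switch
FRAME_BITS = len(PREAMBLE) + CODE_BITS


def ook_modulate(bits, samples_per_bit=SAMPLES_PER_BIT, carrier=1.0, noise=0.05, seed=1):
    """Turn a bit list into an envelope: carrier on for 1, off for 0.
    Leading/trailing silence plus Gaussian noise mimic a real capture."""
    rng = random.Random(seed)
    silence = [0.0] * (samples_per_bit * 2)
    body = []
    for b in bits:
        body.extend([carrier if b else 0.0] * samples_per_bit)
    return [abs(s + rng.gauss(0, noise)) for s in silence + body + silence]


def ook_demodulate(samples, samples_per_bit=SAMPLES_PER_BIT, n_bits=FRAME_BITS):
    """Recover n_bits from an envelope:
    1. threshold halfway between the noise floor and the peak,
    2. find the first rising edge (start of the first 1 bit),
    3. sample once at the centre of each following bit period."""
    lo, hi = min(samples), max(samples)
    threshold = lo + (hi - lo) / 2
    on = [s > threshold for s in samples]
    if True not in on:
        return []                                  # no carrier seen at all
    pos = on.index(True) + samples_per_bit // 2    # centre of the first bit
    bits = []
    while pos < len(samples) and len(bits) < n_bits:
        bits.append(1 if on[pos] else 0)
        pos += samples_per_bit
    return bits


def frame_from_code(code):
    """DIP-switch value -> preamble + MSB-first code bits (the fixed 'password')."""
    return PREAMBLE + [(code >> i) & 1 for i in range(CODE_BITS - 1, -1, -1)]


def code_from_frame(bits):
    """Inverse of frame_from_code; None if the preamble or length is wrong."""
    if len(bits) != FRAME_BITS or bits[:len(PREAMBLE)] != PREAMBLE:
        return None
    value = 0
    for b in bits[len(PREAMBLE):]:
        value = (value << 1) | b
    return value


def receiver_accepts(samples, dip_setting):
    """A fixed-code opener: open iff the decoded code equals the DIP setting."""
    return code_from_frame(ook_demodulate(samples)) == dip_setting


if __name__ == "__main__":
    DIP = 0b101100111010                                 # assumed owner setting
    capture = ook_modulate(frame_from_code(DIP))         # constructed "SDR recording"
    # Replaying the same bits at a different level and with different noise
    # (what a retransmission from a second radio looks like) is still accepted:
    replay = ook_modulate(frame_from_code(DIP), carrier=0.6, noise=0.08, seed=7)
    print("owner press accepted:", receiver_accepts(capture, DIP))
    print("replay accepted:     ", receiver_accepts(replay, DIP))
    print("wrong code accepted: ", receiver_accepts(ook_modulate(frame_from_code(DIP ^ 1)), DIP))
```

The receiver has no state, so nothing distinguishes the owner's press from a retransmission; that is the property a rolling code is meant to remove.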
I also use a similar device for listening. In fact, I can be very specific and listen to just that signal and hear its code and ignore my interference, because I know where I'm interfering; I can ignore that part of the signal. The problem is that once I've recorded that signal, the car hasn't heard it. I can use that signal now; I can use it to unlock whenever I want. They keep pressing it until it works, and when it works, when the car hears their unlock code, all the previous codes are deactivated, so the code I acquired is no longer useful.
However, since we are humans, we all follow a simple pattern. If I jam and I listen and I get a code and I keep jamming, you walk up to your car, you press unlock, it doesn't work, you press unlock again, it doesn't work twice in a row, but I have heard both codes and extracted those two passwords. Now I take those two and just replay the first one, so now the car unlocks the second time, but I'm using the first code. So later, when you go home and lock your car, I still have an unused future code that I can unlock your vehicle with, because there really isn't a right time.
It's just the order of the sequence of these codes, so you can essentially trick the user by playing the first one on their second try, and of course you can automate this. So this is an attack that I call RollJam. I've demonstrated it on about 30 pieces of hardware, and there are many other attacks in this area. I think it's a very exciting area, because you have cars coming out this year, 2016, that will actually communicate with other vehicles on the road; it's called V2V, so there will be a lot of other radio communications happening.
You know, cars can use ultrasound to see if there's something in front of them, but what happens if you send your own ultrasound? What I mean is you can generate ultrasound, it's just sound at a higher frequency. What happens if you send that to a vehicle? You can make it believe that there is someone in front of it. You can send communication to the cars saying it's really rainy, so slow down, and you just make everyone slow down around you. I mean, you can do all kinds of things. It's crazy, scary and exciting. There are a lot of other cool attacks. I was also looking at my car.
I found out that if they're locking the vehicle, if they're pressing lock, lock, lock, and I record that data or jam that data, well, I can't use a lock like that, that's not good; I can't do anything fun with a lock. However, while looking at the data sheet for this car, I found out that the rolling code is one part and then the command is the second part, so I was able to change the command from lock to unlock and use the same code. So as I jammed and captured their lock command, I can change that command from lock to unlock, so even though they pressed lock, later
I come along and I send an unlock by simply changing that bit, because it's just a command that is not linked to the code in any way. Here is the device itself that I tested on many cars; it unlocked many cars, and it was beautiful.

Lessons: I want to say, you know, encrypt those buttons together, so if you're sending a lock command, for example (and of course this works anywhere, this will work over HTTP, you should use these same methods), encrypt or scramble that communication together: hash the key, hash the key with the command, use HMACs, use time-based algorithms. There's actually something called, I mean, we've had SecurID for 20 years, those RSA tokens that are essentially 2FA; we've had them for 20 years, and every 2015 car I've attacked has had this problem. We can implement these things; these things exist, we know about this, we know about these problems and we know how to solve them.
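The two tricks described above, RollJam and the unbound lock/unlock command, together with the HMAC-style fix just recommended, as an added example that is not code from the talk and not any vendor's protocol. The frame layout (a counter plus a command string), the 16-code look-ahead window, the key and the tag length are all assumptions; real fobs encrypt the counter, but the receiver logic being modelled is the same: accept a code only if it is ahead of the last one seen, and kill everything before it.

```python
"""Rolling-code receiver model, the RollJam attack, and command tampering.

Added example for this transcript; frame format, window and key are assumed.
"""
import hashlib
import hmac

WINDOW = 16   # assumed look-ahead: counters up to this far past the last accepted one are valid


def tag_for(key, ctr, cmd):
    """HMAC over counter AND command, so neither can be changed independently."""
    return hmac.new(key, ctr.to_bytes(4, "big") + cmd.encode(), hashlib.sha256).digest()[:8]


class Fob:
    """Every press emits the next counter plus the button. key=None models the
    talk's cars, where the command field is not authenticated at all."""
    def __init__(self, key=None):
        self.counter, self.key = 0, key

    def press(self, cmd):
        self.counter += 1
        frame = {"ctr": self.counter, "cmd": cmd}
        if self.key is not None:
            frame["tag"] = tag_for(self.key, self.counter, cmd)
        return frame


class Car:
    """Accept a counter only if it is ahead of the last accepted one, within WINDOW."""
    def __init__(self, key=None):
        self.last, self.key, self.actions = 0, key, []

    def receive(self, frame):
        ctr, cmd = frame["ctr"], frame["cmd"]
        if not (self.last < ctr <= self.last + WINDOW):
            return False                                   # old or already-used code
        if self.key is not None and not hmac.compare_digest(
                frame.get("tag", b""), tag_for(self.key, ctr, cmd)):
            return False                                   # counter/command mismatch
        self.last = ctr                                    # everything <= ctr is now dead
        self.actions.append(cmd)
        return True


class RollJam:
    """Attacker box: jam so the car never hears the fob, record each press,
    replay the previous one so the victim sees success, keep the newest one."""
    def __init__(self, car):
        self.car, self.held = car, None

    def victim_presses(self, frame):
        delivered = False
        if self.held is not None:
            replay = dict(self.held)
            if "tag" not in replay:            # unauthenticated command: make the victim
                replay["cmd"] = frame["cmd"]   # see the action they actually pressed
            delivered = self.car.receive(replay)
        self.held = frame                      # the car never saw this one: still valid
        return delivered

    def unlock_later(self):
        """Spend the stored code; without a tag, rewrite whatever it was to unlock."""
        frame = dict(self.held)
        if "tag" not in frame:
            frame["cmd"] = "unlock"
        return self.car.receive(frame)


def run_attack(key=None):
    """Victim: unlock (jammed), unlock again (jammed), drive home, lock (jammed)."""
    fob, car = Fob(key), Car(key)
    box = RollJam(car)
    r1 = box.victim_presses(fob.press("unlock"))   # nothing happens
    r2 = box.victim_presses(fob.press("unlock"))   # replay of #1 opens the door
    r3 = box.victim_presses(fob.press("lock"))     # replay of #2 (rewritten to lock if possible)
    later = box.unlock_later()                     # attacker spends #3
    return r1, r2, r3, later, list(car.actions)


def command_swap(key=None):
    """Take a genuine 'lock' frame and rewrite it to 'unlock' before delivery."""
    fob, car = Fob(key), Car(key)
    frame = fob.press("lock")
    frame["cmd"] = "unlock"
    return car.receive(frame)


if __name__ == "__main__":
    print("no binding :", run_attack(None), "swap accepted:", command_swap(None))
    print("HMAC bound :", run_attack(b"demo-key"), "swap accepted:", command_swap(b"demo-key"))
```

Binding the command into the tag stops the lock-to-unlock rewrite, but a held, never-delivered code is still a valid future code: a pure counter has no notion of "now", which is why the talk ends with time-based codes and challenge-response as the real fix.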
You can also do a challenge-response with transceivers instead of just cheap receivers, so there are ways around this. And, you know, that's it. That's what I have for you, thank you very much for coming. I hope you enjoyed it, and I'm happy to answer any questions. Thanks.

Yes, did I report any of those applications, and did they accept? I reported them all. Yes, I contacted them, and fortunately they all came out with new applications. Well, the first, GM, I didn't contact them again, I mean, it was impossible to contact them; they didn't have any kind of, they had no way for researchers to contact them. So I called and went to support, escalated, I sent an email, I visited their website, I mean I literally never heard back, and then I posted a demo (I didn't post the code or anything), and then they called me, you know, within 24 hours. And then BMW etc., they all fixed it. I mean, they all fixed it in a few days, which is great, because it's just an app update. Yeah, the reports you file: none of them had reward programs, and none of them had a security presence.
The one I was actually able to communicate with was literally, I mean literally, all of these companies that I had to just, they had no security response, right? These are new areas, at least for vehicles. Now GM has a security program, I'm sure they do, and they fix things, because this is the device. In fact, I have a new device I created that is smaller and cheaper. It costs $30, and you put it under your car so you always have the following code. I see, yeah, so they literally have to press the button twice every time, and we adapt pretty quickly, we just get used to it; now you just press it twice, it works the second time every time.
What's that? Absolutely, it's a great idea, yes. You could actually do that, so you'd just have to bother them once; it's a good point, I didn't think about that. Successful field tests? Yes, many field tests; in fact, you'll see that the lot is half empty now, thanks for coming. Any other questions? Yeah, sure. Yeah, I mean the amplification attack is really interesting. A lot of us have keys that we keep in our vehicle or in our pocket, and we can get to our car, open the door, and it will send a signal that our key detects, and then it will do a challenge-response, right, and to start the car it actually uses the signal strength to know that you're in the car, so if the signal strength is too low it says, oh, you're outside the car, I'm not going to start the vehicle, you have to be inside the car.
But as you say, you can do an amplification attack where, say you have two people, and one gets close to the car and pulls the door, it sends the signal, your device amplifies that signal or sends it wirelessly to another location where it's rebroadcast near the person's car key, at a restaurant or outside their home, and yes, then you can unlock and start the vehicle and drive away. And the vehicles can't stop if they detect that the keys are no longer in the car; it would be too dangerous if you're on the highway or something, so the car will continue moving forward and you take it to your chop shop. Yeah, that's correct, they all have some timing, but they're missing enough for you to be able to perform the attack in all the cases I've seen.
Yes, yes, no, I know, yes. I mean, it's all the vehicles, you know; they all use some of the same chipsets from the same companies, so it's the same attack. Yeah, yeah, absolutely, you know. I mean, I feel like this is, I think we were talking about it before, like this was the web 10 years ago. 10 or 15 years ago everything had XSS, everything had SQLi, everything had RFI; now it's just that most things have much more hardware and radio. Security? I hope so, yes. I suspect so. That was different, it was someone else, yeah, yeah. What security people? No, seriously, I don't think they have security people, I think it's something new, right? Yeah. Le Scag? Oh, interesting, wow, I didn't know that.
That's great, awesome, yeah, yeah, okay, thank you all so much.
