0x00. INTRODUCTION
Previously, in part 1, we looked at some common methods for hacking fixed-code
RF locks, such as signal jamming, replay and brute-force attacks. In part 2, we
are going to look at more advanced techniques for attacking the rolling codes of
RF locks. This series of articles serves as a beginner's RF lock hacking
journey, performing lock hacking with Flipper-Zero and other RF hacking tools.
I hope each case study will help people get a better idea of what they would
need for hacking RF locks.
0x01. PROPRIETARY ENCRYPTION
In part 1 we mainly targeted RF locks that rely on fixed codes. Fixed-code locks are vulnerable to replay attacks by design. One solution to prevent replay attacks is to implement a so-called rolling-code mechanism: for example, the keyfob and the car are synchronized with the same rolling-code algorithm. Since the code changes with each use, we cannot predict the next rolling code in the sequence. The car will not accept the command unless the rolling code is valid, so a simple replay attack will not work.
When it comes to designing a secure cryptosystem, people always say we should
never use untested proprietary encryption algorithms in our products. However,
there are always some "smart" people trying to challenge this statement. Let's
take this commercial RF remote control lock as an example. What makes it very
eye-catching are the advertising terms, such as the claim that the lock uses a
"US military grade rolling code" chip. What could possibly go wrong then?
As you can see in the demo video below, we only need to capture the unlocking
command once and then replay it repeatedly until the lock is finally unlocked.
In addition, Flipper-Zero can add some well-known keyfob protocols manually.
Take LiftMaster_315 as an example. It implements a rolling-code mechanism.
However, as you can see in the pictures below, the counter value is
predictable, and so is the key. Therefore, it is very easy to capture and then
spoof an unlock command against such a system.
0x02. ROLLJAM ATTACK
Fortunately, most car manufacturers do not use such naive designs for their car
door locks. They prefer to use their own proprietary encryption algorithms
instead. The picture below shows a 2014 Jetta keyfob. Since Volkswagen keeps
the algorithm secret, Flipper-Zero is not able to recognize it.
URH (Universal Radio Hacker) comes with a comparison function that can be used
to compare and analyze the rolling-code parts of different commands.
As you can see in the demo video below, since modern cars have implemented
proprietary rolling-code mechanisms, we can only replay the unlock command
once.
Years ago, security researcher Samy Kamkar came up with an idea that can
manipulate certain rolling-code systems. He called it the RollJam attack. How
RollJam works is well explained in the slides below. The RollJam attack works
by jamming the target radio signal at a slightly offset frequency while, at the
same time, recording the keyfob's signal with a tight receiver filter
bandwidth. Since the first unlock signal is blocked, the car door will not
unlock and the car owner will likely try again. The attacker again records and
blocks the second signal, but this time also replays the first code to unlock
the car door.
0x03. ROLLING-PWN
In 2021, I found a very interesting yet scary car lock vulnerability, which
affected all Honda vehicles currently on the market globally, from model year
2012 up to 2023. All Honda vehicles allow a replay of already expired commands
in a consecutive sequence to unlock the car door permanently.
CVE-2021-46145 has been assigned to this bug, and I have written an article
dedicated to it (https://rollingpwn.github.io/rolling-pwn). Special thanks to
researcher Rob Stumpf, who helped us verify the bug with his own 2021 Honda
Accord in the US.
Moreover, Honda officially acknowledged the bug. However, Honda concluded that
this is a low risk to customers, and that Honda regularly improves security
features as new models are introduced, which would thwart this and similar
approaches. Fingers crossed.
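To make the RollJam and Rolling-PWN behaviour described above concrete, here is an added Python model of a rolling-code receiver (not the author's code, and not any vendor's real logic; the window size and the two-consecutive-codes resync rule are assumptions). It shows why a plain replay fails, why a code the car never received stays valid, and how a resync that lets the counter move backwards reopens expired codes while a strict receiver refuses it.

```python
# Added example, not the article's code: a simplified model of a rolling-code
# receiver, used to reason about what it must reject. The window size and the
# two-consecutive-codes resync rule are assumptions for the model, not any
# vendor's real values or logic.
WINDOW = 16  # counters accepted ahead of the stored one without a resync


class Receiver:
    def __init__(self, counter=0, strict_resync=True):
        self.counter = counter          # last accepted keyfob counter
        self.pending = None             # first code of a resync pair
        self.strict_resync = strict_resync

    def receive(self, ctr):
        """Return True if the command is accepted (door unlocks)."""
        if self.counter < ctr <= self.counter + WINDOW:
            self.counter = ctr          # normal case: inside the window
            self.pending = None
            return True
        # Outside the window: two consecutive counters are needed to resync.
        if self.pending is not None and ctr == self.pending + 1:
            self.pending = None
            if self.strict_resync and ctr <= self.counter:
                return False            # hardened: the counter never goes back
            self.counter = ctr          # weak: resync even to an expired value
            return True
        self.pending = ctr
        return False


def scenario_replay():
    """A plain replay of an already-used code is rejected."""
    car = Receiver(counter=100)
    return car.receive(101), car.receive(101)        # (True, False)


def scenario_rolljam():
    """RollJam: a code the car never heard is still inside the window, so the
    owner's first (jammed) code unlocks when replayed, and so does the next."""
    car = Receiver(counter=100)
    press_1_replayed = car.receive(101)              # True
    press_2_replayed = car.receive(102)              # True, still valid
    return press_1_replayed, press_2_replayed


def scenario_resync(strict):
    """Rolling-PWN style: two consecutive but long-expired codes. Only the
    weak receiver accepts them and rewinds its counter."""
    car = Receiver(counter=5000, strict_resync=strict)
    car.receive(1000)
    return car.receive(1001), car.counter
```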
0x04. KEELOQ DECRYPTION
In the world of crypto, there is the well-known Kerckhoffs's principle: a
cryptosystem should be secure even if the attacker knows all the details of the
system except the secret key. However, have you ever wondered what happens if
that secret key leaks from the manufacturer, or if a default manufacturer key
from the datasheet is used in the final products? These kinds of incidents are
not uncommon; remember the MIFARE Crypto-1 default key hacks, anyone? Let's
take a widely used rolling-code algorithm called KeeLoq as an example.
KeeLoq is a proprietary cipher owned by Microchip. It is widely used in keyfob systems by car companies such as Honda, Toyota, Volvo, the Volkswagen Group and so on. If we find an HCS200 or HCS300 series chip inside the keyfob, we are facing a KeeLoq-based system. In March 2008, researchers from Ruhr University Bochum broke KeeLoq-based systems with side-channel analysis. By measuring the power consumption of a device during encryption, the researchers could extract the manufacturer key from both receivers and remote controls.
We can use the simulator to demonstrate this in practice. Here we set the
manufacturer's secret key to 0123456789ABCDEF, the serial number to 4141410,
and the counter to start from 2600.
The 32-bit rolling code contains key information, such as the counter, to
prevent replay attacks.
As mentioned earlier, if the default manufacturer key has been used, we can
decrypt the 32-bit rolling codes with the program. You can see the rolling code
counter incrementing in sequence in the decrypted messages, which matches the
starting value of 2600 we set earlier.
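The decryption step above, written out as an added example with the article's parameters (this is not the author's simulator): the publicly documented KeeLoq cipher, the HCS301-style hopping-code layout, and the discrimination check a receiver uses to reject codes decrypted with the wrong key. It assumes simple learning (device key equal to the manufacturer key), reads the serial number as hex, and uses a constructed button code.

```python
# Added example, not the article's simulator: the public KeeLoq cipher run on
# the article's values, showing what a receiver holding the key recovers from a
# 32-bit hopping code. Assumed: simple learning, hex serial, button code 0b0010.
NLF = 0x3A5C742E        # KeeLoq non-linear function (32-entry bit table)
MASK32 = 0xFFFFFFFF
MFR_KEY = 0x0123456789ABCDEF   # manufacturer key from the article
SERIAL = 0x4141410             # serial number from the article (assumed hex)

def _bit(x, n):
    return (x >> n) & 1

def keeloq_encrypt(block, key):
    x = block & MASK32
    for r in range(528):
        nlf = _bit(NLF, _bit(x, 1) | _bit(x, 9) << 1 | _bit(x, 20) << 2
                   | _bit(x, 26) << 3 | _bit(x, 31) << 4)
        fb = _bit(x, 0) ^ _bit(x, 16) ^ _bit(key, r % 64) ^ nlf
        x = (x >> 1) | (fb << 31)
    return x

def keeloq_decrypt(block, key):
    x = block & MASK32
    for r in range(528):           # undo the rounds in reverse key order
        nlf = _bit(NLF, _bit(x, 0) | _bit(x, 8) << 1 | _bit(x, 19) << 2
                   | _bit(x, 25) << 3 | _bit(x, 30) << 4)
        fb = _bit(x, 31) ^ _bit(x, 15) ^ _bit(key, (15 - r) % 64) ^ nlf
        x = ((x << 1) & MASK32) | fb
    return x

# HCS301-style plaintext layout: bits 0-15 sync counter, 16-25 discrimination
# (low 10 bits of the serial), 26-27 overflow, 28-31 button status.
def pack_hopping(counter, serial, buttons, overflow=0):
    return ((buttons & 0xF) << 28 | (overflow & 0x3) << 26
            | (serial & 0x3FF) << 16 | (counter & 0xFFFF))

def unpack_hopping(plain):
    return {"counter": plain & 0xFFFF, "disc": (plain >> 16) & 0x3FF,
            "overflow": (plain >> 26) & 0x3, "buttons": plain >> 28}

def receiver_decode(hop, key=MFR_KEY, serial=SERIAL):
    """Decrypt one hopping code; a receiver rejects it unless the
    discrimination bits match the serial (a wrong key fails this check)."""
    fields = unpack_hopping(keeloq_decrypt(hop, key))
    return fields if fields["disc"] == (serial & 0x3FF) else None

def demo():
    """Counters 2600..2602 as the keyfob would send them, then decoded."""
    hops = [keeloq_encrypt(pack_hopping(c, SERIAL, 0b0010), MFR_KEY)
            for c in range(2600, 2603)]
    return [receiver_decode(h)["counter"] for h in hops]   # [2600, 2601, 2602]
```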
In part 2, we have looked at some of the advanced techniques, such as RollJam,
Rolling-PWN and KeeLoq decryption. However, there are many other types of
encryption and rolling-code algorithms to play with. Stay tuned.
One of the best explanations I've read online about this subject. What about dev boards that can run Flipper clone OS?
See this video: https://youtu.be/zD0cTrAu4jc?si=K7_5kobJJYaLJnWE