I believe that when people are new to hacking RF lock systems, one of the most common questions they ask is which tools they will need. Usually I would say a HackRF is a must-have tool. Up until recently, though, the Flipper Zero has become one of the most popular gadgets among RF hackers. To be honest, the first time I heard about the Flipper Zero I was not that impressed. I already owned a bunch of wireless hacking tools, such as the Proxmark3, YARD Stick One and HackRF with PortaPack. Why should we get another toy that provides similar functions? Soon I learned that I was wrong about it. For instance, beyond its rich wireless capability, the Flipper Zero also supports extendable external modules through its GPIO ports. This feature turns the Flipper Zero into a LEGO set for hackers ;)
(After a two-hour wait in the queue, I finally got one at DEFCON31)
This article documents a beginner's journey into RF lock system hacking, performing lock attacks with the Flipper Zero and other RF hacking tools. I hope each case study will help people get a better idea of what they would need for hacking RF locks.
0x01. SIGNAL JAMMING
One of the easiest yet most effective RF attack techniques is called signal jamming. The attacker constantly sends a noise signal on the same frequency channel as the target, hoping to drown out the original signal through interference. Jamming essentially disrupts communication between two or more devices by shouting louder. It does not matter what you shout, as long as the others cannot hear each other.
Jamming attacks against car locks are also one of thieves' favorites. Criminals use hidden jamming equipment to prevent car owners from locking their cars. Once car owners leave, they can easily open the car door and steal the belongings left inside the car. Although signal jamming is not a new concept, it continues to grow in popularity among criminals, as the technology used becomes more sophisticated and easily accessible.
Although the Flipper Zero comes with certain regional and frequency restrictions, installing a custom firmware (Xtreme) bypasses this limit. This makes the Flipper Zero perfect for experimenting with the jamming attack.
(Source from @McSHUR1KEN)
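From the receiver's side, the distinguishing feature of jamming is duration: a legitimate keyfob keys its transmitter for only tens of milliseconds per press, while a jammer holds the channel continuously. The following detector, an added example that is not part of the original post, runs that heuristic over a constructed series of RSSI readings on a single channel; the sample period, the 20 dB margin over the noise floor and the 200 ms burst limit are assumed values, not figures from the post or from any particular product.

```python
"""Jamming detector over RSSI samples (constructed example, not from the post)."""
from statistics import median

# Constructed sample: RSSI in dBm sampled every 10 ms on one sub-GHz channel.
# Pattern: a quiet noise floor, a short legitimate keyfob burst (50 ms),
# quiet again, then a continuous carrier lasting 600 ms (the jamming pattern).
SAMPLE_PERIOD_S = 0.010
CONSTRUCTED_RSSI = (
    [-105, -104, -106, -105, -104, -105, -106, -105, -104, -105]  # quiet
    + [-60, -58, -59, -60, -59]                                   # keyfob burst, 50 ms
    + [-105, -104, -105, -106, -105]                              # quiet again
    + [-70] * 60                                                  # 600 ms continuous carrier
    + [-105, -104, -105]                                          # quiet
)


def noise_floor(samples, quiet_count=10):
    """Estimate the channel noise floor as the median of the first quiet samples."""
    return median(samples[:quiet_count])


def find_busy_intervals(samples, threshold_dbm):
    """Return (start_idx, end_idx) for every run of samples above the threshold."""
    intervals = []
    start = None
    for i, rssi in enumerate(samples):
        if rssi > threshold_dbm and start is None:
            start = i
        elif rssi <= threshold_dbm and start is not None:
            intervals.append((start, i))
            start = None
    if start is not None:
        intervals.append((start, len(samples)))
    return intervals


def detect_jamming(samples, margin_db=20, max_burst_s=0.2, period_s=SAMPLE_PERIOD_S):
    """Flag every busy interval longer than a legitimate keyfob burst.

    Returns a list of (start_seconds, duration_seconds) for each suspected
    jamming interval. Short bursts (normal remote presses) are ignored.
    """
    threshold = noise_floor(samples) + margin_db
    alerts = []
    for start, end in find_busy_intervals(samples, threshold):
        duration = (end - start) * period_s
        if duration > max_burst_s:
            alerts.append((round(start * period_s, 3), round(duration, 3)))
    return alerts


if __name__ == "__main__":
    print("noise floor:", noise_floor(CONSTRUCTED_RSSI), "dBm")
    print("busy intervals:", find_busy_intervals(CONSTRUCTED_RSSI, -85))
    print("jamming alerts (start s, duration s):", detect_jamming(CONSTRUCTED_RSSI))
```

On the constructed input the 50 ms keyfob press is reported as busy but not as jamming, while the 600 ms carrier is flagged. A real receiver would feed this from its radio's RSSI register and could raise an alarm (or refuse to report "locked") when the channel is held for longer than any legitimate frame.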
0x02. SIGNAL REPLAY BLINDLY
Of course, it would be cooler if we could control the target. The replay attack is one of the oldest tricks in the book, and it can achieve exactly that. Most RF lock systems operate in the 315 MHz or 433 MHz range, and some of them still use a fixed-code mechanism, meaning we can just leave the capture device near the target and wait patiently. If we are lucky enough, we will be able to catch the unlock signal for a later replay. This is a lot like fishing, but the reward is an unlock signal instead. Below is a video demonstration of the replay attack with a HackRF. As you can see, it works like a charm.
Interestingly, Tesla's charging port still uses a fixed-code mechanism. People can download the pre-recorded Tesla charge port files to the Flipper Zero and mess with other Tesla owners, without knowing what is really going on behind the scenes.
(Source from @takeapart)
0x03. SIGNAL REPLAY ANALYZE
Blindly replaying the signal is not going to satisfy a hacker for long. Unlike the jamming attack, if we want to get to know our target better we need to find out its operating frequency, encoding method, chip model, and so on. For example, we can learn the operating frequency by using the Frequency Analyzer application provided by the Flipper Zero.
(Source from a good amigo)
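The basic idea behind any frequency analyzer is to look for the strongest spectral peak in the band and translate it back to an absolute frequency. The following pure-Python example, added here and not taken from the post or from the Flipper firmware, does that with a naive DFT over a constructed IQ capture: a 1 MHz sample rate, a tuner centered at 433.5 MHz, and one strong carrier plus a weaker one so that the peak pick is not trivial. The sample rate, center frequency and signal frequencies are all assumed values for the demonstration; the Flipper's own analyzer works differently under the hood (it scans with the radio's RSSI), but the concept of locating the peak is the same.

```python
"""Locate a carrier in an IQ capture by DFT peak (constructed example, not from the post)."""
import cmath
import math

SAMPLE_RATE_HZ = 1_000_000      # assumed SDR sample rate
CENTER_HZ = 433_500_000         # assumed tuner center frequency
N = 256                         # samples per analysis window


def make_capture(carrier_hz, other_hz=None, n=N, fs=SAMPLE_RATE_HZ, center=CENTER_HZ):
    """Constructed complex baseband capture: one carrier, optionally a weaker second one.

    In IQ data a signal at absolute frequency f appears at offset (f - center),
    which may be negative (below the tuner center).
    """
    samples = []
    for i in range(n):
        x = cmath.exp(2j * math.pi * (carrier_hz - center) * i / fs)
        if other_hz is not None:
            x += 0.3 * cmath.exp(2j * math.pi * (other_hz - center) * i / fs)
        samples.append(x)
    return samples


def dft_magnitudes(samples):
    """Naive O(n^2) DFT; fine for a 256-sample window, use numpy.fft for real work."""
    n = len(samples)
    mags = []
    for k in range(n):
        acc = 0j
        for i, x in enumerate(samples):
            acc += x * cmath.exp(-2j * math.pi * k * i / n)
        mags.append(abs(acc))
    return mags


def bin_to_offset_hz(k, n=N, fs=SAMPLE_RATE_HZ):
    """Map a DFT bin to a baseband offset; bins above n/2 are negative offsets."""
    if k > n // 2:
        k -= n
    return k * fs / n


def find_carrier(samples, center=CENTER_HZ, fs=SAMPLE_RATE_HZ):
    """Return the absolute frequency of the strongest peak in the capture."""
    mags = dft_magnitudes(samples)
    peak_bin = max(range(len(mags)), key=mags.__getitem__)
    return center + bin_to_offset_hz(peak_bin, len(samples), fs)


if __name__ == "__main__":
    # Carriers placed exactly on DFT bins (bin width = 1 MHz / 256 = 3906.25 Hz)
    strong = CENTER_HZ + 107 * SAMPLE_RATE_HZ / N     # 433 917 968.75 Hz
    weak = CENTER_HZ - 50 * SAMPLE_RATE_HZ / N        # 433 304 687.5 Hz
    capture = make_capture(strong, other_hz=weak)
    print("detected carrier: %.2f MHz" % (find_carrier(capture) / 1e6))
```

The resolution of this approach is one bin, 1 MHz / 256 here, so a longer window (or a finer scan) is needed to tell neighbouring channels apart; the negative-bin mapping in bin_to_offset_hz is the detail most often gotten wrong when people first read IQ spectra.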
0x04. SIGNAL REPLAY
Have you ever wondered whether those fixed-code lock systems are brute-forceable? Here is an interesting lock: it comes with 8 DIP switches on both the lock and the keyfob side, and each switch can be set up, center or down to produce a different combination.
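The reason a fixed-code lock is exposed to both the replay attack of the previous sections and the brute-force question above is that the receiver has no way to tell a fresh press from an old one, and its whole code space is whatever the DIP bank can express. The following simulation is an added example, not code from the post or from any lock vendor: a toy fixed-code receiver beside a toy rolling-code receiver (counter plus a short HMAC tag over a shared key, a simplification of what real rolling-code chips do with a block cipher), fed the same captured frame twice. The shared key, the 4-byte tag and the 16-press resynchronisation window are assumptions of the demonstration.

```python
"""Fixed-code vs rolling-code receiver behaviour under replay (constructed example)."""
import hashlib
import hmac

DIP_POSITIONS = ("up", "center", "down")


def dip_keyspace(num_switches=8, positions=len(DIP_POSITIONS)):
    """Number of distinct codes a tri-state DIP bank can express (3**8 == 6561)."""
    return positions ** num_switches


class FixedCodeReceiver:
    """Accepts any frame equal to the configured DIP code, forever."""

    def __init__(self, code):
        self.code = code

    def accept(self, frame):
        return frame == self.code


def _tag(key, counter):
    """Toy authentication tag: truncated HMAC over the press counter."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class RollingCodeFob:
    """Each press advances the counter and tags it with the shared key."""

    def __init__(self, key, counter=0):
        self.key = key
        self.counter = counter

    def press(self):
        self.counter += 1
        return (self.counter, _tag(self.key, self.counter))


class RollingCodeReceiver:
    """Accepts a frame only if the tag checks and the counter moved forward."""

    def __init__(self, key, window=16):
        self.key = key
        self.window = window
        self.last_counter = 0

    def accept(self, frame):
        counter, tag = frame
        if not hmac.compare_digest(tag, _tag(self.key, counter)):
            return False                       # wrong key or corrupted frame
        if not (self.last_counter < counter <= self.last_counter + self.window):
            return False                       # replayed (stale) or too far ahead
        self.last_counter = counter
        return True


def replay_demo():
    """Replay one captured frame against both receiver types; return the outcomes."""
    fixed_code = ("up", "down", "center", "up", "up", "down", "center", "center")
    fixed_rx = FixedCodeReceiver(fixed_code)
    captured_fixed = fixed_code                # what a sniffer sees on the air
    fixed_first = fixed_rx.accept(captured_fixed)
    fixed_replay = fixed_rx.accept(captured_fixed)

    key = b"constructed-demo-key"              # assumed shared secret
    fob = RollingCodeFob(key)
    rolling_rx = RollingCodeReceiver(key)
    captured_rolling = fob.press()
    rolling_first = rolling_rx.accept(captured_rolling)
    rolling_replay = rolling_rx.accept(captured_rolling)
    rolling_next = rolling_rx.accept(fob.press())   # a fresh press still works

    return {
        "fixed_first": fixed_first,
        "fixed_replay": fixed_replay,
        "rolling_first": rolling_first,
        "rolling_replay": rolling_replay,
        "rolling_next_press": rolling_next,
    }


if __name__ == "__main__":
    print("tri-state 8-switch DIP keyspace:", dip_keyspace())
    for name, ok in replay_demo().items():
        print("%-20s %s" % (name, "ACCEPTED" if ok else "rejected"))
```

The fixed-code receiver accepts the replayed frame exactly as it accepted the original, and its entire keyspace is 6561 codes; the rolling-code receiver accepts the first press, rejects the identical frame a second time because the counter did not advance, and still accepts the fob's next genuine press. That counter check, not the radio layer, is the mitigation against everything in this article so far.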
In this article, we have looked at the common methods of RF lock hacking. In Part 2, we are going to look at more advanced and interesting RF lock hacking techniques. Stay tuned.