Breaking RF Unlock Codes - Presented at TriKC 0x01 (November 2014)

Attacking the rolling code cryptography used in remote entry systems to unlock cars


  1. Breaking RF Unlock Codes
       • They said it couldn’t be done
  2. Bryan C. Geraghty
       • @archwisp
       • Security Consultant, Security PS
  3. Over the next 15 minutes…
       • My Goal
       • My Prior Knowledge
       • The Target
       • Attack Hardware
       • Attack Software
       • Signal Analysis
       • Cracking
       • LIVE DEMO
       • What’s Next?
  4. The Goal
       • Unlock a car by forging a radio frequency signal
       • A jamming & replay attack has already been published
       • I will not be talking about that
       • This attack exploits the predictability of unlock codes
       • This is not a man-in-the-middle attack
       • I have not found any published research on this
  5. Disclaimer
       • I have not completely broken the codes… yet
       • I will not be releasing any of my code… yet
       • I will not be disclosing car models… yet
  6. Prior Knowledge
       • Before starting on this project, I had done:
       • A lot of programming
       • No work with RF whatsoever
       • Some cryptanalysis
       • A little bit of research on RF signal analysis
       • I submitted my proposal for this project in June 2014
  7. The Target
       • Most modern vehicles can be unlocked with a key fob
       • Sends a code that unlocks the car
       • Rolling code system mitigates replay attacks
  8. Attack Hardware
       • Software Defined Radio Receiver
       • RTL2832 w/R820T
       • Adafruit - $22.50
       • RF Link Transmitter - 315MHz
       • WRL-10535
       • Sparkfun - $3.95
       • Total: $26.45
  9. Attack Hardware (Alternate)
       • HackRF One
       • SDR Transceiver
       • SparkFun - $299.95
  10. Attack Software
       • SDRSharp
       • SDR Tuner
       • Capture data
       • FREE!
       • Custom Code
       • Frame Dumper
       • Demodulator
       • Encoder
       • Signal Generator
       • TIME!
  11. Signal Analysis
       • Find and capture the signal
  12. Signal Analysis
       • Yay! I captured some funny sounds! Now what?
  13. Signal Analysis
       • Dump MSB from one channel of WAV frame data
  14. Signal Analysis
       • Identify threshold value for binary conversion
       • Threshold: If the hex value is greater than 32, it gets converted to a 1. Otherwise, it gets converted to a 0.
  15. Signal Analysis
       • Pulse-width demodulate the binary data
       • Another Threshold: If the pulse is longer than 28 bits, it gets converted to a 1. Otherwise, it gets converted to a 0.
  16. Signal Analysis
       • Hex encode the binary data for analysis
  17. Signal Analysis
       • Capture samples!
  18. Signal Analysis
       • Analyze the samples
  19. Cracking
       • I identified a bunch of patterns
       • I wrote some code to:
       • Identify more patterns
       • Generate signals using these patterns
       • Compare them to sample signals
       • I’ve gotten very close
       • Let’s see how close…
  20. LIVE DEMO
       • Let’s hope this works…
  21. Just in case the demo didn’t work…
  22. What’s Next?
       • Keep trying!
       • Find a PRF cracking expert
       • Collect hardware not attached to cars
       • Collect samples from more vehicles
       • Remote Start!
  23. Thank you
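
The analysis pipeline on slides 13 to 16 (MSB dump, sample threshold, pulse-width demodulation, hex encoding), sketched as an added example; this is not the speaker's code, which the slides say was not released. Assumptions: the slide's "32" is read as hexadecimal, the high byte is treated as signed, high runs shorter than `MIN_PULSE` are discarded as noise, and all function names and the test capture are constructed for illustration.

```python
import io
import struct
import wave

SAMPLE_THRESHOLD = 0x32  # assumption: the slide's "32" read as hexadecimal
PULSE_THRESHOLD = 28     # slide 15: pulses longer than 28 samples become a 1
MIN_PULSE = 4            # assumption: shorter high runs are treated as noise

def msb_of_channel(wav_bytes, channel=0):
    """Signed most significant byte of each 16-bit sample on one channel."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("expected 16-bit PCM")
        nch, frames = w.getnchannels(), w.readframes(w.getnframes())
    samples = struct.unpack("<%dh" % (len(frames) // 2), frames)
    return [s >> 8 for s in samples[channel::nch]]

def pulse_width_demodulate(bits, long_pulse=PULSE_THRESHOLD, min_pulse=MIN_PULSE):
    """Emit one symbol per run of high samples: long run -> 1, short run -> 0."""
    symbols, run = [], 0
    for b in list(bits) + [0]:  # trailing 0 flushes a pulse at end of capture
        if b:
            run += 1
        else:
            if run >= min_pulse:
                symbols.append(1 if run > long_pulse else 0)
            run = 0
    return symbols

def hex_encode(symbols):
    """Pack symbols MSB-first into bytes (last byte zero-padded), as hex."""
    padded = symbols + [0] * (-len(symbols) % 8)
    packed = (int("".join(map(str, padded[i:i + 8])), 2) for i in range(0, len(padded), 8))
    return bytes(packed).hex()

def decode(wav_bytes, threshold=SAMPLE_THRESHOLD):
    # slide 14: each MSB above the threshold becomes a 1, otherwise a 0
    bits = [1 if v > threshold else 0 for v in msb_of_channel(wav_bytes)]
    return hex_encode(pulse_width_demodulate(bits))

def constructed_capture(symbols):
    """Constructed input, not a real capture: mono 16-bit WAV, 40/15-sample pulses."""
    samples = [v for s in symbols for v in [0x4000] * (40 if s else 15) + [0x0100] * 20]
    samples += [0x4000] * 2 + [0x0100] * 20  # 2-sample glitch, should be dropped
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams((1, 2, 48000, 0, "NONE", "not compressed"))
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()
```

Without the minimum-pulse filter, the two-sample glitch at the end of the constructed capture would decode as an extra 0 symbol and shift every later byte boundary.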
