
Grand theft-auto-digital-key-hacking


DEFCON26 talk slides -- Please find demo videos at my Youtube channel: https://www.youtube.com/user/ReverseKevin/videos

Published in: Devices & Hardware


  1. GRAND THEFT AUTO DIGITAL KEY HACKING @Kevin2600 @MonkeyKing
  2. Agenda:
     • Introduction -- Keyfobs 101
     • Structure & Functions -- Anmi-Key
     • Analysis & Attack vectors -- Anmi-Key
     • A0 -- Physical Access
     • A1 -- RF Jamming Attack
     • A2 -- Key-Sharing Analysis
     • A3 -- BTLE Sniffing & Decryption
  3. Introduction
  4. Car-Keyfobs
     • Mechanical Key Entry
     • Remote Key Entry (Infrared; Fixed; Rolling)
     • Passive Key Entry (Transponder RFID)
     • Digital Key Entry (Mobile phone as Key)
  5. New Trend?
  6. What has been hacked?
     • RKE KeeLoq algorithm cracked (2008)
     • Passive Keyless Entry keyfob relay attack (2012)
     • Gone in 60 seconds -- Hijacking with Hitag2 (2012)
     • Samy's Rolljam -- Drive it like you hacked it (2015)
     • BMW ConnectedDrive -- Telematics hacked (2015)
     • Mitsubishi Outlander WIFI hacked -- PenTestPartners (2016)
     • 14 vulnerabilities found in BMW connected cars -- KeenLab (2018)
  7. New trend, new hack - 2015
     • Dieter Spaar discovered a BMW ConnectedDrive flaw that allowed him to remotely open the vehicle's lock
     • Simulated a mobile network in a test environment with OpenBSC
     • After being triggered by a decrypted SMS message, the vehicle sent a simple HTTP GET request to the server in order to retrieve the unlock command
     http://tiny.cc/bmwconnectedrive
  8. New trend, new hack - 2016
     • Mitsubishi Outlander PHEV: top-selling hybrid SUV. Control of the car via a WiFi access point
     • Unique SSID (REMOTEnnaaaa), easy to locate on wigle.net. The Wi-Fi PSK is too short, so it can be cracked
     • The control protocols were reverse engineered: turn on/off air-conditioning, heating, lights and alarm!
     http://tiny.cc/pentestpartners-Outlander
  9. Structure & Functions -- Anmi
  10. Digital Car key -- Anmi
  11. Features:
     • Keyless Entrance System
     • Keyless Engine Start/Stop
     • Bluetooth Low Energy 4.0
     • Auto Lock/Unlock Function
     • Mobile as Key (Android; iPhone)
     • Remote Key Sharing (20 Users)
  12. Components
  13. Key-Pairing
  14. Car-Models
  15. Internal 1
  16. Internal 2
  17. Internal 3
     • BTLE-Module (CC2640) to communicate with the mobile APP over 2.4 GHz
     • RF-Module (NXP-61X0915) emits the unlock/lock command to the vehicle. The RF-module varies between car models
     • BTLE-Module (SYD8801) sensor. 2.4 GHz BTLE SoC, 32-bit ARM Cortex-M0. Functionality unknown?
  18. Mystery Sensor?
  19. Mystery Sensor?
  20. RF-Module Oscillator: 13.560 MHz. Math: 13.560 MHz / 8000 = 1695 Hz; 13.560 MHz * 32 = 433.92 MHz
  21. SDR-HackRF
  22. SDR-GQRX
  23. BTLE-Module
  24. BTLE-Interactive
  25. BTLE-HCI-log
  26. Mobile APP
  27. Mobile APP - Codes
  28. Mobile APP - Codes
  29. Mobile APP - MitMProxy
  30. Mobile APP - MitMProxy
  31. Mobile APP - Server: Say bye bye to your privacy ..
  32. Encryption?
  33. Super "Secure"?
  34. A0 -- Physical access
  35. Old School way
     • Anmi-Key, by request, is always left in the car
     • Break the glass by force. Get the Anmi-Key to unlock the door
     • Desolder the registered Anmi chip and the mechanical key and put them into a blank key
     • Or use a self-designed board to emit the unlock command to the vehicle through the RF-module
     • Start the engine and run away
  36. DEMO
  37. A1 -- RF Jamming
  38. RF-Jammer
  39. RF-Jammer
  40. Is Anmi-Key smart enough to avoid this?
  41. One-way communication ..
  42. DEMO
  43. What's Next: DRIVE IT LIKE YOU HACKED IT @SamyKamkar
  44. A2 -- Key-Sharing Analysis
  45. Features
  46. Analysis
  47. What could possibly go wrong?
  48. Key-Sharing-Wechat
  49. Key-Sharing-Wechat
  50. DEMO
  51. Let's cancel it then?
  52. DEMO
  53. Let's wait until it has expired?
  54. DEMO
  55. A3 -- BTLE Sniffing & Decryption
  56. Where is the "Secure" Encryption?
  57. BTLE -- Analysis
  58. BTLE -- Analysis
  59. BTLE -- Analysis
  60. BTLE -- 1st Attempt
  61. BTLE -- Login Steps
  62. Login -- Encryption
  63. BTLE -- Login Protocol
     • Fetch a random value from Anmi-Key (4 bytes)
     • Calculate EncryptionCode(Random Value; Secret Key)
     • Wrap it up to make an encrypted login packet
     • Send to Anmi-Key and log in (Status 0xAA)
  64. Login -- Encryption: only a 1-byte key is needed
     • Arg6 is a Dword random from the fetch-random step
     • SecretKey is a fixed random Dword number from device initialization
  65. Login -- Encryption: Login Packet layout. What we need is to decrypt only 1 byte -- what year is it now?
     +0  byte      channel 0xA1
     +1  short     len, fixed in 0301: 43 00
     +3  short     crc16
     +5  short     protocolver 0301
     +7  byte      usertype
     +8  uchar[16] password
     +24 uchar[16] enc_md5_username
     +40 uchar[16] enc_md5_imei
     +56 uchar[6]  enc_advertising_key // ascii
     +62 uchar[6]  enc_date // YYMMDDHHMMSS
     +68 uchar     enc_openrssi
     +69 uchar     enc_lockRssi
  66. Login -- Encryption: Recover "EncryptCode" with the fixed year data 0x12. Then you can get:
  67. Login -- Crafting Packets
  68. Login -- Crafting Packets: Error Code 0x66 ???
  69. Login -- Firmware Inspection: Flag[1] is set only when Anmi-Key is fully assembled
  70. Login -- Crafting Packets
  71. Login -- Sniffing Packets
  72. Login -- Sniffing Packets
  73. Login -- Encryption
     • 1 byte of encryption key
     • XOR as the super secure encryption algorithm
     • Easy to recover by sniffing the BTLE packets
  74. DEMO
  75. Report for CVE?
  76. Conclusion:
     • Security by obscurity!?
     • Don't trust the user input
     • New trends come with new hacks
     • Test the product properly before going on the market
  77. Question?
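The following is an added example, not code from the talk and not the vendor's firmware or app. It models the login packet layout from slides 63-66 and 73 with Python's struct module and shows, as a defender's sanity check, why a one-byte XOR "EncryptionCode" is recovered from a single captured packet whenever one plaintext byte (here the year byte of enc_date, 0x12) is predictable; beside it is a keyed-MAC challenge-response over the same 4-byte device random, the kind of construction that does not leak its key to a sniffer. The field offsets are the ones on slide 65; everything else is an assumption: which fields the XOR covers (taken as the enc_-prefixed ones, offsets 24-69), the derivation of the code from the random value and SecretKey, the zeroed CRC-16, the HMAC-SHA256 alternative, and all sample values.

```python
"""Added example (not from the slides or the vendor): model of the Anmi-Key
login packet described on slides 63-66 and 73, the known-plaintext weakness
of a 1-byte XOR 'EncryptionCode', and a keyed-MAC alternative."""
import hashlib
import hmac
import struct

# Slide 65 layout, little-endian, no padding: 70 bytes total.
LOGIN_FMT = "<BHHHB16s16s16s6s6sBB"
LOGIN_LEN = struct.calcsize(LOGIN_FMT)          # 70
ENC_START, ENC_END = 24, 70                     # assumed: the enc_-prefixed fields
DATE_OFF = 62                                   # +62 uchar[6] enc_date (YYMMDDHHMMSS)
FIELD_NAMES = ("channel", "len", "crc16", "protocolver", "usertype", "password",
               "md5_username", "md5_imei", "advertising_key", "date",
               "openrssi", "lockrssi")


def encryption_code(random_dword: int, secret_key: int) -> int:
    """Toy stand-in for EncryptionCode(Random, SecretKey). The slides only say
    the result is a single byte; this derivation is an assumption."""
    return (random_dword ^ secret_key) & 0xFF


def xor_bytes(data: bytes, key: int) -> bytes:
    """Slide 73's scheme: every byte XORed with the same one-byte key."""
    return bytes(b ^ key for b in data)


def build_login_packet(code: int, password: bytes, username: str, imei: str,
                       adv_key: bytes, date: bytes) -> bytes:
    """Assemble a packet in the slide-65 layout. CRC-16 is left zero because
    the slides do not give the polynomial (assumption)."""
    plain = struct.pack(
        LOGIN_FMT,
        0xA1, 0x0043, 0x0000, 0x0301, 0x01,     # channel, len, crc16, ver, usertype
        password.ljust(16, b"\0"),
        hashlib.md5(username.encode()).digest(),
        hashlib.md5(imei.encode()).digest(),
        adv_key.ljust(6, b"\0"),
        date, 0xC8, 0xB4)                        # constructed RSSI thresholds
    # password (+8) carries no enc_ prefix on the slide, so it stays in clear.
    return plain[:ENC_START] + xor_bytes(plain[ENC_START:ENC_END], code)


def recover_code_from_capture(packet: bytes, known_year: int = 0x12) -> int:
    """Slide 66: the year byte of enc_date is predictable (0x12 = 2018), so one
    sniffed packet gives the key as cipher_byte XOR known_plain_byte."""
    return packet[DATE_OFF] ^ known_year


def decrypt_login_packet(packet: bytes, code: int) -> dict:
    """Undo the XOR with a recovered code and unpack the named fields."""
    plain = packet[:ENC_START] + xor_bytes(packet[ENC_START:ENC_END], code)
    return dict(zip(FIELD_NAMES, struct.unpack(LOGIN_FMT, plain)))


# --- Keyed-MAC alternative (editor's suggestion, not the vendor's fix) ---

def hardened_login_tag(secret_key: bytes, device_nonce: bytes, payload: bytes) -> bytes:
    """Challenge-response: the 4-byte random from the key fob binds the tag to
    this session, and the tag reveals nothing about secret_key to a sniffer."""
    return hmac.new(secret_key, device_nonce + payload, hashlib.sha256).digest()


def hardened_verify(secret_key: bytes, device_nonce: bytes, payload: bytes,
                    tag: bytes) -> bool:
    expected = hardened_login_tag(secret_key, device_nonce, payload)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    # Constructed sample values (not from the talk).
    random_dword, secret_key = 0x1A2B3C4D, 0xDEADBEEF
    code = encryption_code(random_dword, secret_key)
    date = bytes([0x12, 0x08, 0x09, 0x0A, 0x1E, 0x05])   # 2018-08-09 10:30:05
    pkt = build_login_packet(code, b"123456", "alice", "123456789012345",
                             b"ABCDEF", date)
    recovered = recover_code_from_capture(pkt)
    print(f"code used: {code:#04x}, recovered from one packet: {recovered:#04x}")
    print("date field:", decrypt_login_packet(pkt, recovered)["date"].hex())

    k = b"\x00" * 32                                     # placeholder key
    nonce = random_dword.to_bytes(4, "little")
    tag = hardened_login_tag(k, nonce, pkt[:ENC_START])
    print("MAC verifies:", hardened_verify(k, nonce, pkt[:ENC_START], tag))
    print("replay with other nonce:", hardened_verify(k, b"\0\0\0\0", pkt[:ENC_START], tag))
```

The point of the side-by-side is the test a reviewer should have applied before shipping: if any byte of the protected region has a value the attacker can predict (a year, a fixed protocol version, a known username hash), a single-byte XOR leaks the whole key from one capture, whereas a MAC keyed on a per-session random gives the sniffer nothing reusable.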
