Difference between revisions of "SDR-RelayAttacks"

From Embedded Lab Vienna for IoT & Security
Revision as of 18:59, 12 July 2022

Introduction

We want to simulate a keyless car hacking situation, that is, interfere with the connection between a car and its key during the opening process. The key question is: how does a Passive Keyless Entry (PKE) system work? PKE is an electronic locking system mainly used for entering cars without needing a physical key. The locking system uses passive components (keys) which are activated by the car. The car constantly transmits its recognition signal; the range is about 1.5-3 meters. One of the most used systems is the so-called “keyless entry system”: the car's surroundings are flooded with periodic low-frequency (LF) signals at about 130 kHz. If the right key is in this zone, its chip reacts to those LF signals and transmits an ID using ASK/FSK-modulated signals.

Therefore, we have two possibilities:

1. The car sends an LF signal with some kind of “wake-up signal”.

  a. The car sends permanent wake-up signals.
  b. If a “keyless entry key” is nearby, an “Acknowledgement” is transmitted to the car.
  c. If the key and car fit together, an ID check starts.
  d. The car sends an ID to the key; if it fits, the key transmits the right key code. If the key code fits the one of the car, the car opens.

2. The car sends an LF signal with a car ID.

  a. Periodically an LF signal is transmitted by the car.
  b. If a “keyless entry key” is nearby and the ID fits the car's, the key transmits the right “key code”. If the key code fits, the car opens.
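The two exchange variants above, as an added example that is not part of the original wiki page: a message-level model of car and key (no radio layer), in which the key stays silent for a foreign car ID and the car unlocks only on a matching key code. All IDs, key codes and message names are constructed placeholders; the Relay class is a transparent forwarder showing that the ID and key-code checks see exactly the same messages whether the key is next to the car or reached through a forwarder, which is why these checks alone cannot tell the two apart.

```python
# Added example, not from the original wiki page: a minimal model of the two
# PKE exchange variants (message logic only). All values are constructed.
CAR_ID = "CAR-0001"      # constructed placeholder
KEY_CODE = "KEY-4711"    # constructed placeholder

class Key:
    """Passive fob: answers LF messages from its own car, else stays silent."""
    def __init__(self, car_id, key_code):
        self.car_id, self.key_code = car_id, key_code
    def receive_lf(self, msg):
        if msg["type"] == "WAKEUP":            # variant 1, steps a-b
            return {"type": "ACK"}
        if msg["type"] == "ID_CHECK" and msg["car_id"] == self.car_id:
            return {"type": "KEY_CODE", "code": self.key_code}   # step 1d / 2b
        return None                            # wrong car or unknown message

class Relay:
    """Transparent forwarder: passes LF and RF messages through unchanged."""
    def __init__(self, far_key):
        self.far_key = far_key
    def receive_lf(self, msg):
        return self.far_key.receive_lf(msg)

class Car:
    """Car side: sends LF messages, unlocks only on the matching key code."""
    def __init__(self, car_id, key_code):
        self.car_id, self.key_code = car_id, key_code
    def _accept(self, reply):
        return (reply is not None and reply["type"] == "KEY_CODE"
                and reply["code"] == self.key_code)
    def unlock_with_wakeup(self, key):
        """Variant 1: wake-up, ACK, ID check, key code."""
        ack = key.receive_lf({"type": "WAKEUP"})
        if ack is None or ack["type"] != "ACK":
            return False                       # no fob in the LF zone
        return self._accept(key.receive_lf({"type": "ID_CHECK", "car_id": self.car_id}))
    def unlock_with_id_broadcast(self, key):
        """Variant 2: the periodic LF beacon already carries the car ID."""
        return self._accept(key.receive_lf({"type": "ID_CHECK", "car_id": self.car_id}))

def demo():
    car, own = Car(CAR_ID, KEY_CODE), Key(CAR_ID, KEY_CODE)
    other = Key("CAR-9999", "KEY-0000")        # constructed: fob of another car
    return (car.unlock_with_wakeup(own), car.unlock_with_id_broadcast(own),
            car.unlock_with_wakeup(other), car.unlock_with_id_broadcast(other),
            car.unlock_with_wakeup(Relay(own)))  # forwarded fob passes both checks
```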

Summary

This documentation is about SDR (Software Defined Radio) and relay attacks. It will give you a better understanding of these terms and of how some IoT devices can be attacked with SDR relay attacks. It also provides detailed information about the devices we used, their setup and other requirements.

Requirements

Software

  • Computer with native Kali Linux installed.
  • License for PandwaRF.
  • PandwaRF app for Android (must be a device with the latest Android version installed).

Description

Pentesting with PandwaRF

Step 1

  1. Install the application on your Android phone.
  2. Open the device.
  3. Install the antennas (never use an SDR device without antennas).
  4. Connect the PandwaRF via USB-C to your phone.
  5. Open the application.


Step 2

  1. The device should have connected to your application. If not, connect it manually in the search tab.
  2. After the device has connected, you can use the spectrum analyser to analyse the frequency the device captures. To get your desired signal, you need to choose its frequency.
  3. In the Rx/Tx tab you can scan the signal you are trying to capture. It is even possible to auto-detect a signal that is being sent. The PandwaRF gives you the captured signal in hex or in binary, which you can analyse afterwards.
  4. In order to transmit a captured signal, you need to buy a "Kaiju License". Kaiju is an online tool with which you can analyse rolling codes and generate them. Kaiju is mainly used to attack systems that use rolling codes.

Pentesting with HackRF one

Step 1

  1. Set up a laptop with native Kali Linux.
  2. If you want dual boot on your local machine, use these instructions:
  • Dual boot on a Windows machine
  1. You need a USB stick with at least 8 GB of storage.
  2. Download the Kali image from the official website https://www.kali.org/docs/development/live-build-a-custom-kali-iso/
  3. Download e.g. Etcher to flash the image onto the USB stick and make it bootable https://www.balena.io/etcher/
  4. On the computer, enter the BIOS and change the BIOS mode to Legacy instead of Secure Boot (if Secure Boot is enabled); Secure Boot prevents booting from an external device. Then change the BIOS boot priority to “USB” first.
  5. For further information follow the instructions on the official website https://www.kali.org/docs/usb/live-usb-install-with-linux/

Step 2

  • Driver installation for HackRF One
  1. Download Zadig https://zadig.akeo.ie/
  2. Only compatible with Windows.
  • Set up HackRF on Linux
  1. sudo apt-get update
  2. sudo apt-get -y install hackrf

Download Universal Radio Hacker on a Linux machine

  • First method
  1. sudo python3 -m pip install --upgrade pip
  2. sudo python3 -m pip install urh
  • Second method
  1. sudo apt -y install urh
  • Third method
  1. git clone https://github.com/jopohl/urh
  2. cd urh
  3. python setup.py install
  • Start Universal Radio Hacker with the command “urh”
  1. Choose HackRF
  2. Enter the frequency

NESDR Smart – receive only

Step 1

Install the driver with Zadig (detailed information in the HackRF One section).

Step 2

Select RTL-SDR in the “Device” option of the device settings, enter the frequency, and you are ready to receive signals!

Used Hardware

  • HackRF One
  • PandwaRF
  • Nooelec SDR

Conclusion

We were able to receive signals with all three software defined radios. However, the HackRF One was the only device that allowed us to transmit signals too. It should be possible to transmit signals with the PandwaRF as well, but we struggled with the Kaiju license, which is necessary for transmission. Therefore, we achieved our project goals with the HackRF One.

References