Software-defined radio (SDR): Relay Attacks
Introduction
We want to simulate a keyless car hacking situation. Therefore we want to interfere with a connection between a car and a car key during the unlocking process. The key question is: How does a Passive Keyless Entry (PKE) system works? PKE communication is an electronic locking system which is mainly used for entering cars without the need of a key. The locking system uses passive components (keys) which will be activated by the car. The car constantly transmits its recognition signal, range is about 1.5-3 meters. One of the most used systems is the so-called “keyless entry system”. Therefore, the car environment is surrounded by periodically low frequency signals about 130 kHz. If the right key is in this zone, the chip is reacting with those low frequencies and is creating an ID with ASK / FSK modulated signals. Therefore, we got 2 possibilities:
1. The car is sending a LF signal with some kind of “wake up signal”.
- The car is sending permanent wake up signals.
- If a “keyless entry key” is near a car which has the keyless entry technology, an “Acknowledgement” will be transmitted to the car.
- If the key and car fits together, an ID check between the car and the key will begin.
- The car is sending an ID to the key – if it fits, the key is transmitting the right key code. If the key code fits to the one of the automotive, the car is opening.
2. The car sends a LF signal with a car ID.
- Periodically a LF signal is transmitted by the car.
- If a “keyless entry key” is nearby and the ID fits to the one of the car’s, the key transmits the right “key code”. If the key code fits to the car key code, the car is going to open.
Summary
This documentation is about SDR (Software defined radio) and relay attacks. This document will give you a better understanding of these definitions and how some devices in IOT can/could be attacked with SDR relay attacks. This documentations will also provides detailed information about devices we used, the setup of these devices and other requirements.
Requirements
Software
- Computer with native Kali-Linux installed.
- License for PandwaRF.
- PandwaRF App for Android. (Must be a device with latest Android version installed)
- Universal Radio Hacker
Description
Rolling Codes vs. Fixed Codes
Remote controls send a digital code word to the receiver. If the receiver considers the code as correct, the sender will do the stuff which it is programmed for. For example: opening a door, closing, blocking, holding or locking etc. Simple remote controls use fixed code word. That means the code word which opens the a door today, would open the door some time in the future with the same code word. An attacker who has the right device to capture a code, could easily capture the simple code and send it sometime later to open the door. Some safer systems would use so called "Rolling codes". With rolling codes, hacker would be able to capture a signal, but to retransmit these signal, they need to know the algorithm behind the rolling code in order to open the door because the captured code is used already and therefore deleted in the code algorithm. The rolling code system uses an encryption method which allows the sender and the receiver to use share codewords in to make it harder for the attacker to steal the code.
Pentesting with PandwaRF
Step 1
- Install the application on your Android Phone.
- Open the Device.
- Install the antennas. (Never use a SDR Device without antennas.)
- Connect the PandwaRF via USB-C to your phone.
- Open the application.
Step 2
- The device should have connected with your application. If not, do it manually in the search tab.
- After the device has connected, you can use the spectrum analyser to analyse the frequency which the device captures. If you want to get your desired signal, you need to choose your frequency.
- At the Rx/Tx tab you can scan you signal which you try to capture. It is even possible to auto detect a signal which is sent.The pandwaRF will give you the captured signal in hex or in Binary which you can afterwards analyze.
- In order to transmit a captured signal, you need to buy a "Kaiju License". Kaiju is an online tool where you can analyze rolling code and generate those. Kaiju is mainly used to attack systems which use rolling code.
Side Note: You won´t be able to use PandwaRF to open your car. After long researches and communication with the manufacturer, the car opener function is only allowed for the goverment or law enforcement.
Pentesting with HackRF One
- Warning: The HackRF One will not be able to transmit on windows
Step 1
- Set up a laptop with native kali linux
- If you want dual boot on your local machine use these instructions. With dual boot you will be able to use Windows and Kali Linux native simultaneously.
- Dualboot on windows machine
- You need a USB stick with a minimum of 8gb storage
- Download Kali image from official website https://www.kali.org/docs/development/live-build-a-custom-kali-iso/
- Download e.g. Etcher to flash the image on the USB stick to make it bootable https://www.balena.io/etcher/
- On the computer enter BIOS and change the BIOS-Mode to Legacy instead of Secure Boot (if secure boot is enabled). Secure boot prevents booting from external device! Then change the BIOS-Priority to “USB” first.
- For further information follow the instructions on the official website https://www.kali.org/docs/usb/live-usb-install-with-linux/
Step 2
- Driver Installation on HackRF One
- Download Zadig https://zadig.akeo.ie/
- Only compatible with Windows
- Set-up HackRF on Linux
- Sudo apt-get update
- Sudo apt-get -y install hackrf
Download Universal Radio Hacker on Linux machine
- First method
- Sudo python3 -m pip install –upgrade pip
- Sudo python3 -m pip install urh
- Second method
- Sudo apt -y install urh
- Third method
- git clone https://github.com/jopohl/urh
- cd urh
- python setup.py install
- Start Universal Radio Hacker with the command “urh”
- Choose HackRF
- Enter the frequency
Nesdr Smart – receive only
Step 1
Install the driver with zadig (detailed information in the HackRF One section)
Step 2
Enter the RTL-SDR the “Device” option of the device settings and the frequency and you are ready to receive signals!
Used Hardware
- HackRF One
- PandwaRF
- Nooelec SDR
Conclusion
We were able to receive signals with all three Software defined radios. However, HackRF One was the only device which allowed us to transmit signals too. It should be possible to transmit signal with PandwaRF as well (Only for Garage Openers), but we struggled with the Kaiju license, which is necessary for the transmission process. Therefore, we were able to achieve our project goals with the HackRF One.
References
- https://www.youtube.com/watch?v=5CsD8I396wo&t=327s
- https://www.essentracomponents.com/en-gb/news/product-resources/explaining-remote-keyless-entry-in-cars
- https://en.wikipedia.org/wiki/Rolling_code#:~:text=A%20rolling%20code%20(or%20sometimes,and%20keyless%20car%20entry%20systems
- https://www.youtube.com/watch?v=XrRGDQ2IzDE
- https://en.wikipedia.org/wiki/Remote_keyless_system
- https://sectigo.com/resource-library/why-automotive-key-fob-encryption-hacks-are-making-headlines
- https://rolling.pandwarf.com/
- https://www.offensive-wireless.com/how-to-install-universal-radio-hacker/
- https://installati.one/ubuntu/20.04/hackrf/
- https://zadig.akeo.ie/
- https://www.kali.org/docs/usb/live-usb-install-with-linux/
- https://www.balena.io/etcher/
- https://www.kali.org/docs/introduction/download-official-kali-linux-images/