Breaking RF Unlock Codes

They said it couldn’t be done

Bryan C. Geraghty

@archwisp

Security Consultant, Security PS

Over the next 15 minutes…

My Goal

My Prior Knowledge

The Target

Attack Hardware

Attack Software

Signal Analysis

Cracking

LIVE DEMO

What’s Next?

The Goal

Unlock a car by forging a radio frequency signal

A jamming & replay attack has already been published

I will not be talking about that

This attack exploits the predictability of unlock codes

This is not a man-in-the-middle attack

I have not found any published research on this

Disclaimer

I have not completely broken the codes… yet

I will not be releasing any of my code… yet

I will not be disclosing car models… yet

Prior Knowledge

Before starting on this project, I had done:

A lot of programming

No work with RF whatsoever

Some cryptanalysis

A little bit of research on RF signal analysis

I submitted my proposal for this project in June 2014

The Target

Most modern vehicles can be unlocked with a key fob

Sends a code that unlocks the car

Rolling code system mitigates replay attacks

Attack Hardware

Software Defined Radio Receiver RTL2832 w/R820T

Adafruit - $22.50

RF Link Transmitter - 315MHz

WRL-10535

Sparkfun - $3.95

Total: $26.45

Attack Hardware (Alternate)

HackRF One

SDR Transceiver

SparkFun - $299.95

Attack Software

SDRSharp

SDR Tuner

Capture data

FREE!

Custom Code

Frame Dumper

Demodulator

Encoder

Signal Generator

TIME!

Signal Analysis

Find and capture the signal

Signal Analysis

Yay! I captured some funny sounds! Now what?

Signal Analysis

Dump MSB from one channel of WAV frame data

Signal Analysis

Identify threshold value for binary conversion

Threshold:

If the hex value is

greater than 32, it

gets converted to

a 1. Otherwise, it

gets converted to

a 0.

Signal Analysis

Pulse-width demodulate the binary data

Another

Threshold:

If the pulse is longer

than 28 bits, it gets

converted to a 1.

Otherwise, it gets

converted to a 0.

Signal Analysis

Hex encode the binary data for analysis

Signal Analysis

Capture samples!

Signal Analysis

Analyze the samples

Cracking

I identified a bunch of patterns

I wrote some code to:

Identify more patterns

Generate signals using these patterns

Compare them to sample signals

I’ve gotten very close

Let’s see how close…

LIVE DEMO

Let’s hope this works…

Just in case the demo didn’t work…

What’s Next?

Keep trying!

Find a PRF cracking expert

Collect hardware not attached to cars

Collect samples from more vehicles

Remote Start!

Thank you