So this is going to be stopping SDR relay and replay attacks on passive key entry systems. So who in here has heard of these or seen them in the news? Yeah. Who in here has one of the fancy push-button start cars? Yeah. That makes it even more interesting. So this is something where I'm going to go over a little cool device that I built, after I did a relay attack. It was two years ago when I got my original Ettus N210, so I'll go into a little bit of that.

A little bit about myself: I'm 32, I work for NCR, and I live in North Dakota. This is my fourth year speaking at DEF CON; I spoke at Black Hat last year. I speak at a lot of ICS security conventions, things like that. And I've been doing pen testing; this is my 13th year professionally, and I've been doing programming for about as long. And I've just gotten into a lot of research. Anything radio or car related has been kind of my focus over the last year. And I did a lot of attacks on ATMs and point-of-sale systems last year. Reverse engineering malware is one of my remaining hobbies, and that's one of my original hobbies; how I got into reversing is actually tearing apart the Chernobyl or CIH virus. It was the one that reversed your BIOS, if anybody remembers that one from several years ago. But yeah, it was a very good time. And yeah, I'm going to do the car hacking village here.

So this presentation, a little bit about the research. So last year, about two years ago actually, I looked into an amplification attack that some people did, I believe it was in another country in Europe. I need to sleep more, obviously, but yeah, they did an amplification attack. So they basically boosted the frequency and were able to send it a certain amount of distance. And last year I received three Ettus U310s or U210s and one N210, which is the one on the right there. And so I had force offered to find radios, and I was like, what's the worst that could happen?
And I was actually looking at immobilizer bypasses and older dealership tools. I was getting in, so I've been doing car hacking for about, this will be my third year. So it is something where people can pick it up really, really quick, especially with some of the stuff that you can Google nowadays. A lot of the kits that are out there, it's just the price of entry has gotten a lot cheaper compared to what it was. And yeah, this is an actual pile of 433 and 315 megahertz radios. So I'll actually be going into how to build the device, and I have a demo lab on Sunday. So if you guys want to come and see how to build the device, then I can go into a lot more detail, once I hear back from Ford on the actual TPMS sensor also.

So there was a Swiss amplification attack. There were a couple of researchers, and there are several changes that actually went into a lot of the automobiles at that point. And from 2011 on, they started putting in multiple sensors. They started dealing with actual delays and tracking a lot of that. There was a huge window. It was literally a third of a second for some of the original stuff. Now it's down to about a tenth of a second where you can actually relay the actual signal. And does everybody in here kind of understand the concept behind how the relay attack works, for the most part? Okay.

Yeah, these are actual passive key entry systems. I did a lot of research also around 2014 on passive keys. So that's when I started looking at what they're actually speaking, what range there is. I looked into stolen vehicle slowdowns. I also had a DARPA contract and a DHS contract with their attacks on PSAPs and E-911 centers. So I started looking at some of the automotive automatic notification for crash detection. So if airbags were deployed, if vehicles rolled over, because that is something where these messages might be able to be flooded into a call center and stuff like that.
So it's something where that came across in a lot of our stuff. So yeah, it's pretty interesting research, and I will definitely be going into a lot of the actual passive key attacks that we have here. So in 2015, I submitted, or actually did, the DSP for samples up to 700 megahertz. So the only keys that I wasn't able to do at that time were BMW and Ford, because they are in a higher spectrum than that. So I used the actual DSP that I built, which is a digital signal processor built off of an FPGA. And if you guys haven't played around with those, the entry points for those are very cheap. They're about 60 to 70 dollars, and you can speed up anything that you need to do. They're very, very cool systems, and I would definitely recommend people getting into them.

And there was a Beijing-based firm. So my setup that I'm going to go into now costs about $5,700. Everybody has an extra $5,700 laying around. But the actual Beijing company, they got it down to $22, which is unbelievable. So that's when it becomes anybody can do it. So it's something where that's when it becomes scary. And that's when people will start talking about it. The press, Wired, did a very good write-up on it. They actually did a very good job with their talk and their slides, if you guys are interested in their device and how it actually works.

And what I'm going to basically go over is the actual hijack: two-factor authentication. So who would like to have, who has two-factor authentication on at least one of their electronic products? Yeah. How would you like to add it to your car? How would you like to use a 13.56 MHz ring you have, or some people are putting implants in? There are lots of things that you can do for your second form of verification. And how is this used? Passive key entry start. The vehicle allows the driver to actually lock the vehicle doors without touching the key.
So when you get into proximity, there are sensors in the roofs in most of them, where it'll sense where you are adjacent to the vehicle. So if you're at the back of the vehicle, you can't start it. If you're at the front of the vehicle, you can open the door, you can possibly start it. So these are remote key entry systems and the actual remote keyless ignitions. So the main frequencies for these, as far as the US goes at least, you're most likely in one of these ranges, 314.9 to 315 or 433 megahertz. And then 125 kilohertz is usually what the key is speaking for its low interrogation signal. So it doesn't have a lot of range, but basically you have a key in your pocket, it's going to send out the 125 kilohertz, and your vehicle is going to send back 433 or 315 depending on the actual make and model of it.

So yeah, let's see here. Yeah, so the actual key that I was able to do some of the relay attacks on was 433 megahertz. And also I submitted all these to the, the actual Cadillac and Chevy have, General Motors has an actual bug bounty program. And they informed me that they knew about the amplification attacks. And I actually took a look at a lot of their systems. And they are definitely stepping up their systems. And most of it was fixed by a lot of software patches. It's just a lot of the second-hand vehicles in some cases didn't get it. So it's definitely interesting. And so those are the two that I actually was working on, because they were in the 433 to 315 range, which was within the sample range of the DSP that I built.

So, let's see. Updated in most vehicles. Yeah, like they have multi-roof sensors. Fiat Chrysler is an amazing company. They're very open about talking to people and the security community. They had some Jeep issues several years back. And they've been very, very good to the community. And they talk to people. They're very good at reaching out and actually taking care of the issues. So, yeah.
So basically when you walk into range, you're detected by the door. The car opens. You're sitting near the passenger door; the car won't start. That was one of the issues that I'm actually going to do in my demo lab on Sunday. I will go into a little bit of how you can do something. It's basically beam forming. Or you can make your beacons appear as if they're coming from somewhere else inside the vehicle. Or you can actually roll through about a six-foot radius. You can actually change it. And that was something that I also used for some of the 802.11 attacks that I did yesterday.

And yeah, 2015. I said about a $5,400 setup. And 2016, now I can probably get around the same setup for about, I would say, $1,200 to $1,300. And the 2017 setup is about $322. So the actual attack surface is getting very, very cheap. And that's where some of these have been used in the wild. There are lots of people. When it gets into that $22 range, everybody can afford it. And it's especially when plans are leaked or they're out there.

Yeah, so how did I start this research? I admired my neighbor's black Durango. And I went over to my neighbor and asked to borrow her Durango. I ran away from my driveway over to the Durango. And yeah, basically I explained to her that I was going to see if I could drive around without the key in it. And basically you'll get glares for the rest of your life when you mow your lawn after you've done stuff like this. So it's better to just go out and rent it or have a family member, or like I had a friend who had another vehicle that would have been susceptible to it.

But yeah, here's a little bit of the explanation of it. So you have a software defined radio on one side, and this is the very expensive version of it. So basically there was my driveway. I had an N210 on that side, an N210 on this side. I tried using the USB versions at that time. When I was doing that, my USB 3 ports couldn't keep up with it.
So I did a lot of troubleshooting and wasted a lot of time getting it to work, when I should have just gone with the network versions of it. So I ran a cable, did a cable test first, and here's the actual setup on the bottom. So I had two Lenovo laptops and the N210s, and then basically you have to have a daughter card that's within that range, and you can tie in the DSP to the daughter card so you can actually demodulate and remodulate it a lot faster.

And yeah, here's test two explained. So I did it over wireless the second time. It was susceptible to latency, and I was checking into that, and this is the actual result when I submitted it and everything like that. They were asking me if it had an aftermarket starter added to it, so I added a little bit of susceptibility for that type of stuff as far as accepting the start. But up to 18 milliseconds of latency is what I could add to it where it would actually still accept it as a valid key entry. So this is basically the same as the wired, except for the wireless version of it.

And here's my final test. So I did it over a 365 spectrum, and I did it from almost a quarter of a mile away. It was Super Bowl Sunday, like two years ago, and I was also watching the Super Bowl game. I don't even know who won that year or who was even playing, because I was driving a Durango around without the keys in it, having a blast. It was a very fun time, and like I said, I have a whole setup. This was a little bit expensive, but this one had really good range. It worked on multiple keys, which is something that, from what I understand of the $22 version, it's very susceptible to interference and stuff like that. I could literally walk this one into a dealership, throw it down by the dealership rack, and go off with any vehicle that's on the lot.
Because of the way that it samples and the rates that it can sample at, it can take a lot of data before it'll actually start jamming it up or basically garbling the messages. And yeah, this is what I drove to the ATM that I did my ATM hacking talk on last year, so that was one of the vehicles that I performed the attack on. It was pretty fun. I loved the vehicles; they're amazing vehicles. But yeah, it was the actual one that I performed the attack on. Not this exact one, but it was a white Durango.

So the dealership, the actual digital-to-analog, analog-to-digital dealership attack. That was one of the proof of concepts that I submitted along with my vulnerability disclosure. Say, for example, somebody was to go into a dealership. Dealerships have the keys hanging in a box inside of a wall, inside of a manager's office somewhere. So if somebody was to drop the bag near one of those, they would be able to actually walk off with several vehicles in some cases, depending on the actual setup of it or how many keys there were. There might have been a lot of confusion depending on how many of the interrogation signals and things were getting passed back and forth. So this actual attack, that would have been something where, in addition to rental returns, there were a couple of other concepts that I went through that would be possible, especially in smaller cities, not like the bigger airports, where they have the strips where you wouldn't be able to drive them out and stuff like that. But yeah, so if you do the digital, analog-to-digital, you're basically taking it from layer 0 to layer 1, back down to layer 2, or down to layer 1 or layer 0, excuse me.
So, and yeah, the low frequency. So I used a Proxmark, which, who in here has dealt with those before? 13.56, they're very, very nice. I've used them on RFID badges in the past, and it's something where the low interrogation signal that's sent off from the key fob, you're able to actually do that. That one is a little bit less susceptible to some of the actual interference and things like that. So this was part of the initial setup. So I had the Proxmark, then I had that for all the actual LF or low-channel information. Then for the UHF channels it was 315, 433, that was what I was tuned to. So anything out of that range, like I tried it on, there were a couple of Ford vehicles, my wife has a Lincoln, did not work on those, and I believe BMW was 868. So those were two of the frequencies, and these are the ones I didn't dive too much into, or I saw they didn't work, so those numbers might be inaccurate, or they might be for their actual fob system. Some of these vehicles might not have a passive key entry at all; it's just the actual spectrum that they're actually using. So I'm not saying that any of those are susceptible 100%, but yeah, it's something where it's cool to see how they've actually done reactions ever since the 2009-2010 research, because they published their research in 2009 for the amplification attack, and the actual attack surface for that went down pretty severely.

And yeah, so RollJam, that's something that Samy Kamkar did last year. It basically blocks your message, or then it'll allow it to relay or play it a second time once you play the second thing. It's very, very cool; you should go check it out. That's one of the features that I'm actually building into the stop mitigation method. It's actually going to stop, because you have a two-factor authentication on the device that I'm building, so you'll actually be able to detect if there's any roll-jamming going on. So that one will do a signaling, and I'll show you the actual Adreno method if you guys want to go to the demo
labs, I'll actually go into greater detail. I could literally talk for half an hour about that specifically. But yeah, it's going to add, there are other key attacks, there are some Genesis code attacks, like from dealership codes and stuff like that, where people are able to do some other things. You'll be able to detect if anybody's trying to attack your vehicle wirelessly, and add features as they develop, and I'd love to see what the community has to do.

One of the biggest ones is I don't have a stock infotainment system in my car. I have an aftermarket CD player; it's an Android CD player. So I actually have a Bluetooth radio on that one, so I can actually basically tie it into the jamming frequency. My vehicle that I have is a '95, it's an older vehicle, but it still has a 13.56 chip in the ignition, so it still has some kind of wireless that I can jam to actually pass, or de-auth; jamming would be illegal. But it's something where you can actually take care of the actual wireless beacons, and it won't be able to actually pass off to the immobilizer, and you won't be able to start the vehicle. They will be able to, with certain other instances, there still are bypasses that people can do to steal vehicles and disable them.

But basically it's a time-lock option. So this one is a built-in time frame. So like for the beta one that I did, from the hours that I'm sleeping, basically, or I can actually do when my phone gets plugged in. Anytime my phone gets plugged in, it'll turn on a certain beacon, or you can do whatever you want as far as your trigger for it. You could eventually have an Android phone hooked up to it, and in certain parts of town you'll just lock, jam your vehicle's actual authentication. So there are plenty of methods, and I would love to see what the actual hacker community can come up with for this. But you're basically adding two-factor authentication. So if you're de-authenticating about a foot radius, depending on the TX code, or the actual TX strength, excuse
me, depending on your broadcast strength, you can take care of basically your VAN, or your vehicle area network. So it's going to be everything that's in proximity to your vehicle; you're not going to be stopping other vehicles in most cases. So other ways you can do it is you can just actually disrupt the CAN bus method, or there are a lot of ways that you can disrupt the actual starting of the vehicle. I don't think radio jamming would necessarily be the best one, but it's the first one that came to mind, and it seems to be the simplest, where I get it into that $11 range. Some of the other methods would involve having to buy proprietary ports, or at least Chinese knockoffs of them.

And yeah, you can basically disrupt the infotainment system. You could do a PIN. That's one that I would recommend dealerships do, or actual auto manufacturers. So maybe they leave the keyless doors being able to be opened, but they add some kind of thing where you can opt in to have your vehicle have a four-digit pad PIN to actually get your immobilizer, some kind of thing to actually stop these kinds of attacks. And I hope that they handle it with a little bit more security in mind.

And I have a USB-based infotainment jammer. So that one is one where you can basically still get into your doors; you can still unlock your vehicle, depending on the makes and models. Some of them that are non-wired for the actual keyless entry, it wouldn't work on that. And yeah, so you'll be able to detect, like I was saying, a lot of the actual spoofing. Plastic slip for your key fob: there are actual modifications I'm doing for the actual fobs for the Fiat Chrysler vehicles, where you can actually basically slide a piece of plastic up on the side, and it actually covers the actual internal battery portion of it. So yeah, there are lots of actual ways that people would stop this. I know a lot of people were like, oh, put your key in an electrostatic bag or inside of a Faraday cage or something along those lines. And yeah, I
definitely wouldn't see that as being something convenient, but I think adding a second factor, such as having your phone and Bluetooth, would definitely be something that would be simple to use. So basically it jams 433 or 315. Not necessarily jams; it can de-auth, it can, you know, take care of those radio signals, however they're saying it. But it effectively adds a two-factor authentication to your vehicle. So if you're jamming 315 megahertz, it's not going to jam 2.4 gigahertz, which is your Bluetooth, or whatever your secondary wireless beacon is actually going to be in range. And you could literally have it as simple as something, there's Bluetooth Low Energy, there are lots of devices that actually put off these, so you could have a watch to start your car. It's amazing. I just have the idea, and the concept is actually to stop this attack, and it was to build some kind of two-form authentication. It's really, really fun when you have something that's in your vehicle that works with your vehicle, and it's a really, really fun project. It's really cheap, and it takes about two hours to build. And yeah, like I was saying, you could do the actual 8 p.m. to 5 a.m.
That's what I do for mine. If I needed to actually go to work in between here and there, I still have ways that I can do it. I can go in there and I can actually do workarounds, or some days, yeah, it's just as simple as modifying it. There's a very, very simple file, and I'll be releasing all these open source, MIT license, so everybody can just literally grab this and throw it into products. I hope the actual companies offer these kinds of things; I would think that would be awesome, and it would be nice. And for the years that aren't covered, though, it's nice to be able to actually build something from the ground up.

And yeah, the simple clock control. So the simple clock control one, the one that's windowing just for shutting your vehicle down at certain hours, that one is very cheap to build. I built that one for less than six dollars. And I'll be releasing all the plans for those a little after DEF CON.

And using an actual jammer to steal vehicles. So this is another proof of concept; this is something dealerships need to watch out for. So I was like, okay, if people can build 433 jammers, 315 jammers, they can basically go to a car dealership, walk up to a salesman, be like, hey, I'd like to purchase this vehicle. Then they'll go over to the vehicle, the vehicle won't open. What is the first thing the salesman does? He walks off to go get a jump starter. Then they just turn off the jammer and walk off with it. So that's something where I think the automotive manufacturers need to put some kind of jam tracking in there, some kind of light, some kind of indicator, something on the key fobs. It's definitely something that I don't think is going to go away. It's something where they might get more advanced. Like I was saying, I never thought that they'd be able to get it down to twenty-two dollars. If you would have funded me a million dollars, I wouldn't have been able to get it down to the small form factor that they did. So it's something where, you know, with a little bit of research put
into it, people are able to get it to that, where now it's available in everybody's hands.

So actually a couple of other cool projects I was working on. I mentioned some of these TPMS sensors, so the tire pressure monitor sensors. I actually have one for, so I have a buddy who races Mustangs, and he hates having his dash flashing while he's at the drag strip or whatever. So he switches his tires out, and he has to go have his vehicle flashed every time. So basically I wrote a program, or a modification that you can do to actual Ford and Lincoln vehicles from somewhere around 2007 up. You'll be able to actually modify the TPMS IDs, so you can have three sets of tires on your vehicle. And this one only works for Ford and Lincoln. If there's interest in other stuff, maybe other people in the community want to reach out to me; we can do it for other vehicles. I don't think other vehicles are as hard to actually flash over; I haven't actually researched it, though. So we're on five minutes, awesome, I should be wrapped up here soon.

And yeah, so the random TPMS ID. So every time you start your vehicle, I have the, this is one of the security talks I did yesterday actually, every time your vehicle starts, it flashes your TPMS sensors. So it does random numbers, basically, and it actually loads them into your ECU and everything for you. So it does everything that the dealership does, except every time you drive around, you're not able to be tracked by billboards. And it's going to get more and more intrusive in the future; people are going to be literally using these. I know over in other countries they've even used TPMS sensors for, you know, IEDs and other things. So there are lots of ways that, if people were able to actually shut their actual sensors off on their vehicles without the actual dash lights going off, or being able to add at least like three sets of tires to their vehicles, it would be something that they'd be very interested in. And if you guys have questions about any of these, I will also be
talking about these at the actual demo labs on Sunday, because I can dive into a little bit deeper detail; you can ask some of the more questions that you want to. So yeah, basically the random rolls of the TPMS sensors cycle through ten revisions. That's what I have the Lincoln model working for, so every time you start it, it'll roll through one of ten. So basically ten sets of tires attached to your vehicle. And it does draw a little more energy, so you can wirelessly charge it. So if people aren't a fan of putting more things into their tires, it might be something that they might want to refrain from, or have some kind of actual kinetic energy system around it.

And the early warrant protection system. This is one that I came up with about two weeks before I came to DEF CON, actually. So when somebody is served a warrant, they basically have to, for the most part, they have to serve an empty dump truck to their house and actually load the trash in that way. And it was just a proof of concept, and I've reached out to a couple of the actual manufacturers to see if it's something that they care about, because there are loads, either from the airbag distributions. And it's something that I know there are a couple of people that have been doing research on actual loads for armored trucks, to be able to tell, just by how they're riding, how much actual stuff is inside of them. So it's something where they need to actually maybe lock down a little bit on some of the wireless sensors in this case.

So, but yeah, I'm going to open up to questions, and then we've got maybe like two minutes left, something like that. So yeah, anybody have any questions? Or yes.

Targeted route jammers? As far as it's accidentally happened, there was an instance in New York where somebody's AV equipment actually jammed, I think it was like three and a half miles of vehicles from starting. Yeah, so it's gotten a lot better since then. That was early, that was
early adopters right there, I think. So then some of the newer ones possibly do have some of that. I know they definitely worked a lot of the kinks out of the original ones. So you're talking for which spectrum? Or if you want to ask me in the hallway, we can probably do that. Or maybe, okay, yeah, I think it has, and I've heard of instances in New York. So yes, anybody else have any other questions? Or yes.

Yeah, yeah, yeah. When you drive around, it will, the vehicle that I was driving around, I thought the key, it did beep every few miles, and then once I got it out of drive it did notify me every time, but I was able to drive pretty much until I turned the vehicle off, so in that instance. And then what was the first half of the question? Oh yes, yeah, some of them are throttled. Yeah, yeah, yeah. It's like a thin line that they're dancing on with that right now, because what if somebody, you know, is hurt or injured in their vehicle and would not be able to drive them to the hospital? That, you know, defeats the rate of, you know, people, or the actual NICB or whatever, the rating of the vehicle that, you know, it will get from being stolen a lot. So if it gets to be a bigger issue, I'm hoping that they'll actually include something like this as an add-on, because like I said, the Bluetooth version is very, very simple. And if they can have actual output from their infotainment systems, it would be something that, even if it was a secondary device, it's something that there still are ways to fix this. And I haven't found any utility or any kind of patenting that would make it where it would stop them from doing anything like that. So it's not like one brand of vehicle has anything like that. So any other questions? Or thank you, and thanks a lot for your guys' time, and thanks for listening.
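The time-window plus second-factor gate the speaker describes (the 8 p.m. to 5 a.m. lockout, a Bluetooth beacon or a plugged-in phone as the second factor, and the relay latency the test vehicle tolerated), modelled as an added example that is not the speaker's device code. The beacon addresses, the round-trip bound and the sample events are constructed assumptions.

```python
"""Policy model for the 'two-factor' passive-key-entry gate described in the talk.

Added example, not the speaker's device firmware. It decides, for a given
moment, whether the 315/433 MHz fob channel should be let through or
blocked, and flags a challenge/response exchange whose round trip is too
slow to have come from a fob that is really next to the car.
Beacon addresses, the round-trip bound and the sample events are constructed.
"""
from dataclasses import dataclass
from datetime import time
from typing import Iterable


@dataclass(frozen=True)
class GateConfig:
    # Lockout window: the speaker's own setting is 8 p.m. to 5 a.m.
    lock_start: time = time(20, 0)
    lock_end: time = time(5, 0)
    # Constructed BLE addresses of the owner's phone/watch (the second factor).
    trusted_beacons: frozenset = frozenset({"aa:bb:cc:dd:ee:01"})
    # Constructed bound on LF-challenge-to-UHF-response round trip. The talk
    # reports the test vehicle still accepting about 18 ms of added relay
    # latency, so a defender-side bound has to sit well below that tolerance.
    max_rtt_ms: float = 5.0


def in_lock_window(now: time, cfg: GateConfig) -> bool:
    """True when 'now' is inside the lockout window; handles wrap past midnight."""
    if cfg.lock_start <= cfg.lock_end:
        return cfg.lock_start <= now < cfg.lock_end
    return now >= cfg.lock_start or now < cfg.lock_end


def second_factor_present(seen_beacons: Iterable[str], phone_plugged_in: bool,
                          cfg: GateConfig) -> bool:
    """Either trigger the talk mentions: a trusted BLE beacon in range, or the
    phone physically plugged into the head unit."""
    return phone_plugged_in or not cfg.trusted_beacons.isdisjoint(seen_beacons)


def decide(now: time, seen_beacons: Iterable[str], phone_plugged_in: bool,
           cfg: GateConfig) -> str:
    """'allow' lets the 315/433 MHz fob traffic through; 'block' means the
    device suppresses it so a relayed fob response never reaches the car."""
    if not in_lock_window(now, cfg):
        return "allow"
    if second_factor_present(seen_beacons, phone_plugged_in, cfg):
        return "allow"
    return "block"


@dataclass(frozen=True)
class Exchange:
    challenge_ms: float   # when the car's 125 kHz interrogation was seen
    response_ms: float    # when the fob's UHF reply was seen


def relay_suspected(ex: Exchange, cfg: GateConfig) -> bool:
    """A relay adds propagation and re-modulation delay to every exchange, so
    a round trip past the bound is an indicator worth logging or alerting on."""
    return (ex.response_ms - ex.challenge_ms) > cfg.max_rtt_ms


def run_demo() -> dict:
    """Evaluate a few constructed situations and return the decisions."""
    cfg = GateConfig()
    return {
        "daytime_no_factor": decide(time(12, 0), [], False, cfg),
        "night_unknown_beacon": decide(time(23, 30), ["11:22:33:44:55:66"], False, cfg),
        "night_trusted_beacon": decide(time(23, 30), ["aa:bb:cc:dd:ee:01"], False, cfg),
        "night_phone_plugged": decide(time(4, 59), [], True, cfg),
        "local_fob_rtt": relay_suspected(Exchange(0.0, 1.8), cfg),
        "relayed_fob_rtt": relay_suspected(Exchange(0.0, 17.5), cfg),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```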