My name's Woody and I'm going to be giving a presentation on Ford vehicles and some possible vulnerabilities, depending on how you look at it. I looked at them as vulnerabilities. Some of the engineers who I talked to from their company said, nope, works fine the way we tested, just don't do what you do. I wish I was making that up. So I'm going to go ahead. We're getting stuff going right now. I was going to do some really good slides and put everything together. But when I thought about it, I said, you know, the last thing I want to do is sit through some long, boring process of PowerPoint presentations. So I'm just going to do it live. I'm going to show you the exact steps that I used, how I figured it out, what tools I used, and what I used to try to make things a little easier. So that way, you have the ability to go through the steps like I did so you can find vulnerabilities and exploits as well. I think the biggest thing about finding exploits is just looking for them, you know. Too many people overlook stuff. When I give all the details of how I made this work, some of my buddies that are engineers that are really good, the guys I go to for advice, we're like, why would you even do that? It makes sense to even try it, but then it worked. Don't think that just because something isn't supposed to work means it won't work, because sometimes it does. And that's what we're really going to point out here. So because of the way we've got this set up right now, visual, there we go, I might have a little bit of trouble seeing some of the stuff, so be patient with me. So the first thing that we're going to talk about is how do you start looking at and digging into these protocols, right? Well, the first thing I did was I bought a new truck. When I got that truck, it had key fobs. Like anything, I took it apart. And when I took the key fob apart, what do you always look for when you want to start doing RF research? FCC ID.
Not only did the FCC ID tell me a lot about the fob, what it looked like, internal parts, it told me the frequencies, it told me how wide it communicated at, and it made my life a lot easier. It's documented. Some of the things will be, some of them won't. Look for it and see. So one of the things, yeah, tell me when I'm on the one that says Ford here, yay, again I didn't realize it was going to be this far away. So fortunately we've got some stuff we're going to look at. So I'm going to show you some videos real quick of how some of this stuff worked. And then we're going to talk about how it all came out. So this is an example of vehicles locked. This was a rental car. I take, I leave the keys on there so you know that I'm not doing anything with them. And now I walk over to the side of the vehicle, unlocked. So one of the things that happens when you do this is people are going to say, well, wait a minute, I thought there was rolling code. And what we're going to talk about is why rolling code is great when rolling code works and why it's not great when it doesn't work. So we're just going to get into, first I'm going to explain a little bit about rolling code and what we're looking at when we do that. When I talk about rolling code, what I want you to think about is if I want to make something so that you can't just copy it and replay it. Because we have all, most people in the room I'm sure have heard about the old replay attacks. Well, the problem that happened is they said, you know what? We need to make it so you can't just replay the same signal. So what happens is at the end of the signals, they'll put a code in there that changes. Now that code's not supposed to just jump up by one, because then you could just guess what the next code is, right? It's not supposed to. So I started looking at that and I started wondering how the car's relationship worked with multiple key fobs. Well, each key fob has its own count.
Now I've played with a lot of different vehicles. The reason that I'm doing this talk on Ford is because I was able to document Ford really well because I owned one. I've done exploits on some other vehicles. And when I talk about that, there's other vehicles that I've been able to own even more than the Ford. So the way that I was able to manipulate those, I'm not going to talk about those manufacturers because I haven't been able to document it well enough to give them appropriate time to fix it. Ford, I did. So I take the relationship between two key fobs. And what happens is one will have a slave relationship. Whichever drove it last is typically going to be the master and the other one is going to fall into a subordinate category. With some manufacturers out there, I've found that if I capture a signal from the key fob that is not being used at that time, that hasn't driven it last, it'll accept any of those codes because it doesn't look for rolling codes on the key fob other than the one that drove it last. Absolutely works. That's not what we did with Ford. I was looking for that vulnerability because I'd found that in other vehicles. Another trick that I use is I'll replay a whole bunch of lock sequences at a vehicle. And when you do that, there's some vehicles out there that if you start sending lock sequences to it enough times, it actually goes, hey, I'm not supposed to let people unlock me. But why would I stop someone from locking me? And then they let the car lock. And once they do, after that, that manufacturer, while the code still rolls, the car doesn't care. It'll accept any code after that. So you have permanent access. This wasn't that attack. While I was trying those, I found something strange out. And this was documented pretty well on the Hak5 series. There's a way to do a denial of service on Ford. I want to note at no point did I do any jamming techniques. None. I don't do jamming. What I did is I replayed the key fobs. That's it.
When you replay a key fob against a Ford, Ford decided that they wanted to stop replay attacks. So if I replay, we'll say key fob A, key fob A, while you can still start the car with it, you can use the manual key, you can use the RFID feature where you walk up and it will unlock if you have that feature in your car. That will still work. However, you won't be able to push any of the buttons because it won't accept any codes from that key fob again until you reset it. So that's the first thing I realized. If you replay, you're going to wind up getting a denial of service. So if I don't want somebody to be able to use their key fob, all I do is catch it, replay it. Done. That key fob will not work again until you reset it. Don't worry. I'm going to show you how to reset it. Then I started realizing that if I then took the second key fob and I sent a signal from it, all of the old codes that I had for key fob one worked again. I started looking at this and I figured out what happened. When Ford deauthorizes a key fob, when you reactivate it, it resets the code count. So I was like, all right, sounds good. Now, to do denial of service, I only need one key fob. To be able to do this, I need two key fobs. Man, that's a little tougher. But I think we can work with this. We'll make it happen. So there's a couple ways to look at that. Most people have at least two keys for their vehicle, right? So if I go and drive my vehicle and then I come home and I have a spouse, they go and drive the vehicle, there's a good chance we're each going to have our own key fob. So if you live in an apartment complex or a housing area or anything else, it's not hard for people to be able to just catch the signals. Because I'm going to show you how I fingerprint which one comes from each. So that's not too hard. 
Then the other thing that we realized was that as you start doing these attacks, once I catch key fob A and key fob B, and I have codes from both of them, and I'm going to release this weekend all the code that you're going to see up here, because we made an automatic key fob grabber that you run through GNU Radio. So anytime you hit a Ford, it just records it for you. And writes it out. So when we started going through and looking at it, one of the cool aspects was that now I could have either one. So hey, if I see that person A drove, now I use person B's signal. Now how do I do that? When I see person A coming out to do something, I just replay any old signal from key fob B. Key fob B is now disabled. Person B is not driving the car. Person A is. So when they get to their car and they unlock it, the moment that I see the car do anything, or have it automated, the moment that I see key fob one fire a signal, I have to make sure that within, we'll say roughly 29-ish seconds, if I hit within that window, key fob B, it's reactivated. That's how you reactivate it. You have to hit it within a certain amount of seconds of key fob one being hit. Once I do that, I've reset the code to zero. Every code I've caught up to that point now works. So once we did that, I wanted to be able to automate it. I wanted to be able to see how it works. And people are like, yeah, so you can do this attack from fairly far, right? You have key fobs. You can be fairly close. Interesting thing, my Raptor, when I looked up that FCC code, it's not 315. It's not 433. It's 902 and 903. It actually broadcasts on two channels. We'll talk about that, because that can be a little confusing at first when you're trying to demodulate. So that means that the range is now ridiculous.
The reason they do that, they want you to be able to be in the store or anything else and just be anywhere near your vehicle, you can hit the lock button twice and then hold down on remote start. Which, by the way, I capture and replay, and now I start your vehicle. Don't worry. We're going to dig into some stuff funner than that. So I was like, OK, how bad could this be? Well, my Raptor is the only one that did. I said, well, maybe this is a new feature with the cars that use the 900 band. Nope, started testing on the ones with 315. Still worked. I was able to get back to about 2017 for vehicles that I tested against, and every time this worked, Raptor Captor worked. Yesterday, I went to the car hacking village, and they have a mock-up of a 2012. I said, well, let's try it. Yep. All the way back to 2012, I can do a de-authorization attack to your key fob, and I can replay old codes by resetting your rolling code count. So we thought that was pretty interesting. We wanted to keep moving with it. So when you find something like this, you've got a couple roads you can go down. You can just sell it to someone. Use it as an exploit. I'm a big fan of freedom, and I like being able to do stuff outside of a cage, so I decided not to run down that route. So I got a hold of Ford. Now, it was interesting when I got a hold of Ford, because for almost a month, I reached out. I emailed. I sent them videos of me starting my truck remotely with a PortaPack, a HackRF radio, and the PortaPack. This is all I needed. I didn't even need a computer. I could catch, boom, replay, done. Whole thing. Finally, nobody reached out to me. And I get it, they're busy. I tried going to HackerOne, but they only had software exploits. There was nothing for hardware exploits. So I teach open source, and I'm decent at finding stuff online. So I just found Mr. Ford's email address by some Google searches for @ford.com and documents, and sure enough, found it, and I emailed him.
And a couple hours later, I got a phone call from an assistant who said, our cyber department will be getting a hold of you. There we go. So when I talked to them, we finally talk, and I get the engineer on the phone, and I'm like, hey, here's the thing, I want to have responsible disclosure. He said, well, the first thing we're going to need you to do is to run the test like this. And he gave me the parameters, exact parameters and times of how he wanted me to test. And I did it. And I said, yeah, it doesn't work if I do it like that. He goes, all right, the protocol's sound. I said, yeah, but I got a lot of other ways I could do this, right? And he's like, yeah, but if you do it the way I said, it doesn't work. And nobody else is going to go through the steps that you're doing. No one else is going to push two buttons in under 30 seconds. It's ridiculous. I said, OK. Now I will say, everyone else at Ford was, once we started talking, they were really good to deal with. I like my vehicle. And I don't believe that Ford was being irresponsible in the way they did this. I think they were being aggressive in trying to stop replay attacks. I really do. The only negative impact I had with any of them was the one individual. And it's probably because within the first five minutes of our conversation, he goes, hey, I don't want you to get this wrong. I'm impressed a guy like you could even figure this out. But everyone else, and I mean this, everyone else from Ford was actually really good to talk to, very nice to deal with. And it was a good thing. I recommend if you find something, go to them. I did get a type of bug bounty. I got a $500 gift card for keychains and hats on their website. But the bigger thing is I'm able to get the word out about the safety of this and what you need.
Because if you don't know how to take that little piece of metal out that's in your little key fob and open your door, and they're all a little different in how you do it, some of them you have to break a piece of plastic off. Some of them you have to, it's just ridiculous, some of the different ways you have to. You have to pull the handle out, put the key in, turn it to unlock, pull the key out, push the handle in, then pull it back open again. So when you do that, it starts getting ridiculous. But you need to understand that it is extremely important that you learn how to do that. You also, if you have a Ford, need to learn your door access code. Because if you're someone and you get targeted, they can do a denial of service on your key fob. And if you don't have the RFID feature where the door automatically unlocks when you're within a certain range, you're going to have to manually open your car now. There's no way around it. You'll still be able to start it, but you're going to have to manually restart your car. Now, there's a second way that you can reactivate your key fob. Ford has an amazing policy where you can program your own key fobs if you get them. So the cup holder typically, if you open the cup holders up, there'll be a little slot in there. You put your key in there, you turn the car on, and that key is now reset. So you can do it either way. You can have two key fobs, so you reset one that's been denial of serviced, or once you do get in your car, you put it in the center console, you start your car, you're going to be good. It'll be reset. It'll be reset at count zero, but it'll be reset. So we start going along, and we start digging into this, and we wanted to see what else we could do. So when we were looking at a couple other things, we found something real interesting. Do you see the one, it's a CAN bus video? I apologize, I didn't realize it was going to be that far. What did it say? What? So you see that right there?
That's the code to my door panel. You know how I got it? I started the, I simulated a lock sequence, simulated the start-the-truck sequence, rolled an old unlock code, got in the car, plugged into the OBD2 port, and queried it using FORScan for the door access code. So now I have permanent access without having to do another replay attack. Oh, you can change this, but the master will always work. This is the master code. It happens. So let's get into it and just kind of show some of the stuff that we can do, because I think it'll be fun. So I want this talk to get people to realize that you don't need super expensive equipment. You don't need thousands of dollars of equipment to start doing this. RTL-SDRs right here, that's it. This is how you start into these worlds. And then as you move up, you get the PortaPack. I'm running the PortaPack with the Havoc firmware. It is awesome. I love it. I use it all the time. So what we're going to look at is how did I start figuring out what was going on. One of the challenges right now in the capture the flag is actually to recreate what I did and figure out what the coding sequence is. Because then you may not need to capture both key fobs if you know what the key fob identifier is for the other vehicle. And if you know what the lock sequence is, so I wanted to run down that and see how hard it would be. So most people in the software-defined radio world are fairly familiar with a program called osmocom_fft. This is a cool little program. So what does this program do? Well, I'm going to show you. I know that these key fobs, because I looked at the FCC site, work around 902. So now I'm listening to 902. Now one of the things that I want to do is I want to listen to enough information. So when I'm listening now, what's going to happen is I can just start looking around to see if there's any key fob activity around me. Hit here, hit average, not too bad. So whenever somebody hits their key fob, oh, I get a bump.
Now that bump with two spikes lets me know that this is FSK, frequency shift keying. So that means that it sends a zero on one frequency and a one on the other. It's a little harder to demodulate than on-off keying, and it's a little tougher to retransmit. But we're going to show you the tricks to that, and you'll be able to do it in minutes. The other thing when you start looking at this is every time I hit it, I'm able to see this code. That makes life really easy. Now if I listen at 903, oh, I've got two signals. Now I know this because I looked at the FCC site. But if I hadn't, this might surprise me. This might also throw you for a loop, and you might think that it's a very wide FSK and think that you have to work those two signals together. They're the exact same signal being broadcast simultaneously on separate frequencies. So I only need one of them. So that took me a little while to figure out. So I'm going to give you a little hint. If you're trying to recreate this, you only need one side. That's why I make sure that what I listen to, I'm only going to catch one of them. So that's what I did. I just narrow it down. I know that 902 will put me pretty close to where I want to be, and I'll push in there and get it. So that's how I use the first tool. Now I can hit record, and now I have a copy of this file. That means I have a copy that I can use to replay, do whatever I want. And this is a raw catch. This is the exact same signal. So if I replay that same signal, it's just like hitting the key fob. It's great. You just have to make sure that you got it all. The other problem I had is because it was so wide, I was worried I couldn't catch both of them wide enough and play them right. I don't need to. You only need to catch about, if you do a one meg wide sample, you're going to be fine. If you do two megs wide, no problem. But make sure you shift either to the left to get the 902, or you shift to the right to get the 903. Because it's 903.6 and 902.37.
Don't try to catch them both, because it will make it harder for the next step. So then I'm like, OK, what's a cool tool that I could use to start working with this? Those of you that have seen the stuff that I did with Iris and with some infrared stuff in goTenna know that I'm a big fan of Audacity. Well, this is frequency shift keying, and I have a harder time using that with Audacity. For me, it's just it's not as clean. So I was like, you know what? I really like the guys who make inspectrum, right? It's a great little tool. So I'm like, all right, well, that'll work. So now when I'm here, all I have to do is that Control-C. There we are. All right, so now all I have to do is record a signal. If I record a signal and I put it in here, inspectrum is going to show me how to crack this symbol. It works really well. Works really, really nice. So we're going to grab a sample. We'll put it in here just to show you how easy it is to do. This is going to help me break out ones and zeros and give myself a sanity check to be able to figure out what it is. If you're doing FSK stuff, this makes it really, really nice, OK? So the next step after I used inspectrum is I'll say, all right, what else is out there? There's a program out there called Universal Radio Hacker. This is a great tool. So when I'm using this tool, the first thing it says is, well, what do you want to do? Do you want to record a signal, spoof it, or do you just want to see what's going on out there? Well, I just want to see what's going on out there. So first thing I'm going to do is go to the frequency where I think this is going to be, right? Oh, also make sure I say USRTL. Which one? Wasabi? There? All right, now. Come over here, and I'm going to put 902.3. All right, now that I do that, how wide is my sample? One meg? Good enough for me, because I don't want to catch too much. And I start. Now, what we're going to do is like, wow, there's a lot of noise, right? Because we have this up here, right?
So man, well, that's OK. We can still work with this. We're just going to clean some stuff up. There we go, adjust it a little bit. Now, a little bit cleaner, right? So even with all this noise going on out here, I'm still able to clean this up. But am I going to be able to get a catch? Guess we're going to have to see. So the nice thing about it is, oh, yep, I can get a catch. So what do I want to do with this catch? Well, the first thing I do is I want to center my frequency. So I bring this right to the center. I click it. I hit it again. There we go. Now, I've got that pretty well centered. And the nice thing is, this is going to hold it for me. This is going to store that position. So I'm like, OK, well, let's make this happen. So I'm just going to go ahead and close this now. Now, when I close it, I come back over and I say, hey, now I'm ready to record. This one's record, right? OK. So what does all this say up here? It saved all my settings, right? That makes it really nice. It's also going to label my file with these settings. I recommend you leave that in the name. You'd be amazed how easy it is to forget what you actually recorded at or, like, I don't know, your sample rate, which sometimes can be an issue if you're trying to do a replay and you don't remember it. So now I'm like, OK, I'm ready. So I just hit record. Now, once this starts recording, I'm just going to drop a couple samples and see what we can do, OK? So boom, boom. Now, these aren't real huge, but we'll see if it's good enough to do what we need to. So I'm going to save them. OK, now I'm just going to go ahead and leave this right here, save. And it automatically opens them for me when I close this in a place that I can try to work with them. Now, we got a lot of noise, so I might have to do another catch. We'll see if I can clean it up. The first thing I do is I come right here and I hit this little filter button. That's a little better. You can probably work with that. 
Now, I'm going to come down here and tell it, hey, can you guess what protocol you think this is? And it's going to try. Now, with all the noise we had, I may have to clean this up a little more. So we'll see. There we go. No, so it's not going to clean it up much more. So this is the noise button right here, right? OK, so what I'm going to do to the noise button is, what number is in there right now? 110. All right, see if we can clean it up a little bit. Did it change it to 10? All right. So, yeah, it's still got a little bit of noise. So it's just straight 10 right now? No, no, it's 0010. 0010? OK. So that noise is still pretty high, right? Is it? All right. So what's the number? What's that? Yeah. Live brick, you got to love it. Yay, all right, all right. There's a way around that. OK, there we go. We are good. We'll just hit it again. No scared. All right, so now, if you already have a file, the nice thing about it is, you can actually just come down here and open a pre-existing file, right? So I can come through here and I can look. So here's what it looks like if you just open a file that you've been working on trying to save. So I'm going to open it up. All right, so I do the same thing. Let's clean it up a little bit. Says, hey, I can't see the protocol. Well, let's go ahead and do our filter again. The filter is going to try to get rid of all this extra noise. Now, here's the other kicker. I don't need this, right? Well, let's just get rid of it. Delete, correct? Now I don't have to deal with it. So if you've dealt much with radios, man, that's a nice feature. I can just come in here and get rid of it. Now, I still need to adjust this noise. It's way too much. What's the number there? 135. OK, so 080. 080. Oh, now we're getting some stuff we can see, right? Let's go a little bit further. What's it say? 0, 0. OK, here we go. Now I can probably work with this. This is looking a little better. So my data down here doesn't look horrible. 
But if I want to see what's going on a little more, it's going to give me a couple ways of viewing it. So when I click here, I can come to the demodulation view. And now this gives me the ability to actually look at this FSK signal. And that's what we want to do. We want to be able to actually come in here and look at it. So I can start drilling in. And now I can see, hey, you know what? Let's clean this up just a little bit more. Now this is going to let us come in and be able to see more stuff. Now I can actually see those ones and zeros. And now if I say, hey, can you find this protocol? What do you think it is? We've cleaned it up enough. It says, OK, I think we figured this out. And it's able to come in and start looking at this. If I want to change it on my own, I can come in there and adjust it out. Gives you a nice feature over here so that you can make it a little bigger, figure it out, drop it in. There we are. This makes life really, really simple. It's really easy to do this. So that's one of the ones that I like digging into and looking at. Now I'm going to go ahead and close this one. OK, let's go ahead and we're going to open a file now. So let me know when it's down at the one that says Ford. Is that? Lock, lock. So now let's see what this code looks like. So let's say that we've spent about an hour digging into this. Wow. So once I get that cleaned up, this starts spitting this information out for me. So what I've done is, Tim Kuester, for those of you that know him, he's a great guy. Those of you that don't, when it comes to software-defined radios, he's like the guy I go to. He's helped teach me from the very beginning. He's just a really amazing guy. He helped me actually break this protocol out. So now when we get in here, we already have these labeled into what they do. Hey, there's a unique identifier. Hey, here's this. Oh, wait a minute. Right here, this is the key fob identifier. These are actually different for the two key fobs.
So I know if key fob A or key fob B was used. That makes it really nice. Now over here, I'm able to see the lock and unlock sequence. Now how do I know this? I know this because I caught some lock sequences from one key fob. Then I caught some unlock sequences from the same key fob. And I saw which bits changed. Then I did the same thing with the other key fob. But this can get really tough to look at, right? So the nice thing with this program is, it will actually come in and change stuff around for you. So you can say, hey, I want to look at everything in hex. So it'll come in here, and it'll let you look at stuff in hex. Usually. What's that? I'm sorry, I can't hear. Yeah. Now I just, yeah, shit the bed. All right. Pop it up again. We're good. Here we go. Nice and fast. Got it. All right, so now we're in here. Drop it to hex. There we are. Now I've got hex. That's a lot easier to look at than 1s and 0s, isn't it? And now when we come over, do you see how these start changing? So guess what? I know that this is the key fob identifier. This is the unique key identifier. But here's the problem. I can replay stuff I've already caught. But what if I figure out that if a lock sequence is this, and I want to play an unlock sequence from the other key fob, how am I going to figure that out? Because if anything's off, if any of the way that I send the signals is off, encoding or anything else, I'm going to have a problem. Well, I did some work with TPMS, and I figured out that they use Manchester encoding. Manchester II encoding. Yeah, threw me off too. I was like, no. So all I do, if I want to see how this is going to be affected, I just go ahead and I highlight everything I want. I come down here. Now, Manchester II encoding. So let's look at this now. Little easier. So now when we look at this, what it's actually doing is we're able to come in here, see what's going on, and it's just a lot cleaner. And that was one of the issues that we had initially.
And now, what do they have here? We can actually look. Instead of using a bunch of crazy characters that might be hard to read or maybe make it more difficult for somebody to figure out the protocol, one is lock, two is unlock. Basically, it goes right down the key fob, six is panic. So you're able to put this in here. So now I could get the code from, figure out what the sequence is for key fob 2, and I could just flip a bit and have it now say unlock instead of lock. Now where it got really funny was when we started coming over towards the end, because when we start looking at this protocol, anyone see any funky counts? Rick, is there any sequencing that looks like? Now, these are more key fobs. So what I'm going to do is show you what happens when you catch like 25 of them. All the way up to this point, they count by one. Literally, one, two, three, four, five, six, seven, eight, nine, zero, A, B, C, D, one, two, three, four, five, six. And then they flip the bit to the left. So if I want to know what the higher rolling code would be, I just need to flip the bit to the left because I know that it'll be one complete cycle away from it. Yeah. So that's a recent find that we were just able to be able to get into and start figuring out. So when we do this and we started looking at it, it started becoming very evident that there's some flaws with this protocol. But the other thing is there's some amazing tools out there for us to use. inspectrum, you get in there, you break the code out, you can tell FSK very simply. You get into this, you're able to find some really, really cool stuff that you can play with. Now, once you get these codes and you get them working, here we go. I'll show you the kind of thing you can do. So, I don't think we have volume. So, PortaPack. I fired up. Now, you'll see the lights. I unlock it. Now I start it remotely. So anything you want to do that the key fob can do, you now have the ability to do.
Then once you start it and then you unlock it, one of the next steps that you can do. This is just another, I apologize, another one. This is, here we go. This is how after I unlock your car, well, I start it, then I unlock it. This is how I get permanent access. Doing the same thing. I unlock it. I'm walking to the vehicle and I get in. Trucks are supposed to be dirty. So now I get in. The reason I videotaped the entire process was because I wanted to make sure that that engineer who I met wasn't going to say, well, I think it might have skipped a step. So I plug in. I use a program called FORScan. Now it's pretty expensive, $75 for a lifetime license. So again, boundaries set pretty high. Now all I do is, this gives me the ability to do some great stuff. I don't like having the volume control on the right-hand side of my steering wheel because I typically drive with my left hand. So I just switch the controls all through this. I hate the door chime. Got rid of it. Seatbelt alarm. So then I come into this and I don't show the whole thing because I don't want you to have the full code to it, but I showed you a screenshot of part of it. Go ahead. I can. It sounds like a bad word. It's not. So the question was, can I tell you what the software is again? It's FORScan. S-C-A-N. Yeah. Yeah, I know. So it's an ELM327 that you can buy. If you look up anything about FORScan, they'll tell you about it. It's about a $15 to $20 device. And if you have a Ford, a Mazda, there's several other vehicles, you can now go over the OBD2 port and you can actually set a whole bunch of your own features. It's a pretty cool little device. But it also gives me the ability to get permanent access, as you're seeing here, to your door code, which means you can never keep me out at that point. So when we did this, I had no idea it was going to lead all the way to the point to where I could get permanent access to the door code on the side.
I also hadn't thought of the dangers of the denial of service part until later on. And then I realized how easy it would be for somebody to do that. So one of the things we really want to come out of this talk is we want people to know how to get into your car if your key fob doesn't work. If your key fob just quits working, have a high index of suspicion that maybe somebody's trying to replay attack. How can you reset it? You take the key fob that works. You hit any button on it. And then you hit the other one within about half a minute, has to be pretty quick. And once you do that, the other key fob works. Now, one of the kickers with this was, you're like, well, OK, yeah, you make the other key fob work again. But you have to be right there. How are you actually going to be able to use it? So here's what I do. I can catch any code. So what I do is key fob A, I catch a whole bunch of codes. Because I haven't shown you the sniffer yet. We're getting ready to turn that on. Because it's automated, because I'm lazy. So once I have those codes, when you drive your vehicle and then you come back and then I see person B drive the vehicle, the moment that I de-auth your key fob, as long as I play my codes in order and you don't use your key fob, it's indefinite how long I have access. Until you use your key fob again and I play my codes in order, they're valid. There's no time limit to use them. There's only a time limit for that reset factor. That was another thing. He's like, well, yeah, you got to be there within 30 seconds. I said, no, I just have to fire one message. Well, they'd see that something happened. No, not if one of the messages is, oh, I don't know. The double press you use when you start the vehicle and I only send one of them, doesn't matter. If it catches one symbol that it knows, key fob reactivated. So we set that up, tested it. It works great. So how do we automate this and make it a little bit easier? This is where Tim comes in. Why? 
Well, because I can lift heavy things, but I can't always spell them. So I call Tim. So we use another really fun program. This is a program that if you have not used it, you definitely should. It is called GNU Radio Companion. How many people in the room have used GNU Radio Companion? Yeah, this thing's awesome. So we're gonna release this code for everyone this weekend and you're gonna be able to have Raptor Captor, which this is an automated system. It uses a module that Tim wrote that he calls gr-reveng. So it's designed to actually go out there and be able to sniff packets and you set triggers. So, oh, if I have this preamble and then I see this sequence, write it and it just writes it for you. We're gonna turn it on, we're gonna try it because I could be lying. So, let me open. So, Rick, can I, or Rosabi, I'm gonna need some eyes again. So, where does it say open? There we go. Nope. And Raptor Captor, is that Raptor Captor lower? Is it lower? Okay, so we'll pop this one in real quick, see what happens. Whoop. So, yep. Make sure it's assembled. We'll go, there's two of them, so we'll see how this one runs. All right, so it's looking okay. Getting some signals, but we're getting signals, we're not getting anything to write. So it's like, ah, man. Well, if you listen to the, remember I said you have to pick which side you're gonna listen to. If you try to listen to too much, you aren't gonna get anything. So, let's go back here. Open. File. Okay. Now, where's the other Raptor? Okay. What's it say, which one says lower? This one? Yeah. So, let's see what happens if we try to do this and we actually pick like just one side of the spectrum, instead of both, because remember it's kicking out of both, right? What did it say? Takes a minute for it to, okay. Oh, wait a minute. What's that? Yeah, so what happens is we're actually, we're probably getting some interference because all this is that right at 902 as well. 
But now, because I picked one side of the spectrum, oh, now I have a counter. This immediately spits out whatever code they hit. So, if I automate this, it writes to a file, hey, I got unlock for key fob one. I got three locks for key fob one. I got two codes, two locks for key fob B. I got a start for key fob B. I know how to categorize all of them because they follow the same code. It's that simple. As long as you know the number, one, two, six, whatever it is, you know it's either lock, unlock, panic, start, and you can now recreate, use this and build your own captor and auto replay to be able to manually do this without having to sit there and watch somebody. Which is what I was told by the engineer, well, nobody's gonna do that. So he's obviously never been divorced. So, now it's automated. I can put this on anything. What makes this possible and very easy is that block that I told you about. There we go, catch, catch. Now, it makes it easy because there's triggers set in. It's a great module. I recommend if you use GNU Radio, look up gr-reveng. It is amazing how well because you can set these triggers to be able to do it. So, from start to finish, how did we work it? We were able to come in here and get into a vehicle by watching someone else. We denied their access if we wanted to or we just shut their key fob off when it was a key fob that wasn't being used and replayed all the codes that we already had. Once we replay them, we can do anything we want. Then we can get inside the car. Once we're inside the car, we plug into the OBD2 port. Once we plug into the OBD2 port, now there's a lot we can do but I'm just gonna talk about the simple ability to pull the door access code. We tried to take this and not be limited by one set of factors. I didn't wanna say, oh hey, yeah, I can do an RF attack. Well, let's demodulate it. Let's see if maybe we can work on this. 
So, the next step is we're gonna start flipping bits because now that we figured out what the coding was because before when we were trying that, it wasn't working. Well, now I know after doing some TPMS stuff that it actually had to be flipped to Manchester 2 which I never expected. I was using Manchester 1. So when I get home, I'm gonna be out there trying to flip bits and see, can I send a replay or a lock sequence from key fob 2? Can I jump by one increment in that category that we saw and be able to make things happen? I don't know, but it's worth trying. You're all gonna have the tools to be able to try it as well which means you can give feedback and maybe figure out more than I did, hopefully. But all the tools are gonna be available to you. Inspectrum's out there, Universal Radio Hacker makes this so simple to be able to. All you have to do is use the cell filter. Don't push it more than two or three times. Use the cell filter, adjust your noise levels. It makes FSK easy because FSK is not always easy. Inspectrum does the same thing. I was gonna do an Inspectrum demo, but from this far away, it'd be a waste of your time because it would take so long being able to see it, but all you do is you put it in there, you say, hey, I'm doing some frequency sampling and you just drop it right in the center of the code that you can see or the signal that you see and it helps adjust all that for you. That way you have multiple reasons and the reason that I want you to use more than one tool when you do this. If you use one tool and you're wrong, you don't know you're wrong until you just start beating your head against the wall. I always compare, especially if I'm pulling ones and zeros out of a signal with multiple things. I'll use Universal Radio Hacker, I'll use Audacity, I'll use Inspectrum, I'll use Raptor Captor, but what I do is I put it all together and I see, was there a big difference, was there something wrong? 
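The speaker's point about Manchester 1 versus Manchester 2 is that the two Manchester conventions are mirror images: decode a stream with the wrong one and every bit comes out inverted, which looks like a wrong protocol rather than a wrong decoder setting. The following is an added worked example, not code from the talk or from Raptor Captor; it labels the two conventions "ieee" (IEEE 802.3) and "thomas" (G. E. Thomas), and the assumption that the talk's "Manchester 1/2" map onto these two is the editor's, not something the speaker stated. The constructed chip stream also carries one stray leading chip so the alignment step has something to do.

```python
"""Manchester decoding under both conventions (constructed example).

Each data bit is sent as a pair of "chips" with a mid-bit transition.
The two conventions in the field differ only in which transition means 0:
  IEEE 802.3:   0 = high->low (1,0)   1 = low->high (0,1)
  G. E. Thomas: 0 = low->high (0,1)   1 = high->low (1,0)
Decoding with the wrong convention therefore inverts every bit.
"""
from typing import Dict, List, Optional, Tuple

Chips = List[int]
Bits = List[int]

CONVENTIONS: Dict[str, Dict[Tuple[int, int], int]] = {
    "ieee":   {(1, 0): 0, (0, 1): 1},
    "thomas": {(0, 1): 0, (1, 0): 1},
}


def manchester_encode(bits: Bits, convention: str = "ieee") -> Chips:
    """Expand each bit into its two-chip symbol for the chosen convention."""
    table = {bit: pair for pair, bit in CONVENTIONS[convention].items()}
    chips: Chips = []
    for b in bits:
        chips.extend(table[b])
    return chips


def manchester_decode(chips: Chips, convention: str = "ieee") -> Optional[Bits]:
    """Collapse chip pairs back to bits; None if any pair is not a valid symbol.

    A (0,0) or (1,1) pair has no mid-bit transition, so it cannot be a
    Manchester symbol; seeing one usually means the chip stream is
    misaligned by one chip (or is not Manchester at all).
    """
    if len(chips) % 2:
        return None
    table = CONVENTIONS[convention]
    bits: Bits = []
    for i in range(0, len(chips), 2):
        pair = (chips[i], chips[i + 1])
        if pair not in table:
            return None
        bits.append(table[pair])
    return bits


def decode_with_alignment(chips: Chips, convention: str = "ieee") -> Optional[Tuple[int, Bits]]:
    """Try both chip alignments and return (offset, bits) for the first that decodes cleanly."""
    for offset in (0, 1):
        usable = (len(chips) - offset) // 2 * 2
        bits = manchester_decode(chips[offset:offset + usable], convention)
        if bits is not None:
            return offset, bits
    return None


def compare_conventions(chips: Chips) -> Dict[str, Optional[Tuple[int, Bits]]]:
    """Decode the same chips under both conventions so the inversion is visible side by side."""
    return {name: decode_with_alignment(chips, name) for name in CONVENTIONS}


# Constructed input: eight bits encoded with the Thomas convention, plus one
# stray chip in front of them (as left over from an imperfect preamble cut).
SAMPLE_BITS: Bits = [1, 0, 1, 1, 0, 0, 1, 0]
SAMPLE_CHIPS: Chips = [0] + manchester_encode(SAMPLE_BITS, "thomas")

if __name__ == "__main__":
    for name, result in compare_conventions(SAMPLE_CHIPS).items():
        print(f"{name:>7}: {result}")
```

Under "thomas" the decoder finds the one-chip offset and returns the original bits; under "ieee" it returns the same alignment but every bit inverted. That is the symptom to look for when a known-good capture refuses to make sense: before assuming the protocol is exotic, flip the convention (and the alignment) and compare, which is exactly the cross-checking between tools the talk recommends.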
One of the biggest things you're gonna do wrong is you're gonna record it at one meg and then you're gonna use a default two meg for your sample rate and when you try to replay, you might have some issues. Make sure you remember that sample rate because you'd be amazed how many times you're like, wow, this was just working. It was, but you didn't readjust your sample rate. That's probably the easiest, fastest one that I've seen people make mistakes with. And the other thing is just to have fun with it and try it. I didn't dig into the chipset, I didn't start going crazy doing a bunch of funky stuff. I started with the basics. Can I get a one and zero out of this? From there, it just took off and it was great. So the only way that we're gonna get better at this stuff is if everybody tries doing it. And that's what I want everyone here to do is just keep working at this and try and do stuff. And it's not just with RF, light does the same thing. Vehicles use a lot of light. The LiDAR system to tell how far away you are? That's a designated coated laser. Yeah, things can be done there. TPMS, one of the challenges we have them doing over here is I set a TPMS challenge up. We have a TPMS Fox right now that's walking around that's broadcasting an actual Ford tire sequence. It's a Fox this year. They had to break the TPMS protocol and then be able to figure out the full ones and zeros out of that. Jared, thank you for driving that research that got a lot of us involved. Now, that's a capture-the-flag event. So, I mean, that's the thing. If you don't know Jared and the stuff, it's amazing. Thank you very much, please. He's the person who invented the PortaPack that goes on your HackRF. Oh, really? I didn't, ha ha, yeah. Those, oh, yeah, I'm sorry, I didn't see you there. Yeah, stand up, this is Inspectrum right here. That tool, like I said, I wish I had a monitor right in front of me, is amazing. And as a cross-reference piece, that tool is simply incredible. 
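The sample-rate mistake the speaker describes (recording at 1 MS/s, then processing or replaying with a 2 MS/s default) is a timing error: every symbol period is counted against the wrong clock. This added example, written for this edit and not taken from the talk or any of the tools it names, shows the effect on a constructed symbol stream rather than on real IQ data. The bit pattern, the 10 kbaud symbol rate and the two sample rates are constructed values chosen to make the arithmetic obvious.

```python
"""How a mis-declared sample rate breaks symbol timing (constructed example).

A capture is just a list of samples; the sample rate is metadata that lives
outside the file. If that metadata is wrong, the samples-per-symbol figure
is wrong, and both decoding and replay use the wrong clock.
"""
from typing import List

Bits = List[int]
Samples = List[int]


def synthesize(bits: Bits, fs: float, symbol_rate: float) -> Samples:
    """Hold each bit for fs/symbol_rate samples (clean baseband, no noise, constructed)."""
    sps = round(fs / symbol_rate)
    out: Samples = []
    for b in bits:
        out.extend([b] * sps)
    return out


def slice_symbols(samples: Samples, fs: float, symbol_rate: float) -> Bits:
    """Recover bits by sampling the centre of each symbol period implied by fs.

    This is the step every demodulator performs after timing recovery; here
    fs is taken on trust, which is precisely how the mistake propagates.
    """
    sps = fs / symbol_rate
    count = int(len(samples) / sps)
    return [samples[int(i * sps + sps / 2)] for i in range(count)]


def replay_duration(num_samples: int, fs: float) -> float:
    """Seconds the capture occupies on air when transmitted at sample rate fs."""
    return num_samples / fs


def timing_error_factor(recorded_fs: float, assumed_fs: float) -> float:
    """Ratio by which every symbol is stretched (>1) or compressed (<1) under the wrong clock."""
    return recorded_fs / assumed_fs


# Constructed scenario: 10 kbaud symbols captured at 1 MS/s, later handled at 2 MS/s.
SYMBOL_RATE = 10_000.0
RECORDED_FS = 1_000_000.0
ASSUMED_FS = 2_000_000.0
PATTERN: Bits = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]
CAPTURE: Samples = synthesize(PATTERN, RECORDED_FS, SYMBOL_RATE)


def decode_right() -> Bits:
    """Decode with the rate the capture was actually made at."""
    return slice_symbols(CAPTURE, RECORDED_FS, SYMBOL_RATE)


def decode_wrong() -> Bits:
    """Decode with the tool's default rate: every 'symbol' now spans two real ones."""
    return slice_symbols(CAPTURE, ASSUMED_FS, SYMBOL_RATE)


if __name__ == "__main__":
    print("sent      :", PATTERN)
    print("right rate:", decode_right())
    print("wrong rate:", decode_wrong())
    print("on-air time at 1 MS/s: %.1f ms" % (1e3 * replay_duration(len(CAPTURE), RECORDED_FS)))
    print("on-air time at 2 MS/s: %.1f ms" % (1e3 * replay_duration(len(CAPTURE), ASSUMED_FS)))
```

With the correct rate the ten bits come back intact; with the 2 MS/s default the slicer reads only every second symbol and returns five bits that match nothing the transmitter sent, and a replay at that rate would go out in half the time, with symbols the receiver cannot clock. Recording the rate alongside the capture (in the filename or a sidecar note) is the cheap habit that avoids the whole class of "it was working a minute ago" problems.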
And if you're doing FSK, I can't imagine doing it without having that tool as a backup. It's incredible, thank you for making that. The, so, the big thing with this talk is I wanted to make it where people could walk out of here with at least a little extra knowledge of how to either do something or figure it out and I also wanted you to have the safety feature. I'm not saying Ford's bad, trust me. Most manufacturers have errors in what they're doing. It just is, no one's hack-proof. I was just able to document this well enough to do a talk. There's other vehicles that I'm able to lock and unlock and some of them, I destroy the rolling code protocol all together. Test it, try it out, know what you have. But I'm gonna go ahead and open up for questions and anything. So he asked, well hey, you know, you're hitting your key fob a whole bunch. Is that gonna unsync your key fob? That I found because there used to be an event, please correct me, those of you that have done it because I wasn't doing this when they were using the first edition of rolling code, but it was only like 250-some rolls. Now it's around 63,000. So you're good. So yeah, I do these demos and talks and I've never had an issue. But it's a good question, something definitely to think of. But now you know how to reset it if it does get out of sync. So the question was, do these attacks work if the vehicle's moving? Only if that vehicle allows the person with their key fob to do these. It depends on the protocol that that vehicle has. Most vehicles won't let you do most of these things while the vehicle's engaged. So it would depend on what the protocol is. You're following their exact protocol. In fact, you're following it the exact way the guy told me he wrote it. So what? I did not test while driving if the key fob will engage. So, but it's an area to look at. I did not try those. I'm not sure what they would do, but it's definitely something that I think we could start running down and working with. 
There's some great, there's a lot of opportunities here. Flipping bits, I'm excited for people to get this and start practicing flipping bits to see can we make it take a lock instead of an unlock? Can we make the other key fob the master? How does it work? Let's see. You're gonna be able to see the sequencing of counts up to a certain point. Just back off one and move up. I don't know for sure. I just figured that piece out literally in the last 48 hours. Just like I just found out that at least all the way back to 2012, this works. So seven years worth of vehicles, you can do this too, at least. Go ahead. Question was, is there a fix? I don't know if this can be fixed in software or if this would have to be done at the body control module. So he asked if the door access code can be reprogrammed through the CAN bus. I don't know the code to do it. I'm not saying it can't be. You can change it yourself. It's a feature you can do. However, if you change it, the master code will still stay the master code. Yes, sir. Looking to see whether it's encrypted or not. So that's one of the things that I'm looking at to check because when you do the FCC search, it actually tells you which encryption protocol they're using, which I apologize, I've taught my head I can't. Yep, however, if those products are sold in America, they've got to use the FCC. So you can use our FCC. And it's a simple Google search. I just do FCC ID and whatever I'm working on or looking at will have, it'll say FCC ID. I just type it right in, put it in quotes, do an Uncle Google's thing and done. Any other questions? Oh, so he asked how long the packet is and the other question is the sample rate. I'm sorry, symbol rate, but what was the second part of it? Oh, a checksum. So we were looking at that and everything we found makes it look like there isn't. We ran checksum, in fact, Universal Radio Hacker will do a checksum check for you. 
And each time it never matched up, so I can't say it doesn't, but everything we found looks like there's not a checksum. I can't say with 100% certainty, but we've looked and we haven't been able to prove it is a checksum and we tried. We thought for sure it was. Definitely a good stock. Anything else? I appreciate your time. Thank you for coming to the talk. Oh, also, we did this entire talk on a Compute Stick. I did all the processing, all the data rates, all the collection, Compute Stick, that's it. Didn't need any big crazy computers, something I can put in my pocket, take anywhere, and the presentation all off this. So you don't need a bunch of crazy equipment to be able to make fun things happen.