Okay, how's everybody doing? Boy, this conference would be more fun if more people came, right? A couple notes. How many first time attendees do we have here? That's awesome. That's awesome. This is DEF CON. This is not like a conference that you've usually been to. There are shenanigans and shenanigans happen. Shenanigans may be encouraged in some instances. Some of those shenanigans may involve your badge. You never know. I have seen people wandering around with paper badges. That means if you have one of these fancy badges, they're probably going to be in high demand, right? Now, one challenge that we had with the badge, as you've probably already figured out, is how in the world do I wear this thing around my neck? Let me release a zero day vulnerability in the badge. If you are clipping this with the little clip, that is a bad idea. They will fall off or somebody will take them and jerk them and take them. So if you've got the paper around there, that's dumb. Harden your badge while you're sitting here, poke the lanyard through the hole, find some paracord, something like that. The other thing is, yes, it's big. It may not be fun to wear, but you need to be wearing your badge at all times. Otherwise, you're going to be getting some feedback from the SOC goons. And as you might be able to tell based on the situations in the hallway, they might be a little bit grumpy. All right? So wear your badge at all times, secure your badge, and we'll be good. I do want to thank you guys for being so cooperative in moving around and getting plenty of people in. We've got a lot of great, great talks today. And this is the point where we're going to transition from talking about things that are broken, that we already know are broken, like our trust of the government and our regulatory system. And we're going to start moving into where we're going to start breaking stuff. And that's awesome. How do you feel like breaking stuff?
And we're going to start breaking some really expensive stuff too. Not that. That's expensive. We're not going to break that. We're going to break other things. So you probably have read about this talk in the press, just like many talks that are in this track. Samy's been doing some really, really interesting stuff. And I think we're all really excited to see some of this research in person. I want you guys to give a big welcome to Samy. Awesome. Everyone hear me okay? Okay. Oh man, I'm so excited. It's been years since I've been at DEF CON. It was five years ago. So today, you are at Drive It Like You Hacked It. So we're going to talk about cars. And I'm super excited about this. My name is Samy Kamkar. I am a security researcher. That's pretty much what I look like when I wake up. And I pretty much spend my time doing research. I mean, there's so many really cool areas of devices. I mean all sorts of security from network to physical. I've worked on a couple of different projects. These are some of the fun ones. I'll actually be doing a quick talk tomorrow if you have kids. It's kids only. I'll be showing Combo Breaker, which is a 3D printed, Arduino based combo breaker. You can break any combination lock in like 30 seconds. So we're going to talk about car hacking. Specifically, I'm interested in a lot of the radio and some portions of the connected computers that we have within our devices, within our cars. I think we first need to talk about the awesome work from some other people. Who's heard about Charlie Miller and Chris Valasek? If you haven't heard about them, I feel bad for you son. Or daughter. Or daughter. But Charlie Miller and Chris Valasek have actually, their work probably in the last few years has gotten me into this. Just seeing them make Andy Greenberg go scared over and over again. And there's so much other really interesting research in cars.
So obviously they've been attacking all sorts of things over their mobile network, over their car, their CAN bus. There's some cool research in 2010 from UCSD and University of Washington where they're seeing what else they can do to a car from the CD player, from Bluetooth, from any other wireless communication. Recently there's been talk about amplification attacks which is super interesting. It's basically saying a lot of our cars, we have these keys that we can put in our pocket. And we can go up to our car and we can hit a button on the car. And that will unlock the vehicle as long as the key fob is near us. So what's cool about this is that the car sends a radio signal to your key fob. It's a passive keyless entry system. And your key fob will see that signal and respond. Essentially a challenge response. When it sees that, it responds with a proper code and the car will unlock. As you get in the car, a couple of the receivers inside the car then send a signal when you hit the start button. So when you hit start engine, it will actually send a signal to your key fob. And your key fob is actually responding. That's really cool. So what people have devised, and there's a paper on this, where they've actually been able to relay that communication hundreds of meters away. Either wirelessly or wired. And you can basically take a wireless device, go up to the vehicle, have a friend with another wireless device near the car key. So someone in their house, someone in a park. Some of you at DEF CON, sorry. And can actually hit the start button and that will trigger the system to send a signal to your key. The key will see it because it's been amplified by this device, a radio device that's actually transmitting much further. The key responds. And normally the RSSI or the signal within the car is actually, the receivers within the car are looking at the signal, the RSSI, to see how strong that signal is.
And if it's strong enough that it's inside the car, the car turns on. The key is not in the car. The amplifier is. It's near the car. So that amplifies the signal, it re-amplifies it and now the car turns on. So this is existing research. People are getting their cars jacked like this. I'm also excited about the Tesla talk later today. That's pretty cool. There's been cryptographic attacks on KeeLoq. So KeeLoq is a rolling code system. We'll talk about that later. It's been cracked over and over again in some pretty cool ways. Specifically on the crypto side. A lot of cars have RFID immobilizers as well. So some keys will actually have a passive RFID device inside so that when you put your key in the ignition and turn it, it's actually sending a low frequency, 125 or 134 kilohertz, signal to your key. The passive RFID key fob actually responds. So it has to be within a few inches. You might be able to do some amplification attacks. There's some pretty cool attacks using the Proxmark 3 penetration testing toolkit. That's pretty awesome. If you're just interested in RFID, I suggest get a Proxmark 3. You can do so much crazy stuff. There's some cool talks. There's a BLE key that's coming out at DEF CON. That's pretty exciting. Also some cool work from OpenGarages, I Am The Cavalry and some other people. So definitely check all of that out if you're interested in car research. I also wanted to thank the EFF. I've supported them for a long time and a few months ago I reached out and said, hey, like, I don't want to get sued. I mean, 10 years ago I released something called the MySpace worm and I ended up not being able to touch a computer for about three years of my life. So I want to prevent that from happening again. So I'm not releasing worms anymore. Not under my name. And I did use this image without asking. I hope that's okay, EFF. Please don't sue me. So let's start talking about car hacking. We all want to be more like Nicolas Cage.
So the first thing to get to a car, at least from what I learned in Gone in 60 Seconds, is that you obviously need to locate the car, you need to find it and get into it. Now I know there's some pretty sweet cars behind this garage. So how are we going to get behind this garage? So we're going to first take a look at garage doors. Who has a garage door with a clicker? Everyone? Okay, hold on. Got it. So we're going to talk about some basic RF research. So the first thing you want to do, I'm going to walk you through from start to finish. I have a garage door opener right here. If you have a garage door opener, if you have any device, even if you pull your phone out right now, you'll see on the back, it will say FCC ID and an ID number. I want to learn what this garage door is sending. What is this clicker actually sending to my garage that makes it open? And how can we open it? So if you take your clicker or your phone, you'll actually see an FCC ID on the back. We can actually take that FCC ID and the FCC puts up, publishes all the data about that device online. So if you have the device in your hand, you won't always have it in your hand, but you can actually take that FCC ID and we can go to a website called fcc.io which makes it really, the FCC website is awful. But if you use fcc.io from Dominic Spill, you can actually just go to fcc.io slash whatever the FCC ID is and it'll pull up the FCC page so you can actually access everything from the FCC on that. So if we do that, there's a couple cool things we see here. The first thing is we have the frequency. So we can actually see the frequency that this is sending on. If you had a device and you didn't have an FCC ID, you could use a frequency scanner. We'll talk about a frequency scanner a bit. But from here, we see that this is 390 megahertz for example. So FCC also has some other stuff.
It has internal photos, which is always really interesting because they'll actually open it up and a small percentage of the time if you're lucky, you can actually see the chips that they're using. You can actually see the name of the chipset that's being used. At that point, without even having the device in your hand, you can then go find the data sheet of that device, learn all about it. Another thing that happens is there's a test report. So the FCC tests every device that they authorize. And what's awesome about that is that they're actually putting information about the signal, the frequency, the modulation. A lot of it you can even see from the way that their test report looks because they're actually showing a spectrograph of the waveform that the device is creating. So here it looks like some amplitude modulation or amplitude shift keying. We'll get into that in a second. So I want to tell you about the actual hardware that I use to do a lot of this development and research. The HackRF One has been pretty invaluable to me. This is by Michael Ossmann. It's an incredible device for software-defined radio or SDR. It's a little over $300, extremely powerful. I mean some of the comparable stuff out there is $1,000 and up. It can receive and transmit between 1 megahertz and 6 gigahertz. You can get raw IQ samples. You can record, demodulate, use all sorts of really cool software. If you know nothing about SDR, like I didn't know anything about SDR earlier this year, you can just be cool and use hackrf_transfer, a console app, and just record and replay signals. So like half the garages out there, you can just type that. hackrf_transfer, the frequency, which we saw on the FCC, and then save it to a file. And then later when you want to open that garage, you can then replay it. That's it. You don't need to know anything. You don't need to know about the modulation. You don't need to know about any of that. It's like copy and paste. It's amazing.
Another tool I use is RTL-SDR, which is another software-defined radio. Specifically it was meant as a TV tuner card, but the chipset inside, someone discovered a few years ago, can actually be used as a software-defined radio. So you can actually see all sorts of cool stuff on the spectrum. This is a much, you get a much smaller range. You get like 24 to 1.7 gigahertz. You can get up to about 2.2 gigahertz if you have, there's an E4000 version. It only receives, so you won't be able to transmit with this. It also has a much smaller sample rate. Then another piece of software that a lot of people use is GNU Radio, which I haven't used because I don't understand all these boxes. You need to draw a lot of boxes to do stuff, and I just don't understand that. But most people use it. So I'm going to have to learn that soon. Another tool I've been using is Gqrx. This is a free tool. It's for Linux. It's for OS X. It looks pretty. I like pretty applications. It makes it very easy to see signals. Actually, I mean, we can, we'll test that in a second. It's only for Linux and OS X. So if you're on Windows, oh man, I don't know if this happened to anyone trying to install, something happened. Looks like nothing has actually happened. If you're on Windows, you can actually use something called SDR#. SDR# also sort of kind of works on OS X. I tried to compile it with Mono, but it kind of looked awful at that point. I think it was Mono's fault. Another tool I use, rtl_fm. So rtl_fm is a console app that can use RTL-SDR and demodulate a signal. I'll talk about modulation in a second. So these are all the tools I'm using. The cost of the tools, I told you like HackRF, a little over $300, RTL-SDR, about $20. That's it. I'm using one or two other tools that I'll talk about in a bit. But this is very inexpensive. And my research is always focused on making this stuff super inexpensive. I want everyone to be able to access this stuff.
So that's why I believe everything is open source, fully documenting everything. And I hope more of you will get into this research because there's so much to be done. There's so many things that are just pwnable and they need to be pwned. We can demonstrate the crazy security weaknesses everywhere. So let's get back to this. Let's check out the FCC document for a garage door opener, right? So this says ASK for modulation type. ASK is amplitude shift keying. It's a way of actually sending digital data. So what that looks like is here we have a signal. At the top we have our actual binary signal. So 0, 0, 1, 1, 0, 0, 0, 1, 0. An amplitude shift keyed signal would look like the ASK version there in green. So basically when you want to send a signal, you want to send a 1, you go high. When you don't, you send nothing. Frequency shift keying actually changes the frequency. Now amplitude shift keying is just like AM radio. So AM radio is amplitude modulation. So when you listen to AM radio in your car, it's actually doing amplitude modulation where the amplitude of the signal is changing based off the frequency of the sound that it is trying to send. Whereas FM or FM radio is actually doing what FSK is doing. FSK is just for digital data and ASK is for digital data. There's PSK and a couple other modulation schemes. This is what it looks like. If you're taking a device that you have no idea what it looks like and half the time, you know, I'm looking at signals that I don't know where they're coming from. I don't know what they are. You want to be able to figure out what they look like. So here's an example of 2-FSK. Two simply means that the frequency shifting is between two different frequencies. You can have 4-FSK and other variations. So what you'll see in something like Gqrx or a waterfall view is you'll see two separate signals kind of going back and forth.
For amplitude shift keying or OOK, which is on-off keying, you'll just see on, off, on, off, on, off. That's why it's called on-off keying. Actually I'm going to alt-tab. Maybe we can just open Gqrx. Let's see if that works. Can I move over? Sweet. So I have a remote here. Is there a spike? Okay, sweet. That's a remote. So that's amplitude shift keying. We can see exactly what that looks like. And we can actually just record that. But I'll just quit. Okay. Let's go back to this. Cool. So we can do that. Now with rtl_fm or Gqrx, you can actually save that data. You can save it as an audio file and then look at it in Audacity. It's a free audio viewer. So actually, why don't we do that too? Should we? Yeah, okay. We'll do it live. Let's open up something here. All right. So we're going to do, I can't see that. All right. So RTL, I'll put it on your screen in a sec. We know that this is 300 megahertz. And then RTL is just a simple program that actually swaps between rtl_fm and HackRF FM depending on which I have plugged in. And we'll call it defcon.wav. So I'm now recording a signal. I'm going to hit something. I'm going to hit something. I'm going to control-C. We're going to open this directory. I'm going to take that file. I'm going to put it in Audacity. defcon.wav. Cool. So here we actually have the signal. And if we zoom in, zoom, zoom, zoom. Enhance. Enhance. Dehance. Dehance. Okay. Cool. So we see, all right. You see some cool stuff here. What just happened? All right. So what you're seeing is if you look closely, zoom in a little bit more if I can. Man, I can't see that screen. I lost my mouse. Okay. I'll zoom in a little bit more here so you can see it really clearly. All right. It refuses to zoom. So what you can see here is you can see sort of long signals and short signals. Now if I open this key, I will actually see those long signals as ones or ons in your key. Who's seen these remotes which have DIP switches in them?
They're garage remotes, right? So they have a bunch of DIP switches. And that's essentially your code. And that's on a fixed code garage. So what's happening is those long signals are one and the short ones are zero. So it's super easy to understand what's happening here. So we just recorded that live. Let's go back to this presentation. So that's essentially what we see here. We see that those DIP switches within the remote control are exactly correlating to what we have here. Now this is after doing amplitude shift demodulation from rtl_fm. It does it for you. You just say I want to record at 300 megahertz and demodulate as ASK. And that's what we get. So let's think about this for a moment. A lot of us have garages. Most garages will have like 10 or 12 bit DIP switches. So if we think about that, we will see that that means there's two to the 12 possible combinations, which is not a lot. Let's calculate that real quick. Two to the 12, 4,000 possible combinations for garages. So that's on a 12 bit garage. 4,000 combinations. If you have a two letter password for a website with just alphanumeric and a couple of keys on top, that will be more secure than your 12 bit garage code. So let's see how we can crack that. Now we don't even know if you have a 12 bit or an 11 bit or a 10 bit, 9 bit, 8 bit garage code. So let's say we just want to brute force the whole key space. If we do that, each signal or each bit of a signal is two milliseconds plus another two millisecond delay from what I saw in Audacity. And every time I hit the button, it actually transmits five times. So if we do that for every type of garage or every type of DIP switch, then it will take about 30 minutes to open a fixed code garage. This is not applied to rolling code garages. Newer garages like IntelliCode, Genie, a couple others actually use rolling codes. We'll talk about that later. So this will take 30 minutes to brute force.
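The decoding step just described, long pulse means 1 and short pulse means 0 on a demodulated ASK/OOK envelope, is easy to automate. The following is an added example written for this page, not code from the talk or from the speaker's tools: it builds a constructed envelope for a made-up 12-bit DIP-switch code repeated five times (as the remote in the talk does), splits the capture into the repeated frames, and classifies pulses by comparing each pulse length to the midpoint between the shortest and longest pulse seen, so the exact timing of the remote does not have to be known in advance. The sample counts, noise level and code value are all assumptions chosen for the demonstration.

```python
import random

# Constructed OOK envelope: a "1" is a long high pulse, a "0" a short one, each
# followed by a silent gap. The talk's remote uses roughly 2 ms per bit plus a
# 2 ms gap; the sample counts here are arbitrary values for the demonstration.
def ook_envelope(bits, long_samples=30, short_samples=10, gap_samples=10):
    samples = []
    for b in bits:
        samples += [1.0] * (long_samples if b else short_samples)
        samples += [0.0] * gap_samples
    return samples


def pulse_lengths(samples, threshold=0.5):
    """Length in samples of every run above the threshold (each high pulse)."""
    lengths, run = [], 0
    for s in samples:
        if s > threshold:
            run += 1
        elif run:
            lengths.append(run)
            run = 0
    if run:
        lengths.append(run)
    return lengths


def decode_pulse_width(samples, threshold=0.5):
    """Classify each pulse as long (1) or short (0) using the midpoint between the
    shortest and longest pulse, so no prior knowledge of the remote's timing is needed.
    A frame with only one pulse width is ambiguous and is rejected rather than guessed."""
    lengths = pulse_lengths(samples, threshold)
    if not lengths:
        return []
    lo, hi = min(lengths), max(lengths)
    if hi < 1.5 * lo:  # assumption: long and short differ by well over 50 %
        raise ValueError("only one pulse width present; cannot decode")
    mid = (lo + hi) / 2
    return [1 if n > mid else 0 for n in lengths]


def split_frames(samples, threshold=0.5, max_bit_gap=10):
    """Split a capture into repeated transmissions: any silence longer than the
    inter-bit gap is taken as the pause between two copies of the code."""
    frames, current, silence = [], [], 0
    for s in samples:
        if s > threshold:
            if silence > max_bit_gap and current:
                frames.append(current)
                current = []
            silence = 0
        else:
            silence += 1
        current.append(s)
    if pulse_lengths(current, threshold):  # keep a trailing frame, drop pure silence
        frames.append(current)
    return frames


def decode_capture(samples, threshold=0.5, max_bit_gap=10):
    """Decode every repeated frame in a capture; returns one bit list per frame."""
    return [decode_pulse_width(f, threshold)
            for f in split_frames(samples, threshold, max_bit_gap)]


def noisy(samples, amplitude=0.2, seed=1):
    """Add constructed receiver noise so the threshold actually does some work."""
    rng = random.Random(seed)
    return [s + rng.uniform(-amplitude, amplitude) for s in samples]


# Constructed 12-bit DIP-switch code, sent five times like the remote in the talk.
DIP_CODE = [1, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1, 0]
CAPTURE = noisy(sum((ook_envelope(DIP_CODE) + [0.0] * 40 for _ in range(5)), []))

if __name__ == "__main__":
    for i, code in enumerate(decode_capture(CAPTURE)):
        print(f"frame {i}: {''.join(map(str, code))}")
```

Five identical frames decoding to the same code is the check that the split and the threshold are right; if the frames disagree, the gap threshold or the noise threshold is wrong for that capture.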
But I didn't want to stand outside for 30 minutes and my neighbors were looking at me really weird because I live with a bunch of other units and I'm just always outside with my computer. And the garage is just randomly opening and closing and opening and closing. So if we take a look at that signal closer, we see this. We can actually remove, instead of taking the five transmissions that we see on top, we only need to send one transmission. There's no point of sending code over and over and over. The reason that devices do that is because they're cheap transmitters, they're cheap receivers. Sometimes the signal will be hard to hear. There could be some interference. So sending it more times helps ensure that the signal will be heard. But for hacking, we just assume we'll have something good enough that transmits well and that we will get it. So instead of doing five times, we only do it one time per code. So that reduces, we divide by five, we get six minutes. Six minutes to open any fixed code garage. From there, I was chatting in the Ubertooth IRC channel and Mike Ryan suggested that I actually take away the wait times. So what happens is when you send a signal, you'll see at the top there's the signal on the top left and then a wait period before the next signal. So he suggested just removing the wait period and just send them red, green, purple, blue, just in sequence without that wait period. So that removed another 50% of the time that it would take to actually open that. That reduced down to three minutes. Also, he's doing an awesome talk on hacking electric skateboards where he just takes over your skateboard. So I'm pretty excited about that talk with Mike Ryan and Richo. That's, I believe that's a, what is that? That's Saturday at 3 p.m. Track 2. All right, let's hear. Let me check that out. So that's pretty cool. But as I was looking at the signal, there's something interesting about the signal.
There's no preamble or sync word. There's nothing to delineate and tell the garage door that this is the beginning of a garage code. It's just raw data. It's like sending a packet without a TCP/IP header and just sending an HTTP request without any IP header. Like it doesn't know where it's going or anything. So the garage is just blindly listening. And the question is, how does it know where one code starts and the other ends? I thought maybe it's using a bit shift register. And a bit shift register is essentially something that will take in a sequence of bits. And as the buffer fills, once you have more bits available, it only drops one bit and then pulls in the next one and then drops one bit and pulls in the next one. So what if I could do that with a garage? What if I could send, let's say, instead of 12 bits for one garage and 24 bits for two codes, what if I sent 13 bits? If it's a bit shift register, we'll have 12 bits that go in, it checks. Is that the correct code? It will say no. And then it shifts off one bit, pushes everything over one bit and then takes in the next bit, the 13th bit and tests a brand new unique 12-bit code. So there must be an efficient way to do this. And there's a guy named de Bruijn. De Bruijn? How do I pronounce his name? Who knows? De Bruijn? Okay, de Bruijn. De Bruijn was a mathematician who came up with a sequence to efficiently produce every unique combination of a number or a series of numbers so that you produce every possible overlapping code. So here we see, if I want, let's say the garage was only two bits long, then I would need to send 00, 01, 11, 10, 8 bits to cover everything. But with a de Bruijn sequence, we can actually just send 5 bits, 00110, because everyone overlaps, right? The garage will first test 0, 0, then it will test 0, 1 in blue, then 1, 1 in red, then 1, 0. So if we do that with 12 bits, it takes 8 seconds. Theoretically, we know how to do it.
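To make the numbers in this section and the previous one concrete, here is an added example, written for this page and not code from the talk: it generates the binary de Bruijn sequence B(2, n) with the standard FKM construction, models a receiver that has no framing and therefore compares every overlapping n-bit window against its code, and works out the timings the speaker quotes (about 30 minutes for all DIP-switch lengths from 8 to 12 bits at 2 ms per bit plus a 2 ms gap and five repeats, about 6 minutes with one repeat, about 3 minutes with the gap removed, and about 8 seconds for a 12-bit de Bruijn stream). It goes one step beyond the talk in two ways: it checks that a B(2, 12) stream also contains every shorter window (8 to 11 bits), which is why one stream covers every DIP-switch length, and it models the mitigation mentioned later in the talk, a receiver that only reads a code after a sync word, to show that such a receiver gets no benefit from overlap. The sync word and all timings are assumptions taken from or chosen around the talk's figures.

```python
def de_bruijn(k, n):
    """Cyclic de Bruijn sequence B(k, n): every k-ary string of length n occurs
    exactly once as a window (the standard FKM construction)."""
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return seq


def linear_stream(n, k=2):
    """Unwrap the cyclic sequence so a receiver reading it once sees every window."""
    seq = de_bruijn(k, n)
    return seq + seq[:n - 1]


def shift_register_windows(bits, n):
    """Every n-bit window a receiver with no framing would compare against its code."""
    return {tuple(bits[i:i + n]) for i in range(len(bits) - n + 1)}


# Assumed 16-bit sync word for the framed receiver. B(2, 12) never contains more
# than 12 consecutive ones, so this pattern cannot appear by chance in the stream.
SYNC = (1,) * 16


def framed_windows(bits, n, sync=SYNC):
    """A receiver that reads n bits only after a sync word: overlap buys nothing,
    because every candidate needs its own sync word in front of it."""
    m = len(sync)
    return {tuple(bits[i + m:i + m + n])
            for i in range(len(bits) - m - n + 1)
            if tuple(bits[i:i + m]) == sync}


def naive_seconds(bit_lengths=range(8, 13), bit_ms=2, gap_ms=2, repeats=5):
    """Seconds to send every code of every length one at a time, as the remote does."""
    return sum(2 ** n * n * (bit_ms + gap_ms) * repeats for n in bit_lengths) / 1000


def de_bruijn_seconds(n=12, bit_ms=2):
    """Seconds for one unwrapped B(2, n) stream with no gaps."""
    return (2 ** n + n - 1) * bit_ms / 1000


def framed_seconds(n=12, sync_bits=len(SYNC), bit_ms=2):
    """Seconds a framed receiver forces: every code carried in its own frame."""
    return 2 ** n * (n + sync_bits) * bit_ms / 1000


if __name__ == "__main__":
    stream = linear_stream(12)
    print("stream bits:", len(stream))
    print("12-bit windows seen by unframed receiver:", len(shift_register_windows(stream, 12)))
    print("12-bit codes seen by framed receiver:", len(framed_windows(stream, 12)))
    print(f"naive: {naive_seconds() / 60:.1f} min, one repeat: {naive_seconds(repeats=1) / 60:.1f} min, "
          f"no gap: {naive_seconds(repeats=1, gap_ms=0) / 60:.1f} min, "
          f"de Bruijn: {de_bruijn_seconds():.1f} s, framed: {framed_seconds() / 60:.1f} min")
```

The comparison between `shift_register_windows` and `framed_windows` is the design lesson: the same 4107-bit stream exhausts an unframed 12-bit receiver but is never even examined by one that insists on a sync word, which is why the talk's later advice is a preamble, a larger key space, and rolling codes rather than fixed ones.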
So we actually have to implement this. So one of the things that I love using is the YARD Stick One. This is another device from Michael Ossmann. They'll be for sale soon. In the interim, you can also use something called the CC1111EMK. This device has something called the CC1111 chipset from Texas Instruments. It's basically, we'll talk about that in a bit, but it's basically a sub-gigahertz radio. It can receive and transmit. And the software I use a lot for this kind of testing is called RfCat by Atlas. He's also doing a talk later today at 5 p.m. So I'm pretty excited about that. And RfCat is awesome. It's just a console app, no boxes, like in GNU Radio, where you're dragging and dropping with your mouse. Who uses the mouse anyway? With this, you can just talk to this command line, this Python command line, and do, here it says, it'll set the frequency to 433 megahertz. It'll set it as ASK or on-off keying, as we talked about earlier. It'll set the packet length. We don't even need to do that. And then it'll transmit hello. Instead of hello, we can just transmit, you know, some binary. The garage code, for example. We need to set our baud rate to whatever the baud rate of the garage is. And another tool I've been using is from one of the most heinous, devious companies out there. Mattel. So a couple years ago, a hacker found that the Mattel IM-ME actually has something called the Texas Instruments ChipCon CC1101 chipset. It's a sub-gigahertz transceiver. It has a screen. It has a backlight. It has a keyboard. It has a little buzzer. It's battery powered. And conveniently there are pins for reprogramming on the back when you open it up. It's not protected. You can entirely rewrite everything. So this is actually a picture of Michael Ossmann's spectrum analyzer that he built. A couple of people have done some really awesome work on this. Dave, I think, originally found that you could hack it and reflash it.
And the amazing thing is Mattel created this. So they did batch creation of this, essentially $20 toy for kids. That's for communicating. It's for texting your friends with this device. It's now discontinued so it's really cheap. It's like $20, $30, usually. Travis Goodspeed has done a ton of work with GoodFET. Michael Ossmann has done a ton of work. This is a spectrum analyzer. Here's a GoodFET device by Travis Goodspeed. So I used a GoodFET for all sorts of things, for like 2.4 gigahertz hardware hacking. It's an open source JTAG adapter. You can use it for all sorts of stuff. So ultimately, I didn't want to have to use the YARD Stick One in my computer to transmit because it's just like, I already wear a enask all the time. Like I didn't want to have to sit with the laptop as well. So instead I just programmed the IM-ME to do that 8 second attack. And that's what I call OpenSesame. Let's see if this video plays. Here's an example of it in action. By the way, how much time do I have? Because I keep going out of my thing so it keeps resetting the clock. What time am I good till? Well, like 1:45, 1:50. What time am I good for? How much time? 20 minutes. Cool. I just want to know what time I am. Cool. Alright, 1:50. Sweet. So you can actually buy these IM-MEs. Unfortunately I released almost all of the source for OpenSesame. I bricked it just slightly. Something that probably everyone here could fix, but you know, just common thieves and criminals wouldn't be able to. Unless they learn to code, which is great. They'll probably just get a job. Unfortunately, after I released it, the prices went up a little bit. So I do have a brand new one that I programmed with Michael Ossmann's spectrum analyzer. So it's like a live spectrum analyzer on here. Would anyone like this? It's a $900 value. Cool.
I'll just run out and give it to somebody here because who wants it? Oh my God. Dammit. Someone's going to have to come up here. What? No, no, no one who ran. Sorry. Alright. Someone in the second row. Second row. Alright. Yeah. You. Do it. Alright. Here you go. Don't sell it. What's that? So that has a spectrum analyzer on it. I use it all the time. It's more convenient than anything else I use because it's in your pocket. It's portable. It's my favorite color. So, what do we learn from this? You know, if you're implementing a garage door system or similar system that's based off simple radio signals, A, don't use a small key space. Like that's just, no. Don't use fixed codes at all. Use a preamble or sync word so that the de Bruijn attack doesn't work. Or use rolling codes. So, now we're in the garage, right? We've opened it up. We're able to see all these awesome cars. And let's, if I use my special VR headset, I can actually see all these connected cars. Amazing. Connected cars. So I started looking at some of these basic connections. Just the basic stuff that some of these devices have. This is a screen grab of the OnStar RemoteLink app. So RemoteLink is actually a really cool mobile app for Android, iOS and Windows. What it allows you to do is do things like locate your car wherever it is via GPS, lock, unlock, remote start, horn and lights. Definitely the most fun. And also grab all sorts of PII from the user. So the owner. So you can actually see your name, your email address, your phone number, your home address, some billing information. So I was taking a look at this because my friend had a car that had this RemoteLink app. And I thought, okay well, it's obviously going over the network. Let's see if we can see some of that network traffic.
So I got out, I think, my iOS device and I installed a certificate authority. I wanted to do some SSL man-in-the-middle sniffing. And I remember, yeah, I always have sort of an SSL man-in-the-middle certificate authority on there so that I can sniff. So I started sniffing this and this is a login request that we see. It's pretty much an HTTPS POST to api.gm.com and there's some Base64 encoding here. When we unzip, when we, sorry, remove the Base64, we see the username and password. Now it's not a big deal because I had a certificate authority, this is my own phone. And then I remembered I had actually just reflashed my iOS device and I never installed that certificate authority. So I was man-in-the-middling an SSL connection with an invalid certificate that my phone, essentially behaving as a fresh phone, didn't even know about. So there's actually no certificate handling. There was no certificate checking at all. And what that means is if I'm on, let's say if I'm on your network, I can then potentially ARP spoof or DNS spoof and, ah, she's texting me. I can ARP spoof or DNS spoof and take over that api.gm.com connection, do an SSL man-in-the-middle, no certificate warning, no issues, just for that host, and we'll be able to see all the traffic such as username and password. So we can do this pretty easily. What I did was I took a Raspberry Pi, I took a GSM board, a FONA GSM board, I used Mallory, which is an open source SSL man-in-the-middle toolkit, I DNS spoofed api.gm.com. And the reason I only did that was, instead of man-in-the-middling all traffic, is that if you open up any other, let's say you open up Safari or App Store or something like that, I still want it to work. I don't want a man-in-the-middle on that because then it'll either not work or get certificate warnings.
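The root cause described above is a client that never validates the server's certificate, so any certificate presented by whoever controls DNS or ARP on the local network is accepted. The following is an added example written for this page, not GM's or the app's code: it shows the weak client configuration side by side with the hardened one in Python's standard `ssl` module, and adds the fingerprint pin the speaker recommends later (a SHA-256 over the DER certificate, compared in constant time) on top of normal chain and hostname validation. The host, port and pin values in `open_pinned` are placeholders the caller supplies, and the "certificate" bytes used in the test are constructed, not a real certificate.

```python
import hashlib
import hmac
import socket
import ssl


def unchecked_client_context():
    """The weak configuration: accept any certificate for any name. Shown only so
    the pattern is recognisable in a code review; it is what makes MITM trivial."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_client_context():
    """The hardened configuration: chain validated against the system CA store
    and the hostname checked against the certificate."""
    return ssl.create_default_context()


def describe(ctx):
    """One-line verdict on a client context, usable as a review or unit-test check."""
    if ctx.verify_mode == ssl.CERT_NONE:
        return "accepts any certificate (vulnerable to MITM)"
    if not ctx.check_hostname:
        return "validates chain but not hostname (any valid certificate works)"
    return "validates chain and hostname"


def cert_fingerprint(der):
    """SHA-256 over the DER-encoded certificate: the value an app pins at build time."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_matches(der, pinned):
    """True if the presented certificate's fingerprint is in the pinned set.
    compare_digest avoids leaking which bytes matched through timing."""
    fp = cert_fingerprint(der)
    return any(hmac.compare_digest(fp, p) for p in pinned)


def open_pinned(host, port, pinned, timeout=5.0):
    """Connect with full validation, then additionally require a pinned fingerprint,
    so a certificate from any other CA, however trusted, is still refused.
    host, port and pinned are placeholders supplied by the caller."""
    ctx = verifying_client_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)  # raises on chain/hostname failure
    except ssl.SSLError:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if not fingerprint_matches(der, pinned):
        tls.close()
        raise ssl.SSLCertVerificationError("presented certificate is not in the pinned set")
    return tls


if __name__ == "__main__":
    print("weak:    ", describe(unchecked_client_context()))
    print("hardened:", describe(verifying_client_context()))
    # Constructed bytes standing in for a DER certificate, just to show the pin format.
    print("pin:     ", cert_fingerprint(b"constructed-not-a-real-certificate"))
```

Pinning the leaf certificate's fingerprint means the app must ship a new pin before the certificate rotates; pinning a CA or the server's public key instead is the usual trade-off between strictness and operational cost, and either is a large improvement over `CERT_NONE`.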
So now, if I can get you onto my Wi-Fi network, I can do this. I also use iptables and Alfa, you know, those Alfa cards for Wi-Fi monitor mode, an Edimax Wi-Fi dongle and a SIM card that you can put into the GSM board. And the nice thing is you can get prepaid SIM cards. Like T-Mobile has a 2G network that you can get a prepaid SIM card for. So if you're a criminal, you wouldn't have to give up any information. You just get prepaid everything. Now one way I could potentially actually do this attack is by creating this device and then putting it under somebody's car. Then what I could do is create a network. So what's a network that I can probably get them to use? I thought, well, by default, I'll just use AT&T Wi-Fi. That's a Starbucks network. So if you've ever connected your phone to AT&T Wi-Fi, you will connect to my device. As I woke up this morning, I saw AT&T Wi-Fi in the hotel. I also saw NSA Honeypot number 42. Which is funny because the NSA Honeypot was probably somebody's phone and AT&T Wi-Fi was probably the NSA honeypot. Now that's cool, but there's no guarantee that they're going to jump onto AT&T Wi-Fi. Maybe they don't, you know, maybe they've never been to Starbucks. You know, maybe they're more a Coffee Bean person. And instead, what I've done is I now sniff for probe requests. So using the Alfa card, we can actually see probe requests from your phone. Whenever your phone is somewhere new, it will actually send out Wi-Fi probe requests to networks it's connected to in the past, saying hey, I connected here. Are you there? So I can actually see the name of a network that you've connected to in the past and on the fly generate that Wi-Fi network. So as soon as you go up to your car where I left this device underneath, then your phone sends a probe request. My device says, oh okay, I'll make a Wi-Fi network with that name in addition to AT&T Wi-Fi.
Your phone jumps on. I SSL man-in-the-middle. I automatically acquire credentials from RemoteLink if you ever open the app. And indefinitely, I then have access to your car. Here's the hardware I used. And again, you can see the Raspberry Pi, the Edimax, the Alfa Wi-Fi dongle, and a FONA GSM board. And this device I call OwnStar. Tested it on my friend's Volt here. It's actually a really cool car. I was pretty happy with that. Let's see if that works. Oh yeah, it says, only remote start when it is safe and legal. Which is true, you should only do that. Fortunately, I reached out to GM before releasing any details of this. And they were actually... while it was very difficult to get to anyone who knew anything about security or technology. I was going to, like, support, and oh man, they were just trying to tell me, no sir, no sir, your password is safe. Your password is safe. Trying to escalate from support at GM is impossible. However, I finally got to a cybersecurity executive over there. And he was awesome and very easy to work with. They fixed it within days. I was really happy about that. They did a great job. Within a day, just mentioning that this was going to be part of my talk, they had already resolved it on about three million RemoteLink apps. So what did we learn? A, validate your certs. Like, always validate a certificate from a CA. Now, if you don't trust the Hong Kong Post Office, which is a certificate authority, by the way, and is trusted in most browsers, if you don't trust them, use your own certificate, use certificate pinning. That way you will only ever use your certificate. You'll ignore, even if the CA, even if VeriSign or Thawte or Hong Kong Post says, yeah, this certificate's legit,
your device, your mobile app will ignore it and only use yours. Also hash your passwords with random salts. I mean, you always assume that the network you're on is hostile. Because someone here is going to make that network hostile if it wasn't before. It doesn't matter if you're on a mobile network, it doesn't matter if it's cellular, it doesn't matter if it's Wi-Fi. It is a hostile network. Cool. So, sweet. We did that, and that affected Chevy, Cadillac, GMC, Buick. But there's one other thing that I wanted to talk briefly about, and that's key fobs. Which are pretty cool. Most people have a key fob, right? Raise your hand if you have one of these car key fobs that unlocks and does cool stuff with your car. Sweet. Hold on, hold on. Scanning. Scanning. Amplification. So here's one that I took a look at. I took a look at a couple. This is called the NM95HS01 or 02 from National Semiconductor, now part of TI. It's called the High Security Rolling Code Generator. And this is a signal. Now if you remember, there's a lot more bursts of data here. Also it's modulated a little bit differently. So with our previous garage signal, we learned that a long signal was one and a short was zero. We'll talk about that in a sec. But what is a rolling code? Let's understand what a rolling code is. So, let's say you have a car key. Essentially it has a PRNG, or pseudo-random number generator, inside. And the same PRNG is in your car. So when you hit this button, it will send a code to that car. Now the next time you hit that button on your key, it will send the next code in the PRNG based off your initial seed. Now, as long as both the car and the key have the same seed, what will happen is the car will also continue down that logical progression of the seed and you'll always match up.
However, if you accidentally... if you have the key in your pocket and you accidentally press it, you will then be out of sync with the car. So the car also has an allowance. So the car will allow something like 200 to 1000 additional codes. That may seem like a lot, but fortunately most rolling code systems use such a large key space that 1000 is really negligible. I'm seeing typically like 40 to 60-some bits for the rolling codes. So that 1000 doesn't really help us, right? It helps us guess a little bit, but not much. We're not going to guess that code in this lifetime unless we have maybe a cryptographic attack on the rolling code. So it hits a button, sends the code, hit the button again, sends the next code. If you don't know the rolling code, you are not going to figure out what those numbers are unless you find some attack. So this prevents a replay attack. A replay attack is when we can sniff and then replay the same signal. So if you recall with our fixed code garages, if we sniff the signal, we can then replay it later. It's kind of irrelevant because it takes us eight seconds to brute force every garage out there. But this prevents replay attacks. Now, one thing you can do about replaying rolling codes is you can actually capture a signal while the remote is out of range and use that. So if I broke into your home, pressed your remote control and recorded that, I can then go to your car and unlock it, for example. This is super lame because we actually need physical access to the device. And also, as soon as the key is pressed again, let's say the owner of the car goes to the car and locks or unlocks, that will actually invalidate all previous codes. So what if there was another way that we could get that code from the user? And I found that, and this has been basically known and talked about for years and years and years and years.
And I've never actually seen it demonstrated, I've never seen any code or legitimate examples of this. What if we jam the signal? Right? What if I'm at your car and I'm jamming that, let's say it's 350 megahertz, and I'm jamming that signal. So when the user goes to their car and they hit unlock, the signal sends, my jamming device is sending a signal as well, and the car won't hear it because now it's seeing so much data. Simultaneously, what I can do is... I found that most, and when I say most, I mean every vehicle I've tested, I'll just say virtually all vehicles have essentially a receive window around the frequency that they're looking at. So if your key is 315 megahertz and your car is listening on 315 megahertz, technically it's actually listening probably between 314.5 and 315.5. So this is a receive window of about 1 megahertz. 500 kilohertz plus or minus from the primary frequency. Now if I'm jamming somewhere in that frequency range, your car won't be able to listen to the key. So I jam that signal and you hit the key, and then I have a receiver as well. And my receiver has a good chip and has a much tighter receive bandwidth. So my filter bandwidth is so much smaller that I'm avoiding any of the jamming signal and I see your key code, your rolling code, very clearly. So I now have a rolling code that your car didn't hear and I can use that at my leisure because they're non-expiring. Now let's say I stop jamming and now I have this code and I'm happy. Well, what will happen is the user will be like, okay, well that didn't work. So they hit unlock again and it works and they drive away. My code is now invalidated. So again, it will invalidate as soon as another code, a future code, has been set. All previous codes are invalidated. So instead, what if I jam twice? What do you do when your button doesn't work on your car key?
You hit it again. Now I have two codes. And then I stop jamming and I replay the first one. Because we automate this, this happens in under a second. So you go to your car, you hit unlock, that didn't work. You hit unlock, the device within a second stops jamming, plays the first one, and leaves me with a future code that the car has not heard. This applies to garages as well. Any garage with rolling codes. So we've now covered all of garages. So we can just jam, listen, jam, listen, replay the first code, abuse the next code later on. This is pretty incredible because it means I can go to your car later and do whatever I want to. Depending on what I say... do whatever I want based off the key. Another thing I found is that this works on remote start vehicles. So keys with remote start and remote start kits. This works. One thing I found is that, so people have described this attack. Another issue I found is, let's say you want to steal stuff from their car, right? You want to go to their car and break in. Well, if the last thing they hit was lock, the last signal you'll have is a lock signal. So if you replay that, all you're going to do is lock the car. Well, I found most signals actually have the data field separate from the rolling code. So as long as you know the rolling code, you can change that lock signal and weaponize it into an unlock signal and open their car. This is RollJam. This is a device I'm releasing the full source for, and I probably won't be putting any specific cars in it, implementing any cars, but this is a device that uses two CC1101 chips and a Teensy 3.1. One will actually do the jamming and do the replaying whenever you hit the button, or you can use an actual remote to trigger it. So if you put this under a vehicle, for example, it will perform this full attack. I think that's about it. I'm out of time.
It's worked on every car I tested. It felt really good. So the basic lessons: encrypt or hash your button. Use an HMAC to prevent bit flipping if encrypted. Use a time-based algorithm. We've had these RSA SecurID key fobs that have had a rolling code for at least 20 years. I couldn't find how old they were. I was trying to look. I could not find it. Now we have Dual KeeLoq, which came out this year, or I'm sorry, last year, which also solves this. This has been an issue that we've known about for over 20 years. It was solved 20 years ago. Yet virtually every manufacturer is still implementing this poor implementation. Another way is to use a challenge-response. So via a transceiver rather than just transmitting, you'll say, I want to unlock. The car will say, okay, here's my challenge. And then your key can receive that and respond appropriately. That's the best way to handle this stuff. I'll be releasing this stuff shortly. Thank you so much.
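As an added illustration of the receiver behaviour described in the key fob section of the talk (this is not code from the talk, from RollJam, or from any vendor), the following Python model simulates a rolling-code receiver with a forward-acceptance window and shows two properties from a defender's point of view: a code the car never received stays valid until a later code is accepted, and when the command byte travels separately from the rolling code it can be rewritten without the receiver noticing. Binding counter and command with an HMAC, as the closing lessons recommend, closes the second flaw but not the first, which is why the talk also calls for time-based codes or challenge-response. The `rolling_code` function, the window size and the seed and key values are constructed stand-ins, not the NM95HS01 algorithm or any real fob's parameters.

```python
import hashlib
import hmac
import struct

LOCK = 0x01
UNLOCK = 0x02
WINDOW = 1000  # constructed: how many missed presses the receiver tolerates


def rolling_code(seed: bytes, counter: int) -> bytes:
    """Stand-in PRNG for the simulation (constructed, not HiSeC or any vendor
    algorithm): code `counter` depends only on the shared seed, so a stale code
    stays valid until the receiver has moved past its counter."""
    return hashlib.sha256(seed + struct.pack(">Q", counter)).digest()[:6]


class NaiveFob:
    """Transmits (rolling_code, command); nothing ties the command to the code."""

    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def press(self, command: int):
        frame = (rolling_code(self.seed, self.counter), command)
        self.counter += 1
        return frame


class NaiveReceiver:
    """Accepts the first matching code in the window ahead of the expected
    counter, then invalidates every code before it."""

    def __init__(self, seed: bytes):
        self.seed, self.next_counter = seed, 0

    def receive(self, frame):
        code, command = frame
        for c in range(self.next_counter, self.next_counter + WINDOW):
            if rolling_code(self.seed, c) == code:
                self.next_counter = c + 1  # codes 0..c are now dead
                return command
        return None  # stale, out of window, or never matched


def tag(key: bytes, counter: int, command: int) -> bytes:
    """HMAC over counter and command: altering the command breaks the tag."""
    return hmac.new(key, struct.pack(">QB", counter, command), hashlib.sha256).digest()[:8]


class HmacFob:
    """Transmits (counter, command, tag) so the command is bound to the counter."""

    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self, command: int):
        frame = (self.counter, command, tag(self.key, self.counter, command))
        self.counter += 1
        return frame


class HmacReceiver:
    def __init__(self, key: bytes):
        self.key, self.next_counter = key, 0

    def receive(self, frame):
        counter, command, t = frame
        if not (self.next_counter <= counter < self.next_counter + WINDOW):
            return None  # stale or too far ahead
        if not hmac.compare_digest(t, tag(self.key, counter, command)):
            return None  # counter or command was altered
        self.next_counter = counter + 1
        return command


def simulate(fob, car, rewrite):
    """Two LOCK presses the car did not receive, then delivery in order.
    `rewrite` swaps the command field of a captured frame for UNLOCK."""
    first = fob.press(LOCK)
    second = fob.press(LOCK)
    return {
        "first_delivered": car.receive(first),             # brings the car in sync
        "first_replayed": car.receive(first),              # same code again: dead
        "second_rewritten": car.receive(rewrite(second)),  # command field swapped
        "second_as_sent": car.receive(second),             # untouched second code
    }


def run_naive():
    seed = b"constructed-shared-seed"  # constructed value
    return simulate(NaiveFob(seed), NaiveReceiver(seed), lambda f: (f[0], UNLOCK))


def run_hmac():
    key = b"constructed-shared-key"  # constructed value
    return simulate(HmacFob(key), HmacReceiver(key), lambda f: (f[0], UNLOCK, f[2]))


if __name__ == "__main__":
    print("naive:", run_naive())
    print("hmac: ", run_hmac())
```

In the naive model the rewritten second frame is accepted as UNLOCK, and the genuine second frame is then rejected because the receiver has moved past its counter. In the HMAC model the rewritten frame is rejected, but the genuine second frame, which the car never saw, is still accepted, so the HMAC alone does not expire a captured code; that is the gap the time-based and challenge-response designs in the closing lessons are meant to close.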