Hello, everyone. My name is Nick Ashworth. I am a graduate student here at the University of Tulsa in Tulsa, Oklahoma. And I am presenting today my research on tracking and identifying people and vehicles via the passive keyless entry system. Yeah, it's going to be a thing. So, before we begin, a couple of quick explanations. The vulnerabilities and the attacks that I've done, I have tested on seven vehicles so far, ranging from a 2013 Ford Explorer all the way up to a 2020 Lexus. Everything that you see in this presentation today, so all of the waterfall graph images, all of the image captures, all of the descriptions of the individual message formats, and even the demo at the end, will involve this wonderful 2014 Toyota Prius, which, as you can tell by the snow on the ground in the current 90 degree weather outside, is a very recent image. And if you also didn't notice, with the Target trash bag over the front door handle, we take great care of this car. Honestly, it's perfectly fine and happy here. I promise me and the other graduate students don't do anything harmful to it at all. But okay, getting into the meat of the stuff. Passive keyless entry. For those of you who aren't familiar, there's two ways that you can use your key fob to get into your vehicle. The first, and most common way that everyone knows, is active keyless entry. This is where I push a button. The key fob generates a message. The car receives that message. If everything is correct, it unlocks. The relatively newer way, and by newer in this case I mean starting from 2003 on, is a technique called passive keyless entry. Like its name implies, in a passive keyless entry system you just have to have your key fob on you. And whenever you either touch the door handle to enter the car or push the start button on the vehicle to turn the engine on, the vehicle will generate a message that forces the key fob to respond.
And it is then able to tell whether or not the key fob is present and whether or not that key fob is the key fob that has been paired to the vehicle, without you, the driver, doing anything. This has gotten very, very popular. Over 90% of the vehicles sold in the US in 2020 had passive keyless entry. It's really useful from a consumer standpoint for a lot of reasons, because the vehicle is able to check to see if the key fob is nearby. The vehicle can automatically alert you if you're about to leave your keys in the car, because it can check to see if the keys are present inside before you go to lock the door, whenever you press the door lock button. It also is easier on the person because it's one less thing to carry for doing groceries, yada, yada, yada, the classic game of convenience versus security. And so it's something that's here to stay. Excuse me. The basics of passive keyless entry break down into three protocols that handle all the heavy lifting of this whole system. The first is the pairing protocol. This is the protocol that is used to match your key fob with your car. This is a very vendor-specific protocol. I'll be honest, I wasn't able to get that much info on it. But the basics of it are, as a part of the PKE system, there is a unique ID for your car and there is a unique ID for your key fob. And during the pairing protocol, those two IDs are exchanged between the two, so that your car now knows this key fob ID is the key fob that it's supposed to listen to. And your key fob now knows that car ID is the car ID it's supposed to listen to. Pretty straightforward. The second one, and one of the more interesting ones, is a thing called the zero battery protocol. I suppose I should also clarify, because all of this documentation is proprietary, I don't know the actual formal names of these protocols. These are just what I call them for convenience. Feel free to use or reject those names at your own discretion.
The zero battery protocol is the emergency protocol used when the battery inside the key fob dies. So if your key fob dies, you can use the backup key that's inside most of these fobs to get into the car. But because the car uses a push-to-start system whenever it's enabled with PKE, there's nowhere to use this to actually turn the ignition on. And so instead, what happens is the car transmits a very, very long, like 150 millisecond long message that powers up and energizes the encryption chip inside the key fob, and allows it to operate and send a quick message that yes, I'm here and yes, I'm your fob, even when the battery is not present and/or dead. We'll get into a little bit more of how it does that and why it does it at the specific frequency later. The other one, and the main thing that we'll be focusing on, and the main thing that you actually use when you're using your car, is a protocol called the four-way handshake protocol. This is the protocol that is used every time you touch a door handle, every time you use the push-to-start system, every time you try to do the trunk. And 99% of the time, this is the protocol you will use whenever interacting with your car. This protocol is interesting because, unlike the zero-battery protocol where the car is powering up the key fob, enabling it to transmit, the four-way handshake protocol uses the battery inside the key fob, the same battery that's used for your active keyless entry system. This means that the messages that it generates are relatively high power, at least compared to pretty much everything else that your car is transmitting, such as TPMS or some of those other systems. And so you have a really long range with this. If you do the free space loss calculations, you're talking up to 90 meters of range. If you're looking at a real world scenario, you're going to cut that in half and get anywhere from 30 to 40 meters of range.
But either way, all of a sudden you can identify this over RF from really far away. The other key thing to know, and it will become very important, is that the passive keyless entry system on your vehicle side transmits at 134 kilohertz. The key fob itself will transmit at anywhere from 315 megahertz to 434 megahertz. Some of them will even go up to 900 megahertz. And those are all relatively high frequencies. 134 kilohertz is an incredibly low frequency, for those of you who aren't familiar with RF. And it causes a problem in this space, which is honestly the biggest challenge in all my research, that I like to refer to as the 134 kilohertz problem. So in RF, and I will just really admit I'm an idiot with an SDR, so take all this with a grain of salt. But the basics of doing radio frequency analysis: when you are designing an antenna to work at a given frequency, you design that antenna to basically be either the half wavelength or the quarter wavelength of the wavelength you're trying to track. So you want it to be an even multiple, either that half wavelength or that quarter wavelength. Now, for 99% of the signals you and I interact with every day, that is not a big deal. Wi-Fi is at 2.4 gigahertz or 5 gigahertz, depending on which channel you're listening on; the new 5G signal that your cell phones are going to use goes all the way up to 60 gigahertz. Very, very high frequency, which means very, very small wavelengths, on the order of, you know, anywhere from meters to centimeters. You know, an antenna, even for a relatively low frequency signal like AIS, which is what ships use for identification and operates at 162 megahertz, your antenna length is still, you know, something you or I could easily carry. 134 kilohertz, though, is a really low frequency. To give you an idea of how low, the wavelength of this signal is over 2000 meters, which means the half wavelength is 1000 meters and the quarter wavelength 500 meters.
Having an antenna that's 500 meters long is a bit of a problem unless you're somebody like the government, or you just have a ton of property. It's absurdly huge for this space. Now, what's cool is, because this frequency is so low, you can do a lot of things with it. This frequency travels forever and has very little free space loss because of how low it is. The picture on the right, the little candy stripe towers, that is a timekeeping system in Colorado where the actual antenna is a thin cable that runs across all those poles, and it radiates a signal down into the earth. That bounces off the earth and then kind of glides along the ground across the entire US. And if you ever had one of those old radio controlled atomic clocks from the 90s or early 2000s, this was the frequency it was listening to, no matter where in the US you were. That is stupidly cool range. The counter to that is you need really, really big antennas. And in addition to that, you have a lot of hoops to jump through if you're trying to talk on this frequency as a civilian. The FCC only recently, and by recently I mean like 2017, allowed amateur radio to begin operating near this frequency. Technically the amateur radio band is 136 kilohertz, but 136 and 134 are close enough to not matter for our conversation. Because of that, a lot of your traditional SDRs, like your HackRF Ones, your RTL-SDRs, even your bladeRFs, don't operate at this low a frequency. Most of them cap out at anywhere from one megahertz to 75 megahertz, for example if you're using an Ettus SDR. The only one that really will go this low natively, without using an up converter, is the LimeSDR made by Lime Microsystems. And again, that's a relatively new SDR that came out in around 2017. At the same time, finding antennas that will operate in this frequency range that you can just commercially buy is also a bit of a nightmare. While there are a lot of ham groups that listen in at this frequency,
and so you can find receive-only antennas fairly easily, finding a transmit-capable antenna is a bit of a nightmare. And that's kind of because the FCC again gets to be everybody's best friend, because as a part of being authorized to transmit in this band, if you are one of the ham radio groups that actually can talk on these frequencies, you don't get a normal license. Your license is geo-locked to a specific antenna that you will be using to transmit. And you must give the FCC the exact GPS coordinates of that antenna. Having some mobile antenna that you can move around completely breaks all those rules. And so most people haven't designed one. I did eventually find one, and I have a little bit of a write-up of it on the GitHub page that explains this, and it's called the YouLoop small loop antenna. This is the antenna that I used to get all of my captures and I'll be using for the attack demo. It's what's known as a small magnetic loop antenna, which basically means it is a loop of wire. In this case, I've looped it around twice. You can kind of see that. And what that does is a bunch of demon magic that lets you bypass not having to be a quarter wavelength or half wavelength of the signal you're trying to receive or transmit. Now, the downside of that demon magic that allows it to happen is the system doesn't work very well as a transmit antenna. While those big giant poles the size of small houses will let you transmit across the continental US, and if you're in a military system, fun fact, this is a similar frequency to what the Navy uses to talk to submarines at the bottom of the ocean. Again, this thing, there is no free space loss, you can talk for miles and miles. It's really crazy. But this will not get you that range.
And even if you go to a larger, like meter-long loop and add on an up converter and everything else, you're still only getting like 20 to 30 meters of transmission range with it. In theory, if you were to design your own antenna for this space, you would probably have better luck. My background is not in antenna design, so I don't really know how to do that. If you do, please feel free to get in contact. I would love to talk and learn more, because I think there's a lot of cool things that you can do even with the limits that we have, which we'll go over soon. So, with that side digression into the wonderful world of RF out of the way, let's get into how the four-way handshake actually works. The four-way handshake, as its name kind of implies, consists of four messages: a wake-up message, an acknowledgement message, a challenge message and a response. Basically how this works is, whenever you go to, we'll say, touch the door handle, so I am trying to enter the car, I touch the door handle. There is a passive sensor in that driver side door handle that alerts the vehicle that someone is trying to enter it. That allows the vehicle to generate a wake-up message. A wake-up message, as its name kind of implies, tells the key fob to wake up. It is a static message. This means that the data inside the message is always the same, in the case of the 2014 Toyota Prius that we'll be using as our demo for today. So that wake-up message is F F E A B A, if I remember correctly, and it will be that way for every 2014 Toyota Prius you run across, or every, I believe it's generation three, is the vehicle model, or is the vehicle family of the 2014 model Toyota Prius. So in theory, every one of that vehicle model will generate this wake-up message. It will become useful to know later on when we get to one of the attacks. The key fob, if it is within range to receive this wake-up message, will respond with an acknowledgement message at whatever frequency it transmits on.
In our case for today, that is 315 megahertz. The acknowledgement message is also a static message that basically just tells the vehicle that yes, there is a key fob in range that matches it, or that is a Toyota Prius key fob. Now you might be wondering why both of these messages are static. After all, it seems kind of useless to have them there. The advantage of having two static messages to start this out is a static message is both very easy to generate and very power efficient. Because you're not dynamically doing any calculations or changing anything on the fly, you can transmit this signal without draining your battery that much. Because the car is sitting there using its car battery, and because your key fob is sitting here using the little tiny coin cell battery that's in here, battery drain is kind of a big deal on the engineering side, and so that's why they decided to make this first half static, to reduce that battery consumption. Now, once your car knows that there's a key fob nearby that could possibly be its key fob, it generates the challenge message. The challenge message is a much longer message. So for comparison, the wake-up message on most of the vehicles I tested was around five milliseconds in total transmission time. The challenge message is about 50 milliseconds. It's a big boy. That challenge message contains your car ID, a challenge seed, which the key fob will use to solve to validate that it is the key fob it claims to be, and a simple little CRC to just kind of do data validation. So what happens then, after that challenge has been transmitted, is your key fob will receive that challenge message. It will look at the car ID first and see if that car ID matches its key fob ID. If it does, great, it further decodes the message. If it does not, it throws it away and it laughs and doesn't care. It will then take that challenge seed from the challenge message and attempt to solve it. And it's a pretty simple cipher.
Like, okay, we're saying it's encrypted, but this isn't an AES kind of game. This is like the challenge word is A, the password is Apple. The challenge is B, the password is Banana. Again, battery is a huge issue; doing a ton of calculations and computations takes a lot of battery power. So this isn't your normal kind of game, but it's also operating in a space where it's not really expected to get that many hits. And so when your key fob generates that response, your car will look at the key fob ID to validate that it is correct. It will look at the actual response message to validate that it is correct. And then it lets you in. And all four of these messages happen in the time span of you touching the door handle and pulling it open, or pushing the start button and waiting for the engine to actually start. So it's relatively quick happenings. It's fairly straightforward. It works the way you think it should, because honestly, it's not that badly engineered of a system. It's actually pretty good and useful. There is one key point that will become very important very, very soon on the four-way handshake. And that is, there's actually a couple of different implementations of the four-way handshake, and not all of them are four-way. Because again, cars, why do we have standards? Who needs that? No one wants to make life easier, nice. In the traditional implementation, this is what we have shown on the screen, and this is what the majority of the cars that I've tested have used. And based on reading the literature of some of the other reports of people doing more traditional exploits on key fobs, on the PKE system, such as doing relay-style attacks, this is the kind of system they run into too. So I'm fairly certain this is kind of the main, more universal of the two. But it is important to know that there is an alternative implementation of this that consists only of the challenge and response messages.
Of the vehicles that I tested, two of them, the 2018 Buick Encore and the 2024 Expedition, both use this alternative implementation of the four-way handshake. Now, there's a lot of reasons why you would use the alternative implementation, especially on newer vehicles where the key fob will respond back, instead of with a very simple AM/OOK or a simple little FSK transmission, maybe using Z-Wave or Bluetooth or ZigBee up at the 900 megahertz band. Well, those data links already have a way built into them to determine how close a transmitter is to a receiver. And so the wake-up and acknowledgement messages can be kind of supplanted by that built-in capability. There's also the general case of maybe you just used a really large, or not really large, but a really high capacity coin cell battery, and so therefore you're not quite as worried about it running out of charge. Both of those are completely viable. Both of these systems work. We do have attacks for both of them, and I'll explain those later on, but it is important to know that you will sometimes see a difference, especially if you're doing this research on your own, and you're sitting there getting your captures and wondering why you're only seeing two instead of four messages. This is why; it just means the vehicle you're testing uses an alternative four-way handshake setup. And so the message from the vehicle is just the challenge message, and the response from the key fob is the response. Now let's get into the fun stuff. How do we actually hack and attack the system, and what can we do with the key fob that we care about? So before we get too deep into it, let's talk about radar.
Most people are familiar with traditional radar, where you have a big giant antenna dish and it transmits this crazy weird frequency thing at really high power, and it hits an airplane, and it reflects off the skin of the airplane, and then based off those reflections the dish receives, it does a bunch of calculations and math and says, oh, there's somebody at that altitude and that angle and they're possibly moving at this speed as I track them. That's traditional radar. That's the radar that the military uses for like everything, because they're the military, yay. But it's not the only form of radar that exists. One of the forms of radar that's especially more common on the civilian side is a type of radar called cooperative radar. Now in cooperative radar, you have the same kind of equipment but everything's just slightly different. So for example, rather than my radar generating a weird signal and watching reflections, it generates what's called an interrogation, which is a simple message that can be recognized as shouting out into the darkness, is anybody out there. And the aircraft that is receiving this interrogation, rather than just letting it reflect off of its skin and using the backscatter and all that other crazy physics to figure out where it is, receives the message, decodes it and sends a message back that says, yes, I am here. If you're familiar with aviation, this is IFF. IFF or ADS-B are both wonderful examples of a cooperative radar system that works. If you're not familiar with aviation, you're actually also probably still familiar with cooperative radar, just in the form of the pool game Marco Polo. So for those of you who never played it, or who haven't had kids who played it, or whatever, or are scared of the water, Marco Polo is a very popular childhood pool game where one player who is "it" covers their eyes and has to shout Marco. And that player shouts out Marco every so often to try to figure out where everyone else in the pool is.
The other players in the pool are able to move around. And every time the player that is "it" shouts Marco, they have to shout Polo. So because the player that is "it" has their eyes covered, they have to use the sound of everyone's response to figure out where they are and try to navigate towards them and tag them. This is cooperative radar. This is the basic stuff. This is also why I decided to name my toolkit Marco, after the pool game. Also because Marco Polo with an SDR looks really, really funny, but it is what it is. So that's what we're going to use the key fob for in these attacks: we're going to basically turn this into a cooperative radar system where I, or you, or really anyone who downloads the toolkit, uses an SDR to generate a series of interrogations that will then force the key fob to respond, like it was a transponder unit on an aircraft, or a kid shouting Polo if you're playing the pool game. We have two attacks that I have that work with this, which we'll go over. The first is what's called a zero knowledge identification attack. So in this attack, we are targeting the wake-up and acknowledgement messages of the four-way handshake. And how this works is the attacker just basically has to generate a bunch of wake-up messages very, very quickly, and the key fob will then respond with its acknowledgement. Now, this sounds simple, and spoiler, it is. But what you can do with this attack is actually really, really cool. So remember how I said earlier that both of these messages are static, and thus they don't change for any of the vehicles of that given make, model, generation. Well, that means that you could attack a vehicle and identify it, or identify the driver if the person is walking around outside their vehicle, without having to know what the key fob is ahead of time. Because if you are here and you have a library of a lot of car samples, we'll say a couple hundred,
you can generate every one of those wake-up messages and just run through that list. And whenever you finally get a response from the key fob, congratulations, you now know that the key fob is a make X, model Y, generation Z, whatever. That's a really cool feature in this, where you don't have to have any specific knowledge of the vehicle you're trying to attack ahead of time, which is why we call this a zero knowledge identification attack. I'm able to identify the vehicle on the fly as it pops up or as I care about it. Now, as cool as this technique is, it has a couple of flaws. First off, the acknowledgement message is also a static message, which means if I have, say, two Toyota Priuses right beside each other, the same make, model, generation, I'll know that there are two, because for every wake-up message I transmit I'll get two acknowledgement responses, but I won't be able to know which one is which. So say, for example, we are driving down the road, and my friend Bob is driving because I'm going to be sitting on the laptop, and we are following, we'll stick with Toyota Priuses just for the example, one of them is red, one of them is blue. I'm sitting here, I'm generating my interrogation, I have my antenna running. I'm seeing the acknowledgement, everything's great. I can validate that yes, these are both generation three Toyota Priuses, because they're responding to that wake-up message. All of a sudden, one of the Toyota Priuses turns left and the other turns right. Now, I have no way of knowing, using this technique, which one went which way, because all I know is that there are two Toyota Priuses based off the acknowledgement message. I can't tell you which one is the red one and which one is the blue one. And thus, even if I, so these loop antennas are slightly directional, so even if I spin it and am like, okay, one is to the left, one is to the right,
I'll still know where they are, but I'm not able to identify them at a granular level of which Prius is which one. It would be a flat guess. So that's kind of the cost of this setup: you can identify everything on the fly, but you're limited on your granularity of how much you can look at. You're also limited to only being able to identify stuff based off how big the library is. And then, as if it wasn't bad enough for our poor little zero knowledge identification attack, there's a third thing he has to deal with. Remember how I said earlier that there were two implementations of the four-way handshake? Well, if you happen to be one of the lucky users that uses an alternative version of the four-way handshake, and thus does not have a wake-up message or an acknowledgement message as a part of your activation process, congratulations, this attack won't affect you at all. So what this ends up meaning is that while it is true 90 plus percent of the vehicles on the road use passive keyless entry, and while it's true this kind of zero information attack will work in a passive keyless entry system, you're not going to be hitting 90 plus percent of the vehicles on the road. My best guess is you're looking at something around 50%. Again, I've only unfortunately been able to test seven vehicles for this, partly because of COVID, and then, like, you know, going over to random people to mess with their car wasn't really kosher with COVID restrictions, and then all the rental car companies sold all their cars, so you couldn't just go to a lot and hop from one to the other, aisle to aisle. So again, if you have a vehicle you want to help out on this, please let me know, I'd love to talk to you. But while the zero knowledge guy is kind of hit or miss, having a lot of really cool functionality and not requiring a setup, he's still not able to hit that many people. The alternative is what I call a targeted tracking attack.
So in this attack, we are targeting the challenge and response messages, which means it does not matter whether you're using the alternative passive keyless entry, or sorry, alternative four-way handshake, or the traditional four-way handshake. This attack will work on you. So this is the attack that will track everyone and everything everywhere, which is great, right, fantastic. Well, again, with great power comes great responsibility, and in this case great responsibility comes with a slight cost. Unlike the previous attack, where we didn't need to know anything about the target ahead of time and we could just basically point an antenna at them and keep trying things until they responded, to be like, yep, that's who they are, this attack requires knowledge of the vehicle before you're able to spoof it. To be specific, recall that the challenge message contains the car's unique ID that is used by the key fob to validate that it's its vehicle. Because we are pretending to be the car, we have to use that ID, but that means we have to solve for it. Now, there are two ways one can get this information, an easy way and a hard way. The hard way is to reverse engineer the algorithm of the specific vehicle that you're trying to spoof. There have been previous papers that have done this in some form or another, mainly looking at the cryptographic chip used by the key fob, which is the digital signature transponder. People figured out that a lot of these IDs are based off of the serial number of the car. But you still have the issue that every different vehicle is going to have a slightly different implementation, and so you're going to have to do a lot of math. The easier option, and the option I used during my research, is you just have to capture a single message. All you need is a single challenge message and you are good.
This is because the challenge message is what we like to call deterministic. A deterministic algorithm means that if I pass you a value or a key, your answer will always be the exact same. It doesn't matter how often I pass you that same key or what I passed you beforehand. Everything is discrete. It means it's deterministic. Recall earlier I said that the challenge response algorithm is fairly simple compared to a lot of the stuff we're used to in the web or an IP based system or something like that. As a part of this, your key fob doesn't have any way to validate that a challenge message actually came from the car that it claims to be from, effectively. The reason for this is, remember, all that challenge message has is the car ID, your seed, and your checksum to validate. I can just as easily steal Bob's name tag, pop it on, I'm Bob now. The challenge is A, and the message validates correctly. Because in the case of this attack in particular, I'm only really interested in the key fob ID. I don't care what the response is. So I don't need to pass it some different challenge every time; I can pass it the exact same challenge. In fact, it's easier for me to pass it the exact same challenge, because then the CRC value will change and it's just going to be the exact same message every time. And all I have to look at then is, do I get a response, and does that response match my key fob ID that I'm interested in. So this is the attack that I think is kind of the most useful from a project standpoint. Because while it's true it does require some previous knowledge, it works on everything, and getting the knowledge needed to attack it is pretty simple. There are plenty of attacks on active keyless entry systems, for example, where the attacker is sitting there and waiting for the victim to press a button on their key fob so that they can capture the rolling code message in it. This is similar, but we're not even...
But actually it's similar, but it's even more simple in that we're not even having to reverse the message; there's no encryption code that we care about on this. We just need to know the formatting. And so by ripping out a message that works and knowing that all that data is good and valid, we can then go in at any point that we want after we have that data, whether it be today, tomorrow, two years from now, 10 years from now, even, assuming the battery somehow is still working. We can track that key fob wherever and whenever we want, as long as it's in transmission range. And that's pretty cool, I think. I suppose I should also be nice and mention that I drive a 2009 Toyota Yaris that doesn't have a key fob at all. Therefore, I'm not affected by this research. For those of you panicking right now, I'm sorry. But with that said, let's take a step back and talk about what the other ways to identify vehicles are. So it's great that we're doing all this stuff with the key fob, and like, yeah, it's cool. And okay, most of us just kind of assume that all you would care about with a key fob is spoofing it and stealing a car, so this is like new and crazy. But we have other ways to track vehicles. We have a lot of ways, actually, to track vehicles. The most common way that you're probably familiar with is a license plate reader camera. These are camera setups that you can get for anywhere from $1,000, give or take, or sometimes a little less. They sit on either your vehicle or on your property. You aim them at a car, and basically they do an OpenCV algorithm to grab the license plate number, look it up in a database and tell you who it is. And because every car legally driven in the US has to have a license plate, this works really well.
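The four-way handshake walked through above, and the later point that the challenge is deterministic and carries nothing that tells the fob who actually sent it, as an added Python model. This is example code written for this page, not the speaker's Marco toolkit and not any vendor's implementation: the byte lengths, the CRC polynomial, the acknowledgement value and the seed-to-answer lookup are constructed stand-ins, and only the message structure (static wake-up, static ack, challenge = car ID + seed + CRC, response = fob ID + answer) follows the talk.

```python
"""Toy model of the PKE four-way handshake as described in the talk.
Constructed example: message sizes, the CRC-8 polynomial, the ACK bytes
and the seed-to-answer 'cipher' are made up for illustration. Only the
message structure follows the talk; nothing here is a real fob protocol."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Static wake-up value the talk quotes for the 2014 Prius ("if I remember correctly").
WAKE_UP = bytes.fromhex("FFEABA")
ACK = bytes.fromhex("A5C3")  # constructed static acknowledgement for this model


def crc8(data: bytes, poly: int = 0x07) -> int:
    """Plain CRC-8 over the challenge body (constructed; real checksums are vendor-specific)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def toy_answer(seed: bytes) -> bytes:
    """The talk's 'challenge A, password Apple' lookup, modelled as a fixed byte map."""
    return bytes(((b * 7) + 0x3B) & 0xFF for b in seed)


@dataclass
class Car:
    car_id: bytes          # 4 bytes, exchanged during pairing
    paired_fob_id: bytes   # 4 bytes, learned during pairing
    counter: int = 0

    def challenge(self) -> bytes:
        """Challenge = car ID + 4-byte seed + CRC-8. The seed changes per handshake."""
        self.counter += 1
        body = self.car_id + self.counter.to_bytes(4, "big")
        return body + bytes([crc8(body)])

    def verify(self, challenge: bytes, response: Optional[bytes]) -> bool:
        """Accept only the paired fob ID followed by the right answer for this seed."""
        if response is None:
            return False
        return response == self.paired_fob_id + toy_answer(challenge[4:8])


@dataclass
class Fob:
    fob_id: bytes
    paired_car_id: bytes

    def on_wake_up(self, msg: bytes) -> Optional[bytes]:
        """Static wake-up -> static ack; no state, no battery-hungry maths."""
        return ACK if msg == WAKE_UP else None

    def on_challenge(self, msg: bytes) -> Optional[bytes]:
        """CRC, then car ID, then answer. Nothing proves origin or freshness."""
        if len(msg) != 9 or crc8(msg[:8]) != msg[8]:
            return None                      # corrupted: throw it away
        if msg[:4] != self.paired_car_id:
            return None                      # not my car: ignore it
        return self.fob_id + toy_answer(msg[4:8])


Exchange = List[Tuple[str, bytes]]


def traditional_handshake(car: Car, fob: Fob) -> Tuple[bool, Exchange]:
    """Wake-up, ack, challenge, response (the four-message implementation)."""
    log: Exchange = [("car", WAKE_UP)]
    ack = fob.on_wake_up(WAKE_UP)
    if ack is None:
        return False, log
    log.append(("fob", ack))
    ch = car.challenge()
    log.append(("car", ch))
    resp = fob.on_challenge(ch)
    if resp is not None:
        log.append(("fob", resp))
    return car.verify(ch, resp), log


def alternative_handshake(car: Car, fob: Fob) -> Tuple[bool, Exchange]:
    """Challenge and response only (the two-message implementation)."""
    ch = car.challenge()
    resp = fob.on_challenge(ch)
    log: Exchange = [("car", ch)] + ([("fob", resp)] if resp else [])
    return car.verify(ch, resp), log


def replayed_challenge_gets_same_response(fob: Fob, captured_challenge: bytes) -> bool:
    """Hand one previously captured challenge to the fob twice. The answer is
    deterministic and the fob keeps no freshness state, so both replies are
    identical and both carry the fob ID: this is why one capture fingerprints it."""
    first = fob.on_challenge(captured_challenge)
    second = fob.on_challenge(captured_challenge)
    return first is not None and first == second
```

A fob paired to a different car ID ignores the challenge entirely, which is the same check the talk describes the fob doing first; the model makes it easy to see that this is the only filter the fob applies.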
These tend to have a range of around 30 meters, give or take. License plate readers can be really delicate and sensitive to light and to angle, because obviously all they care about is the license plate itself; they don't care about everything else. And so they can be a little bit... but, at least for the ones that I saw on Amazon, they were reporting ranges of around 30 meters as their maximum expected range. The other main competition that we're competing against is TPMS, your tire pressure monitoring system. This is a very simple data link. It's in every one of your tires, mandated since 2008, and is completely universal. And basically, as you're driving along, your tires will periodically broadcast to your car what their pressure is. This happens roughly every 30 seconds when you're moving at speed. At speed in this case tends to mean anything above either 30 or 35 miles per hour. And so as you're rolling along the roads, your tires are periodically telling your car what the pressure is. This is useful because it can give you a heads up that a tire is depleting. It will also happen every time you first turn your car on, so that you'll know if your tires are underinflated and you need to reinflate them. And the whole point of it was to stop people from basically ignoring their tire pressure and having blowouts on the side of the road. Because of where a TPMS sensor is located, inside the tire itself, it's actually really hard to get captures of it. Because depending upon what side of the road you're standing on, or if you're above the vehicle or something like that, that signal has to go through the entire car. Well, cars are kind of big, heavy, bulky metal objects. And you know, a lot of signals don't travel through solid metal that well, or even mostly solid metal. Add to that that TPMS is time independent. You're only operating once every 30 seconds. So it's kind of random whenever you get somebody. The signals, because they're being generated by the tire, are very, very low power.
Here you're only looking at a range of about 10 meters. So relatively short. Now, on the testing that I have done here at the university, which has basically consisted of me and the wonderful Toyota Prius that you saw earlier (which is in totally drivable condition and is not completely stuck in the parking spot that it is currently residing in, and will reside in until the end of time), I just basically walked around and used parking space lines as a measurement indicator. So full disclosure, this is not a super scientifically accurate test, because it's me out in the sun carrying this laptop around and trying, and then using Google Earth to measure how far away I am from where I think I'm at. And that got me roughly 30 to 40 meters of range, depending upon the trial run, using the targeted tracking attack. So basically setting the key fob up. I was not using this antenna. I was using a meter... I was using the full-size version of the U loop antenna, which is about a meter in diameter, also with a preamp attached to it to boost the signal. The reason why I'm not using that here for this demo is because I wanted to (a) have the antenna on screen, and doing something that was the size of me was just too bulky, and (b), general rule of RF: whenever you're transmitting something at power, it's a really bad idea to have it that close. So that's why we're using this antenna today. But using that range, I was able to get close to a really good license plate camera range without having to see the license plate. Unlike the license plate reader, this attack works in all directions because it's RF and your key fob radiates omnidirectionally. Omnidirectionally just means in all directions. So, you know, this tech also has a unique feature in that it works whether you're carrying your key fob in your car, or whether you have it on your person, like in your purse or your pocket, which is what we all do with our keys when we're out walking around.
So, with that said, I have a quick demo that I'm going to do that will basically just show you the generation of the challenge message. I have two key fobs here. This is the key fob that is paired to our 2014 Toyota Yaris. This is a 2014 Toyota Yaris key fob that I bought off Amazon that is not paired. And so I'll show you how they behave with the challenge message. And then we'll also talk about what you can do to protect yourself against this attack. So, I'm going to stop sharing here. I am going to start sharing. And so you should now see a waterfall graph. So this is SDR#. This is open source. This is a waterfall generator. For those of you not familiar with RF, a waterfall graph is just a representation of RF power over time. You can see it's normally blue. Whenever I go here and push the button and force the key fob to transmit, you see we have that nice little spike at the frequency it's transmitting at. And you can see how the color changes based off the power level that the key fob is transmitting at. So we'll put those over there. I'm now going to go into... I have a little VM running that has all this set up. Make sure everything is connected. That is on. So, as I should also mention at this point, I have the Marco code all online. It is on GitHub. It is publicly available for you and anyone else who wants to download and use this toolkit. It's at ztulsa/pke; that is the GitHub link. It's written in Python and uses GNU Radio. For those of you who have never used GNU Radio before, congratulations, you sweet summer child. For those of you who have, yeah, it's a little hit or miss to work, but Marco acts as a Python script that runs on top of that. And that allows you to dynamically generate messages, where a GNU Radio module that I wrote converts those into the PKE format. And this allows you to do a bunch of different cars very, very easily. In our case, we are going to do demo configs, and we are going to do a demo message. That all looks good.
This is going to transmit a message once every second. And so if I hold it up here like this, hopefully you should both be able to see the little red light flashing every second, and you'll see the waterfall graph going on. Now, this gets into a weakness that I forgot to mention when discussing the targeted attack. But your key fob contains a really simple cryptographic chipset in it called a digital signature transponder. They're made by Texas Instruments. Texas Instruments is, like, very paranoid about letting data about this chipset out. And that chipset is what is tied to your LED on your key fob, for those of you that have an LED on your key fob. That means that anything that causes that chipset to activate will cause the LED to light up. So in this case, because we're generating a challenge message and forcing a response message to generate, that causes the LED to light up. By comparison, if I were to only generate the wake-up message and not generate the challenge message, the LED would not light up and you would have no way of knowing that the attack was happening if you were the victim. But again, the crux of that is, when I'm only targeting wake-up, I can't identify you uniquely. Now, by comparison, if I go over here and now use... Oh, shoot, hold on. Sorry, I had that still pointed at it. The beam pattern for this guy is... Why is that still going on? There we go. Okay. My apologies for that. The beam pattern on this guy is such that he's not going to be activating, which is why, you see, the LED doesn't light up on him. So he is not generating any signals right now. We have someone else transmitting, don't know who. But yeah, that's the targeted attack. That's the basics of it. This guy will transmit and respond; if I don't have anything nearby him, he doesn't. If I put it nearby him, he's now transmitting and talking and you can see it. And now he's not. Now, if you are wanting to protect yourself against this attack, it's actually super easy.
So fun fact, when you go to turn on your car, your car doesn't actually care. Your car doesn't care, once it's started, if the key fob is present or not. This means that you can just basically turn the car on and put the key fob in, like, a really simple copper bag, like the thing that they ship passports in, and you're fine. Because that's effectively a Faraday bag, the data won't get transmitted out, or get transmitted in to the key fob so it responds, and you're safe. But that requires remembering to put the key fob that you normally just leave in your pocket or purse and never touch into a bag. And so, let's be honest, odds are 99% of people aren't going to do it. But yeah, that is the basics of my research with key fobs and passive keyless entry systems. Again, this is a kind of really cool space because we're using key fobs in a way that, like, most people have kind of ignored. I also have the advantage of being able to go in and turn these things into a radar system, which they were totally never designed to be, which I consider, like, super cool. So if you want to download the source code, it's on my GitHub repo, ztulsa/pke. Please feel free to download it, mess with it, build on it, whatever. I have example scripts for how to do everything that I showed you today. I have a couple of tutorials on how to do captures of your own. Unfortunately, I don't get great radar, or sorry, great Wi-Fi reception in the parking lot, so I apologize for not being able to show that as a part of this tutorial. It's really, really simple, I promise. All you need is just, like, one or two SDRs to set up in there to capture your signals and then to go through the analysis. So yeah, thank you for watching. I hope you enjoy and have fun at DEF CON. Bye.
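The deterministic challenge/response weakness the speaker describes (one captured challenge can be replayed indefinitely, and the fob answers identically each time with its static ID) placed beside the kind of car-authentication-plus-freshness check that would close that particular gap, as a toy simulation added after the talk. It is not the speaker's toolkit, not the real PKE wire format, and not the real DST algorithm; every field, ID, key and function name in it is a made-up assumption.

```python
"""Toy model of the challenge/response weakness discussed in the talk.

Constructed (hypothetical) message layout, IDs and keys: this is not the real
PKE wire format, not the real DST algorithm, and not the speaker's toolkit.
"""
import hashlib
import hmac
import os
import zlib
from dataclasses import dataclass
from typing import Optional, Tuple


def _u32(n: int) -> bytes:
    return n.to_bytes(4, "big")


# ---- 1. The deterministic design the talk describes --------------------

@dataclass(frozen=True)
class Challenge:
    car_id: int      # static paired ID; anyone who captured it once knows it
    seed: bytes      # value the fob computes its answer over
    crc: int         # integrity check only; it authenticates nobody


def make_challenge(car_id: int, seed: bytes) -> Challenge:
    return Challenge(car_id, seed, zlib.crc32(_u32(car_id) + seed) & 0xFFFFFFFF)


class DeterministicFob:
    """Checks only 'is this my car ID?' and 'is the CRC intact?'."""

    def __init__(self, fob_id: int, car_id: int, key: bytes):
        self.fob_id, self.car_id, self.key = fob_id, car_id, key

    def respond(self, ch: Challenge) -> Optional[Tuple[int, bytes]]:
        if ch.car_id != self.car_id:
            return None
        if ch.crc != zlib.crc32(_u32(ch.car_id) + ch.seed) & 0xFFFFFFFF:
            return None
        # Same seed in -> same answer out, and the static fob ID rides along
        # in the clear, so one captured challenge identifies the fob forever.
        tag = hmac.new(self.key, ch.seed, hashlib.sha256).digest()[:8]
        return (self.fob_id, tag)


# ---- 2. A hardened design: car authenticates itself, fob enforces freshness

@dataclass(frozen=True)
class AuthChallenge:
    car_id: int
    nonce: bytes     # fresh random value per challenge
    mac: bytes       # HMAC under the pairing key; only the real car can make it


def make_auth_challenge(car_id: int, key: bytes,
                        nonce: Optional[bytes] = None) -> AuthChallenge:
    nonce = os.urandom(16) if nonce is None else nonce
    mac = hmac.new(key, b"challenge" + _u32(car_id) + nonce, hashlib.sha256).digest()
    return AuthChallenge(car_id, nonce, mac)


class HardenedFob:
    def __init__(self, fob_id: int, car_id: int, key: bytes):
        self.fob_id, self.car_id, self.key = fob_id, car_id, key
        self.seen: set = set()   # nonces already answered (a real device would bound this)

    def respond(self, ch: AuthChallenge) -> Optional[bytes]:
        if ch.car_id != self.car_id:
            return None
        expected = hmac.new(self.key, b"challenge" + _u32(ch.car_id) + ch.nonce,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, ch.mac):
            return None          # forged: right car ID, but no pairing key
        if ch.nonce in self.seen:
            return None          # replayed: already answered this exact challenge
        self.seen.add(ch.nonce)
        # The reply binds the fob's identity to this nonce, so it never repeats
        # and the static fob ID is not broadcast in the clear.
        return hmac.new(self.key, b"response" + ch.nonce + _u32(self.fob_id),
                        hashlib.sha256).digest()[:8]


def replay_demo():
    """Replay one captured challenge against both fob designs."""
    key = b"pairing-key-demo"                              # constructed sample key
    det = DeterministicFob(fob_id=0x1234, car_id=0x42, key=key)
    captured = make_challenge(0x42, b"\x01\x02\x03\x04")  # captured once, replayed
    det_answers = [det.respond(captured) for _ in range(3)]

    hard = HardenedFob(fob_id=0x1234, car_id=0x42, key=key)
    captured_auth = make_auth_challenge(0x42, key)
    first = hard.respond(captured_auth)            # genuine and fresh: answered
    replayed = hard.respond(captured_auth)         # same bytes again: refused
    forged = hard.respond(AuthChallenge(0x42, os.urandom(16), bytes(32)))  # no key
    return det_answers, first, replayed, forged


if __name__ == "__main__":
    answers, first, replayed, forged = replay_demo()
    print("deterministic fob, 3 replays:", answers)
    print("hardened fob: first answered", first is not None,
          "replay", replayed, "forged", forged)
```

The set of seen nonces stands in for whatever bounded replay window a real transponder could afford; the point is only that the hardened fob refuses both a replayed genuine challenge and a forged one, so a single captured message no longer serves as a permanent identifier. It does not touch the wake-up-only case the speaker mentions, where nothing identifying is sent, and the Faraday bag remains the consumer-side mitigation he gives.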