So, today I'd like to share with you some of the research results on one of the digital car key systems. Who am I? My name is Kevin; you can follow me on Twitter, you're welcome. I'm a security researcher from InGeek Security Consulting. We are based in Shanghai, and we're dedicated to automotive security research. My particular area is focused on wireless and embedded systems. Today's agenda is going to be like this. First, I'm going to do a very quick introduction, a key fob 101. Then I will walk through the structure and functionality of our target today, which is called AmiKey, aka digital car keys. Then I will do some analysis and introduce the attack vectors on this AmiKey system. Basically, I will start from the physical layer, then take a little look at the RF layer, then we take a look at the application, and eventually we'll see how we can do some Bluetooth sniffing and decrypt the packets.

Introduction. I think the car key fob is one of the most common items we can find in our pockets. In the very early days, car keys only relied on the mechanical key. Then they implemented some kind of remote keyless entry: it actually started with infrared, then moved on to RF fixed code, and then rolling code. In order to do some authentication, they also implemented something called an RFID chip inside your car keys. And then a new game changer came in: basically, manufacturers started to implement car key systems that only rely on mobile phones. This is going to be a new trend. For example, if you buy a new Tesla Model 3, you won't have any actual physical key anymore. They're going to provide you an RFID tag, and you're going to download the application from them, and you can unlock and start the engine from your mobile phone.
Sorry, that was not my laptop. So now Tesla is not the only manufacturer doing that; actually, everybody is doing this for future cars. Volvo, Benz, they're also doing this kind of thing, right? So that's going to be a new trend. And what has been done so far? For the past few years, there have been many different case studies dedicated to car key fob research. Here are at least some of them as examples. In the early days, in 2008, the rolling code algorithm called KeeLoq was cracked. Also, the transponder algorithm Hitag2 was cracked. And Samy, he's our hero, as always, presented a talk at DEF CON a few years ago; basically, he found a trick called RollJam that you can use to bypass the rolling code mechanism. Then in 2015, some new attack vectors came out. I'm going to introduce these two in a little more detail. Basically, a researcher from Germany found a way to hack your BMW through the cellular network. And in England, there's a company called Pen Test Partners; they did research and found out how they could hack the Wi-Fi access point of your Mitsubishi Outlander. Oh, okay, sorry. All right. So those attack vectors are not only focused on your key fob anymore; it actually involves even more attack vectors. Here are the details regarding the BMW ConnectedDrive. Banksy is a German researcher. He was able to set up a fake base station, so it's like a simulated cellular network. The vulnerable design here is that BMW was really relying on HTTP to communicate back to the backend server, so he was able to reverse engineer and decrypt the traffic and set up the fake base station in order to unlock the BMW ConnectedDrive, right? And then here's another case study.
In 2016, the researchers at Pen Test Partners were able to crack the Wi-Fi access point provided by your Outlander car. Once they connected to your car and reverse engineered the protocol, they were able to do a lot of cool things, like turn off your air conditioning, heating and the alarm, right? That's the scary part. So I would say, with the new trend coming, there are always going to be some new hacks. Now let's take a look at our main target today. It's called AmiKey. AmiKey, aka digital car keys, is invested in by a company called Xiaomi from China. Basically, what this device does is enable some of the old car models to become like smart cars. You can use this device to connect to your car, and you can unlock and start the engine through your mobile phone. Here are some of the highlights of the features. This device relies on Bluetooth Low Energy and, as I said, it can lock and unlock your car. One of the interesting features I found, compared to any other smart lock, is the key sharing feature. This is really an advantage, I think, compared to the old type of car key systems: you can share with different users, your friends, even if you are in different countries. In the picture down below, that's how you connect your AmiKey to your car. You have to always leave your AmiKey inside your car. When you come to the car and want to open it, you just pair with the AmiKey over Bluetooth and then send an unlock command; the AmiKey will send another RF signal in order to unlock the car. The components of the AmiKey are like this. As you can see, it's quite simple; it's only a few items. One is the blank key. The little thing in the middle is the main board of the AmiKey. And then there's another square one, called the AmiKey sensor.
So, very simple components, right? Here's how the AmiKey really works. First, you need to download the application from AmiKey. Then you do a normal process, like when you duplicate your original mechanical key, and you scan the barcode on your AmiKey in order to get an activation code. Once you put the activation code into the application, you bind your application with this AmiKey. Then you can log in to the AmiKey through Bluetooth, and from there you can send lock and unlock commands to the AmiKey. Just like any other key duplicating process, the very last stage is that you need to register your AmiKey with the car. It's just like if you lost your original car key: you go to the car dealer and do the same thing, you need to register your new key with your car, right? As AmiKey claims, they support quite a lot of different car brands and models. Now remember, those car models are not very high-end recent car models. Their target in the market is old models of cars, because those cars usually don't have those fancy features. But if you want some nice features, you can buy an AmiKey. I think that's their marketing strategy. As you can see, the models they support are very common ones, like Volkswagen, Hyundai, Ford. Let's take a look inside. From a hacker's perspective, we don't care how many models they really support; we really care about how they work. I think the very first stage, and this is not just applicable to AmiKey, I think it applies to any other embedded system: the first thing when you get your target, you want to get as much information as possible. Sometimes when you get some black box as your target, you have no idea at all about it.
I think the best practice, if you are able to access some kind of X-ray machine, is to take a picture to look inside. The reason we're doing that is to see if your target has implemented some kind of protection mechanism inside. Sometimes, if they do, when you open the case you will cause damage. So we take a look through the X-ray machine, and we found there are actually only two screws. They don't implement any actual protection mechanism, but still, this is a good practice. It's not strictly necessary, but good to have. So we can go ahead and open it up. The AmiKey system structure is very simple. They only have two boards inside; as you can see, the yellow board and a green one. The picture in the middle is actually the backside of the green board; this one just connects back to the yellow board. When we open up the AmiKey, we want to see the deep details. People who are more familiar with reverse engineering hardware or embedded systems know the first thing we look for is the chip model; from there we can find more details. For the AmiKey, the nicely labelled chip model is CC2640, and when we Google it, we find out this is actually a Bluetooth module. Then we Google the other green board; it's actually called NSP61X0915, and this is an RF module. Basically, it's used just like in your actual RF car keys. One thing different here is that this RF module supports very different car models. Sorry, again, I really apologize. Also, if you have ever done some RF hacking, you will know the first thing we always look for is something called the FCC ID. But since this AmiKey is dedicated to the Chinese market, they have a similar system called the CMIIT ID, which is just equivalent to the FCC ID. So we type it into the database.
We can find more details regarding this device. There's one interesting thing, though. Remember there's a little square device beside the AmiKey main board, called a sensor. When I opened it, we found out the chip type is SYD8801. I don't know why AmiKey does this; the functionality of this sensor is unknown. I went through the manuals, I went through the application, I went through their official website; they don't mention any detail about what we do with this one, and we can get the AmiKey to work even without it. It's really strange that they include this device. Maybe they are just implementing this for future use, so they send it to you in advance and don't need to send it again. So I opened it up; it's really just another Bluetooth module. I connected to it to try to get some more details, and as we can see, this is something called the AmiKey smart key sensor, and there are some interesting UUIDs here. Since we cannot find more details, why not just go deeper? I took a look at the data sheet of this particular chip, and from the data sheet we found out it actually supports UART, SPI, all those common protocols. So I connected to it and tried to find a hint of what it may do, but I could not find much useful information. Since this device is not really useful for hacking the actual AmiKey, I just left it there for the moment. Maybe in the future, if they actually implement it and update some information, we can always go back and take a look at it. So now we actually spend most of the time on the main board of the AmiKey. We take a look first at the RF module. On the back side of the green RF board, they have nicely labelled the values on it, so we can do some simple math to find out what seems like a potential frequency range and bit rate, something like that. But we need to verify it, right?
This is a very simple setup. We're using an SDR device, we connect an antenna, and then we simply press the lock or unlock buttons and try to receive some signals to see if the configuration is correct. I'm using a HackRF SDR here, but it doesn't have to be a HackRF; you can use whatever SDR you want. As you can see, when I press the button, there are the peaks coming up. So definitely it is in the 433.9 MHz range; the configuration is correct. Now we also take a look at the Bluetooth module. The Bluetooth module is actually where we spent the most time in order to hack the AmiKey. The first thing we try when connecting to the Bluetooth module is to do some recon, right? We can use an application like LightBlue or nRF Connect; here we just try to find out as much as possible. First, we can see it actually always broadcasts the Bluetooth MAC address, which means we may potentially be able to track you. Also, the other key information here is those UUIDs, right? If you have ever done Bluetooth hacking, then you will know those UUIDs are really the key thing for you. LightBlue or nRF Connect is not the only application you can use to talk to your Bluetooth devices. If we want to be more interactive, we can always use the application gatttool to interact with your target. So here I list all the UUIDs from the AmiKey. Also, if we want to see more details, from Android 4.4 upwards in developer mode there's a function where you can enable the Bluetooth dump. Basically, you can see all the interactive traffic in the log file. We can load this log file into Wireshark, and then we know all the details of every step between your mobile phone and your target AmiKey.
Here we can see some responses regarding the AmiKey's battery information. This is the actual app. I know it's in Chinese, but I've translated it to English. The layout is quite simple. First, there's a connection: you press the button to connect to your AmiKey. Once you connect, there are only a few functions here; basically, you lock your car and unlock it, or you open your trunk, something like that. It's very simple. Then, as I mentioned, the nice feature is key sharing: you can share it with your friend, your wife, other people. But we want to see more, right? It turns out the AmiKey application, just like everybody else, never bothered to obfuscate the actual code, so we can easily see the Java bytecode. From the Java bytecode, it's almost like we are reading the source code. For example, this class here is just the algorithm for how they generate the UUID. We actually spent some time here just reading through that code to understand how AmiKey works and how it functions. Now, here's something interesting. If you are able to read Chinese, then you'll see the comment is very funny, right? I think maybe the developer was not in a very good mood a lot of the time; they actually put comments like, oh wow. Other than that, there's some interesting information, like this URL here. When I tried to access this URL, it turned out they mention this is a company internal login system: if you are not an employee, please go away. I don't know why, if they don't want people to access it, they don't just leave it out, right? Okay. Here, did you spot something interesting? Yeah.
Usually, when I start to reverse engineer some application, the first thing I expect to see is whether they have enabled SSL pinning or not, but it turns out that's not necessary at all. They completely rely on HTTP, right? From there, since we all know HTTP is not secure, all the information is in plain text, so they are leaking a lot of private information here. For example, this one here, you probably cannot see it, but it's actually the IMEI number of your mobile phone. So if people are able to sniff your traffic, then, yeah. Now, usually when we register a new user, they have some kind of protection called security questions, in order to recover your keys in the future if you lose them. Again, it's in HTTP, so if you sniff it, you are able to find the answers to those security questions. So you may just impersonate this guy, the owner, in the future, because you already know how to recover it. The simple summary here is that the AmiKey application communicating with the backend server just relies on HTTP. So, no privacy here at all. But there's more; I'm going to introduce more on this later on. We'll see how this HTTP can lead us to compromise your systems. But encryption, right? Every manufacturer always claims their product is the most secure one in the world. In the manual there's a Q&A kind of thing where they mention their product relies on Bluetooth 4.0 and they have created their own proprietary encryption. Unique, right? Very secure. They really think they are super secure. In this picture I took from their official website, they put all the fancy crypto awards on there. So you may think, wow, this is really scary, it's super secure. Okay, let's find out. The first thing we can do is try some physical access. Again. Okay, so here's the thing.
We can always do it the old-school way, right? Remember, the AmiKey, as required, has to always be left in the car. So what thieves usually do is break your glass; they get your key, because your key is inside. However, you cannot get in with your AmiKey yet. What they can do, since it's also easy to open up and there's no protection mechanism, is simply grab a blank key, take the AmiKey RF module chip and swap it into the blank key. That way, you are able to unlock it. Or, during the reverse engineering process, we actually built a board to simplify the process. Here I'd like to play a little demo to prove my point. Let me find it. It's not coming up. Okay. This is actually a blank key; we've already done the replacing process. Yeah, it's open, right? So this is a simple process to prove that this RF module swapping will work. Thanks. But, you know, we're gentlemen; we shouldn't do that, but thieves don't care, right? Since this physical access doesn't involve much technical detail, it's just violence, let's check out some RF. When I researched the RF module, I easily found some news all over the internet. Basically, some thieves actually use a device called a car key jammer. They use it to prevent the owner from locking their car, and they actually make a lot of money just by doing it; they even make more by selling those key jammers. Here's the actual simple process of how they do it. The thief just waits in a parking lot, waiting for some user who maybe has something on their mind, or forgot, or is in a rush. They simply press the lock button and don't bother to check whether it actually locked or not. Meanwhile, the thief sends out an RF jamming signal.
So you cannot actually lock your car. When the owner walks away, they can just open your car and take away whatever they want. This is a very simple process. Then my question is, is AmiKey smart enough to avoid this kind of attack? It turns out the AmiKey is actually just one-way communication. Basically, you're sending the signal over Bluetooth to the yellow board, and it will send another simple pulse to your green board to say, okay, let's unlock it. But it never checks; there is no response to say whether the signal has actually arrived at your car. So here I made another simple demo just to prove my point. You see the background noise; the SDR is running. When I press lock and unlock, you'll hear the signal beep and then the little yellow LED turns on, which means the operation works. To prove my point, you press the button and you see the signal peaks, right? Now I'm just using a YARD Stick One and RfCat, a tool you can basically use to send out jamming signals. As you can see, the whole frequency band is already being jammed. Now let's do the operation again. As you can see, the LED still lights up, but there's no signal, no detail regarding the jamming. The owner of the AmiKey cannot tell whether it actually works or not. Basically, even though AmiKey is a smart car key system, it's just like any other original old system. Okay, what's next? Again, Samy is our hero, right? I would recommend you take a look at his presentation from a few years ago at DEF CON and check out the rolling code, RollJam techniques; it's very cool. But since the RF module on the AmiKey is very different from other keys, and my goal here is really to completely compromise the AmiKey,
I decided not to spend much time on it. But here's more we can do: key sharing analysis. Here's the nice feature regarding key sharing. It's very simple. First, you set the name of the key you want to share and how long it is going to last: you can set it permanently, or you can set maybe one day, one month, something like that. Once you create it, you can send it. Also, the AmiKey has a limitation: you can only create shares for 20 keys, basically 20 users. Once the limit is reached, you will not be able to create any more. This is the entire process of how you share with your friends. Basically, you click on the shared key you created; then the AmiKey will generate a barcode here. They also have three other different ways to distribute those shared keys: you can send the text to your friend, you can just copy the key and maybe email it to anyone. There's another feature where you can send it to WeChat; WeChat is one of the most popular IM apps in China. Also, I'm using a 2D barcode reader to check what's inside the 2D barcode, and it turns out to be like this. This is actually the key you share with users. When the user gets this key, they can again put it into the activation process, and once they have activated it, they're good to go. So, what could possibly go wrong? Super secure, right? Again, as I mentioned, the complete communication process relies on HTTP. So if we are doing some kind of man-in-the-middle, we can easily get your actual key. Right?
Now, the first thing the AmiKey app does in the background is send your very long secure key, the AmiKey key, to one of their websites, and the website responds back with a very short URL for you. When I access the URL, again, it just reveals the actual key. So this is from the owner's side: if you are sniffing the car owner's local network, then you will get the key. What about the user side? But because there are a lot of you guys, I'll do this very quickly, sorry. The user side is also very simple: they send you the car key, and it's also plain text, so you can sniff it. I'm running out of time, so I won't do many demos here. The very next thing you can do is: can we cancel it? If you find out you want to cancel a key, right? I have a very quick demo here. See, I actually try to cancel it. Now, the AmiKey shared key is cancelled, but we're still able to lock and unlock the car. Maybe it's already connected, so I disconnect it and try to reconnect. It still works. Why? See, lock on, lock off, no problem. It turns out, if you go back to the owner's phone, there's actually a message here which says that in order to cancel the shared key, you need to connect and sync your AmiKey first. Think about this: if you have already lost your car, where the hell can you connect to the key? You cannot. So you need to be able to cancel it. Very interesting logic here. So if we cannot cancel it, can we wait? Because there's timing, right? If you did not set it up permanently, maybe we can just wait until it expires. Okay, very quickly, almost there.
Here again, I tried to find out if we can bypass the sharing time limit. As you can see here, it's telling me the time has already expired; the shared time is actually 1:30 a.m. in the morning. When you share with a user, they don't have many functions, just lock and unlock. Again, we're still able to lock and unlock, even though the time has expired; disconnect, connect again, still functions: unlock, lock. Just to confirm, the time now is 1:43 already, which is way past the time, right? Again, when the time expires, you have to connect to the original car key in order to update the information that this key has expired. What the hell? You cannot. Which means your key sharing will never expire. Your last key, here you go. Okay. Now, sniffing the traffic and decryption; that's the interesting part. So where's the secure encryption they're talking about? Basically, when we analyze it through Wireshark, they send some interesting information. In the first step, they seem to send some command to your key, and the key responds with some random values here. Then what follows is very long; it's actually 70 bytes in total of some kind of encrypted string, maybe. Then when I tried to lock and unlock, all three times I could always see this fixed value. The reason they send it two times is they probably simulate the press and release movement; that's why they send two values to the UUIDs. Once we have the value, can we actually unlock it? Actually, no. We failed with it. It turns out that in order to lock and unlock with your key, there's actually a kind of login process.
So I took a very quick look at the login process. We have details regarding all the parameters we need to log in to your system. From the picture here, we can really see the secure, super secure algorithm: XOR. We see XOR operations all over the place. It turns out the login protocol really works like this: they fetch a value from the server and get a random value key, then concatenate it and run it through to make an encrypted login packet. If everything works fine, it will respond with a status code, okay? When we looked deeper, we were able to find out that in order to compute the encryption code, it's really just the random numbers we got from the key, and then there's also another secret key, a fixed random DWORD number from device initialization, but it turns out it's only one byte. So we take a look at the login packet parameters again and see some interesting code. The algorithm to compute the one-byte key code is really just this: you get the current calendar year, you subtract 2000, and you get one byte that you convert to the hex code. Once you get that, you're able to get all the information in order to create your login packet. Here's the code we wrote to do that, just to prove it. However, this turned out to have some surprises, but it's not going to bother us too much, because we did not see the status code needed for it to work. We were really looking at the actual firmware, but in order to find out what was missing, we disassembled it, so in order to make it work, we had to put everything in one piece. So now we have code that's working. We can sniff the traffic, and it turns out it's not really scary: a one-byte key, XOR; we can sniff it. So, sorry, I'll do the last step to prove my point.
Here we're just running a simple script, and you can see we are able to trigger the key: we create our own login packet for the key and send out the same notes. We sent it three times just to prove our point. Okay, so let's go back again. Can we report CVEs? As responsible disclosure, I actually contacted them through their phone, mobile, e-mails; they did not reply at all. So really, the conclusion here is that security by obscurity is not really going to work; you have to test your product properly before going to market. I'm running out of time, so there are no questions. Sorry guys. Thank you.
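As an added example, not code from the talk or from AmiKey: the first part reconstructs the login scheme the way the talk describes it (the device's random value XORed with a one-byte key of year minus 2000; the exact packet layout is my assumption), and the second part is the device-side check a defender would want instead, where the share credential carries its own expiry and the device verifies both the expiry and an HMAC over its nonce, so neither expiry nor the "must sync with the owner's phone" problem depends on a sync. All function and field names are my own.

```python
"""Added illustration (not AmiKey's or the speaker's code).

Part 1 reconstructs the login the talk describes: the device hands out a random
value, the phone XORs it with a one-byte key derived from (year - 2000). The
packet layout is assumed; the point is the key space and the reversibility.

Part 2 is a hardened design (my assumption of what the device should check):
the share credential carries its own expiry, and the device verifies both the
expiry (from its own clock) and an HMAC over its nonce, with no server or
owner-phone sync needed.
"""
import hashlib
import hmac
import secrets
import struct
import time


# ---------- Part 1: the one-byte XOR scheme as described in the talk ----------

def weak_key_byte(year: int) -> int:
    """Talk: the 'secret' is the current calendar year minus 2000, as one hex byte."""
    return (year - 2000) & 0xFF


def weak_login_packet(random_from_key: bytes, year: int) -> bytes:
    """XOR each byte of the device's random value with the single key byte."""
    k = weak_key_byte(year)
    return bytes(b ^ k for b in random_from_key)


def weak_recover_key_byte(random_from_key: bytes, packet: bytes) -> int:
    """Defender's check: XOR is its own inverse, so one sniffed (random, packet)
    pair reveals the key byte outright; and there were only 256 candidates anyway."""
    return random_from_key[0] ^ packet[0]


# ---------- Part 2: hardened share credential + challenge-response ----------

TOKEN_BODY = ">16sQ"  # share id (16 bytes) || expiry as unix seconds (8 bytes)
TAG_LEN = 32          # HMAC-SHA256 output length


def _share_key(device_secret: bytes, body: bytes) -> bytes:
    """Per-share key, derived on the owner's phone at issue time and again on the
    device at login time; the shared user's phone never sees device_secret."""
    return hmac.new(device_secret, b"share-key|" + body, hashlib.sha256).digest()


def issue_share(device_secret: bytes, expires_at: int) -> dict:
    """Owner side: mint a share credential the device can validate on its own."""
    body = struct.pack(TOKEN_BODY, secrets.token_bytes(16), expires_at)
    return {"body": body, "share_key": _share_key(device_secret, body)}


def phone_login(share: dict, challenge: bytes) -> bytes:
    """Shared user's phone: prove possession of share_key over the device nonce."""
    msg = b"login|" + share["body"] + challenge
    tag = hmac.new(share["share_key"], msg, hashlib.sha256).digest()
    return share["body"] + tag


def device_verify(device_secret: bytes, challenge: bytes, packet: bytes, now: int) -> bool:
    """Device side: reject expired credentials using its own clock, then check
    the MAC with the key it re-derives from the credential body."""
    body_len = struct.calcsize(TOKEN_BODY)
    if len(packet) != body_len + TAG_LEN:
        return False
    body, tag = packet[:body_len], packet[body_len:]
    _, expires_at = struct.unpack(TOKEN_BODY, body)
    if now >= expires_at:
        return False  # expiry enforced here, not by an owner-phone sync
    msg = b"login|" + body + challenge
    expected = hmac.new(_share_key(device_secret, body), msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo(year: int = 2019) -> dict:
    """Constructed run: a fresh device nonce, one 1-hour share, both schemes."""
    device_secret = secrets.token_bytes(32)   # constructed per-device secret
    challenge = secrets.token_bytes(16)       # constructed device nonce
    now = int(time.time())
    share = issue_share(device_secret, now + 3600)
    pkt = phone_login(share, challenge)
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 1])
    return {
        "weak_key_byte": weak_recover_key_byte(challenge, weak_login_packet(challenge, year)),
        "fresh_share_accepted": device_verify(device_secret, challenge, pkt, now),
        "expired_share_rejected": not device_verify(device_secret, challenge, pkt, now + 7200),
        "other_nonce_rejected": not device_verify(device_secret, secrets.token_bytes(16), pkt, now),
        "tampered_rejected": not device_verify(device_secret, challenge, tampered, now),
    }


if __name__ == "__main__":
    print(demo())
```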