Recently, I’ve seen a number of posts on Facebook groups for South African communities about people having their car remotes jammed and the contents of their cars cleaned out while they are at petrol stations, malls and other public areas. It seems to be on the rise as an easy way for criminals to gain access to vehicles usually to look for high resale items such as laptops, cameras, wallets and purses. This is just a post on building a really simple, not start of the art way to determine if someone is constantly transmitting (jamming) on the frequency cars commonly use for their remotes.
Car jamming works on a very simple process that you simply block the “lock” signal being sent to your vehicle. People often will walk away from their car and press the lock button assuming it will just work without physically confirming this. Essentially when you press the button on your remote your remote sends out a signal that when your car decodes it and verifies it as from your remote will perform an action. Most remotes for cars (and gates/other consumer devices) work at 433mhz. What a criminal will do is simply hold down the button on another remote (such as a gate remote) and this will stop your car from being able to properly receive that signal. An easy way to think of this is that your remote is shouting out a series of numbers that your car can understand. But when another person also presses their remote its like two people shouting at the same time and the car cannot properly hear the series of numbers.
There are a number of ‘detectors’ available but the prices range from about R500 to over a few thousand! Generally these simply determine if there is a signal being transmitted for an extended period of time, and if there is it will sound an audio or visual (usually LEDs) alarm.
Having worked with 433mhz transmitters and receiver pairs for some of the research I did previously on bypassing car remotes as well as building the zacon badges I thought I would give it a go to build a very cheap passive ‘detector’. I put detector in quotes because it still needs a person to visually see the alert!
Essentially you can buy a very cheap 433mhz receiver ( usually they are sold in pairs of receiver and transmitter ) for about $1-2 (~R20). The additionally components you would need are a 5v voltage regulator, a resistor and an LED. You can then wire up an LED to the data channels of the receiver and everytime there is any activity in the 433mhz (and 434) range the LED will come on. Thus if you are trying to determine if there is jamming around you will see the LED staying on.
The circuit is dead simple and shouldn’t take more than a few minutes to build (and should be easy enough to show your kids how to build it too!):
Here are a couple more pics of the device:
First off let me just say a big thank you to the MWR guys who put this CTF together, usually I don’t partake in CTFs because the skillset required is usually out of my grasp (IANAP).
To have developed this CTF in a manner that allows people who do not work with crypto/hackz0r wizardry to still have a chance of solving the problems is awesome! I didn’t solve all of the problems, but I did spend far too much of my free time and apologise to the many bars I had to let down during that time. After this writeup I shall resume my social responsibilities ;)
Each of the various problems took my many hours of frustrating, wallpunching, facepalming and omgnoobing to complete, however I will just go over the solutions to each of them without the hours of frustration — the tl;dr of each one if you will.
Challenge 1 ( GUASS RIFLE ) — A book cipher requiring you to parse various words from lines in books
Challenge 2 ( RADIATION POISONING ) — An LSB Stego QR code that needed to be decoded and then parsed
Challenge 3 — Not completed
Challenge 4 ( FACSIMILE ) — A audio fax that needed to be decoded
Challenge 5 ( GREEN SKIN ) — A literal jigsaw puzzle representing 4 sides of a puzzle piece with 3 characters
Challenge 6 ( WHIRLPOOL ) — A multiple times rotated image that needed to be ‘unrotated’
Challenge 7 ( SCORCHED EARTH ) — An Office document with a weak password
Challenge 8 ( SMOG AND SMOKE ) — A Modified playfair cipher that needed to be recronstructed based on solar systems
Challenge 9 — Not completed
Challenge 10 — Not completed
If you have the writeup to challenges 3/9/10 please let me know so I can link to them!
All the challenges/instruction text and solutions are available on the following github: https://github.com/AndrewMohawk/HackFu2016
This blog post will discuss the implementation of Codegrabbing / RollJam, just one method of attacking AM/OOK systems that implement rolling codes (such as keeloq) — these systems are commonly found on modern vehicles and entry systems such as gates and garages. This technique has been used and spoken about for a number of years (Marko Wolf describes it in “Security Engineering for Vehicular IT Systems” from 2009).
However the advancement in easy to use and cheap hardware has made this a readily available research path for almost anyone. Samy Kamkar showed it at Defcon 2015, you can read about that and his device at http://www.wired.com/2015/08/hackers-tiny-device-unlocks-cars-opens-garages/. This blog entry will be more discussing the integral parts of how it works and how easy it is to do.
I was optimistic that the 2015 talk @elasticninja and myself did at zacon on this topic would be published so that I could lazily just link to the video instead of having to write it up, but alas, here we are! ;)
Naturally its important to have a spoiler before the long boring text. Here is a video carefully crafted by my friend Roelof Temmingh showing us opening a VW car with two YS1 (YardStick One):
Its been absolutely ages since I’ve posted anything on the blog, not that I havent been doing things, just really not many things I felt good enough to write an entry about. I got a lot of feedback regarding my previous entry about Hacking Fixed key remotes and I decided to build on that slightly.
One of the pains of the previous method was that it was a rather tedious to do the following:
* Finding the key for the remote essentially it was broken into:
* Finding the signal with RTLSDR
* Saving demodulated .wav
* Running a script to decode that audio
* Replay remote with RFCat
* Transmitting the remote also meant another piece of hardware (RFcat) and then taking the signal from the decoded script into a format RFCat understands.
So much like the sex pistols album I am also going to be flogging a dead horse, this time the AM/OOK one. In this blog post I will explore discovering signals as well as replaying them with RFCat.
It has been absolutely ages since I have written a blog post – genuinely I really havent simply been slacking off, i’ve just been busy! Anyway, figured it was time to do a writeup on some stuff I have been working on. (Please note this is almost the exact same post from the Paterva blog).
Predominately I want to show you some of the work we had to do for Blackhat 2013 – my first BH talk ever! My section of the work was what we ended up calling ‘KingPhisher’ as well as the multi-threaded Python script to crawl websites for some parts of ‘Teeth’ (Roelof’s offensive Maltego transforms).
A common Paterva office treat is that if you make a mistake or if the other person can catch you out at anything you have to make tea (the amount of times I make tea is inversely proportional to how long I have been at Paterva!). This included phishing. Many years ago we would try trick each other into clicking on links. Most security people will agree with us when we say that if you have enough context on a person you can craft an email and include a link on which they *will* click. Additionally we have used Maltego to gain context on people for a while, specifically using social networks (including transforms provided commercially via the SocialNet package). We also accept that there are certain types of mail we seldomly check (in terms of headers/other), we have been semi-programmed by automatic spam filtering and anti-virus to notify us if something is bad. Bottom line — we don’t inspect every link on every mail and we doubt if you do too.
So with this in mind we decided to integrate the two sides – 1) targeted phishing attacks and 2) information gathering in Maltego.
Not the quickest of cats
on the best of days.