DEF CON 23 Last month, pro hacker Samy Kamkar caused a kerfuffle at General Motors when he successfully hacked the car giant's RemoteLink mobile app to unlock and start vehicles, and now he's explained how it's done – and how to get into the garage that houses a target car.
Speaking at a packed DEF CON talk on Friday, Kamkar explained that the key to these hacks is poor radio security and a lack of basic defenses. The hack was accomplished using parts worth a couple of hundred dollars, and a reprogrammed Mattel GirlTech IM-ME, a text-messaging box in a fetching shade of pink.
The IM-ME has a couple of things that hackers like Kamkar love, specifically a useful Texas Instruments chipset and a gigahertz transceiver, along with circuit-board pins that allow the device to be reprogrammed into a very effective theft tool.
The first stage was to get the garage door open. Using a radio analyzer, Kamkar discovered that wireless garage doors typically require a 12-bit access code to open, meaning he'd only need to check a maximum of 4,096 combinations to find the right one, which would take about 30 minutes to transmit.
That's not so useful – people would get suspicious. After examining the signals sent, he discovered that the fob that transmits the code to the garage door sends its code five times, with a two millisecond pause in transmissions to be sure the receiver picks it up. Eliminating that repetition cut the opening time to just six minutes, and eliminating the pause cut that time in half.
Three minutes was still too long, so Kamkar utilized a an algorithm developed by Dutch mathematician Nicolaas de Bruijn. The sequence is the optimal bit stream to fire into receiving electronics to run through all the possible combinations in as few bits as possible. This cut the cracking time to just eight seconds, which is fine for crime.
Kamkar will be releasing the code that enabled him to do this, but with a couple of deliberate bugs in the software. DEF CON attendees could almost certainly fix the errors, but petty criminals would have a much tougher time of it, he said.
As for hacking a car, Kamkar borrowed a friend's GM motor, and analyzed the radio signals between the vehicle and the RemoteLink smartphone app. RemoteLink is a component of OnStar, GM's service that provides internet access to cars via the cellphone network. The OnStar equipment in the vehicles connects to the mobile network, and relays 'net access to and from the onboard Wi-Fi. This also allows the RemoteLink app to connect to the car remotely and control it.
Kamkar discovered that the app didn't use cryptographic certificates to check it really was talking to a legit GM vehicle, and that it was easy to perform a man-in-the-middle attack.
All Kamkar had to do was rig up a gizmo that masqueraded as a car, and if someone used the app nearby, the software would communicate with his box of tricks rather than the vehicle. That would give him enough information to connect to the car pretending to be the smartphone app, and take control of the motor. (The security of the software has now been beefed up.)
He assembled a Raspberry Pi, a GSM module loaded with a prepaid SIM card, and an Edimax Wi-Fi dongle, and used the Mallory open source toolkit to stage the man-in-the-middle attack. The hardware, which he dubbed OwnStar, was left under the vehicle and operated remotely.
Using this, he was able to spoof the RemoteLink software and use the app to track the car, unlock the doors, and start the engine. He couldn't drive it, since that requires a key, but there may even be ways around that, he discovered.
Wireless electronic car keys typically send 40 to 60-bit unlock codes over the air. The codes are generated using a rolling code algorithm: each press of the key fob generates a new code, and once the car has received the code, it will not accept it again. This prevents replay attacks. However, it is possible to jam the transmission of a code so that the car never receives it, but the attacker does, and thus can be replayed to unlock the car.
It's easy to work out which band the devices operate on, and thus which frequencies to jam, because all FCC-approved devices have their frequencies listed on the agency's website.
Using a basic radio setup, Kamkar was able to jam the signal from the electronic car key, so the car couldn't receive it. However, he was able to pick up the broadcasted key, and record a copy of it. By keeping the jamming going, the person with the key fob would try a second time, leaking a second key. When the jamming is turned off, the fob works, and the eavesdropper has two available unlock codes to use.
This won't work with all cars: many makes have keys with wireless RFID chips in them that the vehicle must detect before it can be driven off.
Nonetheless, Kamkar's presentation showed that motor manufacturers have a long, long way to go on securing their cars against the crafty. ®