Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dr Silvio Cesare Qualys. Introduction  Lots of electronic systems  Converging with computing  IT security techniques can be used.

Similar presentations

Presentation on theme: "Dr Silvio Cesare Qualys. Introduction  Lots of electronic systems  Converging with computing  IT security techniques can be used."— Presentation transcript:

1 Dr Silvio Cesare Qualys

2 Introduction  Lots of electronic systems  Converging with computing  IT security techniques can be used

3 Outline 1. Eavesdropping analog baby monitors 2. Disabling RF-based home alarm systems 3. Hardware tampering a home alarm 4. Defeating the keyless entry of a 2000-2005 Car

4 Eavesdropping analog baby monitors

5 Analog Baby monitors?  Buy new off Ebay and other places.

6 Using Software defined radio dongles  RTL-SDR ($15)  Funcube  Antennas

7 Using upconvertors  Lower frequencies not processed by SDR.  Upconvert frequencies.  Ham it up convertor shown:

8 Finding the signal using spectrum analysis  High-end hardware is expensive (below left).  Cheaper hw is available (RF Explorer below).  40MHz is pretty normal.

9 Demodulating the signal  Use software spectrum analysis tools.  Try AM, FM demodulation.  Gqrx (Linux)  HDSDR (Windows)

10 Mitigation  Use DECT  Yes.. I know DECT has been broken also.

11 Disabling rf-based home alarm systems

12 What home alarms use RF- remotes?  Heaps.. Almost everything at Big-W, K-Mart, Bunnings etc

13 Replay attacks  Real remote sends a “fixed code” to disable system.  Attacker captures code and replays it with USRP etc.  Works on almost all home alarms.  Alarm keyfobs generally use 315 MHz and 433.92 MHz RF.

14 The Hardware  USRP B200 right:  Antennas.

15 Replay attacks with GNURadio  Capture:  Source is USRP, Sink is File.  Replay:  Source is File, Sink is USRP.

16 What is in the RF signal?  Generally modulated by AM and PWM.  If we demodulate the RF signal, we can see if the remote code is fixed or rolling.  GNURadio and custom software.

17 Amplitude (am) Modulation

18 Pulse width modulation (pwm)  Square waves generated by am demodulation.

19 Using cluster analysis to determine pulse widths  pycluster  Group similar widths together  Find mean in each cluster  Mean of means is the threshold.

20 Building a $50 arduino-based hacking box  Wireless AM rx/tx pair

21 mitigation  Use rolling codes, or challenge-response.  Buy commercial alarm systems.  Avoid K-Mart, Big-W et al.

22 Hardware tampering an alarm system

23 A shop at Bunnings

24 Interfacing with the microcontroller  Disassembly reveals labelled IC (PIC) and test ports.  Solder header pins.  Attach PIC device programmer.

25 Reading secret passcodes  Device programmer software.  Firmware protected.  Data is readable.  Reveals passcode.

26 Potential attacks to read the firmware  Glitching?  Decapping the IC and changing the security fuse with UV light?

27 Mitigation  Don’t label ICs.  Assume hardware hacking.  Hard to stop a well resourced attacker.

28 Defeating the keyless entry of a 2000-2005 Car

29 Building a dataset of button pushes

30 Phase space analysis of the rolling codes  Used 10 years ago against TCP initial sequence numbers.

31 Predicting prng (rolling) codes  Capture 3 codes from real remote.  Existing software to predict PRNG.  Tx with USRP.

32 Increasing TX range  Use an amplifier.

33 Testing codes  Capture and Replay codes.  How to stop the car receiving codes?  Use a Faraday cage:  Aluminium Foil lined Freezer bag!

34 Defeating the keyless entry

35 Analysing the rolling code  Format  Preamble based on remote ID.  Followed by unlock/lock/panic/trunk code.  Then 16-17 bits for security in rolling code.  Bits  3 states per bit.  1, 0, or a gap.  Gaps are important.  Timing  1 is twice the pulse width as a 0.  An implicit gap after every 1 or 0.  A gap is the width of a 0. 1x1x1x1x1x1x11100x11... 1x1x1x1x1x1x11101x10... 1x1x1x1x1x1x11101x00...

36 Analysing more  The entire rolling code sequence is of a fixed time  all the ones, zeros, and gaps sum to a fixed number.  There are fewer x’s than 1’s and 0’s.  An x never follows an x.

37 Bruteforce?  Capture 1 transmission.  Use preamble of capture and then bruteforce rolling code part.  Generate all numbers in range.  Exclude numbers not meeting constraints.  Fewer than 1 million possibilities.

38 Does it work?  Unlocks generally in under 2 hours.

39 Hmm.. What’s this – a Backdoor?  Some codes in bruteforce list ALWAYS unlock the car.  Once known, unlocking car takes seconds not hours.  Appears to be a manufacturer backdoor.  TODO: How to generate from 1 capture without bruteforcing.

40 Mitigation  Hard to mitigate without a recall.  Recall is never going to happen.  Install an aftermarket keyless entry or just upgrade your car.  For car makers:  Don’t use an algorithm to generate the rolling codes.  Don’t put in backdoors.

41 Future work  Silicon analysis  Firmware recovery

42 Conclusion  Hardware hacking is fun.  Lots of real-world devices vulnerable.  PRNG attacks against rolling codes have been mostly uninvestigated.

Download ppt "Dr Silvio Cesare Qualys. Introduction  Lots of electronic systems  Converging with computing  IT security techniques can be used."

Similar presentations

Ads by Google