What home alarms use RF remotes?
Heaps. Almost everything at Big W, Kmart, Bunnings etc.
Replay attacks
The real remote sends a "fixed code" to disable the system. An attacker captures the code and replays it with a USRP etc. This works on almost all home alarms. Alarm keyfobs generally use 315 MHz and 433.92 MHz RF.
Analysing the rolling code
Format: a preamble based on the remote ID, followed by the unlock/lock/panic/trunk code, then 16-17 bits of security in the rolling code.
Bits: three states per bit: 1, 0, or a gap (shown as x below). The gaps are important.
Timing: a 1 is twice the pulse width of a 0. There is an implicit gap after every 1 or 0. A gap is the width of a 0.
Example captures:
1x1x1x1x1x1x11100x11...
1x1x1x1x1x1x11101x10...
1x1x1x1x1x1x11101x00...
Analysing more
The entire rolling code sequence is of a fixed time: all the ones, zeros and gaps sum to a fixed number. There are fewer x's than 1's and 0's. An x never follows an x.
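As an added example (not code from the talk), a decoder for the three-state pulse-width format the two slides above describe, with the fixed-frame-length and no-x-after-x constraints exposed as checks a receiver can use to reject malformed frames. The on/off pulse model, the 500 us unit width and the 25% tolerance are assumptions, not figures from the slides.

```python
# Added example, not code from the original talk: a decoder for the
# three-state (1 / 0 / gap "x") encoding described on the slides.
# Assumptions, mine rather than the slides': a 0 is one unit of carrier
# on, a 1 is two units; every symbol is followed by one unit off (the
# implicit gap) and an explicit x adds one more unit off.
TOL = 0.25   # pulse-width tolerance as a fraction of the unit width

def _units(width, unit):
    """Return 1 or 2 unit widths for a pulse, or None if it is off-grid."""
    for n in (1, 2):
        if abs(width - n * unit) <= TOL * unit:
            return n
    return None

def decode_pulses(pulses, unit):
    """Turn [(level, width), ...] (level 1 = carrier on) into e.g. '1x10x1'."""
    out, i = [], 0
    while i < len(pulses):
        level, width = pulses[i]
        n = _units(width, unit)
        if level != 1 or n is None:
            raise ValueError(f"bad symbol pulse {pulses[i]} at index {i}")
        out.append("1" if n == 2 else "0")
        i += 1
        if i < len(pulses):             # the gap that follows every symbol
            level, width = pulses[i]
            g = _units(width, unit)     # 3 units off (x after x) is rejected
            if level != 0 or g is None:
                raise ValueError(f"bad gap {pulses[i]} at index {i}")
            if g == 2:                  # implicit gap plus an explicit x
                out.append("x")
            i += 1
    return "".join(out)

def encode_symbols(symbols, unit):      # inverse, builds a constructed capture
    pulses = []
    for k, s in enumerate(symbols):
        if s == "x":
            if k == 0 or symbols[k - 1] == "x":
                raise ValueError("an x must follow a 1 or a 0")
            continue                    # emitted as part of the preceding gap
        nxt = symbols[k + 1] if k + 1 < len(symbols) else ""
        pulses.append((1, (2 if s == "1" else 1) * unit))
        pulses.append((0, (2 if nxt == "x" else 1) * unit))
    return pulses

def total_units(pulses, unit):
    """Frame length in unit widths; the slides say this is constant."""
    return round(sum(w for _, w in pulses) / unit)

SAMPLE = "1x1x1x1x1x1x11100x11"        # a sequence shown on the slide
```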
Bruteforce?
Capture one transmission. Use the preamble of the capture, then bruteforce the rolling code part: generate all numbers in range and exclude those not meeting the constraints. Fewer than 1 million possibilities.
Does it work?
Unlocks generally in under 2 hours.
Hmm... What's this, a backdoor?
Some codes in the bruteforce list ALWAYS unlock the car. Once known, unlocking the car takes seconds, not hours. Appears to be a manufacturer backdoor. TODO: how to generate it from one capture without bruteforcing.
Mitigation
Hard to mitigate without a recall, and a recall is never going to happen. Install an aftermarket keyless entry or just upgrade your car. For car makers: don't use a predictable algorithm to generate the rolling codes, and don't put in backdoors.
Future work
Silicon analysis. Firmware recovery.
Conclusion
Hardware hacking is fun. Lots of real-world devices are vulnerable. PRNG attacks against rolling codes have been mostly uninvestigated.