Tools of the Trade: Replay Attack with Flipper Zero

Crashwire
Jan 1, 2024


Disclaimer: The content of this article is strictly for research and educational purposes only. Each system/tool was accessed with the express permission of the owner.

Introduction

Over the past three years, a small tool has taken the information and physical security world by storm: the Flipper Zero. Used by cybersecurity professionals, hobbyists and script-kiddies alike, the Flipper Zero is a versatile hacking “multi-tool” designed by and for cybersecurity enthusiasts. Packed with features like RFID/NFC cloning, infrared control, and hardware hacking capabilities, it’s a compact gadget engineered for exploring and experimenting with various security and tech applications.

Image Source: Crashwire

Among these tools is the Sub-GHz plugin. This versatile feature allows users to detect, record, and transmit various Radio Frequencies (RF) below the 1 Gigahertz threshold. This specific functionality will be our focus for the remainder of this article.

Security with Keyless Entry (Key Fobs)
Keyless entry systems in vehicles operate on specific radio frequencies, and these frequencies can vary across regions. In the United States and Japan, keyless entry systems predominantly use the 315MHz frequency, while in Europe, the frequencies commonly employed are 433.92MHz and 868MHz. These frequencies facilitate communication between the key fob and the vehicle, enabling convenient and secure access, remote start, amongst other features.

Image Source: https://harryli0088.github.io/rolling-code/ (Rolling Code Encryption breakdown)

To enhance security, many modern keyless entry systems incorporate rolling code encryption. Each button press transmits a new code from a sequence that the key fob and the vehicle keep in sync, and a code the vehicle has already accepted is not honoured again, making it extremely challenging for an attacker to intercept a signal and simply replay it to gain access to the vehicle.

As a result, rolling code encryption plays a crucial role in safeguarding keyless entry systems from unauthorized access. The dynamic nature of rolling codes adds a layer of complexity that renders traditional replay attacks far less effective; however, there are still techniques an attacker can employ to defeat this security measure.

How to conduct a Replay Attack to defeat rolling code encryption

Picture this: You’re seated in a coffee shop and decide to visit the restroom, leaving your jacket and keys on the table. Seizing the opportunity, a hacker swiftly approaches your unattended table, picks up your key fob, and uses a specialized tool to record an “Unlock” signal. Because the vehicle is out of range and never receives that transmission, the rolling code it carries is never consumed, so the attacker can later replay the recorded signal and bypass the rolling code protection.

Essentially, the attacker reproduces the captured signal later, and the vehicle accepts it as a valid, never-before-seen transmission. While rolling code encryption is effective against the straightforward interception and replay of a signal the vehicle has already received, its weakness emerges when an attacker manages to record a signal that never reached the vehicle, enabling a replay attack that compromises the security of the keyless entry system.
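As an added illustration, and not code from the article or from the Flipper Zero project, the following Python simulation models a rolling-code fob and vehicle receiver that share a synchronised counter with a look-ahead window. The keyed tag function, the shared key, the serial number and the window size are constructed stand-ins and do not represent any manufacturer's scheme. It shows why a frame the vehicle already accepted is rejected when replayed, why a frame captured while the vehicle was out of range is still accepted later (the coffee-shop scenario above), and why pressing a fob too many times away from the vehicle exhausts the window, which is the mechanism behind the desynchronisation caution under step 3.

```python
import hashlib
import hmac

# Constructed example values. A real fob uses a manufacturer key and a serial
# number set at the factory; nothing here is taken from an actual vehicle.
SHARED_KEY = b"constructed-demo-key"
FOB_SERIAL = 0x2A7F


def auth_tag(key: bytes, serial: int, counter: int) -> str:
    """Keyed tag over (serial, counter); stands in for the real rolling-code cipher."""
    msg = f"{serial}:{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


class Fob:
    """Transmitter side: every button press emits the next counter value."""

    def __init__(self, key: bytes, serial: int, counter: int = 0):
        self.key, self.serial, self.counter = key, serial, counter

    def press(self) -> tuple:
        self.counter += 1
        return (self.serial, self.counter, auth_tag(self.key, self.serial, self.counter))


class Receiver:
    """Vehicle side: accepts a counter only if it is unused and within the window."""

    WINDOW = 16  # how many presses the car may miss before it stops resyncing

    def __init__(self, key: bytes, serial: int, counter: int = 0):
        self.key, self.serial, self.last = key, serial, counter

    def receive(self, frame: tuple) -> str:
        serial, counter, tag = frame
        if serial != self.serial:
            return "reject: unknown serial"
        if not hmac.compare_digest(tag, auth_tag(self.key, serial, counter)):
            return "reject: bad tag"
        if counter <= self.last:
            # A counter the car has already accepted: classic replay, rejected.
            return "reject: counter already used (replay)"
        if counter > self.last + self.WINDOW:
            # Too far ahead: the car cannot tell a desynced fob from an attacker.
            return "reject: outside window (desynchronised)"
        self.last = counter
        return "accept"


def scenario_consumed_replay() -> list:
    """The car hears the press; replaying that same frame afterwards is rejected."""
    fob, car = Fob(SHARED_KEY, FOB_SERIAL), Receiver(SHARED_KEY, FOB_SERIAL)
    frame = fob.press()
    return [car.receive(frame), car.receive(frame)]


def scenario_unconsumed_replay() -> list:
    """A press recorded while the car is out of range is accepted when replayed later."""
    fob, car = Fob(SHARED_KEY, FOB_SERIAL), Receiver(SHARED_KEY, FOB_SERIAL)
    recorded = fob.press()  # the car never received this counter value
    return [car.receive(recorded), car.receive(recorded), car.receive(fob.press())]


def scenario_desync(presses_out_of_range: int) -> str:
    """Pressing the fob away from the car too many times exhausts the window."""
    fob, car = Fob(SHARED_KEY, FOB_SERIAL), Receiver(SHARED_KEY, FOB_SERIAL)
    for _ in range(presses_out_of_range):
        fob.press()
    return car.receive(fob.press())


if __name__ == "__main__":
    print("consumed frame replayed:", scenario_consumed_replay())
    print("unconsumed frame replayed:", scenario_unconsumed_replay())
    print("5 presses out of range:", scenario_desync(5))
    print("16 presses out of range:", scenario_desync(16))
```

The window is what lets a real car tolerate accidental presses in your pocket, and it is also why the attack in this article works at all: from the receiver's point of view an unconsumed captured frame is indistinguishable from a missed press, so the defence has to come from never letting such a frame be captured (the mitigation advice at the end) rather than from the counter check itself.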

It’s worth mentioning that the outlined scenario is merely one tactic in a series of possible methods attackers might use to bypass rolling code encryption. Other tools in their arsenal could include signal jamming, eavesdropping on the communication channel, or exploiting vulnerabilities in the implementation of the encryption itself, to name a few.

Putting it into practice

(WARNING: It’s crucial to note that engaging in the following activities without express authorization of the system owner is both illegal and unethical. This information is provided for educational purposes only)

1 - Information Gathering
Before this exploit can be executed, the attacker must gather the necessary information on both the patterns of their target, and the technical vulnerabilities of the system in question. Conducting open-source reconnaissance on the specific frequencies of a target vehicle (such as a 2014 Jeep Wrangler for this demonstration) involves researching publicly available information to identify the frequency bands used by its keyless entry system. Online forums, technical documentation, and radio frequency databases can be sources of great detail (such as effective key fob ranges, interior configurations, etc.). The target frequency determined for this attack is 315MHz.

2 - Signal Interception
Once the target frequencies are determined, an attacker will likely use Software-Defined Radio/RF tools (such as the HackRF One or Flipper Zero) to analyze and potentially decode signals, looking for weaknesses in the rolling-code implementation and devising an attack strategy. Once the attacker records the desired signal, they store it for the opportune moment of replay. For this demonstration, the attacker is using the Flipper Zero via the following steps:

Sub-GHz -> Read RAW -> (Config -> Set to 315MHz) -> Back -> Record -> Engage key signal 3–4 times -> Stop -> Save

Description: Flipper Zero recording “Unlock” signal from Key-Fob ( https://vimeo.com/896759527 )

3 - Signal Replication

(CAUTION: Testing a replay attack with a recorded signal could potentially desynchronize your key fob from the rolling code. Exercise caution to avoid potential access issues)

Once the signal has been recorded and stored, the attacker waits until the target vehicle is unattended and replays the recorded key fob signal using the following commands:

Sub-GHz -> Saved -> (*Select Saved Signal*) -> Send

Description: Flipper Zero Transmitting the recorded signal, gaining physical access to the vehicle ( https://vimeo.com/897012671 )

Conclusion & Mitigation Techniques
To effectively mitigate the risks of replay attacks, it’s crucial never to leave key fobs unattended, especially in public spaces where they can be vulnerable to interception. If your vehicle offers the option, consider utilizing RFID keyless entry, as it adds an additional layer of security.

When attempting to locate your parked vehicle in a crowded setting, opt for the “Lock” signal to trigger audible cues without transmitting sensitive unlock codes. However, for the actual unlocking, rely on manual key use rather than the keyless entry feature to minimize exposure to potential replay attacks. Stay vigilant, stay informed, and adopt these practices to enhance the security of your keyless entry system and protect against unauthorized access.

Thanks for reading! Follow me here on Instagram for more content


Crashwire

Hey, I'm Crashwire! An aspiring security researcher and ethical hacking enthusiast, looking to make the digital & physical world safer, one hack at a time.