
Using RTL-SDR to Open Car Doors (2016) - weinzierl
https://anthonys.io/using-rtl-sdr-to-open-car-doors/
======
xgbi
So, what is the solution? Implementing a PKI between the key and the car?
This would be quite nice, wouldn't it?

- Key asks car to unlock and sends public key for recognition,

- Car sends challenge encrypted with the key's public key

- Key sends back private-key-encrypted challenge

Bing, authenticated.

~~~
exhilaration
A simpler solution is that the car should not accept a "skipped over" code.
This attack works by jamming code A and storing it for later use. The car
owner assumes a signal loss and clicks again, opening their car with code B.
If the car knows to reject code B in the future, why can't it also know to
reject code A?

~~~
echion
The car isn't being opened by B; it's being opened by A, and B is jammed and
stored for later use. See other comment about the attacker always being "one
[code] ahead" of the legitimate key fob user.

~~~
exhilaration
Thank you for the clarification!

------
mkesper
The article states the need to jam the transmission (illegal in many
countries) but does not explain why.

~~~
yial
Many key fobs now (to my limited knowledge) use an expanding one-time-use
"code", essentially, so once that transmission has been made, the same
transmission won't unlock the car a second time. (On new vehicles, at least.)

~~~
ipunchghosts
This isn't a replay attack in the traditional sense. The attack works by
simultaneously receiving the fob signal while jamming it to the car so it
doesn't see it. Then, the car can't roll ahead its table.

To say it another way, it exploits the fact that you can be a hundred miles
from your car and push the unlock button on your fob but then return next to
your car, push the fob, and the car unlocks.

~~~
lucaspiller
Why aren't the previous codes invalidated though? If the attacker catches code
X, and the owner presses the button again to send code X+1, why is code X
still valid?

~~~
lunixbochs
Both X and X+1 are jammed, then the attacker replays X. The car never sees X+1
to revoke either.

~~~
ipunchghosts
Yes. There is a rolling code both inside your car rx and the fob tx. They get
out of sync (think of pushing your car unlock when your car is not around) but
the fob can never be behind the car.

By jamming the rx at the car it never gets code X+1 but the attacker does,
so the car never rolls ahead. Then, the attacker replays X+1 and the car
unlocks.

This attack has been known for quite a long time along with the TPMS hack
(made famous by Rutgers and U South Carolina
[http://www.sc.edu/news/newsarticle.php?nid=1202#.WRXDdVXythE](http://www.sc.edu/news/newsarticle.php?nid=1202#.WRXDdVXythE))

[https://www.theregister.co.uk/2010/09/21/car_jammer_vehicle_...](https://www.theregister.co.uk/2010/09/21/car_jammer_vehicle_theft_scam/)
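A toy model of the receiver logic discussed in this subthread, added here as an illustration and not code from the article or from any commenter: the rolling-code window shows why a code the car never heard stays valid after the fob has moved on (and why rejecting "skipped" codes cannot help, since the car does not know they were skipped), and a challenge-response check in the spirit of xgbi's proposal shows why a recorded answer cannot be reused. The window size, the bare-counter stand-in for the encrypted code, and the use of a shared secret with HMAC instead of a PKI are all assumptions made for the model.

```python
import hmac, hashlib, os
from itertools import count

WINDOW = 16  # assumed: how far ahead of the last accepted code the car resyncs

class Car:
    # Receiver: accept a code only if it lies in the window past the last
    # code actually heard, then move the window up to it.
    def __init__(self):
        self.last_seen = 0
    def receive(self, code):
        if self.last_seen < code <= self.last_seen + WINDOW:
            self.last_seen = code
            return True
        return False

def jam_and_replay():
    # The fob is a counter standing in for the encrypted rolling code. Two
    # presses are jammed: the first is forwarded so the owner sees a normal
    # unlock; the second was never heard by the car, so it stays in window.
    fob, car = count(1), Car()
    a, b = next(fob), next(fob)     # car's last_seen is still 0
    owner_opened = car.receive(a)   # a forwarded: opens, window moves to 1
    later_opened = car.receive(b)   # b replayed later: 2 is still in window
    return owner_opened, later_opened  # (True, True)

class ChallengeCar:
    # Mitigation in the spirit of xgbi's proposal, simplified to a shared
    # secret with HMAC instead of a PKI: every unlock answers a fresh nonce.
    def __init__(self, key):
        self.key, self.nonce = key, None
    def challenge(self):
        self.nonce = os.urandom(16)
        return self.nonce
    def verify(self, response):
        if self.nonce is None:
            return False
        expected = hmac.new(self.key, self.nonce, hashlib.sha256).digest()
        self.nonce = None  # each challenge is answerable once
        return hmac.compare_digest(expected, response)

def challenge_replay():
    # A recorded valid answer is useless against the next challenge.
    key = b"constructed-shared-secret"  # constructed sample key
    car = ChallengeCar(key)
    resp = hmac.new(key, car.challenge(), hashlib.sha256).digest()
    first = car.verify(resp)
    car.challenge()                 # next unlock, fresh nonce
    return first, car.verify(resp)  # (True, False)
```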

------
Unhackable
Hey, author here. I have since removed the core information but left all the
mechanisms to carry out the attack still. If anyone is interested or has any
questions, I'll be here and at Twitter.com/tech

~~~
tropo
There is no need to remove the info. We can talk about jammers in the USA.
Here: cut a hole in the door of a microwave oven. That's a jammer.

~~~
ConroyBumpus
Enjoy your subsequent trips to the oncologist.

------
disqk
samyk did it first: [http://samy.pl/defcon2015/](http://samy.pl/defcon2015/)

------
grymoire1
One has to wonder about a technical blog that starts off with "Using the
original RTL and pair that with HDSDR software on linux". So I did a search,
and HDSDR only runs on Windows.

~~~
Kostic
Maybe the post author used Wine[1] to run HDSDR on Linux.

[1][https://www.winehq.org/](https://www.winehq.org/)

------
ge96
Can you listen for the communication and play it back... range maybe. Put a
sticker under the car door handle haha

------
StavrosK
Does anyone know a good alternative for HDSDR for Linux?

~~~
fleg
I've used gqrx for some simple stuff and liked it:
[http://gqrx.dk/](http://gqrx.dk/)

~~~
StavrosK
Thank you.

