Exploiting Smart Cars Using SDR

There is tremendous growth towards the concept of Smart Cities. As these highly connected technologies spread across the globe, their deployment brings security risks with it: the same availability and convenience create new vulnerabilities in the field of Information Security. In this blog post we look at securing keyless smart cars, which use radio frequency transmissions to lock and unlock their doors. The aim of this research is to uncover vulnerabilities in keyless entry, and to demonstrate attacks against it, using software-defined radio (SDR) tools, specifically GNURadio and the HackRF.

Countermeasures and mitigation models for safeguarding keyless cars are drafted as well.


With a traditional key, locking and unlocking the car required inserting the key in the lock by hand, which was tedious. To ease this, the automotive industry introduced keyless entry: the user no longer inserts a key in the lock but presses a button on the key fob. The fob uses radio frequency transmissions to trigger the lock: when a button is pressed, it emits a short coded message on a specific carrier frequency (433.9 MHz for the car tested below).

When the car's receiver, tuned to that frequency, picks up a message it recognises, the doors are locked or unlocked. A software-defined radio (SDR) is a radio system in which components that were traditionally built in hardware (mixers, filters, modulators and demodulators) are implemented in software on a computer or embedded system, with only the RF front end remaining in hardware. A common software package for building SDR applications is GNURadio, together with its graphical front end GNU Radio Companion. GNURadio is a software development toolkit which provides signal processing blocks for implementing SDR receivers and transmitters. An external RF hardware device is attached to the computer, and GNURadio provides the interface for processing the sample stream that the device produces or consumes.

A commonly used RF hardware device is the HackRF, developed by Great Scott Gadgets. It is a half-duplex transceiver covering roughly 1 MHz to 6 GHz, and it works well with GNURadio for receiving, recording, replaying and transmitting radio signals. GNU Radio Companion provides the graphical user interface in which the user builds flow graphs, and the HackRF serves as the RF front end for those flow graphs. The whole concept of SDR can thus be implemented with GNURadio and HackRF.

The sections below apply software-defined radio to keyless smart cars, capturing and replaying the key fob transmissions, and relate this to the classic cyber security attacks: man-in-the-middle, relay and replay.


Attack Models:

1) Man in the middle attack (MITM). In information security, a man-in-the-middle attack is one in which the perpetrator secretly relays, and possibly alters, the communication between two parties who believe they are communicating directly with each other. The victims are unaware of the attacker's presence. MITM attacks can be passive or active. A passive MITM attack only sniffs the traffic between the two parties. An active MITM attack aims to collect personal data or credentials, or to convince the victim to take an action such as changing login credentials, completing a transaction, or initiating a transfer of funds.

2) Replay attack. A replay attack is one in which a valid data transmission between two parties is captured and later re-sent, with or without manipulation, without the knowledge of either party. It is similar to a MITM attack and can be considered a lower-tier version of it; it is the attack demonstrated against the key fob below.

3) Relay attack. A relay attack is similar to a man-in-the-middle attack in which the communication is initiated by the attacker, but the attacker simply forwards the messages between the two parties without modifying them. Against a keyless entry system this extends the range of the key fob's transmissions, so the car accepts a key that is actually some distance away.

Threat Models:

Threat models are typically made during the product development and design process. If a company producing a particular product has a good development life cycle, it creates a threat model when product development begins and continuously updates the model as the product moves through the development life cycle.

These models are living documents that change as the target changes and as you learn more about a target, so you should update them often. The high-level threats to smart cars are when an attacker can:

  • Remotely take over a vehicle
  • Shut down a vehicle
  • Spy on vehicle occupants
  • Unlock a vehicle
  • Steal a vehicle
  • Track a vehicle
  • Thwart safety systems
  • Install malware on the vehicle

Key Fob

An attacker could exploit the key fob connection to:

  • Lock out a key
  • Brute-force the key fob algorithm
  • Clone the key fob
  • Jam the key fob signal


The attack on keyless smart cars is implemented with software-defined radio, using GNURadio and HackRF. The work has two phases:

A. Implementation and Exploitation.

1) Capturing the radio frequencies of the key.

The following is the flow graph used to capture the signal; its blocks are described below:

Options: ID is set to top_block and Generate Options to QT GUI, which makes GNU Radio Companion generate a flow graph with a Qt graphical window for the display sinks below. These are the default parameters in GNU Radio Companion. The sample rate variable (samp_rate) is set to 2 MHz and is referred to by the source and the sink.

Osmocom Source: The Osmocom source is an abstraction layer that lets GNURadio talk to different SDR hardware devices, the HackRF in our case. It is a source block: it produces the stream of complex samples that the next block in the flow graph consumes, and it puts the HackRF into receive mode over USB. Its sample rate is the 2 MHz set above, and its channel frequency is set to the approximate frequency of the key fob signal, 433.9 MHz. The RF, IF and BB gains are left at 0; no amplification was needed to see the signal in this demo.

QT GUI Waterfall Sink: This is the graphical display for the user. It plots the spectrum of the incoming 2 MHz-wide sample stream against time, so a transmission appears as a bright streak at its frequency. Its Center Frequency is left at the default of 0 (the display is then relative to the tuned 433.9 MHz) and its Bandwidth is set to the sample rate, 2 MHz. The captured samples are also written to a file on the computer (in GNU Radio Companion this is a File Sink block, which stores the raw complex samples) so that they can later be replayed with the HackRF.

The peak in the waterfall denotes the captured transmission of the car key.

Fig. 1. Flow graph for captured frequency
Fig. 2. Captured frequency

2) Replaying the captured signal directly at the car.

The replay flow graph reads the recorded file back and transmits it with the HackRF switched to transmit mode. Throttle Block: this block limits the rate at which samples are read from the file to the sample rate, so the recording is played back at its original speed rather than as fast as the computer can read it, and the car receives the same signal the fob sent. The file is played in a loop, so the key fob's transmission is re-sent repeatedly until the car accepts it and unlocks.

Fig. 3. Replay flow graph. This flow graph is replayed at the car repeatedly and the car unlocks.
Fig. 4. Replayed frequency
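Before replaying a recording it is worth knowing what was actually captured, and in particular whether two presses of the same button produce the same bits: if they do, the fob uses a fixed code and a plain replay will work; if they differ, the fob rolls its code and a replay of an old press should be rejected. The example below is added here and is not part of the original post. It assumes the fob uses on-off keying (the modulation most 433 MHz fobs use; the post does not say which one this car uses), a much lower sample rate than the 2 MHz capture so that the constructed file stays small, and a packet that starts with a 1 bit. The recordings it decodes are constructed in the same byte layout a GNU Radio File Sink writes for complex samples (interleaved little-endian float32 I/Q).

```python
import math
import random
import struct

# Constructed parameters (assumption): far below the 2 Msps of the real capture so the
# synthetic file stays small. The demodulator only needs the samples-per-symbol ratio.
SAMPLE_RATE = 100_000        # samples per second of the recording
SYMBOL_RATE = 2_000          # 500 us per bit, i.e. 50 samples per symbol
SAMPLES_PER_SYMBOL = SAMPLE_RATE // SYMBOL_RATE


def make_ook_capture(bits, offset_hz=10_000, silence=200, seed=1):
    """Constructed stand-in for a recording: an on-off-keyed burst sitting offset_hz away
    from the tuned centre frequency, with leading and trailing silence and a little
    Gaussian noise, serialised exactly as a GNU Radio File Sink stores complex samples."""
    rng = random.Random(seed)
    out = bytearray()
    n = 0

    def push(amplitude):
        nonlocal n
        phase = 2 * math.pi * offset_hz * n / SAMPLE_RATE
        i = amplitude * math.cos(phase) + rng.gauss(0, 0.02)
        q = amplitude * math.sin(phase) + rng.gauss(0, 0.02)
        out.extend(struct.pack("<ff", i, q))
        n += 1

    for _ in range(silence):
        push(0.0)
    for b in bits:
        for _ in range(SAMPLES_PER_SYMBOL):
            push(1.0 if b else 0.0)
    for _ in range(silence):
        push(0.0)
    return bytes(out)


def read_complex64(data):
    """Parse a GNU Radio complex-float file into Python complex numbers."""
    return [complex(i, q) for i, q in struct.iter_unpack("<ff", data)]


def ook_demodulate(samples, n_bits):
    """Recover n_bits OOK symbols: take the magnitude envelope, set the threshold halfway
    between the noise floor and the carrier level, find the first sample above it (the
    start of the burst, which assumes the packet begins with a 1 bit), then sample the
    middle of each symbol period."""
    env = [abs(s) for s in samples]
    threshold = (max(env) + min(env)) / 2
    start = next(i for i, v in enumerate(env) if v > threshold)
    bits = []
    for k in range(n_bits):
        mid = start + k * SAMPLES_PER_SYMBOL + SAMPLES_PER_SYMBOL // 2
        if mid >= len(env):
            raise ValueError("burst shorter than the expected number of bits")
        bits.append(1 if env[mid] > threshold else 0)
    return bits


def bits_to_int(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def int_to_bits(value, width):
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def compare_presses(capture_a, capture_b, n_bits):
    """Decode two recorded presses and report whether the payload changed. Identical
    payloads mean a fixed code that a plain replay will open; differing payloads mean the
    fob rolls its code and a replay of an already-used transmission should fail."""
    a = bits_to_int(ook_demodulate(read_complex64(capture_a), n_bits))
    b = bits_to_int(ook_demodulate(read_complex64(capture_b), n_bits))
    return a, b, a == b


if __name__ == "__main__":
    # Constructed fixed-code fob: the same 24-bit payload on every press.
    payload = int_to_bits(0xA5C3F1, 24)
    print(compare_presses(make_ook_capture(payload, seed=1),
                          make_ook_capture(payload, seed=2), 24))
    # Constructed rolling-code fob: the payload differs between presses.
    print(compare_presses(make_ook_capture(payload, seed=1),
                          make_ook_capture(int_to_bits(0xA5C3F2, 24), seed=3), 24))
```

On a real capture the same steps apply to the File Sink output: open the file, parse it with read_complex64, and pass the samples with the bit count read off the waterfall; the numeric value of the decoded payload is what should be compared across presses before deciding whether a replay is worth attempting.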

B. Mitigation Models and Counter Measures

1) Rolling Code

A rolling code, also known as a hopping code, is a mechanism used in keyless entry systems, garage door openers and similar devices to defeat replay attacks, in which an attacker records a radio transmission and later replays it to make the receiver unlock. Each transmission from the fob carries a code that is valid only once, so a recording of an earlier press is rejected by the car. Note that a rolling code does not by itself defeat a relay attack: a relayed transmission is fresh and is accepted, so relay has to be mitigated separately (for example by checking the round-trip time to the key).


  1. Transmitter and receiver share a secret and a cryptographically secure pseudo-random number generator seeded from it, so both can compute the same sequence of codes.
  2. On each button press the transmitter sends the next code in the sequence.
  3. The receiver compares it to its own calculated next code.
  4. A typical implementation accepts any of the next 256 codes, in case the receiver missed some transmissions (the fob was pressed out of range), and then resynchronises its position in the sequence to the matched code.
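The four steps above, as an added example that is not part of the original post: the shared generator is modelled as a keyed PRF (HMAC-SHA256 over the counter, truncated to 32 bits), the per-vehicle secret is a constructed value, and the receiver searches the 256-code window and resynchronises on a match. The scenario at the end shows a normal press, a replay of that press being rejected, a press after a few missed ones being accepted through the window, and a press after 256 missed ones falling outside it.

```python
import hashlib
import hmac

WINDOW = 256   # how far ahead of its expected counter the receiver will search


def next_code(secret, counter):
    """Code for a given counter value. HMAC-SHA256 keyed with the shared secret acts as the
    cryptographically secure generator both ends hold; the 32-bit truncation mirrors the
    code width of common fobs. The secret is an assumption: a per-vehicle key provisioned
    into fob and car at manufacture."""
    mac = hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class Fob:
    def __init__(self, secret, counter=0):
        self.secret = secret
        self.counter = counter

    def press(self):
        """Send the next code in the sequence and move on, whether or not the car heard it."""
        code = next_code(self.secret, self.counter)
        self.counter += 1
        return code


class Receiver:
    def __init__(self, secret, counter=0):
        self.secret = secret
        self.expected = counter          # counter of the next code we expect to see

    def unlock(self, code):
        """Accept the code if it is one of the next WINDOW codes, then resynchronise past it.
        Anything at or behind the current position (a replayed recording) never matches."""
        received = code.to_bytes(4, "big")
        for offset in range(WINDOW):
            candidate = self.expected + offset
            expected = next_code(self.secret, candidate).to_bytes(4, "big")
            if hmac.compare_digest(expected, received):
                self.expected = candidate + 1
                return True
        return False


def scenario():
    """Returns the outcome of each step so it can be checked, not just printed."""
    secret = b"constructed-per-vehicle-secret"      # assumption: provisioned shared key
    fob, car = Fob(secret), Receiver(secret)
    results = {}
    first = fob.press()
    results["first_press"] = car.unlock(first)          # True: exactly the expected code
    results["replay_of_first"] = car.unlock(first)      # False: receiver already moved past it
    for _ in range(5):
        fob.press()                                     # pressed out of range, car never saw these
    results["after_5_missed"] = car.unlock(fob.press()) # True: 6th code ahead is inside the window
    for _ in range(WINDOW):
        fob.press()                                     # 256 missed presses
    results["after_256_missed"] = car.unlock(fob.press())  # False: beyond the window, needs resync
    return results


if __name__ == "__main__":
    for step, accepted in scenario().items():
        print(f"{step}: {'accepted' if accepted else 'rejected'}")
```

The window is the trade-off to understand: a wider window tolerates more missed presses but gives an attacker who has recorded a press that the car never heard (a jam-and-capture attack) a longer period in which that recording stays valid. The replay demonstrated in part A is exactly the case the loop in unlock rejects, because the recorded code sits behind the receiver's expected counter.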

2) KeeLoq

KeeLoq "code hopping" encoders encrypt a 0-filled 32-bit block with the KeeLoq cipher to produce a 32-bit "hopping code." A 32-bit initialization vector is linearly added (XORed) to the 32 least significant bits of the key prior to encryption and after decryption.

Figure 2 shows the structure diagram of KeeLoq encryption. The synchronisation counter is what makes every transmission different, and so prevents a captured code from being reused. When the encoder detects a button press, it reads its inputs and increments the sync counter. The counter and the button code, together with the 64-bit device key, are the inputs to the encryption algorithm, and the output is a 32-bit block. This block changes with every press of the key fob and its value appears to hop randomly, which is why it is called the hopping portion of the code. The 32-bit hopping code is combined with a fixed 34-bit portion that carries the 28-bit serial number of the encoder (identifying which key fob is transmitting), the button code and two status bits, and the resulting 66-bit word is transmitted to the receiver. The receiver looks up the key for that serial number, decrypts the hopping code, and accepts the transmission only if the counter has advanced since the last accepted press.
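The cipher and the encoder/receiver flow described above, as an added example that is not from the original post or from Microchip. The round function follows the published description of the KeeLoq block cipher (528 rounds over a 32-bit state, a 64-bit key, and the 32-bit non-linear function table 0x3A5C742E). The layout of the hopping block (16-bit counter, 10-bit discrimination value, 2 overflow bits, 4-bit button code) and of the fixed block (28-bit serial, 4-bit button code, two status bits) follows the HCS301-style encoders; the device key, the serial numbers, the choice of the low 10 serial bits as the discrimination value and the 16-step acceptance window are constructed assumptions for the example.

```python
KEELOQ_NLF = 0x3A5C742E      # the 32-bit non-linear function table of the cipher
ROUNDS = 528
MASK32 = 0xFFFFFFFF


def _bit(x, n):
    return (x >> n) & 1


def _nlf(x, a, b, c, d, e):
    """Five state bits select one bit of the NLF table."""
    idx = _bit(x, a) | _bit(x, b) << 1 | _bit(x, c) << 2 | _bit(x, d) << 3 | _bit(x, e) << 4
    return _bit(KEELOQ_NLF, idx)


def keeloq_encrypt(block, key):
    """32-bit block, 64-bit key: shift right, feed the new bit in at the top."""
    x = block & MASK32
    for r in range(ROUNDS):
        fb = _bit(x, 0) ^ _bit(x, 16) ^ _bit(key, r & 63) ^ _nlf(x, 1, 9, 20, 31, 26)
        x = (x >> 1) | (fb << 31)
    return x


def keeloq_decrypt(block, key):
    """Inverse of keeloq_encrypt: run the rounds backwards, key bits in reverse order."""
    x = block & MASK32
    for r in range(ROUNDS):
        fb = _bit(x, 31) ^ _bit(x, 15) ^ _bit(key, (15 - r) & 63) ^ _nlf(x, 0, 8, 19, 30, 25)
        x = ((x << 1) & MASK32) | fb
    return x


class KeeloqEncoder:
    """The key fob side: increments its sync counter on every press and emits a 66-bit
    word, hopping code in the low 32 bits and the fixed portion in the upper 34 bits."""

    def __init__(self, serial, key, counter=0):
        self.serial = serial & 0x0FFFFFFF
        self.key = key
        self.counter = counter
        self.disc = self.serial & 0x3FF   # assumption: discrimination = low 10 serial bits

    def press(self, button):
        self.counter = (self.counter + 1) & 0xFFFF
        plain = self.counter | (self.disc << 16) | ((button & 0xF) << 28)   # overflow bits left 0
        hop = keeloq_encrypt(plain, self.key)
        fixed = self.serial | ((button & 0xF) << 28)      # battery-low and repeat flags clear
        return hop | (fixed << 32)


class KeeloqReceiver:
    """The car side for one learned fob: knows its serial number and device key."""

    def __init__(self, serial, key, counter=0):
        self.serial = serial & 0x0FFFFFFF
        self.key = key
        self.last_counter = counter

    def receive(self, word):
        """Return the button code on success, None on rejection."""
        hop, fixed = word & MASK32, word >> 32
        if (fixed & 0x0FFFFFFF) != self.serial:
            return None                                   # not a fob this car has learned
        plain = keeloq_decrypt(hop, self.key)
        counter = plain & 0xFFFF
        disc = (plain >> 16) & 0x3FF
        button = (plain >> 28) & 0xF
        if disc != (self.serial & 0x3FF) or button != ((fixed >> 28) & 0xF):
            return None                                   # wrong key or corrupted transmission
        delta = (counter - self.last_counter) & 0xFFFF
        if not 1 <= delta <= 16:                          # assumption: 16-step acceptance window
            return None                                   # replayed, or too far out of sync
        self.last_counter = counter
        return button


def scenario():
    key = 0x5CEC6701B79FD949          # constructed 64-bit device key
    fob = KeeloqEncoder(0x1234567, key)   # constructed 28-bit serial number
    car = KeeloqReceiver(0x1234567, key)
    word = fob.press(button=1)
    results = {"press_accepted": car.receive(word)}                     # 1
    results["replay_accepted"] = car.receive(word)                      # None: counter did not advance
    results["second_press_accepted"] = car.receive(fob.press(button=2)) # 2
    stranger = KeeloqEncoder(0x7654321, key)
    results["other_serial_accepted"] = car.receive(stranger.press(button=1))  # None
    return results


if __name__ == "__main__":
    print(scenario())
```

Two things the code makes concrete: the hopping code in the replayed recording decrypts correctly (the attacker's transmission is a genuine one), and it is still rejected because only the counter check separates a fresh press from a recorded one. The receiver's secret is the device key behind the serial number, so the scheme is only as strong as the key derivation that produced it.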