Intro To Car Hacking: Replay Attacks

Andrew Bellini provides a beginner-friendly tutorial to car hacking in this week's newsletter, focusing on replay attacks. Andrew is our in-house IoT and hardware hacking expert; he created our IoT and hardware hacking course as well as the Practical IoT Pentest Associate (PIPA) certification, formerly the Practical Junior IoT Tester (PJIT).

Let us know if you want to see more of this type of content - we are expecting similar blog posts and videos in the near future! Happy hacking!

Modern Car Theft

In Canada (where I live), car theft has become somewhat of an epidemic. In 2022 alone, over 100,000 cars were reported stolen; that’s approximately one every five minutes, and enough to land Canada on Interpol’s list of the top 10 worst countries for car theft.

A lot of these thefts are done with old-fashioned methods such as breaking and entering into a house to steal keys; however, a growing number are making use of specialized tools and exploits to enter and start the car. At one point recently, the Canadian government even considered banning Flipper Zeros in an attempt to curb car hacking thieves.

This proposed ban, along with all of the news coverage detailing car hacking thefts, piqued my interest to learn more about how these attacks work and if I could replicate them. In this blog, I’ll walk through how a basic replay attack records a vehicle’s key fob transmission and plays it back. We’ll start by building a mock keyless entry system using inexpensive aftermarket parts, so you have something to test on that won’t break your car or the law. Then, we’ll learn how you can use a cheap Software Defined Radio (SDR) and Raspberry Pi to pull off a replay attack. Lastly, we’ll learn about prevention measures car manufacturers have taken, including rolling codes and some methods for defeating those.

The Gear

If you want to follow along with this blog, you can pick up everything I use for around $100. I’ve listed Amazon links below for convenience. However, you can pick most of this gear up from other places and sometimes for even cheaper. I’ve split the list into two parts, the first contains the parts to build out the keyless entry system, and the second contains the parts required for performing the replay attack.

Keyless Entry System Parts

Keyless Entry System: https://www.amazon.com/Shkalacar-Universal-Central-Locking-Vehicle/dp/B09BNMBCDH/

12V Power Supply: https://www.amazon.com/ALITOVE-Adapter-Converter-100-240V-5-5×2-1mm/dp/B01GEA8PQA/

Terminal Block (Optional): https://www.amazon.com/Positions-Terminal-Pre-Insulated-Barrier-MILAPEAK/dp/B07CLW5FPS/

Breadboard, LED, and Resistor (Optional): https://www.amazon.com/Smraza-Breadboard-Resistors-Mega2560-Raspberry/dp/B01HRR7EBG/

For the minimum practice target system, you only need the keyless entry system and a 12V power supply. The keyless entry system receiver has relays inside that are fairly audible so you can hear when an unlock signal is received, but, to give some visual appeal, I’ve added lights using LEDs and a breadboard. I also used terminal blocks to make the wiring cleaner and to avoid soldering.

Replay Attack Parts:

RTL SDR: https://www.amazon.com/RTL-SDR-Blog-RTL2832U-Software-Defined/dp/B0CD745394/ or https://www.amazon.com/RTL-SDR-Blog-RTL2832U-Software-Defined/dp/B0CD7558GT/

Raspberry Pi: https://www.amazon.com/Bluetooth-Package-Raspberry-Pre-Soldered-Headers/dp/B0C3QHMMPT/

In this blog, I’m using a Raspberry Pi Zero 2W because it’s the cheapest. However, you can use any model from 2B on. If you do choose to use a Zero, you’ll need to make sure it has header pins and you’ll also need a USB micro to USB adapter. The one I’ve linked comes packaged with the adapter and header pins pre-installed.

Replay Attacks 101

Let’s start by doing a quick, simplified review of how our keyless entry system works to send an unlock signal to the receiver and how we can abuse this system with a replay attack.

When you press the unlock button on the key fob, the electronics inside broadcast a message on a predetermined frequency that the receiver in the car is tuned to listen on. The content of the message itself, after it’s demodulated and decoded, is actually a string of binary digits that will usually contain a unique identifier code matched to the receiver; you can think of this like a passcode. This is how a different key from the same manufacturer won’t (or shouldn’t) work with a receiver it’s not paired to. When the message is received, the receiver will verify that the code being sent matches its own. Since our keyless entry system (along with older car models) uses a single hardcoded identifier, it’s possible to perform a very simple replay attack.


Key Fob Demo

All an attacker needs to do is listen with their own device on the key’s broadcast frequency when an unlock command is sent and save a recording of the broadcast to play back later.


Key Fob Demo Capture

An attacker can then return at any time and replay the saved broadcast within range of the car, and it will unlock.


Key Fob Demo Replay

This type of keyless entry is not only found in cars but is also used for things like garage door remotes, which are also potentially vulnerable to replay attacks. This simple version of the attack can be performed with a Flipper Zero or, as I’ll demonstrate in this blog, a cheap SDR and a Raspberry Pi.

Nowadays, most modern cars use more secure methods for transmitting and receiving signals, such as rolling codes, which are more resistant to this simple replay attack. We’ll talk more about rolling codes and some methods for defeating them later on in this blog. Spoiler alert, though, you’ll need more gear than just a Flipper Zero.

Wiring Up The Keyless Entry System

In order to test the attack, we’ll need something to perform it on, like an aftermarket keyless entry system. These aftermarket kits are designed to either convert older cars without keyless entry or replace keyless entry systems where reprogramming a key is not cost-effective. We will wire up the system similar to how it would be in a car, except instead of wiring the outputs to lock and unlock motors, we’ll wire them up to LEDs so we can see when they are triggered. I’ve attached mine to a board, leaving some space for adding additional car electronics at a later time.

Before wiring, a quick note on electrical safety. This system is designed to run off of 12VDC from an unmodified and certified power supply. In most jurisdictions, any voltage levels below 30V are considered safe to work on without additional training or posing a shock risk. The power supply used in this tutorial has a terminal adapter to allow for wiring; power supplies should never be modified or cut to expose wires. Finally, while 12V does not generally pose a shock risk, creating a short circuit can potentially heat wires or connectors up to temperatures that could burn or cause a fire. Care should be taken to avoid shorting the power supply positive and negative connections.

Keyless Entry Test Bench

Consulting the wiring guide that comes with the system, I chose to wire mine following Fig. B for a positive trigger. This way, we can wire the lock and unlock signal wires to the positive lead of an LED and have them flash on to indicate when these signals are received from the key fob (or a replay attack).

Keyless Entry Wiring Guide

If you’re following along with the parts that I’m using, you can use the below wiring table and wiring diagram. If you’re using LEDs, don’t forget to add in a current-limiting resistor to prevent the LEDs from burning out. To make the connections easier and allow for further expansion, I’ve used a breadboard to wire in the LEDs and resistors.

Note that I’ve removed the additional orange wires, which aren’t used in this configuration, to keep the wiring cleaner. This is totally optional, and you can also leave them unconnected.

Wiring Diagram

Setting up the Raspberry Pi for Replay Attacks

To pull off the replay attack, we’ll be making use of a Raspberry Pi with a USB-connected SDR. The reason we’re using a Raspberry Pi is because the lower-cost SDRs that you can buy in the $20-30 range can only receive and cannot transmit. Luckily, Raspberry Pis are able to transmit at the frequency most key fobs operate on with just their GPIO pins. This type of replay attack can also be performed without a Raspberry Pi by using a more expensive SDR that can transmit and receive, like the HackRF One, Adalm-Pluto, or BladeRF. Additionally, this basic replay attack can be performed by the trusty Flipper Zero.

In this demo, I’ll be using a Raspberry Pi Zero 2W with Raspberry Pi OS installed and accessing it via SSH. I won’t be covering how to install Raspberry Pi OS as there are already very good guides on it, including the official documentation from Raspberry Pi. I suggest following the steps for editing settings so you can pre-setup your WiFi and enable SSH.

Once you’ve installed the OS and you’re connected, the first step I’d suggest is updating the apt package lists and upgrading the installed packages.

sudo apt update && sudo apt upgrade

Next, we’ll install the drivers and binaries for the RTL-SDR we’ll be using. If you want more details about these steps, they’re pulled from the official RTL-SDR quick start guide.

sudo apt purge ^librtlsdr
sudo rm -rvf /usr/lib/librtlsdr* /usr/include/rtl-sdr* /usr/local/lib/librtlsdr* /usr/local/include/rtl-sdr* /usr/local/include/rtl_* /usr/local/bin/rtl_*
sudo apt-get install libusb-1.0-0-dev git cmake pkg-config build-essential
git clone https://github.com/rtlsdrblog/rtl-sdr-blog
cd rtl-sdr-blog/
mkdir build
cd build
cmake ../ -DINSTALL_UDEV_RULES=ON
make
sudo make install
sudo cp ../rtl-sdr.rules /etc/udev/rules.d/
sudo ldconfig
echo 'blacklist dvb_usb_rtl28xxu' | sudo tee --append /etc/modprobe.d/blacklist-dvb_usb_rtl28xxu.conf

At this point, restart your Raspberry Pi, connect the SDR to the USB port, and then SSH back in. Once reconnected, run rtl_test to make sure the SDR is identified and working properly. You can let it run for 15-30 seconds, and if you don’t see any messages, that means everything is working fine. You can use Ctrl+C to exit.

rtl_test

Next, we’ll need to install rpitx which is a library and utility that will allow the Raspberry Pi to transmit RF signals via its GPIO pins. If you’re curious to learn more about the project, check out the Github repo for it and toss them a star!

To install rpitx clone the repo and run the installation script:

git clone https://github.com/F5OEO/rpitx
cd rpitx
./install.sh

Before using rpitx, we’ll need to perform another reboot. Once completed, you’ve now got all the software set up in order to perform a replay attack.

Antennas and FCC Regulations

The last step to set up our Raspberry Pi for transmitting is to choose whether to attach an antenna, or not. Before we do so, though, I’d like to briefly discuss Federal Communications Commission (FCC) regulations and the importance of not breaking any laws. When in doubt, you should do your own research about laws and regulations and come to your own conclusions and decisions.

The FCC (or other agency that regulates radio transmission outside the U.S.) controls and limits who is allowed to broadcast on specific frequencies to prevent interference. For example, some bands of the spectrum are reserved for different telephone carriers, some are reserved for AM and FM radio transmissions, some are reserved for satellite communications, and some are even reserved for amateur radio operators. In the U.S. and most other countries, broadcasting on blocked frequencies and causing interference can result in serious penalties and fines. Any commercial devices used in the US that broadcast a radio signal must be FCC compliant, meaning that they have undergone testing and applied to the FCC to prove that their device operates within the frequency range and at the power it’s allotted and doesn’t cause interference. These devices will be provided with an FCC ID that proves they have undergone this testing and application process.

The key fob we’re using operates at 433.92 MHz, as you can see by consulting the operating manual. This frequency falls inside the band allocated for amateur radio operators, and more specifically, a special subset of this band called an ISM band. ISM bands are special bands that are allocated to allow interference from industrial, scientific, and medical equipment. Some examples include things like microwave ovens or medical scanning equipment. Because the operation of these devices (like running your microwave) can disrupt other transmissions, other devices that operate within this band must be able to tolerate interference. Because these bands are already reserved for potential interference from such equipment, ISM bands have become very popular for short-range, low-power wireless communication like that of our key fob, but also things like baby monitors, garage door openers, and cordless phones.

This still doesn’t mean that you are allowed to cause interference on this channel. In fact, in the U.S., to use a non-compliant FCC device on this frequency, you must have a HAM Radio License. There are some exceptions, one of which is for home-built devices. However, one very important condition of operation is that:

“…no harmful interference is caused and that interference must be accepted that may be caused by the operation of an authorized radio station, by another intentional or unintentional radiator, by industrial, scientific and medical (ISM) equipment, or by an incidental radiator.”

The key factor here is that no harmful interference is caused.

The Raspberry Pi via rpitx uses GPIO Pin 4 to transmit. In my testing, without attaching any sort of antenna or wire to the pin outside of the standard header, I was able to receive transmissions on 434 MHz from up to 6-7 feet. Adding a short wire to the header pin can increase the range to the tens of feet. For local testing, going without an antenna is sufficient and reduces the likelihood of interference with any other devices since they will most likely be out of the range.

Raspberry Pi
Raspberry Pi with Antenna

If you are adding an antenna or any amplification, it’s possible you could cause harmful interference. One mitigation to this is adding a bandpass filter that blocks frequencies outside of the intended range you want to broadcast on. This is important because the Raspberry Pi will not only transmit at the intended frequency, but also at harmonic frequencies with diminishing power as well.

Bandpass Filter

Pulling off the Replay Attack

Now that we’ve got our device all set up and configured, we’re ready to pull off a replay attack.

The first step is to capture a transmission from the key fob, which we’ll do with the RTL-SDR and the tools we installed previously. Take note of the -f option in the command below, which requires the frequency we want to record, i.e., the frequency of the key fob. In a real-world scenario, if you’re not sure of an operating frequency, you can usually find it with a little OSINT, such as googling for manuals or even FCC documentation. You can also use your SDR and software that scans or “waterfalls” over frequencies to detect what frequency a device is transmitting at.

rtl_sdr -s 250000 -g 35 -f 433.92e6 keyfob_capture.iq

Once the capture is running, you’ll need to press the unlock button on the key fob a few times, but keep in mind that the replay will then send multiple unlocks. After you’ve sent some unlocks with the key fob, use Ctrl+C to end the recording.

RTL SDR capture
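Before replaying, it is worth confirming that the .iq file actually contains fob presses rather than just noise (a wrong gain or frequency produces a capture that looks fine on disk but replays nothing). The script below is an added example, not code from the post or from the rtl-sdr and rpitx projects: it reads the interleaved unsigned 8-bit I/Q format rtl_sdr writes (the same format sendiq reads with -t u8), computes the signal envelope, and lists each burst with its start time and duration. The 250 kS/s rate, the 4x-median noise threshold, and the inline synthetic capture are all assumptions made for the example.

```python
import math
import random
import sys

SAMPLE_RATE = 250_000  # matches the -s 250000 used with rtl_sdr and sendiq


def iq_envelope(raw: bytes) -> list:
    """Interleaved unsigned 8-bit I/Q (rtl_sdr's output, sendiq's -t u8)
    to per-sample magnitude; 127.5 is the zero level of the u8 format."""
    return [math.hypot(raw[k] - 127.5, raw[k + 1] - 127.5)
            for k in range(0, len(raw) - 1, 2)]


def find_bursts(env, sample_rate=SAMPLE_RATE, threshold=None,
                gap_ms=2.0, min_ms=1.0):
    """Return ([(start_s, duration_s), ...], threshold). An OOK packet is a
    train of short pulses, so runs above threshold closer than gap_ms are
    merged into one burst; runs shorter than min_ms are treated as noise."""
    if threshold is None:
        threshold = 4.0 * sorted(env)[len(env) // 2]  # 4x median ~ noise floor (assumed)
    gap, min_len = int(gap_ms * sample_rate / 1000), int(min_ms * sample_rate / 1000)
    bursts, start, last_hi = [], None, None
    for n, m in enumerate(env + [0.0] * (gap + 1)):  # zero padding flushes the last run
        if m > threshold:
            start = n if start is None else start
            last_hi = n
        elif start is not None and n - last_hi > gap:
            if last_hi - start + 1 >= min_len:
                bursts.append((start / sample_rate, (last_hi - start + 1) / sample_rate))
            start = None
    return bursts, threshold


def synth_capture(presses, sample_rate=SAMPLE_RATE, press_ms=40, seed=1) -> bytes:
    """Constructed stand-in for a real capture: bounded noise plus, at each
    time in `presses` (seconds), a burst of 0.5 ms on / 0.5 ms off pulses
    at a 5 kHz offset from the tuned centre frequency."""
    rng, total = random.Random(seed), int(0.4 * sample_rate)
    pulse, on = int(0.0005 * sample_rate), [False] * total
    for t0 in presses:
        s0 = int(t0 * sample_rate)
        for n in range(s0, min(s0 + int(press_ms * sample_rate / 1000), total)):
            on[n] = ((n - s0) // pulse) % 2 == 0
    out = bytearray()
    for n in range(total):
        amp = 60.0 if on[n] else 0.0
        ph = 2 * math.pi * 5_000 * n / sample_rate
        out.append(round(127.5 + amp * math.cos(ph) + rng.uniform(-3, 3)))
        out.append(round(127.5 + amp * math.sin(ph) + rng.uniform(-3, 3)))
    return bytes(out)


if __name__ == "__main__":
    # pass the path of a real keyfob_capture.iq to inspect it; otherwise the synthetic one is used
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else synth_capture([0.05, 0.25])
    bursts, thr = find_bursts(iq_envelope(raw))
    print(f"threshold {thr:.1f}, {len(bursts)} burst(s) found")
    for t, d in bursts:
        print(f"  at {t * 1000:8.1f} ms, {d * 1000:6.1f} ms long")
```

A real capture from the kit above should show one burst (or a small group of bursts) per button press; if the list is empty, re-check the gain and frequency before moving on to the replay.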

Now that we have a recording of the unlock transmission, we can play it back using the rpitx tools we installed previously. Make sure you’re in the rpitx directory to run the below command.

sudo ./sendiq -s 250000 -f 433.92e6 -t u8 -i keyfob_capture.iq
rpitx_sendiq

If everything works properly, and your keyless entry system is within range, then you should see the device receiving the unlock command and turning on the unlock light.

Congratulations, you’ve pulled off a replay attack!

Rolling Codes

Pulling off that replay attack seemed a little easy, didn’t it? An attacker could easily sit in a parking lot and capture large amounts of unlock transmissions (or near a driveway for a more targeted attack) and later replay the transmission to easily break into a car. Luckily, most modern cars use more complex and secure methods for transmitting commands such as lock, unlock, or even remote start. A very common method is to use rolling codes.

With rolling codes, instead of the car and the key fob using a fixed single code for verification, they are each programmed with an algorithm that generates codes based on an initial seed number and an iterator. When the key fob is pressed, it sends the current code from the algorithm, and when the car receives it, the code is checked to make sure it matches the car’s current code (or a future one) via its algorithm.

Rolling Codes

If the codes match, then the car will perform the action, such as ‘unlock.’ In this scenario, both the car and the key fob will increment their rolling code to the next valid one. You might be wondering what happens if the car doesn’t receive the message from the key fob and only one end rolls to the next code. This is why the car will not only accept the current rolling code but also a pre-allocated range of future codes.

Rolling Codes

This ensures that the key fob and the car remain in synchronization with their rolling codes. This method helps to prevent replay attacks because if an attacker manages to capture an unlock command, it will contain an old rolling code. As such, it can’t be replayed unless the car did not receive the signal from the fob.

Keep in mind that this is somewhat of a simplified example of how these work and most modern cars also add a layer of encryption to the messages being transmitted. This encryption prevents reverse engineering of the transmission, which could potentially allow an attacker with enough captures to calculate the rolling code algorithm and identify the other parts of the message, like what command is being sent.

Attacking Rolling Code Systems

There are some more complex replay attacks that can work against rolling codes, which I’ll outline here without a demonstration. If you’re tempted to try any of these on your own car, a word of caution: not all cars are resilient to their rolling codes getting out of sync. Some of these attacks may put a key fob and car out of sync, causing the key fob to no longer work until the car and fob are reprogrammed. In addition, jamming of signals in any format is highly illegal in most countries.

The first attack that can still be performed on most rolling code systems is the same as the previously demonstrated attack, except you must capture a fob transmission that is out of range of the car. This is, of course, less useful to most attackers since, to pull it off realistically, you’d need to have access to the key outside of the range of the car and would most likely just steal the key. In addition, the code that’s captured would only work until the next time the key fob communicates with the car, which would then bump up the rolling code.

The second attack is called a roll-jam attack, and this relies on jamming the communication with the car so that it doesn’t receive the transmission, therefore bumping up the rolling code. The attacker sends out a jamming signal strong enough to prevent the car from receiving the key fob transmission and records that transmission with the attacking device. At this point, the attacking device has a valid rolling code. However, the person who’s trying to unlock or lock their car is most likely going to push the key fob again, as they didn’t hear the honk or see the lights to indicate their car actually received the message. To take advantage of this, the roll-jam attack briefly pauses the jamming and replays the first rolling code to the car. When they press it a second time, they’ll hear the car horn honk, but this is from the replay of the first code. The attacking device, at this point, has resumed jamming the car and is able to record the second transmission and rolling code, and now holds a valid rolling code that the car has not yet seen. In case you’re wondering, a Flipper Zero is not capable of pulling off this attack as it’s not able to coordinate sending a jamming signal and recording a transmission.

In most scenarios, there is one more hurdle to pull this attack off: if someone is leaving their car, they are most likely going to be locking it via their key fob. Even if an attacker can capture a valid transmission and replay it, this will only be to lock the car again, which is not of much use. However, if encryption is not used or if the encryption can be broken, an attacker can modify the transmission to a different action, such as ‘unlock’ or ‘remote start,’ before replaying it while still keeping the valid rolling code that was captured.

One method that can be used to prevent replay attacks of any sort is to add a time component to the transmission. Unless an attacker can reverse engineer the transmission to modify the time, the transmission will be stale and rejected by the receiver if they try to replay it at a later time.
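The simulation below is an added example, not code from the post or from any real vehicle, that implements the rolling-code receiver described in the Rolling Codes section (counter, lookahead window, resync on accept) and walks through the scenarios above: a plain replay, a code captured out of the car’s range, that code going stale once the fob is used again, and the fob drifting past the window. It also shows the mitigation for the modified-transmission case from the previous section: the code is computed over the action as well as the counter, so a captured ‘lock’ frame cannot be rewritten to ‘unlock’. A truncated HMAC-SHA256 stands in for the proprietary cipher a real fob uses, and the 16-code window and the shared secret are constructed values.

```python
import hmac
import hashlib

WINDOW = 16  # how many future counters the car tolerates; value is an assumption


def make_code(seed: bytes, counter: int, action: str) -> str:
    """Toy rolling code: truncated HMAC over the counter AND the action, so a
    captured 'lock' frame cannot be rewritten into 'unlock' (a stand-in for
    the proprietary cipher a real fob uses)."""
    msg = counter.to_bytes(4, "big") + action.encode()
    return hmac.new(seed, msg, hashlib.sha256).hexdigest()[:8]


class Fob:
    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def press(self, action: str = "unlock"):
        frame = (self.counter, action, make_code(self.seed, self.counter, action))
        self.counter += 1  # the fob rolls forward whether or not the car hears it
        return frame


class Car:
    def __init__(self, seed: bytes, window: int = WINDOW):
        self.seed, self.counter, self.window = seed, 0, window

    def receive(self, frame) -> bool:
        counter, action, code = frame
        # accept the expected counter or one a little ahead (fob pressed out of range)
        if not (self.counter <= counter < self.counter + self.window):
            return False  # stale replay, or too far ahead (desynced)
        if not hmac.compare_digest(code, make_code(self.seed, counter, action)):
            return False  # wrong key or tampered frame
        self.counter = counter + 1  # jump past the accepted counter to resync
        return True


def simulate() -> dict:
    """Walk through the scenarios described in the post with a constructed secret."""
    seed = b"constructed-shared-secret"
    fob, car = Fob(seed), Car(seed)
    out = {}
    f1 = fob.press()
    out["first_press"] = car.receive(f1)                # normal unlock
    out["replay_of_first"] = car.receive(f1)            # old counter: rejected
    missed = fob.press()                                # pressed out of the car's range
    out["out_of_range_replay"] = car.receive(missed)    # still unused: accepted
    missed2 = fob.press()                               # another out-of-range press
    car.receive(fob.press())                            # owner then uses the fob at the car
    out["stale_after_fob_used"] = car.receive(missed2)  # car has moved on: rejected
    lock = fob.press("lock")
    tampered = (lock[0], "unlock", lock[2])             # same code, action rewritten
    out["tampered_action"] = car.receive(tampered)      # code mismatch: rejected
    for _ in range(WINDOW + 5):
        fob.press()                                     # many presses away from the car
    out["beyond_window"] = car.receive(fob.press())     # outside the lookahead: desynced
    return out


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```

The final case is the desync the section above warns about: once the fob’s counter is outside the window, nothing it sends is accepted until the pair is reprogrammed.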

Relay Attacks

Due to the advancements in car security noted above, along with the requirement of actually capturing a key fob transmission, replay attacks aren’t as common for car theft. Since I started this blog talking about replay attacks for car hacking, I wanted to end by outlining a similar attack that is sometimes used by thieves on current cars called a relay attack. I’ll leave the very specific details for another possible blog and just give the high-level details.

Most modern cars have the added convenience of no longer needing to press the key fob to unlock the car or start it with the turn of a physical key. Instead, using radio communication, the key just has to be in range of the car. When you try to unlock the car with the outer unlock button or simply by pulling the handle, cars with this feature will send out a challenge broadcast and only unlock the car if the key is in range and responds back to the challenge. The same goes for pressing the ignition button to start the car.

A relay attack takes advantage of the fact that most people leave their car keys close to their front door and their vehicle. In a relay attack, the attacker will trigger a challenge from the car by trying to unlock it using the handle or outer unlock button. They will then record the resulting challenge from the vehicle and immediately relay it to another device that is near where they suspect the key is located. This secondary device will broadcast the challenge, usually using a powerful antenna, and if the car key is within range, it will respond to the challenge. The second device will then relay this response from the key back to the first device, which will transmit it to the car.

Most modern cars make use of timing to prevent relay attacks. However, in some cases, this implementation is not correct, and quick relay attacks are still possible. Specific makes, models, and years of cars that are vulnerable to these attacks are known by thieves and targeted. Flipper Zeros are also not able to pull off this relay attack, as it requires multiple devices working in synchronization.

Conclusion

The battle between car manufacturers and car thieves using car hacking methods is a cat-and-mouse game, with car manufacturers constantly needing to stay on their toes and update technology to stay ahead. This can be a challenging situation due to the long lives of cars and the potential difficulty of fixing or updating flaws in cars already on the road.

In this blog, we saw the evolution of keyless entry systems and how basic methods of hardcoded IDs allowed for exploitation via replay attacks. This was replaced by rolling codes in an attempt to prevent replay attacks. However, we learned that there are still some methods to defeat the new anti-theft measure. Currently, relay attacks present a much greater risk for modern cars.

In addition to the radio or RF attacks outlined in this blog, there are many other avenues for car hacking, including satellite communications and directly interfacing with internal car networks via connections that can be exposed through parts such as headlights. I hope to cover these topics further in additional blogs and videos.

If you want to learn more about IoT hacking, check out the Beginner’s Guide to IoT and Hardware Hacking at the TCM Security Academy or my blog series on IoT hacking.

Want to see some more car hacking in action? Watch the below video to see Andrew Bellini go into car hacking replay attacks even further!


Munashe Mada

Cybersecurity & Ethical Hacking

3 months

How about using a HackRF One, especially with PortaPack? kkk, Flipper's big brother

Andrew Bellini

P.Eng | TCM Security | DEF CON Speaker | DigitalAndrew

3 months

Next blog/video should we take on my brand new car?

Hasan Azizov

Cybersecurity Specialist | Offensive Security Researcher | Penetration Tester (EWPT Certified)

3 months

It is an informative resource. Thank you for sharing.
