Radio Hacking: Cars, Hardware, and more! - Samy Kamkar - AppSec California 2016

Possibly the best answer for the public acceptance of Def Con, literally laying out the pathway of how vastly distributed insecure systems can be horrifically exploited because security standards weren't even a consideration. The arc from innocent fooling with your garage door to literally stealing any vehicle anywhere so long as you have cased it earlier is just a solid gradient from happy fun to full GTA superthief. Samy Kamkar did a wonderful job, not just as a sploiter, but as a presenter, this is top level Def Con.

This is a very interesting talk. It gives even a non nerd a great insight into how insecure our world has become. "Just because it's invisible, doesn't mean it's safe" is a very eye opening statement. You have given me a new respect for hackers.
Samy is a terrific presenter.

loved this presentation and how you displayed the slides too, very informative and kept it laughable and fun.

Sammy this video is so good man. Never heard such an interesting talk with such technical details and so much knowledge. Memes were on point too.you da man .

Nice lecture, good overview of fun stuff to play with and the hardware/software starter tools.

GM is the perfect example of listen when someone is speaking to you, and have the respect to, at least somewhat, hear it out.

Thanks to Samy, you can’t buy an IM-ME, now, for under $800. Believe me, I’ve been watching for one. My wife and I also go to antique malls, thrift stores, flea markets, etc, and I always look through the toys, hoping to find one of these. I haven’t seen a single one, in six years of looking. Thanks Samy! 😂

This is a very interesting lecture with a wealth of information. It would have been awesome of you to leave links for everything you are talking about.

I think this is one of the most interesting videos I've ever seen ! Thank you for all the great information and details 👌👏

This is so fascinating. I want to learn more

This was an excellent presentation, well explained! Thank you!

Recently discovered Samy. Great stuff, Man! TY!

This talk is so damn interesting, loved it :D

Oh the days of FSK Modulated Bit Shift Keys were sweet..Could open Garage any Garage Door so easy.. Remote gates were easy as well..But my oh my how things have changed... Great Presentation... Thank You

Had my attention the entire time. That is even more impressive than your brute force 4 second average cracking time.

extremely helpful ,full of interesting information. Thank you

Fascinating. Great job on the presentation. Ten stars

Worth every minute😍😍 RF is a very interesting topic. Dude😍😍

This is a brilliant lecture, natural teacher

Absolutely brilliant lecture!

I thoroughly enjoyed every minute of this video. Superb content, clear and concise. A lot of details all at once lol, but perfect. I hope they pay you well 😆!

This is just amazing ! I'll order a RTL-SDR right next month :) I'm sooo excited what i'll find...

I've been a Ham for over thirty five years and can remember driving around with my dad's car as a teenager with a CB and a 600 watt amplifier and activating bank alarms, opening electric gates and garage doors, and emptying the nightclubs by causing an ear piercing feedback to their sound systems.

True story.
My neighbors think I'm a little strange. They locked their keys in their car two months ago. Was walking the dog and talked to them. I told them I can take any sauce pan, put a rock in it, scream loudly in the pan and put the lid on, it will unlock any car. Went inside the house, got the pan and did this. Their jaws hit the floor. They tried for hours after I left.
Maybe I should tell them I recorded their keyfob with my LimeSDR previously just in case and my daughter hit the mouse button after I told her to wait for my signal.

I definitely need to hear about this bc it's been a problem with this in my on life ... thank you so much for this

A safe way to lock/unlock a car is, instead of using a rolling key, use RSA with timestamp encryption. The car would send a public key to the key fob, and the key fob would respond with an encrypted and salted hash containing the encrypted pass plus the command. That would by encrypted via a timestamp as well, as part of the public key. The private key would be used to decrypt the (command + pass) hash, but would never be sent via radio.
Edit: Just saw the final of the video, and you suggest the same. Nice!

Great talk Samy!

One thing I think would be cool to add in the section relating to MITM attacks would be the usage of a deathentication attack or a re-pair attack as its known in Bluetooth. This can help capture that wireless handshake as well as cause a device to connect to your false network.

From half an hour to just eight seconds - This is insanely fast.

that moment he opened the recorded garage door signal modulation waveform in audacity.... genius. Crystal clear! This is the core essence of hacking.... learning and understanding technologies, and use them in ways they weren't designed for.

That was awesome. I learned 1 new thing so excited.

I like how he is so excited but ham radio operators have been using this equipment for a while. Everything begins with the understanding of RF.

Great presentation, Samy.

Brilliant!!! VERY Interesting!!!
I sure hope the car manufactures whom you shared your discoveries, of the "vulnerabilities in security" offered you more than a handshake, and a thank you. I'm sure this discovery to you was only one of curiosity, and a hacker's delight, although with this information you sir, have helped progress technology as we know it.... not to mention saved alot of peoples cars from getting jacked!!! (LOL) I thank you. keep on hacking brother.

I only had an inkling this was going on. Thanks for sharing.

Thank you, Samy!!! For the info...

To view wider RF spectrum then use hand held spectrum analyser with small embedded display - they are about $100 up to few thousands dollars in price depending on capabilities. You may get basic hand help SA for $200 or so and view all frequencies say from 15 MHz up to few GHz in freq.

it was a nice presentation. I am little curious about the questions end of the presentation. bt thanks for the knowledge .

This is a fantastic video. Glad Samy is on the good side of the law. Do you know if auto manufactures are only fixing new car systems or do they also have some kind of hardware upgrade system to improve older cars?

Interesting information. This shows that there is nothing quite like a hidden kill switch on your vehicle. Put the switch in line with power to the starter or ignition and make it hard to find easily. Hardware trumps software. The best place might be the power line to the fuel pump. The engine will crank and might start, until it shortly runs out of fuel.

Interesting! I did something similar to reproduce the remote to an adjustable bed. Found out it used a CC2500. Now I can use my phone or Alexa to control the bed. :)

This was great presentation

Great vid man! Thanks bro! Any spare kit would be awesome!

This was so fun to watch! Thanks

Wow, the De Bruijn sequence is amazing! I wonder if vehicle makes now perform validation or hash their pw's.

Hey Samy, do you know is it possible (in theory) to duplicate car remote key (it’s features) onto a different device with remote capabilities? - If using my own key, there is an option to duplicate it to other digital device with remote options.

Exciting and disturbing in roughly equal measure. I like classic cars all the more now!

Well timed sip at 20:54. Confidence is exuding from this man here lol.

Great presentation 👍

As soon as you started explaining that you were cutting the pauses between the signals I said to myself "we can use superpermutations here"

thank you for this video!

this video was so informative thank you

I think I will 'record' the frequency for my car and keep that data just in case I loose my key.

im glad your on our side

What would you use to find out if somebody is chipped a frequency detector or a emf detector??

I now remove my battery and all 4 wheels. It a pain but if they want my car they will have to really work for it. 🤣

lmao good opener "we all love nic cage right"

awesome presentation brother

Samy is still my hero!

For time frame of 30:00 today ARM MCU have the capability of securing all communications by HW under supervisory mode, unless you are dealing with older technology then you will be at risk because todays ARM MCU have very strong security and strict supervisory mode preventing unauthorised users to intervene. Old technology did not have the ability to lock supervisory mode and allowed intruders to switch from User Mode to Supervisory Mode wirelessly or via WiFi or even if cable connected.

What's the indicator for a car to know that a code has been used before? Does it have a memory and logs history codes? Or go through a list of possible codes one by one in a random sequence? What if you've maxed out all the possible codes, does it start repeating codes?

The more I listen to him the more interesting

@8:30
.....isn't that what they do when they climb for altitude?

Wat about remote neural monitoring can you detect that at ulf ultra low frequency from 0mhz to 70mhz

Very interesting. One thing I would suggest to improve the recordings is to repeat or summarise the questions before responding.

i like samys style to make us understand all this bs.....thanks man

With RTL-SDR you can do much much more, AIS, Weather satellites and more

Very good presentation :-) just one thing: please repeat the questions in the Q&A

Rolling codes are very easy to catch, simply create a higher amplitude signal near there garage door and have a receiver where about they would activate it to open it. Sometimes they press it too soon anyway out of range, but as you said exactly repetition but rolling codes themselves are actually *breakable*. If you can capture numerous codes from opens and closes, you can actually use a deductive algorithm to reduce the time to what I calculate could be only a few days as there is no lockout. I call this attack deductive unrolling ;-) as you s aid, might be easier to kick there door in and get the keys. But, I don't like to give too many ideas publicly somewhat reluctant to even post this. Another thing, the rolling codes do have limits on older units so I believe it's usually 65k codes, newer one's have larger bit sequences. Now, WiFi enabled openers are gaining popularity and using pcap and simple wifi security flaws like one in Chamberlain (liftmaster) they leave ports open and you can pull the API cgi page which interfaces with the mobile app and it's easy enough for people like you and me. On car keys such as that on one of my older benz's, it actually uses IR for LoS functions like lowering windows and the IR portion may even have other functions. Again, I may delete this post as I'm a bit nervous over the possibilities and potential attention on this, and I was able to capture that with a learning IR remote and replay it. Worked once assuming I was near the transmitter unlock.

RF are so easy to hack, some time ago spend a day researching them. I found 315 and 433 Mhz are reserved for home automatization and basic security use. I got a Chinese universal remote controller that supports IR and RF on 315 and 433 Mhz and with push of a button I was able to clone and resend the signals for most of the things I have at home like door bell, car unlock and lock smart light switches panic buttons and others. It takes just few seconds to record the signal. But for more detailed knowledge Samy's video is just perfect. It's saves you allot time. Thanks man.

This dude make things soooo easy, he should make courses

All well said - how about some suggestions on how to protect yourself from key fob attacks? A simple one is to shield the key fob with a simple faraday cage, such as an aluminum foil, while at home or in the parking lot, if it comes to that.

For those who did not get the concept :
there is a synchronization counter C which gets incremented each time you press the key (of transmitter). Same way the receiver also stores the most recent validated synchronization counter it has received (N). Now when ever you press the key and send the pseudo-random number to the transmitter the transmitter also takes the synchronization counter C from transmitter (and to update itself will overwrite N with C). Now receiver will also produce the Cth code (corresponding to C i mean) and match with the code send by transmitter. There is also rolling window of acceptance for rolling codes say 100 or 1000 or whatever (depending upon which system you using for your Garage or Car keys). Now also note that C-N

Time well spent!

I am trying to setup RTL-SDR and one of the challenges seem to be an antennae that scans all GPS frequencies. Does anyone know how to contact Sammy? My understanding is there are 5 frequencies, and I wonder if I can do this with two antennae.

Glad he's one of the good guys!

Does this video talk about hackers listening in on your car convos??

Were can I buy THIS GADGET? 👍

So if you take someone's key fob and press unlock 1000 times while it is out of range of the receiver, that key fob would stop working forever?

very interesting and existing presentation :-)

45:50 “does Chrysler also have...” best part of video :) dyed laughing

Is there anything to detect the frequency of high speed lead?

in the old days my dad had a garage door opener that had a roller switch where you could just stand in front of whatever door hold down the button then roll the switch back and forth till it opened it took seconds

How would it work if there are 2 keys? Does that mean they aren’t using riling code?
I have a 2011 car with 2 keys.

Wait so if his garage door opener operates on a single frequency, does that mean it is an AM signal? Alternatively for my cell phone, there is a lower and an upper bound. Does this mean my phone does FM with a bandwidth of (Higherbound-Lowerbound)? Thanks. I'm sort of interested in this stuff. I took a class on antennas but I wished I asked more questions.

The part where talks about spoofing a ship's gps signal really made me think of the Key bridge incident. I'm not saying it was hacked, but the fact that it's possible is mind boggling.

Really good one, thanks.

Revert back to key only. Could cc TV recordings be compromise by external player's . What's safe !

Hello,
Anyone knows about a book so I can get to start learning about radio frequencies ? Thanks.

This video is essentially opening gates for new hackers

It would have been nice if you had repeated the unheard question. Fascinating video. I only drive old unfobbed vehicles lol

When you find a video which already you hit like on it but you don't remember it, do you watch it again?

Awesome content

what if remote just send a password+ current datetime and its encrypted into jwt for example and receiver decrypt this data and reading the password and checks id the date\time he got is not expired? I believe this solution should work, so if a hacked will replay the signal then car will not be unlocked because the date\time passed in the signal already expired, what do u think?

Great vid and a highly intelligent man

The scrolling code of clicker is not random but quasi random, meaning the series of passwords repeat after certain number of passwords had elapsed - for example the scrolling codes list repeat after 60 times of using different password codes. Professional thieves attach a receiver to your car without your knowledge to record all the rotating codes of your car and store it in their receiver then copy those codes into their transmitter to have complete control over your car - they use the same scrolling code of your car or garage. You will know that there is something attached to your car when the Bluetooth of your car keeps disconnecting and reconnecting or your mobile gets disrupted at times, then you need to inspect your car for some magnetically attached bug to your car from under your car. Use your camera phone with long stick to pass it all under your car and observe any attached bug. Once you find it present it to the police and have it investigated for finger prints, if any. When the police refuse to cooperate then you know they may have attached it to your car, or were instructed not to cooperate LOL

wow thx for sharing ive been trying to learn stuff like radio feq pwm etc which is a tough read but this made it easy to understand..literally everything is controlled by this stuff..this is scary i think ill throw away my dogs shock collar lol i only use it for vibration but who knows if my neighbors car or w.e. will make it go off..

Samy i really like this video but it’s 4 years old have you got an up date?

Samy is likely also an authority on cease-and-desist notifications. Pretty certain he could safely ignore most if not all of those.

I can not hear the questions coming from the audience.