Sir, how is my thinking hacked by radio frequency? Because whenever I am thinking inside me, my former church people (hackers) send the same recommendations on YouTube. In 2016 I slept in the church premises and experienced some electric shock in my right-side belly area; then I was manipulated by them. I cannot live by myself, no privacy too, I feel so bad. Please reply to my comment.
What if the remote just sends a password + current datetime and it's encrypted into a JWT, for example, and the receiver decrypts this data, reads the password and checks if the date/time it got is not expired? I believe this solution should work, so if a hacker replays the signal then the car will not be unlocked because the date/time passed in the signal has already expired. What do you think?
Wait so if his garage door opener operates on a single frequency, does that mean it is an AM signal? Alternatively for my cell phone, there is a lower and an upper bound. Does this mean my phone does FM with a bandwidth of (Higherbound-Lowerbound)? Thanks. I'm sort of interested in this stuff. I took a class on antennas but I wished I asked more questions.
What effect would an overpowering blank carrier have on the working freq., utterly swamping the lock receiver? Or even pulsed RF from a 100 watt sender? Some of these lock receivers are just super regen., not noted for high front end dynamics or adjacent channel selectivity. 433 MHz is/was a common freq. Right inside the 70cm Amateur band? 100 watts mobile with a high gain often available a few cars away?
@@cinibar Not interested in making the RX react. Quite the reverse. Talking in terms of simply swamping it. Some are only super regens. Hardly a front end with much dynamic range. Desensing must be a serious prob. A 2 watt tx with its antenna in the garage, close to the Rx and switched on after the garage were locked, might render the code u.s. to the hacker? While the garage is empty normal security would suffice.
@@MauriatOttolink Oh okay. This is different however this brings up another situation. In electrical theory it should work fine but if you use a power that is higher than the FCC allows for unlicensed items, especially in that ham band, you could interfere with amateur radio operations. Not good! Maybe an easier way would be to simply ground the RX antenna input when you were done using it. That way no signal could make the RX do anything.
@@cinibar Mr Sparks 51.. Couldn't agree more! I was certainly being a bit heavy handed. With a 1 watt transmission in the garage and a direct coupling (no antenna) you'd certainly swamp the garage receiver against any intruder attempts, but you'd swamp your own attempts to open the garage when you arrive home... Now that would be very useful!!!! A grounded antenna input wouldn't stop somebody with a big signal 5 feet away unless the entire set up were Faraday screened to a very great extent. I've tried it for close in direction finding. Can't eliminate sigs creeping in, inside the DF antenna! Thanks Mr Sparks.
@@MauriatOttolink Hi again, here's another thought. Use a transmitter/receiver key fob system to turn on and off power to the other receiver that you don't want hacked. It's pretty unlikely anyone would think they needed to double hack a system like that. Yeah it's sort of headed toward a Rube Goldberg conglomeration but security is security! And for a little more security, add a timer into the system so you only have a certain amount of time to activate the main receiver and or the key fob receiver! heh heh heh!
I am trying to set up RTL-SDR and one of the challenges seems to be an antenna that scans all GPS frequencies. Does anyone know how to contact Samy? My understanding is there are 5 frequencies, and I wonder if I can do this with two antennas.
For the time frame of 30:00: today's ARM MCUs have the capability of securing all communications by HW under supervisory mode. Unless you are dealing with older technology you will be at risk, because today's ARM MCUs have very strong security and a strict supervisory mode preventing unauthorised users from intervening. Old technology did not have the ability to lock supervisory mode and allowed intruders to switch from User Mode to Supervisory Mode wirelessly or via WiFi or even if cable connected.
Hey buddy. Quick question… There’s a frequency in my home that sounds like uhf or vhf that is either somehow about to read my mind or hear the low waves of me thinking out aloud. Have you ever heard of this and any idea on how to combat such a thing? Thanks.
Rolling codes are very easy to catch: simply create a higher amplitude signal near their garage door and have a receiver where they would activate it to open it. Sometimes they press it too soon anyway, out of range, but as you said exactly, repetition... but rolling codes themselves are actually *breakable*. If you can capture numerous codes from opens and closes, you can actually use a deductive algorithm to reduce the time to what I calculate could be only a few days, as there is no lockout. I call this attack deductive unrolling ;-) As you said, might be easier to kick their door in and get the keys. But I don't like to give too many ideas publicly, somewhat reluctant to even post this. Another thing, the rolling codes do have limits on older units, so I believe it's usually 65k codes; newer ones have larger bit sequences. Now, WiFi enabled openers are gaining popularity, and using pcap and simple WiFi security flaws like one in Chamberlain (LiftMaster) they leave ports open and you can pull the API cgi page which interfaces with the mobile app, and it's easy enough for people like you and me. On car keys such as that on one of my older Benzes, it actually uses IR for LoS functions like lowering windows, and the IR portion may even have other functions. Again, I may delete this post as I'm a bit nervous over the possibilities and potential attention on this, and I was able to capture that with a learning IR remote and replay it. Worked once, assuming I was near the transmitter unlock.
The scrolling code of the clicker is not random but quasi-random, meaning the series of passwords repeats after a certain number of passwords has elapsed. For example, the scrolling code list repeats after 60 uses of different password codes. Professional thieves attach a receiver to your car without your knowledge to record all the rotating codes of your car and store them in their receiver, then copy those codes into their transmitter to have complete control over your car; they use the same scrolling code as your car or garage. You will know that there is something attached to your car when the Bluetooth of your car keeps disconnecting and reconnecting or your mobile gets disrupted at times; then you need to inspect your car for some magnetically attached bug from under your car. Use your camera phone on a long stick to pass it all under your car and observe any attached bug. Once you find it, present it to the police and have it investigated for fingerprints, if any. When the police refuse to cooperate then you know they may have attached it to your car, or were instructed not to cooperate LOL
This is a fantastic video. Glad Samy is on the good side of the law. Do you know if auto manufacturers are only fixing new car systems, or do they also have some kind of hardware upgrade system to improve older cars?
All well said - how about some suggestions on how to protect yourself from key fob attacks? A simple one is to shield the key fob with a simple faraday cage, such as an aluminum foil, while at home or in the parking lot, if it comes to that.
Agreed. The last 5 minutes, roughly, were useless since we couldn't hear the questions and there weren't enough context clues to figure out what was being asked.
Interesting! I did something similar to reproduce the remote to an adjustable bed. Found out it used a CC2500. Now I can use my phone or Alexa to control the bed. :)
So isn't the rolling "code" window a math problem? If you're outside and record the lock / unlock commands, how many in a row do you need to get the equation? Smells like three would do. I have had to reset MB cars; it only takes hitting the remote a dozen times to get out of the "window".
The part where talks about spoofing a ship's gps signal really made me think of the Key bridge incident. I'm not saying it was hacked, but the fact that it's possible is mind boggling.
Buncha cool stuff! google WebSDR if you aren't already familiar to get a taste for sniffing the airwaves. I prefer the one in the Netherlands, I get lost in it for hours sometimes
Wow! Thanks for doing this. Are you saying that we don't need to use expensive spectrum analyzers to find signals? Signet Intelligence has that capability. I'd like to find out who is bombarding v2k technology to my head. Noticed sonar rays hitting my head while wearing a tight head wrap. Can hear a tracking sound.
Brilliant!!! VERY Interesting!!! I sure hope the car manufacturers with whom you shared your discoveries of the "vulnerabilities in security" offered you more than a handshake and a thank you. I'm sure this discovery to you was only one of curiosity, and a hacker's delight, although with this information you, sir, have helped progress technology as we know it.... not to mention saved a lot of people's cars from getting jacked!!! (LOL) I thank you. Keep on hacking, brother.
Even scarier!!! With technological backdoors like this one can easily perform a terrorist attack or a murder: just take control of his car and slam him offroad, or let's say into the White House?! Crazy. This guy is like the Tony Stark of hacking. Good job Samy, you are my new idol! :)
41:32 when a victim locks the car, your previously recorded codes become invalid. Isn't that what you said earlier? That's not a working scenario. The most probable scenario is when a victim locks a car at a parking lot and goes shopping. That's where an attacker may apply his previously recorded code. But this will work only if the car uses the same code for both locking and unlocking. I haven't seen such security systems since the 90s.
In the mid 70’s I had a Genie Alliance remote garage opener. I drove around my neighborhood on my bike with an Allen wrench and turned the adjustable ferrite coil (changing the frequency) and actually got someone’s garage to open.
I drive old trucks so I can actually repair them myself. A lot less electronics and fewer sensors; the dealerships essentially run on replacing sensors, and some service technicians even refer to the check engine light as "the dummy light." My neighbor had to bring his 2018 Ford F250 in to replace a traction control sensor and it ran him $900. With the oldies there is a lot less to go wrong or haywire on me. I have decided to stick with the simpler, old but good vehicle models. I am mechanically inclined, but a noob when it comes to electronics.
@@dwellner502 Nice! Another great feature is the older vehicles are made with much more metal and heavier frames. Thick steel, stuff that won't crush like a tin can. Back when they were so concerned with MPG.
Like seriously tryna get some help locking your cash app I recommend y’all to *HOOKTECHIE* on instagram this dude surprised me by unlocking my locked MacBook successfully....💻
The idea that 'these gadgets weren't even real then' is something to beware of. I knew a man who was working on them (automated signal radio frequency listeners and repeaters for car (un)locking devices, alarms, etc.), working indirectly for the UK's intelligence services, over 20 years ago. The military is miles ahead of what is released to the public, or to industry, per se. Don't underestimate what they know and are capable of, and yes, many of them (from those I have met) are in layman's terms 'evil', cowards with few or no friends, and little/no understanding of society, community, truth or loyalty, and therefore they derive their kicks from getting praise and recognition from their superiors/hirers. Who else would praise them?
What if someone sent a random video to my phone. And when that video was finished it was gone. With no trace. It looked like a RUclips video but didn't show up in history. How do I find out who sent it?
Possibly the best answer for the public acceptance of Def Con, literally laying out the pathway of how vastly distributed insecure systems can be horrifically exploited because security standards weren't even a consideration. The arc from innocent fooling with your garage door to literally stealing any vehicle anywhere so long as you have cased it earlier is just a solid gradient from happy fun to full GTA superthief. Samy Kamkar did a wonderful job, not just as a sploiter, but as a presenter, this is top level Def Con.
This is a very interesting talk. It gives even a non nerd a great insight into how insecure our world has become. "Just because it's invisible, doesn't mean it's safe" is a very eye opening statement. You have given me a new respect for hackers.
Samy is a terrific presenter.
Yeah he is one of the gang stalkers. That's why he teaches classes on this shit.
A waste of time
Wrong email and/or website, not mine?
Samy Kamkar one of the most brilliant people you'll ever hear !!! Samy is my HERO 😁
GM is the perfect example of listen when someone is speaking to you, and have the respect to, at least somewhat, hear it out.
So how would you defend against this sort of attack
@@foreverhidden0465 A medieval shield
A safe way to lock/unlock a car is, instead of using a rolling key, to use RSA with timestamp encryption. The car would send a public key to the key fob, and the key fob would respond with an encrypted and salted hash containing the encrypted pass plus the command. That would be encrypted via a timestamp as well, as part of the public key. The private key would be used to decrypt the (command + pass) hash, but would never be sent via radio.
Edit: Just saw the end of the video, and you suggest the same. Nice!
I feel like as long as the action remains electronic it will always be vulnerable. Hence: the killswitch.
@@j4k3z sure but this is WAAAY harder to hack than regular rolling codes.
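The comment above proposes replacing rolling codes with an asymmetric challenge-response, and an earlier comment proposes a password plus timestamp. Both rely on freshness; the following added example (not code from the talk or from any commenter) shows the simpler symmetric form of the same idea: the car issues a random nonce, the fob answers with an HMAC over nonce and command, and the car consumes each nonce exactly once. The HMAC stands in for the RSA the comment suggests; the shared key, the `Car`/`Fob` classes and the 16-byte nonce size are assumptions of this example.

```python
import hashlib
import hmac
import secrets


class Car:
    """Receiver side: issues one-time nonces and verifies the fob's answer."""

    def __init__(self, key: bytes):
        self.key = key          # constructed pairing secret shared with one fob
        self.pending = None     # nonce issued but not yet answered
        self.locked = True

    def challenge(self) -> bytes:
        # Freshness comes from the car, not from a clock, so no time sync is needed.
        self.pending = secrets.token_bytes(16)
        return self.pending

    def respond_to(self, nonce: bytes, command: str, tag: bytes) -> bool:
        if self.pending is None or nonce != self.pending:
            return False        # stale or foreign nonce: a replay lands here
        self.pending = None     # a nonce is good for exactly one answer, right or wrong
        expected = hmac.new(self.key, nonce + command.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False        # wrong key, or the command was altered after signing
        self.locked = (command == "lock")
        return True


class Fob:
    """Transmitter side: proves key possession for this nonce and this command."""

    def __init__(self, key: bytes):
        self.key = key

    def answer(self, nonce: bytes, command: str):
        tag = hmac.new(self.key, nonce + command.encode(), hashlib.sha256).digest()
        return nonce, command, tag


def demo() -> dict:
    """Walk through the exchange, including the replays the thread worries about."""
    key = b"constructed-pairing-secret"
    car, fob = Car(key), Fob(key)
    results = {}

    n1 = car.challenge()
    captured = fob.answer(n1, "unlock")          # what a sniffer in the lot would record
    results["fresh"] = car.respond_to(*captured)              # accepted once
    results["replay_same_nonce"] = car.respond_to(*captured)  # nonce already consumed

    n2 = car.challenge()
    results["replay_new_nonce"] = car.respond_to(*captured)   # bound to n1, not n2
    nonce, _cmd, tag = fob.answer(n2, "unlock")
    results["tampered_command"] = car.respond_to(nonce, "lock", tag)  # tag covers command

    n3 = car.challenge()
    results["fresh_again"] = car.respond_to(*fob.answer(n3, "lock"))
    results["locked_after"] = car.locked
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {ok}")
```

A recorded answer is useless after the nonce it was computed for has been consumed, which is the property the rolling-code jam-and-replay discussion in this thread is really after. Note what the scheme does not cover: it still requires a two-way radio link on the fob, and it does nothing against a live relay that simply forwards the challenge to a fob that is out of range.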
Had my attention the entire time. That is even more impressive than your brute force 4 second average cracking time.
I don't mean to be off topic, but do any of you know a tool to get back into an Instagram account??
I was dumb and forgot the password. I appreciate any help you can give me.
@Vicente Andrew instablaster =)
@Patrick Collin thanks for your reply. I got to the site through Google and I'm waiting for the hacking stuff now.
Takes a while so I will get back to you later with my results.
@Patrick Collin it did the trick and I actually got access to my account again. I am so happy!
Thank you so much, you saved my ass :D
@Vicente Andrew glad I could help xD
Samy this video is so good man. Never heard such an interesting talk with such technical details and so much knowledge. Memes were on point too. You da man.
Oh the days of FSK Modulated Bit Shift Keys were sweet.. Could open any garage door so easy.. Remote gates were easy as well.. But my oh my how things have changed... Great Presentation... Thank You
I've been a Ham for over thirty five years and can remember driving around with my dad's car as a teenager with a CB and a 600 watt amplifier and activating bank alarms, opening electric gates and garage doors, and emptying the nightclubs by causing an ear piercing feedback to their sound systems.
lol
People in my area used to stop at a red light near a furniture store and turn on the touch lamps at night with their little 100-200 watt amps.
What an expletive generator you are.
@@jerrygaber6150 huh?
For those who did not get the concept :
There is a synchronization counter C which gets incremented each time you press the key (of the transmitter). In the same way the receiver also stores the most recent validated synchronization counter it has received (N). Now whenever you press the key and send the pseudo-random number to the receiver, the transmitter also sends the synchronization counter C from the transmitter (and to update itself the receiver will overwrite N with C). Now the receiver will also produce the Cth code (corresponding to C, I mean) and match it with the code sent by the transmitter. There is also a rolling window of acceptance for rolling codes, say 100 or 1000 or whatever (depending upon which system you are using for your garage or car keys). Now also note that C-N
True story.
My neighbors think I'm a little strange. They locked their keys in their car two months ago. Was walking the dog and talked to them. I told them I can take any sauce pan, put a rock in it, scream loudly in the pan and put the lid on, it will unlock any car. Went inside the house, got the pan and did this. Their jaws hit the floor. They tried for hours after I left.
Maybe I should tell them I recorded their keyfob with my LimeSDR previously just in case and my daughter hit the mouse button after I told her to wait for my signal.
Just a question: Why do you have the car door codes for your neighbor's car?
@@ovencake523 Just in case...
Great lil story if it's true. Hehehehe
Priceless
Haha that is hilarious! Great thinking by playing a little joke with the sauce pan! I wonder if you ever told them what you really did!?
One thing I think would be cool to add in the section relating to MITM attacks would be the usage of a deauthentication attack, or a re-pair attack as it's known in Bluetooth. This can help capture that wireless handshake as well as cause a device to connect to your false network.
maybe
I like how he is so excited but ham radio operators have been using this equipment for a while. Everything begins with the understanding of RF.
@@maxwellryanryan1839 zq
Am and FM to throw it off.
I think I will 'record' the frequency for my car and keep that data just in case I lose my key.
funniest comment on here ...
good
It is not gonna work. Car key signals are encoded and encrypted using random numbers and algorithms like KeeLoq cipher.
@@DupczacyBawol Correct. But, Samy created the code to successfully capture the signal and do so as mentioned above. He obviously will not release the code due to malicious use. Look at his site/google for the article. RollJam by Samy Kamkar
that moment he opened the recorded garage door signal modulation waveform in audacity.... genius. Crystal clear! This is the core essence of hacking.... learning and understanding technologies, and use them in ways they weren't designed for.
Chris Savage, hi there. Seen your comment and thought you must know what you're talking about. I've got some questions on translating RF into binary.
@@dandwrasan2342 Go ahead
What's the indicator for a car to know that a code has been used before? Does it have a memory and logs history codes? Or go through a list of possible codes one by one in a random sequence? What if you've maxed out all the possible codes, does it start repeating codes?
From half an hour to just eight seconds - This is insanely fast.
now you understand the power of Math ;)
Every garage door on the block opens in an 8-second span
@@masskiller9206 I would love to see someone transmitting that code with stupidly high transmitting power, just to open random garage doors in a city all at the same time. Just for the lols.
@@GODofTimewaste2 regular power, very high gain antenna lol
@John fine, _suburban area of a city_ . I bet there are devices that would react to this even in an urban center though.
When you find a video which already you hit like on it but you don't remember it, do you watch it again?
This is a very interesting lecture with a wealth of information. It would have been awesome of you to leave links for everything you are talking about.
The problem with rolling codes... They all roll around back to the beginning. In a way, they are exactly as easy to crack as a stationary code of the same length.
If you roll... 123, 234, 345, 456, 567... 901, 012, 123...
Just broadcasting "123", every single time, you will eventually hit "123", after it rolls-around, as fast as if "901" was the ONLY code, and you had to step-up to "901".
As for being a rolling "set" of fake randoms... That makes it even easier, because there are even MORE values that are "true", not "less", in that same range. It will accept "123" OR "567" OR "091", because any of those could be "possible" as your random "next" code that it has to accept as "true".
This is so fascinating. I want to learn more
RF is so easy to hack; some time ago I spent a day researching it. I found 315 and 433 MHz are reserved for home automation and basic security use. I got a Chinese universal remote controller that supports IR and RF on 315 and 433 MHz, and with the push of a button I was able to clone and resend the signals for most of the things I have at home like the door bell, car unlock and lock, smart light switches, panic buttons and others. It takes just a few seconds to record the signal. But for more detailed knowledge Samy's video is just perfect. It saves you a lot of time. Thanks man.
SS Suleyman is it so easy like you say to hack these signals ?
The wave the car key sends is encrypted
No, you are wrong regarding digital transmission.
Abdallah Shuaibu that’s true 👍🏻
What would you use to find out if somebody is chipped, a frequency detector or an EMF detector??
So if you take someone's key fob and press unlock 1000 times while it is out of range of the receiver, that key fob would stop working forever?
I can not hear the questions coming from the audience.
What about remote neural monitoring, can you detect that at ULF (ultra low frequency) from 0 MHz to 70 MHz?
Interesting information. This shows that there is nothing quite like a hidden kill switch on your vehicle. Put the switch in line with power to the starter or ignition and make it hard to find easily. Hardware trumps software. The best place might be the power line to the fuel pump. The engine will crank and might start, until it shortly runs out of fuel.
Hey Samy, do you know if it is possible (in theory) to duplicate a car remote key (its features) onto a different device with remote capabilities? If using my own key, is there an option to duplicate it to another digital device with remote options?
I wonder, if you attempted to brute force a garage door in a residential area then what's preventing you from opening other garage doors in the area during the process?
Range mostly
Revert to key only. Could CCTV recordings be compromised by external players? What's safe!
How would it work if there are 2 keys? Does that mean they aren’t using rolling code?
I have a 2011 car with 2 keys.
I think this is one of the most interesting videos I've ever seen ! Thank you for all the great information and details 👌👏
Wow, the De Bruijn sequence is amazing! I wonder if vehicle makes now perform validation or hash their pw's.
Exciting and disturbing in roughly equal measure. I like classic cars all the more now!
lol I hear that one .
but classic cars are much easier to break into
TheBreakfastGod you are not wrong. My car has no keys or locks for that matter and starts with a screwdriver. That said, perhaps not so easy to gain access to when at speed on the road 🤣.
Yep oldies but goodies. Lot less to go haywire, lot less sensors. All this tech in vehicles has amounted to big bucks for the dealerships.
@yams3954 yes they are, but if a person wants to steal something bad enough they will find a way usually.
To prevent the jam+replay hack, if the rolling code is just continuing for every keypress, locking the car should invalidate the previously recorded unlock code.
Nope, won't work. The receiver misses some of the transmitted rolled codes and thus is out of sync and does not know which rolled code it missed in the series of expected codes (in a receive-only setup). To fix this you could use a spectrum of possible rolled codes (with a reset every x tries), but this increases accessibility to brute force.
loved this presentation and how you displayed the slides too, very informative and kept it laughable and fun.
Someone just hacked my key fob yesterday and remote started my vehicle. 2 hours later they also unlocked the doors while I was inside a restaurant. How do I protect against this?
To view a wider RF spectrum, use a hand-held spectrum analyser with a small embedded display. They are about $100 up to a few thousand dollars in price depending on capabilities. You may get a basic hand-held SA for $200 or so and view all frequencies, say from 15 MHz up to a few GHz.
Samy is still my hero!
My space
@noson_ is your space
@Cygnus0lor sorry, I do not understand what you are writing to me
Good for you kid, living villains are becoming heroes to people nowadays. What the world has come to.
Sir, how is my thinking hacked by radio frequency? Because whenever I am thinking inside me, my former church people (hackers) send the same recommendations on YouTube. In 2016 I slept in the church premises and I experienced some electric shock in my right side belly area. Then I am manipulated by them; I cannot live by myself, no privacy too. I feel so bad, please reply to my comment.
You have schizophrenia
What if the remote just sends a password + current datetime, encrypted into a JWT for example, and the receiver decrypts this data, reads the password and checks if the date/time it got has not expired? I believe this solution should work, so if a hacker replays the signal then the car will not be unlocked because the date/time passed in the signal has already expired. What do you think?
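The comment above proposes binding each transmission to a timestamp so a recorded message expires. The sketch below is an added example, not code from the talk or from any manufacturer, of the closely related challenge-response design: instead of trusting the fob's clock, the car sends a fresh random nonce and the fob answers with an HMAC over nonce and command under a shared key. The key, key value, command names and the single-pending-challenge rule are all assumptions of this example. The trade-off worth noting is that this needs a two-way radio (the car must transmit), whereas the timestamp scheme needs the fob and car clocks to stay in sync; both defeat straight replay.

```python
import hashlib
import hmac
import os

# Hypothetical per-vehicle key shared by car and fob (provisioned at manufacture).
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


class Car:
    """Receiver side: issues a fresh random challenge for every press and only
    accepts a MAC computed over that exact challenge and command."""

    def __init__(self, key):
        self.key = key
        self.pending = None  # the one outstanding challenge, if any
        self.unlocked = False

    def challenge(self):
        self.pending = os.urandom(16)  # 128-bit nonce, never reused
        return self.pending

    def verify(self, command, tag):
        if self.pending is None:
            return False
        expected = hmac.new(self.key, self.pending + command, hashlib.sha256).digest()
        self.pending = None  # single use, whether or not the check passes
        ok = hmac.compare_digest(expected, tag)
        if ok and command == b"UNLOCK":
            self.unlocked = True
        return ok


class Fob:
    """Transmitter side: binds the command to the car's nonce with an HMAC.
    The key itself is never sent over the air."""

    def __init__(self, key):
        self.key = key

    def respond(self, nonce, command):
        return hmac.new(self.key, nonce + command, hashlib.sha256).digest()


def legitimate_unlock(car, fob):
    nonce = car.challenge()
    return car.verify(b"UNLOCK", fob.respond(nonce, b"UNLOCK"))


def replay_attack(car, fob):
    """Attacker records one full exchange, then replays the fob's answer later.
    The car has issued a new nonce by then, so the old MAC no longer matches."""
    nonce = car.challenge()
    recorded = fob.respond(nonce, b"UNLOCK")
    car.verify(b"UNLOCK", recorded)  # the owner's own press succeeds
    car.challenge()                  # next session, fresh nonce
    return car.verify(b"UNLOCK", recorded)


def command_swap_attack(car, fob):
    """Attacker captures a LOCK response and tries to present it as UNLOCK.
    The command is inside the MAC input, so the tag does not transfer."""
    nonce = car.challenge()
    recorded = fob.respond(nonce, b"LOCK")
    return car.verify(b"UNLOCK", recorded)
```

Because the nonce is consumed on every verification attempt, an attacker who jams the fob's reply cannot bank it for later either: by the time it is replayed the car is waiting on a different nonce.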
Wait so if his garage door opener operates on a single frequency, does that mean it is an AM signal? Alternatively for my cell phone, there is a lower and an upper bound. Does this mean my phone does FM with a bandwidth of (Higherbound-Lowerbound)? Thanks. I'm sort of interested in this stuff. I took a class on antennas but I wished I asked more questions.
Yes, you nailed both cases
Nice lecture, good overview of fun stuff to play with and the hardware/software starter tools.
What effect would an overpowering blank carrier have on the working freq., utterly swamping the lock receiver? Or even pulsed RF from a 100 W sender?
Some of these lock receivers are just super regen., not noted for high front end dynamics or adjacent channel selectivity.
433 MHz is/was a common freq. Right inside the 70 cm Amateur band? 100 watts mobile with high gain is often available a few cars away?
High power isn't going to do it. You still need the code to make the receiver react.
@cinibar Not interested in making the RX react. Quite the reverse. Talking in terms of simply swamping it. Some are only super regens. Hardly a front end with much dynamic range. Desensing must be a serious prob.
A 2 watt tx with its antenna in the garage, close to the Rx and switched on after the garage were locked, might render the code u.s. to the hacker?
While the garage is empty normal security would suffice.
@MauriatOttolink Oh okay. This is different, however this brings up another situation. In electrical theory it should work fine, but if you use a power that is higher than the FCC allows for unlicensed items, especially in that ham band, you could interfere with amateur radio operations. Not good! Maybe an easier way would be to simply ground the RX antenna input when you were done using it. That way no signal could make the RX do anything.
@cinibar Mr Sparks 51.. Couldn't agree more! I was certainly being a bit heavy handed.
With a 1 watt transmission in the garage and a direct coupling (no antenna) you'd certainly swamp the garage receiver against any intruder attempts, but you'd swamp your own attempts to open the garage when you arrive home... Now that would be very useful!!!!
A grounded antenna input wouldn't stop somebody with a big signal 5 feet away unless the entire set up were Faraday screened to a very great extent.
I've tried it for close in direction finding. Can't eliminate sigs creeping in, inside the DF antenna!
Thanks Mr Sparks.
@MauriatOttolink Hi again, here's another thought. Use a transmitter/receiver key fob system to turn on and off power to the other receiver that you don't want hacked. It's pretty unlikely anyone would think they needed to double hack a system like that. Yeah, it's sort of headed toward a Rube Goldberg conglomeration, but security is security! And for a little more security, add a timer into the system so you only have a certain amount of time to activate the main receiver and/or the key fob receiver! heh heh heh!
I am trying to set up RTL-SDR and one of the challenges seems to be an antenna that scans all GPS frequencies. Does anyone know how to contact Sammy? My understanding is there are 5 frequencies, and I wonder if I can do this with two antennas.
For the time frame of 30:00: today's ARM MCUs have the capability of securing all communications by HW under supervisory mode. Unless you are dealing with older technology you will not be at risk, because today's ARM MCUs have very strong security and a strict supervisory mode preventing unauthorised users from intervening. Old technology did not have the ability to lock supervisory mode and allowed intruders to switch from User Mode to Supervisory Mode wirelessly, via WiFi, or even when cable connected.
What's the exact model of the CC1101 thingy? Can anyone tell me.
So how would you defend against this sort of attack if someone attacks your devices this way
Hey buddy. Quick question…
There’s a frequency in my home that sounds like uhf or vhf that is either somehow about to read my mind or hear the low waves of me thinking out aloud. Have you ever heard of this and any idea on how to combat such a thing?
Thanks.
I think I might be able to help you. Can you tell me more, like your exact set up?
It's happening to me now, they can read my mind and what I'm thinking about. It's fucking crazy.
I'm a T.I.
You have schizophrenia
Rolling codes are very easy to catch: simply create a higher amplitude signal near their garage door and have a receiver where they would activate it to open it. Sometimes they press it too soon anyway, out of range. But, as you said, exactly repetition... rolling codes themselves are actually *breakable*. If you can capture numerous codes from opens and closes, you can actually use a deductive algorithm to reduce the time to what I calculate could be only a few days, as there is no lockout. I call this attack deductive unrolling ;-) As you said, it might be easier to kick their door in and get the keys. But I don't like to give too many ideas publicly; somewhat reluctant to even post this. Another thing: the rolling codes do have limits on older units, so I believe it's usually 65k codes; newer ones have larger bit sequences. Now, WiFi enabled openers are gaining popularity, and using pcap and simple WiFi security flaws like the one in Chamberlain (LiftMaster), they leave ports open and you can pull the API cgi page which interfaces with the mobile app, and it's easy enough for people like you and me. On car keys such as that on one of my older Benzes, it actually uses IR for LoS functions like lowering windows, and the IR portion may even have other functions. Again, I may delete this post as I'm a bit nervous over the possibilities and potential attention on this, and I was able to capture that with a learning IR remote and replay it. Worked once, assuming I was near the transmitter unlock.
… near *THEIR* garage…
The scrolling code of a clicker is not random but quasi-random, meaning the series of passwords repeats after a certain number of passwords has elapsed; for example, the scrolling code list repeats after 60 uses of different password codes. Professional thieves attach a receiver to your car without your knowledge to record all the rotating codes of your car and store them in their receiver, then copy those codes into their transmitter to have complete control over your car; they use the same scrolling code as your car or garage. You will know that there is something attached to your car when the Bluetooth of your car keeps disconnecting and reconnecting or your mobile gets disrupted at times. Then you need to inspect your car for some magnetically attached bug from under your car. Use your camera phone on a long stick to pass it all under your car and observe any attached bug. Once you find it, present it to the police and have it investigated for fingerprints, if any. When the police refuse to cooperate, then you know they may have attached it to your car, or were instructed not to cooperate LOL
@8:30 .....isn't that what they do when they climb for altitude?
A scrambler changes my code; as I pressed the remote it automatically reconfigured and matched no airwave points.
This is a fantastic video. Glad Samy is on the good side of the law. Do you know if auto manufacturers are only fixing new car systems, or do they also have some kind of hardware upgrade system to improve older cars?
No, but can install.
what if your device is not made for USA. Will I have an ID for the regulation center of the country for which the device is made ?
All well said - how about some suggestions on how to protect yourself from key fob attacks? A simple one is to shield the key fob with a simple faraday cage, such as an aluminum foil, while at home or in the parking lot, if it comes to that.
Very interesting. One thing I would suggest to improve the recordings is to repeat or summarise the questions before responding.
Agreed. The last 5 minutes, roughly, were useless since we couldn't hear the questions and there weren't enough context clues to figure out what was being asked.
Yup thought the same thing. Someone get that man a microphone, or as you say, just simply repeat the question for us.
Legends without cars are watching ❤❤
Samy, I really like this video but it’s 4 years old. Have you got an update?
I did not understand the brute force part. Could someone explain that?
Interesting! I did something similar to reproduce the remote to an adjustable bed. Found out it used a CC2500. Now I can use my phone or Alexa to control the bed. :)
Wow incredible you must use sure app!
With RTL-SDR you can do much much more, AIS, Weather satellites and more
Is there anything to detect the frequency of high speed lead?
Hello, does anyone know of a book so I can get started learning about radio frequencies? Thanks.
So isn't the rolling "code" window a math problem? If you're outside and record the lock / unlock commands, how many in a row do you need to get the equation? Seems three would do. I have had to reset MB cars; it only takes hitting the remote a dozen times to get out of the "window".
This is a brilliant lecture, natural teacher
lmao good opener "we all love nic cage right"
Can this technique be used to unlock a car door ?
Yes but not as quickly as you can with a rock.
Hey. Just watched one of your videos and in it you speak about a toy called IM-ME. Any chance you have one spare to send to the UK please?
Does this video talk about hackers listening in on your car convos??
As soon as you started explaining that you were cutting the pauses between the signals I said to myself "we can use superpermutations here"
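The De Bruijn sequence praised a few comments up and the "cut the pauses between the signals" observation just above describe the same trick: a fixed-code receiver keeps a shift register of the last n symbols it heard and never resets it, so one continuous stream in which every n-symbol code appears as a window tries every code in k^n + n - 1 symbols instead of n·k^n. The block below is an added example, not code from the talk, of the standard FKM construction of B(k, n) plus a toy shift-register receiver used to confirm coverage. The receiver model, the symbol period and the absence of any inter-code gap are assumptions; real receivers may demand a preamble or sync word, which this model ignores. It generalises to k = 3 for tri-state DIP-switch codes as well as binary ones.

```python
from itertools import product


def de_bruijn(k, n):
    """B(k, n): a cyclic sequence of length k**n over the alphabet 0..k-1 in which
    every word of length n appears exactly once (the standard FKM construction)."""
    a = [0] * (k * n)
    out = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return out


def brute_force_stream(k, n):
    """Linear transmission that contains every n-symbol code as a contiguous window:
    the cyclic sequence plus its first n-1 symbols wrapped around."""
    seq = de_bruijn(k, n)
    return seq + seq[:n - 1]


def symbols_until_open(stream, code):
    """Model of a fixed-code receiver whose shift register never resets: it keeps
    the last n symbols received and opens when they equal the programmed code.
    Returns how many symbols had to be sent before the door opened, or None."""
    n = len(code)
    window = []
    for i, sym in enumerate(stream, start=1):
        window.append(sym)
        if len(window) > n:
            window.pop(0)
        if window == list(code):
            return i
    return None


def all_codes_covered(k, n):
    """True if every possible code opens somewhere inside the single stream."""
    stream = brute_force_stream(k, n)
    return all(symbols_until_open(stream, code) is not None
               for code in product(range(k), repeat=n))


def naive_symbols(k, n):
    """Cost of sending each code separately, with no inter-code pause counted."""
    return n * k ** n


def airtime_seconds(k, n, symbol_period_s):
    """Wall-clock time for the De Bruijn stream at an assumed symbol period."""
    return len(brute_force_stream(k, n)) * symbol_period_s
```

For a 12-bit binary code the stream is 4107 symbols against 49152 for one-code-at-a-time, before any pause between codes is even counted; at an assumed 2 ms symbol period that is roughly eight seconds of airtime. Superpermutations, mentioned above, solve a different problem (every ordering of n distinct symbols); for "every n-symbol word over an alphabet" De Bruijn is the optimal construction.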
The part where he talks about spoofing a ship's GPS signal really made me think of the Key Bridge incident. I'm not saying it was hacked, but the fact that it's possible is mind boggling.
This is just amazing ! I'll order a RTL-SDR right next month :) I'm sooo excited what i'll find...
Buncha cool stuff! Google WebSDR if you aren't already familiar, to get a taste for sniffing the airwaves. I prefer the one in the Netherlands; I get lost in it for hours sometimes.
what did you find? :D
@Wiresgalore That is the best imo.
Did you get one??
Wow! Thanks for doing this. Are you saying that we don't need to use an expensive spectrum analyzer to find signals? Signet Intelligence has that capability. I'd like to find out who is bombarding V2K technology at my head. Noticed sonar rays hitting my head while wearing a tight head wrap. Can hear a tracking sound.
Brilliant!!! VERY Interesting!!!
I sure hope the car manufacturers with whom you shared your discoveries of the "vulnerabilities in security" offered you more than a handshake and a thank you. I'm sure this discovery to you was only one of curiosity and a hacker's delight, although with this information you, sir, have helped progress technology as we know it.... not to mention saved a lot of people's cars from getting jacked!!! (LOL) I thank you. Keep on hacking brother.
Even scarier!!! With technological backdoors like this one can easily perform a terrorist attack or a murder: just take control of his car and slam him off-road, or let's say into the White House?! Crazy. This guy is like the Tony Stark of hacking. Good job Samy, you are my new idol! :)
41:32 when a victim locks the car, your previously recorded codes become invalid. Isn't that what you said earlier? That's not a working scenario.
The most probable scenario is when a victim locks a car at a parking lot and goes shopping. That's where an attacker may apply his previously recorded code. But this will work only if the car uses the same code for both locking and unlocking. I haven't seen such security systems since the 90s.
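The two comments above, the earlier exchange about whether locking should invalidate a recorded unlock code, and the question about pressing a fob a thousand times out of range all come down to how a rolling-code receiver decides which counter values it will accept. The model below is an added example, not code from the talk or from any chip vendor: the counter stands in for the encrypted code (a real fob encrypts it under a per-fob key, but acceptance depends only on the counter the receiver recovers), the forward window of 16 and the wider two-consecutive-codes resync window are assumed values in the style of KeeLoq-class parts, and lock and unlock share one counter. It runs the plain replay, the out-of-range presses, the jam-and-replay attack in the form the talk presents (jam, record, replay the older code, keep the newest), and the single-counter case where the owner's later press does retire a held code.

```python
"""Rolling-code receiver model with a jam-and-replay (RollJam-style) attacker."""

WINDOW = 16        # assumed: codes ahead of the last accepted one that are taken outright
RESYNC = 1 << 15   # assumed: wider window needing two consecutive codes to resynchronise


class Fob:
    def __init__(self):
        self.counter = 0

    def press(self):
        self.counter += 1
        return self.counter   # stands in for the encrypted rolling code


class Receiver:
    def __init__(self):
        self.last = 0               # highest counter accepted so far
        self.resync_candidate = None

    def receive(self, code):
        delta = code - self.last
        if 0 < delta <= WINDOW:
            self.last, self.resync_candidate = code, None
            return True
        if WINDOW < delta <= RESYNC:
            # Two consecutive codes prove a live fob rather than a single replay.
            if self.resync_candidate is not None and code == self.resync_candidate + 1:
                self.last, self.resync_candidate = code, None
                return True
            self.resync_candidate = code
            return False
        return False   # replayed (delta <= 0) or beyond any window


def presses_out_of_range(n):
    """Press the fob n times away from the receiver, then walk back.
    Returns the acceptance results of the next two presses in range."""
    fob, rx = Fob(), Receiver()
    for _ in range(n):
        fob.press()
    return (rx.receive(fob.press()), rx.receive(fob.press()))


def plain_replay():
    """Record a code the receiver already consumed and send it again."""
    fob, rx = Fob(), Receiver()
    code = fob.press()
    return (rx.receive(code), rx.receive(code))   # second use is refused


def rolljam(owner_presses):
    """Attacker jams every press the owner makes, records it, and replays the
    previously recorded code so the owner sees the door react. After any number
    of presses the attacker holds one unused code the receiver will accept."""
    fob, rx = Fob(), Receiver()
    held = None
    for _ in range(owner_presses):
        captured = fob.press()          # jammed: receiver never sees it
        if held is not None and not rx.receive(held):
            raise RuntimeError("stale code unexpectedly refused")
        held = captured
    return rx.receive(held)             # attacker's later use of the newest code


def held_code_after_owner_press():
    """No continuous jamming: attacker records two jammed presses and replays
    the first. The owner's next unjammed press (say, lock) moves the counter
    past the second recorded code, which the receiver then refuses."""
    fob, rx = Fob(), Receiver()
    c1, c2 = fob.press(), fob.press()   # both jammed and recorded
    rx.receive(c1)                      # attacker replays c1: accepted
    rx.receive(fob.press())             # owner's own press: counter moves on
    return rx.receive(c2)
```

The two attack functions show the difference the comments are arguing over: a held code does die as soon as the owner gets a clean press through, which is why the attack as presented keeps jamming and rolling the held code forward rather than banking one and walking away.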
I’m not sure if he said or not what to do if you want your rfs back like someone hacking your rfs
Can that HackRF thing be used for this?
Garage door openers haven't had DIP switches in a long time. All modern ones are rolling code.
In the mid 70’s I had a Genie Alliance remote garage opener. I drove around my neighborhood on my bike with an Allen wrench and turned the adjustable ferrite coil (changing the frequency) and actually got someone’s garage to open.
I just installed a new garage door opener and it has dip switches…
NEED ONE OF THESE FOR MY RESEARCH. PLEASE TELL ME YOU STILL HAVE ONE THAT YOU CAN LET GO OF?
Are you talking about the pink toy with the sub-GHz transceiver? I thought about emailing him but I'm a noob.
This was an excellent presentation, well explained! Thank you!
This talk is so damn interesting, loved it :D
This dude make things soooo easy, he should make courses
I drive old trucks so I can actually repair them myself. A lot less electronics and fewer sensors; the dealerships essentially run on replacing sensors, and some service technicians even refer to the check engine light as "the dummy light." My neighbor had to bring his 2018 Ford F250 in to replace a traction control sensor and it ran him $900. With the oldies there is a lot less to go wrong or haywire on me. I am destined to stick with the simpler, old but good vehicle models. I am mechanically inclined, but a noob when it comes to electronics.
I’m in the same boat. I’ve decided to stick with buying old vehicles as well.
@dwellner502 nice! Another great feature is the older vehicles are made with much more metal and heavier frames. Thick steel, stuff that won't crush like a tin can. Back before they were so concerned with MPG.
It would have been nice if you had repeated the unheard question. Fascinating video. I only drive old unfobbed vehicles lol
What is stingray?
When you do the q and a could you repeat the question asked? All I could hear was your response.
I have a key and a missing car. Any help is welcome
Find out where your OnStar antenna is and cut the antenna. It's now disabled.
What if 3 of your windows don't roll down?
Worth every minute😍😍 RF is a very interesting topic. Dude😍😍
I’ve been researching forklifts… A forklift can do xyz… what if you come with your own forklift and do xyz FIRST?!
What??
Fascinating. Great job on the presentation. Ten stars
Samy is likely also an authority on cease-and-desist notifications. Pretty certain he could safely ignore most if not all of those.
My guess is that PSK (phase shift keying) is harder to decode. Your device would see a single, fixed frequency, continuous signal.
PSK is very easy to decode. SDR software has it built in.
Recently discovered Samy. Great stuff, Man! TY!
I just park on the street with my windows down now
No doubt.
The idea that 'these gadgets weren't even real then' is something to beware of. I knew a man who was working on them (automated signal radio frequency listeners and repeaters for car (un)locking devices, alarms, etc), working indirectly for the UKs intelligence services, over 20 years ago. The military is miles ahead of what is released to the public, or to industry, per-se. Don't underestimate what they know and are capable of, and yes, many of them (from those I have met) are in layman's terms 'evil', cowards with few or no friends, and little/no understanding of society, community, truth or loyalty, and therefore they derive their kicks from getting praise and recognition from their superiors/hirers - who else would praise them?
I want a program and software for removing a jammer connection.
Hey Sammy, do you have any of the Barbie IM-MEs? I am working on a similar project. Nothing shady. It's been a long time so I won't hold my breath.
What if someone sent a random video to my phone, and when that video was finished it was gone, with no trace? It looked like a YouTube video but didn't show up in history. How do I find out who sent it?
You have schizophrenia