I Hacked Into My Own Car
HTML-код
- Опубликовано: 2 дек 2020
- The first 100 people to go to blinkist.com/stevemould will get unlimited access for 1 week to try it out. You'll also get 25% off if you want full membership.
Gaining unauthorised entry to someone else's car is illegal. Jamming is illegal in the UK. It might be illegal where you live too.
Car key fobs transmit a binary code to the car over radio. If the car recognises the code it unlocks. There are various systems in place to make that process secure. This video is about the way vulnerabilities in those systems can be exploited. Including replay and rolljam attacks.
"but most of all, Samy is my hero"
You can buy my books here:
stevemould.com/books
You can support me on Patreon here:
/ stevemould
just like these amazing people:
Nathan Williams
Matthew Cocke
Glenn Watson
Mark Brouwer
Joseph Rocca
Joël van der Loo
Doug Peterson
Yuh Saito
Rashid Al M
Paul Warelis
Will Ackerly
Marcel K
Twitter: / moulds
Instagram: / stevemouldscience
Facebook: / stevemouldscience
Buy nerdy maths things: mathsgear.co.uk - Наука
Let's just pretend this worked flawlessly the first time.
The sponsor is Blinkist: The first 100 people to go to blinkist.com/stevemould will get unlimited access for 1 week to try it out. You'll also get 25% off if you want full membership.
What are you talking about of course it worked the first time :)
Lmao
Someone hacked your video, too
No worries.
I got the notification the second time, so you got that going for you. I know sometimes RUclips punishes people for re-uploads to fix something. You got it re-uploaded pretty quick.
1:00 Nice detail on the Bmw parking hahah
̣
I died 🤣
Mini is owned by BMW.
you beat me to it by like 20 seconds... the timestamp is nice though
+
6:48
"I tweaked some variables, I didn't have a clue what I was doing, but I noticed that it changed things"
- said almost every engineer at some point. That's how you make discoveries! I love your videos, Steve :D
He pretty much summed up my job there... And according to my resume I know what I am doing :P
That's just called debugging
It's like I'm back in my matlab class... **stares of into space due to painful memories**... good times lol
Yep. The real work is going back and figuring out what part of the five different variables you tweaked in "throw everything at the wall until something sticks" mode that made the difference.
"Huh, my code work, and I have no idea why." said the greatest engineer I know.
I love how you can tell he genuinely enjoys doing this. The smile, the laugh, the energy. Keep up the work!!
A big advantage of Manchester encoding is that every bit guarantees a transition. This means that your signal contains the data and the data rate clock. As you mentioned that the fob can't maintain a consistent transmit frequency, the same is true for the data clock. Manchester allows the receiver to synchronize the data rate. Also, the transmit signal likely starts with the same start byte (most commonly AA or 55) to allow that receiver to lock onto the signal (timing wise) and also adjust its gain (AGC).
This is important for magnetic strip credit cards, as an example. The card reader needs to know how quickly you're swiping the card and it uses a standard starting sequence to synchronize. It doesn't matter how fast you swipe the card (within reason) as long as you don't vary the speed and the whole strip goes through the reader.
@@theodoric4270 i always thought this was dumb since maintaining a constant velocity is not always easy. I think a better system is either to use two tracks with a clock track or a second magnetic polarization axis. But magstripe is slowly dying anyway...
@@donaldviszneki8251 it worked well enough, and that's always going to be the standard to hit. When magstripes fail it tends to be from demagnetization or it physically chipping off rather than a rate error
From a security standpoint, a lot of the RFID upgrades for credit cards and badges just became "Spooky replay vulnerabilities at a distance" rather than proper challenge/response implementations
I also have no idea what I'm doing most of the time.
With all your great research on the topic, how much time is spent coming up with the cool project names vs the actual coding? Rolljam, Magspoof, PoisonTap, Glitchsink...etc. 50/50, right?
samy is my hero
samy is my hero
I’m now imagining a Mr Magoo like scenario where someone just stumbles upon vulnerabilities
I'm not a fancy security expert like you, but I am a software developer working on a web-based fintech app, and... yes, can confirm, a large portion of any development/IT/tech is just trial and error. And lots of banging your head against a desk trying to figure out why the debug output doesn't match what you expect 😂
I like how the poorly parked car was a BMW, that made me laugh.
It's funny cos it's true
Its ironic because Mini is BMW.
Typical
Seeing this comment first then finding the BMW made me laugh.
I laughed as well then I remembered I drive a bmw and also can’t park.
Great video! Thanks.
It’s worth pointing out that looking at a chip under a microscope to reverse-engineer it is pretty challenging, although not technically impossible if you use mechanical-chemical polishing.
Back in 1995 (or thereabouts) when my company at the time was working with something like 2-micron fabrication technology, I was able to diagnose a power-drain by eye-droppering a liquid-crystal solution onto a chip to find the hot spot on the chip. However, even at 2 microns, the image was pretty blurry. 2 microns is about 4 times the smallest wavelength for visible light, so it’s possible, but difficult, to image the chip.
Nowadays though, when the features approaching 1/100 the shortest wavelength of visible light, you pretty much have to use electron microscopes, which only show you the surface. So, to see the internal structure, you have to extremely precisely polish off layer by layer, re-imaging each layer. That’s definitely possible, yes, but very difficult.
I understand some of these words.
Your sir are a smart cookie. But I'm sure you know that. Thanks for the information. For reasons I do not have the ability to explain. The fact that wavelengths have lengths and how they react to specific objects at different sizes escaped my knowledge. I can confidently say it will not escape it again, at least for another 15 years. So thanks
@@dorjanhajdari2670, thanks. Well, experienced anyway…
I had a guitar teacher a few eons ago who said, “not sure I’m ‘experienced,’ but I have had a lot of experiences!”
@@mr88cet Clever teacher! I love how he defines what he seems to contradict only to prove it true through his definition.
X-ray it. Stitch the images. Make a circuit diagram and analyze. Voila. I did this as a project in an EE grad class.
I just discovered your channel today and already watched two hours of your videos I mean amount of the research and effort you put in each of your video is impressive... Really appreciate what you are doing..
How to recognize a passionate person? If you approach him with the smallest achievement in his field, he instantly goes "That's great! How does it feel?".
Samy is my hero.
Sounds like the whole Kerbal Space Program community
@@carchocolate93 ya
Really ought to be a word for this wonderful opposite of gatekeeping.
@@carchocolate93 yup
"I'm in my car! Amazing."
@@EternamDoov awhhh
lmao
I'm in my mum's car. Brum brum
😂.
me 2
I love that you blurred out your key bitting in the opening scene.
10:19 I think it would have been good to mention here how jamming works in this case. If you are sending out a jamming signal to the car on the broad spectrum, you are not jamming the airwaves so much as you are jamming the equipment. You are causing the car to process useless signals - meaning that the car has no processing power left at that time to process the real signal. You are essentially flooding the car with bad signals, keeping its computer occupied while you listen out for the good signal.
Sounds similar to a DDOS attack?
Actually it has little to do with processing power. The signal you are jamming with is basically noise to the car, and if that noise is "louder" that the actual signal from the key, then all the car "hears" is that noise. It's like trying to have a conversation next to a jet taking off - your voice and the jet engine emit different frequencies, but since your ears listen to the whole frequency range, the jet completely overpowers, but a microphone with a frequency response tuned to the frequency of your voice could hear you.
Remember: never park your car next to someone in a hoodie and with a laptop
Just run him over instead
Even if he reserves the spot for you on a busy day?
Specially not someone who looks like the villain in a horror movie like at 1:22 :)
... But the hacker with the hoodie and laptop is in the passenger seat, trying to gather WPA PMKIDs... Do I just not park?
EDIT: Instructions unclear; vehicle is now in lake and hacker is very angry about his laptop getting soaked. Something about SSH keys being irreplaceable?
Remember: don't judge a book by it's cover.
"What this demonstrates really well is that I have no idea what I'm doing." XD
Thats me every day in online school lol
He nailed that so well on the comedic spectrum.
Hilarious!
*fairly
Me during chemistry class be like
Your explanations are incredibly engaging and interesting! Thank you so much for inspiring my curiosity :)
Samy is the man. been following his work for years. related, LTC (timecode used to sync audio/video dual system or multiple cams in production) is essentially manchester encoded as well. i have had to actually manually decode it by looking at the bits before lol. silly thing to have to do but it works in a pinch. so if you are syncing your cam using timecode, you may have been using it all this time.
that "hacker sitting in the dark in a hoodie" cliche was so well done. love it.
Doesn't it have proven psychological causality?
Me too 👍
1:00 BMW is the Apple of cars,
Their motto is “park different”
You know Mini is actually a BMW automobile?
Ahh thanks. I thought he made a jab at BMW drivers for parking recklessly which doesn't ring completely untrue in my experience
@@joepbeusenberg Well, yes and no. Yes, as in the company BMW, but no as in the BMW brand. Mini is not part of the BMW brand.
@@DirtyPoul but you will find many components of a mini have bmw on them? Infact the same parts that fit on some of the BMW range.
@@stuartd9741 Yes, of course. Some of the cars share the same platform, so that's to be expected. But that doesn't mean that Mini is part of the BMW brand. It's a separate brand owned by the company BMW. That's what I meant.
Hehehe! I love the hacker face in the dark. :D The green lighting for the call was pretty cool too.
Interesting how far back you have to go for all this. Keys were already code-hopping before the end of the 90s, I think, and your Mini had rolljam projection in 07. I put an aftermarket remote on my Peugot 309 around 03, but I didn't care if it was a good one because it was an 80s 5-door hatch & not even the latest model. Bit of a street sleeper, that one; remarkably fun to drive.
This video is as entertaining as it is informative! enjoyed watching and learnt some seriously interesting tech stuff, thankyou!
To anyone wondering and for the sake of saving history,
This video was reuploaded, because on the first upload it did not have sound in the moments of talking with Samy
Thank you, I was wondering
yeh
Same, thanks
Thank you love you
:D That double spot taking BMW made me laugh!
I clearly saw that it was a bmw and parked like that, but the joke didn't register in my head for some reason lmao
Ironically, Mini is owned by BMW and is usually driven by women.
@@SangheiliSpecOp it is like when you see something so many times your brain ignores it because it is the norm
@@Leo-zt7fo do you have any sources on those car ownership demographics?
@@SentientTent the picture on 1:00 has a tiny BMW logo on the badly parked car.
Something you need to be careful of: replay attacks on cars can cause at least one remote to go out of sync. You might be able to recover it by pressing a button on the second remote, but it'll require resynchronizing it yourself or taking it to someone who can if you're unable to
Thanks for sharing and Samy is a legend no doubt.
"Authorities report nationwide wave of smashed car windows. Suspects say 'Steve told me it was easier'".
Or just collect the keys from the fishbowl party
Thank you, stole my first car today :)
oh no.
Oh yyyyyyy
Nice dude! Hope you get more cars soon!
Lol
Just unlocking a car is not enough.
Didn't mention a relay attack which works with modern fobs with passive unlock (where you can walk to the car and just open the door so long as you have the fob).
Two thieves park near a restaurant and observes patrons entering. When they observe a car they want one of them follows the target into the restaurant and walks near them with a transceiver. His partner walks to the car (from which they observed the targets exit from) with the paired transceiver which then relays the passive code from the fob via his partners relay transceiver and the perp opens the door and drives off.
Thankyou. This is good stuff.. covered many things in just 20min.
Steve Mould : i hacked into my own car
Robber : i hacked into Steve Moulds car
Mark Rober: I hacked into Elon Musk's car (to save the world)
It would be a burglar as a robbery would only take place if you were in the car 😁
@@matthewkambic4939 Burglary is specific to thievery in buildings. And either the way, the comment states nothing concerning thievery. So it would only be a hacker. But if the hacker stole the car, he'd be a car thief and he'd be commiting grand theft auto
Dude, way to be a prick.
@@marksworkshop8724No one's being a prick😂 I swg, people wanna make drama out of anything and everything. @Matthew Kambic, did you feel like I was tryna be a prick towards you?
Instructions unclear: I have opened my microwave with a skoda car key.
I managed to open my microwave e by downloading app to unlock microwaves.
Just run the app and boom! Now you can open microwave doors without any key :) bluetooth may be needed tho
I'd rather drive a microwave than a Skoda.
@@N.I.R.A.T.I.A.S. i will microwave a drive than a skoda
I unlocked my car with microwave. No need to use keys!
😂 happy frozen fooding!!
OMFG THS IS AN EPIC COMMENT THREAD!!
1:18 I liked for this scene alone. YOU LOOK SO SINISTER. That's textbook villain material right there.
i like how you tried to hide the key in the close-up but completly ignored it in the next clip where it's clear enough to be visible
I have worked for two different US companies that develop software-defined radios for commercial and government customers. Your opening explanation of rolling codes was fantastic (far outstripping the initial explanation I received when working on our rolling codes project, despite being like 2 minutes long compared to an hour-long briefing at work). Thank you for your dedication to science communication and bringing these awesome aspects of science to the fore!
Therea missed part in rolling key explanation. Someone cover that plz lol
dalai lama once said:
if you need an hour to explain something, you know jack sh**...
@@pahvalrehljkov in things like business related videos, they artificially inflate the information to fill a certain amount of time. Because the person creating the presentation isn't gonna get shit for a two minute presentation compared to one that looks like he put more effort into it. Even if it's better for everyone if it's short.
Steve be like "click out of mouse, W is binding.."
I understand that reference, and am glad to see another man/woman of culture
Nose picking lawyer
Car-Jacking lawyer...
blood curdling lawyer
a syncronised clock was actually one of the first solitions I thought of! was very satisfying when it was also presented in the video.
You could exchange with the car to get the current RTC time, and reduce cost.
It would also prevent changing the time on the keyfob into the future.
1:00 Love the very realistic view of the parking lot🤣🤣
savage
That face after he goes “I wasn’t expecting it to work first time”😂 I felt that😂
0:54 absolutely lost it at that graphic! Well played!
thanks for the video, was really helpful!!
THANK YOU for showing all the attempts that didn't work. It's sooo important to show that success requires work.
Who cares?
@@yackfou2412 most people who are curious
I love that this covered your whole thought process from the ground up, rather than just stating information. Top notch stuff!
When i saw that car park situation i had to pause for a few minutes for the giggles to go away. 😆
Thank you very much, i needed that.
Alright, I never ever bother to leave a comment but THIS video was so fun, informative, engaging and most of all so damn easy to follow for a beginner like me, hats down! I'm just starting my journey of learning how to program and code, researching fields that I'd like to focus on in the future, you've inspired me to pursue cybersecurity engineering! Big thanks!
5:57 That’s soooo Mr. Bean moment!!!! 😂😆🤣
it made my day actually xD
You’re right
That is most accurate depiction of a car park I've ever seen @1:00
Steve does realize that Mini is made by BMW right? 😂
Doesn't matter though, does it?
One of the best RUclips channels I've subscribed to.
Great video interesting content and presentation and also nice editing on the ahh ffff.. moment when the aerial fell off the table!
Social engineering:
Use your SDR to be receiving. Make an app or script or whatever, so that every time a signal is received it plays an interesting sound clip. Each one is different, and after introducing it everyone will try theirs to see what noise it makes.
For example, having a party at home, say "watch this" and get out my key fob, show them when I press the button, an old-fashond "auuuuuga" horn sounds from the home theater sound system in surround sound. Much more dramatic than a laptop sound.
"Now try yours!"
Well shit. That's a very good idea that'd definitely get a lot of people to fall into the trap
I don't know about you but if I'm inviting people to my house for a party I'm not trying to steal from them haha. What kind of friends do you keep?
That's not really social engineering, that's just tricking your friends, also why you stealing from your friends?
@@simonseis744
_"That's not really social engineering, that's just tricking..."_
That's exactly what Social Engineering is:
"The use of deception to manipulate individuals into divulging confidential or personal information."
@@simonseis744 They don't necessarily need to particularly be friends though, this is the sort of attack someone could pull off by investing a few weeks infiltrating say a company so they can produce their party trick at the office Christmas party. Especially easy to pull off given how many companies hire temporary staff during the Christmas period which would give a would-be gang of car thieves a chance to infiltrate the employee social group.
0:59 That a-hole BMW is a nice touch lol
That's BMW in its natural habitat
The lighting is awesome ❤️
0:55...nice touch, Sir!! Nice touch, indeed!!!
I love how passionate you are explaining the process and what you discovered. Nice video!
"but most of all, Samy is my hero"
Lol! I didn't realize it was *that* Samy! I still have that on my Facebook profile as an homage to that infamous Myspace hack.
For those who don't know, check out the Wikipedia page on Samy Kamkar or "Samy (computer worm)".
Samy is my hero
Really, interesting, Steve. Great video.
“It’s interesting to see how far you could go for a really high value target”
This man is admitting something here
Wait. I've seen this before..
Haha me too, missed somes sounds
But this is the first time I'm uploading it. Don't know what you're taking about!
@@SteveMould Second time worked a charm. First time I couldn't hear any of your chat or leave a comment? Posted before I saw this.
@Thu Nell Ⓥ I was trying to be funny. Failed at that too!
@Thu Nell Ⓥ he was joking. Check his community tab for more information :)
That video was absolutely fascinating. I'd never really thought about how these keyfob systems actually work; somewhat ironically, as I'm a fairly decent electronics repair tech and have fixed plenty of car keyfobs in the past!
you keeping in the fails is GENIUS!
hhhh he is helping robbers 🤣🤣 every time he said "it's better than smashing the window"
Halfway through I'm waiting for one of the other cars in the background to go *chirp chirp*.
1:00 I love how you made the BMW occupy 2 spaces XD
your channel is amazing man :)
Awesome channel just subscribed let the binge watching begin 😂👍✌️😎
This was super interesting once again, Steve. I really value the _variety_ on your channel.
I'm like you, I find EVERYTHING (potentially) interesting.
Can we just appreciate that this man is still rocking is Pebble in 2020. I finally dont feel alone
there are dozens of us! Dozens!
Me too! Woop!
I like how you blurred the key out in the closeup but you can still easily see the cuts when you hold it up.
The title of this video was NOT CLICKBAIT: it really is EPIC!
Awesome demonstration of working and security features of car keys and great way to point out the loopholes in simple terms.
Great work.
First time watching this channel. Loved ur work.
👍
level of expertise: "actually that's manchester encoding"
Love your content bruh!
well hey, now we know too!
@@ms-fk6eb you're right!
One subtle thing I noticed - the BMW taking up two spaces and parked squiffy, nice touch, I'm not a BMW fan either!
It's ok to be completely lost, i think this is the real hacker's journey!
Not knowing anything at first and slowly building up knowledge!
Keep up the good work!! :)
The preamble isn't nessecarily saying 'im a key', it's actually pretty standard. Since Manchester encoding guarantees transitions, this preamble is used to synchronise the receiving clock exactly to the right edges so that the important payload doesn't get corrupted. (Phase locked loop circuit)
0:49 Serious warning. It's unimaginably simple to decode a keys' physical bitting from picture. The entire internet can now unlock your car.
Yep, might not have the digital code but showing your key to the camera is basically the same as letting them take a copy of it to reproduce.
he even hid the key in the first time he showed it
I mean isn't he already showing the whole internet how to unlock his car? Lol
Whoopsie
Lockpicking lawer comes in
I disabled the car key remote, it's exceedingly easy to break into even the most expensive cars. You can see them boast and do it online. The smartest thing one can do, is not play. In a digital world, analog is king. Like stick for automatic drivers and so on. Obviously, there's super easy ways to break analog locks (like Lishi) with relative ease, but that's for common car locks, which a smart owner would've replaced if they really value their car staying put.
Military radio systems use a similar technique to prevent jamming, called frequency hopping. It's like what Samy was saying; you have the two radios with synchronized clocks, and an encryption key determines the pattern of frequencies. The radios "hop" pseudo-randomly but remain synchronous, preventing jamming or interception.
"The car door is locked, there's no way to get in." It is a convertible, so very easy to get in, no expensive tech needed, just a knife.
He's in UK. He would need a license for the knife
@@muhammadaryawicaksono4232 true that. You cant just carry knife or scissors like that in the street
Thats some stupid thinking
you dont even need a knife...
break into the window.
@@chalee3484 yep
The BMW parked over 2 spots, lol. Great stuff.
Tim Harford also hosts my favorite podcast: Cautionary Tales published by Pushkin Industries. Totally unsolicited recommendation; it's really good
I did too just the other day! It's amazing what spare keys can do!
8:20 Imagine going to a key party and Steve being there clicking away with his laptop :D
Steve out here telling swingers how to steal cars
I can't believe RUclips actually sent me a notification as soon as the video went up.
the youtube algorithm sent it to you so quickly because it knew youd instantly click on it.
0:56 love what you did with the BMW parked there 😜
the way the key code works, sounds almost like an Enigma machine
every new code sent has a different decryption key.
0:54 Busted out laughing! So true!
I'm never going to a swingers' party again!
Do you leave your keys in a bowl in swinger parties?
What kind of parties do you leave your keys in a bowl at?
@@ronwesilen4536 yes. That's how you decide who swaps with whom, you pick a key from the bowl, and hope it's not your spouse's.
I hear.
Uber. You're welcome.
@@davidgustavsson4000 honestly interested in this. I hope it is true. Also hope woman are the ones grabbing the keys so they can fill their keyhole
Like how he centers of bitting since I have heard of people making keys from images and even form memory
Thanks for the very interesting video. One question, the part when you talked about when the hacker jams the signal and having the second box monitor the frequency to be able to get into the car. I was thinking, if the signal is jammed before the driver gets out of their car . When the driver presses the lock button on the fob the car is not going to get that signal and remain unlocked. That is, for a period of time before it auto locks. If the driver did not notice that the car did not lock a potential thief could just walk up to the car and open the door and take whatever was in there.
The BMW taking up 2 spaces absolutely ended me hahaha
Watching this is like actually doing a project that involves manipulating remote-control keys or key fobs. You have to get deeper and deeper into the specifics of the device you are trying to emulate. It can be sometimes thrilling and sometimes tedious.
To jam a car you don't need to think about range of frequencies, just use directional antenna on car receiver, this jamming won't affect the 2nd spy receiver.
Great video. Enjoyed it
That BMW parking reference. Spot on!
Whenever you showed your key on camera I got anxious lmao
The fact that you blurred out your key was pretty brilliant
Regarding other ways to secure keyfobs, you can have the key merely be an unencrypted request for the car to initiate a challenge-reponse. The car sends the key a challenge, the key encrypts/hashes/signs this challenge with the secret key, and the car checks the response. With an only slightly higher level of sophistication, you can measure the timing of the response and compare it against time-of-flight of radio signals. If it's too far (e.g. further than 50m, or about one cycle on a 5 MHz processor), reject the response as invalid.
That way you also protect against a signal extension attack.
"I ain't never seen three zeros in a row. It’s always one of them gotta be a one." ~Manchester encoding
This is great Steve! You should try to get into parliament next and fix the country. Much love
Ah yes, the "run for office" hack.
@@SteveMould Senator Mould has a nice ring to it!
@@nl_morrison Senator? Wrong country, surely! :D would just be MP (often referred to as "The Right Honourable" gentleman/colleague/representative of [constituency] in the actual parliamentary debates)
@@EcceJack Right! Well while he is at it he can fix the USA too, I'm sure it's just a bit shifting issue.
None of them have any idea what they're doing either
This is so fascinating!