Hacking Ford Key Fobs Pt. 1 - SDR Attacks with @TB69RR - Hak5 2523 [Cyber Security Education]
- Published: 7 Aug 2024
- Hak5 -- Cyber Security Education, Inspiration, News & Community since 2005:
An educational look at cyber security, this time on Hak5:
Security researcher Dale Wooden, aka @TB69RR, joins us to demo a zero day vuln against Ford keyless entry/ignition that will be dropping at DEF CON 27
* Attack demonstrated in controlled environment by security professionals with automaker permission
Our Site → www.hak5.org
Shop → www.hakshop.com
Subscribe → ruclips.net/user/Hak5Darr...
Support → / threatwire
Contact Us → / hak5
Threat Wire RSS → shannonmorse.podbean.com/feed/
Threat Wire iTunes → itunes.apple.com/us/podcast/t...
Host: Shannon Morse → / snubs
Host: Darren Kitchen → / hak5darren
Host: Mubix → / mubix
Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award winning educational podcasts, leading pentest gear, and inclusive community - where all hackers belong.
Moral of the story: Don't use your key fob around Star Lord's father.
Best comment so far
Real moral of the story: Don't buy a Ford! Actually, don't buy a vehicle made by a US-owned or US-affiliated manufacturer (yes, that also includes Fiat).
@yorickhunt3371 this can happen in many vehicles of different manufacturers all over the world, not only in the US or with Ford. Learn more about signals and practice with a HackRF One.
All these systems just give you a sense of security, when in reality they really are not secured.... If somebody with the right set of skills really wanted to do something nefarious it would be done, no questions asked!! Good work by the way...
This was a long time coming. Incredible.
Kind of interesting to see Snubbs so energetic and hyped.
3:30 "This is not user-friendly!" LMFAO
Awesome, Dale! Hope your puppy and the rest of the family are doing well.
Thanks we are.
This video was awesome , you guys together doing some really cool stuff , like old times
Finally a video of snub and darren on one video
"It works on my machine" should never be a response to a security bug
0x0 that engineer was just smoking his own stuff.
Awesome! I'd love to see this work on a Raspberry Zero ^_^
Ooooohh Enterprise is gonna be pissed 😂
😮 wow, can't believe what I've just watched, 2019 car hacked, love this guy, great vid
14:54 Engineer was covering his own arse. I bet he gave the testing methods he was forced to use to test the lock he developed. He probably doesn't have much freedom outside those parameters either. So to have his job on the line for something he wasn't allowed to test for sound kinda terrible for him. Especially when some outside hacker gets to throw away the rule book he has to follow.
These are the rules in a big company. Not looking for the ultimate solution, but to look for a solution that is legally recognized: “hey look we did develop a security system that works 99% of the time. Not our fault if these 1% are specialized hackers, they would find a way anyway…”
"I had the one negative c*nt, but the rest of them were great." 😂
"Listen Ford, if you don't give me one million dollars, I'll put online the instructions to open every one of your cars latest than 2018. Do we have a deal?"
Real bounty hacking
do you have the instructions now sir? haha
Fantastic detail
That's why I love my 89 Jetta, no key, no entry or ignition, also why I hate it, cause I lost the key....
Lmao, I will take my chances if the alternative is to drive a 30 year old pos VW.
Can't wait for defcon now!
3:34 😲 Shannon! XD
@6:35 - Rule 31 - Check the back seat.
zombieland
@RakshithPrakash Yup :)
That's a neat looking zune .
great work
awesome video!
I did a project on this for graduate level cyber sec class. It's not hard to do and it works across the board not just with Ford vehicles. Excited to hear the def con speech. At times the presentation was confusing, thankfully the other guy was able to ask deciphering questions
This technique is Ford specific. There are other techniques that work for some other models.
Happy that Hak5 is pushing the Portapak, maybe it will encourage Havoc to continue working on the firmware.
I remember watching Shannon what 15 or so years ago? You all have been on the air for a LONG time.
She's still just as pretty! Oh, and by the way, I'd like to thank the Fed for supplying you the funds you've needed to make this show as great as it is.
Yeah, we know you're comped. :)
Try mayhem instead
Aww, cool story bro. So really what you're saying is, you totally used to pull it to her while learning about hacking stuff at the same time. "She is still as pretty now, but boy I wish she was 15 still!"
Yay! Darren and Shannon together again!!
If you hold unlock and lock at the same time for about 30 seconds, it will resynchronize your car and the remote, and then you can use it again.
Hmmm, so this procedure sends the seed?
Poor Snubsy, her car will never be the same! Cool video though!
I was doing this 5 years ago when I first got into SDR. This works well on many makes.
Tell me more
This is a little different than the replays we usually do. Ford added something that makes this work a bit differently. No jamming, and we use codes that are recycled.
@tuathadedanaan1424 hey, so would this device respond by picking up the radio signal without the owner using their key fob?
I found a critical vulnerability in a 2018 Camry. Doubt they'll fix it because of people like the engineer you spoke to
Is there a way to record the key signal to use your phone or smartwatch to open the car?
Can you use the data captured to clone a key fob so you could essentially have a fob for the victim’s car to use when ever as well? Or at least clone your own key rather than paying huge dealer fees to make a 2nd or third key?
No.
It can be used to perform a relay attack.
What ever happened with challenge response?
Man stuff like this is just impresses me he's something like an old scroll wheel iPod but it is extremely creepy and awesome
Awesome... Next iris eye & fingerprint sniffing. lol :v
Well I trust no one now lol
What is the actual range of this device? Must a criminal be really close or would it be possible that they are hiding somewhere behind a wall or something?
I don't get why it gets reset. If the generated number is a 4-byte value, that's 2^32 unique codes! So the owner has to press the key fob 2^32 times to start it over.
Hmm, I'm surprised that works. I thought this only does static codes? Doesn't Ford use rolling?
Sorry for my bad english.
You could just transpond data from 433.85 MHz or 355.2 MHz (depending on the frequency your keys transmit data on) to the same frequency; this will transmit data with a 2-3 ms delay on top of the original signal and corrupt it. I've tested it with a Raspberry Pi 3B+ and RPITX running on nexmon firmware and an RTL-SDR (Note: I've done it against an old car from 1998, IDK if that'll work on a more recent one). That's way cheaper than a $250 HackRF One. But still, this little bad boy is amazing!
I highly doubt any key transmits at 300+ GHz. That's like infrared.
@RiwenX oops my bad, meant MHz ^^
I can't believe you need a permission of the automaker!
He really doesn't, but it's the right thing to do.
Didn't have to do it but wanted to do the right thing and let them know.
The one engineer didn't have the capacity to see the big picture and was more concerned about being right than actually admitting that there is a problem. I've worked with guys like that before. It's bad for the company when they get into leadership positions.
His response was akin to finding out a bump key works on a lock, telling the lock maker about it, and them saying "Now try it with a potato instead. See? It didn't work. Nothing to see here!"
Why would you compromise your security code by using the key fob when you have keyless entry? On my Lincoln you have to be within 3 ft of the lock that you're trying to open. After I leave my home I never take the key out of my pocket. It's not foolproof, but it has to be more secure than sending a signal across the parking lot every time you unlock your door. It's a different code for the PATS, so I get in the car, CLOSE THE DOOR, then start the vehicle, and I'm out of there.
Is it possible, e.g., to modulate your own signals and transmit them using SDR, plus all the signal processing that is needed for communication? Or is the SDR limited to some level?
First if you modulate your own signal how would you know the exact bandwidth that car is communicating with
If the bandwidth is between 300 and 400 you have 100 guesses.
@trevenbutler1625 My question is a bit off topic from the video content. I just wanted to know the limits of the SDR.
HackRF + PortaPack + charger. You're welcome. But it's still restricted by the rolling code because he needs to sniff and replay. I don't really understand why he doesn't jam the frequencies and replay the code after...
It's not, though. He found another implementation vulnerability that resets the rolling counter. The only caveat to this attack is that you have to then replay all the sequences up until that point in order.
Jamming and replaying would be too easy, I think. Especially since there are devices which detect that somebody is jamming. Somewhere on Hackaday there's a cheap project for a jamming detector, from a South African guy, because it was a thing down there some years ago.
So my wife's key fob often stops working and she plugs it into the car for a week and just uses the smartphone to unlock. I think she probably usually uses the fob to lock/unlock, but I just use the door handle and usually don't have an issue.
I'm curious how safe I am from this and what the steps are to get the key fob to work again.
Gregory Krisa what car?
@j4s0nmuzik 2016 Ford Taurus SHO
It doesn't work if you try it this way... Yeah, if I see someone messing with my car, I'll make sure to let him know that he's doing it wrong and it doesn't work. When he locks me out of my car, I'll tell him that he did it wrong. XD
Is what happened to the Microsoft Zune?
That's why I drive a 1999 Opel Astra G, which is really easy to repair, and if someone steals it, then I only lose like $530 worth of car and a $30 OEM CD/FM car stereo.
Here in Australia I've blocked a car remote with a 30 dual band baofeng and it blocks it well.
Has as many risks as this
Good vid and very interesting
Show how?
Remember we are not jamming.
@alexk77ae I'm guessing possibly scanning for channels when the fob is bouncing its signal.
How am I locked out of my car? Don't some vehicles' key fobs have some sort of key built into them?
That's too much work, but very interesting... I can gain access to the vehicle with my Lishi decoder and subsequently program in a new fob in under 15 minutes.
Alexis Ramirez share more details 😂
Why are they still using rolling codes? Surely even some variant on CHAP would be more secure.
WIZARDS!!!! 🧙♂️
Thank you
Hi can i use my wifi booster i got from hak5 with my hackrf one thanks
I can see why manufacturers don't play ball: it's because they don't have control of their own product once it leaves the floor. Nobody is going to go back to the dealer for an update for every scenario. This is why people carry insurance; when all else fails you've got a way to replace what thieves took.
Lexus should take notice.
Was this git repo eventually released?
Awesome video, but the dialog is hard to keep up with because of the jumping around and partial explanations
Sorry we have to leave some out. It’s for a reason. It will all be released but have to let them try to fix it. The goal was to let people know it’s real.
Would hate to work with an engineer who thinks all other results are invalid because they don't conform to their test methodology/parameters.
The engineer did not deny other parameters worked, but proved his parameters valid. Establishing his parameters valid gives him, and Ford, plausible deniability.
would this work on mazdas as well ? (i own a 2006)
Indeed it will (:
It seems my ford keyfob had no battery 😂
Looks like sdr sharp on a pi
Where to get that device?
It's a HackRF with a PortaPack
yes
So it's not only my car then lool
This would be good for the repo people. But this is crazy how easy it is to compromise your keys fobs. Back to the drawing board Ford
What is happening behind the scenes? Is this a typical replay attack done by HackRF or something else, because the keys were jammed? Can anyone tell me?
No jamming. Reset the car's counter so old codes would now be valid.
@tuathadedanaan1424 then why was that key working again??
@patrickben3924 we will cover it at DEF CON, but no jamming of any kind. We trick the system into resetting its key count. The other side is we cause the vehicle to do a security feature that disables the fob.
I tried this on my Infiniti a year ago; the car goes into a standby mode and can only be opened with the physical key. This happens because the car and the key have an encrypted key, and a new one is sent every time because there is an algorithm, and your HackRF One doesn't know the algorithm.
What is the git?
Do you feel some impact from youtube about hacking videos?
YES! Good old Hak5 has returned :)
"With automaker permission" ? Why? This isn't even disclosure just a proof of concept, and frankly they shouldn't have any influence over either.
I am thinking that we need to go back to early 1970's cars. At least those lacked wireless vulnerabilities... Too bad the crash safety is so horrific.
Would rather die in a car crash then live a life of misery and keep getting my car's stolen. Going to install a GPS with remote cutoff in my old girl 😉
If you think it's easy to hack a car with radios, it's much easier to lockpick them. Gps is the way to go.
This is something that should only be possible with Ford's proprietary dealer level scan tool.
Can you start the car with it?
Just use a FORScan to reprogram the fob.
I'm gonna test my car's manufacturer..
Where can we buy this product?
It's not just gonna work the moment you buy it, the device is used for whole lot of other things so you need to configure it with the script that will perform this particular task. If you are looking to get it for EDUCATIONAL PURPOSES I can help get and configure it for you.
now imagine doing this on a mass scale
OHHHHHHHHH THE HUMANITY
Maybe to sow enough chaos in a parking lot as a diversion for some other attack?
@MikeTrieu exactly, and the ideas in my head I'm not posting, cause ya know wing nuts just love ideas (see flat earth)
what about Toyota ?
I hope Ford can do over the air updates to their keyfob systems....
This is gonna be a physical fix. Not an over-the-air fix from what we saw. I could be wrong.
@tuathadedanaan1424 The problem is in the software processing of the rolling code counter, so it would have to be fixable on the software side. The only question is if the software can be reprogrammed over the air (cheapest option), flashed by the dealer (high cost) or requires hardware replacement (highest cost). Since Ford is being open about this, my guess is they will be able to push an update out to the car to fix the problem.
@aquatrax123 There is another thing happening that we are not releasing yet also. It might be able to be done over the air, but I'm guessing not. Ford was not super open about this. They have yet to report it to consumers. I reported it to them months ago. They have not sent out any notifications.
None that I know of, and as an owner of an affected vehicle I've not been notified.
Fab
✌🏻.✌🏻.
Good. How much is this device, sir?
Why is it so hard to get this right? Imagine this, the fob has a public and private key pair and the car keeps a list of public keys it trusts.
Fob: I want to unlock the door! Here's my public key.
Car: Ok you're on the list. Decrypt these 8 bytes of pseudorandom data in the next 50 ms and I'll let you in.
Fob: GG EZ, here's your data!
You could shorten the response window depending on how fast the hardware in the fob is. Pairing a new fob could be done by making a physical connection with an interface inside the vehicle, for instance via USB. I imagine putting hardware into the fob that allows it to do proper public key crypto will increase its cost and perhaps reduce its battery life but if it means the car is more secure I'm totally fine with that.
Am I missing something here? Why aren't automotive engineers using proper crypto?
Matthew Carr most don't think it's possible to hack into their systems
The regular Joe only cares about
Comfort
Looks
And safety ratings
That's about 99% of automotive customers
So the big names only focus on those things because it brings in more profits with less money invested in security details and etc
But no matter what types of defenses they use, they will be defeated.
Setting up defenses around technology is ultimately pointless
Seeing as how you will always have people on the inside making these things possible
It's a battle with no wins for either side
Just a cat and mouse game
Both sides ultimately will lose
I bet this works on most cars
+Tuatha De danaan
hello, can you help me in this project? Do I need only portapack or also I need any special software for unlocking signals? ..
BRAZIL!!! ❤
So what about Tesla?
Oldwick NJ
0h H3nry!
Just use your regular key..
oh man. 😂 they try to replay a rolling code. that’s what rolling code is meant to do. the car is not accepting the same code again. and while there is a transmission on that frequency, they can’t open the car. yes that is also normal. 🤣 there is no security risk here. they actually failed to attack here. 😂
Hello ma'am, send the link for this device kit please
It's not really a plug and play device. You need to configure it to perform this kind of task because the device does a whole lot of other things. If you need it for EDUCATIONAL PURPOSES then I can be of help to you to get and configure it for this and other things to use it for.
looks like you're using BackTrack
But does this work on the Ford Raptors at Area 51? 🙄.... 😄
👽
How to purchase this product?
You get it online but needs configuration after that to perform this particular operation. If you are looking for it for EDUCATIONAL PURPOSES I can help you get and configure it.