(Car Hacking) PKES Passive Key Entry System Attack KEY RELAY attack. (Two Factor Authentication for Cars)

in #hacking, 7 years ago

Hello

There is an attack on PKES for keyless push-start cars. These are any cars with a key fob that starts the vehicle or opens the door just by being in range.

I am going to go over the research I did last year and the research that has been submitted by security researchers this year and will be presented at Black Hat. They made an 11-dollar device that can relay the key from someone's pocket to the vehicle out in the parking lot.

Here is the setup I used last year to start a Durango a quarter-mile away from its key.
[Image: unnamed.png]

This works by demodulating the radio waves at the key and re-modulating them at the vehicle. In effect, this allows the bad guys to start a car without the key. This attack worked the length of the mall parking lot I did it in. As you can see, the further away from the key I got, the less reliable it became.

The setup I had was a custom-built digital signal processor (DSP) that I built using a field-programmable gate array (FPGA), which I used to losslessly "sample" 314-433 MHz, which is the frequency range the keys use to talk to the vehicle immobilizer.

This setup used two Ettus N210 software-defined radios, one on each side. It would fit inside a backpack or a suitcase, and you can imagine how many vehicles would be susceptible to this type of attack if it were placed at a rental key return box or a dealership key return. The setup for this attack cost about 2700 dollars.

In the most recent attacks they have lowered the price to 11-20 dollars, which is the point where it becomes scary, because now anyone with the know-how can steal cars using this method.

[Image: unnamed (2).png]

This was the first test I did, on my neighbor's car :-) With her permission, of course.

I started with a wire run across the street and moved to wireless methods, which work with up to 18 ms of latency, so it could work over 4G or other technology. After a certain point the bit error percentage (BEP) goes through the roof and the device range is limited, but there is a possibility of further attacks.

This year at DEF CON 25 (hacker convention in Las Vegas) I should be demoing the mitigation method that I have made (it's free, open-source code and hardware). It's based on an 11-dollar Arduino build.

One of my next posts will be about how to build this open-source vehicle immobilizer, which works on all cars that have PKES or any type of RFID keys: 125 kHz, 13.56 MHz, 315 MHz, 433 MHz.

In a nutshell, the system I built costs 11 dollars to build and takes about 30 minutes to make, but protects against this type of attack.

It works by jamming/de-authenticating the keyless fob until a 2.4 (token) comes into range. This token could be any Wi-Fi or Bluetooth enabled device. I have a working prototype for smart watch, Bluetooth keychain, and smartphone; in-vehicle infotainment systems are the next platform I am working on.

Here is an example of how the device protects the vehicle's radio radius when activated:
[Image: concept.png]

This is my first post on here and I will be sharing more security research and how to build the device and perform the attack once I have time to post them. Please feel free to comment and give me feedback.

For more information, please Google PKES attacks and relay attacks. Wired also has a great article about the Chinese researchers who did the cheap 11-dollar attack on key relays.

Thanks
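The gating decision behind the mitigation described in the post (keep the fob blocked until a paired Wi-Fi or Bluetooth token is in range), as an added example in C that is not the author's code. The token address, RSSI threshold, hit count, hold time and all function names are assumptions for illustration, and the sightings are constructed sample data.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed tuning values, not taken from the post. */
#define RSSI_MIN_DBM  (-70)   /* token must be at least this strong to count */
#define HITS_REQUIRED 3       /* consecutive strong sightings before allowing */
#define HOLD_MS       5000u   /* re-block if the token is silent this long */

typedef struct { uint32_t t_ms; const char *id; int rssi_dbm; } sighting_t;
typedef struct { const char *paired_id; int hits; uint32_t last_ok_ms; bool allow; } gate_t;

/* Feed one token sighting (e.g. a Bluetooth advertisement) into the gate. */
void gate_on_sighting(gate_t *g, const sighting_t *s) {
    if (strcmp(s->id, g->paired_id) != 0) return;             /* not our token */
    if (s->rssi_dbm < RSSI_MIN_DBM) { g->hits = 0; return; }  /* too far away */
    if (g->hits < HITS_REQUIRED) g->hits++;
    g->last_ok_ms = s->t_ms;
    if (g->hits >= HITS_REQUIRED) g->allow = true;
}

/* Poll periodically; returns true while the fob should stay blocked. */
bool gate_block_fob(gate_t *g, uint32_t now_ms) {
    if (g->allow && now_ms - g->last_ok_ms > HOLD_MS) { g->allow = false; g->hits = 0; }
    return !g->allow;
}

/* Constructed sample data: the paired token approaches, then goes silent. */
static const sighting_t SAMPLE[] = {
    {1000, "AA:BB:CC:00:00:01", -85},  /* paired token, still far */
    {2000, "DE:AD:BE:EF:00:02", -40},  /* unrelated nearby device */
    {3000, "AA:BB:CC:00:00:01", -65},
    {3500, "AA:BB:CC:00:00:01", -60},
    {4000, "AA:BB:CC:00:00:01", -58},  /* third strong hit: allow */
};

/* Replay SAMPLE up to now_ms and report whether the fob is blocked. */
bool replay_blocked_at(uint32_t now_ms) {
    gate_t g = { "AA:BB:CC:00:00:01", 0, 0, false };
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        if (SAMPLE[i].t_ms <= now_ms) gate_on_sighting(&g, &SAMPLE[i]);
    return gate_block_fob(&g, now_ms);
}

int main(void) {
    printf("blocked: 3.6s=%d 4.0s=%d 9.001s=%d\n", replay_blocked_at(3600), replay_blocked_at(4000), replay_blocked_at(9001));
    return 0;
}
```

Matching on a device address alone can be spoofed, so a real second factor should authenticate the token rather than trust its identifier.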

Hello my dear friend, Weston Hecker! How can I find out more information about this project? I'm a pentester from Ukraine, I want to make/receive a copy of such a device. And make a newspaper/television report about the vulnerability of modern machine safety systems in Ukraine. How can I talk to you about this?

Hit me up on Twitter and message me, I will send you one :-) I will be demoing it in Las Vegas at DEF CON
https://www.defcon.org/html/defcon-25/dc-25-demolabs.html also talking about it in the Car Hacking Village.

Have a nice day