Hacking Toyota’s super duper fantastical secure rolling-code Key Fob.

A few hundred dollars + a few custom lines of code, that’s all it takes now to swipe a brand new vehicle off a driveway.
The system for locking and unlocking cars remotely is called Remote Keyless Entry (RKE), and it’s more complex than it might seem. Each button-press is unique, which prevents an attacker from simply recording you hitting the unlock button and playing it back later.
RKE systems use a rolling-code, which is highly regarded as the industry standard for keeping your vehicle “un-hackable”. The key fob and the car have a counter that increases each time a button is pressed. That way, a previously recorded button press will not be accepted.
But what if some of your key fob presses never make it to your car? Perhaps you’re out of range, behind thick glass, or just fidgeting with your keys, or perhaps someone with a nefarious motive is lurking and waiting to intercept the signal, or even easier, has access to your keys for just a few seconds. These button-presses move the counter on the key fob forward, but not the car. To prevent accidental button-presses from locking out car owners, RKE systems reset to the lower counter number if they detect that the fob has more button-presses than the car.
The reset system assumes that as long as the counter number on the fob is higher than the car's, it can't be a replay attack. But this means that codes captured before the reset occurred, which never made it to the car, would still be accepted. This is demonstrated in the next post, and it clearly proves that rolling-code RKE systems used by the biggest players in the automotive industry are extremely vulnerable and very easily exploited, perhaps just as vulnerable as the predecessor "static-code" type of key fob. If we can capture and replicate lock/unlock commands, we can also capture remote start commands.
Please note, we are not advocating the use of these devices to hack or break into vehicles, we are simply exploiting a vulnerability which is tightly and neatly kept under wraps from consumers, despite the issue having been brought to the attention of automotive manufacturers before.
www.tinytxs.com
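The counter logic described above, written out as a small model so the acceptance rule can be checked rather than argued about. This is an added example, not code from the video, from TINYTX or from Toyota: the HMAC tag stands in for the fob's proprietary encryption, the window sizes are constructed, and the two-step resynchronisation variant is an assumption modelled on KeeLoq-style receivers, not a description of any shipped system. The scenario shows three things: a code the car already heard is rejected, a code the fob generated but the car never heard stays valid, and a receiver that logs counter gaps and demands two consecutive counters after a large jump narrows the exposure and produces a detection signal, but still accepts consecutive captured codes.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed demo secret; a real fob/car pair shares a per-vehicle key.
KEY = b"constructed-demo-key"


def make_code(counter: int, button: str) -> tuple[int, str, str]:
    """Fob side. The HMAC tag stands in for the proprietary encryption of the
    counter; the receiver only needs it to tell genuine frames from forged ones."""
    tag = hmac.new(KEY, f"{counter}:{button}".encode(), hashlib.sha256).hexdigest()
    return counter, button, tag


class Fob:
    def __init__(self) -> None:
        self.counter = 0

    def press(self, button: str) -> tuple[int, str, str]:
        # Every press advances the fob counter, whether or not the car hears it.
        self.counter += 1
        return make_code(self.counter, button)


@dataclass
class Receiver:
    """Car side as described in the post: the fob may be ahead of the car by up
    to `window` presses; anything at or below the last accepted counter is a replay."""
    window: int = 256
    last: int = 0
    gaps: list = field(default_factory=list)  # resync events: a detection signal

    def check(self, code) -> str | None:
        counter, button, tag = code
        if not hmac.compare_digest(tag, make_code(counter, button)[2]):
            return "bad-tag"
        if counter <= self.last:
            return "replay"
        if counter - self.last > self.window:
            return "out-of-window"
        return None

    def accept(self, code) -> bool:
        if self.check(code):
            return False
        counter = code[0]
        if counter - self.last > 1:
            self.gaps.append((self.last, counter))  # presses the car never heard
        self.last = counter
        return True


@dataclass
class TwoStepReceiver(Receiver):
    """Hardened variant (assumed, KeeLoq-style): a jump of more than `near`
    counters is only honoured when two consecutive counters arrive back to back."""
    near: int = 16
    pending: int | None = None

    def accept(self, code) -> bool:
        if self.check(code):
            return False
        counter = code[0]
        if counter - self.last <= self.near:
            self.pending = None
            self.last = counter
            return True
        if self.pending is not None and counter == self.pending + 1:
            self.gaps.append((self.last, counter))
            self.pending = None
            self.last = counter
            return True
        self.pending = counter  # hold the lone far-ahead code until its successor shows up
        return False


def scenario(receiver: Receiver) -> dict:
    """Constructed scenario: three normal presses reach the car, then the owner
    presses the fob 25 times out of range. Codes from that run are tried later."""
    fob = Fob()
    for _ in range(3):
        receiver.accept(fob.press("lock"))  # counters 1..3 delivered
    missed = [fob.press("unlock") for _ in range(25)]  # counters 4..28 never reach the car
    results = {}
    results["stale_replay"] = receiver.accept(make_code(2, "lock"))  # car already heard 2
    results["next_missed_code"] = receiver.accept(missed[0])  # counter 4: gap of 1
    results["far_missed_code"] = receiver.accept(missed[19])  # counter 23: gap of 19
    results["far_successor"] = receiver.accept(missed[20])  # counter 24, consecutive
    results["gaps_logged"] = list(receiver.gaps)
    return results


if __name__ == "__main__":
    print("simple receiver:  ", scenario(Receiver()))
    print("two-step receiver:", scenario(TwoStepReceiver()))
```

The `gaps` list is the part a defender can act on: a receiver that records when the counter jumps knows that presses went unheard, and a vehicle telematics or diagnostic path could surface that, while the two-step rule only turns a single captured far-ahead code into a rejected one. Neither change removes the underlying issue, which is that a valid code is not bound to the moment it was sent; that needs a challenge-response or clock-bound design, as one of the comments below points out.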

Comments: 74

  • @jaosix
    @jaosix a year ago

    aight guess I'm sticking to physical access now for my Toyota haha

  • @trelauney
    @trelauney a year ago

    Technically, it's easy to make the codes much more secure: tie both ends into an accurate clock. But that means the user can't easily replace their own fob battery, among other things. At least ignition is a lot more secure.

  • @tinytx
    @tinytx a year ago

    Yes very true! But we’ve actually demonstrated on our Instagram page starting the car remotely using the same method!

  • @nickhackett5643
    @nickhackett5643 a year ago

    Are you familiar with how newer proximity unlock key fobs work, the ones that don't require you to press a button but rather unlock the car as soon as you get near it automatically? Is there some sort of more proper handshake? Also, how many valid codes does the vehicle hold on to at a time? If I was out of range of my vehicle and pressed the unlock button 200/2000/however many times, would the car think the code was invalid because the counter in the fob is so far ahead of the car?

  • @ForgedEggs
    @ForgedEggs 11 months ago

    The Passive Keyless Entry systems work on 2 different wireless systems. First, when you touch the handle, the car sends out a 315 kHz RFID signal which the fob sees and responds to with an open command at 433 MHz (315 MHz in the US).

  • @JohnSmith-zn3js
    @JohnSmith-zn3js 11 months ago

    I could be wrong (won't be the first time or last for sure!) but I was under the impression that rolling codes are specific and in order, hence the reason you can replace the battery without the fob needing to be reprogrammed. There is a list of codes but you can actually send a bunch of false codes and the vehicle will revert back to the initial base code it starts with. Regardless this is a good video. More important to me is, where did you get that HackRF?!?! I love that yours has a potentiometer/knob separate from the selecting buttons! Mine is consolidated and I'm NOT a fan. Is that an aftermarket unit?? And as mentioned in other comments, the Flipper is a cool gadget but by no means new tech.

  • @tinytx
    @tinytx 11 months ago

    Hi! Yes it’s an aftermarket version, they’re actually available on Amazon. Loaded with MAYHEM and everything, much better than stock version IMO.

  • @JohnSmith-zn3js
    @JohnSmith-zn3js 11 months ago

    @TINYTX INC. Sweet! Thanks for the info. Will definitely have to check those out. Can always use a spare!!

  • @Steliosgiannatos
    @Steliosgiannatos a year ago

    Since the release of the Flipper Zero everyone is going crazy thinking these attacks are brand new. By the way, I saw a comment regarding desyncing the fob. How come it does not affect it? Awesome video!

  • @tinytx
    @tinytx a year ago

    That's right, they've been around for years, just with different tools. If you desync the fob the vehicle will no longer recognize the fob, but codes can be captured and stored for later; you can capture hundreds or even thousands and store them for use at your leisure.

  • @OxaudioPhilly
    @OxaudioPhilly a year ago

    I can tell you on the Ranges they are cutting out a section on the body to gain access to the CAN bus lines, same with new Toyota/Lexus vehicles…

  • @dimitridimitri8740
    @dimitridimitri8740 a year ago

    Thanks for the interesting video. What is the average or maximum receiving distance from keyfob to HackRF in urban conditions? You also press the button for a long time. In real life, the owner of the car just clicks one time and that's all. Does this SDR simply send the same code that it received, or can it also modify it? For instance, if the SDR accepted the signal "lock", can it send the signal "unlock"? How to deal with that?

  • @tinytx
    @tinytx a year ago

    With different antennas you can extend range significantly, at the least tens of metres. Regardless of long press or short press the signal will be captured; I long press in the video to show the signal appearing on the waterfall of the analyzer for those watching. The SDR will only replay the captured signal, no modification done at all: if the received signal is lock, the SDR will play lock, same with unlock, car-start etc. The SDR cannot modify the signal, only replay the captured signal and that's all👍

  • @dimitridimitri8740
    @dimitridimitri8740 a year ago

    @TINYTX INC. So what are the practical ways of receiving the signal "lock" and sending the command "unlock", or getting an "unlock" signal that will really work? If the keyfob (keyless entry) is out of range, is it possible to copy that from 1-2 metres distance with SDR tools or a Flipper Zero? I know that some Russian devices can accept the signal lock and then send the command "unlock".. they are expensive. But they don't work on all cars.. Also, I got interested, how is it possible to bruteforce the rolling code cars? Are several devices needed?

  • @aky19832001
    @aky19832001 6 months ago

    What about when you touch the door handle and that unlocks. I never rest the key fob.

  • @user-dn9kk9qu5y
    @user-dn9kk9qu5y a year ago

    How do you transfer that copied signal into a remote?

  • @Blackscotti420
    @Blackscotti420 a year ago

    Where do you buy a device like that?

  • @ForgedEggs
    @ForgedEggs 11 months ago

    You've described the RollJam attack, which isn't Toyota specific so it's a little unfair to rag on them for that. Instead, rag on them for not properly using a CAN gateway in the RAV4 models. With a CAN injector and a little brute force to the inside wheel well you can hit the headlights with a CAN spike attack to unlock the doors and replay a key auth packet to start it.

  • @TheLostAdventuress
    @TheLostAdventuress 10 months ago

    No I tried

  • @crsv7armhl
    @crsv7armhl 8 months ago

    He also neglected to mention that RollJam only gets you one good code, which is only valid *if* you use it before the keyfob is used again. Key windows are a thing; and as soon as the fob is used again, which has a code ahead of the one you got, your code is invalid. RollJam is a fun concept but not practical. There are other, easier techniques.

  • @letsgetto1millwithoutvids
    @letsgetto1millwithoutvids a year ago

    I know someone who developed an even more secure security system than rolling codes; they said they will make a video about it soon.

  • @reillydunn7151
    @reillydunn7151 5 months ago

    awesome

  • @aerochicc
    @aerochicc a year ago

    Does turning the signal off while out of the vehicle work?

  • @tinytx
    @tinytx a year ago

    Yes, one needs to only be a few metres away; depending on the antenna used you can be even tens of metres away.

  • @jerryosoa3427
    @jerryosoa3427 a year ago

    First I want to say very good explanation. But you can only open and close the door and not start a vehicle that has a start button, right?

  • @user-wu6mc8es5w
    @user-wu6mc8es5w 2 months ago

    I think it makes sense because the key also has an immobilizer, which is not used to unlock the car but to start the ignition, so yeah, in theory you are able to open the car this way, but that device I think is not the same as a relay attack, which just extends the signal to start a vehicle. That is the biggest problem in case they want to steal your car. Basically, with keyless entry the best option is to turn that crap off until we really get a safe one. I have also installed one more special one; there is no way to start my car, it cuts the fuel pump and the whole ignition.

  • @ajbutch123
    @ajbutch123 5 months ago

    My pet turtle told me that the majority of 90s vehicles use a fixed code. I trust him though and he made a backup of my vehicle's fob just in case my dog steps on the lock button when I make a quick stop at a gas station... it's happened before!

  • @ramonmurillo300
    @ramonmurillo300 11 months ago

    You just blew my mind with this one👀 just got my flipper but I need this what's the link?

  • @labizcochadequeso
    @labizcochadequeso a month ago

    You can do this with a Flipper.

  • @bbankhead9576
    @bbankhead9576 a year ago

    So what you're doing with this device is you're stopping the signal from getting to the car, and then you save it and can use it later?

  • @tinytx
    @tinytx a year ago

    Yes, that’s what the device does👍

  • @alanh7285
    @alanh7285 a year ago

    Tip: Remove your antenna to produce cleaner signals that are close to the HackRF (receiver)

  • @musicmusic3646
    @musicmusic3646 8 months ago

    :D

  • @NeverGiveUpYo
    @NeverGiveUpYo 5 months ago

    Lock and unlock works, but can you start the engine?

  • @tinytx
    @tinytx 5 months ago

    On majority of models you can if you follow the same sequence of recording the “start” command.

  • @ignacioperezmares6342
    @ignacioperezmares6342 11 months ago

    How much would a device like that cost?

  • @grzegorzp.5734
    @grzegorzp.5734 a year ago

    You can't compare this security flaw to the static code.. With rolling code you need to either jam the car and sniff the keyfob, or get physical access to the keyfob itself. Both are more risky and complicated, and limited in use (depends on how many keypresses you manage to catch). With static code you need to capture the keyfob signal ONCE and you have unlimited access to the vehicle anytime you want. I'm not saying it's undoable with rolling code, but the statement that it's as insecure as static code is also an exaggeration. Much easier for thieves is to use the Bulgarian "Gameboy": not only does it open/close a car, it also starts the engine, and all of that WITHOUT any necessity of the keyfob even being close to the thief.

  • @tinytx
    @tinytx a year ago

    Good points made👌 thank you for sharing!

  • @Mattstar
    @Mattstar a year ago

    Doesn't this desync the fob?

  • @tinytx
    @tinytx a year ago

    No, it does not alter the fob in any way whatsoever!

  • @zipit-media
    @zipit-media 5 months ago

    I tried that on a car I have 2014 Kia Optima & 2010 Lexus 250h ... Nothing works

  • @sagetajr
    @sagetajr a year ago

    How much for this device?

  • @tinytx
    @tinytx a year ago

    We do not sell this device on our website but if you’d like one please contact us on Instagram @tinytransmitters you may also find clones of this device on AliExpress but please read the listing carefully, some clones have been reported to have severe issues.

  • @j9lorna
    @j9lorna 3 months ago

    Can one of these not capture and jam at the same time?

  • @tinytx
    @tinytx 3 months ago

    You cannot capture while you are deploying a jammer, as you'll inadvertently capture the jamming signal as well.

  • @anglerdanger7270
    @anglerdanger7270 a year ago

    What is this device called?

  • @tinytx
    @tinytx a year ago

    “HackRF Portapack”

  • @anglerdanger7270
    @anglerdanger7270 a year ago

    @@tinytx how can I learn how to use this device? Just KZread?

  • @NeonFreezePlaysGames
    @NeonFreezePlaysGames a year ago

    Wouldn’t the flipper zero also be able to do that

  • @tinytx
    @tinytx a year ago

    Yes just with slightly limited features and reach but absolutely👍

  • @johnw6648
    @johnw6648 a year ago

    Please, next time turn the car around so you are not filming into the sun.

  • @ipwnxdemonzz4223
    @ipwnxdemonzz4223 a year ago

    This does work for rolling code, does it?

  • @tinytx
    @tinytx a year ago

    Yes

  • @soapy5343
    @soapy5343 a year ago

    @@tinytx If the HackRF sends the signal and there is a new code, what happens to the key fob?

  • @tinytx
    @tinytx a year ago

    @@soapy5343 nothing! The handshake never occurred in the first place so the vehicle will authenticate the signal and accept it either way

  • @labizcochadequeso
    @labizcochadequeso a month ago

    @@soapy5343 In most cases the car and the original fob are desynced and this is a mess to solve. Don't play with important devices, use your spare car😂

  • @MrCtfx
    @MrCtfx 10 months ago

    No rolling codes?

  • @tinytx
    @tinytx 10 months ago

    There are rolling codes but we capture a set of codes using the device in the video while blocking the signal to the vehicle, so the vehicle just doesn’t have a chance to authenticate the code so it thinks it’s a code that has never been used before.

  • @brodicollins3657
    @brodicollins3657 10 months ago

    @@tinytx So where do you find these devices?

  • @brodicollins3657
    @brodicollins3657 10 months ago

    @@tinytx If you were going to buy them

  • @noimnotarobotcanubeleiveit7024
    @noimnotarobotcanubeleiveit7024 a year ago

    How about brute forcing codes until the car runs out of new codes?

  • @tinytx
    @tinytx a year ago

    This would not work, although this was a common attack on garage door openers back in the early 2000’s.

  • @marklongworth5313
    @marklongworth5313 a year ago

    How do you do it without the key fob tho???

  • @tinytx
    @tinytx a year ago

    You need access to the fob just one time for a few seconds, the codes are then copied and stored for later single-time use

  • @tinytx
    @tinytx 8 months ago

    @@ChucklesMcGurk most thieves do not want to steal the physical key as to not arouse suspicion, they just need to clone it quickly, that way they can come back at will without raising any alarms about missing physical keys.

  • @TechMechRandom
    @TechMechRandom a year ago

    Rolling codes can be brute forced.

  • @tinytx
    @tinytx a year ago

    Yup, they are not as secure of a system as has been touted.

  • @jasonpitts8395
    @jasonpitts8395 10 months ago

    Mercedes uses 2 frequencies with rolling codes.

  • @waveril5167
    @waveril5167 a month ago

    But nobody opens the car and then goes away?! If someone opens the cars they go inside and drive away? You can't steal a car when the owner is inside and driving lol

  • @markhollins2190
    @markhollins2190 a year ago

    Stop displaying our tricks😆

  • @stiv7170
    @stiv7170 a year ago

    I need a new HC… vrooms for days

  • @tinytx
    @tinytx a year ago

    😂😂😂