Steal That Car in Sixty Seconds
Introduction
Cars are everywhere and they are being upgraded with new technology as often as any other device we use. Taking some inspiration from the movie Knight and Day, let's talk about how to communicate with the remote device used to open and start a newer car.
FREE role-guided training plans
Car
While cars still use the normal manual keys, we are finding that increasingly people are using a smart key that will both open and start the car.
Car Remote, Picture 1
Car Remote Breakdown(Chip SMC918-4), Picture 2
Problem
For this problem, we will discuss how we can capture data delivered from a car remote, and use that to open a car. We can accomplish this using some inexpensive hardware.
Attack
1. Receive the Data
To attack, there is some hardware that serves to receive the signal, and software used to analyze the signal sent by the car remote. Here we are using DVB hardware with an Elonics chip E4000 and using application SDRsharp to see its spectrum.
DVB with chip Elonics E4000 , Picture 3
After we prepared the hardware and software set with SDRsharp installed, we found that the the datasheet located on a chip car remote is hard to find on the internet. As a workaround, I tried to find the signal that transmitted by remote to the car manually using the Spectrum.
SDRsharp spectrum (Push Lock Button) , Picture 4
Pictured above is a form of spectrum when I pressed the lock button on the car remote.
SDRsharp spectrum (Push Unlock Button) , Picture 5
Pictured above is the image of the spectrum when I pressed the unlock button on the car remote.
Both pictures above have a different spectrum. This is because when the lock button is pressed, the remote sends a signal at 415.098.612khz or 415.098612Mhz frequency, When the unlock button is pressed, the remote sends a signal at 415.094.805khz or 415.094805Mhz frequency. The raw data that is sent roughly as shown below.
Raw Data Transmit, Picture 6
Illustration Receive Data , Picture 7
1. Car remote sending data to unlock, lock, and etc
2. Car responding and following the orders from remote to unlock , lock , and etc.
Note: If anyone wants to try to decode the transmitted data can be downloaded its soundwave here:
[download]
2. Sending fake data (Idea)
After getting information data that is sent from the car remote, we had the idea to create a device that sends data. But our problem is that it is hard to find a chip with frequencies that is used by that remote.
Components or devices to generate the carrier signal with the frequency used by the remote (410-433 MHz) and documentation on how to encode / decode the data.
Illustration Sending Fake Data , Picture 7
1. Car remote sending data to unlock, lock, and etc
2. Car responding and follow the orders from remote to unlock , lock , and etc
3. DVB sniffs raw data sent by the remote to the car
4. DVB Sending fake data to car
Conclusion
FREE role-guided training plans
The conclusion from the above explanation is that communication data that is sent using the frequencies can be captured and translated using inexpensive hardware. Even if we have skill in the Microcontroller, we can design and duplicate the remote with ease.
In this Series
- Steal That Car in Sixty Seconds
- The rise of ethical hacking: Protecting businesses in 2024
- How to crack a password: Demo and video walkthrough
- Inside Equifax's massive breach: Demo of the exploit
- Wi-Fi password hack: WPA and WPA2 examples and video walkthrough
- How to hack mobile communications via Unisoc baseband vulnerability
- How to build a hook syscall detector
- Top tools for password-spraying attacks in active directory networks
- NPK: Free tool to crack password hashes with AWS
- Tutorial: How to exfiltrate or execute files in compromised machines with DNS
- Top 19 tools for hardware hacking with Kali Linux
- 20 popular wireless hacking tools [updated 2021]
- 13 popular wireless hacking tools [updated 2021]
- Man-in-the-middle attack: Real-life example and video walkthrough [Updated 2021]
- Decrypting SSL/TLS traffic with Wireshark [updated 2021]
- Dumping a complete database using SQL injection [updated 2021]
- Hacking clients with WPAD (web proxy auto-discovery) protocol [updated 2021]
- Hacking communities in the deep web [updated 2021]
- How to hack Android devices using the StageFright vulnerability [updated 2021]
- Hashcat tutorial for beginners [updated 2021]
- How to hack a phone charger
- What is a side-channel attack?
- Copy-paste compromises
- Hacking Microsoft teams vulnerabilities: A step-by-step guide
- PDF file format: Basic structure [updated 2020]
- 10 most popular password cracking tools [updated 2020]
- Popular tools for brute-force attacks [updated for 2020]
- Top 7 cybersecurity books for ethical hackers in 2020
- How quickly can hackers find exposed data online? Faster than you think …
- Hacking the Tor network: Follow up [updated 2020]
- Podcast/webinar recap: What's new in ethical hacking?
- Ethical hacking: TCP/IP for hackers
- Ethical hacking: SNMP recon
- How hackers check to see if your website is hackable
- Ethical hacking: Stealthy network recon techniques
- Getting started in Red Teaming
- Ethical hacking: IoT hacking tools
- Ethical hacking: BYOD vulnerabilities
- Ethical hacking: Wireless hacking with Kismet
- Ethical hacking: How to hack a web server
- Ethical hacking: Top 6 techniques for attacking two-factor authentication
- Ethical hacking: Port interrogation tools and techniques
- Ethical hacking: Top 10 browser extensions for hacking
- Ethical hacking: Social engineering basics
- Ethical hacking: Breaking windows passwords
- Ethical hacking: Basic malware analysis tools
- Ethical hacking: How to crack long passwords
- Ethical hacking: Passive information gathering with Maltego
- Ethical hacking: Log tampering 101
- Ethical hacking: What is vulnerability identification?
- Ethical hacking: Breaking cryptography (for hackers)
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
