Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Key fobs are a common way to open cars or even turn on cars now-a-days. My car does not even have a physical key hole anymore. With more technical integration, comes a larger likelihood of making a mistake though.

Key Fobs send a signal over radio in order to open the car or do something else. Because the data is sent over the air, it needs to be replay protected. It is common to use rolling codes in order to prevent replay attacks. This works by using a set algorithm and sending only values on this algorithm; the known place of the algorithm must be known.

The signal for the car uses Frequency Shift Keying (FSK). After decoding the values, the author noticed that the data being sent was the same every time. So, what would happen if we resent this signal? It just works!

The fob uses a header to sync to the car; this is so that multiple remotes cannot unlock the same car. Besides this though, everything else is completely constant. Once we know the identifier for the car, the code can be reconstructed to do other things than the original signal did!

As a result, somebody could be recording the key fob on the car for a lock request. Then, an attacker can modify the code to unlock or turn on the car. So, a single recording of anything on the car results in a complete compromise.

The authors tested this on 5 different cars, ranging from 2009 to 2020; but, it is assumed that all cars using the key fobs are vulnerable. Honda/Acura has refused to comment on this, even though the author tried to reach out all the way back in 2019. Hopefully the 2021+ models use rolling codes and are more secured.