
Hacking Baby Monitors and Key Fobs for Fun

By Max Eddy, Former Lead Security Analyst


While the rest of Black Hat buzzed with phrases like "planar homography" and "bitcoin botnets," Silvio Cesare's presentation had more of an old-school hobbyist feel to it. His talk was all about the experiments he did hacking and reverse-engineering baby monitors, home security systems, and car key fobs. If you ever wanted to learn how to have a lot of fun with radio gear, this was the talk to attend.

Hack All the Radios
He began with baby monitors, explaining how to find the frequency a monitor transmits on, capture the transmission with a software-defined radio (in essence an antenna and an analog-to-digital converter that hand raw radio samples to a computer, where software does the tuning and filtering), demodulate the signal, and then listen to what is being broadcast.

Fun fact: most baby monitors transmit constantly. The apparent silence comes from the receiver, which applies a preset volume threshold and only plays audio that exceeds it; the audio is on the air whether or not the receiver is playing it.
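To make the capture-demodulate-listen chain concrete, here is an added example (not code from Cesare's talk or from the original article) that models an always-on AM baby-monitor link in pure Python: a constructed transmission with a constant carrier carrying half a second of a tone followed by half a second of silence, an envelope demodulator standing in for the SDR software, and the receiver's volume threshold applied afterwards. The sample rate, carrier frequency, modulation depth and threshold are assumptions chosen so the arithmetic is exact, not values from any real monitor.

```python
"""AM baby-monitor link: demodulate an always-on carrier, then apply the
receiver's volume threshold (squelch). Added example; pure Python, no SDR."""
import math

SAMPLE_RATE = 48_000   # Hz; assumed rate for the constructed signal
CARRIER_HZ = 4_000     # Hz; assumed, so one carrier period is exactly 12 samples
TONE_HZ = 440          # Hz; stands in for a sound the monitor picks up
DEPTH = 0.5            # AM modulation index of the constructed transmitter


def am_modulate(audio, carrier_hz=CARRIER_HZ, fs=SAMPLE_RATE, depth=DEPTH):
    """Transmitter model: the carrier is always on; audio rides on its amplitude."""
    return [(1.0 + depth * a) * math.cos(2 * math.pi * carrier_hz * n / fs)
            for n, a in enumerate(audio)]


def envelope_detect(rf, carrier_hz=CARRIER_HZ, fs=SAMPLE_RATE):
    """Demodulator: rectify, then average over exactly one carrier period so the
    carrier cancels and only the (scaled) envelope remains."""
    period = fs // carrier_hz
    rect = [abs(x) for x in rf]
    out, acc = [], 0.0
    for n, x in enumerate(rect):
        acc += x
        if n >= period:
            acc -= rect[n - period]
        out.append(acc / period)
    return out


def squelch(baseband, fs=SAMPLE_RATE, block_ms=10, threshold=0.05):
    """Receiver model: per block, strip the DC level left by the carrier, measure
    the RMS of what remains and only 'play' blocks above the volume threshold.
    Returns a list of (rms, audible) per block."""
    block = fs * block_ms // 1000
    decisions = []
    for start in range(0, len(baseband), block):
        chunk = baseband[start:start + block]
        mean = sum(chunk) / len(chunk)
        rms = math.sqrt(sum((x - mean) ** 2 for x in chunk) / len(chunk))
        decisions.append((rms, rms >= threshold))
    return decisions


def demodulate_and_gate(rf, threshold=0.05):
    """The eavesdropper's chain: demodulate everything, then decide what the
    legitimate receiver would have played."""
    return squelch(envelope_detect(rf), threshold=threshold)


def constructed_transmission(seconds=1.0, fs=SAMPLE_RATE):
    """Constructed input: half a second of a 440 Hz tone in the nursery, then
    half a second of silence. The carrier stays on throughout."""
    n = int(seconds * fs)
    audio = [math.sin(2 * math.pi * TONE_HZ * i / fs) if i < n // 2 else 0.0
             for i in range(n)]
    return am_modulate(audio)


if __name__ == "__main__":
    blocks = demodulate_and_gate(constructed_transmission())
    played = sum(1 for _, audible in blocks if audible)
    print(f"{played} of {len(blocks)} blocks of 10 ms exceed the receiver threshold")
    print(f"tone block rms {blocks[10][0]:.3f}, silent block rms {blocks[90][0]:.6f}")
```

The demodulated envelope is non-zero in every block, because the carrier never stops; the threshold is purely a receiver-side convenience, which is why a listener with their own demodulator can hear whatever the monitor's microphone picks up regardless of how the receiver's squelch is set.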

Building on his work with baby monitors, Cesare turned to consumer-grade home security kits available from any hardware store. Nearly all of these, Cesare explained, use a remote key fob to arm and disarm the alarm. By capturing the fob's radio traffic, Cesare could record the codes it transmitted; the next step was building a device that re-transmits them, the aptly named replay attack.

How much did such a device cost? About $50, the price of a Raspberry Pi and an Arduino microcontroller.

We Have to Go Deeper
The home security systems were susceptible to a replay attack because each key fob function was sent as the same fixed code every time. The remote key fobs used for cars are smarter. Cesare found that these fobs transmit a three-part signal: an identifier, a command (such as lock or unlock), and an authorization code. The first two parts are static, but the authorization portion is a rolling code generated by the fob that changes with each press, which is what defeats a straightforward replay.

Cesare came up with a number of ways to defeat this system, but first he had to build a button-pushing robot so he could capture an enormous dataset of key fob codes and run a variety of analyses on it. He found a weakness in the fob's pseudo-random number generation that let him predict the next code after observing two presses of the button, but he wanted a method that didn't require seeing any button presses at all.

Instead, he worked out the constraints on the number generation and found that they left just under one million possible codes. That's a lot, but small enough to brute-force over the air in about an hour.
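The contrast between the hardware-store alarm and the car fob, and the fallback to brute force when the code space is small, is easiest to see side by side. The following is an added simulation, not Cesare's tooling or any vendor's protocol: a fixed-code fob whose captured frame replays successfully, and a rolling-code fob whose captured frame is dead after one use. The rolling code generator (a keyed Feistel permutation of a press counter), the 20-bit code space of about one million values, the 256-code look-ahead window, the fob identifiers and the key are all assumptions chosen to illustrate the mechanism; real fobs use their own schemes.

```python
"""Fixed-code alarm fobs versus rolling-code car fobs: replay and brute force.
Added example; simulation only, no radio involved."""
import hashlib
import hmac
from dataclasses import dataclass

AUTH_BITS = 20                  # assumed: 2**20 = 1,048,576 possible codes
AUTH_SPACE = 1 << AUTH_BITS
HALF_BITS = AUTH_BITS // 2
HALF_MASK = (1 << HALF_BITS) - 1
WINDOW = 256                    # assumed look-ahead for presses made out of range


@dataclass(frozen=True)
class Frame:
    """The three-part signal: identifier, command, authorization code."""
    fob_id: int
    command: str
    auth: int


class FixedCodeFob:
    """Hardware-store alarm fob: the same code on every press."""
    def __init__(self, fob_id, code):
        self.fob_id, self.code = fob_id, code

    def press(self, command):
        return Frame(self.fob_id, command, self.code)


class FixedCodeReceiver:
    def __init__(self, fob_id, code):
        self.fob_id, self.code = fob_id, code

    def accept(self, frame):
        return frame.fob_id == self.fob_id and frame.auth == self.code


def _round(key, rnd, half):
    data = bytes([rnd]) + half.to_bytes(2, "big")
    digest = hmac.new(key, data, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "big") & HALF_MASK


def rolling_auth(key, counter):
    """Hypothetical generator: a 4-round keyed Feistel permutation of the 20-bit
    press counter. Being a bijection, distinct counters never share a code."""
    counter %= AUTH_SPACE
    left, right = counter >> HALF_BITS, counter & HALF_MASK
    for rnd in range(4):
        left, right = right, left ^ _round(key, rnd, right)
    return (left << HALF_BITS) | right


class RollingCodeFob:
    def __init__(self, fob_id, key):
        self.fob_id, self.key, self.counter = fob_id, key, 0

    def press(self, command):
        self.counter += 1
        return Frame(self.fob_id, command, rolling_auth(self.key, self.counter))


class RollingCodeReceiver:
    def __init__(self, fob_id, key, window=WINDOW):
        self.fob_id, self.key, self.window = fob_id, key, window
        self.last_counter = 0
        self._refresh()

    def _refresh(self):
        # Codes accepted next: the window tolerates presses the car never heard.
        lo = self.last_counter + 1
        self.valid = {rolling_auth(self.key, c): c for c in range(lo, lo + self.window)}

    def accept(self, frame):
        if frame.fob_id != self.fob_id or frame.auth not in self.valid:
            return False
        self.last_counter = self.valid[frame.auth]   # this and every earlier code is dead
        self._refresh()
        return True


def brute_force(receiver, fob_id, command="unlock"):
    """Attacker with no key and no captured presses: try every authorization
    value until the car opens. Returns (code that worked, attempts used)."""
    for guess in range(AUTH_SPACE):
        if receiver.accept(Frame(fob_id, command, guess)):
            return guess, guess + 1
    return None, AUTH_SPACE


def demo(key=b"constructed-demo-key"):
    """Run both attacks against constructed devices and report what happened."""
    alarm_fob, alarm = FixedCodeFob(0xA5, 0x3C7), FixedCodeReceiver(0xA5, 0x3C7)
    sniffed = alarm_fob.press("disarm")
    fixed_replay = alarm.accept(sniffed)            # replay of a fixed code: works

    car_fob, car = RollingCodeFob(0x1234, key), RollingCodeReceiver(0x1234, key)
    sniffed = car_fob.press("unlock")
    legit = car.accept(sniffed)                     # the owner's press: works
    rolling_replay = car.accept(sniffed)            # same frame again: dead code
    code, attempts = brute_force(car, 0x1234)
    # The guessed code moved the car's counter past the real fob, which now sits
    # below the window; this model has no resynchronisation step.
    owner_after = car.accept(car_fob.press("unlock"))
    return {"fixed_replay": fixed_replay, "legit": legit,
            "rolling_replay": rolling_replay, "brute_force_code": code,
            "attempts": attempts, "owner_after_attack": owner_after}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>20}: {value}")
```

Two things the simulation makes visible that the prose only implies. First, a receiver that tolerates missed presses accepts any of `WINDOW` codes at once, so a blind attacker expects to succeed after roughly `AUTH_SPACE / WINDOW` guesses rather than half the space; the article's figure of just under a million codes in about an hour works out to a few hundred transmissions per second even without that help. Second, a successful guess consumes counter values, so the owner's real fob is left behind the receiver's window, a side effect the attacker may or may not care about but the owner will notice.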

One surprising discovery Cesare made while broadcasting thousands of possible key fob codes was that his target car had what amounted to a built-in backdoor: certain codes worked every time, then stopped working after about a week. But probably the most entertaining part of this attack was Cesare's homemade Faraday cage, built out of aluminum-lined freezer bags.

The Fun of Hacking
Part of the hobbyist element of Cesare's presentation was not only that the entire operation was homemade, but that it was certainly not the straightforward way to hack these devices. It would probably have been infinitely easier to tear down the car's key fob than to analyze its over-the-air utterances.

But that's not really the point, I don't think. Cesare's presentation was about security, yes, but it was mostly about the satisfaction that can be had from working on a problem. That might be one message that gets lost amidst Black Hat's cavalcade of zero-day this and exploitable vulnerability that.

Image via Flickr user Michael Hicks
