I Hacked Into My Own Car
ฝัง
- เผยแพร่เมื่อ 2 ธ.ค. 2020
- The first 100 people to go to blinkist.com/stevemould will get unlimited access for 1 week to try it out. You'll also get 25% off if you want full membership.
Gaining unauthorised entry to someone else's car is illegal. Jamming is illegal in the UK. It might be illegal where you live too.
Car key fobs transmit a binary code to the car over radio. If the car recognises the code it unlocks. There are various systems in place to make that process secure. This video is about the way vulnerabilities in those systems can be exploited. Including replay and rolljam attacks.
"but most of all, Samy is my hero"
You can buy my books here:
stevemould.com/books
You can support me on Patreon here:
/ stevemould
just like these amazing people:
Nathan Williams
Matthew Cocke
Glenn Watson
Mark Brouwer
Joseph Rocca
Joël van der Loo
Doug Peterson
Yuh Saito
Rashid Al M
Paul Warelis
Will Ackerly
Marcel K
Twitter: / moulds
Instagram: / stevemouldscience
Facebook: / stevemouldscience
Buy nerdy maths things: mathsgear.co.uk - วิทยาศาสตร์และเทคโนโลยี
Let's just pretend this worked flawlessly the first time.
The sponsor is Blinkist: The first 100 people to go to blinkist.com/stevemould will get unlimited access for 1 week to try it out. You'll also get 25% off if you want full membership.
What are you talking about of course it worked the first time :)
Lmao
Someone hacked your video, too
No worries.
I got the notification the second time, so you got that going for you. I know sometimes TH-cam punishes people for re-uploads to fix something. You got it re-uploaded pretty quick.
1:00 Nice detail on the Bmw parking hahah
̣
I died 🤣
Mini is owned by BMW.
you beat me to it by like 20 seconds... the timestamp is nice though
+
I also have no idea what I'm doing most of the time.
With all your great research on the topic, how much time is spent coming up with the cool project names vs the actual coding? Rolljam, Magspoof, PoisonTap, Glitchsink...etc. 50/50, right?
samy is my hero
samy is my hero
I’m now imagining a Mr Magoo like scenario where someone just stumbles upon vulnerabilities
I'm not a fancy security expert like you, but I am a software developer working on a web-based fintech app, and... yes, can confirm, a large portion of any development/IT/tech is just trial and error. And lots of banging your head against a desk trying to figure out why the debug output doesn't match what you expect 😂
I love how you can tell he genuinely enjoys doing this. The smile, the laugh, the energy. Keep up the work!!
I just discovered your channel today and already watched two hours of your videos I mean amount of the research and effort you put in each of your video is impressive... Really appreciate what you are doing..
6:48
"I tweaked some variables, I didn't have a clue what I was doing, but I noticed that it changed things"
- said almost every engineer at some point. That's how you make discoveries! I love your videos, Steve :D
He pretty much summed up my job there... And according to my resume I know what I am doing :P
That's just called debugging
It's like I'm back in my matlab class... **stares of into space due to painful memories**... good times lol
Yep. The real work is going back and figuring out what part of the five different variables you tweaked in "throw everything at the wall until something sticks" mode that made the difference.
"Huh, my code work, and I have no idea why." said the greatest engineer I know.
I like how the poorly parked car was a BMW, that made me laugh.
It's funny cos it's true
Its ironic because Mini is BMW.
Typical
Seeing this comment first then finding the BMW made me laugh.
I laughed as well then I remembered I drive a bmw and also can’t park.
A big advantage of Manchester encoding is that every bit guarantees a transition. This means that your signal contains the data and the data rate clock. As you mentioned that the fob can't maintain a consistent transmit frequency, the same is true for the data clock. Manchester allows the receiver to synchronize the data rate. Also, the transmit signal likely starts with the same start byte (most commonly AA or 55) to allow that receiver to lock onto the signal (timing wise) and also adjust its gain (AGC).
This is important for magnetic strip credit cards, as an example. The card reader needs to know how quickly you're swiping the card and it uses a standard starting sequence to synchronize. It doesn't matter how fast you swipe the card (within reason) as long as you don't vary the speed and the whole strip goes through the reader.
@@theodoric4270 i always thought this was dumb since maintaining a constant velocity is not always easy. I think a better system is either to use two tracks with a clock track or a second magnetic polarization axis. But magstripe is slowly dying anyway...
@@donaldviszneki8251 it worked well enough, and that's always going to be the standard to hit. When magstripes fail it tends to be from demagnetization or it physically chipping off rather than a rate error
From a security standpoint, a lot of the RFID upgrades for credit cards and badges just became "Spooky replay vulnerabilities at a distance" rather than proper challenge/response implementations
Great video! Thanks.
It’s worth pointing out that looking at a chip under a microscope to reverse-engineer it is pretty challenging, although not technically impossible if you use mechanical-chemical polishing.
Back in 1995 (or thereabouts) when my company at the time was working with something like 2-micron fabrication technology, I was able to diagnose a power-drain by eye-droppering a liquid-crystal solution onto a chip to find the hot spot on the chip. However, even at 2 microns, the image was pretty blurry. 2 microns is about 4 times the smallest wavelength for visible light, so it’s possible, but difficult, to image the chip.
Nowadays though, when the features approaching 1/100 the shortest wavelength of visible light, you pretty much have to use electron microscopes, which only show you the surface. So, to see the internal structure, you have to extremely precisely polish off layer by layer, re-imaging each layer. That’s definitely possible, yes, but very difficult.
I understand some of these words.
Your sir are a smart cookie. But I'm sure you know that. Thanks for the information. For reasons I do not have the ability to explain. The fact that wavelengths have lengths and how they react to specific objects at different sizes escaped my knowledge. I can confidently say it will not escape it again, at least for another 15 years. So thanks
@@dorjanhajdari2670, thanks. Well, experienced anyway…
I had a guitar teacher a few eons ago who said, “not sure I’m ‘experienced,’ but I have had a lot of experiences!”
@@mr88cet Clever teacher! I love how he defines what he seems to contradict only to prove it true through his definition.
X-ray it. Stitch the images. Make a circuit diagram and analyze. Voila. I did this as a project in an EE grad class.
Remember: never park your car next to someone in a hoodie and with a laptop
Just run him over instead
Even if he reserves the spot for you on a busy day?
Specially not someone who looks like the villain in a horror movie like at 1:22 :)
... But the hacker with the hoodie and laptop is in the passenger seat, trying to gather WPA PMKIDs... Do I just not park?
EDIT: Instructions unclear; vehicle is now in lake and hacker is very angry about his laptop getting soaked. Something about SSH keys being irreplaceable?
Remember: don't judge a book by it's cover.
How to recognize a passionate person? If you approach him with the smallest achievement in his field, he instantly goes "That's great! How does it feel?".
Samy is my hero.
Sounds like the whole Kerbal Space Program community
@@carchocolate93 ya
Really ought to be a word for this wonderful opposite of gatekeeping.
@@carchocolate93 yup
Hehehe! I love the hacker face in the dark. :D The green lighting for the call was pretty cool too.
Interesting how far back you have to go for all this. Keys were already code-hopping before the end of the 90s, I think, and your Mini had rolljam projection in 07. I put an aftermarket remote on my Peugot 309 around 03, but I didn't care if it was a good one because it was an 80s 5-door hatch & not even the latest model. Bit of a street sleeper, that one; remarkably fun to drive.
Your explanations are incredibly engaging and interesting! Thank you so much for inspiring my curiosity :)
"I'm in my car! Amazing."
@@EternamDoov awhhh
lmao
I'm in my mum's car. Brum brum
😂.
me 2
that "hacker sitting in the dark in a hoodie" cliche was so well done. love it.
Doesn't it have proven psychological causality?
Me too 👍
This video is as entertaining as it is informative! enjoyed watching and learnt some seriously interesting tech stuff, thankyou!
Samy is the man. been following his work for years. related, LTC (timecode used to sync audio/video dual system or multiple cams in production) is essentially manchester encoded as well. i have had to actually manually decode it by looking at the bits before lol. silly thing to have to do but it works in a pinch. so if you are syncing your cam using timecode, you may have been using it all this time.
"What this demonstrates really well is that I have no idea what I'm doing." XD
Thats me every day in online school lol
He nailed that so well on the comedic spectrum.
Hilarious!
*fairly
Me during chemistry class be like
:D That double spot taking BMW made me laugh!
I clearly saw that it was a bmw and parked like that, but the joke didn't register in my head for some reason lmao
Ironically, Mini is owned by BMW and is usually driven by women.
@@SangheiliSpecOp it is like when you see something so many times your brain ignores it because it is the norm
@@Leo-zt7fo do you have any sources on those car ownership demographics?
@@SentientTent the picture on 1:00 has a tiny BMW logo on the badly parked car.
Great video interesting content and presentation and also nice editing on the ahh ffff.. moment when the aerial fell off the table!
Thanks for sharing and Samy is a legend no doubt.
1:00 BMW is the Apple of cars,
Their motto is “park different”
You know Mini is actually a BMW automobile?
Ahh thanks. I thought he made a jab at BMW drivers for parking recklessly which doesn't ring completely untrue in my experience
@@joepbeusenberg Well, yes and no. Yes, as in the company BMW, but no as in the BMW brand. Mini is not part of the BMW brand.
@@DirtyPoul but you will find many components of a mini have bmw on them? Infact the same parts that fit on some of the BMW range.
@@stuartd9741 Yes, of course. Some of the cars share the same platform, so that's to be expected. But that doesn't mean that Mini is part of the BMW brand. It's a separate brand owned by the company BMW. That's what I meant.
To anyone wondering and for the sake of saving history,
This video was reuploaded, because on the first upload it did not have sound in the moments of talking with Samy
Thank you, I was wondering
yeh
Same, thanks
Thank you love you
10:19 I think it would have been good to mention here how jamming works in this case. If you are sending out a jamming signal to the car on the broad spectrum, you are not jamming the airwaves so much as you are jamming the equipment. You are causing the car to process useless signals - meaning that the car has no processing power left at that time to process the real signal. You are essentially flooding the car with bad signals, keeping its computer occupied while you listen out for the good signal.
Sounds similar to a DDOS attack?
Actually it has little to do with processing power. The signal you are jamming with is basically noise to the car, and if that noise is "louder" that the actual signal from the key, then all the car "hears" is that noise. It's like trying to have a conversation next to a jet taking off - your voice and the jet engine emit different frequencies, but since your ears listen to the whole frequency range, the jet completely overpowers, but a microphone with a frequency response tuned to the frequency of your voice could hear you.
Thankyou. This is good stuff.. covered many things in just 20min.
"Authorities report nationwide wave of smashed car windows. Suspects say 'Steve told me it was easier'".
Or just collect the keys from the fishbowl party
Instructions unclear: I have opened my microwave with a skoda car key.
I managed to open my microwave e by downloading app to unlock microwaves.
Just run the app and boom! Now you can open microwave doors without any key :) bluetooth may be needed tho
I'd rather drive a microwave than a Skoda.
@@N.I.R.A.T.I.A.S. i will microwave a drive than a skoda
I unlocked my car with microwave. No need to use keys!
😂 happy frozen fooding!!
OMFG THS IS AN EPIC COMMENT THREAD!!
a syncronised clock was actually one of the first solitions I thought of! was very satisfying when it was also presented in the video.
thanks for the video, was really helpful!!
Thank you, stole my first car today :)
oh no.
Oh yyyyyyy
Nice dude! Hope you get more cars soon!
Lol
Just unlocking a car is not enough.
Steve Mould : i hacked into my own car
Robber : i hacked into Steve Moulds car
Mark Rober: I hacked into Elon Musk's car (to save the world)
It would be a burglar as a robbery would only take place if you were in the car 😁
@@matthewkambic4939 Burglary is specific to thievery in buildings. And either the way, the comment states nothing concerning thievery. So it would only be a hacker. But if the hacker stole the car, he'd be a car thief and he'd be commiting grand theft auto
Dude, way to be a prick.
@@marksworkshop8724No one's being a prick😂 I swg, people wanna make drama out of anything and everything. @Matthew Kambic, did you feel like I was tryna be a prick towards you?
I love that you blurred out your key bitting in the opening scene.
Even funnier that he didn't blur it in all the other shots
Awesome channel just subscribed let the binge watching begin 😂👍✌️😎
Steve be like "click out of mouse, W is binding.."
I understand that reference, and am glad to see another man/woman of culture
Nose picking lawyer
Car-Jacking lawyer...
blood curdling lawyer
I have worked for two different US companies that develop software-defined radios for commercial and government customers. Your opening explanation of rolling codes was fantastic (far outstripping the initial explanation I received when working on our rolling codes project, despite being like 2 minutes long compared to an hour-long briefing at work). Thank you for your dedication to science communication and bringing these awesome aspects of science to the fore!
Therea missed part in rolling key explanation. Someone cover that plz lol
dalai lama once said:
if you need an hour to explain something, you know jack sh**...
@@pahvalrehljkov in things like business related videos, they artificially inflate the information to fill a certain amount of time. Because the person creating the presentation isn't gonna get shit for a two minute presentation compared to one that looks like he put more effort into it. Even if it's better for everyone if it's short.
Alright, I never ever bother to leave a comment but THIS video was so fun, informative, engaging and most of all so damn easy to follow for a beginner like me, hats down! I'm just starting my journey of learning how to program and code, researching fields that I'd like to focus on in the future, you've inspired me to pursue cybersecurity engineering! Big thanks!
When i saw that car park situation i had to pause for a few minutes for the giggles to go away. 😆
Thank you very much, i needed that.
1:00 Love the very realistic view of the parking lot🤣🤣
savage
I love how passionate you are explaining the process and what you discovered. Nice video!
your channel is amazing man :)
Really, interesting, Steve. Great video.
That video was absolutely fascinating. I'd never really thought about how these keyfob systems actually work; somewhat ironically, as I'm a fairly decent electronics repair tech and have fixed plenty of car keyfobs in the past!
I love that this covered your whole thought process from the ground up, rather than just stating information. Top notch stuff!
0:54 absolutely lost it at that graphic! Well played!
I like how all you have to do to be a hacker is have a hoodie. :D just discovered your channel, great content. subscribed!
THANK YOU for showing all the attempts that didn't work. It's sooo important to show that success requires work.
Who cares?
@@yackfou2412 most people who are curious
This was super interesting once again, Steve. I really value the _variety_ on your channel.
I'm like you, I find EVERYTHING (potentially) interesting.
The lighting is awesome ❤️
You could exchange with the car to get the current RTC time, and reduce cost.
It would also prevent changing the time on the keyfob into the future.
That is most accurate depiction of a car park I've ever seen @1:00
Steve does realize that Mini is made by BMW right? 😂
Doesn't matter though, does it?
Awesome demonstration of working and security features of car keys and great way to point out the loopholes in simple terms.
Great work.
First time watching this channel. Loved ur work.
👍
One of the best TH-cam channels I've subscribed to.
1:18 I liked for this scene alone. YOU LOOK SO SINISTER. That's textbook villain material right there.
5:57 That’s soooo Mr. Bean moment!!!! 😂😆🤣
it made my day actually xD
You’re right
Social engineering:
Use your SDR to be receiving. Make an app or script or whatever, so that every time a signal is received it plays an interesting sound clip. Each one is different, and after introducing it everyone will try theirs to see what noise it makes.
For example, having a party at home, say "watch this" and get out my key fob, show them when I press the button, an old-fashond "auuuuuga" horn sounds from the home theater sound system in surround sound. Much more dramatic than a laptop sound.
"Now try yours!"
Well shit. That's a very good idea that'd definitely get a lot of people to fall into the trap
I don't know about you but if I'm inviting people to my house for a party I'm not trying to steal from them haha. What kind of friends do you keep?
That's not really social engineering, that's just tricking your friends, also why you stealing from your friends?
@@simonseis744
_"That's not really social engineering, that's just tricking..."_
That's exactly what Social Engineering is:
"The use of deception to manipulate individuals into divulging confidential or personal information."
@@simonseis744 They don't necessarily need to particularly be friends though, this is the sort of attack someone could pull off by investing a few weeks infiltrating say a company so they can produce their party trick at the office Christmas party. Especially easy to pull off given how many companies hire temporary staff during the Christmas period which would give a would-be gang of car thieves a chance to infiltrate the employee social group.
This got me thinking about how car and key resynchronize after the key misses a code (another key is used or someone uses a laptop with a transmitter). Look up rolling code synchronization if you're interested!
Thanks for the very interesting video. One question, the part when you talked about when the hacker jams the signal and having the second box monitor the frequency to be able to get into the car. I was thinking, if the signal is jammed before the driver gets out of their car . When the driver presses the lock button on the fob the car is not going to get that signal and remain unlocked. That is, for a period of time before it auto locks. If the driver did not notice that the car did not lock a potential thief could just walk up to the car and open the door and take whatever was in there.
0:59 That a-hole BMW is a nice touch lol
That's BMW in its natural habitat
That face after he goes “I wasn’t expecting it to work first time”😂 I felt that😂
Tim Harford also hosts my favorite podcast: Cautionary Tales published by Pushkin Industries. Totally unsolicited recommendation; it's really good
0:55...nice touch, Sir!! Nice touch, indeed!!!
Wait. I've seen this before..
Haha me too, missed somes sounds
But this is the first time I'm uploading it. Don't know what you're taking about!
@@SteveMould Second time worked a charm. First time I couldn't hear any of your chat or leave a comment? Posted before I saw this.
@Thu Nell Ⓥ I was trying to be funny. Failed at that too!
@Thu Nell Ⓥ he was joking. Check his community tab for more information :)
1:00 I love how you made the BMW occupy 2 spaces XD
After you did this first replay attack with your car outside the room, how does your car know to use the next code? Is it checking if the code is a solution to the algorithm you discussed earlier or is there something else going on? Great video, love the poorly parked BMW. I have a very similar history with BMW drivers!
My uninformed assumption is that the car has a sequential database of every valid code. Whenever it receives a new code it checks the database such that it is higher in the sequence than anything previously received.
That way if you press your key fob repeatedly while away from your car, the next time your car unlocks any codes prior are now invalid. If you tried a replay attack it would see it is a code from earlier in the database.
That is why it blocks two key presses then replays the first and records the second. It doesn't matter that the second code follows the first. You could block 10 key presses and replay the first, any of the next 9 will be valid.
This is so fascinating!
"but most of all, Samy is my hero"
Lol! I didn't realize it was *that* Samy! I still have that on my Facebook profile as an homage to that infamous Myspace hack.
For those who don't know, check out the Wikipedia page on Samy Kamkar or "Samy (computer worm)".
Samy is my hero
level of expertise: "actually that's manchester encoding"
Love your content bruh!
well hey, now we know too!
@@ms-fk6eb you're right!
you keeping in the fails is GENIUS!
My guess, the last bit is CRC check... Once you have that figured out, a bruteforcing would be somewhat easy, although you would have to be ready to stop the bruteforcing once is unlocked, else you end up re-locking it, or even turning the alarm on
I've seen this video already, but it has come up to me a few times and I came back here to say that I just can't deal with your face in the thumbnail! It cracks me up every single time like I'm a toddler. So thank you.
Can we just appreciate that this man is still rocking is Pebble in 2020. I finally dont feel alone
there are dozens of us! Dozens!
Me too! Woop!
Steve, great video! I have a question that might have been addressed in it: how does the key know if it hast to send the lock or unlock code? Does it get a confirmation from the car whenever one of those codes work?
Static code were almost never used, because they are not secure at all.
I like how you blurred the key out in the closeup but you can still easily see the cuts when you hold it up.
Halfway through I'm waiting for one of the other cars in the background to go *chirp chirp*.
Watching this is like actually doing a project that involves manipulating remote-control keys or key fobs. You have to get deeper and deeper into the specifics of the device you are trying to emulate. It can be sometimes thrilling and sometimes tedious.
It's ok to be completely lost, i think this is the real hacker's journey!
Not knowing anything at first and slowly building up knowledge!
Keep up the good work!! :)
Didn't mention a relay attack which works with modern fobs with passive unlock (where you can walk to the car and just open the door so long as you have the fob).
Two thieves park near a restaurant and observes patrons entering. When they observe a car they want one of them follows the target into the restaurant and walks near them with a transceiver. His partner walks to the car (from which they observed the targets exit from) with the paired transceiver which then relays the passive code from the fob via his partners relay transceiver and the perp opens the door and drives off.
The BMW parked over 2 spots, lol. Great stuff.
Dropping the antenna we almost heard you say ffs hahahah. Love your content Steve!
great job
thank you 👌🏻
I did too just the other day! It's amazing what spare keys can do!
0:54 Busted out laughing! So true!
I can't believe TH-cam actually sent me a notification as soon as the video went up.
the youtube algorithm sent it to you so quickly because it knew youd instantly click on it.
Great video we can use block chain technology in cars unlocking code but the thing is car is not always connected to internet to get unique code so we can insert sim for getting connected to internet
Great video. Enjoyed it
Veritasium did a similar video! His was about opening garage doors instead of cars, and also featured Samy
My old palm pilot would do something similar about 20 years ago. You could point a remote control at the IR transmitter/receiver, it would record the remote’s power code. Then you could use the palm pilot as a universal remote. Even arrange the button placement/size. Great technology
Ir is something complete different than radio. So no, it's not comparable. Completely different things.
@sokol Actually, I would say it's not that different.
In both cases, you have a unidirectional, wireless transmission of a binary code whenever a key is pressed, and in both cases, a device can be built to sniff this transmission and repeat it.
So, if a car key would send a simple, static signal whenever the "open" button is pressed, it could be sniffed once and repeated any number of times, which may be possible in rare cases, but since this is quite easy to do, the key manufacturers understand that it's very insecure, therefore better, more complex solutions have been developed.
But a simple IR remote control does not need this advanced level of security, therefore, the manufacturers still (to this day) simply send a simple, static signal every time a key is pressed, so once you recorded the signals for all keys that exist, you can simulate all the keys perfectly, any number of times. The manufacturers of the remote controls know that this is possible, but since nobody ever complained about it, they don't care at all. A simple solution (static code) is always cheaper and more robust than a complex one after all.
The highest level of security that could be built would be a bidirectional connection between the car key and the car, on other words, a handshake, like when a TLS connection is established, could be made, and then, the actual command could be sent over this encrypted channel. The key would of course only transmit anything interesting after the handshake would have been completed, so no sniffing would be possible at all. As far as I understand it, this is the way wireless keyboards work, to make sure that it's not easy for an aggressor to sniff any passwords you type on the wireless keyboard.
Something you need to be careful of: replay attacks on cars can cause at least one remote to go out of sync. You might be able to recover it by pressing a button on the second remote, but it'll require resynchronizing it yourself or taking it to someone who can if you're unable to
I LOVE that you're wearing a pebble watch! I loved my pebble, but was kinda upset when they sold off to fitbit :(. I wish there was another simple, basic feature smart watch with a 7 day battery.
It finally gave up the ghost :(. Wasn't working so well with the latest version of Android anyway. I've switched to a Casio that updates it's time daily from a radio time signal and is solar powered. So it's always the right time and never runs out of battery. Pretty cool but nothing like a pebble!
That BMW parking reference. Spot on!
I really want to see you get a load of car keys for the 07 mini and compare the signals and see how they compare. Also a way to roll jam might be have a accelerometer and have the logic that when the past code was a unlock and the next code or 2 will be lock.
Also the 09 Kia would be susceptible as it has a single lock/unlock button
That's absolutely mind blowing video😍😍😍😍
The preamble isn't nessecarily saying 'im a key', it's actually pretty standard. Since Manchester encoding guarantees transitions, this preamble is used to synchronise the receiving clock exactly to the right edges so that the important payload doesn't get corrupted. (Phase locked loop circuit)
This is great Steve! You should try to get into parliament next and fix the country. Much love
Ah yes, the "run for office" hack.
@@SteveMould Senator Mould has a nice ring to it!
@@nl_morrison Senator? Wrong country, surely! :D would just be MP (often referred to as "The Right Honourable" gentleman/colleague/representative of [constituency] in the actual parliamentary debates)
@@EcceJack Right! Well while he is at it he can fix the USA too, I'm sure it's just a bit shifting issue.
None of them have any idea what they're doing either
17:10 i wonder what would happen when the clock in your fab dies though. When you replace the battery, you would have to have a way to synchronize the clocks again. Probably using some $10,000 piece of equipment that only dealerships will be allowed to buy.
I saw a video related to it, 5 years ago and I was thinking about it right now and this video came to my suggestion 😭😭😭
Whenever you showed your key on camera I got anxious lmao
I'd say more likely each button is a different rolling key set rather than the instruction being sent using encryption. Could you do a video on a relay attack using key less entry systems?
You could have an accelerometer on the attached capture device to basically intelligently detect when the car is in park and likely to have been locked. Especially if you combine it with a clock as another data point. You can figure out when they are driving and then stopping+locking to know when to throw away the lock code.
Very cool video steve!