Let's just pretend this worked flawlessly the first time. The sponsor is Blinkist: The first 100 people to go to blinkist.com/stevemould will get unlimited access for 1 week to try it out. You'll also get 25% off if you want full membership.
I got the notification the second time, so you got that going for you. I know sometimes TH-cam punishes people for re-uploads to fix something. You got it re-uploaded pretty quick.
With all your great research on the topic, how much time is spent coming up with the cool project names vs the actual coding? Rolljam, Magspoof, PoisonTap, Glitchsink...etc. 50/50, right?
I'm not a fancy security expert like you, but I am a software developer working on a web-based fintech app, and... yes, can confirm, a large portion of any development/IT/tech is just trial and error. And lots of banging your head against a desk trying to figure out why the debug output doesn't match what you expect 😂
6:48 "I tweaked some variables, I didn't have a clue what I was doing, but I noticed that it changed things" - said almost every engineer at some point. That's how you make discoveries! I love your videos, Steve :D
Yep. The real work is going back and figuring out what part of the five different variables you tweaked in "throw everything at the wall until something sticks" mode that made the difference.
To anyone wondering and for the sake of saving history, This video was reuploaded, because on the first upload it did not have sound in the moments of talking with Samy
A big advantage of Manchester encoding is that every bit guarantees a transition. This means that your signal contains the data and the data rate clock. As you mentioned that the fob can't maintain a consistent transmit frequency, the same is true for the data clock. Manchester allows the receiver to synchronize the data rate. Also, the transmit signal likely starts with the same start byte (most commonly AA or 55) to allow that receiver to lock onto the signal (timing wise) and also adjust its gain (AGC).
This is important for magnetic strip credit cards, as an example. The card reader needs to know how quickly you're swiping the card and it uses a standard starting sequence to synchronize. It doesn't matter how fast you swipe the card (within reason) as long as you don't vary the speed and the whole strip goes through the reader.
@@theodoric4270 i always thought this was dumb since maintaining a constant velocity is not always easy. I think a better system is either to use two tracks with a clock track or a second magnetic polarization axis. But magstripe is slowly dying anyway...
@@donaldviszneki8251 it worked well enough, and that's always going to be the standard to hit. When magstripes fail it tends to be from demagnetization or it physically chipping off rather than a rate error From a security standpoint, a lot of the RFID upgrades for credit cards and badges just became "Spooky replay vulnerabilities at a distance" rather than proper challenge/response implementations
How to recognize a passionate person? If you approach him with the smallest achievement in his field, he instantly goes "That's great! How does it feel?".
Great video! Thanks. It’s worth pointing out that looking at a chip under a microscope to reverse-engineer it is pretty challenging, although not technically impossible if you use mechanical-chemical polishing. Back in 1995 (or thereabouts) when my company at the time was working with something like 2-micron fabrication technology, I was able to diagnose a power-drain by eye-droppering a liquid-crystal solution onto a chip to find the hot spot on the chip. However, even at 2 microns, the image was pretty blurry. 2 microns is about 4 times the smallest wavelength for visible light, so it’s possible, but difficult, to image the chip. Nowadays though, when the features approaching 1/100 the shortest wavelength of visible light, you pretty much have to use electron microscopes, which only show you the surface. So, to see the internal structure, you have to extremely precisely polish off layer by layer, re-imaging each layer. That’s definitely possible, yes, but very difficult.
Your sir are a smart cookie. But I'm sure you know that. Thanks for the information. For reasons I do not have the ability to explain. The fact that wavelengths have lengths and how they react to specific objects at different sizes escaped my knowledge. I can confidently say it will not escape it again, at least for another 15 years. So thanks
@@dorjanhajdari2670, thanks. Well, experienced anyway… I had a guitar teacher a few eons ago who said, “not sure I’m ‘experienced,’ but I have had a lot of experiences!”
... But the hacker with the hoodie and laptop is in the passenger seat, trying to gather WPA PMKIDs... Do I just not park? EDIT: Instructions unclear; vehicle is now in lake and hacker is very angry about his laptop getting soaked. Something about SSH keys being irreplaceable?
I just discovered your channel today and already watched two hours of your videos I mean amount of the research and effort you put in each of your video is impressive... Really appreciate what you are doing..
I have worked for two different US companies that develop software-defined radios for commercial and government customers. Your opening explanation of rolling codes was fantastic (far outstripping the initial explanation I received when working on our rolling codes project, despite being like 2 minutes long compared to an hour-long briefing at work). Thank you for your dedication to science communication and bringing these awesome aspects of science to the fore!
@@pahvalrehljkov in things like business related videos, they artificially inflate the information to fill a certain amount of time. Because the person creating the presentation isn't gonna get shit for a two minute presentation compared to one that looks like he put more effort into it. Even if it's better for everyone if it's short.
Didn't mention a relay attack which works with modern fobs with passive unlock (where you can walk to the car and just open the door so long as you have the fob). Two thieves park near a restaurant and observes patrons entering. When they observe a car they want one of them follows the target into the restaurant and walks near them with a transceiver. His partner walks to the car (from which they observed the targets exit from) with the paired transceiver which then relays the passive code from the fob via his partners relay transceiver and the perp opens the door and drives off.
@@stuartd9741 Yes, of course. Some of the cars share the same platform, so that's to be expected. But that doesn't mean that Mini is part of the BMW brand. It's a separate brand owned by the company BMW. That's what I meant.
10:19 I think it would have been good to mention here how jamming works in this case. If you are sending out a jamming signal to the car on the broad spectrum, you are not jamming the airwaves so much as you are jamming the equipment. You are causing the car to process useless signals - meaning that the car has no processing power left at that time to process the real signal. You are essentially flooding the car with bad signals, keeping its computer occupied while you listen out for the good signal.
Actually it has little to do with processing power. The signal you are jamming with is basically noise to the car, and if that noise is "louder" that the actual signal from the key, then all the car "hears" is that noise. It's like trying to have a conversation next to a jet taking off - your voice and the jet engine emit different frequencies, but since your ears listen to the whole frequency range, the jet completely overpowers, but a microphone with a frequency response tuned to the frequency of your voice could hear you.
Something you need to be careful of: replay attacks on cars can cause at least one remote to go out of sync. You might be able to recover it by pressing a button on the second remote, but it'll require resynchronizing it yourself or taking it to someone who can if you're unable to
To jam a car you don't need to think about range of frequencies, just use directional antenna on car receiver, this jamming won't affect the 2nd spy receiver.
I managed to open my microwave e by downloading app to unlock microwaves. Just run the app and boom! Now you can open microwave doors without any key :) bluetooth may be needed tho
Samy is the man. been following his work for years. related, LTC (timecode used to sync audio/video dual system or multiple cams in production) is essentially manchester encoded as well. i have had to actually manually decode it by looking at the bits before lol. silly thing to have to do but it works in a pinch. so if you are syncing your cam using timecode, you may have been using it all this time.
@@matthewkambic Burglary is specific to thievery in buildings. And either the way, the comment states nothing concerning thievery. So it would only be a hacker. But if the hacker stole the car, he'd be a car thief and he'd be commiting grand theft auto
@@marksworkshop8724No one's being a prick😂 I swg, people wanna make drama out of anything and everything. @Matthew Kambic, did you feel like I was tryna be a prick towards you?
That video was absolutely fascinating. I'd never really thought about how these keyfob systems actually work; somewhat ironically, as I'm a fairly decent electronics repair tech and have fixed plenty of car keyfobs in the past!
I know this will probably get lost on a 3 year old video but just wanted to say that this is my favorite of your videos. Hope to see more like this in the future
Social engineering: Use your SDR to be receiving. Make an app or script or whatever, so that every time a signal is received it plays an interesting sound clip. Each one is different, and after introducing it everyone will try theirs to see what noise it makes. For example, having a party at home, say "watch this" and get out my key fob, show them when I press the button, an old-fashond "auuuuuga" horn sounds from the home theater sound system in surround sound. Much more dramatic than a laptop sound. "Now try yours!"
@@simonseis744 _"That's not really social engineering, that's just tricking..."_ That's exactly what Social Engineering is: "The use of deception to manipulate individuals into divulging confidential or personal information."
@@simonseis744 They don't necessarily need to particularly be friends though, this is the sort of attack someone could pull off by investing a few weeks infiltrating say a company so they can produce their party trick at the office Christmas party. Especially easy to pull off given how many companies hire temporary staff during the Christmas period which would give a would-be gang of car thieves a chance to infiltrate the employee social group.
Alright, I never ever bother to leave a comment but THIS video was so fun, informative, engaging and most of all so damn easy to follow for a beginner like me, hats down! I'm just starting my journey of learning how to program and code, researching fields that I'd like to focus on in the future, you've inspired me to pursue cybersecurity engineering! Big thanks!
Very interesting, I love the way you had to think about it as an incremental approach, not knowing what you were doing and figuring it out as you go. A few questions to think about : - When you're jamming the key with your emission, couldn't you just substract what you're currently emitting from what you're receiving, instead of broadcasting on a different frequency ? Kind of the same way active noise cancellation work, if you know exactly what you're emitting then the difference with what you're receiving is what comes from the key right ? - What happens if you press they key while the car is not in range ? Doesn't that mean that the key will skip to the next code, while the car, completely unaware of the fact that you pressed the key, stay on its current code ? Or is the car looking for the code in N possible "future" codes ? If so, what if you press the key N times while away from your car, will the key and the car be "un-synchronized" forever basically ? - Some cars can have several keys am I right ? Back in the day when you had several keys only one of them was remote (which is understandable), but now I think that you can have several remote keys for your car. Is this a more complex algorithm ? Or does the car simply have several registers, one for each key ?
From Wikipedia: "A typical implementation compares within the next 256 codes in case receiver missed some transmitted keypresses." So I guess that probably means that if you click your key more than 256 times while out of range would that essentially brick your key and door i.e. receiver.
Watching this is like actually doing a project that involves manipulating remote-control keys or key fobs. You have to get deeper and deeper into the specifics of the device you are trying to emulate. It can be sometimes thrilling and sometimes tedious.
Hehehe! I love the hacker face in the dark. :D The green lighting for the call was pretty cool too. Interesting how far back you have to go for all this. Keys were already code-hopping before the end of the 90s, I think, and your Mini had rolljam projection in 07. I put an aftermarket remote on my Peugot 309 around 03, but I didn't care if it was a good one because it was an 80s 5-door hatch & not even the latest model. Bit of a street sleeper, that one; remarkably fun to drive.
The preamble isn't nessecarily saying 'im a key', it's actually pretty standard. Since Manchester encoding guarantees transitions, this preamble is used to synchronise the receiving clock exactly to the right edges so that the important payload doesn't get corrupted. (Phase locked loop circuit)
Lol! I didn't realize it was *that* Samy! I still have that on my Facebook profile as an homage to that infamous Myspace hack. For those who don't know, check out the Wikipedia page on Samy Kamkar or "Samy (computer worm)".
My old palm pilot would do something similar about 20 years ago. You could point a remote control at the IR transmitter/receiver, it would record the remote’s power code. Then you could use the palm pilot as a universal remote. Even arrange the button placement/size. Great technology
@sokol Actually, I would say it's not that different. In both cases, you have a unidirectional, wireless transmission of a binary code whenever a key is pressed, and in both cases, a device can be built to sniff this transmission and repeat it. So, if a car key would send a simple, static signal whenever the "open" button is pressed, it could be sniffed once and repeated any number of times, which may be possible in rare cases, but since this is quite easy to do, the key manufacturers understand that it's very insecure, therefore better, more complex solutions have been developed. But a simple IR remote control does not need this advanced level of security, therefore, the manufacturers still (to this day) simply send a simple, static signal every time a key is pressed, so once you recorded the signals for all keys that exist, you can simulate all the keys perfectly, any number of times. The manufacturers of the remote controls know that this is possible, but since nobody ever complained about it, they don't care at all. A simple solution (static code) is always cheaper and more robust than a complex one after all. The highest level of security that could be built would be a bidirectional connection between the car key and the car, on other words, a handshake, like when a TLS connection is established, could be made, and then, the actual command could be sent over this encrypted channel. The key would of course only transmit anything interesting after the handshake would have been completed, so no sniffing would be possible at all. As far as I understand it, this is the way wireless keyboards work, to make sure that it's not easy for an aggressor to sniff any passwords you type on the wireless keyboard.
When I was young and you locked your keys in the car, which I can't do in my modern car, all you needed was a wire coat hanger. A policeman taught me how to do it and it was frighteningly easy. The advancements in car security have been phenomenal. This is the first video I’ve seen of yours, I really enjoyed it as it was interesting and humorous.
It's still very easy, now you GENTLY pry the door open, then you insert an air bag (to inflate and widen the gap more safely), then you use a wire to press the unlock button. But there is a very real risk of paint damage, so it's not recommended on a really high end car. If you have a Ferrari, you should just be careful to not lock your shit in the car. 😂
Even today if you are able to access the inner skin of the Door where the mechanical cable is housed (provided it is still mechanical. Some newer cars such as Range Rovers have fly by wire door handles) you can simply get a wire coat hanger and tug on the cable inside.
@@nl_morrison Senator? Wrong country, surely! :D would just be MP (often referred to as "The Right Honourable" gentleman/colleague/representative of [constituency] in the actual parliamentary debates)
Awesome demonstration of working and security features of car keys and great way to point out the loopholes in simple terms. Great work. First time watching this channel. Loved ur work. 👍
I think the biggest issue is with passive entry. Using repeaters to make a car parked in the driveway think the key is next to it instead of in the house.
It's ok to be completely lost, i think this is the real hacker's journey! Not knowing anything at first and slowly building up knowledge! Keep up the good work!! :)
Military radio systems use a similar technique to prevent jamming, called frequency hopping. It's like what Samy was saying; you have the two radios with synchronized clocks, and an encryption key determines the pattern of frequencies. The radios "hop" pseudo-randomly but remain synchronous, preventing jamming or interception.
Didn't expect to see Steve dipping into the world of cybersec. Good stuff, would love to see more of this kind of thing. Your inquisitive and science-minded worldview is a really great way to look at understanding the cat and mouse game we play. I'd love to see you dig into the physics of other elements of physical or cyber security.
@@f7p1764 if I understand you correctly the car saves its last state. (e.g. unlocked) and the key only sends one code from one code list (same list for lock&unlock) and thus reverses its state from (unlocked -> locked and vice versa). However. If the key has two buttons and you press the lock button twice, this would be very stupid wouldn't it? because then the lock button would also unlock the car if its already in a locked state. my guess is that two code lists are being used or some sort of encryption is in place that actually hides the state that the key sends.
You could have an accelerometer on the attached capture device to basically intelligently detect when the car is in park and likely to have been locked. Especially if you combine it with a clock as another data point. You can figure out when they are driving and then stopping+locking to know when to throw away the lock code.
After you did this first replay attack with your car outside the room, how does your car know to use the next code? Is it checking if the code is a solution to the algorithm you discussed earlier or is there something else going on? Great video, love the poorly parked BMW. I have a very similar history with BMW drivers!
My uninformed assumption is that the car has a sequential database of every valid code. Whenever it receives a new code it checks the database such that it is higher in the sequence than anything previously received. That way if you press your key fob repeatedly while away from your car, the next time your car unlocks any codes prior are now invalid. If you tried a replay attack it would see it is a code from earlier in the database. That is why it blocks two key presses then replays the first and records the second. It doesn't matter that the second code follows the first. You could block 10 key presses and replay the first, any of the next 9 will be valid.
The simplest attack, is to have a device jam the car's reciever, while sounding an identical horn on the attack device, so when the car owner walks away, the car is still unlocked, and ready for your nefarious plans.
Regarding other ways to secure keyfobs, you can have the key merely be an unencrypted request for the car to initiate a challenge-reponse. The car sends the key a challenge, the key encrypts/hashes/signs this challenge with the secret key, and the car checks the response. With an only slightly higher level of sophistication, you can measure the timing of the response and compare it against time-of-flight of radio signals. If it's too far (e.g. further than 50m, or about one cycle on a 5 MHz processor), reject the response as invalid. That way you also protect against a signal extension attack.
@@spongeboimebobbbsome high end gaming wireless mouse almost similar latency if not better compared to wired. Watch Linux tech tips comparing the mouses So its definitely possible. But data rate lower for mouse compared to headphones. So don't know if it'll reach the latency of wired
Could the key be using two sets of rolling codes. 1 for unlock, a second for lock. That could explain why the two codes were always completely different
If the code generation is different for lock and unlock, there will be a vulnerability: If the code generator is the same, but includes some variables for lock or unlock, if someone records the next unlock code (with the method in the video), when the user locks the car, the code will be cancelled. But if the code generators are different, if I record the next unlock code, when the user locks the car, the cancelled code will be in the lock list. The unlock list will be unaltered, so the hacker can still use the code. Lock and unlock codes are different because when the key has de new code, applies some calculations to it, that the car knows, so the car can decrypt the code in each case.
Let's just pretend this worked flawlessly the first time.
The sponsor is Blinkist: The first 100 people to go to blinkist.com/stevemould will get unlimited access for 1 week to try it out. You'll also get 25% off if you want full membership.
What are you talking about of course it worked the first time :)
Lmao
Someone hacked your video, too
No worries.
I got the notification the second time, so you got that going for you. I know sometimes TH-cam punishes people for re-uploads to fix something. You got it re-uploaded pretty quick.
1:00 Nice detail on the Bmw parking hahah
̣
I died 🤣
Mini is owned by BMW.
you beat me to it by like 20 seconds... the timestamp is nice though
+
I also have no idea what I'm doing most of the time.
With all your great research on the topic, how much time is spent coming up with the cool project names vs the actual coding? Rolljam, Magspoof, PoisonTap, Glitchsink...etc. 50/50, right?
samy is my hero
samy is my hero
I’m now imagining a Mr Magoo like scenario where someone just stumbles upon vulnerabilities
I'm not a fancy security expert like you, but I am a software developer working on a web-based fintech app, and... yes, can confirm, a large portion of any development/IT/tech is just trial and error. And lots of banging your head against a desk trying to figure out why the debug output doesn't match what you expect 😂
I love how you can tell he genuinely enjoys doing this. The smile, the laugh, the energy. Keep up the work!!
6:48
"I tweaked some variables, I didn't have a clue what I was doing, but I noticed that it changed things"
- said almost every engineer at some point. That's how you make discoveries! I love your videos, Steve :D
He pretty much summed up my job there... And according to my resume I know what I am doing :P
That's just called debugging
It's like I'm back in my matlab class... **stares of into space due to painful memories**... good times lol
Yep. The real work is going back and figuring out what part of the five different variables you tweaked in "throw everything at the wall until something sticks" mode that made the difference.
"Huh, my code work, and I have no idea why." said the greatest engineer I know.
To anyone wondering and for the sake of saving history,
This video was reuploaded, because on the first upload it did not have sound in the moments of talking with Samy
Thank you, I was wondering
yeh
Same, thanks
Thank you love you
A big advantage of Manchester encoding is that every bit guarantees a transition. This means that your signal contains the data and the data rate clock. As you mentioned that the fob can't maintain a consistent transmit frequency, the same is true for the data clock. Manchester allows the receiver to synchronize the data rate. Also, the transmit signal likely starts with the same start byte (most commonly AA or 55) to allow that receiver to lock onto the signal (timing wise) and also adjust its gain (AGC).
This is important for magnetic strip credit cards, as an example. The card reader needs to know how quickly you're swiping the card and it uses a standard starting sequence to synchronize. It doesn't matter how fast you swipe the card (within reason) as long as you don't vary the speed and the whole strip goes through the reader.
@@theodoric4270 i always thought this was dumb since maintaining a constant velocity is not always easy. I think a better system is either to use two tracks with a clock track or a second magnetic polarization axis. But magstripe is slowly dying anyway...
@@donaldviszneki8251 it worked well enough, and that's always going to be the standard to hit. When magstripes fail it tends to be from demagnetization or it physically chipping off rather than a rate error
From a security standpoint, a lot of the RFID upgrades for credit cards and badges just became "Spooky replay vulnerabilities at a distance" rather than proper challenge/response implementations
I like how the poorly parked car was a BMW, that made me laugh.
It's funny cos it's true
Its ironic because Mini is BMW.
Typical
Seeing this comment first then finding the BMW made me laugh.
I laughed as well then I remembered I drive a bmw and also can’t park.
How to recognize a passionate person? If you approach him with the smallest achievement in his field, he instantly goes "That's great! How does it feel?".
Samy is my hero.
Sounds like the whole Kerbal Space Program community
@@carchocolate93 ya
Really ought to be a word for this wonderful opposite of gatekeeping.
@@carchocolate93 yup
Great video! Thanks.
It’s worth pointing out that looking at a chip under a microscope to reverse-engineer it is pretty challenging, although not technically impossible if you use mechanical-chemical polishing.
Back in 1995 (or thereabouts) when my company at the time was working with something like 2-micron fabrication technology, I was able to diagnose a power-drain by eye-droppering a liquid-crystal solution onto a chip to find the hot spot on the chip. However, even at 2 microns, the image was pretty blurry. 2 microns is about 4 times the smallest wavelength for visible light, so it’s possible, but difficult, to image the chip.
Nowadays though, when the features approaching 1/100 the shortest wavelength of visible light, you pretty much have to use electron microscopes, which only show you the surface. So, to see the internal structure, you have to extremely precisely polish off layer by layer, re-imaging each layer. That’s definitely possible, yes, but very difficult.
I understand some of these words.
Your sir are a smart cookie. But I'm sure you know that. Thanks for the information. For reasons I do not have the ability to explain. The fact that wavelengths have lengths and how they react to specific objects at different sizes escaped my knowledge. I can confidently say it will not escape it again, at least for another 15 years. So thanks
@@dorjanhajdari2670, thanks. Well, experienced anyway…
I had a guitar teacher a few eons ago who said, “not sure I’m ‘experienced,’ but I have had a lot of experiences!”
@@mr88cet Clever teacher! I love how he defines what he seems to contradict only to prove it true through his definition.
X-ray it. Stitch the images. Make a circuit diagram and analyze. Voila. I did this as a project in an EE grad class.
that "hacker sitting in the dark in a hoodie" cliche was so well done. love it.
Doesn't it have proven psychological causality?
Me too 👍
Remember: never park your car next to someone in a hoodie and with a laptop
Just run him over instead
Even if he reserves the spot for you on a busy day?
Specially not someone who looks like the villain in a horror movie like at 1:22 :)
... But the hacker with the hoodie and laptop is in the passenger seat, trying to gather WPA PMKIDs... Do I just not park?
EDIT: Instructions unclear; vehicle is now in lake and hacker is very angry about his laptop getting soaked. Something about SSH keys being irreplaceable?
Remember: don't judge a book by it's cover.
I just discovered your channel today and already watched two hours of your videos I mean amount of the research and effort you put in each of your video is impressive... Really appreciate what you are doing..
I have worked for two different US companies that develop software-defined radios for commercial and government customers. Your opening explanation of rolling codes was fantastic (far outstripping the initial explanation I received when working on our rolling codes project, despite being like 2 minutes long compared to an hour-long briefing at work). Thank you for your dedication to science communication and bringing these awesome aspects of science to the fore!
Therea missed part in rolling key explanation. Someone cover that plz lol
dalai lama once said:
if you need an hour to explain something, you know jack sh**...
@@pahvalrehljkov in things like business related videos, they artificially inflate the information to fill a certain amount of time. Because the person creating the presentation isn't gonna get shit for a two minute presentation compared to one that looks like he put more effort into it. Even if it's better for everyone if it's short.
"I'm in my car! Amazing."
@@BodywiseMustard awhhh
lmao
I'm in my mum's car. Brum brum
😂.
me 2
Didn't mention a relay attack which works with modern fobs with passive unlock (where you can walk to the car and just open the door so long as you have the fob).
Two thieves park near a restaurant and observes patrons entering. When they observe a car they want one of them follows the target into the restaurant and walks near them with a transceiver. His partner walks to the car (from which they observed the targets exit from) with the paired transceiver which then relays the passive code from the fob via his partners relay transceiver and the perp opens the door and drives off.
1:00 BMW is the Apple of cars,
Their motto is “park different”
You know Mini is actually a BMW automobile?
Ahh thanks. I thought he made a jab at BMW drivers for parking recklessly which doesn't ring completely untrue in my experience
@@joepbeusenberg Well, yes and no. Yes, as in the company BMW, but no as in the BMW brand. Mini is not part of the BMW brand.
@@DirtyPoul but you will find many components of a mini have bmw on them? Infact the same parts that fit on some of the BMW range.
@@stuartd9741 Yes, of course. Some of the cars share the same platform, so that's to be expected. But that doesn't mean that Mini is part of the BMW brand. It's a separate brand owned by the company BMW. That's what I meant.
"What this demonstrates really well is that I have no idea what I'm doing." XD
Thats me every day in online school lol
He nailed that so well on the comedic spectrum.
Hilarious!
*fairly
Me during chemistry class be like
10:19 I think it would have been good to mention here how jamming works in this case. If you are sending out a jamming signal to the car on the broad spectrum, you are not jamming the airwaves so much as you are jamming the equipment. You are causing the car to process useless signals - meaning that the car has no processing power left at that time to process the real signal. You are essentially flooding the car with bad signals, keeping its computer occupied while you listen out for the good signal.
Sounds similar to a DDOS attack?
Actually it has little to do with processing power. The signal you are jamming with is basically noise to the car, and if that noise is "louder" that the actual signal from the key, then all the car "hears" is that noise. It's like trying to have a conversation next to a jet taking off - your voice and the jet engine emit different frequencies, but since your ears listen to the whole frequency range, the jet completely overpowers, but a microphone with a frequency response tuned to the frequency of your voice could hear you.
:D That double spot taking BMW made me laugh!
I clearly saw that it was a bmw and parked like that, but the joke didn't register in my head for some reason lmao
Ironically, Mini is owned by BMW and is usually driven by women.
@@SangheiliSpecOp it is like when you see something so many times your brain ignores it because it is the norm
@@Leo-zt7fo do you have any sources on those car ownership demographics?
@@SentientTent the picture on 1:00 has a tiny BMW logo on the badly parked car.
I love that this covered your whole thought process from the ground up, rather than just stating information. Top notch stuff!
Something you need to be careful of: replay attacks on cars can cause at least one remote to go out of sync. You might be able to recover it by pressing a button on the second remote, but it'll require resynchronizing it yourself or taking it to someone who can if you're unable to
Thank you, stole my first car today :)
oh no.
Oh yyyyyyy
Nice dude! Hope you get more cars soon!
Lol
Just unlocking a car is not enough.
THANK YOU for showing all the attempts that didn't work. It's sooo important to show that success requires work.
Who cares?
@@yackfou2412 most people who are curious
To jam a car you don't need to think about range of frequencies, just use directional antenna on car receiver, this jamming won't affect the 2nd spy receiver.
1:00 Love the very realistic view of the parking lot🤣🤣
savage
Steve be like "click out of mouse, W is binding.."
I understand that reference, and am glad to see another man/woman of culture
Nose picking lawyer
Car-Jacking lawyer...
blood curdling lawyer
I love that you blurred out your key bitting in the opening scene.
Even funnier that he didn't blur it in all the other shots
cut to hacker in dark basement, reversing blurring algorithms.
"Authorities report nationwide wave of smashed car windows. Suspects say 'Steve told me it was easier'".
Or just collect the keys from the fishbowl party
Instructions unclear: I have opened my microwave with a skoda car key.
I managed to open my microwave e by downloading app to unlock microwaves.
Just run the app and boom! Now you can open microwave doors without any key :) bluetooth may be needed tho
I'd rather drive a microwave than a Skoda.
@@N.I.R.A.T.I.A.S. i will microwave a drive than a skoda
I unlocked my car with microwave. No need to use keys!
😂 happy frozen fooding!!
OMFG THS IS AN EPIC COMMENT THREAD!!
Samy is the man. been following his work for years. related, LTC (timecode used to sync audio/video dual system or multiple cams in production) is essentially manchester encoded as well. i have had to actually manually decode it by looking at the bits before lol. silly thing to have to do but it works in a pinch. so if you are syncing your cam using timecode, you may have been using it all this time.
Steve Mould : i hacked into my own car
Robber : i hacked into Steve Moulds car
Mark Rober: I hacked into Elon Musk's car (to save the world)
It would be a burglar as a robbery would only take place if you were in the car 😁
@@matthewkambic Burglary is specific to thievery in buildings. And either the way, the comment states nothing concerning thievery. So it would only be a hacker. But if the hacker stole the car, he'd be a car thief and he'd be commiting grand theft auto
Dude, way to be a prick.
@@marksworkshop8724No one's being a prick😂 I swg, people wanna make drama out of anything and everything. @Matthew Kambic, did you feel like I was tryna be a prick towards you?
That video was absolutely fascinating. I'd never really thought about how these keyfob systems actually work; somewhat ironically, as I'm a fairly decent electronics repair tech and have fixed plenty of car keyfobs in the past!
I know this will probably get lost on a 3 year old video but just wanted to say that this is my favorite of your videos. Hope to see more like this in the future
That is most accurate depiction of a car park I've ever seen @1:00
Steve does realize that Mini is made by BMW right? 😂
Doesn't matter though, does it?
Social engineering:
Use your SDR to be receiving. Make an app or script or whatever, so that every time a signal is received it plays an interesting sound clip. Each one is different, and after introducing it everyone will try theirs to see what noise it makes.
For example, having a party at home, say "watch this" and get out my key fob, show them when I press the button, an old-fashond "auuuuuga" horn sounds from the home theater sound system in surround sound. Much more dramatic than a laptop sound.
"Now try yours!"
Well shit. That's a very good idea that'd definitely get a lot of people to fall into the trap
I don't know about you but if I'm inviting people to my house for a party I'm not trying to steal from them haha. What kind of friends do you keep?
That's not really social engineering, that's just tricking your friends, also why you stealing from your friends?
@@simonseis744
_"That's not really social engineering, that's just tricking..."_
That's exactly what Social Engineering is:
"The use of deception to manipulate individuals into divulging confidential or personal information."
@@simonseis744 They don't necessarily need to particularly be friends though, this is the sort of attack someone could pull off by investing a few weeks infiltrating say a company so they can produce their party trick at the office Christmas party. Especially easy to pull off given how many companies hire temporary staff during the Christmas period which would give a would-be gang of car thieves a chance to infiltrate the employee social group.
i like how you tried to hide the key in the close-up but completly ignored it in the next clip where it's clear enough to be visible
Can we just appreciate that this man is still rocking is Pebble in 2020. I finally dont feel alone
there are dozens of us! Dozens!
Me too! Woop!
I love how passionate you are explaining the process and what you discovered. Nice video!
One subtle thing I noticed - the BMW taking up two spaces and parked squiffy, nice touch, I'm not a BMW fan either!
This was super interesting once again, Steve. I really value the _variety_ on your channel.
I'm like you, I find EVERYTHING (potentially) interesting.
Wait. I've seen this before..
Haha me too, missed somes sounds
But this is the first time I'm uploading it. Don't know what you're taking about!
@@SteveMould Second time worked a charm. First time I couldn't hear any of your chat or leave a comment? Posted before I saw this.
@Thu Nell Ⓥ I was trying to be funny. Failed at that too!
@Thu Nell Ⓥ he was joking. Check his community tab for more information :)
Alright, I never ever bother to leave a comment but THIS video was so fun, informative, engaging and most of all so damn easy to follow for a beginner like me, hats down! I'm just starting my journey of learning how to program and code, researching fields that I'd like to focus on in the future, you've inspired me to pursue cybersecurity engineering! Big thanks!
Very interesting, I love the way you had to think about it as an incremental approach, not knowing what you were doing and figuring it out as you go. A few questions to think about :
- When you're jamming the key with your emission, couldn't you just substract what you're currently emitting from what you're receiving, instead of broadcasting on a different frequency ? Kind of the same way active noise cancellation work, if you know exactly what you're emitting then the difference with what you're receiving is what comes from the key right ?
- What happens if you press they key while the car is not in range ? Doesn't that mean that the key will skip to the next code, while the car, completely unaware of the fact that you pressed the key, stay on its current code ? Or is the car looking for the code in N possible "future" codes ? If so, what if you press the key N times while away from your car, will the key and the car be "un-synchronized" forever basically ?
- Some cars can have several keys am I right ? Back in the day when you had several keys only one of them was remote (which is understandable), but now I think that you can have several remote keys for your car. Is this a more complex algorithm ? Or does the car simply have several registers, one for each key ?
From Wikipedia: "A typical implementation compares within the next 256 codes in case receiver missed some transmitted keypresses."
So I guess that probably means that if you click your key more than 256 times while out of range would that essentially brick your key and door i.e. receiver.
Watching this is like actually doing a project that involves manipulating remote-control keys or key fobs. You have to get deeper and deeper into the specifics of the device you are trying to emulate. It can be sometimes thrilling and sometimes tedious.
1:18 I liked for this scene alone. YOU LOOK SO SINISTER. That's textbook villain material right there.
1:00 I love how you made the BMW occupy 2 spaces XD
That face after he goes “I wasn’t expecting it to work first time”😂 I felt that😂
The title of this video was NOT CLICKBAIT: it really is EPIC!
I can't believe TH-cam actually sent me a notification as soon as the video went up.
the youtube algorithm sent it to you so quickly because it knew youd instantly click on it.
level of expertise: "actually that's manchester encoding"
Love your content bruh!
well hey, now we know too!
@@ms-fk6eb you're right!
Hehehe! I love the hacker face in the dark. :D The green lighting for the call was pretty cool too.
Interesting how far back you have to go for all this. Keys were already code-hopping before the end of the 90s, I think, and your Mini had rolljam projection in 07. I put an aftermarket remote on my Peugot 309 around 03, but I didn't care if it was a good one because it was an 80s 5-door hatch & not even the latest model. Bit of a street sleeper, that one; remarkably fun to drive.
The preamble isn't nessecarily saying 'im a key', it's actually pretty standard. Since Manchester encoding guarantees transitions, this preamble is used to synchronise the receiving clock exactly to the right edges so that the important payload doesn't get corrupted. (Phase locked loop circuit)
"but most of all, Samy is my hero"
Lol! I didn't realize it was *that* Samy! I still have that on my Facebook profile as an homage to that infamous Myspace hack.
For those who don't know, check out the Wikipedia page on Samy Kamkar or "Samy (computer worm)".
Samy is my hero
The bad parking of the BMW detail at 1:00 hahahaha
My old palm pilot would do something similar about 20 years ago. You could point a remote control at the IR transmitter/receiver, it would record the remote’s power code. Then you could use the palm pilot as a universal remote. Even arrange the button placement/size. Great technology
Ir is something complete different than radio. So no, it's not comparable. Completely different things.
@sokol Actually, I would say it's not that different.
In both cases, you have a unidirectional, wireless transmission of a binary code whenever a key is pressed, and in both cases, a device can be built to sniff this transmission and repeat it.
So, if a car key would send a simple, static signal whenever the "open" button is pressed, it could be sniffed once and repeated any number of times, which may be possible in rare cases, but since this is quite easy to do, the key manufacturers understand that it's very insecure, therefore better, more complex solutions have been developed.
But a simple IR remote control does not need this advanced level of security, therefore, the manufacturers still (to this day) simply send a simple, static signal every time a key is pressed, so once you recorded the signals for all keys that exist, you can simulate all the keys perfectly, any number of times. The manufacturers of the remote controls know that this is possible, but since nobody ever complained about it, they don't care at all. A simple solution (static code) is always cheaper and more robust than a complex one after all.
The highest level of security that could be built would be a bidirectional connection between the car key and the car, on other words, a handshake, like when a TLS connection is established, could be made, and then, the actual command could be sent over this encrypted channel. The key would of course only transmit anything interesting after the handshake would have been completed, so no sniffing would be possible at all. As far as I understand it, this is the way wireless keyboards work, to make sure that it's not easy for an aggressor to sniff any passwords you type on the wireless keyboard.
5:57 That’s soooo Mr. Bean moment!!!! 😂😆🤣
it made my day actually xD
You’re right
You could exchange with the car to get the current RTC time, and reduce cost.
It would also prevent changing the time on the keyfob into the future.
Veritasium did a similar video! His was about opening garage doors instead of cars, and also featured Samy
Halfway through I'm waiting for one of the other cars in the background to go *chirp chirp*.
a syncronised clock was actually one of the first solitions I thought of! was very satisfying when it was also presented in the video.
When I was young and you locked your keys in the car, which I can't do in my modern car, all you needed was a wire coat hanger. A policeman taught me how to do it and it was frighteningly easy. The advancements in car security have been phenomenal.
This is the first video I’ve seen of yours, I really enjoyed it as it was interesting and humorous.
It's still very easy, now you GENTLY pry the door open, then you insert an air bag (to inflate and widen the gap more safely), then you use a wire to press the unlock button. But there is a very real risk of paint damage, so it's not recommended on a really high end car. If you have a Ferrari, you should just be careful to not lock your shit in the car. 😂
Even today if you are able to access the inner skin of the Door where the mechanical cable is housed (provided it is still mechanical. Some newer cars such as Range Rovers have fly by wire door handles) you can simply get a wire coat hanger and tug on the cable inside.
The BMW parked over 2 spots, lol. Great stuff.
0:54 absolutely lost it at that graphic! Well played!
This is great Steve! You should try to get into parliament next and fix the country. Much love
Ah yes, the "run for office" hack.
@@SteveMould Senator Mould has a nice ring to it!
@@nl_morrison Senator? Wrong country, surely! :D would just be MP (often referred to as "The Right Honourable" gentleman/colleague/representative of [constituency] in the actual parliamentary debates)
@@EcceJack Right! Well while he is at it he can fix the USA too, I'm sure it's just a bit shifting issue.
None of them have any idea what they're doing either
Awesome demonstration of working and security features of car keys and great way to point out the loopholes in simple terms.
Great work.
First time watching this channel. Loved ur work.
👍
Can we just be thankful this dude blurred his key?
I think the biggest issue is with passive entry. Using repeaters to make a car parked in the driveway think the key is next to it instead of in the house.
That BMW parking reference. Spot on!
It's ok to be completely lost, i think this is the real hacker's journey!
Not knowing anything at first and slowly building up knowledge!
Keep up the good work!! :)
"I ain't never seen three zeros in a row. It’s always one of them gotta be a one." ~Manchester encoding
0:59 That a-hole BMW is a nice touch lol
That's BMW in its natural habitat
Military radio systems use a similar technique to prevent jamming, called frequency hopping. It's like what Samy was saying; you have the two radios with synchronized clocks, and an encryption key determines the pattern of frequencies. The radios "hop" pseudo-randomly but remain synchronous, preventing jamming or interception.
Whenever you showed your key on camera I got anxious lmao
8:20 Imagine going to a key party and Steve being there clicking away with his laptop :D
Steve out here telling swingers how to steal cars
Didn't expect to see Steve dipping into the world of cybersec. Good stuff, would love to see more of this kind of thing. Your inquisitive and science-minded worldview is a really great way to look at understanding the cat and mouse game we play. I'd love to see you dig into the physics of other elements of physical or cyber security.
I'm never going to a swingers' party again!
Do you leave your keys in a bowl in swinger parties?
What kind of parties do you leave your keys in a bowl at?
@@ronwesilen4536 yes. That's how you decide who swaps with whom, you pick a key from the bowl, and hope it's not your spouse's.
I hear.
Uber. You're welcome.
@@davidgustavsson4000 honestly interested in this. I hope it is true. Also hope woman are the ones grabbing the keys so they can fill their keyhole
I wonder if the Mini uses two separate code lists, one for locking and one for unlocking. If yes, then it would be vulnerable to a rollblock attack.
Mini stores last state if it's locked or not, key sends allways one state there is no lock unlock command in key, simple and secure :)
@@f7p1764 if I understand you correctly the car saves its last state. (e.g. unlocked) and the key only sends one code from one code list (same list for lock&unlock) and thus reverses its state from (unlocked -> locked and vice versa). However. If the key has two buttons and you press the lock button twice, this would be very stupid wouldn't it? because then the lock button would also unlock the car if its already in a locked state.
my guess is that two code lists are being used or some sort of encryption is in place that actually hides the state that the key sends.
You could have an accelerometer on the attached capture device to basically intelligently detect when the car is in park and likely to have been locked. Especially if you combine it with a clock as another data point. You can figure out when they are driving and then stopping+locking to know when to throw away the lock code.
The BMW taking up 2 spaces absolutely ended me hahaha
0:49 Serious warning. It's unimaginably simple to decode a keys' physical bitting from picture. The entire internet can now unlock your car.
Yep, might not have the digital code but showing your key to the camera is basically the same as letting them take a copy of it to reproduce.
he even hid the key in the first time he showed it
I mean isn't he already showing the whole internet how to unlock his car? Lol
Whoopsie
Lockpicking lawer comes in
When i saw that car park situation i had to pause for a few minutes for the giggles to go away. 😆
Thank you very much, i needed that.
"The car door is locked, there's no way to get in." It is a convertible, so very easy to get in, no expensive tech needed, just a knife.
He's in UK. He would need a license for the knife
@@muhammadaryawicaksono4232 true that. You cant just carry knife or scissors like that in the street
Thats some stupid thinking
you dont even need a knife...
break into the window.
@@chalee3484 yep
That BMW parked like a jerk is hilarious!:)
After you did this first replay attack with your car outside the room, how does your car know to use the next code? Is it checking if the code is a solution to the algorithm you discussed earlier or is there something else going on? Great video, love the poorly parked BMW. I have a very similar history with BMW drivers!
My uninformed assumption is that the car has a sequential database of every valid code. Whenever it receives a new code it checks the database such that it is higher in the sequence than anything previously received.
That way if you press your key fob repeatedly while away from your car, the next time your car unlocks any codes prior are now invalid. If you tried a replay attack it would see it is a code from earlier in the database.
That is why it blocks two key presses then replays the first and records the second. It doesn't matter that the second code follows the first. You could block 10 key presses and replay the first, any of the next 9 will be valid.
11:48 "Instuctions" are how you get out of a situation where you're stuck.
0:54 Busted out laughing! So true!
The simplest attack, is to have a device jam the car's reciever, while sounding an identical horn on the attack device, so when the car owner walks away, the car is still unlocked, and ready for your nefarious plans.
7:00 I feel you! But that's what hackers do. Play around until they understand it.
11:43 INSTUCTIONS :)
Regarding other ways to secure keyfobs, you can have the key merely be an unencrypted request for the car to initiate a challenge-reponse. The car sends the key a challenge, the key encrypts/hashes/signs this challenge with the secret key, and the car checks the response. With an only slightly higher level of sophistication, you can measure the timing of the response and compare it against time-of-flight of radio signals. If it's too far (e.g. further than 50m, or about one cycle on a 5 MHz processor), reject the response as invalid.
That way you also protect against a signal extension attack.
1:21 i am steve mould and i am evil
11:57 Security expert using wired earphones.... makes sense
Wired headsets also have better latency haha 🍄
@@davidbergmann8948 true dat man, still waiting for bt tech to improve lmao
@@davidbergmann8948 ya wired r better ,but it depends on the use case.
@@spongeboimebobbbsome high end gaming wireless mouse almost similar latency if not better compared to wired. Watch Linux tech tips comparing the mouses So its definitely possible. But data rate lower for mouse compared to headphones. So don't know if it'll reach the latency of wired
I would've never thought to blur my key but it makes sense lol theoretically someone could recreate the key by seeing it on camera
Steve: *Locks keys in car*
Also steve: Hold up, let me get my laptop.
0:58 I love the BMW joke.
Like how he centers of bitting since I have heard of people making keys from images and even form memory
Could the key be using two sets of rolling codes. 1 for unlock, a second for lock. That could explain why the two codes were always completely different
If the code generation is different for lock and unlock, there will be a vulnerability:
If the code generator is the same, but includes some variables for lock or unlock, if someone records the next unlock code (with the method in the video), when the user locks the car, the code will be cancelled.
But if the code generators are different, if I record the next unlock code, when the user locks the car, the cancelled code will be in the lock list. The unlock list will be unaltered, so the hacker can still use the code.
Lock and unlock codes are different because when the key has de new code, applies some calculations to it, that the car knows, so the car can decrypt the code in each case.
Tom Holland sees a guy stealing a car... "It's my own car Tom..."
Contact @mj1mj123 on Instagram for fun
The fact that you blurred out your key was pretty brilliant