
Okay. Hello everyone. This is my first time talking with a mic, so I might be a little bit weird, and I am going to do a little bit of a demo today. So apologies if I potentially drop the mic, but if that happens, bear with me. Okay, so welcome everyone to my talk, Hacking the Airwaves: Beyond Relay Attacks. This talk is meant to be sort of a sequel to my Joburg talk earlier in the year, but also not really. So I'm going to try and fill in the blanks for any type of concept that I covered last time. However, of course it is a little bit more focused on the newer topics.

So who am I? My name is Robin Ruit, or Rude as they say in English. I'm a cyber security consultant at MWR CyberSec, where my primary focus is actually application security, but of course I'm dabbling in a lot of things now, especially radio frequency hacking, and I started with it as just a hobby, but that's sort of where it actually starts out. So I was a university student at Tuks, in computer engineering, where I basically dived into a lot of fundamentals of signal processing, and my final year project was a synthetic aperture radar. Sort of an output you can see there on the right hand side; it's basically just a big sonar, and this allowed me to dive deep into the fundamentals of signal processing. So my journey started in that final year varsity project, and then I went to a security company, and I basically thought to myself, well, in the security company they taught us how to think like an attacker, like a criminal basically, right? What would you be able to do if you started looking at signals and the wider world and attack surface surrounding that? So my first question was diving into the concept of the security aspects of signal processing and all the devices that use it. I immediately started to look at my mom's Mazda, and that's essentially because I didn't have a car at the time, so I didn't really have another choice. So of course I started hacking it immediately without permission. I should have thought about that, especially since I only learned after the fact that you could break quite a lot of things, and I didn't know that at the time. Luckily I did play around, I want to say, safely, and the only type of things I was looking at were mainly the key fob and the technology thereof.

So previously, and this is a summary from my talk in Joburg, we discussed a bunch of the tooling aspects behind signal processing. What type of tooling would you want to use when you look at signals? And then the main focus was on automotive cyber attacks, and the main attacks we discussed in depth there were how to attack rolling codes, what's the rollback attack, and then the relay attack. The main focus last time was on the rollback attack, and this time it's going to be a little bit more on the actual relay attack. Today I'm going to do a recap on how key fobs work, then another recap and also a demo of the conventional relay attack on cars, then pushing it a little bit further beyond the conventional relay attack.

So with that said, let's dive into a little bit of depth on how key fobs work. I do notice that it looks like the key is just floating there, but I swear he is holding it. So when you dive into looking at signals, you usually have some type of spectrum analyzer, and I used the HackRF to basically capture all the signals that I could find, looking at a bunch of devices and so forth. So, as I mentioned, starting off with my mom's Mazda, I started looking at the signal here. I Googled what frequency it is, zoomed in, and I saw these peaks. What did they mean? I had no idea. Just two peaks. Why are there two? I thought there would be one. It doesn't make sense, right? So then I dived in a little bit deeper, and I remembered from my varsity days that of course there has to be some type of modulation, because when you're transmitting data, for some reason when I thought of Wi-Fi or things like that, it's binary, sending packets, and it makes sense. When you think about sending signals, for some reason we forget that it's still binary; the data doesn't change. So there's going to be some type of digital modulation. You're just sending ones and zeros, which essentially is all the data packets and things like that. For digital modulation, there are a bunch of methods to do it, and
essentially what this boils down to is how you can transform or embed the binary data into an actual signal that has to travel over a distance. Right? Sorry, there we go. So one of the methods is amplitude shift keying, and this is one of the common methods for automotive communication. Essentially what that means is whenever there's a higher amplitude it means one, whenever there's a lower amplitude it means zero, as simple as that, right? When we look at frequency shift keying, however, it's a little bit different, because the higher frequency is going to mean a one and the lower frequency is going to mean a zero, but maintaining the same amplitude. Taking that back to what I saw earlier, essentially we can see the two peaks there, and this is a spectrogram. So we have the frequencies on the bottom, and we can see it's at 434 megahertz. And then if we look at the diagram below, it makes a little bit more sense that there are two peaks here. It gives us an indication that the Mazda key fob, which of course is the one I'm hacking, is making use of FSK. And we can see the one farther right over there is going to be the higher frequency, so that's all of the ones, and then the lower frequency is all of the zeros. Just another form of communication. When we look at any type of RF communication, a lot of cars, as I mentioned, mainly make use of ASK and FSK. There's also PSK, which is phase shift keying. That's just not common, at least not with cars.

When we look at key fob communication, when we're at the point where we understand what the signals look like and now we understand what the data looks like, how do key fobs actually secure your car in terms of unlocking it and things like that, right? In the olden days, there were a bunch of attacks on any type of RF communication with replay attacks. So rolling codes essentially prevent a replay attack from happening. How does it do this? The car would have a window of acceptable codes that the key fob could transmit, and then whenever the key fob transmits a specific value, the car is going to check its list and see whether the value is actually inside of the list or not. If it is, it's going to unlock the car. Of course, we just have integers over here, which makes it a lot easier to understand. But if the key fob number is further down the line from the sequence, or even before it, the replay attack won't work. So here we have the fourth increment of the signal, and if we were to replay the third signal, the car won't unlock, because it's not inside of the rolling window. That's how we would prevent replay attacks. So now we have a very brief overview in terms of the key fob communication and the rolling codes and things like that.

The main focus for today is relay attacks. So I'm going to jump into a little bit more of an overview and conceptualize it. But first let's jump into what it actually is. So with the relay attack we're going to look at a specific example of attacking keyless entry. With keyless entry, it's essentially whenever you have a car that allows you to enter the car with your key still inside of your pocket: if the key is nearby the door, the door will actually unlock. The same thing goes for keyless start. So essentially, if we look at this diagram over here, this is how an attacker might want to exploit any type of relay attack attacking keyless communication. One attacker would follow you inside of a shop while you have parked your car outside in the mall's parking lot. One attacker stands nearby the car. The attacker nearby the car is going to pull on the door handle, at which point the car is going to ask, is the key fob nearby? Then the attacker will relay that signal back to the attacker inside of the mall following the actual victim in this case. And then the key fob's going to respond, yes, I'm nearby. And then it relays that back to the car. And the car actually thinks the key fob is nearby, and the car will unlock. Keyless entry works with exactly the same communication. So that's why you can unlock the car, start the car, and drive away.

So I'm just going to quickly show a demonstration of that. I believe this was in the UK or something like that. It's quite an interactive one and something that's a little bit interesting. Note the demographic differences: here they would park their cars without any gates. It's actually going to be important when understanding how an attacker would want to use a relay attack, but we'll get to that in a second.
So you can see the attackers are basically going to stop by the car. And you'll note, of course, we need two attackers. Currently, the key fob is inside of the house, sitting on a table or something like that. And then both of them are basically carrying transceivers. One is going to stand nearby the door handle, pulling on the door handle, where the car is going to ask, is the key fob nearby? And you can see the guy there at the wall over there. And then you'll see in a second the relay attack performing there. The car unlocks. They get into the car. But the thing is, the attackers actually forgot you have to start the car as well. So the second attacker is going to go back. Oh wait, what's going on? Still very confused. And there you can see the second relay attack for the keyless start happens. The car starts and they can successfully drive away. The fob could be anywhere inside of the house. For example, it depends on that second transceiver that's against the wall; it depends how strong that is. I've seen videos before where they would literally carry an antenna as big as a door frame and then just press that against the wall, and then that signal would go into the house where the key would respond, and you'd think the key wouldn't respond with a strong signal, but it actually is a similar strength to the signal when you would press your key fob. The main reason for that is, with that second communication coming back to the car, it uses the same antenna as what you would use when you press the button. That's why it's a similar strength and things like that.

So the concept that I want to relay to you guys over here is basically the fact that you can relay or extend the communication of essentially any signal. It doesn't really matter, if you think about the actual physics of the signal. You have a signal being transmitted. You should be able to capture that signal and then relay it as far as you want. That's essentially the concept that we're going about here. But of course, there are sometimes dependencies on what type of attacks you could perform. Let's say you're looking at some type of communication where there are time dependencies. An example of this is a POS device. So with a POS device, where you're looking at NFC communication, there is a challenge response, and you only have, I believe it was, 500 milliseconds to complete the challenge response, otherwise the payment won't go through. So in those cases, for your attack you need to make sure that you set it up properly so that you can perform the attack within the 500 milliseconds. And if you think about it, radio signals travel pretty fast, right? That is with direct line of communication.

But of course we're going to spice it up a bit. How else can we try and perform this communication? Which is exactly what I started to think when I looked at a lot of the videos of these attackers performing these relay attacks to steal cars. It was almost always line of sight. So then I thought to myself, okay, but what if there is a big wall? What then? What if it's not direct line of sight? What if you want to do it over a larger distance? So as I mentioned, the initial concept with a relay attack is you want to essentially take a signal and then relay it to another transceiver, which then performs the final piece of the communication. In the case of the keyless entry, it would be where the car would ask, is the key nearby, and then the key would respond, yes I am. So you're essentially just extending that range of communication. When we're looking at the range of communication there, it's meant to be like 2 meters or so. So that's something I want you to keep in your mind whenever you're looking at these types of technologies. We're trying to think how we can bypass the initial assumptions made by the designer or whoever made that piece of equipment, because they probably assumed no one would actually want to extend the range beyond 2 meters, because that's not nearby; that's not worthwhile for the keyless entry, right? But they didn't think about the fact that you can actually extend the range for this.

So when I built this presentation and we went through all of the demos for this, conceptually we thought we had the idea down, but then Matt over here made me realize, no, the communication can't really work, and I hope all of you saw it: this is never going to work. We have an Audi key and a Mercedes. This experiment is completely flawed. But that's okay, at MWR we think of solutions, and we fixed [Applause]
it. So now that we've fixed our experiments and we know exactly what we're doing, and we know from here on if we have direct line of communication, the idea, remember, is how can we extend the range of this communication. My initial thought is, well, what if we do it over the internet? And then I heard of BSides Cape Town. I was like, well, what if we do it over the internet over a large distance? That's when we started to dabble a little bit into this specific concept and how we can try and perform any type of relay between point A and point B, but specifically over the internet. And the main reason is because with direct line of sight communication with radio frequencies, there are a lot of dependencies and things that could get in the way. Yes, it's doable, but I'm not an electronic engineer. I'm sorry. I don't have the skill set to actually do this, but I'm an IT guy, so I'm going to chuck these things over the internet. Right. So, that's exactly what we started doing.

And essentially, this is the experiment we've set up. And what this looks like here, okay, I think you guys spot it. Yeah, this was also a late night decision of mine. So, yeah. It's my mom's car, the Mazda, as I mentioned, and she calls it her Mazdarati. So, anyways, with the experiment we've set up here, we wanted to initially perform a relay attack with the actual keyless entry and keyless start. However, to actually do that with the keyless start, the communication actually is a lot more complex than just unlocking your car. It works on different frequencies, one a lower one and the other one the normal 434 MHz. So essentially to do the relay you just need the right receivers. We couldn't get the right receivers. So either you have to build it yourself, which obviously takes time, still doable, but just in terms of investment, going into the idea of not performing a specific attack but rather, let's conceptualize the whole idea of relay attacks, and then after that, thinking, okay, now that we understand the concept of relay attacks, let's apply it to anything. Right? That's the idea we want to go for.

So, if we look at the setup here, we've got a laptop in Cape Town, a laptop in Cape Town with the key fob. So this is the spare key fob that I have here with me. And then we've got the receiver. So I'm not going to pick it up, because I'm very scared of breaking it. I don't have good luck with my antennas. I think some of you would remember. So I have my antenna over here, and then what we're going to do is we are going to essentially capture a signal here in Cape Town. We're going to process it on this laptop, where the laptop's going to send it to an EC2, and then the EC2 is going to forward it to a laptop sitting in Pretoria. Then that laptop is going to process the signal and then send it to our Maserati, with the main goal of unlocking the car. Once again, this is about the actual concept of a relay attack, and then we explore the attack surface further. So I am going to try and do the demo live. But in case it fails, I do have a video at least, so you guys can believe me, unless I'm good at Photoshop. Let's see here. Just going to put the mic down. I think I need to press a few buttons.
Don't know who said that, but yes. So as we can see here, sorry. [Audience member:] Does your mom know about this? She does. She does. She does. Yeah. No, she does know. But once again, with my research, she didn't know I started doing the research. That's the one bit that she didn't know about, and yes, she was mad, but I didn't break it, so that's good news.

But on the topic, a quick mention of one of our principal consultants: while doing my research I did DoS his car. So essentially I was trying to find patterns in those rolling codes, and basically within the rolling code you have a rolling window. If you press the button too many times outside of the range of the car, the car is not going to have the rolling code inside of the rolling window, and your key fob's not going to work. I didn't know that was a thing at the time. So I basically asked, and he's the kindest principal consultant you'll ever meet, so I asked him, can I just do some research for the whole day? For the whole day, I pressed that button the whole day. And his car was in the basement, so it's out of reach of the key fob. And basically at the end of the day, I wanted to show him, "Ah, I found an attack. Let's go do it." I take the whole office down to the basement, and then I do the attack. Nothing happens. And it's like, "Oh, okay. Yeah, my equipment doesn't work or whatever." And he's like, "Oh, well," locks his car, nothing. Unlock, nothing, nothing. And he looked at his key, and his key stopped working. Luckily he had the physical key with him, so he could unlock his car and still drive home. Apparently after a few days of using the spare key, his original key started working again. Not sure if this might be some type of resyncing mechanism between the two keys. But yeah, that was very stressful, because I think I was still in probation at the time. So, yeah.

So, I just want to show the setup here. This is a screen share of this laptop. Let me move the mouse. There we go. And then we've got the Maserati here at the right, in Pretoria currently. And we can see here, someone asked me earlier, what's that rock on the bonnet? That's actually the original key, or the main key, and there's a very dirty fluff ball attached to it. Yeah, and we've got the HackRF on the bonnet as well, with a USB extension cable to the actual laptop on a table next to it, which is going to perform all the processing. Right. So what I'm going to do here is just show you the code. Well, not, sorry, I mean show you running the command here. So it just needs to be ready, because it's quite fast. So the demo is essentially when I press this button, it's going to open up the receiving end. I have to press the button. I have to press the button, and then it's going to capture the signal, relay it, and it should transmit. Okay, there we go. Now it's going to transmit the signal. 11%, 17%, it's going to the EC2, going to the other laptop, going to Pretoria. Go to Pretoria. You can do it. And then we can look at the car over here and we should see... There you [Applause] go. I'm very happy that worked. [Applause] Yo. Yeah. So, the six hour Teams meeting, I had to ask my family to just join the meeting, and then I just left it. So, yeah. And that was just the automatic lock signal. Yeah, not sure if you saw the lights there.

So I just wanted to also add on some of the things, I guess complications, I had this week trying to set this up, because it's quite interesting. And I mentioned earlier that rollback attack. With the rollback attack, the Mazda is vulnerable essentially to resyncing the key and the Mazda again
whenever it is out of sync. So what you could do is you can capture three signals, sequential signals, off the Mazda's key fob and then replay that to the car, and the car will unlock. So what I did was, and we can't go into too much detail as to why, well, actually I don't know why, it's because they built it in as a feature for the actual car. They didn't think it could be exploited, essentially. So that's one of those things where you're thinking about the design of the actual technology you're working with, and you're thinking about, did they think of how people could exploit this? So you're trying to think outside the box. But initially I had to build the experiment so that I capture three signals and relay that, because I was worried about the fact that it's going to be out of sync and I need to unlock the car. When I did that initially, of course, that resynced the key fob and the car, right? And at that point they are synced. You don't need to replay those three signals anymore. So that was quite an interesting finding, or learning I guess, I had in this case.

And the other thing I wanted to mention with some of the complications, because, yeah, I'm not sure if you guys saw Tina's talk, but sleep also wasn't a thing this week. Because we, it was kind of working in a phased approach on Monday, and then everything broke. And I realized why. So my initial testing was only with a HackRF, because that's the most reliable equipment I have, and it's got the same functionality as this small receiver over here. Essentially what happened was I couldn't go through the whole approach of doing it with a HackRF and the small receiver. I figured out those two devices work completely differently. This small one adds a lot of math for you, which I didn't know, and then the HackRF doesn't. So that was essentially the difference, and it took me a whole week to figure that out.

But essentially, when we go back to the relay attack over here. So this second slide here is literally just the video in case that demo failed. So the next part of the slides is essentially a little bit quicker. But I just want to go back to what this actually means, because we did a relay attack from Cape Town to Pretoria. So fundamentally, again, this means we can extend the range of communication of any signal. This could be attacking keyless entry systems across the world. Yes, there are a lot of limitations for that attack. So I'm not trying to scare anyone. It's just that the fundamentals are that there is a possibility. But with these types of attacks, there's a bunch of things that you need to take into account. For example, with keyless entry, there is also a challenge response, and there are different levels of communication. So it's not as easy as doing it across the world, especially given the fact that there are different latencies across the world. So from here to Europe, for example, that demo didn't work, because we had a VPN set up for something that's in Europe, and then back, and that demo completely failed. And it's just because there's a longer latency with the type of communication you were trying to attack, essentially. Then of course we can relay this to building access control and POS devices. I want to reiterate, all of this is essentially about thinking about technology in a different way, thinking beyond the designer's original assumptions.

With that said, I want to just share a little bit about how the same concepts apply to RFID and NFC. And before we go in there, last time I also spoke a lot about the attack surface here. There are relay attacks, there's eavesdropping, replay attacks, and card cloning. But for today I just want to quickly show something with relay attacks regarding POS devices. So how does the communication actually work? For this explanation I did take a lot of inspiration from this team over here, All About Electronics. They really explain the communication quite well, and
it was really hard to find a proper video explaining it. And essentially it summarizes to: it makes use of electromagnetic induction, and you have active devices and passive devices. With active devices, you have two devices, with both devices having an NFC chip, and device A would start the communication and device B would respond. They don't communicate at the same time. And also with these active NFC devices, both would have their own powering mechanism, like a battery or plugged in, and that's going to power the actual antenna of these devices. With passive communication, it's a little bit more interesting. You have the NFC device which sends out a power signal to the actual receiver, and then it's going to power the antenna on the receiver, like a card or anything like that. And then the card is essentially going to take power and release power based on whatever code or data is stored on that card. And this device over here, the one sending the actual power to the passive device, is going to monitor the fluctuations in its power, that is, in the signal that it's sending out. Because if you are transmitting a signal and someone is taking that energy, you can sense or measure the differences or fluctuations in that signal. So that's going to be the ones and zeros coming out.

So this team over here, with Salvador Mendoza, they made a very nice PoC of how to perform a relay attack on an actual POS device. For their experiments, they essentially had a mobile phone emulating a POS device. Basically the same thing these days. And then they would take or press on the POS device, get ready for payment. The POS device is going to send out a signal: where's the card? They're going to relay that signal to the credit card. The credit card is going to return with the data. Relay that data back to the POS device, and the payment is completed. The main thing here, you can think about it being your normal tap to pay, but now increasing that distance. You have a demo from Mr. Mendoza. I'm going to skip through it a little bit. So here, starting, we have the POS device, and essentially they're just hitting a command to say that the phone is going to ask, where's the card? And there's the payment already done. But where is the actual credit card? Right, you can see here, all the way at the end of this hallway.

So the relay attack for the POS device, between the POS device and the actual credit card, was done over this whole hallway over here. And you can see there's the other transceiver that accepted the radio signals and then passed them on to the actual card over there. So, if we think about how this demo worked, it's essentially: if you walk in a mall and you have your credit card in your pants, and then someone walks past you with one of these devices, they would essentially relay the signal from someone else, where they've got a POS device, relay the signal to your credit card, and the payment would be completed. Right? That sounds horrible. And yes, yes, it is. But does this mean the world is on fire? No, I wouldn't say so.

So essentially for these types of attacks, there are very easy security measures we can make use of, and also these attacks are very complex, and usually there are a lot of dependencies to make this attack actually work. For these easy defenses we can use for your cards, just make sure you have a wallet that will protect you against RFID and NFC communications. Most wallets have this in by default. Well, I think probably not. I'm not entirely sure. At least where I've bought wallets before, it is there by default. So make sure you have
something like this in your wallet. Definitely useful to protect you against these types of attacks. And you don't have to stress at that point at all, unless your card is somewhere else. Then for the key fob attack, with the relay attack against the keyless entry, the main defense that the manufacturers said was switch it off, but you paid for it. It just doesn't make sense. So what else can you actually do? We would recommend, at least what's recommended by the manufacturers and all the dealerships, and I agree with this, making use of a Faraday pouch. So it's one of these pouches where you would put your key fob in, and you can put your key fob in whenever you are at home, essentially putting it there on the table, or when you're walking with it, so that they can't actually perform this type of relay attack. So it's quite easy to get these controls, or at least equipment, and in this sort of thinking, no, the world is definitely not on fire.

For my final remarks here, there are three things that I want to mention. One is, whenever you're looking at some type of technology, it's really about thinking beyond those barriers in terms of what the initial designer thought they put in place. So thinking beyond that, when you look at a piece of technology, what can you do? Don't think it's just this magic that happens. You can probably take it further. And then secondly, when you do find these things, it doesn't mean specifically that every attacker can now just do this and the world's on fire and all those things. You have to look deeper to understand what the attack actually means, especially for where you live and the type of tech that you're using, why that matters, and the demographic part of it. The demo I showed you earlier with the relay attack, that doesn't really work in South Africa, because we essentially have a lot of gates, right? So attackers actually had to resort to different ways of performing the attack, and what they would do is they would actually go to the mall and follow you, but that's highly detectable if you just see someone following you, right? And these devices are quite complex to build, and also to get it right; it is hard to get it done. So essentially it's really about thinking further, and I think that's the main message I want to relay today, and I know I'm saying relay a lot. It's not a pun anymore. It's just in my head now. Yeah, that's essentially all from my side. Thank you everyone for [Applause] listening.
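The talk's ASK/FSK explanation (higher amplitude or higher tone is a one, lower is a zero) as a small worked modem, added here as an illustration; it is not the speaker's code and is not the Mazda fob's real scheme. Sample rate, bit rate, the two tones, the ASK amplitudes and the payload bytes are all constructed assumptions; the FSK receiver decides each bit by which tone carries more energy in its bit window, which is what the two peaks on the spectrogram look like from the receiver's side.

```python
# Toy ASK/FSK modem in pure Python. Constructed example: the parameters below
# are assumptions for the demo, not the key fob's real timing or frequencies.
import math
import random
from typing import List

SAMPLE_RATE = 48_000                 # samples per second (assumed)
SYMBOL_RATE = 1_000                  # bits per second (assumed)
SPS = SAMPLE_RATE // SYMBOL_RATE     # 48 samples per bit
F_ZERO, F_ONE = 4_000, 8_000         # FSK: lower tone = 0, higher tone = 1 (assumed)
F_CARRIER = 8_000                    # ASK carrier (assumed)
ASK_HIGH, ASK_LOW = 1.0, 0.25        # ASK: loud = 1, quiet = 0 (assumed)


def fsk_modulate(bits: List[int]) -> List[float]:
    """A 1 is sent as the higher tone, a 0 as the lower tone, at the same amplitude.
    Phase carries across bit boundaries so the waveform has no jumps."""
    samples, phase = [], 0.0
    for bit in bits:
        step = 2 * math.pi * (F_ONE if bit else F_ZERO) / SAMPLE_RATE
        for _ in range(SPS):
            samples.append(math.sin(phase))
            phase = (phase + step) % (2 * math.pi)
    return samples


def ask_modulate(bits: List[int]) -> List[float]:
    """One carrier; a 1 is sent with high amplitude and a 0 with low amplitude."""
    step = 2 * math.pi * F_CARRIER / SAMPLE_RATE
    samples = []
    for i, bit in enumerate(bits):
        amp = ASK_HIGH if bit else ASK_LOW
        samples.extend(amp * math.sin(step * (i * SPS + n)) for n in range(SPS))
    return samples


def add_noise(samples: List[float], sigma: float = 0.05, seed: int = 1234) -> List[float]:
    """Deterministic Gaussian noise, so the receivers are not handed a perfect signal."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def _tone_energy(window: List[float], freq: float) -> float:
    """Non-coherent correlation: energy of `window` at `freq`, independent of phase."""
    step = 2 * math.pi * freq / SAMPLE_RATE
    i_sum = sum(s * math.cos(step * n) for n, s in enumerate(window))
    q_sum = sum(s * math.sin(step * n) for n, s in enumerate(window))
    return i_sum * i_sum + q_sum * q_sum


def fsk_demodulate(samples: List[float]) -> List[int]:
    """Each bit window is compared against both tones; the stronger tone wins."""
    bits = []
    for start in range(0, len(samples) - SPS + 1, SPS):
        window = samples[start:start + SPS]
        bits.append(1 if _tone_energy(window, F_ONE) > _tone_energy(window, F_ZERO) else 0)
    return bits


def ask_demodulate(samples: List[float]) -> List[int]:
    """Each bit window is judged by its RMS amplitude against the midpoint of the two levels."""
    threshold = (ASK_HIGH + ASK_LOW) / 2 / math.sqrt(2)   # RMS of a sine is amplitude / sqrt(2)
    bits = []
    for start in range(0, len(samples) - SPS + 1, SPS):
        window = samples[start:start + SPS]
        bits.append(1 if math.sqrt(sum(s * s for s in window) / SPS) > threshold else 0)
    return bits


def bytes_to_bits(data: bytes) -> List[int]:
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]


def bits_to_bytes(bits: List[int]) -> bytes:
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits) - 7, 8))


def roundtrip(data: bytes, scheme: str) -> bytes:
    """Modulate, add noise, demodulate; returns the payload the receiver recovered."""
    bits = bytes_to_bits(data)
    if scheme == "fsk":
        return bits_to_bytes(fsk_demodulate(add_noise(fsk_modulate(bits))))
    if scheme == "ask":
        return bits_to_bytes(ask_demodulate(add_noise(ask_modulate(bits))))
    raise ValueError(f"unknown scheme {scheme!r}")


if __name__ == "__main__":
    payload = b"\xa5\x3c"   # constructed payload, not a real fob frame
    print("FSK:", roundtrip(payload, "fsk").hex())   # a53c
    print("ASK:", roundtrip(payload, "ask").hex())   # a53c
```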
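The rolling-window behaviour the talk describes, both the replay rejection and the principal consultant's car that stopped accepting its fob after a day of out-of-range presses, as an added receiver model; this is illustration code, not the speaker's and not any manufacturer's scheme. The code format (a truncated HMAC over a counter), the window size of 16 and the shared secret are constructed assumptions.

```python
# Rolling-code receiver model. Constructed example: the code format and window
# size are assumptions, not a real key fob's scheme.
import hashlib
import hmac
from typing import Dict

WINDOW = 16   # counters ahead of the last accepted one that the car will still accept (assumed)


def make_code(key: bytes, counter: int) -> bytes:
    """The counter never goes over the air in clear; only a keyed hash of it does."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class KeyFob:
    def __init__(self, key: bytes, counter: int = 0) -> None:
        self.key, self.counter = key, counter

    def press(self) -> bytes:
        """Every press advances the counter, whether or not the car can hear it."""
        self.counter += 1
        return make_code(self.key, self.counter)


class Car:
    def __init__(self, key: bytes, window: int = WINDOW) -> None:
        self.key, self.window, self.last_accepted = key, window, 0

    def receive(self, code: bytes) -> str:
        """Accept a code only if its counter lies in (last_accepted, last_accepted + window]."""
        for candidate in range(self.last_accepted + 1, self.last_accepted + self.window + 1):
            if hmac.compare_digest(make_code(self.key, candidate), code):
                self.last_accepted = candidate   # jump forward; every older counter is now dead
                return "unlock"
        return "ignore"


def scenario() -> Dict[str, object]:
    """Walk through the talk's examples and return what the car did at each step."""
    key = b"constructed-shared-secret"      # constructed; a real fob's key is per-device
    fob, car = KeyFob(key), Car(key)
    results: Dict[str, object] = {}

    codes = [fob.press() for _ in range(4)]
    results["fourth_press"] = car.receive(codes[3])    # counter 4, inside 1..16 -> unlock
    results["replay_third"] = car.receive(codes[2])    # counter 3, behind the window -> ignore
    results["replay_fourth"] = car.receive(codes[3])   # same code again -> ignore

    for _ in range(3):                                  # a few presses the car never heard
        fob.press()
    results["skip_ahead"] = car.receive(fob.press())   # counter 8, still inside 5..20 -> unlock

    for _ in range(WINDOW + 5):                         # pressed all day in the basement
        fob.press()
    results["after_desync"] = car.receive(fob.press()) # counter 30, beyond 9..24 -> ignore
    results["fob_counter"] = fob.counter
    results["car_last_accepted"] = car.last_accepted
    return results


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(f"{step:18} {outcome}")
```

Once the fob's counter has run past the window, no further press helps: the car needs a resync step, and the talk's observation that the key started working again after a few days of using the spare is consistent with the other fob pulling the car's state forward.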