BSides Joburg 2024

Hacking The Airwaves!
2024-07-20 , Track 1

This talk will dive into the world of hacking wireless communication, focusing on the automotive industry, access control, and IoT communications. We will jump into the mind of how attackers view wireless communication and explore various attack vectors that could allow them to unlock your car and drive away or bypass your office access control to gain access to sensitive areas such as the server room.


  1. Introduction

An introduction to radio frequency hacking and the topics that are going to be covered during the talk. The talk will mostly cover the types of attacks that already exist, with less focus on defence. The main aim of the talk is to raise security awareness surrounding radio frequency hacking.

  2. Tooling

Introduction to the tooling that is going to be used during the talk and what attackers might use, with a quick demonstration of how it works to show the attacker's mindset when it comes to radio hacking (Demo 1).

  3. Automotive attacks

An explanation of how car keyfobs work with rolling codes and how they prevent replay attacks. Following the rolling code explanation, there will be a short demo to illustrate how an attacker can capture these signals.

This explanation will aid in understanding potential weaknesses of rolling code communication and how attackers could exploit this to perform various actions, such as unlocking or starting the car. This will be followed by a demo of how an attacker could analyse the 2012-2017 Kia Rio's rolling code communication and use it to brute force or predict rolling codes to unlock the car (Demo 2).

With this knowledge we will also go through some of the security considerations of rolling code communication, ending with how encryption can be a good mitigation but not a complete fix. This will include an explanation of how attackers could break the cryptography by extracting information from the keyfob itself at the hardware level.
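A toy model of the rolling-code acceptance window discussed above, added here as an illustration (it is not the talk's own code and does not model any vendor's protocol): the fob and receiver share a key and a counter, each press sends the counter plus an HMAC tag over it, and the receiver only accepts counters strictly ahead of its own within a bounded resync window, so a captured frame replayed later is rejected.

```python
import hashlib
import hmac

# Constructed example: a simplified rolling-code scheme (not any real
# vendor's protocol). Both sides hold a shared secret key and a counter;
# each press transmits (counter, tag) with tag = HMAC(key, counter).
WINDOW = 16  # how far the fob may drift ahead (presses made out of range)


def make_code(key: bytes, counter: int) -> tuple[int, str]:
    """Fob side: derive the code transmitted for a given counter value."""
    tag = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).hexdigest()[:16]
    return counter, tag


class Fob:
    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter

    def press(self) -> tuple[int, str]:
        self.counter += 1  # counter advances on every press, seen or not
        return make_code(self.key, self.counter)


class Receiver:
    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter

    def accept(self, frame: tuple[int, str]) -> bool:
        counter, tag = frame
        # The counter must be strictly ahead of the last accepted value and
        # within the resync window; anything else is treated as a replay.
        if not (self.counter < counter <= self.counter + WINDOW):
            return False
        _, expected = make_code(self.key, counter)
        if not hmac.compare_digest(expected, tag):
            return False  # valid counter range but wrong tag: forged frame
        self.counter = counter
        return True


def replay_demo() -> dict:
    key = b"constructed-demo-key"  # constructed value, not a real key
    fob, car = Fob(key), Receiver(key)
    first = fob.press()
    results = {"live": car.accept(first)}
    results["replay"] = car.accept(first)  # same frame sent again
    for _ in range(5):  # presses made out of range of the car
        fob.press()
    results["resync"] = car.accept(fob.press())  # still inside the window
    results["forged"] = car.accept((car.counter + 1, "0" * 16))
    results["too_far"] = car.accept(make_code(key, car.counter + WINDOW + 1))
    return results
```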

For more practical examples, we will give a conceptual explanation of the Roll Back Attack and demonstrate how it is performed on a Mazda CX-5 and a Hyundai i20 to unlock or start the car (Demo 3).

Understanding how keyless entry and start works, and what an attacker might want to target to exploit it, will form the final part of the automotive component of the talk. We will go through a conceptual explanation of the Relay attack and demonstrate how it is performed on a Mazda CX-5 to unlock and start the car (Demo 4). We will emphasise the dangers of this attack, since it leverages the principles of radio communication rather than a flaw in the technology itself, and go through potential defences, which will help us understand the core issues. This part will also cover how attacker techniques had to evolve to perform this attack in different living environments around the world.

  4. Access Control

Due to the similarities between automotive attacks and how access control cards work, we will use the knowledge developed in the previous part to understand how basic access control cards work (Demo 5).

This will highlight the potential shortfalls of physical access control with access cards such as Access Card Cloning and cracking with a quick demonstration. It will also contain a conceptual explanation of how the Relay Attack used on cars can also be used with access control as well as potential defenses for the attack.

  5. More RF Attacks

We will discuss basic jamming concepts, explaining how jamming can be used against cars and exploring attacks such as jamming keyless start or jamming the car tracker. We will also take a brief dive into how jamming can be used to bring down services in corporations (WiFi), mining, and hospitals, including a demonstration of how a jamming attack can work (Demo 6), and discuss some potential defences against jamming.

  6. Closing remarks

A quick recap of the topics we covered, followed by the overall impact RF attacks could have and why they should matter to us as security professionals.

Demos in presentation:

Demo 1: How the tooling works
Demo 2: Demonstration of how attackers can capture and analyse Kia Rio rolling codes to perform a brute force attack to unlock the car
Demo 3: Demonstration of the Rollback Attack on Mazda CX-5 and Hyundai i20 to unlock the car
Demo 4: Demonstration of the Relay Attack on Mazda CX-5 keyless start
Demo 5: Demonstration of how access cards could be cloned/cracked
Demo 6: Demonstration of how a jamming attack can jam car trackers, keyless start, and WiFi

I am an ambitious and adaptive individual with a logical mindset and practical approach to problem solving. This makes me good at analyzing and extracting information to make sure that the team understands the problem and their roles on how to solve it. This also allows me to see where possible improvements can be made within the company to enhance overall performance of the team to give the best possible results. I am eager to be challenged to grow and further my current skills. My greatest passion in life is to provide innovative solutions to current challenges.