this post was submitted on 09 Aug 2025
163 points (98.8% liked)

cybersecurity

top 27 comments
[–] can@sh.itjust.works 49 points 1 month ago (2 children)

A significant consequence of this attack is that the original, legitimate keyfob is immediately desynchronized from the vehicle and ceases to function. This could be the first sign for an owner that their vehicle’s security has been compromised.

[–] Brunbrun6766@lemmy.world 74 points 1 month ago

I think the first sign would be the stolen car

[–] IllNess 12 points 1 month ago (2 children)

How does this work if a family is using two keyfobs? Does each one have its own rolling code?

[–] atrielienz@lemmy.world 10 points 1 month ago* (last edited 1 month ago) (1 children)

Technically, the other fob shouldn't be affected if it works the way I think it does. There's usually a maximum number of keys synced to the vehicle.

This attack basically forces the key fob the flipper zero is substituting itself for to fall out of sync because the flipper zero doesn't transmit the rollover response from the vehicle back to the key fob. So the F0 sends the rolling code it intercepted from the key fob to the vehicle. Vehicle is like, yep, that matches, and then it does its rollover and sends out the rollover response. The response doesn't get back to the key because of range etc., and then the key remains a step behind the vehicle in the rollover sequence from then on out.

Technically I think ~~they~~ the key could potentially be resynced to the car. (My understanding is that a key of the correct type could be synced to any car that it can be programmed for so long as the key isn't physically damaged, and the security module isn't compromised with malicious code that would prevent it).
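Added illustration, not code from the thread, the Flipper Zero project or any car maker: a toy sliding-window rolling-code model that shows what the two comments above describe, namely that each paired fob has its own counter, that a consumed code is rejected on replay, that a fob pressed out of range resyncs as long as it stays within the window, and that a fob that drifts past the window stays out of sync until it is re-paired. `RESYNC_WINDOW`, the `Fob`/`Vehicle` classes and the pairing step are assumptions, not any vendor's design.

```python
# Toy sliding-window rolling-code model (added example, not Flipper Zero or
# manufacturer code). Window size, pairing step and counter layout are assumptions.
from dataclasses import dataclass, field

RESYNC_WINDOW = 16  # assumption: max counter lead a fob may have and still be accepted

@dataclass
class Fob:
    fob_id: str
    counter: int = 0

    def press(self) -> tuple:
        """Each press transmits (fob_id, counter) and rolls the fob's counter forward."""
        code = (self.fob_id, self.counter)
        self.counter += 1
        return code

@dataclass
class Vehicle:
    expected: dict = field(default_factory=dict)  # next counter expected, per paired fob

    def pair(self, fob: Fob) -> None:
        """Pairing (or re-pairing) records the fob's current counter as the expectation."""
        self.expected[fob.fob_id] = fob.counter

    def receive(self, code) -> bool:
        fob_id, counter = code
        if fob_id not in self.expected:
            return False                      # unknown fob
        nxt = self.expected[fob_id]
        if nxt <= counter < nxt + RESYNC_WINDOW:
            self.expected[fob_id] = counter + 1  # consume this code and everything before it
            return True
        return False                          # replayed (behind) or too far ahead

def scenario() -> dict:
    car, a, b = Vehicle(), Fob("A"), Fob("B")
    car.pair(a); car.pair(b)                  # two fobs, each with its own counter
    first = a.press()
    out = {"fresh": car.receive(first), "replay": car.receive(first)}
    for _ in range(RESYNC_WINDOW - 1):       # fob A pressed out of range of the car
        a.press()
    out["within_window"] = car.receive(a.press())   # still within window: resyncs
    for _ in range(RESYNC_WINDOW + 5):       # drifts well past the window
        a.press()
    out["beyond_window"] = car.receive(a.press())   # rejected: out of sync
    out["other_fob_unaffected"] = car.receive(b.press())
    car.pair(a)                              # re-pairing resets the expectation
    out["after_repair"] = car.receive(a.press())
    return out
```

Fob B is never touched by anything that happens to fob A, which is the per-fob state the question above asks about.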

[–] IllNess 3 points 1 month ago

Yeah. This is what I assumed also. Thanks for your input.

[–] 9point6@lemmy.world 9 points 1 month ago (1 children)

Yeah I would assume there's a maximum number of fobs you can register to an individual car and it just keeps the state for all of them individually

[–] IllNess 1 points 1 month ago

That's the only way I think it could work. Makes sense. Thanks for your input.

[–] aramova 27 points 1 month ago (1 children)

Until I see proof of concept in action I'm going to be suspicious that this is as bad as the sensational headlines claim.

Hysteria gets clicks, gets news coverage then turns into nothing more times than not.

[–] ArcaneSlime@lemmy.dbzer0.com 1 points 1 month ago

Talking Sasquatch did it to his car on video, it's on his youtube.

[–] ExtremeDullard@lemmy.sdf.org 17 points 1 month ago* (last edited 1 month ago) (3 children)

I once tried to record / replay my FIAT keyfob with my F0, and it did unlock the car once. Then I spent a bunch of money having the remote lock replaced.

I'd like more evidence that this works reliably before attempting the same thing again...

[–] 9point6@lemmy.world 7 points 1 month ago* (last edited 1 month ago)

Potentially misunderstanding but that's exactly what this is, right?

You recorded the code for a given unlock (I'm assuming out of range of the vehicle), replayed it, the car then rolled the code on to the next one and your replayed code was no longer valid and your existing fob didn't know to rollover too, so was left out of sync.

So yes I guess there's the risk it hasn't been implemented correctly, but it adds the necessary functionality you were missing to accomplish this before.

Though it would still leave the fob out of sync, in theory I feel like it could be possible for the flipper to send the necessary information to allow the fob to be resynchronised too. Of course someone would need to write this functionality.

[–] Typotyper@sh.itjust.works 4 points 1 month ago

So you’re saying if you don’t like someone you can unlock their car once. Sit back as they have a shitty day and are forced to replace their key fob.

Then you can unlock their car one more time and their shitty day repeats itself.

[–] ArcaneSlime@lemmy.dbzer0.com 2 points 1 month ago

No, this would still desync your key. You in theory could maybe figure out how to pair it to your car as a spare fob, depending on what rolling codes fiat uses or how that pairing process works on fiats, but you'd have to set it up like that to not desync your regular fob.

[–] viking 12 points 1 month ago (3 children)

And people wonder why I use my key to get into the car.

[–] adespoton@lemmy.ca 16 points 1 month ago (1 children)

Why do you use your key to get into the car?

[–] four@lemmy.zip 9 points 1 month ago

To get to the other side

[–] CallMeAnAI@lemmy.world 9 points 1 month ago (1 children)

Because of some potential but low risk attack in the future that would be covered by insurance? Sounds like a pain in the ass for little gain.

[–] viking 2 points 1 month ago

I'm not going to deal with insurance if I can prevent a theft in the first place.

[–] ArcaneSlime@lemmy.dbzer0.com 1 points 1 month ago

Never seen one of these, huh?

(Amazon link, for those who'd like a warning.)

[–] Semi_Hemi_Demigod@lemmy.world 4 points 1 month ago (3 children)

Anybody know if this disables any fob or just one? I wouldn’t mind using my Flipper for my car, but my wife still needs to drive it.

[–] mmmac@lemmy.zip 2 points 1 month ago (2 children)

So you'd just carry your flipper everywhere you go? Any benefit to that?

[–] Semi_Hemi_Demigod@lemmy.world 3 points 1 month ago

It’s got a rechargeable battery unlike my car fob.

[–] ArcaneSlime@lemmy.dbzer0.com 2 points 1 month ago (1 children)

I do it, my old ass car doesn't use rolling codes so I use it to keep my car running but locked while I run into the gas station real fast for snacks on break during the winter. Yes this means I'm vulnerable to other people with flippers, but they'd still have to know and sniff my fob's signal which is easier said than done, and as long as it's not accessed when I leave it running all they can steal is my jumper cables since I don't leave anything in the car (thieves can also just break the damn window, or use the wedge, inflatable bag, hanger method, they sell the kits at Autozone lol.)

I can also control some Touchtunes jukeboxes in my area, and any TV I come across; doctors office TV has Fox running? Oh look at that now we're watching Forensic Files, odd. Some drunk moron played the Kid Rock version of Sweet Home Alabama? Oh no it got skipped! How happen?! Also a wealth of other IR or Sub-GHz signals provided by the IRDB (for IR) and elsewhere on github (for SubGHz), fans, AC, even vibrators, you name it.

Also it has a wealth of RFID fobs stored, I have access to some gyms and pools that I otherwise shouldn't, and a rewritable RFID fob on my keys so I don't have to show the flipper at the door; I can just write it to the fob before I exit my car and look like I have an approved fob. Same with NFC.

Some other cool random things too, ROT13 and Caesar cipher decoders, a key copier, BadUSB, I have a GPIO attachment that lets me trade any pokemon to myself to my GBC, and of course the wifi board loaded with mayhem and evil portal (haven't played around with flipperHTTP yet, nor the social media app, among others, that use it), it can break into some keypad sentry safes using just the flipper and two wires, lots of stuff! Don't use much of that very often but I have before and will again.

[–] mmmac@lemmy.zip 2 points 1 month ago (1 children)

Alright I'm sold. $200 seems pretty steep though

[–] ArcaneSlime@lemmy.dbzer0.com 1 points 1 month ago* (last edited 1 month ago)

Yeah that's true, I've heard there may be an updated version coming out eventually, maybe then it'll drop a little. It's definitely not for everyone, but if you think you'll use it a lot it can be worth it.

Also if you do get one I recommend installing the Momentum firmware, which isn't this "darkweb" firmware and can't do the attack in the article. This firmware is sold (iirc on telegram) and serial locked, an unlocked version is out there, but not where we can get it, maybe it'll leak one day. I'd eat my farts before I paid for it, Momentum is free both monetarily and FOSS. Momentum can do a less sophisticated version of the attack, but any such attempt on a rolling code fob will desync your fob, in both firmwares. It may be possible however to pair it with your car as a second fob, depending on your car. (Or if you're whipping an '02 like me enjoy your lack of rolling codes.)

Just one, there's no way your multiple fobs could sync with each other to begin with.

I would check YouTube to see how complicated pairing a new fob with the car is. Some are pretty straightforward with just a few button presses on the fob and in the car.

If that's easy to do I don't see why you couldn't clone the original fob and then re-pair it as a 'new' key afterwards.