How is everybody doing? (Applause) All right. Boy, this conference would be more fun if more people came, right? A couple of notes. How many first time attendees do we have here? That is awesome! Awesome! This is DEF CON. This is not like a conference that you usually have been to. There are shenanigans happening. Shenanigans may be encouraged. Some may involve your badge. You never know. I have seen people wandering around with paper badges. That means if you have one of these fancy badges, they are probably going to be in high demand. Right? Now one challenge that we had with the badge, as you probably already figured out, is: how in the world do I wear this thing around my neck? Let me release a zero day vulnerability in the badge. If you are clipping this with the little clip, that is a bad idea. They will fall off, or somebody will take them and jerk them and take them. So if you have the paper around there, that's dumb. Harden your badge while sitting here: poke the lanyard through the hole, find a cord or something like that. The other thing is, yes, it's big. It may not be fun to wear, but you need to be wearing your badge at all times. Otherwise, you're going to be getting some feedback from the SOC goons. And as you might be able to tell based on the situation in the hallway, they might be a little bit grumpy. All right? So, wear your badge at all times. Secure your badge and we'll be good. I want to thank you guys for being so cooperative in moving around and getting plenty of people in. We have a lot of great, great talks today. And this is the point where we are going to transition from talking about things that are broken, that we already know are broken, like our trust of the government and our regulatory system, and we are going to start moving into where we are going to start breaking stuff. And that is awesome. How many people feel like bricking stuff? (Applause) And we are going to start breaking some really expensive stuff too. Not that.
That's expensive, but we won't break that. We will break other things. So you probably have read about this talk in the press. Just like many talks in this track. Samy has been doing really, really interesting stuff and I think we are all really excited to see some of this research in person. I want you guys to give a big welcome to Samy. (Applause) Have a good talk. >> SAMY KAMKAR: Everyone hear me okay? Okay. Man, I'm so excited! It's been years since I have been at DEF CON. It was five years ago. So today, you are at Drive It Like You Hacked It. So we are going to talk about cars. And I'm super excited about this. My name is Samy Kamkar. I am a security researcher, and that's pretty much what I look like when I wake up. And I pretty much spend my time doing research. There are so many really cool areas of devices. All sorts of security, from networks to physical. I worked on a couple of different projects. These are some of the fun ones. I'll be doing a quick talk tomorrow if you have kids; it's kids only. I will be showing the Combo Breaker, a 3D printed -- you can break any combination lock in like 30 seconds. So, we are going to talk about car hacking. Specifically I'm interested in a lot of the radio and some portions of the connected computers we have within our devices, within our cars. I think we first need to talk about the awesome work from some other people. (Applause) Who has heard about Charlie Miller and Chris? If you haven't heard about them, I feel bad for your son or daughter. But Charlie Miller and Chris have actually, their work probably in the last few years has gotten me into this, just seeing them make Andy Greenberg go scared over and over again. And there is so much other really interesting research. They have been attacking all sorts of things over the mobile network, car, CAN bus.
There is some cool research from 2010 from the University of Washington where they are seeing what else they can do to a car from the CD player, from Bluetooth, from any other wireless communication. Recently there has been talk about amplification attacks, which is super interesting. It's basically saying a lot of our cars, we have keys that we can put in our pocket and go to our car and hit a button on the car and that will unlock the vehicle as long as the key fob is near us. So what is cool about this is that the car sends a radio signal to your key fob. It's a keyless entry system. And your key fob will see that signal and respond. Essentially a challenge response. When it sees that, it responds with a proper code and the car will unlock. As you get in the car, a couple of receivers inside the car are then sending a signal when you hit the start button. When you hit start engine, it will send a signal to your key fob and your fob is responding. That is really cool. So, what people have devised, and there is a paper on this, what they have been able to do is relay that communication hundreds of meters away. Either wirelessly or wired. And you can basically take a wireless device, go up to the vehicle and have a friend with another wireless device near the car key, so someone in their house, someone in a park, some of you at DEF CON, sorry, and can actually hit the start button and that will trigger the system. It will send a signal to your key, the key will see it because it's amplified by this device, a radio device, transmitting much further. The key responds and normally, the RSSI or the signal within the car is actually, the receivers within the car are looking for the signal, RSSI, to see how strong that signal is. And if it is strong enough inside the car, the car turns on. The key is not in the car. The amplifier is. It's near the car. So that amplifies the signal and now the car turns on. So this is existing research. People are getting their cars jacked like this.
I'm excited about the Tesla talk later today. That's pretty cool. There have been cryptographic attacks on KeeLoq. It's a rolling code system we'll talk about later. It's been cracked over and over again in pretty cool ways, specifically on the crypto side. A lot of cars have RFID immobilizers as well. So some keys will have a passive RFID device inside, so when you put your key in the ignition and turn, it is sending a low frequency, 125, 134 kilohertz signal to your key. The passive RFID key fob responds. So it has to be within a few inches. You may be able to do amplification attacks using a penetration testing toolkit that is awesome if you're interested in RFID; you can do so much crazy stuff. Cool keys coming out at DEF CON, that is pretty exciting. Also cool work from opening garages. And other things. Check that out if you're interested in car research. Also wanted to thank the EFF. I supported them for a long time and a few months ago I reached out and said, I don't want to get sued. And I mean 10 years ago I released something called the MySpace Worm and I ended up not being able to touch a computer for about three years of my life. So, I want to prevent that from happening again. So I'm not releasing worms anymore. Not under my name (Laughs) And I did use an image without asking. I hope that's okay, EFF. Please don't sue me. So let's start talking about car hacking. Nothing we all want more than to be like Nicolas Cage -- we all -- the first thing to get to a car, from what I learned in Gone in 60 Seconds: you need to locate the car and get into it. I know there are pretty sweet cars behind this garage. How do we get behind it? We will take a look at garage doors. Who has a garage door with a clicker? Everyone? Hold on. Got it. So we are going to talk about basic RF research. So the first thing you want to do, I'm going to walk you through from start to finish. I have a garage door opener here.
If you have any device, even if you pull your phone out right now, you'll see on the back, it will say FCC ID and an ID number. I want to learn what this garage door is sending. What is this clicker sending to my garage that makes it open and how can we open it? So if you take your clicker or your phone, you will see that number on the back. Take that FCC ID, and the FCC publishes all the data about that device online. If you have the device in your hand, you won't always have it in your hand, but you can take that number and we can go to a website called FCC.IO. That website is awful. You can go to FCC.IO/whatever the ID is, and it will pull up the page. Access everything from the FCC on that. So if we do that, there are a couple of cool things we see here. The first thing is we have the frequency. We can see the frequency this is sending on. If you have a device and you don't have an FCC ID you can use a frequency scanner. This is 390 megahertz for example. So it also has other stuff like internal photos, which is always really interesting. They will open it up and a small percentage of the time, if you're lucky, you can see the chips they are using. You can see the name of the chipset that is being used. Without even having the device in your hand, you can find the data sheet of that device, learn all about it. Another thing that happens is there is a test report. So the FCC tests every device they authorize. What is awesome is they are putting information about the signal, the frequency, the modulation; a lot of it you can see from the way that their test reports look because they are showing a spectrograph of the waveform that the device is creating. So here it looks like amplitude modulation or amplitude shift keying. So I want to tell you about the hardware I use to do a lot of this development. And research. HackRF One is pretty invaluable to me. This is an incredible device for software defined radio or SDR. It's a little over 300 dollars. Extremely powerful.
I mean some of the comparable stuff out there is 1000 dollars and up. It can receive and transmit between one megahertz and 6 gigahertz. You can get raw IQ samples. You can record, demodulate, use all sorts of really cool software. If you know nothing about SDR, like I didn't earlier this year, you can just be cool and use hackrf_transfer, a console app, and just record and replay signals. Half the garages out there, just type hackrf_transfer, the frequency we saw, and then save to a file, and later when you want to open that garage, hit replay. You don't need to know about the modulation or anything about the schemes. It's like copy and paste. It's amazing. Another tool I use is RTL-SDR. Another software defined radio. The chipset inside, someone discovered, can be used as a software defined radio. So you can see all sorts of cool stuff on the spectrum. This is a much -- you get a smaller range, like 24 megahertz to 1.7 gigahertz. Get up to 2.2 gigahertz -- there is an E4000 version. It only receives, so you can't transmit with this, and it has a smaller sample rate. And then another piece of software that a lot of people use is GNU Radio, which I haven't used because like this -- I don't understand all these boxes. You need to draw a lot of boxes to do stuff and I just don't understand that. But most people use it. So, I'm going to have to learn that soon. Another tool I have been using is GQRX, a free tool for Linux and OS X. It looks pretty. I like pretty applications. It makes it very easy to see signals. You can test that in a second. If you're on Windows, man, I don't know if this happened to anyone trying to install. Something happened. It looks like nothing is happening. If you're on Windows you can use SDR#. It also sort of kind of works on OS X. I tried to compile with Mono, but it looks awful at that point. Another tool I use is rtl_fm. It is a console app you can use with RTL-SDR to demodulate a signal. We'll talk about that in a second. These are all the tools I'm using.
The cost of the tools: look, HackRF 3000 dollars. RTL-SDR 20 dollars. That's about it. This is very inexpensive and my research is always focused on making this stuff super inexpensive. I want everyone to be able to access this stuff. So that's why everything is open source, fully documenting everything, and I hope more of you will get into this research because there are so many things that are -- we can demonstrate the crazy security weaknesses everywhere. Let's get back to this and check out the FCC document for a garage door opener. So this says ASK. Modulation type. ASK is amplitude shift keying to send digital data. So, what that looks like is here we have a signal. At the top we have our binary signal. So 0011001100. An amplitude shift keyed signal looks like the ASK version there in green. So basically when you want to send a signal, send a 1, you go high. When you don't, you send nothing. Frequency shift keying changes the frequency. Now amplitude shift keying is like AM radio. It's amplitude modulation. So when you listen to AM radio in your car it's doing amplitude modulation, changing based off the frequency of the sound it is trying to send. Whereas FM radio is doing what FSK does for digital data. There are a couple of other modulation schemes. This is what it looks like. If you're taking a device you have no idea what it looks like, and half the time I'm looking at signals I don't know where they are coming from or what they are, you want to figure out what they look like. So here is an example of two. It means the frequency is shifting between two different frequencies. You can have like 4FSK and other variations. So what you'll see in something like GQRX or a waterfall view is you'll see two separate signals going back and forth. For amplitude shift keying, or OOK, on off keying, you'll see like on off, on off; that's why it's called on off keying. I'm going to alt-tab. Maybe we can open GQRX and see if that works. So, I have a remote here.
Is there a spike? Sweet. That's the remote. So that is amplitude shift keying. We can see actively what that looks like and we can just record that. So we can do that. Now with rtl_fm or GQRX, you can save that data as an audio file and look at it in a free audio viewer. Why don't we do that too. Should we? Okay. Let's do that. We'll do it live. Let's open up something here. So we'll do -- I can't do that. RTL -- I'll put it on your screen in a sec. We know this is 300 megahertz, and then RTV, a simple program that swaps between rtl_fm and HackRF depending on which I have plugged in. And we'll call it defcon.wav. I'm recording a signal and I'm going to hit something and control C and open this directory and I'm going to take that file and open it in Audacity. Cool. So, here we have the signal and if we zoom in, zoom, zoom, zoom. Enhance. Enhance. Enhance. Cool. So, we see -- you see some cool stuff here. What just happened? So what you're seeing is, if you look closely, zoom in more if I can. You can't see that screen. I lost my mouse. Okay. I'll zoom in a little bit more here so you can see it really clearly. He refuses to zoom. So what you can see here is sort of long signals and short signals. Now if I open this key, I will actually see those long signals as ones or ons in your key. Who has seen these remotes with dip switches in them? The garage remotes. They have a bunch of dip switches and that is your code. That's on a fixed code garage. What is happening is the long signals are a 1 and the short ones are zero. It's easy to understand what is happening here. We just recorded that live. Let's go back to the presentation. That is essentially what we see here. We see the dip switches within the remote control are exactly correlating to what we have here. Now this is after doing amplitude shift keying demodulation from rtl_fm. It does it for you. You say I want to record at 300 megahertz and demodulate, and that's what we did. Let's think about this for a moment.
All of us have garages. Most garages have 12 or 10 bit dip switches. If we think about that, we will see that that means there are two to the 12 possible combinations, which is not a lot. Let's calculate that real quick. 4000 possible combinations for garages. So that's on the 12-bit garage. 4000 combinations. If you have a two letter password for a website with alphanumeric and a couple of keys on top, that will be more secure than your 12 bit garage code. So, let's see how we can crack that. We don't even know if you have a 12 bit or an 8 bit garage code. So let's say we want to brute force the whole space. Each signal is two milliseconds plus a two millisecond delay, and every time I hit the button it transmits 5 times. If we do that for every type of dip switch then it will take about 30 minutes to open a fixed code garage. This does not apply to rolling code garages. Like Intellicode, Genie, a couple of others use rolling codes. We'll talk about that later. So this will take 30 minutes to brute force. But, I didn't want to stand outside for 30 minutes, and my neighbors are looking at me because I live with a bunch of other units and I'm always outside with my computer. And the garages randomly opening and closing and opening and closing. So if we take a look at the signal closer, we see this, we can actually remove -- instead of taking the 5 transmissions we see on top, we only need to send one. No point in sending the code over and over. The reason devices do that is because they are cheap and sometimes the signal is hard to hear and there may be interference, so sending more times ensures the signal will be heard. If we are hacking, we assume we have something good enough that transmits well and we'll get it. So we only do it one time per code. So divide by 5 and you get 6 minutes to open any fixed code garage. From there, I was chatting in the Ubertooth IRC channel and Mike Ryan suggested I take away the wait times.
So you see at the top there is a signal on the top left and then a wait period before the next signal. So he suggested just removing the wait period and sending them, red, green, purple, blue, in sequence without that wait period. So that removed another 50% of the time that it would take to open that. That reduced it down to 3 minutes. Also he is doing an awesome talk on hacking electric skateboards where he takes over your skateboard. I'm excited about that talk with Michael and en Rico. I believe that is Saturday at 3 p.m., track 2. Right here. Check that out. So that is pretty cool. But as I was looking at the signal, there is something interesting about the signal. There is no preamble or header. Nothing to delineate and tell the garage door that this is the beginning of a garage code. It's just raw data. It's like sending a packet without a TCP/IP header, sending an HTTP request without an IP header. It doesn't know where it is going. The garage is blindly listening. How does it know where one code starts and the other ends? I thought maybe it is using a bit shift register. It is something that will take in a sequence of bits and as the buffer fills, once you have more bits available, it only drops one bit and then pulls in the next one and drops one bit and pulls in the next one. So what if I could do that with a garage? What if I could send 12 bits for one garage and 24 bits for two codes, what if I sent 13 bits? If it's a bit shift register, we'll have 12 bits that go in, it checks, is that the correct code? It will say no and then shifts on one bit, pushing everything over one bit, and takes in the next bit, the 13th bit, and tests a brand new 12-bit code. So there must be an efficient way to do this and there is a guy named de Bruijn. How do I pronounce his name? De Bruijn. Okay. He was a mathematician who came up with a sequence to efficiently produce every unique combination of a number or series of numbers, so you produce every possible overlapping code.
So here we see, if I want, let's say the garage was two bits long, then I would send 8 bits to cover everything. But with this sequence, we can send 5 bits, 00110. Because everything overlaps. The garage will test 00, then it will test 01 in blue and then 11 in red and then 10. So if we do that with 12 bits, it takes eight seconds. (Applause) Now, theoretically we know how to do it, so we have to implement this. So one of the things I love using is the YardStick -- this is another device from Michael. It will be for sale soon. You can always use something like the CC1111EMK. This device has something called the CC1111 chipset from Texas Instruments. It basically -- we'll talk about that in a bit. But it's a sub gigahertz radio. It can receive and transmit. And the software I use a lot for this testing is RfCat. Also a talk later today at 5 p.m. and I'm excited about that. It is awesome. It's a console app, no boxes where you're dragging and dropping with your mouse. Who uses a mouse anyway? With this, you can just talk to this command line. The Python command line, and say set frequency to 43 megahertz and send on off keying and set the packet length and then transmit hello. Instead of hello, we can transmit some binary. The garage code for example. We need to set our baud rate to the baud rate of the garage. And another tool I have been using is from one of the most heinous, devious companies out there. Mattel (Laughs) So, a couple of years ago, a hacker found that the Mattel IM-ME has something called the Texas Instruments Chipcon 1101 chipset. It is a sub gigahertz transceiver and has a screen. It has a backlight and a keyboard and has a little buzzer. It is battery-powered and conveniently there are pins for reprogramming on the back when you open it up. It's not protected. You can rewrite everything. So, this is actually a picture of a spectrum analyzer built. A couple of people have done awesome work on this.
Dave originally found that you could hack it and reflash it, and the amazing thing is Mattel created this. So they did batch creation of this essentially 20 dollar toy for kids to communicate, for texting your friends with this dis -- device. It's discontinued so now it's really cheap, twenty, 30 dollars. Travis sends me a ton of work. This is a spectrum analyzer. Here is the -- I used to get that for all sorts of things for 2.4 gigahertz hardware hacking. It's an open source JTAG adapter. Ultimately, I don't want to have to use the YardStick One in my computer to transmit because it's like, I already wear a ski mask all the time. I don't want to have to sit with a laptop as well, so instead I just program the IM-ME to do that 8-second attack. And that's what I call OpenSesame. Let's see if the video plays for an example of it in action. (Laughs) (Applause) By the way, how much time do I have? Because I keep going out of my thing so it keeps resetting the clock. What time am I good until? Like 1:45, 1:50? What time am I good for? How much time? 20 minutes? Cool. I want to know what time to end. Cool. 1:50. So you can buy these IM-MEs. Unfortunately I released all the source for OpenSesame. I ripped it slightly, something everyone here could probably fix but common thieves and criminals wouldn't be able to unless they learned to code. That is great. They probably will just get a job. Unfortunately, after I released it, the prices went up a little bit (Laughs) So, I do have a brand new one that I programmed with Michael's spectrum analyzer, so it's on here. Would anyone like this? It's a 900 dollar value (Laughs) Cool, I'll just run out and give it to somebody here. Who wants it? Oh, my God! Someone has to come up here. All right. Someone in the second row. Second row. All right. Yes. You. Do it. Don't sell it. So that has a spectrum analyzer on it. I use it all the time. It's more convenient than anything else I use. It's in your pocket and portable and my favorite color.
So what did we learn from this? If you're implementing a garage door system or a similar system based off radio signals, don't use a small key space. That's just like -- no. Don't use fixed codes at all. Use a preamble or sync word so the de Bruijn attack doesn't work. Or use a rolling code. So, now we are in the garage. We opened it up. We are able to see all these awesome cars. And let's -- if I use my special VR headset, I can see all these connected cars. Amazing connected cars. So I started looking at some of these basic connections. Just the basic stuff that some of these devices have. This is a screenshot of the OnStar RemoteLink app. So RemoteLink is a really cool mobile app for Android, iOS and Windows. It allows you to locate your car wherever it is via GPS. Lock, unlock, remote start, horn and lights, the most fun. And also grab all sorts of PII from the owner. So you can see your name, e-mail address, your phone number, your home address, some billing information. So, I was taking a look at this because my friend had a car that had this RemoteLink app and I thought, okay, it's obviously going over the network, let's see if we can see that network traffic. So I got out my iOS device and I installed a certificate authority. I wanted to do some man in the middle sniffing. I always have an SSL man in the middle certificate authority on there so I can sniff. So I started sniffing this and this is a login request that we see. It's pretty much an HTTPS post and there is some basic encoding here. When we unzip, or when we remove basic, we see username and password. I have a certificate authority, this is my own phone, and then I remembered I had just reflashed my iOS device and never installed that certificate authority. So, I was man in the middling the SSL connection with an invalid certificate that my phone, essentially behaving as a fresh phone, didn't even know about. So there is no certificate handling. There is no certificate checking at all.
And what that means is, if I'm on, let's say, if I'm on your network, I can then essentially DNS spoof and -- who is texting me. DNS spoof, and take over that API connection. Do an SSL man in the middle and no certificate warning, no issues, just for that host, and we'll be able to see all the traffic such as username and password. So, we can do this pretty easily. We can take -- I took a Raspberry Pi, a GSM board and used Mallory, an open source SSL man in the middle toolkit. I DNS spoofed this because instead of man-in-the-middling all traffic, if you open up Safari or the App Store, I want it to work. I don't want to man in the middle that because then it will either not work or get certificate warnings. So now if I can get you onto my Wi-Fi network, I can do this. I also used iptables and Alfa cards for Wi-Fi dongles and a SIM card that you can put into the GSM board, and the nice thing is you can get prepaid SIM cards. T-Mobile has a 2G network; you can get a prepaid SIM card, so if you're a criminal, you don't have to give up any information. Just get prepaid everything. One way to potentially do this attack is put this under something else. And then I can create a network. So what network can I get them to use? I thought by default, I'll use ATT Wi-Fi. If you ever connected your phone to ATT Wi-Fi, you will connect to my device. As I woke up this morning, I saw ATT Wi-Fi in the hotel. I also saw NSA honey pot number 42. Which is funny because clearly NSA honey pot is probably somebody's phone and ATT Wi-Fi was probably the NSA honey pot. (Laughs) That is cool but there is no guarantee they are going to jump onto ATT Wi-Fi. Maybe they have never been to Starbucks. And instead, what I have done is I now sniff for requests. So using the Alfa card we can see requests from your phone. Your phone will send out Wi-Fi requests to networks it connected to in the past. Saying I connected here. Are you there?
I can see the name of a network you connected to in the past and on the fly generate that Wi-Fi network. So as soon as you go up to your car, where I left the device underneath, then your phone sends a request. My device says I'll make a Wi-Fi network with my name, your phone jumps on. I man in the middle and then automatically acquire from RemoteLink. If you ever opened the app, then indefinitely I have access to your car. Here is the hardware I use, and again a Raspberry Pi, the Alfa, the Wi-Fi dongle and a phone and GSM board, and this device I called OwnStar. (Laughs) Tested it on my friend's Volt here. It's a cool car. I was pretty happy with that. Let's see if that works. It says like only remote start when it is safe and legal. Which is true. You should only do that. Fortunately, I reached out to GM before releasing details of this and they were, while very difficult to get to anyone who knew anything about security or technology. I was going through like support -- oh, man. They were trying to tell me, no sir, your password is safe. Your password is safe. Trying to escalate from support at GM is impossible. However, I finally got to a cybersecurity executive over there and it sounds like he was awesome and very easy to work with. They fixed it within days. So I was happy about that. They did a great job. Within a day, just mentioning this was going to be part of my talk today, they had already resolved it. (Laughs) On about 3 million RemoteLink apps. So what did we learn? Validate your certs. Like always validate a certificate from a CA. Now if you don't trust the Hong Kong post office, which has a certificate, which is a certificate authority by the way, and trusted in most browsers, use your own certificate. Use certificate pinning; that way you will only ever use your certificate. Even if the CA, even if Hong Kong says this certificate is legit, your device, your mobile app will ignore it and only use yours.
Also hash your passwords. Always assume the network you're on is hostile. Because someone here is going to make that network hostile if it wasn't before. It doesn't matter if you're on a mobile network, cellular or Wi-Fi. You are -- it is a hostile network. So, sweet. We did that. That affected Chevy, Cadillac, GMC, Buick, but one other thing I wanted to talk briefly about. And that is key fobs. Which are pretty cool. Most people have a key fob. Raise your hand if you have a car key fob that unlocks and does cool stuff with your car. Sweet. Hold on. Scanning. Scanning. Amplification. So here is one that I took a look at. I took a look at a couple. This is NM95HS01 or 02. Semiconductor called a high security rolling code generator. And this is a signal. There are a lot more like bursts of data here. Also modulated a little bit differently, so with our previous garage signal, we learned that a long signal is 1 and a short was 0. We'll look at that in a sec. What is a rolling code? Let's say you have a car key. Essentially it has a pseudo random number generator inside and the same is in your car. So when you hit the button, it will send a code to that car. Now the next time you hit that button on your key, it will send the next code in the PRNG based off your initial seed. Now as long as the car and the key have the same seed, what will happen is, the key or car will also continue down that logical progression of the seed. And you always match up. However, if you accidentally, or if you have a key in your pocket and accidentally press it, you will then be out of sync with the car. So the car also has an allowance. So the car will allow something like 200 to 1000 additional codes. That may seem like a lot but fortunately, most rolling code systems use such a large key space that 1000 is really negligible. I'm seeing typically like 40-60 bits for the rolling codes. So that 1000 doesn't really help us. It helps us guess a little bit but not much.
We are not going to guess that code in this lifetime unless we have a cryptographic attack on the rolling code. So it hits a button and sends a code and then the next code. If you don't know the rolling code, you're not going to figure out what those numbers are unless you find it. This prevents a replay attack, which is when we can sniff and replay the same signal. So with the fixed code garages, if we sniff the signal we can replay it later. It's irrelevant because it takes 8 seconds to brute force every garage out there, but this prevents that. One thing you can do about replaying rolling codes is you can capture a signal while the remote is out of range. And you use that. So if I broke into your home, pressed your remote control and recorded that, I can go to your car and unlock it, for example. This is super lame because you need physical access to the device. And also, as soon as the key is pressed again, let's say the owner of the car goes to the car and locks or unlocks, that will invalidate all previous codes. So, what if there is another way to get that code from the user? And I found -- and this has been known and talked about for years and years and years and years. And I never saw it actually demonstrated. I never saw any code or examples of this. What if we jammed the signal? What if I'm at your car and I'm jamming that, let's say it's 350 megahertz and I'm jamming that signal, so when the user goes to their car and they hit unlock, the signal sends, my jamming device is sending a signal as well and the car won't hear it because now it is seeing so much data. Simultaneously, what I can do is I found that most -- when I say most, every vehicle I tested, we'll just say all vehicles have essentially a receive window of a frequency they are looking at. So if your key is 350 megahertz and your car is listening on that, technically it's listening probably between 314.5 and 315.5. So this is a receive window of one megahertz.
So, 500 kilohertz plus or minus from the primary frequency. So if I'm jamming somewhere in that frequency range, your car won't be able to listen to the key. So I jam that signal and you hit the key and then I have a receiver as well. And my receiver has a nice good chip and has a much tighter receiver bandwidth. So my filter bandwidth is so much smaller that I'm evading or avoiding any jamming signal and I see your key code, your rolling code, very clearly. So I now have a rolling code your car didn't hear and I can use that at my leisure because they are nonexpiring.

Now let's say I stop jamming and I have this code and I'm happy. What will happen is, it's like that didn't work so they hit unlock again and it works and they drive away. My code is now invalidated, so again it will invalidate as soon as another code, a future code, has been sent. All previous codes are invalidated. Instead, what if I jammed twice? What do you do when your button doesn't work on your car key? You hit it again. Now I have two codes. So with two codes, we have -- I now have two codes and then I stop jamming and I replay the first one because we automate this. This happens in under one second. You hit unlock and that didn't work so you hit it again. The device within a second stops jamming and plays the first one and leaves me with a future code the car has not heard. This applies to garages as well, any garage with rolling codes. We now covered all the garages. We can just jam, listen, jam, listen, replay the first code, abuse the next code later on. This is pretty incredible because it means I can go to your car later and do whatever I want to it. Depending on -- when I say do whatever I want, based off the key. Another thing I found is that this works on remote start vehicles. So, keys with remote start, this works. One thing I found that -- so people described this attack and another issue I found is let's say you want to steal stuff from their car. Go up to their car and break in.
If they hit lock, if the last thing they hit was lock, and you -- the last signal you have is a lock signal. If you replay that, all you're going to do is lock the car. Most signals have the data field separate from the rolling code. So as long as you know the rolling code, you can change the lock signal and weaponize it into an unlock signal and open their car.

This is RollJam. This is the device. I'm releasing the full source and probably won't be putting any specific cars in it, but you can use these chips. One will do the jamming and one will do the replaying whenever you hit the button or use a remote to trigger it. So if you put it under a vehicle, for example, it will perform this full attack. I think that is about it. I'm out of time. It worked on every car I tested. It felt really good. (Laughs)

So the basic lessons: encrypt or hash your button. Use HMAC to prevent flipping. Use a time-based algorithm. We've had rolling codes for at least 20 years. I couldn't find how old they were. I couldn't find one. Now we have dual key lock, which came out last year, which also solves this. This has been an issue we've known about for over 20 years that was solved 20 years ago, yet virtually every manufacturer is implementing this poor implementation. Another way is to use a challenge response. So use a transceiver rather than just transmitting: you say I want to unlock and the car will say, okay, here is my challenge. And then your key can receive that and respond appropriately. That is the best way to handle this stuff. I'll be releasing this stuff shortly. Thank you very much. (Applause)
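As an added example (not Samy's RollJam code, and not any vendor's implementation), here is a Python model of the two receiver designs the talk contrasts: a classic rolling-code receiver with an acceptance window, in which a code the car never heard stays valid and the lock/unlock field is not bound to the code, beside the challenge-response scheme he recommends, in which a captured answer is useless later. The seed, window size and 40-bit code width are assumptions.

```python
import hashlib, hmac, os

WINDOW = 1000  # the talk: cars accept roughly 200 to 1000 codes ahead of the last one heard

def rolling_code(seed, n):
    """Constructed stand-in for the fob's PRNG: code n is 40 bits derived from seed and counter."""
    return hashlib.sha256(seed + n.to_bytes(4, "big")).digest()[:5]

class LegacyReceiver:
    """Rolling-code receiver as described in the talk: accepts any code up to WINDOW
    ahead of the last accepted counter, expires only codes behind it, and takes the
    command field that sits beside the code at face value."""
    def __init__(self, seed):
        self.seed, self.last = seed, 0
    def receive(self, cmd, code):
        for n in range(self.last + 1, self.last + WINDOW + 1):
            if hmac.compare_digest(rolling_code(self.seed, n), code):
                self.last = n
                return cmd
        return None  # code already consumed, or outside the window

def key_answer(key, nonce, cmd):
    """Key's response: HMAC over the car's nonce and the command, so neither can be swapped."""
    return hmac.new(key, nonce + cmd.encode(), "sha256").digest()

class ChallengeResponseReceiver:
    """The mitigation the talk recommends: the car issues a fresh nonce and only accepts
    an answer bound to that nonce; each nonce is single use, so a recorded answer is dead."""
    def __init__(self, key):
        self.key, self.nonce = key, None
    def challenge(self):
        self.nonce = os.urandom(16)
        return self.nonce
    def receive(self, cmd, tag):
        nonce, self.nonce = self.nonce, None
        if nonce is None:
            return None
        return cmd if hmac.compare_digest(key_answer(self.key, nonce, cmd), tag) else None

def compare_schemes():
    seed = b"constructed seed"            # constructed shared secret
    car = LegacyReceiver(seed)
    first, second = rolling_code(seed, 1), rolling_code(seed, 2)
    # Two presses the car missed: the first arrives now, the second much later with a
    # different command field. The legacy receiver accepts both.
    legacy = (car.receive("lock", first), car.receive("unlock", second))
    cr_car = ChallengeResponseReceiver(seed)
    tag = key_answer(seed, cr_car.challenge(), "lock")
    live = cr_car.receive("lock", tag)    # genuine exchange succeeds
    cr_car.challenge()                    # next session: the recorded answer no longer fits
    replayed = cr_car.receive("lock", tag)
    return {"legacy": legacy, "live": live, "replayed": replayed}
```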