Modern cars, garage doors, and other systems use keyless entry and start systems that operate using radio frequency signals. These systems are very convenient, but they can also be vulnerable to attacks. An attacker with the right equipment can capture the signal emitted by the key and then retransmit it to open the vehicle or door without the original key.
The Electronic Cats Flipper Add-On SubGhz is a powerful tool that can help you test whether your keyless systems are exposed to this kind of attack. This Add-On allows you to capture, read, and emulate radio frequency signals below 1 GHz. This means that you can test capture-and-replay attacks on keyless entry and start systems, and identify any weaknesses that your car or any other keyless system working on the Sub-GHz frequencies may have. (Note that this is a replay attack, not a relay attack: a relay attack forwards the live signal between a distant key and the car in real time, while what is shown below records a signal and transmits it again later.)
Demonstration
To demonstrate the functionality of the Electronic Cats Flipper Add-On SubGhz, we will perform a replay attack on a car's keyless entry.
Note: This article is purely for demonstration and educational purposes. The demonstration was performed with the permission of the vehicle owner.
First, we need to set the Flipper's Sub-GHz module setting to External. This way the Flipper will use the Electronic Cats Flipper Add-On SubGhz instead of the internal Sub-GHz module.
Now we need to find out on which frequency our car's key transmits. For this we will use the Sub-GHz Frequency Analyzer. Nothing needs to be configured here: open the app, hold the Flipper close to the key fob, and press the unlock button on the key. The Flipper will detect the signal and show its frequency.
In this case, our car key's signal was detected at 433.656 MHz. You can press the Save button to keep this frequency for later use.
You can also use the app Spectrum Analyzer to detect the signal, but it could be a little tricky since it is slower, and you need to move around the frequency ranges to visualize in which frequency the signal is.
Now we know the frequency of the signal! It is time to capture it and save it for later emulation. The Read app lets us verify that the frequency we found is correct and will decode the signal if the Flipper knows the protocol; the Read RAW app, however, records the raw signal, lets us view it, and saves it regardless of protocol, so it is the better choice here. You can name the captured signal, which is useful once you have recorded many Sub-GHz signals.
The signal is now saved, it is time to emulate to unlock our car. It is as simple as going to our saved signals, opening them, and sending/emulating them by pressing the center button.
And there you go, the car is unlocked.
Here is a complete video performing this test.
Editor's note: you can even notice my surprise reaction when the car opened after sending the signal from the Flipper.
But, how is this possible?
All this is possible thanks to the CC1101 Sub-GHz transceiver. Here is some technical information about it.
The low-cost CC1101 sub-1 GHz transceiver is designed for very low-power wireless applications.
A highly customizable baseband modem is included inside the RF transceiver. With a programmable data rate of up to 600 kbps, the modem supports several modulation types.
This device offers exceptional RF performance with high sensitivity (-116 dBm at 433 MHz and 0.6 kBaud, -112 dBm at 868 MHz and 1.2 kBaud) and low current consumption (14.7 mA at 868 MHz and 1.2 kBaud).
Frequency bands covered are 300-348 MHz, 387-464 MHz, and 779-928 MHz, and it allows programmable output power up to +12 dBm for all supported frequencies.
Now, it is not always this simple, and there are a few considerations to keep in mind when performing these tests:
- The Flipper already features a CC1101 chip, the same one used in the Add-On; however, using the Electronic Cats Add-On gives you a longer range and better reception of the mid-band frequencies.
- The frequency and modulation used by the keyless entry system matter: the capture must match both. You can read more about this here: Flipper Docs: SubGhz.
- Most modern keyless entry systems are already protected against replay attacks. Instead of sending the same unlock code each time, the key fob uses a rolling code: it keeps a counter that advances on every press and transmits a code derived from that counter and a secret shared with the vehicle. The vehicle remembers the last counter value it accepted and only accepts codes that are newer than it (within a limited window), so a captured code that the vehicle has already seen is rejected when it is replayed.
- At the moment the Flipper cannot use both CC1101 transceivers, internal and external, at the same time, so it cannot jam and capture at once. To reproduce what is shown in this article against a rolling-code system you may need a second Flipper or another external device to create a "virtual wall" between the key and the car, so that the car never receives the original transmission while the SubGhz Add-On captures it for later use.
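To make the last two points concrete, here is an added example (not code from the original post, Electronic Cats, or the Flipper firmware) of a simplified rolling-code scheme in Python. The fob and the vehicle share a secret key and a counter; the frame format (4-byte counter plus a truncated HMAC), the window size, and the key bytes are constructed for this illustration and are not any vendor's actual protocol. It shows why a replay of a press the car already heard fails, why a replay of a press the car was prevented from hearing still succeeds, and what happens when the fob is pressed too many times out of range.

```python
import hmac
import hashlib

# Constructed shared secret for the example (not a real key).
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def make_frame(key: bytes, counter: int) -> bytes:
    """Frame = 4-byte big-endian counter || 8-byte truncated HMAC-SHA256."""
    ctr = counter.to_bytes(4, "big")
    tag = hmac.new(key, b"unlock" + ctr, hashlib.sha256).digest()[:8]
    return ctr + tag


class Fob:
    """Key fob: every press advances the counter and emits a fresh frame."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press_unlock(self) -> bytes:
        self.counter += 1
        return make_frame(self.key, self.counter)


class Car:
    """Receiver: accepts a frame only if its MAC is valid and its counter is
    newer than the last accepted one, but not more than WINDOW ahead."""

    WINDOW = 16  # assumed resync window for this example

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 12:
            return False
        ctr_bytes, tag = frame[:4], frame[4:]
        expected = make_frame(self.key, int.from_bytes(ctr_bytes, "big"))[4:]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        ctr = int.from_bytes(ctr_bytes, "big")
        if not (self.last_counter < ctr <= self.last_counter + self.WINDOW):
            return False  # stale (replayed) or too far ahead (needs resync)
        self.last_counter = ctr
        return True


class FixedCodeCar:
    """Legacy receiver with a single static unlock code: any capture replays."""

    def __init__(self, code: bytes):
        self.code = code

    def receive(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)


def replay_after_owner_press(key: bytes = KEY) -> bool:
    """Attacker records a press the car also received, then replays it."""
    fob, car = Fob(key), Car(key)
    captured = fob.press_unlock()
    car.receive(captured)          # the owner's press unlocks the car
    return car.receive(captured)   # the replay: counter is no longer newer


def replay_of_blocked_press(key: bytes = KEY) -> bool:
    """Attacker blocks the car from hearing the press, records it, replays later."""
    fob, car = Fob(key), Car(key)
    captured = fob.press_unlock()  # car never saw this frame
    return car.receive(captured)   # still inside the window, so it is accepted


def fixed_code_replay() -> bool:
    """Static code: the captured frame works every time."""
    code = b"\x5a\xc3\x3c\xa5"
    car = FixedCodeCar(code)
    return car.receive(code) and car.receive(code)


def presses_out_of_range(n: int, key: bytes = KEY) -> bool:
    """Fob pressed n times out of range of the car, then once in range."""
    fob, car = Fob(key), Car(key)
    for _ in range(n):
        fob.press_unlock()         # car hears none of these
    return car.receive(fob.press_unlock())


if __name__ == "__main__":
    print("replay after owner's press accepted:", replay_after_owner_press())
    print("replay of blocked press accepted:", replay_of_blocked_press())
    print("fixed-code replay accepted:", fixed_code_replay())
    print("5 presses out of range, then unlock:", presses_out_of_range(5))
    print("20 presses out of range, then unlock:", presses_out_of_range(20))
```

The window exists so a fob pressed a few times away from the car can still resynchronize; it is also why a capture the car never received remains usable until the owner's next press reaches the car. Real systems use vendor-specific block ciphers and serial numbers rather than HMAC-SHA256, but the accept/reject logic follows the same counter-window idea.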
You can learn more about this and other Electronic Cats Add-Ons in our wiki here: https://github.com/ElectronicCats/flipper-shields/wiki
The Electronic Cats Flipper Add-On SubGhz is a very powerful tool that allows us to capture and replay signals used by keyless entry and start systems. It is very useful for security researchers, as it allows us to assess the security of these systems.
Obtain yours at our store: Electronic Cats Flipper SubGhz Add-On.
In the future, we plan to improve the Electronic Cats Flipper Add-On SubGhz to make it even more powerful. Plus, enable the LoRa capabilities by developing the LoRa application for the Flipper.
With these improvements, Electronic Cats Flipper Add-On SubGhz will become an even more valuable tool for security researchers and audits.
You can also visit our Store or the Flipper Add-Ons repository to meet and learn more about the other Flipper Add-Ons.
Hope this article has been informative and helpful. If you have any questions or comments, please feel free to leave them in the comments section.
We encourage you to share your thoughts and projects with us once you get your Electronic Cats Flipper SubGhz Add-On. We want to know how you are using this powerful device and learn from your experiences.