EquinnoxX Posted October 24, 2017

I haven't seen anything on here for this so I figured I'd ask if anyone knew of a fix. Seeing as how some of our cars are 10+ years old at this point, I'm not holding my breath. Maybe some increased visibility would help light a fire to get one, but I haven't looked at this in depth enough yet to see if it would just be a software patch or new hardware required to fix. Posting the readme and link below for anyone who hasn't seen it or wants to try it out!

Github page here: https://github.com/tomwimmenhove/subarufobrob

Description of the vulnerability

The rolling code used by the key fob and car is predictable in the sense that it is not random. It is simply incremental.

Impact

An attacker can 'clone' the key fob, unlock cars and, when increasing the rolling code with a sufficiently high value, effectively render the user's key fob unusable.

Affected vehicles

The exploit has only been tested on a 2009 Subaru Forester, but the same fob is used, and the exploit should work, on the following vehicles:
2006 Subaru Baja
2005 - 2010 Subaru Forester
2004 - 2011 Subaru Impreza
2005 - 2010 Subaru Legacy
2005 - 2010 Subaru Outback

Solution

Don't use the most predictable sequential type of rolling code.
Don't send the command twice so that, in case of Samy Kamkar's rolljam attack, not even the XOR checksum has to be recalculated when changing a lock to an unlock command, since the 2 commands cancel each other out, leaving the checksum intact.

Required hardware

In order to run the exploit, a receiver and transmitter, capable of receiving and transmitting on the 433MHz ISM band, are necessary. In our case, we're using an RTL-SDR RTL2832U DVB-T tuner USB dongle as a receiver and a Raspberry Pi B+ v1.2 with rpitx as a transmitter. The Raspberry Pi is also used as the host computer for the exploit to run on.
Furthermore, a USB WiFi dongle is used in conjunction with hostapd in order to be able to remotely connect (ssh) to the Raspberry Pi for control. Alternatively, a Raspberry Pi Zero W could probably be used in order to negate the need for the additional WiFi dongle and further reduce the physical footprint and cost of the device, although this has not been tested. The RTL-SDR dongle should be fitted with a suitable 433MHz antenna to allow for acceptable reception of the key fob's signal. On the Tx side, a quarter-wavelength (173mm or 6.8") wire can be soldered directly to GPIO 18 (Pin 12 of the GPIO header P1) on the Raspberry Pi. Finally, some type of portable power source is required for portable operation, i.e. a li-ion power bank. Total cost of the hardware, when using the Raspberry Pi Zero W, should be under $25 (not including a power bank).
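The README's two design points (a bare incrementing counter is predictable from a single capture, and a far-ahead value can lock the owner out) are easiest to see in a small simulation. The Python below is an added example for this thread, not code from the original post or from the subarufobrob project; the keyed design, the WINDOW size, the HMAC tag length and the shared secret are all assumptions made for the demo and do not describe any real vehicle's scheme. It models a receiver that only accepts counters inside a bounded window ahead of the last accepted one, and contrasts a sequential-only code with a counter that carries an authentication tag under a secret shared by fob and receiver.

```python
"""Toy rolling-code simulation (added example, not the subarufobrob code).

SequentialFob: the transmitted code is just an incrementing counter, the weak
               design the README describes. One observed frame lets a passive
               observer compute the next accepted frame.
KeyedFob:      the counter is still incremental, but each frame carries an
               HMAC tag under a fob/receiver shared secret (assumed design, not
               Subaru's), so the next frame cannot be produced without the key.
Receiver:      accepts a counter only if it is strictly ahead of the last one
               it saw and within WINDOW of it (assumed window size), so a single
               far-ahead value cannot desynchronise the pair.
"""
import hashlib
import hmac
from typing import Optional, Tuple

WINDOW = 16   # assumed acceptance window; real receivers choose their own
TAG_LEN = 4   # bytes of MAC transmitted in the keyed design (assumed)


def keyed_tag(key: bytes, counter: int) -> bytes:
    """Authentication tag over the counter (assumed design)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:TAG_LEN]


class SequentialFob:
    """Weak design: the frame is (counter,) and nothing else."""
    def __init__(self, counter: int = 0):
        self.counter = counter

    def press(self) -> Tuple[int]:
        self.counter += 1
        return (self.counter,)


class KeyedFob:
    """Frame is (counter, tag); tag requires the shared secret."""
    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter

    def press(self) -> Tuple[int, bytes]:
        self.counter += 1
        return (self.counter, keyed_tag(self.key, self.counter))


class Receiver:
    """Car side. key=None models the sequential-only scheme."""
    def __init__(self, key: Optional[bytes] = None, counter: int = 0):
        self.key, self.last = key, counter

    def receive(self, frame) -> bool:
        counter = frame[0]
        # Replay guard (must be ahead) and desync guard (but not too far ahead).
        if not (self.last < counter <= self.last + WINDOW):
            return False
        if self.key is not None and not hmac.compare_digest(
                keyed_tag(self.key, counter), frame[1]):
            return False
        self.last = counter
        return True


def predict_next_sequential(observed_counter: int) -> Tuple[int]:
    """All a passive observer needs to do with a sequential-only code."""
    return (observed_counter + 1,)


def run_demo() -> dict:
    results = {}
    # Sequential-only scheme: one captured press is enough to predict the next.
    fob, car = SequentialFob(100), Receiver(counter=100)
    captured = fob.press()
    car.receive(captured)
    results["sequential_clone_accepted"] = car.receive(predict_next_sequential(captured[0]))
    # The owner's fob now lags the car by one, so its next press is rejected.
    results["sequential_owner_after_clone"] = car.receive(fob.press())
    # A value beyond the window is rejected, limiting how far the pair can be desynced.
    results["far_ahead_rejected"] = not car.receive((car.last + WINDOW + 1,))
    # Keyed scheme: the counter is public but the tag is not forgeable without the key.
    key = b"constructed-shared-secret"  # constructed for the demo
    kfob, kcar = KeyedFob(key, 100), Receiver(key, 100)
    captured = kfob.press()
    kcar.receive(captured)
    forged = (captured[0] + 1, keyed_tag(b"wrong-key", captured[0] + 1))
    results["keyed_forgery_accepted"] = kcar.receive(forged)
    results["keyed_owner_next_press"] = kcar.receive(kfob.press())
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The window check is what limits the "render the fob unusable" impact: a receiver that accepts any larger counter can be pushed arbitrarily far ahead of the owner's fob, while a bounded window caps the gap and gives a resync procedure something to work with. The authentication tag is what removes the predictability the README's first solution point is about; the counter itself can stay incremental as long as the receiver cannot be satisfied by the counter alone.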