LegacyGT.com

Any mitigation for the 'fobrob' vulnerability?



I haven't seen anything on here for this so I figured I'd ask if anyone knew of a fix. Seeing as how some of our cars are 10+ years old at this point, I'm not holding my breath. Maybe some increased visibility would help light a fire to get one but I haven't looked at this in depth enough yet to see if it would just be a software patch or new hardware required to fix.

 

Posting the readme and link below for anyone who hasn't seen it or wants to try it out! :rolleyes:

 

Github page here:

https://github.com/tomwimmenhove/subarufobrob

 

Description of the vulnerability

The rolling code used by the key fob and car is predictable in the sense that it is not random. It is simply incremental.

 

Impact

 

An attacker can 'clone' the key fob, unlock cars and, when increasing the rolling code with a sufficiently high value, effectively render the user's key fob unusable.

 

Affected vehicles

The exploit has only been tested on a 2009 Subaru Forester but the same fob is used, and the exploit should work on, the following vehicles:

 

2006 Subaru Baja

2005 - 2010 Subaru Forester

2004 - 2011 Subaru Impreza

2005 - 2010 Subaru Legacy

2005 - 2010 Subaru Outback

 

Solution

 

Don't use the most predictable sequential type of rolling code. Don't send the command twice so that, in case of Samy Kamkar's rolljam attack, not even the XOR checksum has to be recalculated when changing a lock to an unlock command, since the 2 commands cancel each other out, leaving the checksum intact.

 

Required hardware

In order to run the exploit, a receiver and transmitter, capable of receiving and transmitting on the 433MHz ISM band, are necessary. In our case, we're using an RTL-SDR RTL2832U DVB-T tuner USB dongle as a receiver and a Raspberry Pi B+ v1.2 with rpitx as a transmitter. The Raspberry Pi is also used as the host computer for the exploit to run on. Furthermore, a USB WiFi dongle is used in conjunction with hostapd in order to be able to remotely connect (ssh) to the Raspberry Pi for control. Alternatively, a Raspberry Pi Zero W could probably be used in order to negate the need for the additional WiFi dongle and further reduce the physical footprint and cost of the device, although this has not been tested. The RTL-SDR dongle should be fitted with a suitable 433MHz antenna to allow for acceptable reception of the key fob's signal. On the Tx side, a quarter-wavelength (173mm or 6.8") wire can be soldered directly to GPIO 18 (Pin 12 of the GPIO header P1) on the Raspberry Pi. Finally, some type of portable power source is required for portable operation, i.e. a li-ion power bank. Total cost of the hardware, when using the Raspberry Pi Zero W, should be under $25 (not including a power bank).

---
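The receiver-side design the README's 'Solution' paragraph argues for, as an added editorial example (not code from the post or from the subarufobrob project): the counter is bound to the command with an HMAC under a key shared by fob and car, and only counters within a bounded window ahead of the last accepted one are honoured, so a replayed frame, a captured frame with its command byte altered, and a large counter jump of the kind the 'Impact' section describes are all rejected. The frame layout, tag length, window size and key are constructed assumptions.

```python
# Toy rolling-code receiver (constructed example, not the Subaru protocol and not
# subarufobrob code): HMAC binds counter to command; counters accepted in a window.
import hmac
import hashlib

LOCK, UNLOCK = 0x01, 0x02
COUNTER_LEN = 4   # bytes of counter in the frame (assumed layout)
TAG_LEN = 8       # truncated HMAC-SHA256 tag (assumed)
WINDOW = 256      # max counter advance accepted per frame (assumed)

def make_frame(key: bytes, counter: int, cmd: int) -> bytes:
    """Fob side: counter || cmd || HMAC(key, counter || cmd)."""
    body = counter.to_bytes(COUNTER_LEN, "big") + bytes([cmd])
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1   # highest counter accepted so far

    def accept(self, frame: bytes):
        """Return the command if the frame is authentic and fresh, else None."""
        if len(frame) != COUNTER_LEN + 1 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # forged, or a captured frame with its command byte altered
        counter = int.from_bytes(body[:COUNTER_LEN], "big")
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return None  # replay of an old frame, or a jump far beyond the window
        self.last_counter = counter
        return body[COUNTER_LEN]

def demo(key: bytes = b"constructed-demo-key") -> dict:
    """Fresh frame, replay, tampered frame and out-of-window jump; returns verdicts."""
    rx = Receiver(key)
    fresh = make_frame(key, 10, UNLOCK)
    tampered = bytearray(make_frame(key, 11, LOCK))
    tampered[COUNTER_LEN] = UNLOCK  # command byte flipped without knowing the key
    return {
        "fresh": rx.accept(fresh),                             # UNLOCK
        "replay": rx.accept(fresh),                            # None
        "tampered": rx.accept(bytes(tampered)),                # None
        "jump": rx.accept(make_frame(key, 11 + 10**6, LOCK)),  # None
        "next": rx.accept(make_frame(key, 11, LOCK)),          # LOCK
    }
```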

This has been talked about a few times already, there are at least three threads on it. Worst case someone can rummage through your glove box, saving you from a broken window if someone was going to do this anyway. Your immobilizer system will still secure the car unless they haul a Subaru SSM tool with them or an aftermarket ECU and plug and play harness.

 

The issue is the hardware in the keyless entry system, there isn't any way to patch it in software. The only mitigation is to discontinue use of your fobs, or install an aftermarket keyless entry/remote start system.

---

I think a rock through the window will get the thief in your car faster.

 

I don’t see this as an urgent issue. Do you have an example of it happening out in the wild?

 

The amount of geekiness needed to accomplish this exploit is beyond the head of most criminals.

---

I think a rock through the window will get the thief in your car faster.

 

I don’t see this as an urgent issue. Do you have an example of it happening out in the wild?

 

The amount of geekiness needed to accomplish this exploit is beyond the head of most criminals.

 

Or you know, just pry the glass away from the door and reach in with a wire hanger to press the unlock button. Frameless windows make this hilariously easy.

---

Or you know, just pry the glass away from the door and reach in with a wire hanger to press the unlock button. Frameless windows make this hilariously easy.

 

Yet another reason why the 5th Gen boats are better than the 4th Gens. ;)

---

Yet another reason why the 5th Gen boats are better than the 4th Gens. ;)

 

Yeah, but they're huge and boring. Compared to the 4th gen they're like AWD Camrys.

 

Comfy though.

 

I like the fact that my 2005 still feels like a '90s car, with the nice benefits of a mid-2000s car.

---

I think a rock through the window will get the thief in your car faster.

 

I don’t see this as an urgent issue. Do you have an example of it happening out in the wild?

 

The amount of geekiness needed to accomplish this exploit is beyond the head of most criminals.

 

This ^^^^^

 

Thieves break into cars to steal stuff to sell to get money for their next fix (most of the time). They are going to smash, grab, and get out. If they have the technology to clone your transmitter, they are breaking into something other than a 7-12 year old Subaru.
