PoC for vulnerability in Renault ZOE Keyless System CVE-2022-38766
This vulnerability raised the question of whether ZOE electric vehicles are safe form RF hacking. For this reason, the actual ZOE vehicle released this year was targeted and attacked. A study was also conducted on how this attack bypass the rolling codes, a defense technique of RF hacking, and a lot of thought was needed about the handling method in case the car breaks down.
Most cars still open and lock their doors via RF communication. That's why the classic hacking method can open the car's door.
My laptop and HackRF are running on the car
- Renault 2021 ZOE Electronic car
FCC ID : KR5IK4CH-01
Frequency : 433.92MHz
Modulation : FSK
- HackRF One + Portapack H2
- GNURadio
- GQRX
- Universal Radio Hacker
- rtl_433
Rolling Codes, otherwise known as hopping code
Through this process, we found that the id, flags values are signaled through approximately 8(<=) different values that are fixed. All signals with these values are captured through gnuradio-companion and saved as a file. And you can continue to send signals based on that file.
When a signal is detected data is written as 0 and 1. However, as shown in screenshot, if there is only one stored id value, it has to be sent until the signal is correct, and the open button of the smart key is pressed several times to capture all the stored signals with all ids. So I thought I could bypass the Rolling codes.
A better way is to analyze the binary code of the signal and send it after coding.