Skip to content

AUTOCRYPT-IVS-VnV/CVE-2022-38766

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 

CVE-2022-38766

PoC for vulnerability in Renault ZOE Keyless System CVE-2022-38766

Introduce

Company_logo

AUTOCRYPT [MalHyuk]

Overview

This vulnerability raised the question of whether ZOE electric vehicles are safe form RF hacking. For this reason, the actual ZOE vehicle released this year was targeted and attacked. A study was also conducted on how this attack bypass the rolling codes, a defense technique of RF hacking, and a lot of thought was needed about the handling method in case the car breaks down.

Attack Scenario

Attack Scenario

Most cars still open and lock their doors via RF communication. That's why the classic hacking method can open the car's door.

PoC

My laptop and HackRF are running on the car

Replay attack

Replay attack

DoS attack

Replay attack

Target Vehicle

- Renault 2021 ZOE Electronic car

Key Fob Information

ZOE Keyfob device

FCC ID : KR5IK4CH-01
Frequency : 433.92MHz
Modulation : FSK

More Information

Used to

- HackRF One + Portapack H2
- GNURadio
- GQRX
- Universal Radio Hacker
- rtl_433

How2Pwn ZOE? (feat. Mitigation)

Rolling Codes, otherwise known as hopping code

rtl_433

Through this process, we found that the id, flags values are signaled through approximately 8(<=) different values that are fixed. All signals with these values are captured through gnuradio-companion and saved as a file. And you can continue to send signals based on that file.

When a signal is detected data is written as 0 and 1. However, as shown in screenshot, if there is only one stored id value, it has to be sent until the signal is correct, and the open button of the smart key is pressed several times to capture all the stored signals with all ids. So I thought I could bypass the Rolling codes.

A better way is to analyze the binary code of the signal and send it after coding.

References

nonamecoder/CVE-2022-27254

Rolling code

Rolling-PWN

Renault ZOE

About

PoC for vulnerability in Renault ZOE Keyless System(CVE-2022-38766)

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published