Bad rolling code in key fob for many Subaru cars

Most cars you see on the road have key-less entry. This means that you do not have to use your key in the door, and can lock/unlock your car door from a few meters away, making life much easier. First, a short explanation of how rolling codes work, and then how Subaru’s rolling codes failed.

Inside your key fob is a small radio transmitter, and inside the car is a corresponding radio receiver. When you press the unlock or lock button, a new 40-digit rolling code is generated from a pseudo-random number generator. The car and fob both use the same generator, so they both get the same new code without anyone on the outside being able to predict the pattern. If the code from the fob matches the code in the car, the car unlocks or locks. When the car receives a valid code, it generates the next number in the sequence. To account for things like pressing the lock/unlock buttons when the car is out of range, the car stores around 250 of the next numbers from the generator, so the fob can match any of those.

How Subaru failed is that their rolling code was generated using an incremental algorithm, meaning that by intercepting enough signals you could figure out how it increments and calculate the next code. Even worse, it is surprisingly easy and cheap to execute this attack. The few supplies you need are: a Raspberry Pi with WiFi, a radio receiver, a wire, a 433 MHz antenna, and a smartphone. All you need to do is connect the receiver and antenna, wire it to the Pi, connect to the Pi, and run a script. Once a signal is received, the next code in the sequence is calculated and you can use it to unlock the car. If you don’t feel like committing grand theft auto, you can flood the car with hundreds of new rolling codes, meaning any code from the fob won’t work. This means you will not be able to use remote lock, and you have to take the car into a dealership to put it into programmer mode and reset the codes.

On newer models across all cars, some form of encryption is used to transmit the rolling code, and only the car knows the decryption key. The list of affected cars is:

– 2006 Subaru Baja
– 2005 – 2010 Subaru Forester
– 2004 – 2011 Subaru Impreza
– 2005 – 2010 Subaru Legacy
– 2005 – 2010 Subaru Outback

However, more Subaru vehicles could be affected.


– Noah Kalinowski
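The rolling-code scheme described in the post above, as an added example (not code from the post or from Subaru): a fob and a car share a secret key, derive each code with HMAC-SHA256 over a press counter, and the receiver accepts any of the next 250 counter values. The keyed derivation, the 40-bit code length and the sample key are assumptions made for this example. It shows why a press made out of range is still accepted later, why a captured code cannot be replayed, and why only a party holding the secret can produce codes that move the receiver's window, which is what the flooding scenario in the post relies on when the codes are predictable.

```python
import hmac
import hashlib

WINDOW = 250       # future codes the receiver accepts (the post's "around 250")
CODE_BYTES = 5     # 40-bit code (assumption: the post's 40-digit code taken as 40 bits)


def rolling_code(secret: bytes, counter: int) -> bytes:
    """Code for one counter value, derived with HMAC-SHA256 (assumed design).

    Only the fob and the car know `secret`, so an eavesdropper who collects
    codes cannot compute the next one.  An incremental scheme like the one the
    post describes has no secret and is predictable from a few captures.
    """
    tag = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return tag[:CODE_BYTES]


class Fob:
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0          # advances on every press, in range or not

    def press(self) -> bytes:
        code = rolling_code(self.secret, self.counter)
        self.counter += 1
        return code


class Car:
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0          # lowest counter value still acceptable

    def receive(self, code: bytes) -> bool:
        """Accept any of the next WINDOW codes; consume it and everything before it."""
        for offset in range(WINDOW):
            expected = rolling_code(self.secret, self.counter + offset)
            if hmac.compare_digest(expected, code):
                self.counter += offset + 1   # older codes are now dead: no replay
                return True
        # An invalid code leaves the window untouched, so garbage on the air
        # cannot desynchronise a legitimate fob.
        return False


def demo() -> dict:
    """Walk through the scenarios the post mentions; returns what each one did."""
    secret = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed sample key
    fob, car = Fob(secret), Car(secret)
    out = {}

    first = fob.press()
    out["first_press"] = car.receive(first)                   # True
    out["replay"] = car.receive(first)                        # False: already consumed

    for _ in range(100):                                      # presses while out of range
        fob.press()
    out["after_100_out_of_range"] = car.receive(fob.press())  # True: still inside window

    before = car.counter
    for _ in range(200):                                      # flood with bogus codes
        car.receive(b"\x00" * CODE_BYTES)
    out["flood_advanced_window"] = car.counter != before      # False

    for _ in range(WINDOW + 5):                               # far more than the window
        fob.press()
    out["beyond_window"] = car.receive(fob.press())           # False: needs re-pairing
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it directly to print each scenario. Acceptance consumes every counter value up to the matched one, which is what makes a captured code useless afterwards; the cost of the design is that a fob pressed more than 250 times out of range must be re-paired, the same trade-off the post's "around 250" stored codes reflects.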


Smartwatches designed for children have become a target for hackers.

Smartwatches are becoming more and more popular with the general population. However, did you know that even young children are starting to wear smartwatches? In theory this sounds like not such a bad idea: they give the parent a way to see where their young child is and communicate with them if need be. These watches also offer a way for the child to quickly call their parents in case of an emergency. This all sounds good until you realize a hacker can get into the watch and do the same things.

The Norwegian Consumer Council tested some of these watches and found that some were transmitting the GPS data without encryption. This allows hackers with basic tools to get into the watch and track the movements of the child wearing it, which is an incredibly dangerous problem. The hacker could also spoof the location and make it look like the child is in a completely different place. They also found that the hacker could communicate with the child and eavesdrop on the conversations the child is having with others on the watch. Thankfully many of the companies who designed and produce the watches have recalled them and started to fix the problems and make them more secure.

– Levi Walker



RSA Key Factorization Attack

Following the revelation of the KRACK WPA2 vulnerability, another widespread vulnerability, dubbed ROCA, appeared affecting millions of devices running Infineon Technology’s Trusted Platform Module chips.

Cryptographic RSA pairs generated on Infineon’s TPM are vulnerable to a factorization attack. It allows attackers to reverse-calculate someone’s private key based solely on their public key. The risks of this vulnerability are that the attacker can impersonate the key owner, decrypt the user’s data protected by this key, inject malware into signed software, etc.

Major vendors including Infineon, Google, and Microsoft have already released the software updates for affected hardware and software as well as guidelines for mitigation of the vulnerability.

End users are encouraged to patch their affected devices as soon as possible.

– Matthew Turi
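An added example, not from the post or from Infineon, of how affected keys can be recognised without factoring them: the ROCA researchers published a fingerprint test based on the fact that the affected primes have the form k·M + (65537^a mod M) for a primorial M, so the modulus N = p·q is congruent to 65537^(a+b) modulo every prime dividing M, while an ordinary modulus almost never lands in that subgroup for every prime. The check below tests that property. The shortened prime list, the toy-sized M and the constructed sample keys are assumptions made for illustration; the published detector uses a longer prime list sized to the key.

```python
from itertools import count
from math import prod

GENERATOR = 65537
# Primes for the fingerprint.  The published ROCA detector uses a longer list
# that depends on key size; this shortened list is an assumption for brevity.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
M = 2 * prod(SMALL_PRIMES)   # toy primorial; affected keys use a far larger M


def subgroup(p: int) -> set:
    """Residues {65537^j mod p}: the multiplicative subgroup generated by 65537."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % p
    return seen


SUBGROUPS = {p: subgroup(p) for p in SMALL_PRIMES}


def failing_primes(n: int) -> list:
    """Small primes p for which n mod p lies outside <65537>; empty for ROCA-structured n."""
    return [p for p in SMALL_PRIMES if n % p not in SUBGROUPS[p]]


def has_roca_fingerprint(n: int) -> bool:
    """True when n mod p lies in <65537> for every small prime p.

    Affected primes have the form k*M + (65537^a mod M), so their product is
    65537^(a+b) modulo each prime dividing M.  An ordinary modulus fails the
    test for at least one prime with high probability.
    """
    return not failing_primes(n)


def is_probable_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for n < 3.3e24 (bases 2..37)."""
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def structured_prime(a: int, k_start: int) -> int:
    """Constructed helper: first prime k*M + (65537^a mod M) with k >= k_start,
    i.e. a toy-sized prime with the structure the fingerprint detects."""
    r = pow(GENERATOR, a, M)
    for k in count(k_start):
        p = k * M + r
        if is_probable_prime(p):
            return p


def demo() -> dict:
    weak_n = structured_prime(5, 1000) * structured_prime(9, 2000)   # constructed weak modulus
    normal_n = 101 * 103                                              # constructed ordinary modulus
    return {
        "weak_flagged": has_roca_fingerprint(weak_n),       # True
        "normal_flagged": has_roca_fingerprint(normal_n),   # False
        "normal_fails_at": failing_primes(normal_n),        # [11, 19, 37]
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The test only reads the public modulus, so it can be run over a certificate store or a list of exported public keys to find material that needs to be regenerated after the vendor update, which is the practical follow-up to the advice to patch.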


Reaper Botnet Dwarfs Mirai


By this point everyone and their mother has heard of the botnet dubbed ‘Mirai’, an infamous botnet infrastructure from last year that managed to take down a good chunk of the internet by attacking Dyn, a DNS provider. Well, as of this September, weak passwords might have become the least of your worries if you’re like 60% of Check Point’s ThreatCloud-covered corporations and have unpatched vulnerabilities on your network.

Dubbed Reaper, or IoTroop by some, a new IoT botnet is propagating, and shows no sign of slowing down. Today, researchers have ruled out the possibility that Mirai and Reaper are connected, at least on a technical level, due to the superiority that Reaper has displayed in its intrusion and propagation techniques. Whereas Mirai was spread through the exploitation of default passwords across IoT devices, Reaper utilizes a specialized strain of malware that exploits well-known vulnerabilities (such as those present in many printers and IoT toasters) to gain entry to a device, and further uses that device to spread itself to others connected.

With near-exponential growth, Qihoo 360 Netlab witnessed approximately 2 million newly infected devices waiting to be processed by a C&C server, of which several have thus far been identified. The best thing that any concerned corporation or user can do at this point in time would be to ensure that every machine on their network has updated firmware and software, in an attempt to limit the spread of this variable plague infecting IoT networks worldwide.

Currently, it appears as if we all might be witnessing a ‘calm before the storm’ situation, with this botnet ramping up massively in numbers and, according to Check Point, updating its capabilities on a daily basis. What else can I say but stay safe and brace for impact, as when this thing hits, it’ll make the Dyn attack look like a birthday party.

– Kenneth Nero

Sources: Here, and Here, also Here

U.S. Proposes New Cyber Security Controls to Protect Power Grid


The US Federal Energy Regulatory Commission (FERC) aims to mitigate the risks of attacks on the power grid.

The controls that they proposed are intended to increase the reliability and resilience of the grid, according to a federal regulator.

These controls are set to implement mandatory controls to mitigate risks posed by malware from devices such as laptops, flash drives and other devices.

On top of that, the regulator has told the North American Electric Reliability Corporation (NAERC), a corporation that monitors the grid, to seek ways to reduce the threat of malicious code. They were also told to define clear criteria and provide modifications for electronic access controls for low-impact cyber systems.

US FERC said: “These modifications will address potential gaps and improve the cyber security posture of entities that must comply with the Critical Infrastructure Protection (CIP) standards.”

This is, in part, a response to their report in January. In this report, the Energy Department said that the grid was at a great risk and needed better security measures put into place in order to prevent a large scale attack.


– Kyle Smith