README
¶
Khaki
Unlock your car using your phone
What You Need
- Raspberry Pi model B
- Bluetooth 4.0 USB adapter
- A spare key fob that can unlock your car
- An iPhone
The Setup
We have a Raspbery Pi with Arch Linux for ARM installed on it. On top of that we have the bluez libraries installed as well as the Go compiler.
The Pi will be connected to the spare key fob, specifically the buttons that lock and unlock the car.
We will be using the github.com/paypal/gatt library to setup a BLE peripheral that can be connected to from a phone.
How It Will Work
As you approach the car, your iPhone will automatically connect to the car and authenticate with it. Then as you approach a specified distance the iPhone will send the command to unlock the car.
When you walk away from the car, the iPhone will send the command to lock the car.
The iPhone app will run in the background so you can keep your phone in your pocket and it will still work.
Security
Uses a challenge-response system with a shared key encryption.
Start the peripheral server with a secret key, that only you know.
./khaki --secret=hunter2
When the phone connects, it immediately starts the authentication process. If authentication isn't successful within 5 seconds, the Pi will close the connection.
S = Server/Central (Pi)
C = Client/Peripheral (iPhone)
// Client request challenge code
C -> READ auth
// Server generates random bytes for challenge
S -> [3e 48 5a 8d fb 30 0d 54 71 6e a6 68 18 72 b0 34]
// Client calculates HMAC of bytes, and sends it to to the server
C -> WRITE auth [88 62 38 70 73 03 ea d9 92 d6 e4 96 29 03 a2 90 e6 f2 2c 9e 3d d8 90 9c f5 e6 c7 02 58 98 41 b9]
// Server validates the HMAC and responds with status
S -> [01]
// Client can now lock/unlock the car
C -> WRITE lock 01
// Server responds with success
S -> Success
The challenge code is hashed using HMAC with SHA256.
h := hmac.New(sha256.New, secretKey)
h.Write(challengeCode)
result := h.Sum(nil)
This authentication process is only needed when the client first connects to the server. From then on the connection is marked as authenticated, and the client to unlock/lock the car.
When the client disconnects, the authentication status is reset. The server can only have one connection at a time, so it shouldn't be possible for an attacker to hijack an existing connection that has already been authenticated.
TODO: Research BLE security modes.
Services & Characteristics
Very simple interface, with just one service with two characteristics.
- Car
54a64ddf-c756-4a1a-bf9d-14f2cac357ad- Lock
WRITEfd1c6fcc-3ca5-48a9-97e9-37f81f5bd9c5 - Auth
READ,WRITE66e01614-13d1-40d6-a34f-c5360ba57698
- Lock
Pin Layout
o = used pin
. = unused pin
* = ground connection
+-----+
3v3 Power -> 1 | o o | 2 <- 5v Power
3 | . . | 4
5 | . * | 6
7 | . . | 8
9 | * . | 10
GPIO 17 -> 11 | o . | 12
13 | . * | 14
GPIO 22 -> 15 | o o | 16 <- GPIO 23
3v3 Power -> 17 | o o | 18 <- GPIO 24 19 | . * | 20 21 | . o | 22 <- GPIO 25 23 | . . | 24 25 | * . | 26 +-----+
Documentation
¶
There is no documentation for this package.
Source Files