Hacker movie reviews: Is Brat 2 accurate?

One of NordVPN’s cybersecurity geeks decided to share some insights with us about his favorite hacking scene from a Russian movie called Brat 2 (Brother 2).

Brat 2 in a nutshell

While you may not have heard of Brat 2, it’s a popular classic in Eastern Europe and Eurasia. This Russian crime film depicts emerging Russian nationalism and cultural clashes between Russia and the US.

The action is set into motion when Danila, the protagonist, discovers that his friend, Konstantin, has been shot dead by mobsters in Moscow. He decides to take revenge and ends up in Chicago. Although it is not a hacker movie, this controversial Russian mafia film has some hacking scenes. Let’s see how they measure up.

How accurate is it?

Our cybersecurity expert, who works to identify and eliminate potential vulnerabilities in NordVPN’s apps and infrastructure before they ever go public, weighs in on one of the film’s few hacking scenes.

Wireless car keys

In one scene, a hacker sniffs a radio signal while the car’s owner locks the car using their wireless car key. He then performs some calculations using special software. Finally, he sends a radio signal to unlock the car and uses a mechanical key to start the engine. This is possible.

Here are the methods that would’ve been at his disposal:

1. Simple shared secret. The key shares a secret value, like “12345”. When the car’s receiver receives it, it compares it to the one it knows. If they match, it unlocks the door.
2. Rolling code / pre-shared manufacturer secret. A one-time code is generated each time you use the wireless key. Both receiver and sender share a secret algorithm that they use to calculate the code. When the car’s receiver gets the key’s code, it verifies it using its algorithm. If they match and the pattern hasn’t been used previously, the door opens.
3. Rolling code / random key. This is the same as number 2, but each receiver is programmed to use its own key instead of one shared between all models from the same manufacturer.
4. Two-way communication / challenge. When the sender wants to unlock the car he sends a request. The receiver calculates a challenge using a number used once (nonce). The sender then calculates a code using the shared key and the nonce value they received. After that, the receiver calculates the same value using the same key and the nonce, and if it matches the one received – the door unlocks.

Wireless car key attacks

1. Replay. A simple radio sniffer can sniff the code and replay it. If the code never changes, this would be enough to gain access.
2. Side channel attack / KeeLoq. It is possible to extract the manufacturer’s key from receiver or sender equipment and then use the same vendor’s program code to generate (clone) a valid encoder. At least two valid codes need to be sniffed to successfully clone the key.
3. Code grabber. The attacker must be close to the victim’s car to be able to jam the wireless frequency. When the car owner sends the code, the attacker is able to sniff the code and prevent it from reaching the car. If the car owner sends the code again (thinking that maybe the key’s battery is low), the attacker again captures it and prevents the car from receiving it. The attacker then immediately turns off the jammer and sends the first code they blocked. The car owner believes that the second attempt worked, but it used the first code. The attacker can keep the second code for later use.
4. Relay. This attack is used with smart keys that do not require the owner’s interaction, automatically unlocking the car as soon as the owner is close enough. Two attackers are needed: one close to the owner carrying the key, and another close to the car (it’s best if the car and the owner are in different locations). The one close to the owner initiates two-way communication, including a request like, “Hey I’m your car, would you like to unlock me?” In response, the key initiates the sequence and sends the code. The attacker gets the code and transmits it to the second attacker next to the car, who then transmits the code to the car. The car responds with a challenge that is sent to the owner’s key in the same way. Next, the owner’s key generates an unlock code that the attackers transmit to the car. The door is now unlocked.

The attack most likely shown in the movie

• We can rule out attack 1. We saw the hacker use software to process what they intercepted, and a replay attack simply involves copying the key and using it without alterations.
• We can rule out attack 3. We clearly see that the owner only presses the key fob button once, and a code grabber attack requires multiple button clicks to succeed.
• We can rule out attack 4. The attack depicted did not involve both receivers and transmitters, which a relay attack requires. Also, the film is set in 2000, which is too early for such systems.

The attack was probably carried out using attack 2, or a side channel attack. The hacker could have a known or leaked manufacturer or vendor key to generate a valid encoder and use it to issue a valid unlock code.

Final verdict

This attack really could have happened in early 2000. Nowadays, pretty much all major car manufacturers have moved to more secure rolling code algorithms with AES encryption (no more rolling your encryption) or two-way challenge methods. However, some smaller vendors might still be using custom crypto with unreviewed closed-source algorithms. Be careful when choosing third-party wireless alarm systems or a Bluetooth lock toy – they could still leave you vulnerable.