Block Harbor’s Ayyappan Rajesh on Advanced RF Exploitation Techniques for Automotive Systems

From intercepting key fob signals with HackRF devices to setting up rogue cellular networks with USRP transceivers, Ayyappan Rajesh, Offensive Security Engineer at Block Harbor Cybersecurity, takes Casey deep into the technical underbelly of wireless security testing in this illuminating episode of Ahead of the Breach. 

As an offensive security engineer with Block Harbor's VCL team, Ayyappan specializes in testing "everything that has a radio on it" — from automotive systems operating at 315 MHz to Bluetooth-enabled tire pressure monitoring systems and cellular networks requiring sophisticated Faraday cage environments. He shares how teams can intercept SPI and I2C communications to extract firmware directly from chips, implement GPS spoofing using NASA satellite constellation data, and why many vulnerabilities now require physical access rather than just wireless interception.

Topics discussed:

  • The evolution of RF exploitation from replay to rollback methodologies that deliberately desynchronize a key fob's rolling-code counter from the vehicle's, allowing security testers to exploit implementation weaknesses rather than breaking encryption algorithms directly.
  • Hardware-based firmware extraction techniques using direct chip interfaces that bypass wireless protections entirely, revealing how security researchers connect via SPI and I2C protocols to obtain proprietary algorithms from automotive security chips.
  • Lateral movement strategies from infotainment systems to critical vehicle controls through careful analysis of gateway implementations that act as rudimentary firewalls between entertainment and control networks.
  • Creating isolated cellular test environments inside controlled Faraday enclosures, using programmable SIM infrastructure and open-source base stations so that comprehensive security testing can be carried out without FCC violations.
  • Manipulating GPS-dependent systems through satellite constellation spoofing that leverages NASA ephemeris data processed through GPS-SDR-SIM to generate deceptive signals targeting both location and time-dependent security controls.
  • Building cost-effective wireless security testing labs that leverage increasingly affordable software-defined radio platforms like HackRF and USRPs, enabling more researchers to conduct sophisticated wireless security assessments.
  • Leveraging automotive security education resources like the Cyber Auto Challenge that provide aspiring security researchers with manufacturer-supported environments for learning without the significant financial barriers traditionally associated with automotive security testing.

Copyright 2024 All rights reserved.

Podcast Powered By Podbean