Millions of cars all over the world are at risk due to two new remote keyless system attack techniques which can be used by car burglars to copy entry remotes and unlock the vehicles.
It doesn’t come as a surprise to anyone that hackers, using local or remote access, can hijack some functions of a moving vehicle. Although most of these attacks are not easy to perform, some weaknesses have an immediate impact and allow burglars to unlock and start cars.
Over the past years, thieves have been able to open and start cars many times with the help of electronic devices, without the manufacturers being able to puzzle out how they actually do it. Security researchers, however, have also managed to discover some attack techniques that may have already been used or others that may be about to be used.
Last year, researchers from Radboud University in the Netherlands and the University of Birmingham in the U.K. found a flaw in car immobilizers. According to them, this flaw could have been leveraged to start various car models, including luxury ones. Even though this problem was disclosed back in 2012, it wasn’t published because Volkswagen filed a lawsuit against the experts.
Now, at the USENIX Security Symposium in Austin, Texas, a group of experts from the University of Birmingham are revealing new findings, this time regarding vulnerabilities in remote keyless entry (RKE) systems. When the lock/unlock button on the electronic remote is pressed, the command is sent via signals generated by a radio frequency transmitter.
Nowadays, cars’ RKE systems generate a rolling code signal by using cryptography and a counter value. The vehicle decrypts the signal and verifies that the counter value is new, in an effort to prevent attacks.
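The freshness check described above can be sketched as follows; this is an added illustration, not code from the researchers or from any manufacturer. It assumes an HMAC tag in place of the vehicles' actual cipher, and the frame layout, the `WINDOW` value and all names are hypothetical.

```python
import hmac, hashlib, os, struct

WINDOW = 16  # assumed look-ahead: tolerated button presses made out of range

def make_frame(key: bytes, uid: int, counter: int, button: int) -> bytes:
    """Remote side: header (uid, counter, button) followed by a truncated MAC."""
    header = struct.pack(">IIB", uid, counter, button)
    tag = hmac.new(key, header, hashlib.sha256).digest()[:8]
    return header + tag

class Receiver:
    """Vehicle side: one key and one last-seen counter per paired remote."""
    def __init__(self):
        self.remotes = {}  # uid -> [key, last_counter]

    def pair(self, uid: int, key: bytes, counter: int = 0):
        self.remotes[uid] = [key, counter]

    def accept(self, frame: bytes) -> str:
        if len(frame) != 17:  # 9-byte header + 8-byte tag
            return "malformed"
        header, tag = frame[:9], frame[9:]
        uid, counter, button = struct.unpack(">IIB", header)
        entry = self.remotes.get(uid)
        if entry is None:
            return "unknown remote"
        key, last = entry
        expected = hmac.new(key, header, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return "bad mac"
        if counter <= last:  # already seen: not a new press
            return "replay"
        if counter > last + WINDOW:  # implausibly far ahead of last press
            return "out of window"
        entry[1] = counter  # commit only after every check has passed
        return "ok"

def demo():
    key_a, key_b = os.urandom(16), os.urandom(16)  # constructed per-remote keys
    rx = Receiver()
    rx.pair(0xA1, key_a)
    first = make_frame(key_a, 0xA1, 1, 1)
    return [
        rx.accept(first),                            # fresh press
        rx.accept(first),                            # same frame again
        rx.accept(make_frame(key_a, 0xA1, 5, 1)),    # skipped presses, in window
        rx.accept(make_frame(key_a, 0xA1, 500, 1)),  # too far ahead
        rx.accept(make_frame(key_b, 0xA1, 6, 1)),    # right uid, wrong key
    ]
```

The counter check only protects the vehicle while the key stays secret, which is why the receiver here stores a separate random key for each paired remote.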
The Volkswagen Group, with 12% market share, owns the Bentley, Bugatti, Audi, Lamborghini, Porsche, SEAT, Volkswagen and Skoda brands. And yet, researchers found that over the past 20 years Volkswagen has used only a couple of global cryptographic keys to secure this signal. According to researchers, car burglars are able to intercept the signal from the remote control from up to 330 feet (100 meters), decrypt it and create a copy of the original remote control, using the information.
Numerous cars made by the VW Group between 1995 and 2016 are affected, researchers believe. This includes models from Skoda, SEAT, Audi and VW, many of which have actually been tested by the experts. The majority of the 100 million vehicles sold from 2002 to 2015 are likely to be at risk. However, recent models like the VW Golf 7 aren’t in danger due to the new platform they rely on.
It is clear that it would be very difficult for the VW Group to solve the problem completely. That’s why researchers think that deactivating the RKE functionality, or at least refraining from using it, and resorting to mechanical locks instead would be a good enough alternative.
Moreover, the Hitag2 rolling code is another scheme which can be abused in car thefts. Hitag2 is used in a lot of car models, including Chevrolet, Opel, Alfa Romeo, Renault, Ford and Peugeot. The Hitag2 scheme doesn’t rely on fixed cryptographic keys, but researchers claim that the cryptographic key for a certain vehicle can be recovered based on 4-8 rolling codes. If these codes are intercepted, it would only take the attacker minutes on a laptop to recover the cryptographic key. Of course, that’s if they have managed to figure out the algorithm.
However, this attack is a little more complicated because the attacker would have to follow the victim around in order to intercept the signal from the remote control. An easier way is for the attacker to purposely jam the signal. This would probably make the victim press the button several times, allowing the thief to capture the codes more quickly.
“The necessary equipment to receive and send rolling codes, for example SDRs like the USRP or HackRF and off-the-shelf RF modules like the TI Chronos smartwatch, are widely available at low cost. The attacks are hence highly scalable and could be potentially carried out by an unskilled adversary,” researchers say. “Since they are executed solely via the wireless interface, with at least the range of the original remote control (i.e. a few tens of meters), and leave no physical traces, they pose a severe threat in practice.”