- 16th April 2019
- Posted by: Fidus
- Category: Research
Keyless Car Theft 101
Traditionally, cars were secured using a mechanical lock and key. Car thieves could circumvent this in a number of ways, including picking the lock, smashing a window, hotwiring the car and using tools to unlock the car from the inside. Advances in car technology introduced two new ways of entering a car: remote keyless entry (RKE), where the owner has lock and unlock buttons on their keys that lock and unlock the car remotely, and smart keys, where the owner only needs to have the keys in their pocket and the car unlocks automatically when the keys come within range of it.
As with all new technologies, these new methods of entry also brought new vulnerabilities that allow for the theft of the car. With RKE, the message from the keys to the car is one-way, with no response from the car back to the keys, so the usual way of securing such a channel, a challenge/response exchange, is not feasible.
In its simplest form, the message sent from the keys to the car simply consists of a unique identifier (UID) for the keys with a command appended to it, such as open/close. The car checks that the UID matches the keys registered to it and, if so, carries out the appended command. The issue with this, however, is that an attacker situated in close proximity would be able to eavesdrop on the communication between the keys and the car and simply replay the message once the owner has left, granting them access to the car.
Here’s a video of car thieves trying to steal a Tesla protected by methods detailed at the end of this post – it’s always nice to see criminals leave empty handed.
Let’s Fix This.. Quickly..
To circumvent this issue, car manufacturers needed to add extra layers of security to ensure only the owner of the car could use this system to open their car. Turning to the Confidentiality, Integrity and Availability (CIA) triad, manufacturers noted that neither confidentiality nor availability was important here. Confidentiality didn’t matter, as no sensitive information is sent, just basic commands to open/close the car together with the UID of the remote. Availability also didn’t matter, as the car owner could simply use the mechanical lock and key to gain entry if availability was compromised. To increase the integrity of the RKE system, manufacturers introduced a message authentication code (MAC) to the message to help ensure only the owner of the car could lock and unlock it. As with the unauthenticated message, however, an attacker able to eavesdrop and capture a MAC-protected message could still replay it at a later time and gain access to the car. To get around this, manufacturers added a counter to both the keys and the car. Each time the keys send a message, the counter increments by one and is included in the (MAC-protected) message; the car only executes the command if the counter matches its own copy, so a captured message cannot be replayed.
At a basic level, this is how car manufacturers secure the RKE system, with each manufacturer changing different parts of the message to add their own spin on securing it. The problem, however, is that the same cryptographic algorithms are used on all keys from the same manufacturer, so an attacker with access to a set of keys and some patience is able to repeat the message thousands of times in order to reverse engineer it down to its simplest format. Once this has been achieved, the attacker can apply the same techniques to any other system using the same RKE protocol. This was proven to be the case against different iterations of the Volkswagen Group’s RKE systems, covering not just Volkswagen cars but also cars from its subsidiaries such as Audi, Seat and Skoda. Researchers were able to reverse engineer the cryptographic algorithms used in a number of different RKE systems utilised by the Volkswagen Group, meaning that if they captured a single request from a legitimate key, they could then create their own message that the car would see as valid, granting them access. Once inside, thieves are able to start the vehicle through a number of different means, including using the car’s onboard computer to programme a new set of keys, attacks against the immobiliser, and good old-fashioned hotwiring.
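The two message formats described above, the bare UID-plus-command message and the MAC-plus-counter ("rolling code") message, are modelled below as an added example; this is illustrative code written for this post, not the code of any manufacturer or of the research cited. It assumes a constructed key UID and shared secret, uses a truncated HMAC-SHA256 in place of the proprietary ciphers real systems use, and assumes the car tolerates a small forward window of counter values so that button presses made out of range do not desynchronise the fob (a common design choice, stated here as an assumption). The receiver logic shows why the naive car accepts a replayed message while the rolling-code car rejects replays, forged tags and counters outside the window.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed parameters for this demonstration only. Real RKE systems use
# proprietary block ciphers and short counters rather than HMAC-SHA256.
KEY_UID = "FOB-0001"          # constructed identifier of the registered key fob
SHARED_SECRET = b"\x2a" * 16  # constructed secret shared by fob and car
COUNTER_WINDOW = 16           # assumed forward window for presses made out of range
MAC_LEN = 8                   # assumed truncated tag length


@dataclass(frozen=True)
class Message:
    uid: str
    command: str
    counter: int
    mac: bytes


def compute_mac(uid: str, command: str, counter: int,
                secret: bytes = SHARED_SECRET) -> bytes:
    """Tag covers UID, command and counter so none can be altered in transit."""
    payload = f"{uid}|{command}|{counter}".encode()
    return hmac.new(secret, payload, hashlib.sha256).digest()[:MAC_LEN]


class KeyFob:
    def __init__(self, uid: str = KEY_UID, secret: bytes = SHARED_SECRET):
        self.uid, self.secret, self.counter = uid, secret, 0

    def press(self, command: str) -> Message:
        """Every press increments the counter, whether or not the car hears it."""
        self.counter += 1
        return Message(self.uid, command, self.counter,
                       compute_mac(self.uid, command, self.counter, self.secret))


class NaiveCar:
    """First scheme from the text: UID plus command, so any captured message replays."""
    def __init__(self, uid: str = KEY_UID):
        self.uid, self.locked = uid, True

    def receive(self, msg: Message) -> bool:
        if msg.uid != self.uid:
            return False
        self.locked = (msg.command == "lock")
        return True


class RollingCodeCar:
    """Second scheme: verify the MAC, then require a counter the car has not yet seen."""
    def __init__(self, uid: str = KEY_UID, secret: bytes = SHARED_SECRET,
                 window: int = COUNTER_WINDOW):
        self.uid, self.secret, self.window = uid, secret, window
        self.last_counter, self.locked = 0, True

    def receive(self, msg: Message) -> bool:
        if msg.uid != self.uid:
            return False
        expected = compute_mac(msg.uid, msg.command, msg.counter, self.secret)
        if not hmac.compare_digest(expected, msg.mac):
            return False  # forged or corrupted message: MAC does not verify
        if not (self.last_counter < msg.counter <= self.last_counter + self.window):
            return False  # already-used counter (replay) or too far ahead (needs resync)
        self.last_counter = msg.counter
        self.locked = (msg.command == "lock")
        return True


def demo() -> dict:
    """Drive both receivers with the same fob and record which messages they accept."""
    fob, naive, rolling = KeyFob(), NaiveCar(), RollingCodeCar()
    first_unlock = fob.press("unlock")
    results = {
        "naive_first": naive.receive(first_unlock),
        "naive_replay": naive.receive(first_unlock),      # replay accepted
        "rolling_first": rolling.receive(first_unlock),
        "rolling_replay": rolling.receive(first_unlock),  # same counter again: rejected
    }
    # Correct next counter but no knowledge of the secret: the MAC check fails.
    forged = Message(KEY_UID, "unlock", first_unlock.counter + 1, bytes(MAC_LEN))
    results["rolling_forged"] = rolling.receive(forged)
    # Five presses out of range advance the fob; the next press is still inside the window.
    for _ in range(5):
        fob.press("lock")
    results["rolling_after_gap"] = rolling.receive(fob.press("unlock"))
    # A valid tag on a counter beyond the window is also refused.
    far = rolling.last_counter + COUNTER_WINDOW + 1
    results["rolling_too_far"] = rolling.receive(
        Message(KEY_UID, "unlock", far, compute_mac(KEY_UID, "unlock", far)))
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:18s} {'accepted' if accepted else 'rejected'}")
```

Running the script prints one line per message; the only scheme that accepts a replayed message is the naive one. The window check is the part worth thinking about in a real design: too small and a few accidental presses lock the owner out, too large and the receiver accepts more stale values than it needs to.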
Researchers Strike Back
At DefCon Las Vegas 2015, security researcher Samy Kamkar revealed a device he’d designed to automate this process. Named ‘RollJam’, this small device cost only $32 in equipment and is smaller than a mobile phone. Designed to be planted on the victim’s car, the device waits for the victim to attempt to unlock their car and blocks the signal by using radios outputting noise on the frequencies commonly used by car keys. It then utilises another, more sensitive radio to pick up the signal emitted from the car keys. The owner of the car will instinctively press the unlock button again, with the second signal also being blocked and recorded. The RollJam device is then programmed to replay the first unlock signal, unlocking the car and providing the attacker with a second unlock code which can be used once the victim drives to wherever they are going, locks the car and leaves it.
The issue thieves have with this system, however, is that it relies on them capturing a message, meaning they must be in close proximity to the car and wait for its owner to lock or unlock it. As most thieves prefer the dark of night to carry out their crimes, they turned to alternative methods to gain access to cars. Smart keys are a recent technology introduced to cars and are now used across a large range of models, from luxury high-end cars to more budget options. Smart keys allow the owner to simply walk up to their car and open the door without removing the keys from their pocket, as the car senses they are within close proximity and unlocks the doors. The same then happens with the ignition; the car can be started with a button without the keys ever leaving the owner’s pocket. Keyless technology is a wonderful thing, right?
Although a very convenient feature for the owner of the car, this feature makes it incredibly easy for thieves to steal their car. The problem lies in the fact that, in order for the car to detect that the keys are within proximity, the keys must be constantly emitting a radio signal for the car to pick up. Thieves can exploit this in a Signal Amplification Relay Attack (SARA), where they intercept the signal emitted by the smart keys with one device placed near the keys and relay it to another device situated near the car, which then replays the signal, unlocking the car and even allowing it to be started. Security researchers at the German automobile club ADAC demonstrated it was possible to carry out this attack with just $225 worth of equipment: a radio transmitter and antenna, a battery and some simple chips. They were also able to use this attack against 230 of the 237 cars they tested, everything from Citroens and KIAs to BMWs and Range Rovers. Numerous videos have circulated on the internet of home CCTV systems showing the same thing: thieves walk up to the front door of the house and the car, and seconds later are driving off, without ever smashing a window or setting off any alarms.
So, what can be done to prevent these kinds of attacks?
As the vast majority of cars are not internet connected, simply rolling out an update to patch the issue, as we so commonly see with more traditional computer-based exploits, is not possible. Instead, the owner of the car must look at ways to prevent thieves from being able to intercept signals from their keys, or fall back on more traditional methods.
Firstly, a simple way of stopping both of the attacks illustrated above is through the use of a device like a steering wheel lock. As most thieves using the methods above expect to simply unlock your car and drive off, they are likely to be unequipped to deal with such a device.
Car keys should also be kept away from the front door, which will also deter opportunistic thieves who spot the keys and smash a window to quickly steal the car. The keys could even be placed in a signal-blocking pouch (a Faraday pouch), purchasable on Amazon for as little as £5. These pouches block any signal emitted from the keys, preventing an attacker from intercepting the signal to unlock the car.
Use of standard home security products such as CCTV cameras and motion-detecting lights may also help to deter potential thieves. If you purchase a car second-hand, it may be worth getting the keys reprogrammed, as the previous owners may still be able to gain access to your car. Similarly, if you lose your keys, it is worth getting an auto locksmith to remove the lost keys from your car’s key database, so that they can no longer lock and unlock your car.
What About a Proactive Approach to Security?
Some car manufacturers are ahead of others in this race, such as Tesla. Tesla is known for utilising over-the-air updates on its vehicles and, as such, has added built-in features to all of its cars to help prevent keyless car theft altogether.
Firstly, Tesla released a built-in setting within the car to simply disable Passive Entry altogether, preventing the car from automatically unlocking. Many owners have opted for this setting, but many, like myself, enjoy the convenience of not having to rummage for keys every time I want to access my vehicle.
To combat theft further, Tesla also released a feature which is unheard of in any other vehicle – PIN to Drive. PIN to Drive works in the same way as 2-factor authentication and requires a 4-digit PIN each time you want to start the vehicle, thus totally removing the risk of keyless car theft. Granted, thieves will still be able to gain access to the vehicle if Passive Entry is left on and can steal belongings (if keys are not stored in a Faraday pouch!), but the vehicle itself will not be going anywhere.
Fun fact: the PIN to Drive prompt changes position on the screen each time the vehicle is unlocked, meaning your fingerprint smudges can’t be used to gain an insight into your PIN!
And what happens when you take a proactive approach to security? You get to watch the same thieves come back for a second shot at your car and watch them fail miserably.. once again..
References
- Lock It and Still Lose It – On the (In)Security of Automotive Remote Keyless Entry Systems – Flavio D. Garcia and David Oswald, University of Birmingham; Timo Kasper, Kasper & Oswald GmbH; Pierre Pavlidès, University of Birmingham (2016)
- List of cars tested by ADAC – https://dwkujuq9vpuly.cloudfront.net/news/wp-content/uploads/2019/01/Cars-tested-by-ADAC.pdf (2019)
- Drive It Like You Hacked It – DefCon talk by Samy Kamkar (2015)