Study: Key Fobs of 100 Million Cars Vulnerable to Easy Hacks

Man's at car using remote control key

Insurance companies have long suspected that thousands of theft reports involving allegedly locked cars in recent years were really nothing more than insurance fraud. New evidence suggests many of those reports may be real.

Researchers from the University of Birmingham in the United Kingdom and consulting firm Kasper-Oswald say key fobs for nearly 100 million cars worldwide contain outdated security precautions that leave them vulnerable to thieves. With little more than some technical know-how and $40 in equipment from Radio Shack, thieves could clone the codes that run keyless entry systems and gain access to cars without leaving a trace.

Or, worse, criminals could easily bypass equally weak security measures in the immobilizers that are supposed to prevent thieves from starting a car’s engine.

Much of the research concentrated on vehicles made by the Volkswagen Group, including Audi, SEAT, and Skoda. Researchers say VW’s vehicles are particularly vulnerable because the company has used only four basic schemes for protecting its remote-keyless entry systems since 2002.

Attacks could be “highly scalable and could be potentially carried out by an unskilled adversary,” wrote the study’s authors, who are scheduled to present their paper, Lock It and Still Lose It, Friday at the USENIX Security Conference in Austin, Texas. “Since they are executed solely via the wireless interface, with at least the range of the original remote control, and leave no physical traces, they pose a severe threat in practice.”

We can unfortunately only recommend to stop using or disable/remove the remote keyless entry part of the car key.

This isn’t the first time the University of Birmingham researchers have investigated Volkswagen’s security measures. A previous study, conducted in 2012, unearthed similar problems with a 96-bit code exchanged between the key fob and vehicle. But the researchers didn’t release those findings until last year—Volkswagen sued them to prohibit publication of the results.

This time around, the researchers say they’ve omitted information from their publicly available report that would identify cryptographic keys, part numbers of vulnerable electronic control units, and details about their reverse-engineering process, information that would make it easy for criminals to follow in their footsteps.

Their latest work examined two specific areas. First, they determined how to eavesdrop upon and clone the signals sent by Volkswagen remote fob and then match the cryptographic algorithms and keys kept on the vehicle’s electronic control units. Second, they found ways to similarly clone signals sent on another type of cryptographic protection called Hitag2, which has been used since 1996 by automakers including General Motors, Peugeot, Renault, Alfa Romeo, and Ford.

Salesman holding out car key in automobile showroom

The Hitag2 protections are more complex than the four general schemes used by Volkswagen. They rely on rolling codes that change each time car owners press the button on their key fobs. But the researchers found a way to eavesdrop on these exchanges and narrow the possibilities to the point they can break the codes in approximately one minute.

Breaching the Hitag2 security required the researchers to intercept at least four of the rolling codes initiated by the press of the key fob button. Researchers suggested a criminal could jam the signal, which would encourage a targeted car owner to keep pressing their key fob buttons and, thus, quickly cycle the codes.

Because both the Volkswagen and Hitag2 security measures have been in place for more than a decade, the findings suggest roughly 100 million vehicles are vulnerable worldwide. The researchers say that a large-scale attack targeting Volkswagen vehicles is possible via an automated approach that could affect all cars in a single area, such as a mall parking area or a dealership lot.

In a written statement, Volkswagen spokesperson Mark Gillies says the company “takes the security of our customers and their vehicles very seriously. Volkswagen’s electronic and mechanical security measures are continuously being improved. Volkswagen is in contact with the academics mentioned and a constructive exchange is taking place.”

But the researchers are skeptical that there’s a simple solution that would better protect current car owners. “We can unfortunately only recommend to stop using or disable/remove the remote keyless entry part of the car key,” they wrote, “and fall back to the mechanical lock.”

from Car and Driver Blog

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s