Slashdot Mirror


Radio Attack Lets Hackers Steal 24 Different Car Models (wired.com)

An anonymous reader writes from a Wired article: A group of German vehicle security researchers has released new findings about the extent of a wireless key hack, and their work ought to convince hundreds of thousands of drivers to keep their car keys next to their Pudding Pops. The Munich-based automobile club ADAC recently made public a study it had performed on dozens of cars to test a radio 'amplification attack' that silently extends the range of unwitting drivers' wireless key fobs to open cars and even start their ignitions (in German). The ADAC researchers say that 24 different vehicles from 19 different manufacturers were all vulnerable, allowing them to not only reliably unlock the target vehicles but also immediately drive them away. "This clear vulnerability in [wireless] keys facilitates the work of thieves immensely," reads the post. "The radio connection between keys and car can easily be extended over several hundred meters, regardless of whether the original key is, for example, at home or in the pocket of the owner." [...] Here's the full list of vulnerable vehicles from their findings, which focused on European models: the Audi A3, A4 and A6, BMW's 730d, Citroen's DS4 CrossBack, Ford's Galaxy and Eco-Sport, Honda's HR-V, Hyundai's Santa Fe CRDi, KIA's Optima, Lexus's RX 450h, Mazda's CX-5, MINI's Clubman, Mitsubishi's Outlander, Nissan's Qashqai and Leaf, Opel's Ampera, Range Rover's Evoque, Renault's Traffic, Ssangyong's Tivoli XDi, Subaru's Levorg, Toyota's RAV4, and Volkswagen's Golf GTD and Touran 5T.

4 of 228 comments

  1. Scary ... by gstoddart · Score: 4, Interesting

    I had this in a rental car recently, and once I figured out there was no place to put the key (never seen it before, never even occurred to me) I did wonder just how secure it was.

    So, what, it just continuously broadcasts "you can start now", with no intermediate encryption or anything? There's clearly no user interaction required to start the car (I never did get used to having the "key" in my pocket to start the car), no button to push or anything.

    TFA says "every second semester electronic student should be able to build such devices without any further technical instruction." That positively screams of something which was built to be cool, but with no real thought about security.

    I wonder if this is something which even changes on each invocation, or if you could simply record and play back the signal ... in which case this is a pretty pathetic system.

    And, once again, the security of such things is purely an afterthought when it's pointed out how trivial it is to bypass. And, once again, I say companies need to have legal liability for shit like this.

    --
    Lost at C:>. Found at C.
    1. Re:Scary ... by Aaden42 · Score: 5, Interesting

      It’s not a continuous broadcast. When key & car are in range, car broadcasts a challenge, and key replies. Most models only do it at door open & engine start. They don’t continuously require it since if the process failed for some reason as you’re going down the highway & the engine just cut out... Not good

      There’s some rudimentary obfuscation at the protocol level, and recent-ish models have a reasonable degree of replay attack prevention. This attack appears to just amplify the radio signal in both directions with a repeater near the car & the key. You’d need one person ready to drive the car away and another to get close enough to the owner.

      It’s only going to be good for one use though. Unless you can steal the key or stay on top of the owner, the car won’t re-start after you turn it off. Maybe you could slip the repeater in their bag or something to buy a little more time, but it’s pretty limited. Okay if you’re planning to scrap the car for parts, not so much if you expect to be able to keep driving it or sell it off after stealing it. It doesn’t look like this attack does anything to clone the key or defeat the challenge/response between key & car. It just lets you carry out that C/R at a distance.

      Honestly, I might like a set of these to enable remote start at long range on my own car.
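
The difference between replay and relay described in the comment above, as an added example that is not part of the original thread or any manufacturer's protocol: a toy HMAC challenge/response in which a recorded reply is rejected but a forwarded one is accepted. It goes one step beyond the comment by adding a hypothetical round-trip-time bound (`MAX_RTT_NS`, with constructed timing values) to show the kind of check that does separate a nearby fob from a relayed one.

```python
import hashlib
import hmac
import os

class Fob:
    """Key fob: answers any challenge it hears with an HMAC under the shared key."""
    def __init__(self, key):
        self.key = key

    def respond(self, challenge):
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

class Car:
    MAX_RTT_NS = 100  # hypothetical bound; a fob beside the door answers well inside it

    def __init__(self, key, check_rtt=False):
        self.key, self.check_rtt, self.pending = key, check_rtt, None

    def challenge(self):
        self.pending = os.urandom(16)  # fresh nonce per attempt is what defeats replay
        return self.pending

    def verify(self, response, rtt_ns):
        nonce, self.pending = self.pending, None  # each nonce is single-use
        if nonce is None:
            return False
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        return ok and not (self.check_rtt and rtt_ns > self.MAX_RTT_NS)

def direct(car, fob):
    return car.verify(fob.respond(car.challenge()), rtt_ns=20)

def replay(car, fob):
    recorded = fob.respond(car.challenge())  # reply captured during a legitimate unlock
    car.verify(recorded, rtt_ns=20)
    car.challenge()  # later attempt: the car issues a new nonce
    return car.verify(recorded, rtt_ns=20)

def relay(car, fob, added_ns=5000):
    # Both messages are forwarded unmodified, so the HMAC is valid; only latency grows.
    return car.verify(fob.respond(car.challenge()), rtt_ns=20 + added_ns)

def run():
    key = os.urandom(16)  # constructed shared secret for the simulation
    plain, timed, fob = Car(key), Car(key, check_rtt=True), Fob(key)
    return {"direct": direct(plain, fob), "replay": replay(plain, fob),
            "relay": relay(plain, fob), "relay_timed": relay(timed, fob),
            "direct_timed": direct(timed, fob)}
```
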

  2. Pudding pops? by DNS-and-BIND · Score: 4, Interesting

    "their work ought to convince hundreds of thousands of drivers to keep their car keys next to their Pudding Pops"

    Huh? Pudding pops? What does that even mean? I thought the new Slashdot management was going to get rid of these horrible summaries that don't make any sense. Since the word is capitalized, I assume this means Jell-O Pudding Pops? The frozen snack from the 80s? They stopped making these a long, long time ago. So you should keep your key fob in the freezer? How does that help?

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  3. Re:Did anyone not see this as a dumb idea? by Locke2005 · Score: 5, Interesting

    Actually, I kind of liked my Mazda key that was designed so that I never had to take it out of my pocket, except: 1) My sister-in-law drove the car, gave it back to me while it was still running, I drove my daughter's friend home, turned the car off... then couldn't start it again, because I didn't have the key! and 2) You get so used to pushing the button on the door handle to unlock it that it comes as a shock when you push the button and nothing happens, as you slowly realize you never put the key in your pocket that morning.

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.