Slashdot Mirror


Radio Attack Lets Hackers Steal 24 Different Car Models (wired.com)

An anonymous reader writes from a Wired article: A group of German vehicle security researchers has released new findings about the extent of a wireless key hack, and their work ought to convince hundreds of thousands of drivers to keep their car keys next to their Pudding Pops. The Munich-based automobile club ADAC recently made public a study it had performed on dozens of cars to test a radio 'amplification attack' that silently extends the range of unwitting drivers' wireless key fobs to open cars and even start their ignitions (in German). The ADAC researchers say that 24 different vehicles from 19 different manufacturers were all vulnerable, allowing them to not only reliably unlock the target vehicles but also immediately drive them away. "This clear vulnerability in [wireless] keys facilitates the work of thieves immensely," reads the post. "The radio connection between keys and car can easily be extended over several hundred meters, regardless of whether the original key is, for example, at home or in the pocket of the owner." [...] Here's the full list of vulnerable vehicles from their findings, which focused on European models: the Audi A3, A4 and A6, BMW's 730d, Citroen's DS4 CrossBack, Ford's Galaxy and Eco-Sport, Honda's HR-V, Hyundai's Santa Fe CRDi, KIA's Optima, Lexus's RX 450h, Mazda's CX-5, MINI's Clubman, Mitsubishi's Outlander, Nissan's Qashqai and Leaf, Opel's Ampera, Range Rover's Evoque, Renault's Traffic, Ssangyong's Tivoli XDi, Subaru's Levorg, Toyota's RAV4, and Volkswagen's Golf GTD and Touran 5T.

21 of 228 comments

  1. Scary ... by gstoddart · · Score: 4, Interesting

    I had this in a rental car recently, and once I figured out there was no place to put the key (never seen it before, never even occurred to me) I did wonder just how secure it was.

    So, what, it just continuously broadcasts "you can start now", with no intermediate encryption or anything? There's clearly no user interaction required to start the car (I never did get used to having the "key" in my pocket to start the car), no button to push or anything.

    TFA says "every second semester electronic student should be able to build such devices without any further technical instruction." That positively screams of something which was built to be cool, but with no real thought about security.

    I wonder if this is something which even changes on each invocation, or if you could simply record and play back the signal ... in which case this is a pretty pathetic system.

    And, once again, the security of such things is purely an afterthought when it's pointed out how trivial it is to bypass. And, once again, I say companies need to have legal liability for shit like this.

    --
    Lost at C:>. Found at C.
    1. Re:Scary ... by omnichad · · Score: 2

      People have been able to use replay attacks to get into houses via garage door openers for forever. I'm surprised by the lack of strong encryption on this, but do you even need to replay? If it's just MITM as an amplifier, no intermediate decoding is needed to get in and steal belongings anyway. It's a bad design all around.

    2. Re:Scary ... by Aaden42 · · Score: 5, Interesting

      It’s not a continuous broadcast. When key & car are in range, car broadcasts a challenge, and key replies. Most models only do it at door open & engine start. They don’t continuously require it since if the process failed for some reason as you’re going down the highway & the engine just cut out... Not good

      There’s some rudimentary obfuscation at the protocol level, and recent-ish models have a reasonable degree of replay attack prevention. This attack appears to just amplify the radio signal in both directions with a repeater near the car & the key. You’d need one person ready to drive the car away and another to get close enough to the owner.

      It’s only going to be good for one use though. Unless you can steal the key or stay on top of the owner, the car won’t re-start after you turn it off. Maybe you could slip the repeater in their bag or something to buy a little more time, but it’s pretty limited. Okay if you’re planning to scrap the car for parts, not so much if you expect to be able to keep driving it or sell it off after stealing it. It doesn’t look like this attack does anything to clone the key or defeat the challenge/response between key & car. It just lets you carry out that C/R at a distance.

      Honestly, I might like a set of these to enable remote start at long range on my own car.

    3. Re:Scary ... by gstoddart · · Score: 2

      I'm surprised by the lack of strong encryption on this, but do you even need to replay?

      Well, think about it ... sit in a parking lot at an office or something, and passively collect a bunch of these things as people enter the building or something.

      Instead of stealing belongings, you target a bunch of cars, come back the next day with a bunch of people, and drive off with a dozen or so cars in one go.

      Why steal stuff when you can just drive off with the cars later and without needing to get the thing near enough to the keys to re-transmit?

      You could have a bunch of cars in a chop shop before anybody even knew they were gone.

      --
      Lost at C:>. Found at C.
    4. Re:Scary ... by omnichad · · Score: 2

      I don't think they are replay attacks. They are using MITM to amplify both sides of the conversation with the keys. The keys and car respond as if the victim is standing next to their car. Imagine a MITM HTTPS attack where the attacker didn't need to actually decrypt the data - just pass it along. So the encryption itself does nothing to protect the car.

      That's not to say they can't do it with an entire office full of people, but it's not something you could do without the victim within range of your device (which could still be a long distance in the office).

    5. Re:Scary ... by lgw · · Score: 2

      Here you go: a physics prof demonstrates and explains the antenna effect. https://www.youtube.com/watch?...

      Sixty Symbols is a great channel for debunking commonly held physics misconceptions (whether they're right here or not).

      --
      Socialism: a lie told by totalitarians and believed by fools.
  2. Pudding pops? by DNS-and-BIND · · Score: 4, Interesting

    "their work ought to convince hundreds of thousands of drivers to keep their car keys next to their Pudding Pops"

    Huh? Pudding pops? What does that even mean? I thought the new Slashdot management was going to get rid of these horrible summaries that don't make any sense. Since the word is capitalized, I assume this means Jell-O Pudding Pops? The frozen snack from the 80s? They stopped making these a long, long time ago. So you should keep your key fob in the freezer? How does that help?

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    1. Re:Pudding pops? by Anonymous Coward · · Score: 5, Informative

      Freezer = faraday cage.

    2. Re:Pudding pops? by gstoddart · · Score: 3, Informative

      Well, there's this:

      After having his Prius burgled repeatedly outside his Los Angeles home, the New York Times' former tech columnist Nick Bilton came to the conclusion that the thieves must be amplifying the signal from the key fob in the house to trick his car's keyless entry system into thinking the key was in the thieves' hand. He eventually resorted to keeping his keys in the freezer.

      Cuz, you know, Pudding Pops are frozen. And go really nicely with quaaludes, apparently. ;-)

      --
      Lost at C:>. Found at C.
  3. Re:Did anyone not see this as a dumb idea? by Locke2005 · · Score: 5, Interesting

    Actually, I kind of liked my Mazda key that was designed so that I never had to take it out of my pocket, except: 1) My sister-in-law drove the car, gave it back to me while it was still running, I drove my daughter's friend home, turned the car off... then couldn't start it again, because I didn't have the key! and 2) You get so used to pushing the button on the door handle to unlock it that it comes as a shock when you push the button and nothing happens, as you slowly realize you never put the key in your pocket that morning.

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  4. timestamps by selectspec · · Score: 2

    Solution:

    (Assuming the key/car are using private/public key pairs)

    You'd have to put a reasonably accurate clock in the key, and then have it encrypt and send timestamps to the vehicle using a sequence of rapidly fired request messages followed by response messages.

    The car could then decrypt the messages and compare the timestamps from the sequence of messages, measuring the distance between the key and the car. The clock in the key would have to have similar accuracy to a laser range finder.

    The actual protocol would be a bit more complicated in the details, but the basics outlined above are what is needed.

    --
    Someone you trust is one of us.

    1. Re:timestamps by ledow · · Score: 2

      Or just make the user press a button to actually unlock / start their car.

      Which seems a fecking good idea anyway.

      All this "do things from out of visual range" junk is just asking for trouble when you have to a) touch the door to open it anyway and b) touch the pedals/wheel to drive it anyway.

  5. Re:User must still press the button by selectspec · · Score: 2

    No, they don't. The keys passively send out signals without user interaction, probably in response to a signal sent out by the car which has a bigger battery than the key. In either case, if you have a keyless car, the car communicates with the key without user interaction.

    --
    Someone you trust is one of us.

  6. Add a secure lock mode by swb · · Score: 2

    They could add a secure lock mode, where if you affirmatively press the lock button on the keyfob, the car will require an affirmative unlock press on the keyfob and not unlock based on the "presence" of the keyfob.

    I also wonder why they couldn't have some means of shutting off the radio in the keyfob so it didn't produce a signal that could be relayed to the car. Maybe a motion sensor in the keyfob that when it wasn't moved for a period of time would shut off its radio completely until enough movement woke it up.

  7. So good my '82 UAZ is completely keyless... by fraxinus-tree · · Score: 3, Funny

    The doors never ever had locks (and even if they had, you can fold the tent without tools or access from the inside). It starts with a button on the dashboard.

    And then, you need to know how to drive it, be strong enough to actually do that, and a good reason to steal a pile of soviet-era rust. It is a very good city car.

  8. Re:Insurance by pahles · · Score: 2

    Most cars in Europe are stick shift...

    --
    Sig?
  9. Re:Insurance by vtcodger · · Score: 4, Funny

    But do not fear. For just $5USD a month, we can install a package on your vehicle that will detect the theft, drive the vehicle to the nearest police station, lock the doors, tune the radio to celinedion.24_7.com, and turn the volume up to 135dB. You can contact us at www.makethebastardspay.com

    --
    You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
  10. Incentive to improve security? by Knightman · · Score: 4, Insightful

    Do car makers really have good incentives to fix their security?

    Not really, since they can sell a new car paid by the insurance company when someone's car gets stolen. The only downside is negative reporting - but that can be fixed by massive ad-campaigns; just look at VAG, they are running ads like crazy in Europe right now, but they have dropped their tag-line "vorsprung durch technik" (lead by technology). I guess they don't want to use the new and improved tag-line "vorsprung durch betrug" (lead by cheating).

    The whole wireless key fob thing is a pure convenience thing that when it fails becomes extremely inconvenient, because convenience is security's biggest enemy. I can't understand that people would accept that their car has no physical security to speak of, since it is quite a huge investment for many people.

    The only mitigation I can think of if you still want the convenience of a wholly wireless key fob is that they introduce a check for max latency for the key-challenge response which is like 27 picoseconds(?) for a 4 meter radius not including the electronics internal response time. This means of course that the timing of the key exchange must be wholly deterministic.

    --
    --- Reality doesn't care about your opinions, it happens anyway and if you are in the way you'll get squished.
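A small simulation of the point made in the two comments above (omnichad's "MITM that never decrypts" and the round-trip-time check proposed here): a relayed challenge/response carries a perfectly valid HMAC, so only a bound on the round-trip time can reject it. This is added illustration, not code from the thread or from ADAC; the shared secret, the key's fixed processing time, the 4 m radius, the 300 m relayed distance and the relay's latency are all constructed values.

```python
import hashlib
import hmac
import os

C_M_PER_S = 299_792_458.0   # speed of light, metres per second
KEY_PROCESSING_S = 2e-6     # constructed: fixed, deterministic time the key needs to answer
MAX_DISTANCE_M = 4.0        # constructed: radius inside which the car should accept a key
# Bound = light round trip over the allowed radius plus the key's deterministic processing time.
RTT_BOUND_S = 2 * MAX_DISTANCE_M / C_M_PER_S + KEY_PROCESSING_S


class KeyFob:
    """Answers every challenge with an HMAC over a shared secret (constructed model)."""
    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class RadioPath:
    """Simulated radio link with a virtual clock; a relay only adds distance and latency."""
    def __init__(self, fob: KeyFob, distance_m: float, relay_latency_s: float = 0.0):
        self.fob, self.distance_m, self.relay_latency_s = fob, distance_m, relay_latency_s
        self.now = 0.0  # virtual clock in seconds

    def exchange(self, challenge: bytes) -> bytes:
        # Time advances by the air round trip, the key's processing time and any relay overhead.
        self.now += 2 * self.distance_m / C_M_PER_S + KEY_PROCESSING_S + self.relay_latency_s
        return self.fob.respond(challenge)  # bytes are forwarded untouched, never decrypted


def car_accepts(secret: bytes, path: RadioPath, enforce_rtt: bool) -> bool:
    """Car side: fresh challenge, verify the HMAC, optionally bound the round-trip time."""
    challenge = os.urandom(16)
    started = path.now
    response = path.exchange(challenge)
    elapsed = path.now - started
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(response, expected):
        return False  # wrong key: the cryptography catches this
    if enforce_rtt and elapsed > RTT_BOUND_S:
        return False  # right key but too far away: only the timing bound catches this
    return True


def scenario(distance_m: float, relay_latency_s: float, enforce_rtt: bool) -> bool:
    secret = b"constructed-shared-secret"
    return car_accepts(secret, RadioPath(KeyFob(secret), distance_m, relay_latency_s), enforce_rtt)


if __name__ == "__main__":
    print("owner at the door, C/R only:   ", scenario(1.0, 0.0, False))     # True
    print("relayed 300 m, C/R only:       ", scenario(300.0, 1e-6, False))  # True: HMAC passes
    print("relayed 300 m, C/R + RTT bound:", scenario(300.0, 1e-6, True))   # False
```

The middle line is the ADAC result in miniature: the car cannot tell a relayed owner from a present one by inspecting the messages, so the defence has to live in timing (or in a user action), not in the cipher.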
  11. OK, can we stop calling them hackers? by bferrell1047 · · Score: 2

    Do you call the person who uses a slim-jim (not the meat sticks), lock picks or a slide hammer to steal your car a locksmith? No, we call them car thieves. Simple, plain ol' un-glamorous car thieves. It IS useful to know the car makers are so stupid as to make car entry systems as simple as this, BUT, this is NOT hacking. It is practice for breaking and entering.

  12. Needs two factor authentication by marciot · · Score: 5, Funny

    This could be solved by two factor authentication. Not only would the key fob transmit a radio signal, but you would also need a metallic dongle with uniquely coded grooves that when inserted into a specialized slot would engage a mechanical door release mechanism.

  13. Auto systems security is terrible by burtosis · · Score: 2

    Many of these manufacturers plan on creating autonomous vehicles as well. Yet they DGAF about security, sometimes on this embarrassing of a level. I'm eager to see how that plays out, except perhaps for the inevitable deaths.