Radio Attack Lets Hackers Steal 24 Different Car Models (wired.com)
An anonymous reader writes from a Wired article: A group of German vehicle security researchers has released new findings about the extent of a wireless key hack, and their work ought to convince hundreds of thousands of drivers to keep their car keys next to their Pudding Pops. The Munich-based automobile club ADAC recently made public a study it had performed on dozens of cars to test a radio 'amplification attack' that silently extends the range of unwitting drivers' wireless key fobs to open cars and even start their ignitions (in German). The ADAC researchers say that 24 different vehicles from 19 different manufacturers were all vulnerable, allowing them to not only reliably unlock the target vehicles but also immediately drive them away. "This clear vulnerability in [wireless] keys facilitates the work of thieves immensely," reads the post. "The radio connection between keys and car can easily be extended over several hundred meters, regardless of whether the original key is, for example, at home or in the pocket of the owner." [...] Here's the full list of vulnerable vehicles from their findings, which focused on European models: the Audi A3, A4 and A6, BMW's 730d, Citroen's DS4 CrossBack, Ford's Galaxy and Eco-Sport, Honda's HR-V, Hyundai's Santa Fe CRDi, KIA's Optima, Lexus's RX 450h, Mazda's CX-5, MINI's Clubman, Mitsubishi's Outlander, Nissan's Qashqai and Leaf, Opel's Ampera, Range Rover's Evoque, Renault's Traffic, Ssangyong's Tivoli XDi, Subaru's Levorg, Toyota's RAV4, and Volkswagen's Golf GTD and Touran 5T.
Actually, I kind of liked my Mazda key that was designed so that I never had to take it out of my pocket, except: 1) My sister-in-law drove the car, gave it back to me while it was still running, I drove my daughter's friend home, turned the car off... then couldn't start it again, because I didn't have the key! and 2) You get so used to pushing the button on the door handle to unlock it that it comes as a shock when you push the button and nothing happens, as you slowly realize you never put the key in your pocket that morning.
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Freezer = Faraday cage.
It’s not a continuous broadcast. When key & car are in range, car broadcasts a challenge, and key replies. Most models only do it at door open & engine start. They don’t continuously require it since if the process failed for some reason as you’re going down the highway & the engine just cut out... Not good.
There’s some rudimentary obfuscation at the protocol level, and recent-ish models have a reasonable degree of replay attack prevention. This attack appears to just amplify the radio signal in both directions with a repeater near the car & the key. You’d need one person ready to drive the car away and another to get close enough to the owner.
It’s only going to be good for one use though. Unless you can steal the key or stay on top of the owner, the car won’t re-start after you turn it off. Maybe you could slip the repeater in their bag or something to buy a little more time, but it’s pretty limited. Okay if you’re planning to scrap the car for parts, not so much if you expect to be able to keep driving it or sell it off after stealing it. It doesn’t look like this attack does anything to clone the key or defeat the challenge/response between key & car. It just lets you carry out that C/R at a distance.
Honestly, I might like a set of these to enable remote start at long range on my own car.
This could be solved by two factor authentication. Not only would the key fob transmit a radio signal, but you would also need a metallic dongle with uniquely coded grooves that when inserted into a specialized slot would engage a mechanical door release mechanism.
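The point made in the thread, that replay protection holds while the challenge/response is simply carried out at a distance, modeled as an added sketch that is not part of the original discussion or any manufacturer's protocol. HMAC-SHA256 over a shared secret stands in for the real key/car exchange, and every class and function name here is hypothetical.

```python
import hashlib
import hmac
import secrets


class Fob:
    """Key fob holding a secret shared with the car (constructed model)."""
    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Car:
    """Car side: one fresh random challenge per door-open or engine-start."""
    def __init__(self, secret: bytes):
        self._secret = secret

    def authenticate(self, channel) -> bool:
        challenge = secrets.token_bytes(16)
        response = channel(challenge)      # None models "no answer received"
        if response is None:
            return False
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def out_of_range(challenge):
    return None                            # fob too far away to hear the car

def make_replay(recorded_response):
    return lambda challenge: recorded_response   # stale answer, wrong nonce

def make_relay(fob):
    # Forwards bytes unchanged in both directions; never learns the secret.
    return lambda challenge: fob.respond(challenge)


def run_scenarios():
    secret = secrets.token_bytes(32)       # constructed sample key
    fob, car = Fob(secret), Car(secret)
    recorded = fob.respond(secrets.token_bytes(16))  # reply to an older challenge
    return {
        "fob_in_range": car.authenticate(fob.respond),
        "fob_out_of_range": car.authenticate(out_of_range),
        "replayed_response": car.authenticate(make_replay(recorded)),
        "relayed_exchange": car.authenticate(make_relay(fob)),
        "restart_after_relay_gone": car.authenticate(out_of_range),
    }
```

The car accepts the relayed exchange because it receives a valid answer to its own fresh challenge; nothing in the exchange tells it how far away the fob is, which is also why a restart fails once the relay is gone.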