New Hack Targeting Car Keys
We have previously written about the ongoing trend of car access systems being hacked and the cars subsequently stolen. While most of these attacks rely on either repeating a fixed radio signal or reverse engineering cryptographic secrets stored in the keys, a Chinese security research team known as UnicornTeam recently presented a novel approach to car hacking at HITB Amsterdam.
The attack specifically targets newer cars with the functionality to automatically unlock the doors and start the engine if the owner of the vehicle is nearby. According to the researchers, such cars send a radio signal when the door handle is operated. If the car key receives the signal, it answers with a cryptographically generated message. If the car receives that message from the key, it unlocks the door.
The radio signal is relatively weak, meaning that car and key have to be in close proximity for the unlocking to succeed. Once the owner walks away from the car, the doors can no longer be unlocked and the motor won’t engage as the key is out of range.
The researchers used relatively inexpensive hardware to relay the radio signal over several hundred meters. To do so, they used two sets of antennas connected to laptops. One unit is positioned next to the car, the other one in close proximity to the owner. When the door handle is used, the signal sent by the car is received by the first unit and then forwarded to the second unit over Wi-Fi or mobile data networks. The second unit then replays the request in close proximity to the key.
The key has no understanding of the car’s actual location and thus processes the replayed signal as it would the original one. Once the key sends the cryptographically generated answer, it too is captured (this time by the second unit), transmitted back to the first unit and replayed there.
Since the car receives the correct response message, it unlocks the door.
It is important to understand that this attack does not crack the secret information stored on the key in any way. Rather, it uses the real key to unlock the car while it is hundreds of meters away.
The car expects a response to its initial signal within a few hundred milliseconds, so the attack is limited to distances where the data can be transmitted over a network in the required time.
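As an added illustration (not code from the researchers or from this article), the following Python model of the challenge-response exchange shows why that timing window is the only check a relay can fail: the real key signs honestly, the relay adds latency on every hop, and a car that bounds the round trip loosely accepts the relayed answer, while one whose budget is close to the key's own processing time rejects it. The timing constants and the HMAC-based response are assumptions made for the model.

```python
import hashlib
import hmac
import os

# Constructed model of the passive-entry exchange; timing values are
# assumptions for illustration, not measurements from any real car.
KEY_PROCESSING_MS = 5.0   # time the key needs to compute its answer
RADIO_HOP_MS = 0.001      # over-the-air time for a few metres (negligible)


class CarKey:
    """Answers each challenge with a MAC under the shared secret."""
    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Car:
    """Issues a fresh challenge and checks both the MAC and the round-trip time."""
    def __init__(self, secret: bytes, max_rtt_ms: float) -> None:
        self._secret = secret
        self.max_rtt_ms = max_rtt_ms

    def new_challenge(self) -> bytes:
        return os.urandom(16)  # fresh nonce, so a recorded answer is useless

    def accept(self, challenge: bytes, response: bytes, rtt_ms: float) -> bool:
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False  # a relay never fails here: the genuine key signed it
        return rtt_ms <= self.max_rtt_ms  # the only check a relay can fail


def unlock_attempt(car: Car, key: CarKey, relay_delay_ms: float) -> bool:
    """Simulate one door-handle pull. relay_delay_ms is the extra one-way
    network latency of forwarding the signal (0 = key genuinely next to car)."""
    challenge = car.new_challenge()
    response = key.respond(challenge)  # the real key answers honestly
    rtt_ms = 2 * (RADIO_HOP_MS + relay_delay_ms) + KEY_PROCESSING_MS
    return car.accept(challenge, response, rtt_ms)


SECRET = os.urandom(32)  # constructed shared secret
KEY = CarKey(SECRET)
# Car that only insists on "a few hundred milliseconds": relayed answer passes.
LAX_CAR = Car(SECRET, max_rtt_ms=300.0)
# Car whose budget is key processing time plus a small margin: relay rejected.
TIGHT_CAR = Car(SECRET, max_rtt_ms=KEY_PROCESSING_MS + 0.5)
```

Production systems that enforce such tight bounds do so with dedicated ranging radios rather than timing a MAC computation, but the principle is the same: the accepted window must be smaller than any realistic network round trip.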
Nonetheless, the attack has great potential, especially when used against high-value targets such as politicians, military leadership or executives. In all these cases, the contents of the car would be more interesting to attackers than the car itself. Once access to the interior of a car is gained, the car’s computer system may also be more easily infected with malware for use in further attacks.
While this novel attack will be of relatively little concern to the average consumer (attacks against cryptographically weak older car key systems pose a much bigger threat there), it perfectly illustrates the challenge companies face when trying to secure any sort of hardware against cyber attacks: while the core authentication mechanism may be well thought through and secure, attackers routinely find holes in the logic around the mechanism that allow them to bypass it altogether.