Security researchers have shown that the radio exchange between a car and its key fob can be relayed over distance to trick the car into unlocking. The relay is built from off-the-shelf equipment and, because it forwards the real key's cryptographic answer rather than breaking it, it lets an attacker open and drive away a vehicle without ever touching the key or defeating its authentication, a new kind of radio-based attack on passive keyless entry systems.
First Published 27th April 2017 | Latest Refresh 14th May 2021
Key duplication - cheaper than an Uber.
3 min read | Reflare Research Team
We have previously written about the ongoing trend of car access systems being hacked and cars subsequently stolen. While most of these attacks rely on either replaying a fixed radio code or reverse engineering the cryptographic secrets stored in the keys, a Chinese security research team known as UnicornTeam demonstrated a different approach to car hacking at HITB Amsterdam.
The attack targets newer cars with passive keyless entry, which unlock the doors and allow the engine to be started whenever the owner's key is nearby. According to the researchers, such cars transmit a challenge over a short-range radio signal when the door handle is operated. A key that hears the challenge answers with a response computed from the secret it shares with the car. If the car receives the expected response, it unlocks the door.
The handle signal is deliberately weak, so car and key have to be in close proximity for the exchange to complete. Once the owner walks away, the key is out of range: the doors can no longer be unlocked and the engine will not start.
The researchers used relatively inexpensive hardware to relay the radio signal over several hundred meters. To do so, they used two sets of antennas connected to laptops. One unit is positioned next to the car, and the other one is in close proximity to the owner. When the door handle is used, the signal sent by the car is received by the first unit and then sent to the second unit over Wi-Fi or mobile data networks. The second unit then replays the request in close proximity to the key.
The key has no understanding of the car’s actual location and thus processes the replayed signal as it would the original one. Once the key sends the cryptographically generated answer, it too is captured (this time by the second unit), transmitted back to the first unit and replayed there.
Since the car receives the correct response message, it unlocks the door.
It is important to understand that this attack does not crack the secret information stored on the key in any way. Rather, it uses the real key to unlock the car while it is hundreds of meters away.
The car expects a response to its challenge within a few hundred milliseconds, so the attack is limited to distances over which the relayed data can make the round trip inside that window. Radio propagation is effectively instantaneous at these ranges; the real constraint is the latency of the link between the two relay units rather than the physical distance between car and key.
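The exchange described in the preceding paragraphs, as an added example that is not part of the original article and not UnicornTeam's tooling. It models the car, the key and the two relay units in Python; the HMAC-SHA256 challenge-response, the two-metre wake-up range, the 300 ms response window and the latency figures are assumptions chosen for illustration, not the parameters of any real vehicle.

```python
import hashlib
import hmac
import os


class KeyFob:
    """The owner's key. It answers any challenge it hears; it has no idea where the car is."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # Assumed construction: HMAC-SHA256 of the challenge under the shared secret.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Car:
    WAKE_RANGE_M = 2.0          # assumed reach of the low-power handle signal
    RESPONSE_TIMEOUT_MS = 300   # assumed "few hundred milliseconds" answer window

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def pull_handle(self, channel) -> bool:
        """Emit a fresh challenge over `channel`; unlock only on a valid, timely answer.

        `channel(challenge)` models everything between car and key and returns
        (response_bytes_or_None, elapsed_ms).
        """
        challenge = os.urandom(16)            # fresh nonce: a recorded answer is useless later
        response, elapsed_ms = channel(challenge)
        if response is None or elapsed_ms > self.RESPONSE_TIMEOUT_MS:
            return False
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def direct_channel(fob: KeyFob, distance_m: float):
    """Plain radio: the key only hears the challenge while it is within wake-up range."""
    def channel(challenge: bytes):
        if distance_m > Car.WAKE_RANGE_M:
            return None, Car.RESPONSE_TIMEOUT_MS   # silence; the car times out
        return fob.respond(challenge), 5             # assumed over-the-air turnaround
    return channel


def relay_channel(fob: KeyFob, link_latency_ms: float):
    """Two relay units joined by a network link: unit A at the car, unit B beside the owner.

    Neither unit touches the bytes. The key sees the car's exact challenge and the car
    sees the key's exact answer, so the cryptography holds and the car unlocks anyway.
    """
    def channel(challenge: bytes):
        forwarded = challenge                  # unit A -> network -> unit B replays it
        answer = fob.respond(forwarded)        # key is in range of unit B, not of the car
        returned = answer                      # unit B -> network -> unit A replays it
        return returned, 2 * link_latency_ms + 10   # two link traversals plus radio turnaround
    return channel


if __name__ == "__main__":
    secret = os.urandom(32)                    # constructed: shared secret provisioned at the factory
    car, fob = Car(secret), KeyFob(secret)
    print("owner at the door:      ", car.pull_handle(direct_channel(fob, 1.0)))          # True
    print("owner 300 m away:       ", car.pull_handle(direct_channel(fob, 300.0)))        # False
    print("relay over 40 ms link:  ", car.pull_handle(relay_channel(fob, 40.0)))          # True
    print("relay over 200 ms link: ", car.pull_handle(relay_channel(fob, 200.0)))         # False
    print("relay with wrong key:   ", car.pull_handle(relay_channel(KeyFob(b"x"), 40.0)))  # False
```

The relay never decrypts, modifies or replays an old answer; it only moves the car's fresh challenge to where the key is and the key's fresh answer back. That is why a relay with a wrong key still fails, and why the response timeout is the only thing standing in its way: once the link latency pushes the round trip past the window, the car gives up.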
What is in the car will often be a more attractive target than the car itself.
Nonetheless, the attack has great potential against high-value targets such as politicians, military leadership or executives, where the contents of the car are of far more interest to an attacker than the car itself. Once inside, an attacker may also find it easier to infect the car's own computer systems with malware for use in further attacks.
While this attack is of relatively little concern to the average consumer (attacks on cryptographically weak older key systems are the bigger threat there), it neatly illustrates a challenge faced by anyone securing hardware against cyber-attacks: the core authentication mechanism may be well designed and cryptographically sound, yet attackers routinely find flaws in the surrounding logic that let them bypass the mechanism altogether. Here the flaw is that neither car nor key ever checks how far apart they really are.
However, this attack is not the only one you need to address. Learn how to mitigate the risks of specific attacks before you find yourself reacting to a breach by reading our research reports on similar topics.