If you drive a keyless car that lets you in when it picks up on your key fob’s radio signal, you’d be wise to push aside the ice cream and make room in your freezer to stash that fob.
A new study, released last week by the Berlin-based automobile club ADAC, has found that thieves can use a $225 signal booster to fool cars into thinking their owners are nearby, thereby easily unlocking the cars and even starting them up: a silent theft that doesn’t leave a scratch.
The study was first reported by the German business magazine WirtschaftsWoche and then picked up by Wired.
A translated excerpt from the ADAC’s site:
The radio connection between keys and car can easily be extended over several hundred meters, regardless of whether the original key is, for example, at home or in the pocket of the owner.
The ADAC says that the attack allows thieves to also overcome a car’s alarm system.
What’s particularly insidious about this type of attack is that the car will keep running, without a key, until it runs out of gas.
But even an empty tank won’t necessarily stop a thief, since he can still fill the tank with the engine running, the ADAC says.
As Wired notes, passive keyless entry systems’ vulnerability to having their radio signals boosted in this type of theft isn’t new: Swiss researchers published a paper demonstrating a similar radio-amplification attack back in 2011.
What’s new here is how cheap it is to pull off the theft.
The Swiss researchers relied on radios costing thousands of dollars to carry out their attacks, but the ADAC researchers said they could do it for far less: they could pull it off with only $225 in commercial electronics components.
The ADAC published a list of the 24 vulnerable car models.
The list includes the Audi A3, A4 and A6, BMW’s 730d, Citroen’s DS4 CrossBack, Ford’s Galaxy and Eco-Sport, Honda’s HR-V, Hyundai’s Santa Fe CRDi, KIA’s Optima, Lexus’s RX 450h, Mazda’s CX-5, MINI’s Clubman, Mitsubishi’s Outlander, Nissan’s Qashqai and Leaf, Opel’s Ampera, Range Rover’s Evoque, Renault’s Traffic, Ssangyong’s Tivoli XDi, Subaru’s Levorg, Toyota’s RAV4, and Volkswagen’s Golf GTD and Touran 5T.
As Wired reports, the researchers’ attempts to get into the cars were foiled by only one model – the BMW i3. They were still able to start the i3’s ignition, though.
The ADAC shared what appears to be surveillance footage of thieves stealing a car:
Wired talked to the researchers and gives this description of how they pulled off the attack with a pair of radio devices:
[O]ne is meant to be held a few feet from the victim’s car, while the other is placed near the victim’s key fob. The first radio impersonates the car’s key and pings the car’s wireless entry system, triggering a signal from the vehicle that seeks a radio response from the key.
Then that signal is relayed between the attackers’ two radios as far as 300 feet, eliciting the correct response from the key, which is then transmitted back to the car to complete the “handshake.”
The full attack uses only a few cheap chips, batteries, a radio transmitter, and an antenna, the ADAC researchers say, though they hesitated to reveal the full technical setup for fear of enabling thieves to more easily replicate their work.
Though they were reticent about teaching would-be thieves how to copy their devices, ADAC researcher Arnulf Thiemel told Wired that it’s so simple that “every second semester electronic student should be able to build such devices without any further technical instruction.”
There’s not much that keyless-car owners can do to protect their rides from getting ripped off, beyond ensconcing their key fobs in refrigerators or some other Faraday cage that can block radio signals.
But as Thiemel told Wired, even a refrigerator might not do the trick: as it is, the researchers don’t really know how much metal shielding you’d need to block variable strengths of amplification attacks.
At any rate, the responsibility for closing this vulnerability should rest with manufacturers, he said:
It is the duty of the manufacturer to fix the problem. Keyless locking systems have to provide equal security [to] normal keys.
The car manufacturers can add wireless key entry systems to a growing list of hacking vulnerabilities. As it is, the FBI and the US National Highway Traffic Safety Administration last week put out a public safety announcement about the dangers of cars getting hacked.
The bureau noted that risks come with the increasing number of computers in vehicles, in the form of electronic control units (ECUs) that control a wide array of functions, from steering, braking, acceleration, on up to lights and windshield wipers, many of which have wireless capability, be it keyless entry, ignition control, tire pressure monitoring, and diagnostic, navigation, and entertainment systems.
Security researchers have been able to take over cars remotely because automakers don’t always do a good job at limiting how car systems interact with wireless communications. What’s more, even cars that aren’t internet-enabled can be taken over via third-party devices that introduce connectivity, such as through the diagnostics port.
Remote exploits have included security researchers Chris Valasek and Charlie Miller taking over a 2014 Jeep Cherokee, controlling the car’s brakes, accelerator, steering and more by wireless connection: a demonstration that resulted in more than 1 million Fiat Chrysler vehicles being recalled for patching.
If the auto industry doesn’t act on the mounting cybersecurity risks of connected cars, the US’s top auto safety regulator in January vowed that it will step in.
As Automotive News reports, the National Highway Traffic Safety Administration “currently lacks regulations for the security protocols governing the roughly 100 million lines of software code used to control many functions in modern cars.”
Having an expensive car stolen because of vulnerable key fobs? That’s bad enough.
But having no regulations in place when it comes to cars that can be forced off the road and into a ditch, or worse?
It hasn’t happened in the real world yet, as far as we know, but security researchers have shown that it can.
That makes the lack of regulation quite literally a car wreck, just waiting to happen.
Image of Frozen pork chop courtesy of Shutterstock.com
Mahhn
Da Benz is safe for now :)
Alan Robertson
Put the key in any sealed metal box – biscuit tins work well. This works for mobile phones too. If you are concerned it might leak any RF then put a battery powered radio in the box and close the lid – it should not be able to receive the station it is tuned too.
If you really feel like giving yourself sleepless nights try looking at 433MHz with SDR. You will find that over half the rolling code doesn’t change….
As ever if you are worried about theft apply some common sense – well lit areas / locked garage / physical anti-theft devices / CCTV etc. all help.
David Pottage
The way I see it, the real problem with these technical attacks is not that they are possible, but convincing your insurance company that they have happened. Putting your car key in a metal box would help with this particular attack, but what about the next one? What happens if the crooks find a way to unlock the car remotely over the internet, or find a vulnerability in the remote unlocking algorithm so that a specially crafted unlock request will unlock the car or start the engine without knowing the crypto key. With any of these attacks the first thing that most people will know about is that their car vanishes from outside their house in the middle of the night, with no sign of forced entry.
The solution then is not to find a way to defeat a particular attack, but to make sure there is evidence that one has happened. If I owned a modern luxury car that might be vulnerable to this sort of thing, I would mount a CCTV camera on my house, so that if my car mysteriously vanished, I would have a recording showing the crooks taking it, which should be enough to convince my insurers that there realy was a theft, and not that I had been careless with my keys or suchlike.
justiceISfake
your insurer wont care if you left your keys in the car and it was stolen… its still a stolen vehicle.
Steven
WRONG. Many insurance policies SPECIFICALLY exclude theft due to leaving the keys in the car.
TFS
Most Toyota remote key fobs, (at least those after 2016, and possibly earlier) can be turned OFF, by holding the LOCK button, and pressing the UNLOCK button TWICE. The LED then flashes four times to confirm. If you then try and use the door handle to open the car, it will not work. You have to re-activate the fob by pressing the UNLOCK button. This is also useful for long-term storage of a spare key, to ensure that it does not go flat over time.
Many new cars, like the BMW Mini have a motion detector in the fob. After 40 seconds with no movement, the fob turns the Wireless signal off.