How to Unlock Millions of Autos

Tuesday, August 16, 2016 @ 10:08 AM gHale


There is a way to unlock millions of cars from multiple auto makers around the world.

“While most automotive immobilizer systems have been shown to be insecure in the last few years, the security of remote keyless entry systems (to lock and unlock a car) based on rolling codes has received less attention,” said Researchers Flavio D. Garcia, David Oswald, and Pierre Pavlidès from the School of Computer Science, University of Birmingham, UK, and Timo Kasper, Kasper & Oswald GmbH, Germany, in a paper. “We close this gap and present vulnerabilities in keyless entry schemes used by major manufacturers.

RELATED STORIES
Black Hat: Hacking a Car, Again
Zero Days in BMW Web Portal
SUV Hack via Wi-Fi
Radio Attack Breaks into Autos
Tips on Securing a Vehicle

The researchers devised two attacks:
• One that target cars of the Volkswagen Group (VW, Seat, Škoda, and Audi), and includes recovering the cryptographic algorithms and keys from electronic control units that allows them to clone the signal that will open the car
• The second takes advantage of the cryptographically weak cipher in the Hitag2 rolling code scheme used by Alfa Romeo, Chevrolet, Peugeot, Lancia, Opel, Renault, Ford and other car makers. The result of the attack is the same: An unlocked car.

“Our findings affect millions of vehicles worldwide and could explain unsolved insurance cases of theft from allegedly locked vehicles,” the researchers said in the paper on the subject.

The attacks are perhaps not extremely easy to execute, as they require specific technical knowledge and effort, but the hardware tools required to pull them off are accessible to anyone.

One case in point, an Arduino-based RF transceiver costs less than $40, and can eavesdrop and record rolling codes, emulate a key, and perform reactive jamming.

Both attacks can end up performed in minutes. The researchers did not probe the security of the remote control systems installed on all of the vehicles manufactured by the aforementioned automakers, but those they managed to compromise are present (in VW’s case) on hundreds of millions of cars, most of which are probably still being driven around.

While these attacks do not allow the attacker to start the car and drive away with it, they can be paired with attacks that allow that, the researchers said.

Also, stealing valuable objects from inside the car is easy enough to do without leaving a trace on how the car was accessed – victims might even think they forgot to lock the car.

There is not much car owners can do about this problem, apart from not leaving valuable things in their cars, and from using the remote control system altogether.

“Completely solving the described security problems would require a firmware update or exchange of both the respective ECU and (worse) the vehicle key containing the remote control,” the researchers said.

The team said they do not know if attacks are currently carried out by criminals, but that it’s likely they are.

“There have been various media reports about unexplained theft from locked vehicles in the last years. The security issues described in this paper could explain such incidents,” they said.

Click here to download the paper and find a list of affected cars.