If you drive a keyless car that lets you in when it picks up on your key fob’s radio signal, you’d be wise to push aside the ice cream and make room in your freezer to stash that fob.
A new study, released last week by the Berlin-based automobile club ADAC, has found that thieves can use a $225 signal booster to fool cars into thinking their owners are nearby, thereby easily unlocking the cars and even starting them up: a silent theft that doesn’t leave a scratch.
A translated excerpt from the ADAC’s site:
The radio connection between keys and car can easily be extended over several hundred meters, regardless of whether the original key is, for example, at home or in the pocket of the owner.
The ADAC says that the attack allows thieves to also overcome a car’s alarm system.
What’s particularly insidious about this type of attack is that the car will keep running, without a key, until it runs out of gas.
But even an empty tank won’t necessarily stop a thief, since he can still fill the tank with the engine running, the ADAC says.
As Wired notes, passive keyless entry systems’ vulnerability to having their radio signals boosted in this type of theft isn’t new: Swiss researchers published a paper demonstrating a similar radio-amplification attack back in 2011.
What’s new here is how cheap it is to pull off the theft.
The Swiss researchers relied on radios costing thousands of dollars to carry out their attacks, but the ADAC researchers said they could do it for far less: they could pull it off with only $225 in commercial electronics components.
The ADAC published a list of the 24 vulnerable car models.
The list includes the Audi A3, A4 and A6, BMW’s 730d, Citroen’s DS4 CrossBack, Ford’s Galaxy and EcoSport, Honda’s HR-V, Hyundai’s Santa Fe CRDi, KIA’s Optima, Lexus’s RX 450h, Mazda’s CX-5, MINI’s Clubman, Mitsubishi’s Outlander, Nissan’s Qashqai and Leaf, Opel’s Ampera, Range Rover’s Evoque, Renault’s Trafic, SsangYong’s Tivoli XDi, Subaru’s Levorg, Toyota’s RAV4, and Volkswagen’s Golf GTD and Touran 5T.
As Wired reports, the researchers’ attempts to get into the cars were foiled by only one model – the BMW i3. They were still able to start the i3’s ignition, though.
The ADAC shared what appears to be surveillance footage of thieves stealing a car.
Wired talked to the researchers and gives this description of how they pulled off the attack with a pair of radio devices:
[O]ne is meant to be held a few feet from the victim’s car, while the other is placed near the victim’s key fob. The first radio impersonates the car’s key and pings the car’s wireless entry system, triggering a signal from the vehicle that seeks a radio response from the key.
Then that signal is relayed between the attackers’ two radios as far as 300 feet, eliciting the correct response from the key, which is then transmitted back to the car to complete the “handshake.”
The full attack uses only a few cheap chips, batteries, a radio transmitter, and an antenna, the ADAC researchers say, though they hesitated to reveal the full technical setup for fear of enabling thieves to more easily replicate their work.
Though they were reticent about teaching would-be thieves how to copy their devices, ADAC researcher Arnulf Thiemel told Wired that it’s so simple that “every second semester electronic student should be able to build such devices without any further technical instruction.”
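The handshake Wired describes can be modelled in a few lines to show why a relayed response is still a valid one. This is an added simulation, not code from the ADAC, Wired or this article: an HMAC challenge-response stands in for the fob protocol, which the researchers did not publish, fob processing time is ignored, and the round-trip-time limit is an illustrative countermeasure the article does not mention. The key, distances and delays are constructed.

```python
import hashlib
import hmac
import os

C = 299_792_458.0          # speed of light in m/s
CAR_KEY = os.urandom(16)   # constructed secret shared by the car and its fob

def fob_respond(fob_key, challenge):
    """Fob side: answer whatever challenge arrives with a keyed MAC."""
    return hmac.new(fob_key, challenge, hashlib.sha256).digest()

def rtt_bound(max_distance_m):
    """Longest round trip a fob within max_distance_m could produce."""
    return 2 * max_distance_m / C

def handshake(path_m, relay_delay_s=0.0, max_rtt_s=None, fob_key=None):
    """Car side. Returns (accepted, round_trip_seconds).

    path_m        -- total signal path from car to fob, relayed or not
    relay_delay_s -- latency the relay hardware adds in each direction
    max_rtt_s     -- optional round-trip limit (hypothetical countermeasure)
    """
    fob_key = CAR_KEY if fob_key is None else fob_key
    challenge = os.urandom(16)
    # A relay forwards the bytes unchanged, so the fob answers a genuine
    # challenge and the car receives a genuine response.
    response = fob_respond(fob_key, challenge)
    rtt = 2 * path_m / C + 2 * relay_delay_s
    expected = hmac.new(CAR_KEY, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(response, expected):
        return False, rtt          # wrong key: cryptography catches this
    if max_rtt_s is not None and rtt > max_rtt_s:
        return False, rtt          # right key, but the fob is too far away
    return True, rtt

if __name__ == "__main__":
    limit = rtt_bound(3.0)         # constructed policy: fob within 3 m
    for label, kwargs in [
        ("fob beside car, no timing check", dict(path_m=1.0)),
        ("relayed 300 ft, no timing check", dict(path_m=91.44, relay_delay_s=50e-9)),
        ("relayed 300 ft, timing check", dict(path_m=91.44, relay_delay_s=50e-9, max_rtt_s=limit)),
        ("fob beside car, timing check", dict(path_m=1.0, max_rtt_s=limit)),
    ]:
        accepted, rtt = handshake(**kwargs)
        print(f"{label}: accepted={accepted}, rtt={rtt * 1e9:.1f} ns")
```

The response is cryptographically identical in the direct and relayed cases; only the elapsed time differs, which is why a valid response alone says nothing about where the key is.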
There’s not much that keyless-car owners can do to protect their rides from getting ripped off, beyond ensconcing their key fobs in refrigerators or some other Faraday cage that can block radio signals.
But as Thiemel told Wired, even a refrigerator might not do the trick: as it is, the researchers don’t really know how much metal shielding you’d need to block variable strengths of amplification attacks.
At any rate, the responsibility for closing this vulnerability should rest with manufacturers, he said:
It is the duty of the manufacturer to fix the problem. Keyless locking systems have to provide equal security [to] normal keys.
The car manufacturers can add wireless key entry systems to a growing list of hacking vulnerabilities. As it is, the FBI and the US National Highway Traffic Safety Administration last week put out a public safety announcement about the dangers of cars getting hacked.
The bureau noted that risks come with the increasing number of computers in vehicles, in the form of electronic control units (ECUs) that control a wide array of functions, from steering, braking and acceleration to lights and windshield wipers. Many of these have wireless capability, be it keyless entry, ignition control, tire pressure monitoring, or diagnostic, navigation and entertainment systems.
Security researchers have been able to take over cars remotely because automakers don’t always do a good job of limiting how car systems interact with wireless communications. What’s more, even cars that aren’t internet-enabled can be taken over via third-party devices that introduce connectivity, such as through the diagnostics port.
Remote exploits have included security researchers Chris Valasek and Charlie Miller taking over a 2014 Jeep Cherokee, controlling the car’s brakes, accelerator, steering and more by wireless connection: a demonstration that resulted in more than 1 million Fiat Chrysler vehicles being recalled for patching.
The US’s top auto safety regulator vowed in January that it will step in if the auto industry doesn’t act on the mounting cybersecurity risks of connected cars.
As Automotive News reports, the National Highway Traffic Safety Administration “currently lacks regulations for the security protocols governing the roughly 100 million lines of software code used to control many functions in modern cars.”
Having an expensive car stolen because of vulnerable key fobs? That’s bad enough.
But having no regulations in place when it comes to cars that can be forced off the road and into a ditch, or worse?
It hasn’t happened in the real world yet, as far as we know, but security researchers have shown that it can.
That makes the lack of regulation quite literally a car wreck, just waiting to happen.