Saturday, July 06, 2013

Hardly 'hackproof': Vehicles' remote keyless entry systems vulnerable

Grits earlier mentioned that I've been spending some time post-session, as a diversion from political topics, immersing myself in the history and functioning mechanical locks and keys. But of course, these days electronically controlled locks are replacing mechanical ones in many settings, perhaps most commonly with the advent of "remote keyless entry" (RKE) for automobiles. As it turns out, the keyless locks used in many modern vehicles are just as vulnerable as the pin-tumbler lock on your front door to somebody who understands how they work.

The auto industry has relied on "security through obscurity" in this arena, hoping ignorance and a lack of technical expertise among car thieves would prevent them from bypassing RKE locks. That worked for a while, but now auto thieves have discovered how to bypass many of those systems, often more quickly than they could have 30 years ago with a "slim jim" or a pick gun. NBC's Today Show reported on June 5:
You think when you lock your car and set the alarm, your car is pretty safe. But criminals have designed a new high-tech gadget giving them full access to your car. It's so easy, it's like the criminals have your actual door remote. Police are so baffled they want to see if you can help crack the case.

A Long Beach, Calif., surveillance video shows a thief approaching a locked SUV in a driveway. Police say he's carrying a small device in the palm of his hand. You can barely see it, but he aims it at the car and pops the locks electronically. He's in, with access to everything. No commotion at all.

Then his accomplice shows up and hits another car, using that same handheld device.

Long Beach Deputy Police Chief David Hendricks is mystified. "This is bad in the sense we're stumped," he told us. "We are stumped and we don't know what this technology is."

He said it's almost like the thieves are cloning your car remote, which is virtually impossible to do. Here's why: On most cars, when you hit the unlock button, it sends a code to the car. That code is encrypted and constantly changing — and should be hackproof.
Except RKE devices are decidedly NOT "hackproof," clearly.  See more background on how thieves may be spoofing them. These vulnerabilities were known long before this recent episode in California. For example, in 2011 USA Today reported that, "Those remote key fobs nearly all automakers offer -- turns out they're fairly easy to hack so the bad guys can unlock your car and high-tail it before you even finish your shopping, Swiss researchers discovered." For that matter, here's an informative item from 2008 titled, "Hacking car security system and remote keyless entry." So at least five years ago these vulnerabilities were well known. In 2009, a commenter at Car and Driver offered up this detailed explanation of one method to bypass such systems:
it's been already over 15 years since car thieves began to use not single but double code-grabbing. with keyless entry systems it works a little more complicated, but the general principle is like this:

1) a driver comes to his car. The key in his pocket sends a code to the car to open

2) while this is performed, car thieves wirelessly capture the sent code, and instead send a wrong one to the car, which the car rejects

3) in a few seconds, the key again sends a code to the car (the "next" floating code, generated by both key and the cars safety system)

4) which thieves again capture, but then immediately send to the car the FIRST code which was captured.

5) the car unlocks (by the first code), the owner drives in a car somewhere, being followed by car thieves who have the next correct code which the car's safety system will be awaiting next

6) when driver leaves the car, thieves simple come and open the car with this "2nd" code.
Clever. Apparently, the Long Beach police and Today Show reporters don't use Google or they'd have figured this out.

This method allows thieves to open doors and trunks but not necessarily start the car. However, last year it was widely reported in Europe that BMW key fobs could be easily reprogrammed using the vehicle's onboard diagnostic port and actually start the vehicle. See here for a video explaining the details of keyfob programming and footage of BMW thieves making use of the tactic.

These vulnerabilities will apply to a huge number of cars on the road for the foreseeable future. It's easy to purchase key fob blanks and clearly knowledge of their detailed functioning is filtering down to the criminal class.

While locking technology will improve over time, historically secrecy surrounding the locksmith's trade has caused technology in that field to innovate at a snail's pace. Whereas most other technological fields operate within a relative culture of openness - e.g., the tradition of scientific publication and the filing of patents - locksmithing is a rather insular profession where detailed technical knowledge is rarely shared outside a relative handful of licensed commercial vendors. Even their trade journal restricts who can subscribe. That makes it less likely that vulnerabilities will be identified by the industry or that security upgrades will be promptly created to patch them when they're exploited by others. The development of encoded keys was one of the most significant improvements in lock technology in the 20th century. But unfortunately, we're now in the second decade of the 21st century and technology that was cutting edge two decades ago is already becoming outdated.

Bottom line: There's no such thing as a "hackproof" lock, there are only locks that no one has hacked yet. And increasingly, there aren't that many of those.


Jefe said...

Regardless of locks, your car is run by computers that are not encrypted and easily hacked.

Gritsforbreakfast said...

Exactly what allowed the BMW hack, Jefe. It's an economic thing - if they encrypt the onboard diagnostics then only the dealerships could work on them. Catch 22. Safer if they encrypt but then your neighborhood mechanic goes out of business and car repair costs double.

Brett said...

Dang, that's unfortunate to hear - I guess, in the end, it comes down to a numbers game; moral of the story, try not to park anywhere desolate?