Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Power Privacy Security Transportation IT Technology

Radio Attack Lets Hackers Steal 24 Different Car Models (wired.com) 228

An anonymous reader writes from a Wired article: A group of German vehicle security researchers has released new findings about the extent of a wireless key hack, and their work ought to convince hundreds of thousands of drivers to keep their car keys next to their Pudding Pops. The Munich-based automobile club ADAC recently made public a study it had performed on dozens of cars to test a radio 'amplification attack' that silently extends the range of unwitting drivers' wireless key fobs to open cars and even start their ignitions (in German). The ADAC researchers say that 24 different vehicles from 19 different manufacturers were all vulnerable, allowing them to not only reliably unlock the target vehicles but also immediately drive them away. "This clear vulnerability in [wireless] keys facilitates the work of thieves immensely," reads the post. "The radio connection between keys and car can easily be extended over several hundred meters, regardless of whether the original key is, for example, at home or in the pocket of the owner." [...] Here's the full list of vulnerable vehicles from their findings, which focused on European models: the Audi A3, A4 and A6, BMW's 730d, Citroen's DS4 CrossBack, Ford's Galaxy and Eco-Sport, Honda's HR-V, Hyundai's Santa Fe CRDi, KIA's Optima, Lexus's RX 450h, Mazda's CX-5, MINI's Clubman, Mitsubishi's Outlander, Nissan's Qashqai and Leaf, Opel's Ampera, Range Rover's Evoque, Renault's Traffic, Ssangyong's Tivoli XDi, Subaru's Levorg, Toyota's RAV4, and Volkswagen's Golf GTD and Touran 5T.
This discussion has been archived. No new comments can be posted.

Radio Attack Lets Hackers Steal 24 Different Car Models

Comments Filter:
  • Scary ... (Score:5, Interesting)

    by gstoddart ( 321705 ) on Tuesday March 22, 2016 @10:32AM (#51752379) Homepage

    I had this in a rental car recently, and once I figured out there was not place to put the key (never seen it before, never even occurred to me) I did wonder just how secure it was.

    So, what, it just continuously broadcasts "you can start now", with no intermediate encryption or anything? There's clearly no user interaction required to start the car (I never did get used to having the "key" in my pocket to start the car), no button to push or anything.

    TFA says "every second semester electronic student should be able to build such devices without any further technical instruction." That positively screams of something which was built to be cool, but with no real thought about security.

    I wonder if this is something which even changes on each invocation, or if you could simply record and play back the signal ... in which case this is a pretty pathetic system.

    And, once again, the security of such things is purely an afterthought when it's pointed out how trivial it is to bypass. And, once again, I say companies need to have legal liability for shit like this.

    • People have been able to use replay attacks to get into houses via garage door openers for forever. I'm surprised by the lack of strong encryption on this, but do you even need to replay? If it's just MITM as an amplifier, no intermediate decoding is needed to get in and steal belongings anyway. It's a bad design all around.

      • I'm surprised by the lack of strong encryption on this, but do you even need to replay?

        Well, think about it ... sit in a parking lot at an office or something, and passively collect a bunch of these things as people enter the building or something.

        Instead of stealing belongings, you target a bunch of cars, come back the next day with a bunch of people, and drive off with a dozen or so cars in one go.

        Why steal stuff when you can just drive off with the cars later and without needing to get the thing near eno

        • I don't think they are replay attacks. They are using MITM to amplify both sides of the conversation with the keys. The keys and car respond as if the victim is standing next to their car. Imagine a MITM HTTPS attack where the attacker didn't need to actually decrypt the data - just pass it along. So the encryption itself does nothing to protect the car.

          That's not to say they can't do it with an entire office full of people, but it's not something you could do without the victim within range of your dev

          • by sudon't ( 580652 )

            The keys and car respond as if the victim is standing next to their car.

            Doesn't the owner have to press a button, though? It'd be kinda nuts if your car unlocked and/or started everytime you walked near it, (or a window facing your driveway). Sorry, I couldn't RTFA due to some kind of pop-up, but I don't get exactly how this works.

            • The keys work via proximity (like RFID or NFC) and the iginition is a button. The door unlocks as you approach the car. And is as full of as many problems as you might imagine.

              • One nice thing is it's impossible to lock the fob in the trunk of my BMW. One day I kept closing the trunk and and the car kept opening it right back up. I was about to start swearing at the car when it occurred to me to check by briefcase. Behold, there was my fob.

                If there was a app for biometric security here it is. Wireless fob paired with the owners thumb print. Of course we could just drop our fobs into a metal card file box and close the lid. Shields the RF and makes it harder to loose the fob (don't

        • It's a rolling code so you can't replay.

          This attack is just making the key work from a few hundred meters instead of a few meters.

      • by lgw ( 121541 )

        These are in fact "MITM as an amplifier" attacks. The key works by being within a certain range of the car - typically just a few feet. Boost that signal (both ways) enough, and the car is unlocked. The practical attack seems to be to steal a car parked on the street in front of the house/building the owner is in, as otherwise it's impractical (too many potential signals, too much amplification required).

        A useful, related trick when hunting for your car in a big parking lot - you can double-triple the ra

        • These are in fact "MITM as an amplifier" attacks. The key works by being within a certain range of the car - typically just a few feet. Boost that signal (both ways) enough, and the car is unlocked. The practical attack seems to be to steal a car parked on the street in front of the house/building the owner is in, as otherwise it's impractical (too many potential signals, too much amplification required).

          A useful, related trick when hunting for your car in a big parking lot - you can double-triple the range at which your remote works to lock/unlock your car to find it by pressing the remote against the side of your head.

          Try raising it above your head. The benefit comes from the height not the RF properties of a human head.
          Telling people to touch it to their head just get them to lift it higher.

          Separate the variables. Touch the transmitter to your head, then foot and see if the range improves. Then stand on your head and touch the transmitter to your elevated foot and your ground level head. Report back with results.

          • by lgw ( 121541 )

            Here you go: a physics prof demonstrates and explains the antenna effect. https://www.youtube.com/watch?... [youtube.com]

            Sixty Symbols is a great channel for debunking commonly held physics misconceptions (whether they're right here or not).

            • His explanation is a little odd. Either the head-antenna is a more efficient isotropic antenna, so more power is being drawn from the battery, or it's creating a more directional antenna with more of the energy pointed in the direction of the car, or both.

              Maybe we should fit our key fobs with Yagis.

      • yeah - the idea that the FOB is always awake surprises me. I'd have thought pressing the button would wake it up for "30 seconds" and then go back to sleep. "I did not initiate this request"

        More modern ones apparently don't allow replay (aside from that hacker thing - geez). I remember years ago (1998) my VW Beetle had a reprogrammable FOB - one simply placed the key in the ignition, turned it "on" and for 30 seconds any FOB near the car with both buttons held down would be allowed future entry to the ca

    • Re:Scary ... (Score:5, Interesting)

      by Aaden42 ( 198257 ) on Tuesday March 22, 2016 @11:18AM (#51752809) Homepage

      It’s not a continuous broadcast. When key & car are in range, car broadcasts a challenge, and key replies. Most models only do it at door open & engine start. They don’t continuously require it since if the process failed for some reason as you’re going down the highway & the engine just cut out... Not good

      There’s some rudimentary obufscation at the protocol level, and recent-ish models have a reasonable degree of replay attack prevention. This attack appears to just amplify the radio signal in both direction with a repeater near the car & the key. You’d need one person ready to drive the car away and another to get close enough to the owner.

      It’s only going to be good for one use though. Unless you can steal the key or stay on top of the owner, the car won’t re-start after you turn it off. Maybe you could slip the repeater in their bag or something to buy a little more time, but it’s pretty limited. Okay if you’re planning to scrap the car for parts, not so much if you expect to be able to keep driving it or sell it off after stealing it. It doesn’t look like this attack does anything to clone the key or defeat the challenge/response between key & car. It just lets you carry out that C/R at a distance.

      Honestly, I might like a set of these to enable remote start at long range on my own car.

      • by tlhIngan ( 30335 )

        Itâ(TM)s not a continuous broadcast. When key & car are in range, car broadcasts a challenge, and key replies. Most models only do it at door open & engine start. They donâ(TM)t continuously require it since if the process failed for some reason as youâ(TM)re going down the highway & the engine just cut out... Not good

        It's not continuous, but on all the models I've seen, when the engine is running the key is checked quite often. If you have the engine running and then walk out wit

        • On the Honda HR-V it does appear to be polled at least every 5 seconds.

          Open door, get out and walk two steps and the car is already pinging saying the key has been removed.
          I haven't tried it, but I'd bet that if you passed the key out the window it would still do it that quickly.

        • by Lorens ( 597774 )

          It's not continuous, but on all the models I've seen, when the engine is running the key is checked quite often. If you have the engine running and then walk out with the key, the dashboard display immediately displays a warning that the key is no longer in the vehicle. Usually if this condition persists for about 5 minutes, the engine will shut off.

          TFA says that "usually" thieves drive away, even refueling while leaving the engine running, to get out of the country and be able to circumvent protections at leisure.

      • by eth1 ( 94901 )

        One start is plenty. It just needs to be driven somewhere out of the way, after which it can be ransacked for valuables/ID theft material at leisure. Then an accomplice can come pick it up with a tow truck/trailer to part it out, or whatever.

        It means all of the suspicion-generating activity can be done out of view. No one would give a second look at someone getting into a car and driving away. Nor would they pay much attention to someone "having car trouble" taking stuff out of a car while it's being loaded

      • by sudon't ( 580652 )

        Unless you can steal the key or stay on top of the owner, the car won't re-start after you turn it off.

        As long as you can get it to the chop shop, that's not a problem. Even if they weren't using the car merely for parts, I imagine this system could be replaced.

    • I started typing a long, in-depth reply but it's easier to just link to the Wikipedia article [wikipedia.org] as it covers your questions pretty thoroughly.

  • Pudding pops? (Score:5, Interesting)

    by DNS-and-BIND ( 461968 ) on Tuesday March 22, 2016 @10:39AM (#51752439) Homepage

    "their work ought to convince hundreds of thousands of drivers to keep their car keys next to their Pudding Pops"

    Huh? Pudding pops? What does that even mean? I thought the new Slashdot management was going to get rid of these horrible summaries that don't make any sense. Since the word is capitalized, I assume this means Jell-O Pudding Pops? The frozen snack from the 80s? They stopped making these a long, long time ago [amazon.com]. So you should keep your key fob in the freezer? How does that help?

    • Re:Pudding pops? (Score:5, Informative)

      by Anonymous Coward on Tuesday March 22, 2016 @10:43AM (#51752485)

      Freezer = faraday cage.

    • I think so. I believe it's a common practice for people who want to horde/hide stuff to hide it in their freezers. I think the statistic on that is 1 in every 4 Americans.
    • by Nidi62 ( 1525137 )

      "their work ought to convince hundreds of thousands of drivers to keep their car keys next to their Pudding Pops"

      Huh? Pudding pops? What does that even mean? I thought the new Slashdot management was going to get rid of these horrible summaries that don't make any sense. Since the word is capitalized, I assume this means Jell-O Pudding Pops? The frozen snack from the 80s? They stopped making these a long, long time ago [amazon.com]. So you should keep your key fob in the freezer? How does that help?

      I just assumed this was a hidden slashvertisement for a new car security service led by Bill Cosby.

    • by Khyber ( 864651 )

      "Huh? Pudding pops? What does that even mean?"

      If you can't figure out that this means "Put your shit in a faraday cage like a freezer" then you are showing either your ignorant youth or your increasing senility.

      Given your UID, I'll have to assume the latter.

      • by OzPeter ( 195038 )

        "Huh? Pudding pops? What does that even mean?"

        If you can't figure out that this means "Put your shit in a faraday cage like a freezer" then you are showing either your ignorant youth or your increasing senility.

        Or you don't have a shared cultural reference that allows you to connect the dots.

        Protip .. the internet doesn't end at the boarders of the USA.

      • If you can't figure out that this means "Put your shit in a faraday cage like a freezer" then you are showing either your ignorant youth or your increasing senility.

        Or maybe didn't grow up in your city with your parents and your diet. What the heck is a Pudding Pop anyway? And why would you keep Pudding in a freezer. That would just make it go hard.

        • And why would you keep Pudding in a freezer. That would just make it go hard.

          Being put in a freezer has quite the opposite effect on me...

        • by lgw ( 121541 )

          Pudding Pops were frozen snack, with Bill Cosby in their TV ads. There's a recent meme from those ads, good joke material given the recent allegations against him. Whether you're old and savvy, or young and hip, you should get the reference.

          • you should get the reference.

            I don't think you quite get how localised some of the things you consider everyone should know really are.
            Bill Cosby? I've never seen him in an advert. Actually I think I've seen him more in the news than in any TV show (though at least I know he was in a TV show).

            • by lgw ( 121541 )

              I'm guessing from your UID that you weren't a kid in the 80s, or weren't watching US TV programs (even those that went abroad). TV Guide called it "TV's biggest hit in the 80s".

              • by OzPeter ( 195038 )

                TV Guide called it "TV's biggest hit in the 80s".

                You know you are not going to win an argument about specialized localization if you offer up the fact that a US based company called a US TV show a big hit, from which the main US based character was advertising a US based food product.

                • by lgw ( 121541 )

                  Slashdot is a US-centric site. Expect US-centric cultural references. Also, it's called "soccer", football is the US sport. :p

    • Re:Pudding pops? (Score:4, Informative)

      by gstoddart ( 321705 ) on Tuesday March 22, 2016 @11:39AM (#51753043) Homepage

      Well, there's this:

      After having his Prius burgled repeatedly outside his Los Angeles home, the New York Times' former tech columnist Nick Bilton came to the conclusion that the thieves must be amplifying the signal from the key fob in the house to trick his car's keyless entry system into thinking the key was in the thieves' hand. He eventually resorted to keeping his keys in the freezer.

      Cuz, you know, Pudding Pops are frozen. And go really nicely with quaaludes, apparently [realitytvscandals.com]. ;-)

    • Huh? Pudding pops? What does that even mean?

      I too was somewhat puzzled with that one since I didn't bother RTFA and thought it was probably something American that nobody outside the USA would know of. Some pondering of the summary led me to conclude that it was something kept in the fridge since that would block radio signals, although other comments seem to indicate that they are stored in a freezer. Same difference, one might think, but even though car keys tend to have big plastic grips there's still enough exposed metal that I'd favour the fridg

      • ...it was probably something American that nobody outside the USA would know of.

        ...or anyone inside the USA who wasn't a total fat-ass at the time; for the rest of us, well some cultural references were meant to die a healthy death.

    • by sudon't ( 580652 )

      They stopped making these a long, long time ago

      Interesting. The disappearance of Pudding Pops coincides with the disappearance of Quaaludes. Coincidence?

  • Our lives aren't significantly enhanced by wireless keys. Are they?
    • by swb ( 14022 )

      If you haven't owned a car with keyless drive like this, you can't imagine how convenient it is to just walk up to locked car, open the door and drive away without digging out a ring of keys.

      I can go days without ever taking my keys out of my coat pocket.

      • LOL, hmmm ... I wonder if the rental Jetta I just had opened the doors as well with that thing.

        I'll feel like a right fool if I could have just walked up to it and opened the door instead of pulling out the fob to open the doors and then putting it back in my pocket before I got in.

        Because that struck me as kind of a waste of time.

        I was so baffled when I first couldn't figure out where to put the key to start the car it never even occurred to me it opened the doors as well. I spent over 5 minutes trying to

      • by gnupun ( 752725 )

        you can't imagine how convenient it is to just walk up to locked car, open the door and drive away without digging out a ring of keys.

        Wouldn't it be even more convenient if the doors had no locks at all? No need to worry about keys at all. The point of security and keys is to trade convenience for security... more the security, higher the inconvenience.

        BTW, if you're at a gas station and outside the car but close enough for the car to detect the key, wouldn't this be enough for a thief to enter the car and

      • by Macdude ( 23507 )

        All security is inconvenient. If it's convenient it's not secure. It's really convenient to leave your front door open so that you can just walk in, it's not very secure.

        Security is a trade off, you balance your convenience with your security at whatever point you feel comfortable. Does the convenience of using just a fingerprint to access your phone justify the level of security it offers? If so then use it. If not, don't. You don't get to complain that your convenient security didn't turn out to be very s

    • Our lives aren't significantly enhanced by wireless keys. Are they?

      Oh yes they are. Have you not heard of the Heisenberg Shopping Principle? The one that states the key to your car is always in the pocket of the hand most heavily loaded with shopping bags?

      Actually funny side story I lost my keys once. I was about to go back up to my apartment and check there but then I thought I'll see what happens if I push the start button, and sure enough the keys were under my car seat.

  • To be honest this wasn't entirely a surprise, wireless I have to admit is very convenient thou and well as they say there's a fine balance between convenience and security. On the other hand a lot of modern cars feature systems such as OnStar which means your vehicle can be tracked or disabled by the manufacturer so they're not exactly the most ideal cars to try to steal.

    And no, these keys are encrypted but the problem is they're using a "range-extender" to make make it seem like your key is right next to

  • by selectspec ( 74651 ) on Tuesday March 22, 2016 @10:49AM (#51752549)

    Solution:

    (Assuming the key/car are using private/public key pairs)

    You'd have to put a reasonably accurate clock in the key, and then have it encrypt and send timestamps to the vehicle using a sequence of rapidly fired request messages followed by response messages.

    The car could then decrypt the messages and compare the timestamps from the sequence of messages measuring the distance between the key and the car. The clock in the key would have to have similar accuracy to a laser ranger finder.

    The actual protocol would be a bit more complicated in the details, but the basics outlined above are what is needed.

    • by ledow ( 319597 )

      Or just make the user press a button to actually unlock / start their car.

      Which seems a fecking good idea anyway.

      All this "do things from out of visual range" junk is just asking for trouble when you have to a) touch the door to open it anyway and b) touch the pedals/wheel to drive it anyway.

    • Much simpler solution: the car should not wait more than 40 light-meters for the second, previously-encrypted answer from the key.

      Then again, most people right now need mitigation measures. I am not sure if removing the battery from the key is a good one - the design is bad enough to expect the key forgetting the data when left without power.
    • by idji ( 984038 )
      Light travels 1 meter in 3 nanoseconds. At 1GHz light travels 30 centimeters per clock cycle. You'd need a very fast response in everything. Even the Large Hadron Collider and the Italians had problems resolving nanosecond level timing problems.
      • This problem has been solved in TOF laser range finders, like the hand held ones used on golf courses. An expander chip takes the incoming analog signal and stretches it out a million times with considerable precision. The signal can then be analyzed by standard low cost and low power processors.

        The challenge here is that instead of a reflecting laser, you have the call/process/response in the equation. That process time will be orders of magnitude larger than the signal traversal. So, you'd have to hav

  • by swb ( 14022 ) on Tuesday March 22, 2016 @11:01AM (#51752661)

    They could add a secure lock mode, where if you affirmatively press the lock button on the keyfob, the car will require an affirmative unlock press on the keyfob and not unlock based on the "presence" of the keyfob.

    I also wonder why they couldn't have some means of shutting off the radio in the keyfob so it didn't produce a signal that could be relayed to the car. Maybe a motion sensor in the keyfob that when it wasn't moved for a period of time would shut off its radio completely until enough movement woke it up.

    • They could add a secure lock mode, where if you affirmatively press the lock button on the keyfob, the car will require an affirmative unlock press on the keyfob and not unlock based on the "presence" of the keyfob.

      Reminds me of a convertible we owned. One press on the key locked the car. A second press on the key locked the lock so you couldn't just reach over the window through the open roof and unlock the door.

  • Years ago you could open your neighbour garage door with a radio transceiver and a tape recorder. Today you can't because all of them use ROLLING CODES.

    Does this mean car FOBs don't use rolling codes?!?!

    • by Khyber ( 864651 )

      "Today you can't because all of them use ROLLING CODES."

      Wrong! Cars now days have the means to tune into the rolling code transmission (this is how newer cars have the ability to 'program' them with your garage door's rolling code, so you can open your garage door by pressing a button on your steering wheel or whenever the car detects it is getting near your home.)

  • by fraxinus-tree ( 717851 ) on Tuesday March 22, 2016 @11:07AM (#51752703)
    The doors never ever had locks (and even if they had, you can fold the tent without tools or access from the inside). It starts with a button on the dashboard.

    And then, you need to know how to drive it, be strong enough to actually do that, and a good reason to steal a pile of soviet-era rust. It is a very good city car.
  • and if it happens to your rental discover will not cover you. That will be 22K

    They may or may not of used a hack to take the car but as a renter you will be on the hook if they fail to update there car software.

    http://elliott.org/should-i-ta... [elliott.org]

  • by Knightman ( 142928 ) on Tuesday March 22, 2016 @11:21AM (#51752859)

    Do car makers really have good incentives to fix their security?

    Not really, since they can sell a new car paid by the insurance company when someones car gets stolen. The only downside is negative reporting - but that can be fixed by massive ad-campaigns; just look at VAG, they are running ads like crazy in Europe right now, but they have dropped their tag-line "vorsprung durch technik" (lead by technology). I guess they don't want to use the new and improved tag-line "vorsprung durch betrug" (lead by cheating).

    The whole wireless key fob thing is a pure convenience thing that when it fails becomes extremely inconvenient because convenience is security's biggest enemy. I can't understand that people would accept that their car have no physical security to speak of since it is quite a huge investment for many people.

    The only mitigation I can think of if you still want the convenience of a wholly wireless key fob is that they introduce a check for max latency for the key-challenge response which is like 27 picoseconds(?) for a 4 meter radius not including the electronics internal response time. This means of course that the timing of the key exchange must be wholly deterministic.

  • . . . my car starts in German.

  • Do you call the person who uses a slim-jim (not the meat sticks), lock picks or a slide hammer to steal your car a lock smith? No we call them car thieves. Simple, plain ol' un-glamorous car thieves. It IS useful to know the car makers are so stupid as to make car entry systems as simple as this, BUT, this is NOT hacking. It is practice for breaking and entering.
  • At least so far, no Tesla. This id interesting Considering that in 1.5 years they are expected to make a huge impact.
  • by marciot ( 598356 ) on Tuesday March 22, 2016 @11:36AM (#51753013)

    This could be solved by two factor authentication. Not only would the key fob transmit a radio signal, but you would also need a metallic dongle with uniquely coded grooves that when inserted into a specialized slot would engage a mechanical door release mechanism.

  • by burtosis ( 1124179 ) on Tuesday March 22, 2016 @11:39AM (#51753041)
    Many of these manufacturers plan on creating autonomous vehicles as well. Yet they DGAF about security, sometimes on this embarrassing of a level. I'm eager to see how that plays out, except perhaps for the inevitable deaths.
  • That'll teach you to buy a car that doesn't use a plain-old physical key you insert into a lock.

    While I'm on the subject, any car that has any sort of wireless systems built into it needs to have a hardwired switch you use to turn OFF the transceivers completely, so the car is isolated and can't be hacked into wirelessly.
  • Only has physical locks. #Baseline.
  • That is in 1960s/1970s can easily use a slim-jim or a coat hanger (bent with small hook), stick inside door at window line, push down and up until the hook grabs the mechanism and the door lock button pops up. I remember when a friend left keys in car, called a locksmith and arrived on scene, 5 seconds later unlocked the car with a slim-jim. His reaction, "well why in the hell even lock the car in the first place!!!" Then can easily hot wire the car by reaching under and digging up the wires. For column key

  • So, to defeat this attack, keep the key in a Faraday cage.
    Maybe inside my foil-lined wallet next to my NFC cards, then.

  • Wired.com will not permit access unless your web browser will run every script that every malware distributor who buy ads on every one of the ad server companies they use. Oh HELL no! I do not block ads. I do run NoScript, though. I would enable wired.com, but I'm not going to blanket allow all the malware-distributing ad servers.
  • Lexus of some sort, it was a car, not an RX wagon.

    Parked at McDonald's in Miami, a white van pulls up, not a minute later a guy from the van pops the door with his hand and just drives away. Security camera recorded it.

    Car was found later, no signs of forced entry.

Feel disillusioned? I've got some great new illusions, right here!

Working...