Dude, where’s my car? Vehicle hacking trends & analysis – #8 in the series
Real World Attack-Key Fob Attack
The key fob presents its own set of issues involving its wireless transmission as the mode of communication. The German automobile club ADAC released a report demonstrating how to break into cars produced by nineteen different manufacturers and twenty four vehicle models (Tatarevie, 2016). This attack involves the passive keyless Entry and Commence (PKES). This is also known as the remote keyless entry (RKE). This has been a vulnerability since at least two thousand eleven (Francillon, Daner, & Capkun, 2011). In effect this permits the car to be unlocked and commenced (Vaas, 2016). The attacker could keep the car running until the vehicle would run out of gas.
The affected vehicles are the Audi (A3, A4, and A6), Mazda CX-5, Toyota RAV-4, BMW 730d, Citroen DS4 Crossback, Ford (Galaxy and Eco-Sport), Honda HR-V, Hyundai Sante Fe CRDi, Kia Optima, Lexus RX 450h, Mini Clubman, Mitsubishi Outlander, Nissan (Qashqal and Leaf), Opel Ampera, Range Rover Evoque, Renault Traffic, Ssangyong Tivoli XDi, Suburu Levorg, and Volkswagen (Golf GTD and Tauron 5T) (Vaas, 2016; Zorz, 2016b).
The key fob contains the radio frequency identification chip. The old attack required the attacker to be very close to the vehicle (Crilly, 2015). The fresh equipment mitigates this with the signal extension. This was done with ADAC building the two devices that extended the service (Tatarevic, 2016). This equipment is not costly at $225 (Zorz, 2016).
The attack method is rather direct and straight-forward. A is holding a instrument a few feet from the target’s car. B is near the fob. A impersonates the car’s key and pings the car’s wireless entry system, triggering a signal form the vehicle that seeks a radio response from the key. The signal is relayed inbetween A and B’s equipment up to three hundred feet. The correct response is elicited from the key, which is transmitted back to the vehicle (Vaas, 2016).
The defense for this is to shield the key with metallic shielding or a faraday cell or eliminate the battery (Francillon, Daner, & Capkun, 2011). These modes of defense are not very practical, but do work.
Zorz, Z. (2016b, March 23). Cheap radio attack can be used to unlock and steal twenty four car models. Retrieved from https://www.helpnetsecurity.com/2016/03/23/cheap-radio-attack-unlock-steal-cars/
Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.
Mr. Parker has matriculated and attained the MBA, MSA, JD, LLM, and is in the final stage of the PhD in Information Assurance and Security (ABD) from Capella University. Mr. Parker’s areas of interest include cryptography, AV, and SCADA.
No comments