BMW, Audi and Toyota cars can be unlocked and started with hacked radios (telegraph.co.uk)
154 points by bb101 on March 23, 2016 | 115 comments



This was covered in depth on the Security Now podcast in May 2015 (Transcript [1]). The Passive Keyless Entry and Start (PKES) system relies on the assumption that if the car can "hear" the key, the key is in close proximity. Normally that's true, but it is technically trivial to build a radio system that picks up and amplifies the car's continuous "ping" transmissions. So the key, which might be in your pocket in a restaurant, hears its car's ping, it responds, and the bad guys pick that up and amplify it and the car says, ok, key is here, open the door.

[1] https://www.grc.com/sn/sn-508.htm


I used to enjoy listening to Security Now! quite a bit, but then I began to feel and read that Steve is not the security expert he claims to be. I'd like to hear corroborating or opposing views from the HN community.

Side note: if you have a great infosec podcast to recommend, please share!


http://risky.biz/ is a great security podcast.

For me the earlier stuff from SN was far better, but now it is mainly adverts and talk about non security stuff.


A big +1 for risky business - I've been listening to Patrick's podcast for well over five years and will happily advocate for the quality of the coverage.


I think they're trying to restart Exotic Liability, that was good back when it was running. I loved the rants.

There are a few others out there but none worth mentioning.


Wow, that's an interesting hack. I can't think of any workarounds either.

EDIT: As pointed out in a comment elsewhere in this thread:

> The simplest defeat is to require the key ping round trip to complete in N microseconds, where N is sufficiently low. Researchers have demonstrated that this is a practical solution.


> Wow, that's an interesting hack. I can't think of any workarounds either.

Don't Have Keyless Entry.

It's getting to the point where I don't think I'll ever buy a car made after the early 2010s.


On my Toyota Prius, it's possible to turn off the keyless entry system in the car's settings IIRC. You'd then have to use the removable key in the fob to open the driver's door.


people have been stealing cars since cars were invented; avoiding keyless entry doesn't exactly immunize you.


Remember, light moves at one foot per nanosecond. You need to perform a cryptographically-safe ping with timing drift of less than 15 nanoseconds.



Doable doesn't mean easy though. It's far harder than dealing with microseconds. And how much do analog prover components cost?


Not my BMW, it's 25 years old and the driver's side door doesn't unlock even if you use a key :P

All jokes aside (although it's true about my car), it just seems like a fundamental truth that digitally-secured systems always provide convenience at the cost of, well, security.


In the "Win" column for digitally-secured systems, the electronic immobilizer basically eliminated auto theft. The cars that are still stolen in significant numbers are the last model-years to not have immobilizers.

Car door locks are immaterial anyway, since any thief is just going to break a window. The immobilizer matters, certainly, but even an immobilizer vulnerable to sophisticated attackers is doing two orders of magnitude better than purely mechanical security.

[1] http://www.nytimes.com/2014/08/12/upshot/heres-why-stealing-...


This article reminds me that I thought old busted stuff was less likely to be stolen. That's why I was pretty confident my very low grade, rusty, ugly single-pedal [1] bike would be safe for a day. Some guys proved me wrong, ripped my far too weak cable locks and did whatever they wanted with what was valuable of that bike ($5 for the metal frame? the rest was plastic).

[1] wear made left pedal unscrew itself over time, I couldn't ride single legged anymore so I took the failing pedal, the seat and went to my appointment.


Sorry to hear that. Reminds me of a "best of craigslist" post where a "free washing machine" was left untouched for weeks.. but as soon as a price went on it, it was stolen that evening.


Harsh reality : cable locks below 4cm diameters are useless (only useful for young kids I guess). Even fat 2kg cable lock are useless, anyone can rob a bike in a street, the bolder the easier.

I'm still waiting for a cheap bike gps 'self powered' tagger so I can use a bike again.


I've always wanted to build a spring loaded 30cm titanium spike that would shoot from the seat pole through the seat if not disarmed. Obviously completely illegal, but a satisfying mental exercise.


When I was in college, like many struggling students, I didn't have much money, my means of transportation was a 3 speed Sturmey-Archer 3 speed bike that had the best security system ever, I never locked it. It had something wrong with the 3 speed and if you stood up on the pedals it would slip and the rider would end up with their taint on the center bar, ouch. It was fine if you were not in a hurry and took your time. There were a number of times when I came out of class and would find it laying on the ground about 30 feet from where I had parked it.


The classic reason for that fault in an old 3-speed SA is minor misadjustment of the gear change cable. The gear lever basically pulls a chain further and further out of the hub, going from 3 at minimum pull to 2 to 1. Unfortunately there's a "neutral" between 3 and 2, so the cable needs to be carefully adjusted so that the 3/2/1 positions of the lever give you all three gears and avoid the neutral section. This design defect was apparently rectified in later versions of the 3-speed hub at some point after SA were bought by Sun Race.

Still, I wouldn't personally ever stand up to pedal on an SA 3-speed unless I personally owned it and knew its maintenance condition...


Reason number 259 why I love HN, invariably there is someone who knows the technical reason behind something like this. I love it :)


You must have had a nice grin seeing that. I also read reverse psychology tricks on biking boards such as not locking the bike, which convey a sense that the owner is not far / in sight and scare most robbers. Requires balls.


OK, one more of my dopey stories.. I live on the shores of Lake Washington and some years back (when I was a lot younger) I was into wind surfing and I had a pretty nice rig. I was moving to a new place and I had long since drifted away from the hobby of wind surfing so I listed my board and rig to sell, but I didn't get any responses so for a fun experiment I carried it across the street and rigged it up and just left it there and went back to my place and sat back to see how long before someone would steal it. It was there for a day and a half and a nice young man called and said he wanted to buy it. He seemed nice so I told him where it was and that he could just go get it and it would be his for free (he could barely believe it). About 30 minutes later I saw a young guy packing it up and taking it away. I felt kinda good about it I guess, hoping he would have fun with it. A few hours later he called sounding very anxious and apparently his parents did not believe the story. So I told them to come by, which they did. His father insisted that they pay me something for it, I relented and told them I would give the money to charity. Sometimes something like that happens, and it just renews your faith in people.


Just like people reading comments 13 days ago on buried threads. Very very nice story.


"this bike is a pipe bomb"

https://farm4.static.flickr.com/3277/3011586006_42403e0788.j...

It was a folkie punk band ;) With that promotional sticker. I had one, but didn't put it on my bike.


In most first world countries that sticker would just get your bike taken by the police instead of a thief.


Nice alarm system that consists of a sticker.


Maybe. Except for the "brought in for questioning by police, bike impounded, paying for a lawyer, etc" parts :(

I must say, however, that after my new (expensive, and lovingly customized and maintained) bike was stolen, I did fantasize about remote-controlled explosives. But then I just filed an insurance claim, and replaced it ;)


If you can read German: https://fahrradjaeger.de/


Or do what the Japanese do: every bike has a serial number etched into the frame and is registered to you (similar to a car). If your bike is ever stolen, the police can trivially find it by the serial number and return it.


I believe every modern bike has a unique frame number stamped. If the police recovered a known-stolen bike it could be returned. However, buyers and bike shops don't make a habit of running frame numbers past the theft database, so it's mostly useless.


Every car has a serial number in several places, in theory it should be trivial to find a stolen one, yet plenty of cars are stolen each year. Clearly this does not solve the problem.


It solves the problem in Japan. Japan just isn't like other countries; they have citizens who actually care about their society and don't want to be seen as leeches on it.

It's no wonder they don't want to import a bunch of foreigners. I can just imagine how their society would be completely ruined if they allowed millions of Americans to move in. Bike theft would be the least of their problems.


The question is - would Japan have a bike theft problem without a bike registration scheme? I suspect not, for the reasons you mentioned. In which case, the registration numbers are more of a curiosity than anything.

My own country (Poland) had mandatory bike registration 30 years ago (during communist rule) and no, it didn't stop bike theft.


In Sweden we use our personal number etched into the frame but the thieves just file it away and sell it as second hand.


Nobody in Japan owns a file?


No one will buy a bike without a number.


This is another example of something that works great in Japan and wouldn't work at all elsewhere. In other countries (esp. anywhere in the Americas), this would never work, because there's no shortage of someone willing to buy something that may be stolen.


Well, in Germany such concepts seem to be very successful, too.


old busted stuff is likely to be stolen if there's a healthy grey aftermarket for said old busted stuff parts.

the cheaper the stuff, the healthier the aftermarket, if it's a mass produced item. people who buy cheap stuff want to buy even cheaper stuff parts when the stuff breaks.


I underplayed how busted it was. Slick tires, rusty rims. 1995 cheap model of a cheap brand. Simplest Shimano gear shifting mechanism, obsolete thumb push. Plastic brake handles. Blue, pink, fluo yellow frame paint. Gah, I loved that shitty bike to pieces, I nearly died on it so many times T_T;


"shitty and old" is now "vintage" to the right crowd. someone who owns a crooked bike shop is probably stripping and repainting old cheap frames and marketing them to young hipsters.


Really, I considered this one to have no charm, no vintage, nothing. Really cheap 90s crap from the low end of the generic bike shelves at your mall.


It's worth noting that non-digitally-secured cars (pre chip-in-the-key tech) provided very little security themselves. Slim jims, hotwiring...

The wireless bit does seem like a big regression over non-wired digital security, though.


Not only this but many cars of the same make had very little variation in their keys meaning that on a dealer lot or even a very busy mall there was a chance you could unlock or start; rarely both; a car other than your own.

Personally I had seen this twice in action. First was back in the early nineties I could unlock my friend's Escort GT with my key and he could unlock my EXP. Neither could start it. Now my Aunt and Uncle had a Ford Windstar and Mercury Sable. The Sable key could start the Windstar but not unlock it. My Aunt found this out the hard way after a trip to the store where she could not get back in the car.

Now my BMW motorcycle uses a keyless ignition but you have to stand so close that I am not sure how well the hack will work. As in close I mean nearly rubbing up to it and only from the left side, from the right if the key is in the pocket away from the bike it won't recognize. There is an emergency key which is a little plastic type that has no power of its own, you can start the bike provided you find that magical point near the dash it actually works; by that I mean it took me and the dealer five minutes to get it to work


As I recall, we discovered back in the day that my dad's Ford key would lock almost any Ford he came across, but not unlock them.


To be fair that practically seems like a nonissue compared to the inverse.


Speaking from experience (locksmith), you cannot download the skills required to use a slim jim. Well, you kinda can, being that there are books/catalogs that show you where the lock's internal mechanism is, but being able to manipulate it requires more than simply pressing "exploit car radio".


I never had much problem breaking into my old 80s Toyota truck with a clothes hanger back when I was a new driver who would occasionally lock himself out of his car, but valid point - I know 90s cars especially made it a lot harder.

Window smashing is still an option, though!


You also can't download antennas, SDR hardware or a partner to run the other side of the wireless theft operation.


My critique was regarding tools vs skills.


Cool. What's it like having a 25 year old car? Why'd you choose to stick with it as opposed to getting something newer?


Not the OP, but having owned a 30 year old car up until recently, I can list a few things I loved about it:

1. It operated on mechanics that I could see and touch and fix with a wrench, as opposed to opaque black box computers. I did not need a code reader to diagnose problems.

2. Thanks to point #1, I had the confidence in the knowledge that it was maintained correctly, the parts were good and soundly installed, that every bolt was tightened to the right torque specification, because I did quite a bit of it myself, and could visually inspect any work that someone else did.

3. Points #1 and #2 let me learn a hell of a lot about car maintenance and how everything works than you can with today's computers-with-wheels.

4. It was built years before every manufacturer decided to make their cars look like identical bars of soap, so it had a distinctive '80s look that you don't see much of anymore.

Sadly, the state of California decided that the car had to meet emissions standards that were far stricter than anything the original manufacturer ever dreamed of, so it eventually became impossible to smog. I had to sell it to someone outside the state and I'm currently driving a boring bar of soap.


Maybe you could have tuned the carbs super lean (temporarily to pass emission) and installed a catalytic. Might have worked


My car is about 20 years old. In my country it's far more normal to buy a cheap car outright (say 2.5k USD) rather than get a lease or a loan for a new car (say 25k USD).

There's nothing wrong with it, i'm not sure why i'd want a newer one.


Hi from across the Tasman! My daily driver is a 1988 Mazda 323 hatchback. It cost me $900 and had just had the autotrans reconditioned and a new radiator before I bought it. I recently put new front brake pads in and will do the rear brakes shortly.

For my own personal, and endless, amusement: I paid more for my phone than I did my car.


Crash protection, that's why. A new car will let you walk away from a crash that your 20-year-old car will maim or kill you in. Crash protection is that much better now.


I've had two - Mazda Miata, fine, no real problems, cheap to run. Ferrari 308GTS looked cool but endless breakdowns, bills, rust.


This is not a fair comparison. Very few modern cars can hold a candle to an E30 :)


The auto manufacturers (and for that matter all the "IoT" creators) couldn't give two shits about protecting consumers. Building security into this stuff is trivial and a responsibility.


How would you prevent this type of attack while retaining the keyless start and entry feature? (just curious)


>How would you prevent this type of attack while retaining the keyless start and entry feature

I get that regular keys could be copied and locks picked, but I feel that if you can't securely do wireless unlock and keyless start, then don't put it in.

The car industry has a lot to learn about security. I almost refuse to believe the stories where hackers take over the onboard computers via the entertainment systems in a car, because I can't believe that anyone would be stupid enough to link the two systems. Yet, companies like Jeep seem to believe there's a reason that the computer running the GPS and radio needs access to the brakes.


> The car industry has a lot to learn about security.

Not only security; with GPS and radio having access to the brakes, the car industry has a lot to learn about safety.

The entire industry that allowed this kind of terrible design needs to study the lessons of the Therac-25. Nobody seems to understand what "fail safe" means anymore.


And yet cars have got both dramatically safer and much harder to steal


The simplest defeat is to require the key ping round trip to complete in N microseconds, where N is sufficiently low. Researchers have demonstrated that this is a practical solution.


Theoretically, an attacker can transmit an amplified message 300 m in 1 microsecond. So the car must limit the RTT to only a few dozen nanoseconds. This is fairly easy with modern electronics.


A good search term is distance bounding protocol.

Wikipedia has an article with links to research:

https://en.wikipedia.org/wiki/Distance-bounding_protocol


Timing.

Proxying the radio signal over this link introduces a req/res delay. The handshake starts when the car detects fob proximity but there is still a communication with the key for authentication (otherwise you could have a replay attack). So if the car side is programmed to be strict about req/res timing you can defeat a proxy like this (in theory at least) at the expense of a higher false-negative rate.


Like they did it in the '90s? Have an actual button on the key that you need to press to open the doors and authenticate. Same goes for starting the car, if you want to offer the "feature" of remote start/stop.


Lots of ways. The ECU only goes into pairing mode if it gets a valid challenge-response from the manufacturer. If put into that mode, it provides a nonce encrypted with its own pairing mode public key that only the manufacturer knows (could even base-64 encode it and show it on screen to let people do this over the phone). You could make it two-phase where it requires the first response within 5 minutes of starting, then requires a second response that must come one hour later (also with a 5-minute entry window). This makes social engineering much more difficult and the delay makes it impractical for most car thieves, but it won't impact dealers or legit owners at all. If the registered owner provides a cell phone, the first attempt should send a text message to let them know the ECU will enter pairing mode and allow them to reply with "STOP" to cancel any further requests.

Once in pairing mode, the physical key and ECU use standard public-key crypto (ala SSL) to setup a secure connection, then exchange keys.

In theory you could allow boot-strapping another key so long as an existing paired key is present which would make the procedure above your failsafe for when all keys are lost/destroyed. If you wanted to take things a step further you could use a form of distributed Kerberos where the manufacturer sets up a physical key with a ticket allowing access to one (or a set) of allowed cars but that makes the manufacturer's systems a massive target for hacks/social engineering which is a problem because thousands of dealer technicians need access to those systems... that's the point of the delays and short acceptance windows above. An evil tech or hacker can't pre-create a bunch of keys on the sly.

To unlock or remote start, the key broadcasts a HELLO message, encrypted with the ECU's public key. The ECU responds with an ACK+nonce encrypted with the physical key's public key. The physical key decrypts it and replies with an ACK+nonce encrypted with the ECU's public key. Congrats, you now have a reasonably secure system that prevents replay attacks.

Ultimately it would require embedded software engineers and company management who a) understood security and b) gave a shit. Both are in extremely short supply.


That doesn't fix this exploit at all: This is merely an analog device amplifying other radio waves.

The only way to secure against the described exploit is to measure round-trip-time from the car -> key -> car and ensure it's under, say 5 light-meters: aka 16 nanoseconds, plus the carefully calibrated time it takes the key to compute its response.

16 nanos is a very short amount of time, and it'll be tricky to measure that reasonably accurately.

The real solution is to require the user to interact with the key in some way, like pressing a button, or perhaps moving it around (as would happen as you walked with it in your pocket).
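Added example, not part of the thread and not any manufacturer's code: a simulation of a Hancke-Kuhn-style distance-bounding exchange using the 5 light-meter round-trip budget from the comment above. It shows that a relayed fob still answers every cryptographic challenge correctly and is rejected only by the round-trip timer, and that a microsecond-resolution timer cannot make that distinction. The 100 ns fob turnaround, the distances, and all class and function names are assumptions.

```python
import hashlib
import hmac
import math
import secrets

C = 299_792_458.0          # speed of light in m/s (about one foot per nanosecond)
KEY_PROCESSING_NS = 100.0  # assumed, calibrated fob turnaround time per round


def derive_registers(shared_key, nonce_car, nonce_key, rounds):
    """Derive two response registers (one per challenge value) from the shared
    secret and both nonces, so every session has fresh answers (no replay)."""
    if rounds > 128:
        raise ValueError("SHA-256 yields 256 bits: at most 128 rounds")
    digest = hmac.new(shared_key, nonce_car + nonce_key, hashlib.sha256).digest()
    bits = [(digest[i // 8] >> (i % 8)) & 1 for i in range(256)]
    return bits[:rounds], bits[128:128 + rounds]


class KeyFob:
    """Prover: precomputes its answers so each timed round is a table lookup."""

    def __init__(self, shared_key):
        self.shared_key = shared_key
        self.registers = None

    def start(self, nonce_car, rounds):
        nonce_key = secrets.token_bytes(16)
        self.registers = derive_registers(self.shared_key, nonce_car, nonce_key, rounds)
        return nonce_key

    def respond(self, i, challenge_bit):
        return self.registers[challenge_bit][i]


class RadioPath:
    """Physical path between car and fob. A relay only lengthens the path:
    it forwards bits untouched and never needs the key material."""

    def __init__(self, fob, one_way_m, relay_delay_ns=0.0):
        self.fob = fob
        self.one_way_m = one_way_m
        self.relay_delay_ns = relay_delay_ns  # 0.0 models an ideal analog relay

    def exchange(self, i, challenge_bit):
        flight_ns = 2 * self.one_way_m / C * 1e9
        rtt_ns = flight_ns + KEY_PROCESSING_NS + 2 * self.relay_delay_ns
        return self.fob.respond(i, challenge_bit), rtt_ns


def car_verify(shared_key, path, rounds=32, max_round_trip_m=5.0,
               timer_resolution_ns=1.0):
    """Verifier: unlock only if every answer is right AND every round trip fits
    inside the distance budget plus the calibrated fob turnaround."""
    nonce_car = secrets.token_bytes(16)
    nonce_key = path.fob.start(nonce_car, rounds)
    expected = derive_registers(shared_key, nonce_car, nonce_key, rounds)
    budget_ns = max_round_trip_m / C * 1e9 + KEY_PROCESSING_NS
    crypto_ok = timing_ok = True
    for i in range(rounds):
        challenge = secrets.randbelow(2)
        answer, rtt_ns = path.exchange(i, challenge)
        # The car counts whole timer ticks; anything shorter than one tick is invisible.
        measured_ns = math.floor(rtt_ns / timer_resolution_ns) * timer_resolution_ns
        crypto_ok = crypto_ok and answer == expected[challenge][i]
        timing_ok = timing_ok and measured_ns <= budget_ns
    return {"crypto_ok": crypto_ok, "timing_ok": timing_ok,
            "unlock": crypto_ok and timing_ok}


if __name__ == "__main__":
    key = secrets.token_bytes(16)  # constructed sample secret shared by car and fob
    fob = KeyFob(key)
    print("fob 1 m away:          ", car_verify(key, RadioPath(fob, 1.0)))
    print("fob relayed over 60 m: ", car_verify(key, RadioPath(fob, 60.0)))
    print("same relay, 1 us timer:",
          car_verify(key, RadioPath(fob, 60.0), timer_resolution_ns=1000.0))
```

With a 1 ns timer the relayed session reports `crypto_ok` true and `timing_ok` false; with a 1000 ns timer the same relayed session unlocks, which is why the budget has to be enforced at nanosecond resolution.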


>perhaps moving it around (as would happen as you walked with it in your pocket).

One attack vector is stealing cars out of a supermarket parking lot. You just wait for someone to drive up in the model car of your choice and have your accomplice discreetly follow them into the store. When your accomplice texts you that they are at the bread aisle/back of the store you can just steal with impunity knowing that a bystander will see no difference between the actual owner who has the key in his pocket and you with your relay device in your pocket. You also know that your victim is in the back of the store and that they can't get within sight of you before you're already long gone.


My car seems to be able to tell if the key is inside or outside pretty accurately so I think it can already figure out the distance to the key (though might be using something like RFID for that, which is not very secure).


The whole point is that the car is using signal strength as a proxy for proximity, which is unreliable when you can use a transceiver and/or amplifier to boost the signal strength from a remote key.


Not sure if you've mis-replied, but in case you imply the key location works on signal strength I doubt that very much.


Do you have a source for your doubt? It would be more technically accurate to say that the car is dependent on signal fall-off than signal strength, but that seems to be a distinction without a difference to me.

>A PKES car key uses an LF RFID tag that provides short range communication (within 1-2 m in active and a few centimeters in passive mode) and a fully-fledged UHF transceiver for longer range communication (within 10 to 100 m). The LF channel is used to detect if the key fob is within regions Inside and Outside of the car. Figure 2(b) shows the areas in proximity of the car that must be detected in order to allow a safe and convenient use of the PKES system. The regions are as follows. [1]

1. http://www.syssec.ethz.ch/content/dam/ethz/special-interest/...


As you can see on the picture yourself, the inside/outside zones are very close to each other. Locating a key with such a precision based on the signal strength alone does not seem possible for following reasons: the key's transmitter is too small to provide stable signal level, the key is located in very anisotropic environment, the car itself changes its shape and hence RF loss from different directions.


Let's assume that each of us knows what we are talking about.

Yes, the actual key itself is located by the car based on Low Frequency RFID.

The attack described is a relay attack, which means that the key can be spoofed in real time by relaying short range radio transmissions to two locations.

The mistaken assumption of the security system is that the short range communication protocol used by the car and the key requires the key to be in close proximity to the car.

Since the communication may be relayed, the range assumption is invalid. The main suggestion is to use high precision timing to determine the range, as it is very difficult to cheat on the speed of light.

I agree that "signal strength" is not the best way to phrase the above in a technical discussion.

I have not seen any indication that triangulation or any other physical location system is used in vehicle PKES.


How does this protect against an attack that connects the key to the car with a wireless range extender?


what are you talking about? This isn't about replay attacks. The car sends a message to the key, which is 200 feet away. This hack merely amplifies the signal so the key acts like it's only 2 feet away. The amplifier is a man in the middle, but it need know nothing about the contents of the signal. Encryption is powerless against this.


Requiring the key fob to be activated in some way would prevent a good number of these attacks. For instance, a capacitive sensor could be installed on the fob that would only begin transmission when picked up by someone's hand and cease wireless transmission after some timeframe, say 2 minutes. This would at least stop many of the burglaries that occur at night when people are at home.


Well, for existing cars, keep your key in a faraday cage.

My friend (who's not particularly technical and probably didn't know what a faraday cage was previously) told me that's what he was doing with his Prius key after it had been broken into with no sign of forced entry twice.


Make the driver press a button on the fob to unlock the door.


tinfoil pocket liner


Could you say more about those things they should be doing?

I'm naive but it doesn't seem trivial to me.


Round trip times? Can't cheat the speed of light, assuming you can't spoof the transmission.


Yes!

Also, the link ought to be fully authenticated and end-to-end encrypted. And one could require the user to press a button on the key fob.


The car could log the signal strength of all successful auth attempts from the key fob and determine an acceptable range. Anything outside of the acceptable range could then require use of the mechanical key (for those fobs where the mechanical key is built in) as a precaution.

Fobs could require a 'wake up' key press after a certain duration of inactivity.

Fobs could have a physical switch on them, enabling an airplane mode.

These ideas all give up some manner of ease-of-use.


I've never used this type of key, and I don't know if I would have noticed the flaw. But, um, nineteen different manufacturers gave drivers devices that try their best to unlock the car every minute of every day, and not one engineer asked what could possibly go wrong?


Multiple OEMs using systems from 4 or so suppliers[1]. If you carefully examine the list of vehicles affected you will see at least a couple duplicates: Toyota and Lexus, as well as Audi and Volkswagen.

This article isn't very good.

1. http://www.syssec.ethz.ch/content/dam/ethz/special-interest/... See page 13: Part Providers


I guess things like this just happen. How many people were involved in using and testing something as critical as OpenSSL? Still, Heartbleed was discovered more than 2 years after the flawed code landed in production!


Excellent synopsis!

Every x milliseconds, probably ;)


Samy Kamkar had a great talk about radio attacks at DEF CON 23: https://www.youtube.com/watch?v=UNgvShN4USU


A lot of models were not mentioned in that list: Audi A8, any Mercedes, etc. I wonder if they just weren't tested or if the hack doesn't work with them. (And if that's the case, what is different about those models?)


almost certainly those models are affected too. The Audi A7 wasn't listed, but it's 90% the same as the A6.


This seems the obvious threat model when thinking about a "no action required" wireless token, same thing as contactless payments and RFID passports etc.

To be secure against this type of attack, such a device has to be designed assuming the adversary controls the nearby radio spectrum and can do relaying and MITM.

To control for distance, a speed of light based latency limit might work, though I don't know how cheaply it could be implemented. Laser based distance meters are cheap now, and light travels just 30cm per 1 GHz clock cycle...


You could stick your car keys in a Faraday cage of some sort when at home.


Umm... how old is this hack? Over a decade ago, one of my friends used to drive a somewhat nice car that he modded and fixed up on his own. He always threw his keys with the alarm dongle thing, etc... in the freezer and I never asked why.

edit: Although his car was still eventually stolen when the thieves used some kind of specialized tools to bend his car's hood. The tool allowed them to bend the hood without triggering the alarm somehow and cut the power sources to the alarms. Then they put it on a repo/tow truck and drove away. I guess he showed his alarm to the wrong hot girl he would always bring around when we all hung out.

When the police found the car everything was gone except for the car's frame and bent hood.


"How can I protect my car?" Some keys have a "sleep" mode. For Toyota: hold down the lock key, press the unlock key twice, the key should blink 2 times, short pause, 2 times (total of 4 blinks).


This kinda defeats the convenience of this kind of key free systems though.


Actually it defeats both the convenience and the security, because people will forget to switch it off. This is terrible.


Cars can be "hacked" now to simply program a new key with an OBD-II "virtual keyboard" which basically does all the work you normally do to program a new key in under 60 seconds.

So here is what you do, amplify the key ping coming from the house, that gets you into the car. Plug this black box into the OBD-II and program a new key. Now you've gone around the alarm, and the immobilizer. And the car is yours.

https://www.youtube.com/watch?v=dvmSOEKfkug


Pardon my ignorance: so how do those key fobs work? They have no buttons and the car is automatically opening/closing itself based just on the proximity? That would mean I can not have my car closed when I am drinking beer in a garden over the street, which would be totally nuts, so I guess it's not how they work?


I guess they just inverted the concept of the remote control key.

Remote control key : you push a button on your key (the transmitter), it sends a signal to a receiver in your car, your car authenticates the key (probably a request/response challenge involving some crypto), and opens the door.

Now if you swap the transmitter and the receiver : you put the transmitter button in your car door's handle, and you move the receiver to your key: you have your magic key fob.

From what I understand, the security relies on the fact that the power of the radio signals emitted by the transmitter and receiver are very low, so the range of usage is limited to a few meters. The thieves and researchers exploited this by amplifying the radio signals of both communicating devices to extend the range up to 90+ meters.


The GP's point still stands: if you are within transmitting range of your car, anyone can push the button on the car door and open it. I doubt that the transmitter verifies line of sight between it and the car.


I have a car with that system and in my experience you need to be really close to the car for the system to work. Stand further away than arms length from the handle and the car won't open even if someone else tries to open it. Also it looks like the car has independent antennas on each side - even if I stand very close to the driver side, you can't open the car by pulling the handle on the passenger's side.


Thanks for that. If it is even sensitive to which side of the car you're on, that implies a really short-range sensor. The potential to use a signal booster still remains, but at least there is no risk of inadvertently opening your car just because you're on the other side of a wall.

I really wish car manufacturers would not rely on security through obscurity for these systems though.


The button is on the car, and it (normally) doesn't work unless you're right next to the car. It won't unlock unless you push the button, and some models will automatically lock if you walk more than a foot away.



Car makers take note: That list is now a list of cars I will not buy. Many other consumers probably feel the same.


Why is this a deal breaker for you, but windows aren't? Someone can break into any car through a window using a rock.


1) a broken window is easily noticeable and a giveaway that the car could be stolen.

2) breaking a window creates noise, usually.

3) it still takes time to start the car after you break into it. not so when you hack the radio.

all in all, this hack turns something that would take minutes into something that takes a couple of seconds and leaves the vehicle intact, i.e. beyond suspicion.


People are going to be breaking into your car to steal stuff 99% of the time, not trying to steal the car itself. They are often homeless, or have some sort of chemical dependency, or are mentally ill. They are not going to have the foresight, funds, or ingenuity to use some sort of electronic hacking device. They are not going to make the effort to scout out people as they leave their cars (of only certain makes and models) and play secret agent to use some sort of device between the owner and the car. And they break windows in broad daylight all the time - just smash, grab, and run. It's not like anyone is going to try to tackle a meth head running away with some stranger's $90 GPS.

Even on the infinitesimal chance they steal the car itself, you have car insurance. It doesn't really matter aside from the inconvenience, and the odds are so low it seems like a silly thing to be an absolute deal breaker for anyone.


just for the record, i've got a radio key for my car, the convenience factor is much bigger than i anticipated :)


Seems a bit weird. The i3 doesn't have an ignition - it is an electric car.

Even if they mean "switch on the electronics which control the motor" - I find that hard to believe. There's nothing on the key fob which can do that.

And, even if they did, the battery use of a parked car is negligible.



