Thieves don’t need your car keys, just a wireless signal

A recent study by researchers at the University of Padova reveals that despite the rise in car thefts involving Remote Keyless Entry (RKE) systems, the auto industry has made little progress in strengthening security.

Since RKE’s introduction in the early 1980s, automakers have worked to improve security by adding features such as immobilizers, which prevent the engine from starting without proper authentication.

Vehicle remote entry technologies and evolution

Over the past year, new web and radio technologies have changed how people access their vehicles. Examples include Passive Keyless Entry and Start (PKES) systems that operate without any driver action, keyless entry through smartphone apps, Near-Field Communication (NFC) cards, and Ultra-Wideband (UWB) signals intended to enhance security and convenience. While these technologies offer greater ease of use, they also increase the number of ways thieves can break in, start, and steal cars.

The widespread use of proprietary, closed-source devices and algorithms creates vulnerabilities that attackers can discover and exploit. This problem arises because many manufacturers rely on security by obscurity, depending mostly on keeping system details secret rather than building strong defenses.

Attack strategies

Cryptanalytic attacks: These attacks capture messages exchanged between the car and its key fob (a small wireless device that lets you lock, unlock, and sometimes start your car remotely), allowing recovery of the key and cloning of the key fob.

Relay attacks: A relay attack is basically a man-in-the-middle attack combined with a replay attack. In a relay attack, the attacker captures and relays the wireless signals exchanged between the car and the key fob using a separate communication link. This extends the range between the two devices. As a result, the car is fooled into thinking the key fob is close enough to authorize entry or ignition, while the key fob also behaves as if it’s within the car’s detection range.

Jamming and replay: This attack requires only very low-cost hardware such as a Software Defined Radio (SDR) and targets RKE and ignition systems in cars that use rolling codes. It involves recording and blocking the radio signal sent by the key fob when the driver tries to unlock the doors. The driver will then try again to unlock the vehicle. Meanwhile, the attacker jams and records the second signal while replaying the first recorded message, so the driver sees the second attempt succeed. The attacker is now left holding a second, still-valid code that can unlock the car later, and the driver notices nothing unusual.
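The acceptance logic that makes the jam-and-replay trick work, as an added Python model that is not from the article or the Padova study: a rolling-code receiver accepts any not-yet-seen counter inside its resync window regardless of when the code was captured, while a challenge-response receiver rejects a recorded answer because the next attempt carries a different nonce. The key, tag size, window size and nonce length are assumptions chosen for the demo, not values from any real RKE system.

```python
import hmac
import hashlib
import secrets
# Toy model constructed for this article (not from the Padova study or any vendor):
# a rolling-code receiver that accepts any counter ahead of the last one it saw,
# beside a challenge-response receiver. Keys and counters are made up.

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]

class RollingCodeReceiver:
    def __init__(self, key: bytes, window: int = 16):
        self.key, self.counter, self.window = key, 0, window
    def accept(self, counter: int, code: bytes) -> bool:
        # Valid if the counter is ahead of the last accepted one and inside the
        # resync window; nothing ties the code to when it was transmitted.
        if not (self.counter < counter <= self.counter + self.window):
            return False
        if not hmac.compare_digest(code, mac(self.key, counter.to_bytes(4, "big"))):
            return False
        self.counter = counter
        return True

class ChallengeResponseReceiver:
    def __init__(self, key: bytes):
        self.key, self.pending = key, None
    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(8)  # fresh nonce for every attempt
        return self.pending
    def accept(self, response: bytes) -> bool:
        ok = self.pending is not None and hmac.compare_digest(response, mac(self.key, self.pending))
        self.pending = None  # a challenge can be answered only once
        return ok

def fob_press(key: bytes, counter: int):
    return counter, mac(key, counter.to_bytes(4, "big"))

def simulate() -> dict:
    key = b"constructed-demo-key"
    rke = RollingCodeReceiver(key)
    first, second = fob_press(key, 1), fob_press(key, 2)  # neither reached the car
    results = {"first_code_accepted": rke.accept(*first),   # delivered later: in window
               "second_code_accepted": rke.accept(*second), # still unused, still valid
               "reused_code_rejected": not rke.accept(*first)}  # counter already passed
    cr = ChallengeResponseReceiver(key)
    captured = mac(key, cr.challenge())  # the fob's answer to one nonce
    results["cr_fresh_accepted"] = cr.accept(captured)
    cr.challenge()  # next unlock attempt gets a new nonce
    results["cr_replay_rejected"] = not cr.accept(captured)
    return results
```

The rolling-code receiver has no notion of freshness, only of ordering, which is exactly the gap a recorded-but-undelivered code exploits; the challenge-response variant binds each answer to a nonce the car chose.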

Web service exploitation: Vehicles often connect to the internet through apps and APIs, allowing owners to unlock or start them remotely. However, weaknesses like poor authentication and exposed API keys have allowed threat actors to access, control, or track these vehicles remotely.

Attacks against new technologies: In recent years, many car brands have updated their RKE and PKES systems to use technologies like Bluetooth, NFC, and Ultra-wideband (UWB). These new methods have made stealing cars more difficult, but not impossible. In fact, various researchers have found weaknesses inherited from the protocol stack or introduced by a broken implementation of the communication mechanism. One such example comes from NCC Group, which demonstrated a Bluetooth Low Energy (BLE) relay attack that allows attackers to bypass Tesla’s passive entry feature.

Future directions

To improve RKE and PKES security, companies need to work more closely with the security community and focus on better auditing and testing. This is especially important since web vulnerabilities slip more easily into complex systems.

Using open-source tools can bring more transparency, quicker updates, and a larger group of people finding and fixing problems. In contrast, most companies stick with closed-source development, relying on a black-box approach to security. However, examples from different environments have shown time and again that this approach is flawed.

Future research should prioritize securing web apps and APIs used for vehicle access while tackling the challenges of properly implementing Bluetooth, NFC, and UWB. Following standards like ISO/SAE 21434 is important, but technical guidance and stronger regulation during development are needed.

In the end, progress in RKE and PKES security will depend on close cooperation between manufacturers, researchers, and regulators to keep vehicles safe from new threats.