Last year I wrote a term paper as part of the “Applied information security” course at Gjøvik University College, where I’m a master’s student. Researching the topic was very interesting, and I thought I’d share my work with the public.
1 Introduction
2 Motivations for attacks
3 Types of access systems in cars
3.1 Physical key without RFID immobilizer
3.2 Physical key with RFID immobilizer
3.3 Keyless entry with RFID immobilizer
3.4 Passive Keyless Entry and Start (PKES)
3.5 Keypad
3.6 Infrared
4 Attacks on the different systems
4.1 Physical key with RFID immobilizer
4.1.1 Malleability attack
4.1.2 Time/memory tradeoff attack
4.1.3 Cryptanalytic attack
4.2 Relay attack against Passive Keyless Entry and Start (PKES)
4.3 Jammer attack
5 Real life examples of attacks as shown in media
6 Conclusion
List of Figures
1 Schematic of a simple ignition lock. [KVDP 2010]
List of Tables
I Key system types
II Car manufacturers’ naming of their PKES systems
III Car models using Hitag2
1. INTRODUCTION
Modern cars use electronic car key systems to make it more convenient to perform actions like locking, unlocking and starting the car. Historically, cars relied on the insertion of a physical key in order to lock, unlock and start the car. As the technology has evolved, car manufacturers have implemented more features to make it more practical for the user and to try to achieve more theft resistant cars.
One early invention which drastically increased the security of car key systems was the immobilizer. Compared to cars with non-electronic keys, cars using immobilizers are considered much harder to steal, as doing so potentially requires far more technical knowledge from the thief than traditional hot-wiring does.
Some early keyless entry systems communicated with the car using infrared signals, while today it is more common to use short-range radio signals like UHF and RFID. These car key systems make it possible to perform actions like locking and unlocking the vehicle without having to insert a physical key into a lock, which can be very convenient for the car users.
In recent years car manufacturers have increased the convenience even further, by introducing so-called Passive Keyless Entry and Start car key systems. This system makes it possible for the user to enter and start the car while keeping his car keys in his pockets.
The increase in convenience has been shown to come at a cost: some of these systems introduce vulnerabilities that expose them to different types of attacks. In some systems, an attacker is able to unlock, start and fully use the vulnerable car without being in possession of a legitimate key. This paper describes and discusses different attacks on electronic car key systems.
2. MOTIVATIONS FOR ATTACKS
In the real world, there are many potential reasons why attackers would choose to target vehicles. The people targeting vehicles could include everyone from criminals trying to make a profit to teenagers wanting to have some illegal fun.
The case of people stealing a car to have fun is often referred to as “joyriding”. According to the Merriam-Webster dictionary, the exact definition of joyriding is “a ride taken for pleasure (as in a car or aircraft); especially an automobile ride marked by reckless driving (as in a stolen car)” [Merriam-Webster 2012]. The consequences of joyriding are potentially very serious: figures from England and Wales state that 40 people were killed in 2004/2005 in connection with aggravated vehicle taking [Nicholas et al. 2005].
Another motivation for attacking vehicles is criminals trying to make a profit. There are different ways criminals could profit from attacking a vehicle, depending largely on the goals and resources of the attacker. Perhaps the simplest profitable attack against a car is stealing valuables that the car user has left inside. While some criminals achieve this by simply breaking a window, others might use more sophisticated approaches in order to leave a minimum of traces. In 2011, insurance companies claimed that 8000 car owners in Norway had experienced and reported a car break-in [Gulbrandsen 2011].
While some criminals focus on the simple approach of stealing valuables from cars, others aim higher and steal the entire automobile. After the criminals have successfully stolen the vehicle, there are generally two popular methods of monetizing it: selling the car as a whole, or disassembling it and selling it in parts. From the criminal’s perspective, one challenge is that once the car is stolen, it is very likely to be reported as stolen quite soon after the crime has occurred.
In many countries police vehicles have cameras attached to automatic number plate recognition systems, which compare the number plates read against a database of known stolen vehicles. Taking Norway as an example, media articles claim that these systems are able to read up to 3000 number plates an hour [Holm 2009]. This suggests that detecting a stolen vehicle driving in public is both practical and feasible.
As the chance of getting caught most likely increases as time passes, it might be desirable for the thief to hide the stolen vehicle as soon as possible to prevent detection. Depending on the resources and goals of the criminals, driving the car straight to e.g. a shipping container is one way of hiding it fast. If the goal is to sell the vehicle, it is often exported to another country as detection in another country is less likely. According to the insurance company If in Norway, many stolen cars are exported to Eastern Europe and Africa, and these are often shipped in containers [Danielsen 2010].
One popular method criminals use to make a stolen car seem legitimate is to use parts from different cars. As cars have unique chassis numbers, it is often desirable to remove these from the stolen vehicle and replace them with parts carrying seemingly legitimate serial numbers. Another example from Norway shows that some criminals target high-end luxury cars and replace the serial numbers with parts from other countries. In this particular case, one police district reported that 187 cars were stolen in 2011 and 2012, and only 21% of the cases were solved [van der Linden 2012].
Another scenario for attack motivation against cars is sabotage of the vehicle’s computer system. As car manufacturers implement more and more computer-controlled features, attackers might find ways to tamper with critical safety functions of the car. A hypothetical scenario could be, e.g., terrorists disabling the brakes in the car of a very important person.
In their paper, Checkoway et al. demonstrate that an attacker is able to, e.g., disable the brakes, brake individual wheels on demand and turn off the engine once they have access to the Electronic Control Unit (ECU) of a car [Checkoway et al. 2010]. Taking this a little further, it might be possible for attackers to infect the target systems with specialized malware, which for instance could be some sort of logic bomb that disables the brakes at a given time.
3. TYPES OF ACCESS SYSTEMS IN CARS
3.1 Physical key without RFID immobilizer
Early modern car models relied on a physical, non-electronic key in order to restrict access to opening and starting the car. In this kind of lock system, the car user must insert the key into the ignition lock and turn it in order to power the electric starter motor, which then initiates the starting of the engine. The security of this kind of system relies solely on the key matching the ignition lock. If the key matches, the car user is able to turn it and is thereby authorized to start and drive the vehicle.
This kind of security mechanism does provide some protection against theft, but can quite easily be defeated. An attacker wanting to steal a vehicle with such a system could produce a duplicate of the key if he has access to a legitimate key. From the attacker’s perspective, this could be done by temporarily stealing the key and cutting a copy, for instance if the car owner has left his keys unattended on his office desk. It is also possible to produce a key duplicate based only on a photo of how the key is cut, as demonstrated by [Laxton et al. 2008].
Another well-known attack against these primitive ignition lock systems is hot-wiring. Hot-wiring refers to bypassing the ignition lock, and thereby being able to start the car without a matching key. As the ignition lock in principle works by preventing electric signals from completing the circuit needed to start the engine, it is clear that once the attacker gets access to the wires running through the ignition lock, he will be able to short-circuit them and thereby start the engine. Figure 1 shows a schematic of a simple ignition lock.
In order to start the engine, the attacker would strip and short-circuit wires number 4, 5, 6 and 7. Once the starter has run long enough to start the engine, the attacker would disconnect wire number 7, as the starter is no longer required. It must be noted that many cars have a steering wheel lock, which prevents the attacker from turning the wheel unless a valid key is in the ignition lock. In order to be able to drive away with the car, this lock must be disabled or removed.
Table I: Key system types.

Denomination | Entry | Start engine
Physical key | Physical key | Physical key
Physical key with RFID immobilizer | Physical key | Physical key + RFID
Keyless entry with RFID immobilizer | Remote active (press button) | Physical key + RFID
Passive Keyless Entry and Start (PKES) | Remote passive | Remote passive
Physical key with infrared | Physical key or infrared | Physical key + RFID
Door keypad | Keypad | Physical key or PKES
3.2 Physical key with RFID immobilizer
As section 3.1 describes, relying on just a physical, non-electronic key is not an adequate security mechanism to prevent theft of a car. This led to the development of an additional security feature in car key systems: the use of Radio Frequency Identification (RFID) immobilizer units.
In a car lock system that uses an immobilizer unit, the key has an embedded transponder RFID chip. Near or embedded into the ignition lock, there is a device that queries and reads the RFID chip of the key. When the key in the ignition lock is turned, the car queries the key and expects a code returned. The returned code is compared to a list of valid codes, and if it matches one of them, the immobilizer is disabled and the car user is authorized to start the engine [Iijima 1995].
Since a car with an immobilizer system relies on a valid RFID chip, it is considered much more secure than a system with just a physical key in the ignition lock. This has led to the implementation of such systems in most modern cars, and they are required by law in many countries. From 1996, all vehicles sold in the European Union have been required by law to have immobilizers [Commission 1995]. From 2007, all vehicles produced in Canada have been required by law to have an immobilizer unit [News 2007].
While it is hard to estimate exactly how many car thefts immobilizers have prevented, J. C. van Ours and B. Vollaard claim that the reduction in car thefts is 70 percent in the Netherlands and 80 percent in England and Wales [van Ours and Vollaard 2011].
Although immobilizer units are very effective against hot-wiring, it has been proven that one of the leading types of these systems has weaknesses that make it possible to recover and reproduce the secret code, and thereby disable the immobilizer without being in possession of a legitimate key. This is described further in section 4.1.
3.3 Keyless entry with RFID immobilizer
Many car manufacturers use key fobs with wireless functionality to perform actions like locking, unlocking, controlling the windows, activating the alarm, etc. These usually communicate over Ultra High Frequency radio (UHF, 315 or 433 MHz) [Francillon et al. 2010a], and the immobilizers work in the same way as described in section 3.2. Other than the fact that these UHF-based entry systems are vulnerable to simple jammer attacks (described in section 4.3), there does not seem to be much relevant literature on the security of these systems.
3.4 Passive Keyless Entry and Start (PKES)
In recent years, a system called Passive Keyless Entry and Start (PKES) has been implemented by many car manufacturers, under different names. Table II shows how some major car manufacturers name their implementation of the entry system.
The “Passive” part of the name reflects the nature of the entry system, as its main feature is that it does not require an action from the car user. This means that instead of pressing a button to open and lock the car, the car user may keep the key fob in his pocket, and the car opens and locks itself automatically based on whether the user approaches or leaves it. The system also allows starting the vehicle with the key fob still in the user’s pocket, so there is no need to insert a physical key into an ignition lock [DaimlerChrysler 1999].
In a PKES system, the car key fob has an embedded low frequency (LF) RFID chip for short-range communication, and a UHF transmitter/receiver for longer-range communication. The car has a system for querying and reading the RFID chip, and this system, including antennas placed at several points, is used to detect where the key fob is located: inside or outside the car [Francillon et al. 2010b].
If the key fob is not in close proximity to the car, i.e. further away than the typical maximum of 1-2 meters, remote open and close is allowed through the UHF channel. If the key fob is within 1-2 m of the door handle, automatic open and close is allowed. If the key fob is located inside the car, it is authorized to start the engine and the user is thereby able to use the car [Francillon et al. 2010b].
How the PKES system is implemented depends on the manufacturers, but they generally follow the same principles. The car sends beacons probing for a nearby key fob, either continuously or when the door handle is pulled. When the beacon is received by the key, it wakes up the microcontroller in the chip and interprets the signal received from the car. This signal is a cryptographic challenge which is solved by the microcontroller. When the challenge has been solved, the key replies its answer to the car through the UHF channel [Francillon et al. 2010b].
As the answer to the challenge from the key fob is received by the car, it is compared to the value that is expected. When the key fob is located outside of the car, the doors are unlocked if these two values match. When the key fob is located inside the car, it is challenged by the car in a similar way, and if the answers are correct, starting the car is allowed. As PKES systems do not have traditional ignition locks, starting is usually achieved by pressing a button (often while pressing the brake pedal) [Francillon et al. 2010b].
As electronic car keys rely on a battery in order to function fully, the manufacturers often implement backup functions so that the car can still be used when the battery is exhausted. This means that many manufacturers embed a physical key hidden inside the key fob to be able to unlock the car manually. As these systems use immobilizers, it is still necessary to deactivate these in order to start the engine. This is done by passive LF RFID, where the RFID chip harvests power from the car through electromagnetic induction [Francillon et al. 2010b]. PKES-based systems have been demonstrated to be vulnerable to relay attacks, which are described in section 4.2 of this paper.
Table II: Car manufacturers’ naming of their PKES systems.

Manufacturer | Name
Acura | Keyless Access System
Audi | Advanced Key
BMW | Comfort Access
Cadillac | Adaptive Remote Start & Keyless Access
Dodge | Keyless Enter-N-Go
Ford | Intelligent Access with push-button start
General Motors | Passive Entry Passive Start
Honda | Smart Entry System
Hyundai | Proximity Key
Infiniti | Infiniti Intelligent Key with Push Button Ignition
Jaguar Cars | Smart Key System
Jeep | Keyless Enter-N-Go
KIA | Smart Key System
Lexus | SmartAccess System
Lincoln | Intelligent Access System
Mazda | Advanced Keyless Entry & Start System
Mercedes-Benz | Keyless Go integrated into SmartKeys
Mini | Comfort Access
Mitsubishi Motors | FastKey
Nissan | Nissan Intelligent Key
Porsche | Porsche Entry & Drive System
Renault | Hands Free Keycard
SsangYong | Smart Key System
Subaru | Keyless Smart Entry With Push-Button Start
Suzuki | SmartPass Keyless entry & starting system
Toyota | Smart Key System
Volkswagen | Keyless Entry & Keyless Start or KESSY
Volvo | Personal Car Communicator “PCC” and Keyless Drive
3.5 Keypad
Keypads are offered as a manufacturer option on a few cars, e.g. 2013 Lincoln MKZ [CarAndDriver 2012]. However, there does not seem to be any literature on the security of these keypads, and it will therefore not be covered in this paper.
3.6 Infrared
Some early cars used infrared communication for locking and unlocking, e.g. the 1995 Mercedes-Benz C-Class (W202) [MercedesClub 2011]. As with keypads, there seems to be no literature on the security of infrared-based entry systems, and because of this infrared will not be covered in this paper.
4. ATTACKS ON THE DIFFERENT SYSTEMS
4.1 Physical key with RFID immobilizer
As mentioned in section 3.2, most modern cars have RFID-based immobilizers to prevent theft. While these do provide some additional security compared to non-electronic car keys, one of the most widely used transponders has been demonstrated to be vulnerable to attacks. This section is based on the findings presented in the paper Gone in 360 Seconds: Hijacking with Hitag2 [Verdult et al. 2012].
As previously described, immobilizers consist of an RFID transponder chip embedded in the car key, and a reader system which is usually located near the ignition lock of the car. In order for the user to be authorized to start the engine, the car key must answer correctly to a challenge sent by the car. In early immobilizer systems, the answer to the challenge was a static code which never changed. This is not a very secure solution, as an attacker is able to replay the code once it has been captured. Today it is more common for these systems to use rolling codes, i.e. codes that change often.
As immobilizer systems rely on the RFID chips in the keys answering with correct codes when queried, the goal of an attacker is to find and reproduce these codes. In the case of a physical key with RFID immobilizer, the only security left after the attacker has found the codes is the ignition lock, which depends on a correct physical key. As mentioned in section 3.1, hot-wiring a car is often feasible once the immobilizer is deactivated.
Hitag2 is the leading RFID system used for immobilizers in cars, claimed to be used by at least 34 car manufacturers in more than 200 models. Table III shows some popular car models using Hitag2. In their paper, Verdult et al. present flaws that lead to three attacks aiming to find the secret keys used to authorize the disabling of the immobilizer.
4.1.1 Malleability attack
In the malleability attack, the attacker first gathers an arbitrary number of keystream bits from the transponder key, which is possible because of a weakness that reveals parts of the key after just one authentication attempt. After the keystream is acquired, the attacker uses it to dump the memory of the transponder key, which includes the secret cryptographic key.
Recovering the keystream and dumping the memory of the transponder key was found to take less than one second, which shows that it is a highly feasible attack. The only requirement is that the attacker must be in proximity of the victim’s legitimate car key. It is noted that there is an extra security mechanism that offers protection against reading the memory blocks containing the cryptographic key, making this attack ineffective in cases where this protection is enabled.
4.1.2 Time/memory tradeoff attack
In a time/memory tradeoff attack against Hitag2, the attacker uses the gathered keystream (as described in section 4.1.1) to generate a lookup table of possible remaining keystream bits. This table requires 1.2 TB of disk space, and is stated to be possible to generate within one day on a standard laptop. The attack requires emulating a transponder key and attempting authentication with the car. After this is done, the answer to the authentication attempt is replayed to the valid transponder key, which then reveals 256 bytes of keystream through the weakness described earlier.
It is noted that the steps involving the authentication attempt against the car and replaying this to the valid transponder take less than 30 seconds, while the table lookup takes less than 30 seconds on a standard laptop.
4.1.3 Cryptanalytic attack
In the cryptanalytic attack against Hitag2, the attackers emulate a transponder key and perform 136 authentication attempts. Based on the retrieved keystream, the attackers build a lookup table and use it to retrieve the full key. It is stated that this computation takes less than five minutes on a standard quad-core laptop.
All of the tested vehicles used whitelisting as an extra security feature, meaning that authentication was only possible with keys whose identification numbers were whitelisted. In order for an attack to be successful, the attackers must first eavesdrop or guess a valid key ID. Eavesdropping can be done either by wirelessly pickpocketing the ID from the victim’s legitimate key through RFID, or by listening on the UHF channel while the car user presses a button on the key fob. It is stated that eavesdropping on UHF is possible from a distance of 100 meters, which shows that it is feasible while keeping a good distance from the victim.
These three attacks clearly demonstrate that bypassing immobilizer systems that use Hitag2 is very feasible. From an attacker’s perspective, a choice must be made as to which of the attacks to perform. This depends on the scenario and what the attacker is able to do.
The malleability attack requires communication with a valid key for about 1 second, and depends on the memory protection not being activated. The time/memory tradeoff attack requires communication with both a valid key and the car for a total of 1 minute, and also about one day of processing. The cryptanalytic attack only requires communication with the car, and 5 minutes of processing time.
Based on the prerequisites and the time necessary, the cryptanalytic attack does generally seem like the best choice. However, if the attacker has foreknowledge that a certain car model has not implemented the memory protection described in section 4.1.1, he will save a lot of valuable time, as the malleability attack requires only 1 second to perform.
Table III: Car models using Hitag2, adapted from [Verdult et al. 2012]. Bold indicates models they tested.

Acura | CSX, MDX, RDX, TL, TSX
Alfa Romeo | 156, 159, 166, Brera, Giulietta, Mito, Spider
Audi | A8
Bentley | Continental
BMW | Serie 1, 5, 6, 7, all bikes
Buick | Enclave, Lucerne
Cadillac | BLS, DTS, Escalade, SRX, STS, XLR
Chevrolet | Avalanche, Caprice, Captiva, Cobalt, Equinox, Express, HHR, Impala, Malibu, Montecarlo, Silverado, Suburban, Tahoe, Trailblazer, Uplander
Chrysler | 300C, Aspen, Grand Voyager, Pacifica, Pt Cruiser, Sebring, Town Country, Voyager
Citroen | Berlingo, C-Crosser, C2, C3, C4, C4 Picasso, C5, C6, C8, Nemo, Saxo, Xsara, Xsara Picasso
Dacia | Duster, Logan, Sandero
Daewoo | Captiva, Windstorm
Dodge | Avenger, Caliber, Caravan, Charger, Dakota, Durango, Grand Caravan, Journey, Magnum, Nitro, Ram
Fiat | 500, Bravo, Croma, Daily, Doblo, Fiorino, Grande Punto, Panda, Phedra, Ulysse, Scudo
GMC | Acadia, Denali, Envoy, Savana, Sierra, Terrain, Volt, Yukon
Honda | Accord, Civic, CR-V, Element, Fit, Insight, Stream, Jazz, Odyssey, Pilot, Ridgeline, most bikes
Hummer | H2, H3
Hyundai | 130, Accent, Atos Prime, Coupe, Elantra, Excel, Getz, Grandeur, I30, Matrix, Santafe, Sonata, Terracan, Tiburon, Tucson, Tuscanti
Isuzu | D-Max
Iveco | 35C11, Eurostar, New Daily, S-2000
Jeep | Commander, Compass, Grand Cherokee, Liberty, Patriot, Wrangler
Kia | Carens, Carnival, Ceed, Cerato, Magentis, Mentor, Optima, Picanto, Rio, Sephia, Sorento, Spectra, Sportage
Lancia | Delta, Musa, Phedra
Mini | Cooper
Mitsubishi | 380, Colt, Eclipse, Endeavor, Galant, Grandis, L200, Lancer, Magna, Outlander, Pajero, Raider
Nissan | Almera, Juke, Micra, Pathfinder, Primera, Qashqai, Interstar, Note, Xterra
Opel | Agila, Antara, Astra, Corsa, Movano, Signum, Vectra, Vivaro, Zafira
Peugeot | 106, 206, 207, 307, 406, 407, 607, 807, 1007, 3008, 5008, Beeper, Partner, Boxer, RCZ
Pontiac | G5, G6, Pursuit, Solstice, Torrent
Porsche | Cayenne
Renault | Clio, Duster, Kangoo, Laguna II, Logan, Master, Megane, Modus, Sandero, Trafic, Twingo
Saturn | Aura, Outlook, Sky, Vue
Suzuki | Alto, Grand Vitara, Splash, Swift, Vitara, XL-7
Volkswagen | Touareg, Phaeton
4.2 Relay attack against Passive Keyless Entry and Start (PKES)
In their paper, Francillon et al. present a practical relay attack on Passive Keyless Entry and Start (PKES) based systems. This section is based on their paper, and presents their findings [Francillon et al. 2010a].
During a relay attack, the attacker acts as a man in the middle, intercepting and forwarding the signals that are supposed to go directly between the transmitter and the receiver. This allows the receiver and the transmitter to communicate with each other through the relay, so each assumes the other is in proximity, although they might in fact be very far from each other.
When this kind of attack is applied to PKES based systems, the attackers place one of their devices near the key fob and another device near the car. As the signals are relayed using the attackers’ devices, they will be able to access and start the vulnerable car without having to steal or even touch the car key.
As this attack only relays the communication between the key fob and the car, it does not read or modify the signals. This makes it applicable for different cars from different manufacturers, since it does not depend on a specific protocol, encoding, encryption, etc. Since no actual interpretation or cracking is performed, it is independent of key length and encryption methods, meaning that even though a long key and strong encryption is used, it is still vulnerable to a relay attack if an appropriate proximity check is not performed.
In their study, Francillon et al. tested 10 recent car models from 8 manufacturers, and all of them were successfully exploited. The attack enabled them to open and start the car even though the key fob was not in proximity, and it was tested to be successful at distances of up to 50 meters. For some systems, they were able to read and relay signals from the key fob while being up to 8 meters away from it, while others could be read from a few meters away.
The following is a typical scenario where this attack could be successfully performed. A car owner parks his car in a parking spot near a supermarket. The attackers, e.g. car thieves, recognize the car as one with a vulnerable PKES based system. One of the attackers follows the car owner into the supermarket, and stays near him with his hidden relay device. The other attacker approaches the car and places his antenna near the receiver.
The messages are relayed via wireless communication, and the car believes that the legitimate key fob is in proximity and therefore sends it a challenge as it normally would when the key fob is near. The key fob replies with its answer through the relay, and the car is opened. The attacker opens the car and presses the start button. Since the car believes that the key fob is now inside the car, starting is authorized.
After a certain distance of driving, the car is likely to lose its communication with the key fob via the relay. For safety reasons, though, the car will not stop when the communication with the key fob is lost, but rather give the driver a warning that a key fob is not present. This means that the car thief is potentially able to get quite far away with the car, and for example to hide it in a shipping container to smuggle it out of the country.
In the previous scenario, once the engine is turned off, they will not be able to start it again as they no longer have the possibility to relay the signal. However, as the thieves now have unrestricted physical access to the car, they could for instance replace the key system with their own to be able to fully use the car.
Another example scenario is when the attackers do not have the intention of stealing the car, but instead to steal valuables that are stored inside the car. This could for instance be a targeted attack, e.g. if the attackers have some knowledge about the car owner and that he is likely to store valuables inside the car, e.g. money, laptops, cellphones, sensitive documents etc.
The attackers would then follow the car owner and perform the same procedure as mentioned above. What is notable here is that since the car is still present, it would quite possibly be subject to police investigation and perhaps forensic analysis. If the car keeps an event log of accesses, it would show that a legitimate key was in fact used, hence it would look like the car owner himself took away the valuables, as there would be no other technical traces of the break-in.
In the study, they realized two attacks: one wire-based, using a cable between the relay devices, and one using wireless communication. The wire-based setup had two loop antennas, one on each end of the cable. When the antenna near the car was put near the door handle, it captured the beacons sent by the car and sent the signal through the cable to the other antenna. The other antenna then generated an electric field which woke up the microcontroller in the key fob, which then read the message sent by the car.
What the message from the car to the key fob is depends on where the car believes the key fob is located: outside or inside the car. If the key fob is believed to be outside the car, the car sends an open command to the key fob. If the key fob is believed to be inside the car, the car sends the allow-start authorization command to the key fob. In both cases, the key fob sends an answer via UHF, and the car then performs the action.
The wireless setup followed the same principles as the wired setup, but with the wireless setup they built their own RF link. This setup consisted of two parts, one emitter unit and one receiver unit. The emitter unit was the one placed near the car, and this unit converted the signal to 2.5 GHz, amplified the signal and sent it over the air. The receiver unit was the one placed near the key fob, and this unit down-converted the received signal to its original form for the key fob to be able to read it. As with the wired setup, the answer was then sent via UHF and the car could perform the action.
In an actual attack scenario, the wireless setup is naturally more practical, as it does not require a long and suspicious cable running between the units. It is noted in the paper that the up- and down-conversion of the signal enables the devices to communicate over longer distances, and that both the power consumption and the price are very low.
The equipment needed to perform the attack is claimed to cost between 100 and 1000 USD, depending on what kind of components are used. In their paper, Francillon et al. present some countermeasures to prevent the relay attack on PKES-based systems. As an immediate countermeasure, they propose that owners of cars with vulnerable PKES systems could put a metallic shield around the key fob so that it cannot send or receive signals. By doing this, the full convenience of the PKES functionality will obviously no longer be present, as the car owner must take the key fob in and out of the shielding every time it is used.
Another immediate countermeasure is to remove the battery from the key fob. This naturally removes all the remote functionality of the key fob, so the car owner must open and lock the car with the physical backup key that is usually hidden inside the key fob. When the battery is removed, the car goes into a dead battery mode that makes it possible to use the car even though the key fob's battery is removed or exhausted.
As cars with PKES systems usually have a start button instead of an ignition lock into which a physical key is inserted, the car still relies on communication with the RFID chip in order to authorize the key fob, even if the key fob's battery is drained. In that case, the car owner must place the key fob in close proximity to the RFID reader in order to start the car. This is usually a pre-designated area near the start button, and in dead battery mode the RFID chip is powered by the car through induction.
Further, they present countermeasures that would require action from the car manufacturers. Their first proposal is a software modification that disables the PKES functionality until the car user presses the open/close button on the key fob. Once the button is pressed, the car user can start the car as usual, but this removes the convenience that normally lets the car user keep the key fob in their pocket.
Another countermeasure presented is a hardware modification where a power switch is added to the key fob. As this would temporarily disable the remote functionality, it would be equivalent to removing the battery as described above. Another possibility is to make the switch disable only the PKES functionality and keep remote open and lock available. Both of these variants, however, require the user to remember to turn the switch off every time he leaves the car.
At the end of their section on countermeasure proposals, they suggest how car manufacturers could prevent relay attacks on PKES systems: implement RF distance bounding to verify that the key fob is in fact in proximity to the car. With distance bounding, the car sends a challenge to the key fob, and the distance is calculated from the time it takes for the reply to arrive at the car. As the relay would add a delay, the reply time would differ from the expected time, which would make the attack unsuccessful.
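The following model, added here as an example and not taken from Francillon et al. or any manufacturer's implementation, shows why the relay works and why distance bounding stops it: the key fob's answer to the car's challenge is cryptographically correct whether or not it was relayed, so only the reply timing distinguishes the two cases. The answer function (a truncated HMAC), the fob processing time, the relay delay, the 2 m acceptance radius and the timing tolerance are all assumptions chosen for the demonstration; the real PKES ciphers and delays differ. The model also includes two of the other countermeasures from the text: a fob that cannot answer (battery removed or shielded), and PKES that stays disabled until the fob button is pressed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Model constants. All values are assumptions for the demonstration, not figures from the paper.
C_M_PER_S = 299_792_458.0        # propagation speed of the RF signal
FOB_PROCESSING_S = 1e-6          # fixed time the fob needs to compute its answer
MAX_DISTANCE_M = 2.0             # farthest the car should accept a fob from
TIMING_TOLERANCE_S = 10e-9       # slack for clock jitter; about 1.5 m of extra round trip
SECRET = b"constructed-demo-secret"   # constructed shared key


@dataclass
class KeyFob:
    secret: bytes
    battery_installed: bool = True   # False models the battery-removal/shielding countermeasures

    def answer(self, challenge: bytes) -> Optional[bytes]:
        if not self.battery_installed:
            return None
        # Hypothetical answer function: a truncated keyed MAC over the challenge.
        # The answer carries no information about where the fob is.
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()[:8]


@dataclass
class OpenResult:
    accepted: bool
    reason: str
    estimated_distance_m: Optional[float] = None


@dataclass
class Car:
    secret: bytes
    distance_bounding: bool = False   # manufacturer countermeasure: check reply timing
    button_required: bool = False     # software countermeasure: PKES off until button press
    pkes_armed: bool = False

    def fob_button_pressed(self) -> None:
        self.pkes_armed = True

    def try_open(self, fob: KeyFob, true_distance_m: float,
                 relay_delay_s: float = 0.0) -> OpenResult:
        if self.button_required and not self.pkes_armed:
            return OpenResult(False, "PKES disabled until the open/close button is pressed")
        challenge = secrets.token_bytes(8)
        answer = fob.answer(challenge)          # reaches the fob directly or through a relay
        if answer is None:
            return OpenResult(False, "no answer from key fob")
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(answer, expected):
            return OpenResult(False, "wrong answer")
        # Round-trip time: propagation both ways, fob processing, and any relay delay.
        rtt = 2 * true_distance_m / C_M_PER_S + FOB_PROCESSING_S + relay_delay_s
        estimated = (rtt - FOB_PROCESSING_S) * C_M_PER_S / 2
        if self.distance_bounding:
            bound = 2 * MAX_DISTANCE_M / C_M_PER_S + FOB_PROCESSING_S + TIMING_TOLERANCE_S
            if rtt > bound:
                return OpenResult(False, f"reply too late; fob appears {estimated:.0f} m away", estimated)
        return OpenResult(True, "opened", estimated)


def legitimate_open(distance_bounding: bool) -> OpenResult:
    """Owner stands 1 m from the car with the fob in the pocket."""
    return Car(SECRET, distance_bounding=distance_bounding).try_open(KeyFob(SECRET), 1.0)


def relayed_open(distance_bounding: bool) -> OpenResult:
    """Fob is 50 m away; the relay adds an assumed 1 microsecond of conversion and amplification delay."""
    return Car(SECRET, distance_bounding=distance_bounding).try_open(
        KeyFob(SECRET), 50.0, relay_delay_s=1e-6)


def shielded_fob_open() -> OpenResult:
    """Fob in a metallic shield or with its battery removed: it cannot answer."""
    return Car(SECRET).try_open(KeyFob(SECRET, battery_installed=False), 1.0)


def button_countermeasure():
    """Car with PKES disabled until the fob button is pressed; returns (before, after)."""
    car = Car(SECRET, button_required=True)
    before = car.try_open(KeyFob(SECRET), 1.0)
    car.fob_button_pressed()
    after = car.try_open(KeyFob(SECRET), 1.0)
    return before, after


if __name__ == "__main__":
    for name, result in [("legitimate, no bounding", legitimate_open(False)),
                         ("relayed, no bounding", relayed_open(False)),
                         ("relayed, distance bounding", relayed_open(True))]:
        print(f"{name:28s} accepted={result.accepted} ({result.reason})")
```

Without distance bounding the relayed exchange is accepted because the MAC check passes; with it, the added delay makes the fob appear roughly 200 m away in this model and the car refuses. The tolerance is the design knob: every nanosecond of slack corresponds to about 15 cm of extra one-way distance an attacker could have, so the car's timing measurement has to be precise at that scale for the check to mean anything.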
4.3 Jammer attack
While some attacks could be considered quite sophisticated and would perhaps require thorough planning and technical knowledge from the attacker, other attacks are simpler but can get the job done when the attacker's goal is to access the car. In the context of keyless entry systems, one such simple attack is a jammer attack. In a jammer attack, the attacker uses a device that produces signals which make the car and the key fob unable to communicate with each other.
The interesting perspective in this context is the wireless locking of the car, which is done either by the passive automatic open/lock function of PKES, or by the active lock performed when the car user presses the button on the key fob. In an attack scenario, the jammer blocks the wireless communication, and the car does not receive the lock command.
The consequence is that the car is left unlocked and accessible to the attacker. As many cars have indicator lights that flash when the doors are opened or locked, the attacker would perhaps try to distract the car user so that he does not notice that the indicator lights did not flash. It must be noted that the jammer attack itself does not enable the attacker to start the car, as a modern car most likely has an immobilizer. A jammer attack can, however, help the attacker get access to valuables in the car without breaking anything. It can also help the attacker get access to the car's computer system, e.g. to add a new transponder, as mentioned in section 5.
As a jammer is a quite simple device, it is not very expensive: for approximately $260 it is possible to purchase a jammer that is able to disrupt UHF, VHF and cell phone signals [GSMJammerStore 2012]. This means that attackers do not need much technical knowledge to perform a jammer attack, as they can purchase everything they need on the Internet.
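The model below is an added example, not code from the paper, and it captures the property the jammer attack depends on: the lock command is one-way. The fob transmits once and gets nothing back, so the fob cannot know whether the car heard it, and the flashing indicator lights are the only confirmation the owner receives. The jammer is modelled simply as a raised interference level on the channel; the receiver sensitivity, the minimum signal-to-interference ratio and the noise floor are assumed numbers. The `jamming_suspected` flag is an assumed car-side check that the text does not propose: strong energy on the channel while no frame decodes is a reasonable thing for the receiver to notice and report.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed receiver parameters for the model (constructed, not measured values).
RX_SENSITIVITY_DBM = -90.0   # weakest fob signal the car can decode
MIN_SIR_DB = 6.0             # minimum signal-to-interference ratio needed to decode a frame
NOISE_FLOOR_DBM = -110.0     # interference level on a quiet channel


@dataclass
class Channel:
    fob_signal_dbm: float = -60.0
    interference_dbm: float = NOISE_FLOOR_DBM  # a jammer raises this


@dataclass
class Car:
    locked: bool = False
    indicator_flashes: int = 0
    jamming_suspected: bool = False
    log: List[str] = field(default_factory=list)

    def receive(self, frame: str, ch: Channel) -> bool:
        """Try to decode one frame from the fob. Returns True if it was acted upon."""
        sir_db = ch.fob_signal_dbm - ch.interference_dbm
        if ch.fob_signal_dbm < RX_SENSITIVITY_DBM or sir_db < MIN_SIR_DB:
            self.log.append(f"undecodable frame (SIR {sir_db:.0f} dB)")
            # Assumed defender-side check (not from the paper): energy far above the
            # normal floor while nothing decodes is an indicator of jamming.
            self.jamming_suspected = ch.interference_dbm > NOISE_FLOOR_DBM + 20
            return False
        if frame == "LOCK":
            self.locked = True
            self.indicator_flashes += 1      # the user-visible confirmation
            self.log.append("locked")
        elif frame == "UNLOCK":
            self.locked = False
            self.indicator_flashes += 1
            self.log.append("unlocked")
        return True


def press_lock(car: Car, ch: Channel) -> bool:
    """The fob transmits LOCK once. Nothing is sent back to the fob, so the fob
    itself cannot tell whether the car received the command."""
    return car.receive("LOCK", ch)


def walk_away(jammer_dbm: Optional[float] = None) -> Car:
    """Owner presses lock and leaves. jammer_dbm is the interference a jammer adds, if any."""
    ch = Channel()
    if jammer_dbm is not None:
        ch.interference_dbm = jammer_dbm
    car = Car()
    press_lock(car, ch)
    return car


def lock_confirmed(car: Car) -> bool:
    """What an attentive owner checks before leaving: did the indicator lights flash?"""
    return car.indicator_flashes > 0


if __name__ == "__main__":
    for label, car in [("quiet channel", walk_away()), ("jammed channel", walk_away(-40.0))]:
        print(f"{label:15s} locked={car.locked} confirmed={lock_confirmed(car)} "
              f"jamming_suspected={car.jamming_suspected} log={car.log}")
```

On the quiet channel the frame decodes, the car locks and the lights flash; on the jammed channel nothing decodes, the car stays unlocked and the owner's only cue is the absence of the flash, which is exactly what the distraction described above targets.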
5. REAL LIFE EXAMPLES OF ATTACKS AS SHOWN IN MEDIA
Car thefts are often reported in the media, especially in cases where they are part of organized crime. The methods used to steal the vehicles are not always reported, but with knowledge of the methods presented in this paper, it might be possible to take an educated guess about which methods were used. This section presents a few examples from Norway where electronic car key systems have been exploited.
Using Norway as an example, the numbers show a reduction in the number of reported stolen vehicles: from 14669 in 1997 to 8183 in 2010 [Lunde 2011]. The immobilizer is stated to be one of the most important reasons for the reduction, as it makes it more difficult to hot-wire a car.
From March to July 2012, a Lithuanian criminal group stole 18 cars in Norway, worth a total of approximately 10 million NOK [Ruud 2012]. In all the cases, no keys were reported stolen, there were no broken windows, and no alarms were triggered. When the group was caught, the police stated that they found equipment used to circumvent immobilizer systems. The group seemed to be mostly interested in Honda CR-Vs and BMW X5s, and as shown in table III, the Honda CR-V uses the vulnerable Hitag2 system.
Several examples show that the BMW X5 and X6 are very popular cars among thieves, and the same pattern is reported in these cases: no stolen keys, no broken windows, no alarms triggered [Aftenposten 2012]. In these cases, it is stated that the method was to first use a titan key to destroy the door lock, and then connect to the car's electronic diagnostic system to add a new transponder key. Afterwards, they drove the cars to Lithuania with fake number plates and insurance documents [Bruland 2012].
6. CONCLUSION
Because of security systems like immobilizers, stealing a car today is more difficult than in the early days of the modern car. However, weaknesses in the popular immobilizer system Hitag2 have been demonstrated to be practical, making it possible for an attacker to circumvent the protection the immobilizer provides.
Cars that use the popular system Passive Keyless Entry and Start have been demonstrated to be vulnerable to relay attacks, making it possible for thieves to steal a car by eavesdropping and forwarding signals between a legitimate key and the car.
Jammer attacks against keyless entry systems enable an attacker to access the car when the victim does not pay attention to whether the car has actually been locked after he leaves it. A successfully performed jammer attack could potentially enable thieves to steal valuables from the car, and also to gain access to the car's computer system in order to e.g. add new transponder keys and thereby be able to start the car.
Examples from the real world show that these types of attacks are being used by criminals. This means that in order for car manufacturers to stay ahead of the criminals, more secure solutions should be developed, and perhaps also distributed and installed in vulnerable cars that have already been produced.
REFERENCES
Aftenposten. 2012. Flere tyverisikre BMW-er stjålet. http://www.aftenposten.no/nyheter/iriks/Flere-tyverisikre-BMW-er-stjalet-6954911.html. [Online; accessed 14 December 2012].
Bruland, T. 2012. BMW-bande fikk til sammen 17 år fengsel. http://www.rogalandsavis.no/nyheter/article6396428.ece. [Online; accessed 14 December 2012].
CarAndDriver. 2012. 2013 Lincoln MKZ AWD V6 – instrumented test. http://caranddriver.com/photos-12q4/488202/2013-lincoln-mkz-awd-keyless-entry-keypad-photo-490201. [Online; accessed 14 December 2012].
Checkoway, S., McCoy, D., Kantor, B., Anderson, D., Shacham, H., and Savage, S. 2010. Experimental security analysis of a modern automobile. IEEE.
European Commission. 1995. EU Commission Directive 95/56/EC. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0056:en:NOT. [Online; accessed 7 December 2012].
DaimlerChrysler. 1999. US Patent 6,624,741. http://www.google.no/patents?id=PU8OAAAAEBAJ&printsec=abstract&zoom=4&hl=no. [Online; accessed 13 December 2012].
Danielsen, E. J. 2010. Denne stjeles mest. http://www.tv2.no/underholdning/broom/denne-stjeles-mest-3195915.html. [Online; accessed 14 December 2012].
Francillon, A., Danev, B., and Capkun, S. 2010a. Relay attacks on passive keyless entry and start systems in modern cars. IACR ePrint Report.
Francillon, A., Danev, B., and Capkun, S. 2010b. Relay attacks on passive keyless entry and start systems in modern cars. IACR ePrint Report, 3.
GSMJammerStore. 2012. 6 antenna VHF, UHF, cell phone jammer (3G, GSM, CDMA, DCS). http://www.gsmjammerstore.com/wholesale-uhf-vhf-jammer/6-antenna-vhf-uhf-cell-phone-jammer-3g-gsm-cdma-dcs.html. [Online; accessed 14 December 2012].
Gulbrandsen, C. 2011. Politiet advarer sløve bileier. http://bil.aftenposten.no/bil/Politiet-advarer-slove-bileiere-12902.html#.UMogGuR2zao. [Online; accessed 13 December 2012].
Holm, P. A. 2009. Narkometeret kommer til våren. http://www.aftenposten.no/nyheter/iriks/article3277030.ece. [Online; accessed 14 December 2012].
Iijima, Y. 1995. US Patent 5,519,376. http://www.google.no/patents?id=wYAcAAAAEBAJ&printsec=abstract&zoom=4&hl=no. [Online; accessed 7 December 2012].
KVDP. 2010. Car ignition and steering wheel lock.png. http://commons.wikimedia.org/wiki/File:Car_ignition_and_steering_wheel_lock.png. [Online; accessed 7 December 2012].
Laxton, B., Wang, K., and Savage, S. 2008. Reconsidering physical key secrecy: Teleduplication via optical decoding. ACM Conference on Computer and Communications Security.
Lunde, T. 2011. Biltyvene har blitt færre. http://www.dinside.no/864609/biltyvene-har-blitt-faerre. [Online; accessed 14 December 2012].
MercedesClub. 2011. W202 key fob – infrared not working. http://forums.mercedesclub.org.uk/showthread.php?t=82361. [Online; accessed 14 December 2012].
Merriam-Webster. 2012. Definition of joyride. http://www.merriam-webster.com/dictionary/joyride. [Online; accessed 13 December 2012].
CBC News. 2007. Anti-theft device now mandatory in Canadian-made vehicles. http://cbc.ca/news/story/2007/09/01/auto-anti-theft.html. [Online; accessed 7 December 2012].
Nicholas, S., Povey, D., Walker, A., and Kershaw, C. 2005. Crime in England and Wales 2004/2005. Table 2.04.
Ruud, T.-E. T. 2012. Slik stjal bande “tyverisikre” luksusbiler. http://vg.no/nyheter/innenriks/artikkel.php?artid=10055748e. [Online; accessed 14 December 2012].
van der Linden, K. 2012. Stjeler biler i millionklassen og frakter dem til utlandet. http://www.budstikka.no/nyheter/stjeler-biler-i-millionklassen-og-frakter-dem-til-utlandet-1.7515233. [Online; accessed 14 December 2012].
van Ours, J. C. and Vollaard, B. 2011. Engine Immobilizer: A Non-starter for Car Thieves. http://cesifo-group.de/portal/page/portal/CFP_CONF/CFP_CONF_2011/Conf-am11-Gollier/Papers/am11_Vanours.pdf. [Online; accessed 7 December 2012].
Verdult, R., Garcia, F. D., and Balasch, J. 2012. Gone in 360 seconds: Hijacking with Hitag2. IACR ePrint Report.
Wikipedia. 2012. Smart key nomenclature. http://en.wikipedia.org/wiki/Smart_key#Nomenclature. [Online; accessed 13 December 2012].