A new week, a new hack!
A British and German research team from the University of Birmingham has uncovered another automotive security flaw. They were able to defeat the security of the radio function of remote car keys and open and close vehicles from a distance.
Allegedly, over 100 million vehicles from 15 manufacturers are affected, in models manufactured after 1995.
German journalists and the news website Wired report: “One of the attacks would allow resourceful thieves to wirelessly unlock practically every vehicle the Volkswagen group has sold for the last two decades, including makes like Audi and Škoda.”
The affected makes are all Volkswagen models manufactured after 1995, as well as Audi, Seat and Škoda. The researchers were also able to identify vulnerabilities in some models of Alfa Romeo, Citroen, Dacia, Fiat, Ford, Lancia, Mitsubishi, Nissan, Opel, Peugeot and Renault.
So how do they do it?
To open a vehicle via radio signal, the car key sends an encrypted signal to the car, where it is decrypted. The command, for example “open doors” or “open boot”, is then executed. The vehicle alarm system is also disabled this way.
According to Wired, an expert explains that the researchers used a cheap, easily available piece of radio hardware to intercept signals from a victim’s key, then employed those signals to clone the key. The attacks, the researchers say, can be performed with a software-defined radio connected to a laptop, or in a cheaper and stealthier package, an Arduino board with an attached radio receiver that can be purchased for $40. “The cost of the hardware is small, and the design is trivial,” says the computer scientist. “You can really build something that functions exactly like the original remote.”*
In affected Volkswagen vehicles, the researchers succeeded in extracting the cryptographic key from the chips. This allowed them to reproduce the radio function of a key as desired. It is sufficient to capture the encrypted signal from the car key once. Criminals could then open the car with the copied code at the press of a button, steal items from it and even lock it again. For the owner, this intrusion is hardly traceable: the opening leaves no traces on the car or in the logs of the control electronics. The necessary hardware costs less than one hundred euros and fits in a backpack.
In a second series of the research, the security researchers worked on the “Hitag2 system”, an encryption technique from Dutch chip manufacturer NXP that is used by a number of manufacturers. The researchers were able to determine vulnerabilities in models of Alfa Romeo, Citroen, Dacia, Fiat, Ford, Lancia, Mitsubishi, Nissan, Opel, Peugeot and Renault.
According to the researchers, overcoming the NXP chip is more difficult than for Volkswagen: a criminal has to intercept at least four different radio signals from the original key to succeed.
Thieves are now well-versed in vehicle technology and much more professional than ever before. For models whose vulnerabilities are known, crooks sell equipment online to overcome the immobilizer and reproduce keys. For a few thousand dollars, you can obtain a starter kit. Up to now, the thieves' problem has been to break in unobtrusively without triggering the vehicle alarm.
None of the manufacturers have responded in detail so far.
The only way to safely avoid this issue is to manually lock and unlock the car with the key and dispense with your remote control completely.
*Source: Wired.com, Sued