Recently I lost my car key and with it went my “remote entry” fob. Only then did I realize how inconvenient it is to have to use the physical key to open the door or the trunk every time. So I did a bit of research online and found that I can buy a new remote entry unit for only $70 on amazon and “program” it for the car myself (which involves procedures like turning the ignition on and off three times within 10 seconds, etc.). While this is easy and convenient, it made me question the security of these devices: how hard is it for someone else to hack this device and get into my car?
I then did some more reading online. Here’s how a remote key worked in the early days: the transmitter in the key fob sends out a signal containing a unique identifying code to the car for verification. If the car verifies that the code is correct, it opens the door or starts the engine. As the unique code is fixed, an attacker can “capture” the code the transmitter sends and simply re-transmit it to open the car.
Modern remote controllers are a lot more complex and robust: they use something called a rolling code (normally 40-bit) to provide security. Both the transmitter and the receiver use the same pseudo-random number generator. When the transmitter sends a 40-bit code, it uses the pseudo-random generator to pick a new code for next time. On the other end, when the receiver receives a valid code, it uses the same pseudo-random generator to pick the new one it expects next. In this way, the receiver only opens the door if it receives the code it expects. Capturing the old code will no longer work, as the old code is no longer valid.
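To make the difference concrete, here is a small simulation I am adding (it is not code from the post’s sources or from any real fob). It models the early fixed-code design next to a rolling-code design. The shared “pseudo-random generator” is stood in for by a keyed hash of a press counter, truncated to 40 bits; the secret, the lookahead window of 16 codes, and the press sequence are all constructed for the demo.

```python
import hashlib
import hmac

CODE_BITS = 40   # the post says rolling codes are normally 40-bit
LOOKAHEAD = 16   # assumed value: how many not-yet-seen codes the receiver tolerates


def derive_code(secret: bytes, counter: int) -> int:
    """Stand-in for the shared pseudo-random generator: the n-th code is a keyed
    hash of the counter, truncated to 40 bits. Both sides hold the same secret."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[: CODE_BITS // 8], "big")


class FixedCodeFob:
    """Early-style fob: every press sends the same identifier."""
    def __init__(self, code: int):
        self.code = code

    def press(self) -> int:
        return self.code


class FixedCodeCar:
    def __init__(self, code: int):
        self.code = code

    def receive(self, code: int) -> bool:
        return code == self.code   # a captured code stays valid forever


class RollingFob:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> int:
        code = derive_code(self.secret, self.counter)
        self.counter += 1          # pick the next code for the next press
        return code


class RollingCar:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.expected = 0          # counter of the next code the car expects

    def receive(self, code: int) -> bool:
        # Accept the expected code or one of the next LOOKAHEAD codes, so that
        # presses made out of range (fob advanced, car did not) still work.
        for offset in range(LOOKAHEAD):
            if derive_code(self.secret, self.expected + offset) == code:
                self.expected += offset + 1   # that code and all earlier ones are now stale
                return True
        return False


def simulate() -> dict:
    """Run both designs through the same sequence: a press, a replay of the
    captured press, several presses out of range, then a stale replay."""
    results = {}

    fob, car = FixedCodeFob(0xA5A5A5A5A5), FixedCodeCar(0xA5A5A5A5A5)
    captured = fob.press()
    results["fixed_first_press"] = car.receive(captured)
    results["fixed_replay"] = car.receive(captured)           # still accepted

    secret = b"constructed demo secret, not a real key"
    fob, car = RollingFob(secret), RollingCar(secret)
    captured = fob.press()
    results["rolling_first_press"] = car.receive(captured)
    results["rolling_replay"] = car.receive(captured)         # same bits again: rejected
    for _ in range(5):                                        # presses the car never heard
        fob.press()
    results["rolling_after_out_of_range"] = car.receive(fob.press())  # inside lookahead
    results["rolling_stale_replay"] = car.receive(captured)   # window has moved on
    return results


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name:30} {'accepted' if ok else 'rejected'}")
```

The lookahead window is what lets the fob keep working after it is pressed out of range, and it is also why the window must stay small: every code inside it is valid until the car sees one past it.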
Some remote key manufacturers claim that attacks on such remote controllers exist only in theory and are hardly practical. However, the paper “Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars”, presented at the 2011 Network and Distributed System Security Symposium, demonstrated a relay attack on such systems. Here’s my quick understanding of how the relay attack works: a Passive Keyless Entry System has the car periodically send signals to the key. As the signal is very weak, it can only be picked up by the key when the key is very close to the car. The relay attack works by placing one antenna near the car and another near the key. The first antenna picks up the signal the car sends out and relays it to the second antenna close to the key, which tricks the system into thinking that the key is within short distance of the car. Note that the codes themselves are never broken; the relay simply extends the range of the normal exchange between car and key. Here’s a scenario proposed by the paper.
In this Parking Lot scenario, the attackers can install their relay setup in an underground parking garage, placing one relay antenna close to the passage point (a corridor, a payment machine, an elevator). When the user parks and leaves his car, the Passive Keyless Entry System will lock the car. The user then exits the parking garage confident that his car is locked (feedback from the car is often provided to the owner with indicator lights or horn). Once the car is out of the user’s sight, the attackers can place the second antenna at the door handle. The signals will now be relayed between the passage point and the car. When the car owner passes in front of this second antenna with his key in the pocket, the key will receive the signals from the car and will send the open command to the car. As this message is sent over UHF it will reach the car even if the car is within a hundred meters [10]. The car will therefore unlock. Once the attacker has access to the car, the signals from within the car are relayed and the key will now believe it is inside the car and emit the allow start message. The car can now be started and driven. When the attacker drives away with the car, the relay will no longer be active. The car may detect the missing key; however, for safety reasons, the car will not stop, but continue running. Similarly, the car might detect a missing key for several other reasons, including if the key battery is depleted. Some car models will not notify the user if the key is not found when the car is on course, while some will emit a warning beep. None of the evaluated cars stopped the engine if the key was not detected after the engine had been started.
There are two restrictions on this attack: 1) the antenna on the car side must be really close (30 cm) to the car; 2) the antenna on the key side must be within 8 meters of the key. As we can see from the scenario, these two requirements are not that hard to satisfy. Moreover, all the equipment used in the relay attack can be built for under $1000, making it very feasible. The authors tested this approach on 10 different cars from different manufacturers, and all of them proved to be vulnerable to the attack.
It looks like remote car keys are not that safe after all. The only good news is that none of the police agencies had ever heard of an instance of an automobile theft being accomplished through such high-tech techniques. Rather than going to the trouble of setting up the equipment, thieves prefer to simply smash the windows.
Relevant links:
http://auto.howstuffworks.com/remote-entry.htm
http://www.snopes.com/autos/techno/lockcode.asp
http://eprint.iacr.org/2010/332.pdf