Real World Attack-Key Fob Attack
The key fob presents its own set of issues involving its wireless transmission as the mode of communication. The German automobile club ADAC released a report showing how to break into cars produced by 19 different manufacturers and 24 vehicle models (Tatarevie, 2016). This attack involves the passive keyless Entry and Start (PKES). This is also known as the remote keyless entry (RKE). This has been a vulnerability since at least 2011 (Francillon, Daner, & Capkun, 2011). In effect this allows the car to be unlocked and started (Vaas, 2016). The attacker could keep the car running until the vehicle would run out of gas.
The affected vehicles are the Audi (A3, A4, and A6), Mazda CX-5, Toyota RAV-4, BMW 730d, Citroen DS4 Crossback, Ford (Galaxy and Eco-Sport), Honda HR-V, Hyundai Sante Fe CRDi, Kia Optima, Lexus RX 450h, Mini Clubman, Mitsubishi Outlander, Nissan (Qashqal and Leaf), Opel Ampera, Range Rover Evoque, Renault Traffic, Ssangyong Tivoli XDi, Suburu Levorg, and Volkswagen (Golf GTD and Tauron 5T) (Vaas, 2016; Zorz, 2016b).
The key fob contains the radio frequency identification chip. The old attack required the attacker to be very close to the vehicle (Crilly, 2015). The new equipment mitigates this with the signal extension. This was done with ADAC building the two devices that extended the service (Tatarevic, 2016). This equipment is not costly at $225 (Zorz, 2016).
The attack method is rather direct and straight-forward. A is holding a tool a few feet from the target’s car. B is near the fob. A impersonates the car’s key and pings the car’s wireless entry system, triggering a signal form the vehicle that seeks a radio response from the key. The signal is relayed between A and B’s equipment up to 300 feet. The correct response is elicited from the key, which is transmitted back to the vehicle (Vaas, 2016).
The defense for this is to shield the key with metallic shielding or a faraday cage or remove the battery (Francillon, Daner, & Capkun, 2011). These modes of defense are not very practical, but do work.
Learn more ways to protect your business at The National Cybersecurity Institute.
Crilly, R. (2015, August 18). Thousands of cars vulnerable to keyless theft, according to researchers. Retrieved from http://www.telegraph.co.uk/news/uknews/11808814/Thousands-of-cras-vulnerable-to-keyless-theft-according-to-researchers.html
Francillon, A., Daner, B., & Capkun, S. (2011, February). Relay attacks on passive entry and start systems in modern cars. In NDSS. Retrieved from http://www.syssec.ethz.ch/content/domain/ethz/special-interest/infk/inst-infsec/system-security-group-dom/research/spot/332.pdf
Tatarevie, B. (2016, March 18). This group defeated keyless entry cars with simple homemade devices. Retrieved from http://www.thetruthaboutcars.com/2016/03/group-defeated-keyless-entry-cars-simple-homemade-devices/
Vaas, L. (2016, March 23). Time to stash your keyless car-entry fob in with the frozen pork chops. Retrieved from https://nakedsecurity.sophos.com/2016/03/23/time-to-stash-your-keyless-car-entry-fob-in-with-the-frozen-pork-chops/?utm_source=Naked+Security+-+Sophos+List&utm_campaign=27f073f88e-naked?252Bsec
Zorz, Z. (2016, February 25). Insecure APIs allow anyone to mess with Nissan leaf electric car. Retrieved from https://www.helpnetsecurity.com/2016/02/25/insecure-apis-allow-anyone-to-mess-with-nissan-leaf-electric-car/
Zorz, Z. (2016b, March 23). Cheap radio attack can be used to unlock and steal 24 car models. Retrieved from https://www.helpnetsecurity.com/2016/03/23/cheap-radio-attack-unlock-steal-cars/
Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.
Mr. Parker has matriculated and attained the MBA, MSA, JD, LLM, and is in the final stage of the PhD in Information Assurance and Security (ABD) from Capella University. Mr. Parker’s areas of interest include cryptography, AV, and SCADA.