Cars and Key Fobs: Attacks on Car Remotes by Pikamander2
Overview
Almost all cars currently come with a key fob, which allows you to open the doors, and start the car. When you buy a car, the convenience is the compelling feature. You can leave the key fob in your pocket, and never again worry about having a physical key. It sounds great.
The implicit assumption you make is that the key fob system is secure, and that some random person with $50 of hardware can’t drive off with your car. You have no real way to tell whether the car company did a reasonable job with their system, so you have to trust them. Unfortunately, that trust is not always warranted. And it isn’t until people try to hack these systems that the problems come out. Problems that less scrupulous people may have already been exploiting.
Your Car’s Key Fob
There are lots of different key fob systems. We’ll start by looking at the key fob for my 2006 Prius. Key fobs use something called a Remote Keyless System (RKS). In the U.S. these operate at 315 MHz, +/- 2.5 MHz. My Prius key turned out to be at 312.590 MHz. The key fobs are all listed in the FCC database. Watching for new entries is one of the ways people can tell when new car models are coming out; these will appear long before the official announcement.
You can figure out what frequency your key fob transmits on using your SDR and GQRX or SDR# to monitor the spectrum. When you push a button on the fob, you should see a brief jump in the spectrum. You may need to shift the frequency band up or down by a couple of MHz to find the signal; mine was almost 2.5 MHz low.
One word of caution. Don’t get too carried away pushing the button! The RKS system uses a rolling pseudo-randomly generated code. Both the key fob and the car keep in sync, so that the car recognizes the next code. However, if the key fob gets too far ahead in the sequence (100s of button pushes) the car won’t recognize it. That makes the key (and the car) considerably less useful!
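The sync behaviour described above, as an added example that is not the article's code: a simplified rolling-code scheme in which every fob press advances a counter and the car accepts only codes strictly ahead of the last one it saw, within a look-ahead window. The Prius's actual code generator is not on the page, so an HMAC of the counter stands in for it, and the window size of 256 is an assumed value; the point is that a replayed code is refused and that too many unheard presses push the fob past the window.

```python
import hashlib
import hmac

# Assumed window: how many unheard presses the car tolerates before losing sync.
WINDOW = 256
SHARED_KEY = b"constructed-per-fob-secret"   # constructed secret shared by fob and car


def rolling_code(key: bytes, counter: int) -> bytes:
    """Code transmitted for a counter value. A keyed PRF stands in for the
    manufacturer's generator, which the article does not describe."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Fob:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        self.counter += 1            # advances whether or not the car hears it
        return rolling_code(self.key, self.counter)


class Car:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def receive(self, code: bytes) -> bool:
        # Only counters strictly ahead of the last accepted one are tried, so a
        # code at or behind it (a replay) is refused; a match resynchronises.
        for c in range(self.counter + 1, self.counter + WINDOW + 1):
            if hmac.compare_digest(rolling_code(self.key, c), code):
                self.counter = c
                return True
        return False


def simulate(presses_out_of_range: int) -> bool:
    """Press once in range, N times out of range, then once in range again;
    return whether the car accepts that final press."""
    fob, car = Fob(SHARED_KEY), Car(SHARED_KEY)
    if not car.receive(fob.press()):
        raise RuntimeError("first press should always be accepted")
    for _ in range(presses_out_of_range):
        fob.press()                   # the car never hears these
    return car.receive(fob.press())


def replay_rejected() -> bool:
    """A code that was accepted once is not accepted a second time."""
    fob, car = Fob(SHARED_KEY), Car(SHARED_KEY)
    code = fob.press()
    return car.receive(code) and not car.receive(code)


if __name__ == "__main__":
    print("resync after 50 missed presses:", simulate(50))     # True
    print("resync after 500 missed presses:", simulate(500))   # False
    print("replay rejected:", replay_rejected())               # True
```

Real implementations add a resynchronisation procedure (typically two consecutive presses received together) for the out-of-window case; the model above simply refuses, which is the "considerably less useful" state the text describes.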
If we capture the signal, the result is shown below:
The total width of the plot is 10 seconds, so you can see there is one key press shortly after 2 seconds, and another shortly after 5 seconds.
If we plot 100 ms starting at 2 seconds, we can see the digital signal we are looking for:
Zooming in to the first couple of bits, we get
The bits are easy to identify. A decision threshold of 15 will give almost perfect detection. If we do this, and then plot the first part of the digital data for the two key presses, we get this:
Although the two start the same, they rapidly diverge. This is fortunate, because if the signal was the same every time, you’d have enough information to steal my car now!
The data is again on-off keying (OOK). It is also almost certainly split phase (or Manchester) encoding. Instead of a “1” being high and a “0” being low, the information is encoded in the transition from high to low or low to high. That means that a “0” bit is a rising transition, and a “1” bit is a falling transition. A good way to recognize split phase encoding is that you can only have one or two low or high segments in a row. The nice thing about Manchester encoding is that every symbol has a transition, and these are easier to find than when the signal has been high or low for several intervals.
This example is OOK, which is the most common for car remotes. Some use frequency-shift keying (FSK), where each bit is transmitted as a different frequency, and the envelope is constant.
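The thresholding and Manchester decoding steps above, as an added example rather than the article's own code. The sample values and the number of samples per half bit are constructed (the real figure depends on the SDR sample rate and the fob's bit period); the threshold of 15 and the rising-is-0, falling-is-1 convention come from the text. The `looks_manchester` check encodes the "at most two segments in a row" rule of thumb.

```python
THRESHOLD = 15            # decision threshold from the article
SAMPLES_PER_HALF = 4      # assumed: envelope samples per half-bit period


def ook_threshold(samples, threshold=THRESHOLD):
    """Envelope magnitudes -> one 0/1 level per sample."""
    return [1 if s > threshold else 0 for s in samples]


def longest_run(levels):
    """Length of the longest stretch of identical levels."""
    best = run = 1
    for a, b in zip(levels, levels[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best


def looks_manchester(levels, samples_per_half=SAMPLES_PER_HALF):
    """Manchester never holds a level longer than two half-bit periods."""
    return longest_run(levels) <= 2 * samples_per_half


def manchester_decode(levels, samples_per_half=SAMPLES_PER_HALF):
    """Decode with the article's convention: low->high = 0, high->low = 1.
    Each bit spans two half periods; we sample the middle of each half."""
    bits = []
    for i in range(len(levels) // (2 * samples_per_half)):
        first = levels[(2 * i) * samples_per_half + samples_per_half // 2]
        second = levels[(2 * i + 1) * samples_per_half + samples_per_half // 2]
        if (first, second) == (0, 1):
            bits.append(0)
        elif (first, second) == (1, 0):
            bits.append(1)
        else:
            raise ValueError(f"symbol {i} has no mid-bit transition; not Manchester")
    return bits


def manchester_encode(bits, samples_per_half=SAMPLES_PER_HALF, high=28, low=3):
    """Build constructed envelope samples: 0 -> low then high, 1 -> high then low."""
    out = []
    for b in bits:
        for level in ((low, high) if b == 0 else (high, low)):
            out.extend([level] * samples_per_half)
    return out


if __name__ == "__main__":
    payload = [1, 0, 1, 1, 0, 0, 1, 0]                 # constructed bit pattern
    levels = ook_threshold(manchester_encode(payload))
    print("looks like Manchester:", looks_manchester(levels))
    print("decoded:", manchester_decode(levels))
```

On a real capture you would first estimate the half-bit period from the shortest run of identical levels, then pass that to the decoder; the hard-coded constant here only serves the constructed data.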
Attacks on Car Remotes
There are lots of different attacks that can be used against car remotes, depending on how they work, and what sort of access y
18 Comments
trishmapow2
Did a high school project on the jam and replay attack mentioned here: https://github.com/trishmapow/rf-jam-replay. Low cost SDRs have been a real game changer in letting the average Joe get started in this space. Good to see that more unis have courses with this type of hands on experimentation.
spacebanana7
One thing I would’ve liked about an Apple car is the security. Imagine FaceID, secure enclaves and MFA. An iPhone on wheels would be immune to most, if not all, of these attacks.
sorenjan
BMW has a page describing the use of UWB (Ultra Wide Bandwidth) radio in key fobs and how it helps against relay attacks. In short it's because the wide bandwidth allows for very short pulses which lets them measure the distance between the car and the key, and using a relay will inevitably add distance and therefore time between the signal is sent and the reply is received.
https://www.bmw.com/en/innovation/bmw-digital-key-plus-ultra…
relaxing
Only two lecture slide decks?
Did the professor get tired of uploading the material for students to review post lecture?
H8crilA
BTW, car keys (physical keys) are notoriously weak, generally susceptible to simple raking attacks. You can learn how to rake a lock in a few minutes, and the rake+tensioner itself costs around $5. And all cars include a physical key as a backup entry method. This was partially solved by adding another device that cuts off the engine, the immobilizer, which still allows the attacker to get in, but not to drive off.
myself248
For the time being, I just store my keys in a little cast iron dutch oven, sitting on top of the fridge.
It's extremely effective as a shield for the 125kHz LF wake-up signal, and I've been unable to elicit a response when they're in there, even with a relay setup that reliably wakes them up from several feet away otherwise.
DebtDeflation
The current gold standard for vehicle theft protection is:
IGLA system to block the CAN bus, LIN bus, and OBD-II port. It also protects against key fob cloning/relay attacks.
+
A hidden physical kill switch that cuts off the fuel pump relay (the company 41.22 makes a drop in that doesn't require wire splicing).
+
A hidden GPS tracker with an onboard backup battery in the event the car battery is disconnected.
None of this stops someone with a flatbed from simply towing your vehicle away, but at least the GPS tracker will give you a window to locate them.
ta1243
I have a physical key which I physically put in a hole in the steering column. This means I know exactly where it is when I come to parking the car, and you need to physically have it in contact to drive the car away.
I don't get the appeal of keyless ignition.
zero_k
Broke a few of these for my old work — HiTag2 and Megamos, some of the code&knowledge used for the attack is online&published, but neither can be used to actually break the ciphers as-is [1][2]. The issue used to be that the cipher employed needed to be low-power, fast, and reliable. With current technology, one could easily use AES, and no serious auto maker should be using HiTag2/Megamos. They were hand-rolled ciphers. The way AES is used (i.e. the protocol itself) could still be wrong, of course, e.g. allowing for replay attacks, etc.
[1] Doesn't have some features which you need to use to actually attack HiTag2: https://github.com/msoos/grainofsalt
[2] Used for various pre-processing that is useful (but not necessary) to break Megamos, but _far_ from the actual attack: https://github.com/meelgroup/bosphorus/
gadders
So many Range Rovers are being stolen in the UK that the manufacturer has started contributing towards insurance costs: https://www.whatcar.com/news/range-rover-insurance-owners-to…
mppm
I'm confused why this is still an unsolved problem. A simple cryptographic challenge with pre-shared keys + button press ought to make key fobs perfectly secure for all practical purposes. Is there something I'm missing here?
stewx
We should just GPS track the cars and arrest the thieves.
madphilosopher
Vulnerabilities like this lead to car thefts. Some models of cars are more susceptible than others, and the manufacturers seem unwilling to fix the problem. The insurance companies know which models are more trouble for them, and so they set higher rates for these, which punishes the driver/owner for something outside of their control.
My solution? Require the manufacturers of vulnerable models to pay the insurance on behalf of the driver/owner as long as the vulnerabilities go unfixed.
throw0101d
For a good modern day automobile security system, at least in the US, get a car with a manual transmission.
Ballas
Code-hopping remotes have existed for a very long time, and I am really surprised that it's not the case here. I have had cars that were made in the 90's that used KeeLoq, a technology from the mid 80's.
In fact, all of my door openers and car remotes have some form of code-hopping and it's certainly not because they were specifically chosen for that aspect.
Sure, there are attacks for code-hopping systems as well, but it's a completely different league.
bufferoverflow
Why can't it be very simple and secure? Car and fob share a secret key.
When you click on the open button on the fob, you send
SHA256(key)
Car responds with a random challenge
RND
Fob sends
SHA256(key XOR RND)
Car does the same calculation and compares.
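The challenge-response exchange proposed in the comment above, written out as an added example (not the commenter's code) with both sides' messages. One design choice differs from the comment: the response is computed as HMAC-SHA256(key, RND), the standard keyed-MAC construction, rather than SHA256(key XOR RND). The shared key is constructed, and the challenge is single-use, which is what makes a recorded response worthless against a later challenge.

```python
import hashlib
import hmac
import os

KEY = b"constructed-shared-secret-for-demo"   # constructed; a real fob would hold a random key


class Fob:
    def __init__(self, key: bytes):
        self.key = key

    def hello(self) -> bytes:
        # "SHA256(key)" from the comment: identifies the fob without revealing the key
        return hashlib.sha256(self.key).digest()

    def respond(self, rnd: bytes) -> bytes:
        # keyed MAC over the challenge (HMAC rather than the comment's XOR form)
        return hmac.new(self.key, rnd, hashlib.sha256).digest()


class Car:
    def __init__(self, key: bytes):
        self.key = key
        self.pending = None          # the one outstanding challenge, if any

    def challenge(self, fob_id: bytes):
        # Only issue a challenge to a fob whose identifier matches our key.
        if not hmac.compare_digest(fob_id, hashlib.sha256(self.key).digest()):
            return None
        self.pending = os.urandom(16)   # fresh RND every time
        return self.pending

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None          # single use: a challenge is never checked twice
        return hmac.compare_digest(expected, response)


def run_unlock(car: Car, fob: Fob) -> bool:
    """The full exchange: hello -> RND -> MAC(RND) -> decision."""
    rnd = car.challenge(fob.hello())
    return rnd is not None and car.verify(fob.respond(rnd))


def legitimate_unlock_ok() -> bool:
    return run_unlock(Car(KEY), Fob(KEY))


def wrong_key_rejected() -> bool:
    return not run_unlock(Car(KEY), Fob(b"some-other-constructed-key"))


def recorded_response_rejected() -> bool:
    """A response captured from one session does not satisfy a later challenge."""
    car, fob = Car(KEY), Fob(KEY)
    rnd = car.challenge(fob.hello())
    recorded = fob.respond(rnd)
    if not car.verify(recorded):
        raise RuntimeError("the original session should succeed")
    car.challenge(fob.hello())        # later session: new RND is issued
    return not car.verify(recorded)   # the old response no longer matches


if __name__ == "__main__":
    print("legitimate unlock:", legitimate_unlock_ok())              # True
    print("wrong key rejected:", wrong_key_rejected())               # True
    print("recorded response rejected:", recorded_response_rejected())  # True
```

What the scheme does not cover is the relay scenario other comments raise: a response forwarded in real time from a distant fob is still fresh, which is why distance-bounding approaches such as UWB are discussed alongside it.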
crustycoder
This is an old article and whilst there are undoubtedly still vulnerable vehicles, with the advent of UWB it seems to be a solved problem.
My car has UWB, there's a LED on the fob that blinks when it is in range and if it's stationary for a short time, it inactivates as well. Some experimentation suggests you need to be within about 5m of the car to open the doors.
The localisation seems to be very accurate, even if you can open the car from a distance it won't start unless the fob is physically within it. If I sit in the driver seat the fob has to be less than 10mm away from the outside of driver's window, otherwise it refuses to start.