From www.rfidanalysis.org...

Own a Mercedes S550 or BMW X5? A Toyota Prius, or a Ford Escape? Beware: that keyless ignition system might make it easy for someone to steal your vehicle.

In February, researchers at Johns Hopkins University published a report on their success with using a laptop computer with a microreader to capture and decrypt the sequence code from a keyless ignition fob, allowing them to unlock the doors and start a 2005 Ford Escape SUV - without using a key. The vulnerable technology exists in a large number of vehicle designs that use the Texas Instruments (TI) chip, including Mercedes, BMW, Ford and Toyota.

The practice of stealing cars with a laptop has not yet become prevalent in the United States, but it is happening in Europe. David Beckham, the famous UK soccer star, has already had two customized BMW X5s stolen using this technique.

A keyless ignition system is a convenient feature that allows you to unlock your car and start the engine without fiddling with a key. The devices work up to six feet away from the car, so the keys can be left in a purse or pocket. When you get close to your vehicle the doors automatically unlock, and once inside a simple push of a button or turn of a knob allows you to start your car. The nice thing is fobs don't require a battery because they are passive; instead of sending a signal, they are powered by the signal emitted from the car. This makes them somewhat different from the “old school” alarm fob you probably already have.

Since the vehicle is essentially broadcasting its code and looking for a response from the fob, data thieves are able to intercept the RFID data and replicate it – all in less than half an hour. And once they have stolen the code sequence, they have the keys to the kingdom. They can use the code not only to shut off the security system and unlock the car doors, but also to start the car without a key.

According to the researchers, the TI RFID chip contains rolling 40-bit strings of codes and after each use, the code changes slightly, to create about 1 trillion different combinations. While that may sound like a lot, it is not difficult to hack with today’s laptops.

The researchers found that by being in the proximity of someone with a keyless ignition device and simulating a car's broadcasts with a laptop, they were able to capture two “challenge-and-response” sequences in less than a second without the owner knowing. They then decrypted the sampled challenge-response pairs using brute-force attack techniques. Once they had the matching codes, they could predict the rolling sequence and unlock and start the car. The process only took about 20 minutes.

One of the reasons the codes are relatively easy to crack is that they are based on outdated 40-bit encryption technology. More powerful encryption is available, such as the 128-bit Advanced Encryption Standard (AES), but this would require higher power consumption.
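To put numbers on the two preceding paragraphs, here is an added illustration (not code from the article or from the Johns Hopkins researchers) of why a 40-bit key falls to exhaustive search while a 128-bit one does not: a stand-in challenge-response function, the counting argument for how many captured pairs pin down a key, and a toy-sized exhaustive check. The 24-bit response length, the search rate and the toy key/challenge values are assumptions; truncated HMAC-SHA256 stands in for the chip's cipher and is not the TI algorithm.

```python
import hashlib
import hmac

# The 40-bit key is from the article; the 24-bit response length is an
# assumption used only for the arithmetic below.
KEY_BITS = 40
RESPONSE_BITS = 24


def respond(key: int, challenge: bytes, response_bits: int = RESPONSE_BITS) -> int:
    """Stand-in for the fob: answer the car's challenge under the shared key.
    Truncated HMAC-SHA256 makes the exchange concrete; it is NOT the TI cipher."""
    tag = hmac.new(key.to_bytes(16, "big"), challenge, hashlib.sha256).digest()
    return int.from_bytes(tag, "big") >> (256 - response_bits)


def expected_wrong_keys(key_bits: int, response_bits: int, pairs: int) -> float:
    """Expected number of wrong keys still consistent with `pairs` captured exchanges.
    Each pair filters the key space by 2**response_bits: at 40/24 bits one pair
    leaves about 2**16 candidates and a second pair singles out the true key."""
    return 2.0 ** (key_bits - response_bits * pairs)


def brute_force_seconds(key_bits: int, keys_per_second: float) -> float:
    """Worst-case time to try every key at a given search rate."""
    return 2.0 ** key_bits / keys_per_second


def capture(key: int, challenges, response_bits: int):
    """Constructed eavesdropper's view: the (challenge, response) pairs on the air."""
    return [(c, respond(key, c, response_bits)) for c in challenges]


def consistent_keys(pairs, key_bits: int, response_bits: int) -> list:
    """Exhaustive check over a toy-sized key space (thousands of keys, not 2**40)
    that the filtering argument holds: every key matching all captured pairs."""
    return [k for k in range(2 ** key_bits)
            if all(respond(k, c, response_bits) == r for c, r in pairs)]


if __name__ == "__main__":
    print(f"{2 ** KEY_BITS:,} keys")  # the article's "about 1 trillion" combinations
    print(expected_wrong_keys(KEY_BITS, RESPONSE_BITS, 1))  # 65536.0
    print(expected_wrong_keys(KEY_BITS, RESPONSE_BITS, 2))  # 0.00390625
    print(brute_force_seconds(KEY_BITS, 2 ** 20) / 86400, "days")  # about 12 days
    print(brute_force_seconds(128, 2 ** 20) / 3.15e7, "years")  # about 1e25 years
    # toy sizes: 12-bit keys, 4-bit responses, three constructed challenges
    toy_pairs = capture(0x2A5, [b"\x01", b"\x02", b"\x03"], 4)
    print(len(consistent_keys(toy_pairs[:1], 12, 4)), len(consistent_keys(toy_pairs, 12, 4)))
```

The defender's takeaway is the ratio: at 2^20 keys per second the 40-bit space is exhausted in days, while the 128-bit space the article recommends is not searchable on any timescale that matters.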

Consumer advocates are warning buyers to be aware of these shortcomings and to not purchase cars with keyless ignition systems until the manufacturers can provide at least 128-bit AES encryption.

Sniffing data streams may be relatively new in the automotive sector, but it is not new in corporate networks. This is why security-focused organizations are now using 128-bit AES and even 256-bit AES encryption algorithms for data streams, ensuring security to even “top secret” military specifications.

I'll be damned...