Real World Attack-Key Fob Attack
The key fob presents its own set of issues involving its
wireless transmission as the mode of communication. The German automobile club
ADAC released a report showing how to break into cars produced by 19 different
manufacturers and 24 vehicle models (Tatarevie, 2016). This attack involves the
passive keyless Entry and Start (PKES). This is also known as the remote keyless
entry (RKE). This has been a vulnerability since at least 2011 (Francillon,
Daner, & Capkun, 2011). In effect this allows the car to be unlocked and
started (Vaas, 2016). The attacker could keep the car running until the vehicle
would run out of gas.
The affected vehicles are the Audi (A3, A4, and A6),
Mazda CX-5, Toyota RAV-4, BMW 730d, Citroen DS4 Crossback, Ford (Galaxy and
Eco-Sport), Honda HR-V, Hyundai Sante Fe CRDi, Kia Optima, Lexus RX 450h, Mini
Clubman, Mitsubishi Outlander, Nissan (Qashqal and Leaf), Opel Ampera, Range
Rover Evoque, Renault Traffic, Ssangyong Tivoli XDi, Suburu Levorg, and
Volkswagen (Golf GTD and Tauron 5T) (Vaas, 2016; Zorz, 2016b).
The key fob contains the radio frequency identification
chip. The old attack required the attacker to be very close to the vehicle
(Crilly, 2015). The new equipment mitigates this with the signal extension.
This was done with ADAC building the two devices that extended the service
(Tatarevic, 2016). This equipment is not costly at $225 (Zorz, 2016).
The attack method is rather direct and straight-forward.
A is holding a tool a few feet from the target’s car. B is near the fob. A
impersonates the car’s key and pings the car’s wireless entry system,
triggering a signal form the vehicle that seeks a radio response from the key.
The signal is relayed between A and B’s equipment up to 300 feet. The correct
response is elicited from the key, which is transmitted back to the vehicle
(Vaas, 2016).
The defense for this is to shield the key with metallic shielding
or a faraday cage or remove the battery (Francillon, Daner, & Capkun,
2011). These modes of defense are not very practical, but do work.
References
Crilly,
R. (2015, August 18). Thousands of cars vulnerable to keyless theft, according
to researchers. Retrieved from http://www.telegraph.co.uk/news/uknews/11808814/Thousands-of-cras-vulnerable-to-keyless-theft-according-to-researchers.html
Francillon,
A., Daner, B., & Capkun, S. (2011, February). Relay attacks on passive
entry and start systems in modern cars. In
NDSS. Retrieved from http://www.syssec.ethz.ch/content/domain/ethz/special-interest/infk/inst-infsec/system-security-group-dom/research/spot/332.pdf
Tatarevie,
B. (2016, March 18). This group defeated keyless entry cars with simple
homemade devices. Retrieved from http://www.thetruthaboutcars.com/2016/03/group-defeated-keyless-entry-cars-simple-homemade-devices/
Vaas,
L. (2016, March 23). Time to stash your keyless car-entry fob in with the
frozen pork chops. Retrieved from https://nakedsecurity.sophos.com/2016/03/23/time-to-stash-your-keyless-car-entry-fob-in-with-the-frozen-pork-chops/?utm_source=Naked+Security+-+Sophos+List&utm_campaign=27f073f88e-naked?252Bsec
Zorz,
Z. (2016, February 25). Insecure APIs allow anyone to mess with Nissan leaf
electric car. Retrieved from https://www.helpnetsecurity.com/2016/02/25/insecure-apis-allow-anyone-to-mess-with-nissan-leaf-electric-car/
Zorz,
Z. (2016b, March 23). Cheap radio attack can be used to unlock and steal 24 car
models. Retrieved from https://www.helpnetsecurity.com/2016/03/23/cheap-radio-attack-unlock-steal-cars/
No comments:
Post a Comment