Key fobs at risk
Charles Parker, II
A decade ago, breaking into a vehicle was a relatively easy
manual process. As technology improved, more of it was implemented in the
vehicle. We are at the point where the vehicle is a computer on wheels. This
will be even more the case once vehicle manufacturers implement automotive
Ethernet throughout the vehicle.
To remove the opportunity for theft, a new technology was placed in the
vehicle: the immobilizer. This reduced the number of key fob attacks by
removing relay attacks from the attack surface, as these required the attacker
to be within range of the original key.
Cryptography Applied to the Key Fob
The key fobs added a cryptographic function to the unlocking device. The
attacker could no longer simply sniff the key fob communicating with the
vehicle and replay the signal to break into the vehicle; the cryptographic
function instead scrambled the key fob communication.
New Attack
The attack-defense cycle was at work here. The defense (the
manufacturer) created a cybersecurity feature to stop the attacks. The
attackers viewed this, reverse engineered the process, and created a new attack
circumventing the cybersecurity feature. This instance was no different. The
attackers grasped the idea of breaking through the feature with the key fobs,
researched the idea, and reverse-engineered the process.
The researchers purchased a few immobilizer electronic control units from
eBay. With these in hand, the researchers were able to reverse engineer the
firmware located within the key fobs. The purpose of this was to analyze the
method of communication between the key fob and the vehicle.
The analysis indicated the key used was very easy to crack. The communication
was secured with Texas Instruments DST80 encryption. This normally would not be
a significant detriment; however, the manufacturer’s implementation was the
issue. For instance, the Toyota implementation derived the key from the
transponder's serial number. What made this worse was that the transponder
revealed its serial number to anyone who scanned it with an RFID reader. This
portion of the research was not difficult to complete: RFID readers are for
sale on Amazon for under $30, and working with them is not complicated.
Another example involved Kia and Hyundai. These manufacturers used only 24
random bits rather than the 80 bits the DST80 key offers. To put this in
perspective, a 24-bit key could be cracked with a laptop in a few milliseconds.
Unfortunately, the rationale for not using the greater number of bits is
unknown; perhaps this was for a cost or processing-time savings.
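The following toy model is an added illustration, not code from the Wouters et al. paper or from any manufacturer. It shows the two points made above: first, why a keyed challenge-response defeats the plain replay described under "Cryptography Applied to the Key Fob", and second, why the key-provisioning choices described here (a key derived from a serial number that any reader can obtain, and a key with only 24 random bits) undo that protection. HMAC-SHA256 stands in for the DST80 cipher, the 8-byte response length, the 5-byte challenges, the derivation rules and the keys-per-second rate are all constructed assumptions, and the exhaustive search is run at 16 bits so it finishes in well under a second.

```python
"""Toy immobilizer model (added illustration; not DST80 and not any vendor's code).
A keyed challenge-response plus the two provisioning flaws the text describes."""
import hashlib
import hmac

KEY_BYTES = 10   # the 80-bit DST80 key length named in the text
TAG_BYTES = 8    # assumed response length; long enough that a search match is unambiguous


def respond(key: bytes, challenge: bytes) -> bytes:
    """Transponder side: keyed response to a fresh challenge (HMAC stands in for the cipher)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:TAG_BYTES]


def vehicle_accepts(key: bytes, challenge: bytes, response: bytes) -> bool:
    """Vehicle side: accept only a response computed over this specific challenge."""
    return hmac.compare_digest(respond(key, challenge), response)


def replay_succeeds(key: bytes, old_challenge: bytes, new_challenge: bytes) -> bool:
    """What the cryptographic function buys: a response sniffed during one session
    is useless against the next challenge, so plain replay fails."""
    sniffed = respond(key, old_challenge)
    return vehicle_accepts(key, new_challenge, sniffed)


def key_from_serial(serial: bytes) -> bytes:
    """Flaw 1 as described for Toyota: the key is a deterministic function of the
    serial number the transponder hands to any RFID reader. Anyone who reads the
    serial recomputes the key; no search is needed. (Constructed derivation.)"""
    return hashlib.sha256(b"constructed-derivation:" + serial).digest()[:KEY_BYTES]


def key_from_random_bits(value: int, entropy_bits: int) -> bytes:
    """Flaw 2 as described for Kia/Hyundai: only `entropy_bits` of the 80-bit key
    are random; the remaining bytes are constant padding."""
    nbytes = (entropy_bits + 7) // 8
    return value.to_bytes(nbytes, "big").ljust(KEY_BYTES, b"\x00")


def recover_random_bits(challenge: bytes, response: bytes, entropy_bits: int):
    """Exhaustive search over the 2**entropy_bits candidate keys given a single
    observed challenge/response pair. Returns the random value, or None."""
    for cand in range(1 << entropy_bits):
        if vehicle_accepts(key_from_random_bits(cand, entropy_bits), challenge, response):
            return cand
    return None


def seconds_to_exhaust(entropy_bits: int, keys_per_second: float) -> float:
    """Worst-case time to try every candidate key at an assumed rate."""
    return (2 ** entropy_bits) / keys_per_second


if __name__ == "__main__":
    # Constructed demonstration values
    serial = bytes.fromhex("0011223344")
    challenge = bytes.fromhex("a1b2c3d4e5")

    # Replay fails once a fresh challenge is involved
    k = key_from_serial(serial)
    print("replay accepted:", replay_succeeds(k, challenge, bytes.fromhex("a1b2c3d4e6")))

    # Flaw 1: reading the serial is enough to compute a response the vehicle accepts
    cloned = key_from_serial(serial)
    print("clone from serial accepted:", vehicle_accepts(k, challenge, respond(cloned, challenge)))

    # Flaw 2: 16 random bits here so the search finishes quickly; 24 bits is 256x the work
    secret = 0xBEEF
    observed = respond(key_from_random_bits(secret, 16), challenge)
    print("recovered random bits:", hex(recover_random_bits(challenge, observed, 16)))

    # Keyspace arithmetic at an assumed 1e8 keys/second
    for bits in (24, 80):
        print(f"{bits} bits: {seconds_to_exhaust(bits, 1e8):.3g} s worst case")
```

The point for a design review is the last two functions taken together: the cipher and the challenge-response exchange can be sound, yet the search cost collapses to 2^24 when only 24 key bits are random, and to zero when the key is computable from an identifier the transponder reveals on request.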
With either attack, once you have the cryptographic key, unlocking the vehicle
and doing as you wish is not a far stretch of the imagination. The only other
addition to the attack is that the person needs to be able to turn the
ignition. This may be bypassed using old-school technology (e.g., a screwdriver
or hot-wiring).
This was a rather significant decrease in cybersecurity
applied to the key fob-vehicle communication process. This is much like
cybersecurity retreating to the 1980s.
Application
This serious vulnerability is not applicable to all models from the three
automakers; it applies to older models. While this is positive, it still leaves
those vehicles at risk of theft and other malicious actions.
This does, however, affect many models. To show the extent,
following is the listing:
Toyota
Auris 2009-2013
Camry 2010-2013
Corolla 2010-2014
FJ Cruiser 2011-2016
Fortuner 2009-2015
Hiace 2010+
Highlander 2008-2013
Land Cruiser 2009-2015
RAV4 2011-2012
Urban Cruiser 2010-2014
Yaris 2011-2013
Kia
Ceed 2012+
Carens 2014
Rio 2011-2017
Soul 2013+
Optima 2013-2015
Picanto 2011+
Hyundai
I10 2008+
I20 2009+
Veloster 2010+
IX20 2016
I40 2013
What did we learn?
Over time, security should improve. The attackers are not limiting their
attacks or the types of technology used for them; they certainly are not moving
backward in their attack plans. Using the cryptography in the form it was used
here is not appropriate. The cybersecurity needs to at least match the known
attacks; better, it should be optimized against both known and future attacks.
This is done through testing and a forward-looking cybersecurity architecture.
Cybersecurity needs to be built into the product from the beginning of the
project. With this in place, the project’s timeline and costs are kept in line.
Having to re-engineer, approve, and retrain staff is a costly venture.
Resources
Ansari, U. (2020, March 6). Poor car keys encryption: Hackers can clone millions of Toyota, Kia and Hyundai keys. Retrieved from https://www.carspiritpk.com/2020/03/poor-car-keys-encryption-hackers-can-clone-millions-of-toyota-kia-and-hyundai-keys/
E&T. (2020, March 6). Millions of cars’ anti-theft systems vulnerable to hacking. Retrieved from https://eandt.theiet.org/content/articles/2020/03/millions-of-cars-anti-theft-systems-vulnerable-to-hacking/
Greenberg, A. (2020, March 5). Hackers can clone millions of Toyota, Hyundai, and Kia keys. Retrieved from https://www.wired.com/story/hackers-can-clone-millions-of-toyota-hyundai-kia-keys/
Greenberg, A. (2020, March 7). Hackers can clone millions of Toyota, Hyundai, and Kia keys. Retrieved from https://arstechnica.com/cars/2020/03/hackers-can-clone-millions-of-toyota-hyundai-and-kia-keys/?comments=1
McClain, S. (2020, March 7). Hackers can clone millions of Toyota, Hyundai, and Kia keys. Retrieved from https://mashviral.com/hackers-can-clone-millions-of-toyota-hyundai-and-kia-keys/
McKay, T. (2020, March 5). Encryption flaws leave millions of Toyota, Kia, and Hyundai cars vulnerable to key cloning. Retrieved from https://gizmodo.com/encryption-flaws-leave-millions-of-toyota-kia-and-hyu-1842132716
Whazup. (2020, March 7). Hackers can clone millions of Toyota, Hyundai, and Kia keys. Retrieved from https://www.wazupnaija.com/hackers-can-clone-millions-of-toyota-hyundai-and-kia-keys/
Wouters, L., Van den Herrewegen, J., Garcia, F. D., Oswald, D., Gierlichs, B., & Preneel, B. (2020). Dismantling DST80-based immobilizer systems. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2020(2), 99-127. doi:10.13154/tches.v2020.i2.99-127