
Thursday, March 12, 2020

Key fobs at risk


Charles Parker, II
A decade ago, breaking into a vehicle was a relatively easy manual process. As technology improved, more of it was implemented in the vehicle. We are now at the point where the vehicle is a computer on wheels, and this will be even more the case once automotive Ethernet is adopted by the vehicle manufacturers.

To remove the opportunity for theft, a new technology was placed in the vehicle: the immobilizer. This reduced the number of key fob attacks by removing relay attacks from the attack surface; those required the attacker to be within range of the original key.

Cryptography Applied to the Key Fob
The key fobs added a cryptographic function to the unlocking device. The attacker could no longer simply sniff the key fob communicating with the vehicle and replay the signal to break in; the cryptographic function scrambled the key fob communication instead.
New Attack
The attack-defense cycle was at work here. The defense (the manufacturer) created a cybersecurity feature to stop the attacks. The attackers studied it, reverse engineered the process, and created a new attack circumventing the feature. This instance was no different: the attackers grasped the idea of breaking through the key fob feature, researched it, and reverse engineered the process.

The researchers purchased a few immobilizer electronic control units from eBay. With these in hand, they were able to reverse engineer the firmware located within the key fobs, in order to analyze the method of communication between the key fob and the vehicle.
The analysis indicated the key used was very easy to crack. The system used Texas Instruments DST80 encryption to secure the communication. This normally would not be a significant detriment; the manufacturers' implementations were the issue. For instance, the Toyota implementation derived the key from the serial number. What made this worse was that scanning the fob with an RFID reader revealed the serial number. This portion of the research was not difficult to complete: RFID readers are for sale on Amazon for under $30, and working with them is not complicated.
Another example involved Kia and Hyundai. These manufacturers used only 24 bits of randomness rather than the 80 bits DST80 offers. To put this in perspective, a 24-bit key could be cracked with a laptop in a few milliseconds. Unfortunately, the rationale for not using the greater number of bits is unknown; perhaps it was a cost or processing-time saving.
With either attack, once you have the cryptographic key, unlocking the vehicle and doing as you wish is not a far stretch of the imagination. The only other requirement is that the person needs to be able to turn the ignition, which may be bypassed using old-school technology (e.g. a screwdriver or hot-wiring).
This was a rather significant decrease in the cybersecurity applied to the key fob-vehicle communication process, much like cybersecurity retreating to the 1980s.
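The two provisioning mistakes described above can be seen in a toy model of the immobilizer's challenge/response. This is an added example, not the paper's or any manufacturer's code: the DST80 cipher is not reproduced, a public mixing function (mix64) stands in for it, and the serial-number derivation is hypothetical; only the key-space sizes (24 random bits versus the full 80) come from the text.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy immobilizer challenge/response (added example, not the paper's or any
 * vendor's code). The fob proves it holds key K by answering a random 64-bit
 * challenge c with F(K, c). mix64() stands in for DST80: a public, fast,
 * invertible mixer chosen so key spaces can be compared in a loop, not a cipher. */
typedef struct { uint16_t hi; uint64_t lo; } key80_t;  /* 16 + 64 = 80 bits */

static uint64_t mix64(uint64_t x) {
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
    return x ^ (x >> 33);
}

/* F(K, c): the fob's response to challenge c under key K. */
static uint64_t toy_response(key80_t k, uint64_t c) {
    return mix64(mix64(c ^ k.lo) + ((uint64_t)k.hi << 48));
}

/* Provisioning the text describes for Toyota: key derived from the serial by a
 * fixed procedure (hypothetical derivation). Anyone who reads the serial, which
 * the text says an RFID reader shows, recomputes K and so predicts F(K, c). */
static key80_t key_from_serial(uint32_t serial) {
    return (key80_t){ (uint16_t)(serial >> 16), mix64(serial) };
}

/* Provisioning the text describes for Kia/Hyundai: only 24 of the 80 key bits
 * are random, the rest fixed. The hardened form draws all 80 bits from a CSPRNG
 * at the factory and stores them against the serial; it is never derived. */
static key80_t key_with_24_random_bits(uint32_t rnd) {
    return (key80_t){ 0, rnd & 0xFFFFFFu };
}

/* Exhaustive search of the 2^24 space from ONE observed (c, response) pair.
 * Returns the key's low word or -1. Finishes in well under a second on a
 * laptop, which is the failure the text describes. */
static int64_t recover_24bit_key(uint64_t c, uint64_t response) {
    for (uint32_t i = 0; i < (1u << 24); i++) {
        key80_t k = { 0, i };
        if (toy_response(k, c) == response) return (int64_t)i;
    }
    return -1;
}

/* Worst-case exhaustive-search time for `bits` key bits at `rate` guesses/s:
 * 24 bits at 1e9/s is ~0.017 s; 80 bits is ~1.2e15 s (about 38 million years). */
static double brute_force_seconds(int bits, double rate) {
    double space = 1.0;
    for (int i = 0; i < bits; i++) space *= 2.0;
    return space / rate;
}
```

Calling recover_24bit_key on a response produced by a key_with_24_random_bits key returns that key after at most 2^24 trials, while brute_force_seconds(80, 1e9) shows why the same exchange is useless against a fully random 80-bit key.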
Application
This serious vulnerability is not applicable to all models from the three automakers; it applies to older models. While this is positive, it still leaves the affected vehicles at risk of theft and other malicious actions.
It does, however, affect many models. To show the extent, the following is the listing:
Make       Model           Model years
Toyota     Auris           2009-2013
           Camry           2010-2013
           Corolla         2010-2014
           FJ Cruiser      2011-2016
           Fortuner        2009-2015
           Hiace           2010+
           Highlander      2008-2013
           Land Cruiser    2009-2015
           RAV4            2011-2012
           Urban Cruiser   2010-2014
           Yaris           2011-2013
Kia        Ceed            2012+
           Carens          2014
           Rio             2011-2017
           Soul            2013+
           Optima          2013-2015
           Picanto         2011+
Hyundai    I10             2008+
           I20             2009+
           Veloster        2010+
           IX20            2016
           I40             2013
What did we learn?
Over time, security should improve. The attackers are not limiting their attacks or the types of technology used for them, and they certainly are not moving backward in their attack plans. Using the cryptography in the form it was used here is not appropriate. The cybersecurity needs to at least match the attacks; better, it should be optimized against known and future attacks. This is done through testing and forward-looking cybersecurity architecture.
Cybersecurity needs to be built into the product from the beginning of the project. With this in place, the project's timeline and costs are kept in line. Having to re-engineer, approve, and retrain staff is a costly venture.
Resources
Ansari, U. (2020, March 6). Poor car keys encryption: Hackers can clone millions of Toyota, Kia and Hyundai keys. Retrieved from https://www.carspiritpk.com/2020/03/poor-car-keys-encryption-hackers-can-clone-millions-of-toyota-kia-and-hyundai-keys/
E&T. (2020, March 6). Millions of cars' anti-theft systems vulnerable to hacking. Retrieved from https://eandt.theiet.org/content/articles/2020/03/millions-of-cars-anti-theft-systems-vulnerable-to-hacking/
Greenberg, A. (2020, March 5). Hackers can clone millions of Toyota, Hyundai, and Kia keys. Retrieved from https://www.wired.com/story/hackers-can-clone-millions-of-toyota-hyundai-kia-keys/
Greenberg, A. (2020, March 7). Hackers can clone millions of Toyota, Hyundai, and Kia keys. Retrieved from https://arstechnica.com/cars/2020/03/hackers-can-clone-millions-of-toyota-hyundai-and-kia-keys/?comments=1
McClain, S. (2020, March 7). Hackers can clone millions of Toyota, Hyundai, and Kia keys. Retrieved from https://mashviral.com/hackers-can-clone-millions-of-toyota-hyundai-and-kia-keys/
McKay, T. (2020, March 5). Encryption flaws leave millions of Toyota, Kia, and Hyundai cars vulnerable to key cloning. Retrieved from https://gizmodo.com/encryption-flaws-leave-millions-of-toyota-kia-and-hyu-1842132716
Whazup. (2020, March 7). Hackers can clone millions of Toyota, Hyundai, and Kia keys. Retrieved from https://www.wazupnaija.com/hackers-can-clone-millions-of-toyota-hyundai-and-kia-keys/
Wouters, L., Van den Herrewegen, J., Garcia, F. D., Oswald, D., Gierlichs, B., & Preneel, B. (2020). Dismantling DST80-based immobilizer systems. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2020(2), 99-127. doi:10.13154/tches.v2020.i2.99-127

Tuesday, July 30, 2019

Memories, like the corner of my (PCB)


Cybersecurity for embedded systems has come into the limelight in recent years, with the connected systems in vehicles making it a primary focus. If these systems are compromised, no one is safe on or near the roadways. With the emphasis on this, a bit of history is warranted; without a quick baseline of where we began, the present trajectory does not mean as much to us. Just over four years ago, there was an astounding event. About this same time, the infamous Jeep hack occurred, a well-financed, well-researched endeavor. There was another interesting event involving ingenuity and the cost of two movie tickets.
Curiosity Pushing Creativeness or Ingenuity is the Mother of Invention
In 2015, a 14-year-old boy decided to fiddle around with a vehicle's embedded system. The creative mind thought through the attack and figured it would be a great way to spend his time. A person, generally, is not able to simply walk up to a vehicle and miraculously hack it; there has to be some form of research to even attempt this. The young researcher went to the local (at the time) Radio Shack and purchased $15 of electronics. The equipment was openly available to anyone with the money and did not require anything special. He was able to use this to unlock and start a connected vehicle. The target vehicle was not manufactured by a new, small automaker with little experience, but just the opposite.
What makes this significant?
There have been many different vehicle attacks and compromises published over the years. These vary from the basic to attacks requiring multiple steps and everything to line up perfectly. This particular attack was different: it shifted the attack theory.

The industry easily could be caught up in applying technology. They have to purchase the newest equipment and use it wherever possible to highlight the capabilities for the investors and industry. The "look at what we can do" is warranted in certain environments; it works to advance technology and capabilities in pertinent circumstances. This sounds wonderful; however, certain parties become wrapped up in equating the expense with testing and cybersecurity. Dependent on the circumstances, it may be acceptable to spend $200-$300 on equipment to create a new testing device, instead of $3,500 for something which may or may not work well for your use. With this, your business need not spend a massive amount if the business does not need to. As with independent labs and testing facilities, the real focus should be the mission: to independently test the products using what is needed. A successful test and attack are based on the results, not necessarily the amount spent on the equipment. It is notable that with certain tests, high-end equipment is required. This is, however, not the case in all circumstances. At times simple ingenuity is more pertinent.

Resources
Bigelow, P. (2015, February 15). A 14-year-old hacker caught the auto industry by surprise. Retrieved from https://www.autoblog.com/2015/02/18/14-year-old-hacker-caught-industry-by-surprise-featured/
King, L. (2015, February 23). 14-year-old hacks connected cars with pocket money. Retrieved from https://www.forbes.com/sites/leaking/2015/02/23/14-year-old-hacks-connected-cars-with-pocket-money/#69286a702f81
Lavrinc, D. (2015, February 15). How a 14-year-old hacked a car with $15 worth of Radio Shack parts. Retrieved from https://jalopnik.com/how-a-14-year-old-hacked-a-car-with-15worth-of-radio-1686620075
Mearian, L. (2015, February 20). With $15 in Radio Shack parts, 14-year-old hacks car. Retrieved from https://www.computerworld.com/article/2886830/with-15-in-radio-shack-parts-14-year-old-hacks-a-car.html
Vijay. (2015, February 20). 14-year-old hacks car with homespun kit with circuits bought from Radio Shack. Retrieved from https://www.techworm.net/2015/02/14-year-old-hacks-car-with-homespun-kit-with-circuits-bought-from-radio-shack.html