
Keyless Gone – Vulnerabilities in keyless car systems

Antonia Böttinger

(written by Antonia Böttinger and Andreas Gold)

Introduction

Modern cars embed complex technologies to improve the driver's comfort and safety. In 1999 the automobile industry introduced the smart key system, which more and more cars use. Although manufacturers use various designations such as Keyless Go, KeyFree Power or Smart Key, the underlying technique is similar.

Traditionally, access to a car and authorization to start and drive it have been achieved with physical keys and lock systems. Smart key systems allow car owners to comfortably open and start their cars while keeping their keys in their pockets. The same applies to stopping the engine and locking the car. However, this luxury comes with a serious security weakness. Car thieves exploit this comfort for their own purposes and steal cars equipped with this technology within seconds.

In this article we investigate how the modern car thief can steal cars that use the smart key system. In addition, we introduce countermeasures that can be taken by car owners and manufacturers. Furthermore, we look at how manufacturers, insurers and the police react to the increasing number of attacks. Note that our research was done online, since none of the mentioned technologies were at our disposal.

Car Entry Systems

Car key systems have passed through several generations of development. Starting with physical keys, the automobile industry moved forward to keyless entry systems. The table below gives a quick overview of the existing car key systems.

| Designation | Entry | Start Engine |
|---|---|---|
| Physical key | Physical key | Physical key |
| Physical key + RFID | Physical key | Physical key + RFID |
| Keyless entry with RFID | Remote active (press button) | Physical key + RFID |
| Smart key | Remote passive | Remote passive |

Table: Key system types

Remote Open and Close

Physical keys were upgraded with a button on the key fob to open or close the car remotely. The user needs to press the button to use the remote function integrated into the key. The engine itself is still started with the physical key. Known vulnerabilities that enabled attacks in the past were cryptographic keys that were too short and weak encryption algorithms. Manufacturers are moving towards more secure and well-established ciphers.
Furthermore, a radio jammer can be used while the car owner tries to lock the car remotely by pressing the button on the key fob. The signal is jammed and the car is therefore left open. Usually this option is used to steal valuables from inside the car rather than the car itself. Another related attack is to eavesdrop on the message from the key and replay it using a fake reader or key pair.

Transponder key

Transponder keys are physical keys or remote open and close keys that are extended by an RFID chip embedded in the key bow. As soon as the key blade is inserted into the ignition lock, the car queries the RFID tag to verify that the key is authorized. This prevents car thieves from simply copying the key physically or bypassing the lock. As with remote open and close keys, known vulnerabilities that enabled attacks in the past were cryptographic keys that were too short and weak encryption algorithms.

Passive Keyless Entry Systems / Smart Key Systems

Passive keyless entry systems or smart key systems are meant to increase the driver's comfort by opening the car effortlessly when the key enters a specified range of 1-2 meters around the car door, and locking it immediately when the key leaves this area. Furthermore, it is possible to start the engine once the key is inside the car, without any interaction between the driver and the key fob in his pocket. Smart keys contain a low frequency RFID tag for short-distance communication and a fully functional ultra high frequency transceiver for long distances of up to 100 meters. In most keyless systems the car periodically checks whether the key is in range. If it is, a challenge-response protocol for access validation is executed. Since the low frequency communication channel is energy-intensive, it is only used by the car, which sends beacons to the key to determine whether the key is in range or inside the car. The key itself then replies on the ultra high frequency channel to save energy.

Relay Station Attack on Smart Key Systems

As mentioned earlier in this article, smart key systems contain a serious security weakness. The keyless entry system assumes that the ability to communicate with the key means that the key is in range. This assumption is wrong and is never verified, so it can be abused by thieves. The attack requires two attackers: one has to be next to the car door while the other gets as close to the key fob as possible, for example at the car owner's doorstep. Both thieves carry a relay station. These are used to relay the car's low frequency signal to the key by converting it to an ultra high frequency signal on the car side and converting it back to a low frequency signal on the key side, where the signal can additionally be amplified to achieve a range of 2-8 meters. Since the key answers on the ultra high frequency channel with a range of up to 100 meters, relaying the key's response is possible but mostly unnecessary. Once the connection is established, which takes seconds, the challenge-response protocol is executed, granting access to the thief on the car side, who can enter and start the car without using any force. Once started, the engine does not stop automatically, for driving-safety reasons, even if the communication with the key is interrupted. After the car is stolen, its electronics can be reconfigured for another key by criminal specialists.

Countermeasures

In this section we take a closer look at countermeasures that can be deployed directly by car owners, possible mid-term solutions and a new approach to close the vulnerability.

Immediate Countermeasures

One possible and quite obvious solution to this problem is to prevent communication between the key and the car. This can be achieved by placing the key fob inside protective metallic shielding while the car owner is not using it. Several vendors already offer blocking sleeves and protection cases for this purpose.
Another option is to disable the active wireless communication abilities of the key by removing the battery. As a consequence, the UHF radio of the key is deactivated.
A combination of the two countermeasures would definitely provide the highest protection, but would also be the least convenient for the user. It is also unlikely that car owners will reduce usability by disabling the smart key system in order to increase security.

Mid-term Countermeasures

While the previous solutions require simple actions by the car owner, mid-term countermeasures involve slight software or hardware modifications by the manufacturer. This could be either a software update or a key fob exchange or modification.
A software modification could allow the car owner to temporarily disable the smart key system. If the car owner parks his car in an unsafe area, he could lock the car by pressing the close button on the key fob. The smart key system would remain disabled until the car owner opens the car by pushing the open button. On the other hand, the smart key system would remain active if the car is locked by pushing the button on the door handle or by just walking away from the car.
Another solution would be for the car to stop sending signals after the door handle has been pulled without the key being detected nearby. This scenario would not prevent a relay attack but could trigger an alarm to scare the thief off.
Instead of removing the battery from the key fob, a simple switch could be added to the key to disable the smart key system when it is not being used. But once more, all of these solutions reduce the usability of the smart key system.

Keyless-System 2.0

The only reliable way to prevent relay station attacks seems to be what we like to call Keyless-System 2.0, a proposal by Aurélien Francillon, Boris Danev and Srdjan Capkun of the Department of Computer Science of ETH Zurich. It is based on the distance bounding protocol, a cryptographic protocol that computes the physical distance from the delay between sending and receiving bits. To obtain the distance, the delay is multiplied by the speed of light and divided by two, which works out to approximately 15 centimeters of computed distance for each nanosecond of delay. With such a cryptographically secured keyless system, relay station attacks would be defeated, because any noticeable delay would lead to access being denied. It turns out that Keyless-System 2.0 is not only the only reliable solution but also the most comfortable one, which in the end is the purpose of keyless entry systems.
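The acceptance rule described above can be modelled as follows. This is an added example, not code from the article or from the ETH Zurich proposal: it times a single exchange instead of a series of single-bit rounds, uses HMAC-SHA256 as a stand-in for the car's challenge-response scheme, and the 2 m limit, the 100 ns key latency and all function names are assumptions.

```python
import hashlib
import hmac
import os

C_M_PER_NS = 0.299792458   # speed of light in metres per nanosecond
MAX_DISTANCE_M = 2.0       # assumed limit, taken from the 1-2 m entry range
KEY_PROCESSING_NS = 100.0  # hypothetical fixed reply latency of the key fob

def distance_bound_m(rtt_ns, processing_ns=KEY_PROCESSING_NS):
    """Upper bound on the key's distance: delay * c / 2 (about 0.15 m per ns)."""
    return (rtt_ns - processing_ns) * C_M_PER_NS / 2

def key_response(secret, challenge):
    """Key fob side: authenticate the car's fresh challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def car_accepts(secret, challenge, response, rtt_ns):
    """Car side: the response must be correct AND arrive fast enough."""
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):
        return False
    return 0.0 <= distance_bound_m(rtt_ns) <= MAX_DISTANCE_M

def simulated_rtt_ns(key_distance_m, extra_delay_ns=0.0):
    """Constructed timing: flight there and back, key latency, added delay."""
    return 2 * key_distance_m / C_M_PER_NS + KEY_PROCESSING_NS + extra_delay_ns

def run_scenarios():
    secret = os.urandom(16)     # shared key of car and fob (constructed)
    challenge = os.urandom(16)  # fresh nonce per unlock attempt
    good = key_response(secret, challenge)
    bad = key_response(os.urandom(16), challenge)
    return {
        # Owner standing 1 m from the door.
        "key_nearby": car_accepts(secret, challenge, good, simulated_rtt_ns(1.0)),
        # Cryptographically valid reply, but the key is 30 m away and
        # forwarding the signal adds 50 ns: the timing check rejects it.
        "key_far_forwarded": car_accepts(
            secret, challenge, good, simulated_rtt_ns(30.0, 50.0)),
        # Reply arrives quickly but was computed with the wrong secret.
        "wrong_secret": car_accepts(secret, challenge, bad, simulated_rtt_ns(1.0)),
    }

if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(name, "accepted" if accepted else "rejected")
```

The forwarded case is rejected even though the response is valid, which is the property a plain challenge-response check lacks.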

Reaction on the attacks

It is a scandal that, after more and more attacks on the smart key system and the resulting thefts, manufacturers simply ignore the problem, regardless of the fact that the attack scenario has been known for more than five years. In 2010 three researchers of ETH Zurich succeeded in opening 10 out of 10 cars from a distance of around 100 meters by extending the car's signal to the key via an antenna pair. The study was published in 2011 and included several countermeasures. However, the manufacturers sell more and more of this unsafe technology instead of fixing the problem. Some of them even make the smart key system standard equipment in their current models.
The manufacturers, who might even sell a new car for every stolen one, accept no liability for loss or damage. Insurers pass the costs on to the customer via the vehicle type classification. Even the police, except for a few officers investigating these cases, have ignored the attacks so far.

Conclusion

In a nutshell, keyless systems are unsafe, the mid-term countermeasures are inadequate and the automobile industry ignores the need to implement the Keyless-System 2.0 solution already proposed in 2011. Additionally, it is difficult to prove a car theft and the insurance companies refuse to pay, so the consumer bears the loss. This leads us to the following questions:

  • Is there any comfort in keyless entry systems if the owner constantly has to cover the key or remove the battery?
  • Do keyless car owners know about the security risk and the countermeasures, and if they do, do they apply them or forgo them in favour of comfort?
  • (When) will the automobile industry face the problem? What is the reason for its ignorant behavior?
  • What could an appropriate reaction of the automobile industry look like?
  • Is security getting less attention due to the pressure of the internet companies?
  • Could the stolen cars be located via GPS?
  • Is there a way to collect digital evidence against this kind of car theft? Would this conflict with the data protection laws of several countries?
  • Will keyless systems 2.0 come with new security gaps? What could they look like?
  • More and more car apps are being developed. Will they have an effect on the security of automobile electronics?
