Car Theft by Antenna

  #1  
Old 01-29-2011, 05:25 AM
haroldo's Avatar
Ridiculously Active Enthusiast
Thread Starter
Join Date: Nov 2007
Location: New Jersey
Posts: 2,051
Default Car Theft by Antenna

Car Theft by Antenna
Researchers beat automatic locking and ignition systems.

THURSDAY, JANUARY 6, 2011
BY ERICA NAONE

Car thieves of the future might be able to get into a car and drive away without forced entry and without needing a physical key, according to new research that will be presented at the Network and Distributed System Security Symposium next month in San Diego, California.

The researchers successfully attacked eight car manufacturers' passive keyless entry and start systems—wireless key fobs that open a car's doors and start the engine by proximity alone.

Srdjan Capkun, an assistant professor of computer science in the system security group at ETH Zurich in Switzerland, who led the work, says he was inspired to investigate the security of keyless entry and start systems after buying a car that had one. Capkun and Aurélien Francillon and Boris Danev, both researchers in the same institution, examined 10 car models from the eight manufacturers. They were able to access all 10 and drive them away by intercepting and relaying signals from the cars to their wireless keys. While they could relay the signals from the key back to the car as well, usually they did not need to because the key transmits its signals up to around 100 meters. The attack works no matter what cryptography and protocols the key and car use to communicate with each other...
Technology Review
 
  #2  
Old 01-29-2011, 09:26 AM
jbollt's Avatar
Ridiculously Active Enthusiast
Join Date: Aug 2006
Location: Tucson, AZ
Posts: 661
Default Re: Car Theft by Antenna

Interesting info, and not surprising at all. Thanks for posting it. I personally doubt it will become a huge issue, any more than thefts of mechanically keyed cars. If someone really wants my car bad enough to steal it, go ahead, just don't hurt me or my family. It's only a car.

FWIW, I REALLY like the keyless entry and start, and it has become a requirement for me when I buy cars now. Just like power windows and door locks used to be a "who needs it" item, are now requirements. LOL
 
  #3  
Old 01-30-2011, 06:16 AM
Frodo's Avatar
Pretty Darn Active Enthusiast
Join Date: Mar 2008
Location: Jacksonville, FL
Posts: 281
Default Re: Car Theft by Antenna

Originally Posted by haroldo
Kind of reminds me of a line Jimmie Doohan spoke in the 3rd Star Trek movie as he 'fixed' the Excelsior:

(paraphrasing)
"The more complicated the system, the easier it is to 'gum up the works'."

Spoofing exploits aren't isolated to cars - it's a weakness for any 'near-field' wireless device. There are ways of preventing that sort of exploit, but they typically increase costs and complicate the circuitry. The most expedient is an encrypted 'challenge-response' strategy, which can be quite effective if the crypto is strong enough and varies sufficiently. Apparently, the systems hacked didn't have sufficient variability, or had enough of a back door to be susceptible to the hack.
 
  #4  
Old 01-31-2011, 04:39 AM
alan_in_tempe's Avatar
Veracitorian Muser
Join Date: Jun 2006
Location: Tempe, Arizona
Posts: 334
Default Re: Car Theft by Antenna

Originally Posted by Frodo
...There are ways of preventing that sort of exploit, but they typically increase costs and complicate the circuitry. The most expedient is an encrypted 'challenge-response' strategy, which can be quite effective if the crypto is strong enough and varies sufficiently. Apparently, the systems hacked didn't have sufficient variability, or had enough of a back door to be susceptible to the hack.
Actually, this would be a "man in the middle" exploit, and a challenge-response strategy would not be effective as this exploit is a fully transparent man-in-the-middle. The exploit is not trying to inject, but only trying to relay. The crypto is fully transferred so long as the relay is fast enough, and in this exploit, the crypto is never cracked. This is just a simple range extender between the key and the car.

Alan
 
  #5  
Old 01-31-2011, 03:28 PM
Frodo's Avatar
Pretty Darn Active Enthusiast
Join Date: Mar 2008
Location: Jacksonville, FL
Posts: 281
Default Re: Car Theft by Antenna

Originally Posted by alan_in_tempe
Actually, this would be a "man in the middle" exploit, and a challenge-response strategy would not be effective as this exploit is a fully transparent man-in-the-middle. The exploit is not trying to inject, but only trying to relay. The crypto is fully transferred so long as the relay is fast enough, and in this exploit, the crypto is never cracked. This is just a simple range extender between the key and the car.

Alan
But wouldn't a secure setup be 'highly resistant' to a MIM exploit, if the 'challenge/response' generated a rotating, 'random' sequence, with frequent variability and a short time-out? That way, by the time the car is unattended again, the 'key phrase' is different.

Or am I missing your point?
 
  #6  
Old 02-01-2011, 12:17 AM
SteveHansen's Avatar
Pragmatist
Join Date: Nov 2007
Location: South Florida
Posts: 490
Default Re: Car Theft by Antenna

This makes sense. The proximity detection system works by having the car transmit a 'poll' signal periodically -- several times per second. That poll signal that is transmitted by the car is intentionally weak, so that it travels only a meter or so and doesn't draw much power. The intent is that the key fob only receives the poll when it is within a meter or so. When the fob receives that challenge, it transmits a response that tells the car to unlock. The challenge-response is a cryptographic protocol, so it is supposed to be hard to simulate.

But this approach doesn't need to crack the crypto. By relaying the signal from the car to the distant key fob, the key fob is fooled into thinking that the car is close. Then the legitimate key fob transmits the encrypted authorization response (whatever that is). The signal from the fob can also be relayed if needed. Then the car is convinced that the fob is near, and allows the door or 'start' button to be operated.

The attack is not a cryptographic attack. It simply copies the encoded signal from the car to the fob, and relays that signal over a longer distance than intended.

This is definitely a serious security problem. The car can be started and driven away while you are shopping or dining, or even at home. The fob never leaves your pocket. The car cannot be re-started later, but they sure could drive it once, perhaps to a chop-shop.

The immediate question is, how to defeat this attack.

One way would be to keep the fob in a "Faraday cage" when it is not being used. If you keep your key fob in a closed metal container, the radio signals cannot get to or from the fob. It cannot receive the challenge signal, and cannot transmit the response signal. That would be a PITA, of course. You would have to open the container every time you wanted to open the car, and close it when you leave the car.

There might be a way to attenuate the signal that is transmitted by the fob. This isn't definite -- just thinking. If the fob is inside a container that is not quite radio-opaque, the signal might be attenuated instead of being blocked entirely. Then it might work at short range, but not reach all the way across the parking lot. The attacker would then have to place a receiver near the fob to forward the reply signal. Placing a receiver near the fob would be more likely to attract attention. It still wouldn't be secure, but it would be less easy to break.

For the next generation, they are going to have to change the proximity detection algorithm, or require the user to poke a button on the key fob. High-resolution time measurement, to measure the actual distance and detect/prevent relay attack might work. Putting GPS receivers in both stations and comparing GPS coordinates inside crypto envelopes, might also work. There may be other approaches.

Basically, depending on the short range of a weak radio signal, is just a bad idea.
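
Added example (not part of any post in this thread, and not code from the research paper): a small simulation of the point argued in posts #4 to #6, that a relay passes a challenge-response check untouched, while the "high-resolution time measurement" idea bounds the fob's distance from the round-trip time. The constants, function names and the fixed fob turnaround time are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

C = 299_792_458.0         # speed of light in m/s
FOB_PROCESSING_S = 1e-6   # assumed fixed fob turnaround time (constructed)
MAX_DISTANCE_M = 2.0      # assumed radius within which the car may unlock

def fob_response(key: bytes, challenge: bytes) -> bytes:
    """Fob side: prove knowledge of the shared key for this challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def round_trip_s(distance_m: float, relay_delay_s: float = 0.0) -> float:
    """Simulated time between sending the challenge and receiving the reply.
    A relay only forwards signals, but adds latency in each direction."""
    return 2 * distance_m / C + FOB_PROCESSING_S + 2 * relay_delay_s

def car_decides(car_key, fob_key, distance_m, relay_delay_s=0.0,
                check_timing=True):
    """Car side: verify the response and, optionally, the distance bound."""
    challenge = secrets.token_bytes(16)            # fresh for every attempt
    response = fob_response(fob_key, challenge)    # relay forwards it unchanged
    expected = hmac.new(car_key, challenge, hashlib.sha256).digest()
    crypto_ok = hmac.compare_digest(response, expected)

    # Signals cannot travel faster than light, so the measured round trip
    # gives an upper bound on how far away the responding fob can be.
    rtt = round_trip_s(distance_m, relay_delay_s)
    bound_m = C * (rtt - FOB_PROCESSING_S) / 2
    timing_ok = bound_m <= MAX_DISTANCE_M

    unlock = crypto_ok and (timing_ok or not check_timing)
    return {"crypto_ok": crypto_ok, "bound_m": round(bound_m, 1),
            "unlock": unlock}

if __name__ == "__main__":
    key = secrets.token_bytes(32)   # constructed shared secret
    print("owner at 1 m:          ", car_decides(key, key, 1.0))
    print("relayed, crypto only:  ",
          car_decides(key, key, 50.0, 100e-9, check_timing=False))
    print("relayed, with timing:  ", car_decides(key, key, 50.0, 100e-9))
```

A fresh challenge per attempt does not change the relayed result, because the relay forwards each live exchange rather than replaying an old one; only the timing bound separates the two cases.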
 
  #7  
Old 02-01-2011, 03:58 AM
Frodo's Avatar
Pretty Darn Active Enthusiast
Join Date: Mar 2008
Location: Jacksonville, FL
Posts: 281
Default Re: Car Theft by Antenna

This is one of those "Possible, but not practical"

To use this exploit:
1. Track and correlate persons to cars.
2. Intercept the car-specific item and relay it to the car.
3. Do so out of the sight line of the driver.

To pull this off would require cooperation of several 'players', as well as command and control infrastructure. Such coordination makes getting caught virtually certain, as it leaves easily detectable 'footprints'. Much more expedient is a simple 'gun in the face' of the driver to get the keys.
 
  #8  
Old 02-01-2011, 07:05 AM
SteveHansen's Avatar
Pragmatist
Join Date: Nov 2007
Location: South Florida
Posts: 490
Default Re: Car Theft by Antenna

Huh? The "Practical" part of this attack is very easy. No crypto is needed. The research article describes the apparatus, which can be built for a few hundred bucks, and can be small enough to be carried easily. The LF radio signal from the car is received, amplified, and then retransmitted. The transmitter may be up to 8 meters from the key fob. When the key fob detects the signal, it transmits the UHF response to unlock the car. The entire attack could be completed in just a few minutes during the night. The thieves might have to carry the transmitter around the perimeter of your house to find a place within a few meters of the fob.

I do agree that conducting this attack in a public place, such as a restaurant or shopping mall, would be more difficult. The article describes a scenario in a multi-level parking garage, though.

I think I'm going to start keeping my keys in a metal box at night. A closed metal box forms a Faraday cage, and stops all radio signals.
 
  #9  
Old 02-01-2011, 11:59 AM
jdenenberg's Avatar
Engineering Professor
Join Date: Sep 2005
Location: Connecticut
Posts: 375
Default Re: Car Theft by Antenna

Why not just turn off the SKS system when you are not using it.

JeffD
 
  #10  
Old 02-23-2011, 12:56 PM
Kytann's Avatar
Enthusiast
Join Date: Feb 2011
Posts: 4
Default Re: Car Theft by Antenna

Originally Posted by jdenenberg
Why not just turn off the SKS system when you are not using it.

JeffD
And how does a person disable the SmartKey System?
 

