A few hundred dollars and a few custom lines of code: that’s all it takes now to swipe a brand new vehicle off a driveway.
The system for locking and unlocking cars remotely is called Remote Keyless Entry (RKE), and it’s more complex than it might seem. Each button-press is unique, which prevents an attacker from simply recording you hitting the unlock button and playing it back later.
RKE systems use a rolling code, which is highly regarded as the industry standard for keeping your vehicle “un-hackable”. The key fob and the car have a counter that increases each time a button is pressed. That way, a previously recorded button press will not be accepted.
But what if some of your key fob presses never make it to your car? Perhaps you’re out of range, behind thick glass, or just fidgeting with your keys. Or perhaps someone with a nefarious motive is lurking and waiting to intercept the signal or, even easier, has access to your keys for just a few seconds. These button presses move the counter on the key fob forward, but not the counter in the car. To prevent accidental button presses from locking out car owners, RKE systems reset to the lower counter number if they detect that the fob has more button presses than the car.
The reset system assumes that as long as the counter number on the fob is higher than the car’s, it can’t be a replay attack. But this means that codes captured before the reset occurred, which never made it to the car, would be accepted. This is demonstrated in the next post, and clearly proves that rolling-code RKE systems used by the biggest players in the automotive industry are extremely vulnerable and very easily exploited, perhaps just as vulnerable as the predecessor “static-code” type of key fob. If we can capture and replicate lock/unlock commands, we can also capture remote start commands.
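The counter check described above can be modelled in a few lines. This is an added example, not code from the original post or from any vendor; the HMAC tag stands in for the proprietary cipher, and `WINDOW`, `KEY`, `make_code` and `Receiver` are assumed names and values. It shows which codes the receiver treats as fresh and when an unheard code stops being valid.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead window; real values are vendor specific
KEY = b"constructed-demo-key"  # constructed sample key shared by fob and car


def make_code(counter: int) -> bytes:
    """Fob side: 4-byte counter plus a truncated HMAC tag (stand-in cipher)."""
    msg = counter.to_bytes(4, "big")
    return msg + hmac.new(KEY, msg, hashlib.sha256).digest()[:8]


class Receiver:
    """Car side: accepts an authentic code only if its counter is ahead."""

    def __init__(self, counter: int = 0):
        self.counter = counter

    def accept(self, code: bytes) -> bool:
        if len(code) != 12:
            return False
        value = int.from_bytes(code[:4], "big")
        if not hmac.compare_digest(code, make_code(value)):
            return False  # forged or corrupted
        if not self.counter < value <= self.counter + WINDOW:
            return False  # already used, or too far ahead
        self.counter = value  # resynchronise to the fob
        return True


def scenario() -> dict:
    car = Receiver()
    heard, unheard, later = make_code(1), make_code(2), make_code(3)
    out = {"normal press": car.accept(heard),
           "replay of heard press": car.accept(heard)}
    # Press 2 never reached the car. Case A: it arrives before anything newer.
    out["unheard code, car still at 1"] = Receiver(car.counter).accept(unheard)
    # Case B: the car hears press 3 first, which retires press 2.
    out["later press accepted"] = car.accept(later)
    out["unheard code after resync"] = car.accept(unheard)
    return out


if __name__ == "__main__":
    for label, ok in scenario().items():
        print(f"{label:32} {'accepted' if ok else 'rejected'}")
```

In this model an unheard code stays valid only until the car accepts any later press from the same fob, so a press made within range of the vehicle retires every earlier code.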
Please note, we are not advocating the use of these devices to hack or break into vehicles; we are simply exploiting a vulnerability which is tightly and neatly kept under wraps from consumers, despite the issue having been brought to the attention of automotive manufacturers before.
www.tinytxs.com