Cheap radio attack can be used to unlock and steal 24 car models
A group of researchers from ADAC, the largest automobile club in Germany and Europe, have demonstrated how the keyless “comfort locking” system used by most automakers on most modern cars provides no security against vehicle theft.
This finding, in itself, is not new, as previous research demonstrated how easy is to fool the system into unlocking the car and starting its engine by relaying messages between the car and the smart key, at a considerable distance (up to 50 meters, non line-of-sight).
The latest attack variant
But ADAC researchers have come up with a much cheaper alternative ($225 altogether for the attack setup) and have managed to extend the range of the attack.
“The radio connection between keys and car can easily be extended over several hundred meters,” the researchers noted. The key could easily be in the owners’ home (and pocket or bag) and the attack will work – and will turn off the car’s alarm system, as well.
The attack devices can be easily made at home, with little effort and from commercial electronic components. One needs to create two radio signal extension devices, and put the receiver in the vicinity of the car key and the transmitter in the vicinity of the car door.
The transmitter mimics the key and its proximity to the car triggers the locking system, which sends out a signal asking the key to respond. The transmitter relays the signal to the receiver near the car key (e.g. outside of the owner’s home), which relays it to the key. Once the key responds with the correct signal, the two devices relay it back to the car.
The system recognizes the signal as valid, and unlocks the vehicle. Usually this means that the attacker can enter the car and start the engine by simply pushing the starter button (or even without that last step). The engine won’t shut down until the thief chooses to do so or until it the engine runs out of fuel, but it’s possible to fill up the gas tank even while the engine is running.
The researchers told Wired that they won’t be revealing the full technical details of the attack setup as they don’t want people to replicate it and use it for stealing cars. Although, it is generally believed that car-stealing gangs have already been using a similar setup for years.
An example of a real-life theft can be seen in this video (in German):
Which cars are vulnerable?
ADAC researchers have tested European versions of 24 cars made by 19 manufacturers, and the attack technique worked on all except one (BMW i3 – they weren’t able to unlock the car but were able to start the engine).
The list of vulnerable cars – although by no means considered to be definitive – goes like this:
- Audi: A3, A4 and A6
- BMW: 730d
- Citroen: DS4 CrossBack
- Ford: Galaxy and Eco-Sport
- Honda: HR-V
- Hyundai: Santa Fe CRDi
- KIA: Optima
- Lexus: RX 450h
- Mazda: CX-5
- MINI: Clubman
- Mitsubishi: Outlander
- Nissan: Qashqai and Leaf
- Opel: Ampera
- Range Rover: Evoque
- Renault: Traffic
- Ssangyong: Tivoli XDi
- Subaru: Levorg
- Toyota: RAV4
- Volkswagen: Golf GTD and Touran 5T.
What to do?
“Owners of cars with keyless locking systems should exercise increased vigilance in the storage of the key,” the researchers noted. A solution might be to store the key in their fridge or a Faraday cage to prevent any signals getting through to it, but that’s not very practical.
The researchers say that wrapping the key in aluminum foil or putting it inside an aluminum can might or might not do the trick, depending on the material’s thickness, but they don’t recommend either solution.
It’s the manufacturers who must come up with one. “The car manufacturers have a duty: An expensive locking system can not be much easier to crack than the standard wireless remote control,” they pointed.
Such a solution must be devised quickly, and should be able to get implemented in cars that have already left the factory.