For years, automakers and hackers have known about a clever attack that spoofs the signal from a wireless car key fob to open a vehicle’s doors, and even drive it away. But even after repeated demonstrations—and real thefts—the technique still works on a number of models. Now a team of Chinese researchers has not only demonstrated the attack again, but also made it cheaper and easier than ever.
A group of researchers at the Beijing-based security firm Qihoo 360 recently pulled off the so-called relay hack with a pair of gadgets they built for just $22. That’s far cheaper than previous versions of the key-spoofing hardware. The Qihoo researchers, who recently showed their results at Amsterdam’s Hack in the Box conference, say their upgrade also significantly multiplies the radio attack’s range, allowing them to steal cars parked more than a thousand feet away from the owner’s key fob.
The attack essentially tricks both the car and real key into thinking they’re in close proximity. One hacker holds a device a few feet from the victim’s key, while a thief holds the other near the target car. The device near the car spoofs a signal from the key. That elicits a radio signal from the car’s keyless entry system, which seeks a certain signal back from the key before it will open. Rather than try to crack that radio code, the hacker’s devices instead copy it, then transmit it via radio from one of the hackers’ devices to the other, and then back to the key. Then they immediately transmit the key’s response back along the chain, effectively telling the car the key is in the driver’s hand.
“The attack uses the two devices to extend the effective range of the key fob,” says Jun Li, one of the researchers in the Qihoo group, who call themselves Team Unicorn. “You’re working in your office or shopping in the supermarket, and your car is parked outside. Someone slips near you and then someone else can open up and drive your car. It’s simple.”
Speaking the Language
That relay attack on keyless entry systems dates back to at least 2011, when Swiss researchers pulled it off with multi-thousand dollar, software-defined radios. Last year, researchers at the German car-owners group the ADAC showed they could achieve the same results with what they described at the time as just $225 in equipment. They also found that it still worked on 24 different vehicles. Given the broad scope of the problem and the rarity of software or hardware automotive security fixes, many of the cars and trucks on their list—sold by companies ranging from Audi to BMW to Ford to Volkswagen—likely remain vulnerable to the attack.
But Team Unicorn has taken radio relay theft a step further. Instead of merely copying the raw radio signal and sending it whole, they built their own custom devices that include chips to demodulate the signal, unpacking it into ones and zeros. That reverse engineering, they say, means they can send the decomposed signal bit by bit at a much lower frequency, which allows longer range signals—1000 feet compared with 300 feet in the ADAC tests—while using less energy. The hardware also comes much cheaper. In total, the Beijing-based researchers say they spent less than 800 Chinese yuan on chips, transmitters, antennas, and batteries for both devices. That’s about $11 each.
It’s particularly impressive that the team reverse-engineered the signal, says Samy Kamkar, a well-known independent security researcher who has himself developed his own keyless entry hacks. “The original attacks took a tape recorder and hit record and then played it back,” says Kamkar. “These guys understand the language: It’s like they write down the words and speak it on the other end.” That distinction could lead to more research into vulnerabilities in the protocol.
Cheap and Easy
In their tests, the Qihoo researchers say they were able to remotely open the doors and drive off with two vehicles: A Qing gas-electric hybrid sedan from the Chinese automaker BYD, and a Chevrolet Captiva SUV. But the researchers emphasized that the problem reaches farther than the two vehicles they tested. They point instead to NXP, the Dutch chipmaker that builds the keyless entry system used in the Qing, Captiva and dozens of vehicles. They also emphasized that NXP likely isn’t alone in leaving vehicles vulnerable to the attack.
“The industry is aware that the complexity and cost associated with mounting a relay attack has dropped over recent years,” says NXP spokesperson Birgit Ahlborn. “Carmakers and car access system integrators are introducing solutions that counter these attacks.” But the company referred any questions about existing vulnerabilities in specific cars to the carmakers themselves. Neither BYD nor Chevrolet has yet responded to WIRED’s request for comment.
Qihoo’s researchers suggest that carmakers and component companies like NXP could prevent the relay attack by requiring tighter timing constraints in the call-and-response communications between key and car. Relay the signal from too far, and those limits could prevent the fraudulent transmission from being accepted.
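The timing check suggested above can be sketched as follows. This is an added illustration, not code from the Qihoo researchers, NXP or any carmaker; the function names, the HMAC-based response, and every latency figure are assumptions chosen for the example. It shows that a relayed response is cryptographically valid and is rejected only by the round-trip budget, and that a budget with millisecond-scale slack lets the relay through.

```python
import hashlib
import hmac

C_M_PER_NS = 0.299792458   # speed of light, metres per nanosecond
FOOT_M = 0.3048

# Constructed sample values (assumptions, not measurements of any real system).
SECRET = bytes(range(16))
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
FOB_TURNAROUND_NS = 50_000.0   # assumed fixed processing time inside the fob
RELAY_DELAY_NS = 10_000.0      # assumed per-direction delay added by a relay

def key_response(secret: bytes, challenge: bytes) -> bytes:
    """What the fob computes: a MAC over the car's fresh challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def rtt_budget_ns(max_distance_m: float, tolerance_ns: float) -> float:
    """Longest round trip the car accepts for a fob within max_distance_m."""
    return 2 * max_distance_m / C_M_PER_NS + FOB_TURNAROUND_NS + tolerance_ns

def simulated_rtt_ns(distance_m: float, relay_delay_ns: float = 0.0) -> float:
    """Round trip to a fob distance_m away; relay delay applies in each direction."""
    return 2 * (distance_m / C_M_PER_NS + relay_delay_ns) + FOB_TURNAROUND_NS

def car_accepts(challenge: bytes, response: bytes, rtt_ns: float, budget_ns: float) -> bool:
    """Accept only a correct response that also arrives inside the time budget."""
    mac_ok = hmac.compare_digest(response, key_response(SECRET, challenge))
    return mac_ok and rtt_ns <= budget_ns

def demo() -> dict:
    resp = key_response(SECRET, CHALLENGE)           # a relay forwards the genuine reply
    tight = rtt_budget_ns(2.0, tolerance_ns=20.0)    # fob must be within about 2 m
    loose = rtt_budget_ns(2.0, tolerance_ns=1_000_000.0)   # 1 ms of slack
    near = simulated_rtt_ns(1.0)                     # fob in the driver's hand
    ideal = simulated_rtt_ns(1000 * FOOT_M)          # zero-latency relay over 1000 ft
    relayed = simulated_rtt_ns(1000 * FOOT_M, RELAY_DELAY_NS)
    return {
        "near_tight": car_accepts(CHALLENGE, resp, near, tight),
        "ideal_relay_tight": car_accepts(CHALLENGE, resp, ideal, tight),
        "relayed_tight": car_accepts(CHALLENGE, resp, relayed, tight),
        "relayed_loose": car_accepts(CHALLENGE, resp, relayed, loose),
        "propagation_only_extra_ns": ideal - near,
    }

if __name__ == "__main__":
    print(demo())
```

Radio propagation alone adds only about 2 microseconds over 1000 feet, so the budget has to be enforced at nanosecond scale and the fob's turnaround time has to be tightly bounded for the check to mean anything.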
The other method to foil the attack falls to the car owner: Keep your keys in a Faraday bag that blocks radio transmissions—or in a pinch, a metal box, like a fridge, that performs the same function. Storing your keys in the equivalent of a tin-foil hat may sound paranoid. But if the Chinese researchers’ work is any indication, attacks on automotive keyless entry systems may get significantly easier—and more common—before they get fixed.
This story has been updated to clarify that NXP is based in the Netherlands, not Germany.