Hackers can clone millions of keys from Toyota, Hyundai and Kia
Over the past few years, owners of cars with keyless start systems have learned to worry about so-called relay attacks, in which thieves relay the radio signal of a key fob to steal vehicles without leaving a trace. Now it turns out that many millions of other cars, which use mechanical keys with embedded chips, are also vulnerable to high-tech theft. Several cryptographic flaws, combined with a bit of old-fashioned hot-wiring – or even a well-placed screwdriver – allow hackers to clone these keys and steal a car in seconds.
Researchers from KU Leuven in Belgium and the University of Birmingham in the UK revealed earlier this week new vulnerabilities they found in the encryption systems used by immobilizers, the radio devices inside cars that communicate at close range with a key fob to unlock the car's ignition and allow it to start. In particular, they found problems in the way Toyota, Hyundai, and Kia implemented the Texas Instruments encryption system called DST80. A hacker who holds a relatively inexpensive Proxmark RFID reader/transmitter next to the key fob of any car with DST80 inside can obtain enough information to derive its secret cryptographic value. This, in turn, lets the attacker use the same Proxmark device to impersonate the key inside the car, disabling the immobilizer and allowing the engine to start.
The researchers say the affected car models include the Toyota Camry, Corolla, and RAV4; the Kia Optima, Soul and Rio; and the Hyundai I10, I20 and I40. A complete list of vehicles in which the researchers found cryptographic flaws in the immobilizer is given below:
Although the Tesla S is also on the list, the researchers reported Tesla's DST80 vulnerability last year, and the company released a firmware update that blocked the attack.
Toyota has confirmed that the cryptographic vulnerabilities discovered by the researchers are real. But their technique is probably not as easy to carry out as the "relay" attacks that thieves have repeatedly used to steal luxury cars and SUVs. Those usually need only a pair of radios to extend the key fob's range in order to open and start the victim's car, and they can be carried out from a fair distance, even through the walls of a building.
In contrast, the cloning attack developed by the researchers from Birmingham and KU Leuven requires the thief to scan the target key fob with an RFID reader from within an inch or two. And since the key-cloning method targets the immobilizer rather than the keyless entry system, the thief must still somehow turn the ignition barrel – the cylinder into which you insert the mechanical key.
This adds a layer of complexity, but the researchers note that a thief could simply turn it with a screwdriver or hot-wire the car's ignition, as car thieves did before the introduction of immobilizers neutralized these methods. "You are lowering the security level to the level of the 80s," said Flavio Garcia, professor of computer science at the University of Birmingham. And unlike relay attacks, which work only while the original key is within range, once the thief has obtained the key fob's cryptographic value, they can start and drive the car repeatedly.
The researchers developed their technique by purchasing a collection of electronic immobilizer control units on eBay and reverse engineering the firmware to analyze how they interact with the key fobs. They often found it far too easy to crack the secret value that the Texas Instruments DST80 encryption used for authentication. The problem is not DST80 itself, but how the automakers implemented it: for example, the cryptographic key of the Toyota fobs was based on their serial number, and the fobs openly transmitted that serial number when scanned with an RFID reader. And the Kia and Hyundai key fobs used 24 bits of randomness rather than the 80 bits that DST80 offers, which makes their secret values easily guessable. "This is a mistake," Garcia says. "Twenty-four bits is a couple of milliseconds on a laptop."
When WIRED contacted the affected automakers and Texas Instruments for comment, Kia and Texas Instruments did not respond. Hyundai said in a statement that none of its affected models are for sale in the United States. It added that the company "continues to monitor the field for recent exploits and [makes] significant efforts to get ahead of potential attackers." It also reminded customers "to be attentive to anyone who has access to the key fob of their car."
Toyota responded in a statement that "the described vulnerability applies to older models, as modern models have a different configuration." The company added that "this vulnerability poses a low risk to customers, as the methodology requires both access to a physical key and a highly specialized device, which is usually not available in the market." The researchers disagreed on this point, noting that no part of their research required hardware that was not readily available.
To keep thieves from repeating their work, the researchers say they withheld some parts of their key-cloning method from the published paper, although this does not necessarily stop less ethical hackers from reverse engineering the same equipment the researchers did to find the same flaws. The researchers say that, with the exception of Tesla, none of the cars whose immobilizers they studied could be fixed with a software patch downloaded directly to the car. Immobilizers can be reprogrammed if owners bring the cars to a dealership, but in some cases the key fobs may need to be replaced. (None of the affected carmakers contacted by WIRED mentioned any intention to do so.)
Still, the researchers say they decided to publish their results to show the actual security status of immobilizers and let car owners decide for themselves whether it is enough. Owners of vehicles with vulnerable immobilizers may decide, for example, to use a steering wheel lock. "It's better to be in a place where we know what kind of security we get from our security devices," Garcia says. "Otherwise, only the criminals know."
We are perhaps the most powerful competence center in Russia for the development of automotive electronics. We are now growing actively and have opened many positions (about 30, including in the regions), such as software engineer, design engineer, lead development engineer (DSP programmer), and others.
We have many interesting challenges from the automakers and concerns driving the industry. If you want to grow as a specialist and learn from the best, we will be glad to see you on our team. We are also ready to share our expertise on the most important things happening in automotive. Ask us any questions; we will answer and discuss them.
Read more useful articles:
- [Forecast] Transport of the future (short-term, medium-term, long-term horizons)
- The best materials for hacking cars with DEF CON 2019-2020
- [Forecast] Motornet – a data exchange network for robotic vehicles
- Companies spend $16 billion on drones to capture an $8 trillion market
- Cameras or lasers
- Autonomous cars on open source
- McKinsey: Rethinking Software and Electronics Architecture in Automotive
- Another OS war is already under the hood of cars
- Program code in the car
- In a modern car, there are more lines of code than …