[ISN] Gone in 60 seconds -- the high-tech version

From: InfoSec News (isn@private)
Date: Tue May 09 2006 - 00:18:20 PDT


By Robert Vamosi 
Special to CNET News.com
May 6, 2006

Let's say you just bought a Mercedes S550--a state-of-the-art,
high-tech vehicle with an antitheft keyless ignition system.

After you pull into a Starbucks to celebrate with a grande latte and a
scone, a man in a T-shirt and jeans with a laptop sits next to you and
starts up a friendly conversation: "Is that the S550? How do you like
it so far?" Eager to share, you converse for a few minutes, then the
man thanks you and is gone. A moment later, you look up to discover
your new Mercedes is gone as well.

Now, decrypting one 40-bit code sequence can not only disengage the
security system and unlock the doors, it can also start the
car--making the hack tempting for thieves. The owner of the code is
now the true owner of the car. And while high-end, high-tech auto
thefts like this are more common in Europe today, they will soon start
happening in America. The sad thing is that manufacturers of keyless
devices don't seem to care.

Wireless or contactless devices in cars are not new. Remote keyless
entry systems--those black fobs we all have dangling next to our car
keys--have been around for years. While the owner is still a few feet
away from a car, the fobs can disengage the auto alarm and unlock the
doors; they can even activate the car's panic alarm in an emergency.

First introduced in the 1980s, modern remote keyless entry systems use
a circuit board, a coded radio-frequency identification (RFID)  
technology chip, a battery and a small antenna. The last two are
designed so that the fob can broadcast to a car while it's still
several feet away.

The RFID chip in the key fob contains a select set of codes designed
to work with a given car. These codes are rolling 40-bit strings: With
each use, the code changes slightly, creating about 1 trillion
possible combinations in total. When you push the unlock button, the
keyfob sends a 40-bit code, along with an instruction to unlock the
car doors. If the synced-up receiver gets the 40-bit code it is
expecting, the vehicle performs the instruction. If not, the car does
not respond.
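As an added illustration (not code from the article, the study, or any manufacturer), here is a toy model of the synced-up rolling-code receiver described above: HMAC-SHA256 truncated to 40 bits stands in for the proprietary cipher, and the 16-press resynchronisation window is an assumed value.

```python
import hmac
import hashlib

# Assumed value: how many fob presses made out of the car's range the
# receiver will tolerate before it refuses to resynchronise.
WINDOW = 16


def rolling_code(key: bytes, counter: int, cmd: str) -> int:
    """Derive the 40-bit code for one press. HMAC-SHA256 truncated to
    five bytes stands in for the proprietary cipher real fobs use; the
    command is mixed in so a captured 'unlock' code is useless as 'start'."""
    mac = hmac.new(key, counter.to_bytes(4, "big") + cmd.encode(),
                   hashlib.sha256).digest()
    return int.from_bytes(mac[:5], "big")  # 2**40, about 1 trillion values


class Fob:
    """Key fob: shares a secret with one car and counts its own presses."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self, cmd: str) -> tuple:
        self.counter += 1
        return cmd, rolling_code(self.key, self.counter, cmd)


class Receiver:
    """Car side: remembers the last accepted counter and never moves it back."""
    def __init__(self, key: bytes):
        self.key, self.last = key, 0

    def handle(self, msg: tuple):
        cmd, code = msg
        # Only the next WINDOW counter values are tried: a replayed or stale
        # code falls at or below self.last and is never recomputed, and a fob
        # that is far out of sync is rejected rather than guessed at.
        for n in range(self.last + 1, self.last + 1 + WINDOW):
            if rolling_code(self.key, n, cmd) == code:
                self.last = n        # advance, so this code is now dead
                return cmd
        return None                  # no response, as the article describes


if __name__ == "__main__":
    fob, car = Fob(b"constructed-shared-secret"), Receiver(b"constructed-shared-secret")
    msg = fob.press("unlock")
    print(car.handle(msg))           # unlock
    print(car.handle(msg))           # None: same code replayed is ignored
```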

A second antitheft use of RFID is for remote vehicle immobilizers.  
These tiny chips, embedded inside the plastic head of the ignition
keys, are used with more than 150 million vehicles today. Without the
correct chip present, the immobilizer prevents the car's fuel pump from
operating correctly. Unless the
driver has the correct key chip installed, the car will run out of
fuel a few blocks from the attempted theft. (That's why valet keys
don't have the chips installed; valets need to drive the car only
short distances.)

One estimate suggests that since their introduction in the late 1990s,
vehicle immobilizers have resulted in a 90 percent decrease in auto
thefts nationwide.

But can this system be defeated? Yes.

Keyless ignition systems allow you the convenience of starting your
car with the touch of a button, without removing the chip from your
pocket or purse or backpack. Like vehicle immobilizers, keyless
ignition systems work only in the presence of the proper chip. Unlike
remote keyless entry systems, they are passive, don't require a
battery and have much shorter ranges (usually six feet or less). And
instead of sending a signal, they rely on a signal being emitted from
the car itself.

Given that the car is more or less broadcasting its code and looking
for a response, it seems possible that a thief could try different
codes and see what the responses are. Last fall, the authors of a
study from Johns Hopkins University and the security company RSA
carried out an experiment using a laptop equipped with a microreader.  
They were able to capture and decrypt the code sequence, then
disengage the alarm and unlock and start a 2005 Ford Escape SUV
without the key. They even provided an online video of their "car

But if you think that such a hack might occur only in a pristine
academic environment, with the right equipment, you're wrong.

Real-world examples

Meet Radko Soucek, a 32-year-old car thief from the Czech Republic.  
He's alleged to have stolen several expensive cars in and around
Prague using a laptop and a reader. Soucek is not new to auto
theft--he has been stealing cars since he was 11 years old. But he
recently turned high-tech when he realized how easily it could be

Ironically, what led to his downfall was his own laptop, which held
evidence of all his past encryption attempts. With a database of
successful encryption strings already stored on his hard drive, he had
the ability to crack cars he'd never seen before in a relatively short
amount of time.

And Soucek isn't an isolated example. Recently, soccer player David
Beckham had not one, but two, antitheft-engineered BMW S5 SUVs stolen.  
The most recent theft occurred in Madrid, Spain. Police believe an
auto theft gang using software instead of hardware pinched both of
Beckham's BMWs.

How a keyless car gets stolen isn't exactly a state secret--much of
the required knowledge is Basic Encryption 101. The authors of the
Johns Hopkins/RSA study needed only to capture two
challenge-and-response pairs from their intended target before
cracking the encryption.

In an example from the paper, they wanted to see if they could swipe
the passive code off the keyless ignition device itself. To do so, the
authors simulated a car's ignition system (the RFID reader) on a
laptop. By sitting close to someone with a keyless ignition device in
his pocket, the authors were able to perform several scans in less
than one second without the victim knowing. They then began decrypting
the sampled challenge-response pairs. Using brute-force attack
techniques, the researchers had the laptop try different combinations
of symbols until they found combinations that matched. Once they had
the matching codes, they could then predict the sequence and were soon
able to gain entrance to the target car and start it.

In the case of Beckham, police think the criminals waited until he
left his car, then proceeded to use a brute-force attack until the car
was disarmed, unlocked and stolen.

Hear no evil, speak no evil

The authors of the Johns Hopkins/RSA study suggest that the RFID
industry move away from the relatively simple 40-bit encryption
technology now in use and adopt a more established encryption
standard, such as the 128-bit Advanced Encryption Standard (AES). The
longer the encryption code, the harder it is to crack.

The authors concede that this change would require a higher power
consumption and therefore might be harder to implement; and it
wouldn't be backward-compatible with all the 40-bit ignition systems
already available.

The authors also suggest that car owners wrap their keyless ignition
fobs in tin foil when not in use to prevent active scanning attacks,
and that automobile manufacturers place a protective cylinder around
the ignition slot. This latter step would limit the RFID broadcast
range and make it harder for someone outside the car to eavesdrop on
the code sequence.

Unfortunately, the companies making RFID systems for cars don't think
there's a problem. The 17th annual CardTechSecureTech conference took
place this past week in San Francisco, and CNET News.com had an
opportunity to talk with a handful of RFID vendors. None wanted to be
quoted, nor would any talk about 128-bit AES encryption replacing the
current 40-bit code anytime soon. Few were familiar with the Johns
Hopkins/RSA study we cited, and even fewer knew about keyless ignition
cars being stolen in Europe.

Even Consumer Reports acknowledges that keyless ignition systems might
not be secure enough for prime time, yet the RFID industry adamantly
continues to whistle its happy little tune. Until changes are made in
the keyless systems, any car we buy will definitely have an ignition
key that can't be copied by a laptop.

Copyright 1995-2006 CNET Networks, Inc. All rights reserved.
