KFZ-Keys - False scaremongering by the ADAC

Intro

In this post we briefly show attack variants against today's car keys (so-called KFZ-Keys), respond to what we consider the completely exaggerated scaremongering of the ADAC, and above all explain how car owners can obtain the best possible theft protection at low cost.

In 2015 we already hacked the car key of an old Mercedes C180. (link to video) We then received a test vehicle from BMW to check whether the same vulnerability of the car keys could also be exploited there; this vulnerability exists there as well.

Over time and many "opened" vehicles later, the question came up again and again as to whether this would also work with "premium brands", so we chose a Ferrari as a worthy representative from the six-figure price range. We added the video as a goodie at the end of the blog ;-).

Special thanks at this point to Denis Maier, who always supports us in the area of cars, this time with a Ferrari 458 Italia!


The background

The radio car key (KFZ-Key) was launched around 1993 by Siemens Automobiltechnik, better known today as Continental. PASE, the Passive Start and Entry System (Continental), perhaps better known to many as Keyless Go (Mercedes-Benz), dates back to 1999. At this point I would like to point out that PASE, i.e. Keyless Go, is still being treated as a "high-tech goodie" in 2017. In November 2016 I ordered a new Mercedes-Benz and picked it up from the dealer almost 4 weeks ago; shockingly, I had to realize that Keyless Go, i.e. more security, also costs extra here, while I pay no surcharge for my insecure radio key.

In our opinion, security in products must not be sold separately, but must be part of the standard; especially when technologies could have been in use for years.

How does the attack work?

First we have to understand how a classic wireless car key (car key) works (not Keyless Go). Car keys use a rolling code system, which means that a defined sequence of possible codes is stored on the key. Every time you press the button, the currently valid code is sent and the "system" rolls on to the next one. There are three types of possible attacks:

  1. Replay attack
  2. Jam (and replay)
  3. Brute force

ATTACK

Replay

As PoC we have a replay attack and a brute force attack. But first some theory. Radio keys work on different frequencies: 433.92 MHz, 315 MHz and sometimes also 868 MHz. This depends on the manufacturer and the region; 433.92 MHz is the standard for EU vehicles. Different types of modulation are sometimes used, but this was not a problem with the key we tested.

Ferrari hack from ProSec cool box

Now we start our sniffer, which captures the raw signal 1:1 and saves it to a file. If we wrap the key in a cool box lined with aluminum foil, it is well protected from interfering signals. For this I drilled a small hole for the USB cable of my receiver so I could connect it to my MacBook. If you now press the key (glued to the inner wall and pressed with a metal rod through a second hole), we get largely interference-free signals.

If we now play this signal, the Ferrari opens once.

Up to this point the attack cannot be used realistically.

Jamming

Jamming refers to the disruption of signals by interfering signals. Now that we have been able to record a near-clean signal in our "lab", we know exactly what bandwidth the signal uses. Since the transmitter and receiver are often, to put it mildly, cheap devices, the receive and transmit power is often modest. The receiver is therefore often a bit "generous", so that the key's signal can still be received and correctly demodulated despite, for example, temperature fluctuations. So in the first step we need an interference signal; for this I chose the song "Rude Boy" by Rihanna. Not really my taste in music, but it was playing on a regional radio station when I was recording the radio waves; thanks BigFM for the interference signal :).

Joking aside: now that I have the signal, I play it back at a frequency on the edge of 433.92 MHz, so close to that of the key. 433.9191 MHz worked well on the Ferrari. If I now play this in a loop with a decent gain and press the car key of my Ferrari, nothing happens.

Perfect, the Ferrari's lock signal is now jammed.

Attack

Now that we have recorded a clean signal and have a jammer, we of course need a filter that also removes our own jamming from the recording. For this I wrote a simple low-pass filter (a filter that cuts off frequencies above a defined threshold). If we now let the misery run its course and our victim parks his Ferrari in the multi-storey car park, his vehicle no longer locks. If the victim notices, they may lock the door manually, but do you turn around to check your vehicle every time?

Assuming you did turn around and lock up: you come back after your shopping and press "open". Again nothing happens, because we have now recorded the signal and blocked the transmitted signal from reaching the Ferrari, even if you probably don't drive a Ferrari to the weekly shop. So you unlock the door and drive away. The attacker follows you and waits, and now we open your Ferrari with the recorded signal.

Yes, but it's in my garage, isn't it?

Great, because the garage will probably come with an 868 MHz radio receiver so it can be opened with a remote control, right?

KEYLESS GO & ADAC

In the course of this, we were astonished to find that the ADAC has called Keyless Go unsafe and backs this up with videos and a constantly updated list of vehicles that can be opened and started using the ADAC scenario. We would like to explain the process in a little more detail at this point.

The ADAC scenario:

By relaying the signal (similar to a WLAN repeater), it is possible to extend the range of the key's signal. This actually makes it possible to open and start the car. According to the ADAC, this procedure is less secure than the traditional radio key.

The scenario could look like this:

The victim is sitting in a café and the perpetrator is no more than 1.5 m away, otherwise the signal is lost. Depending on the distance, a second perpetrator must be available to extend the signal and relay it to the parked vehicle. So the perpetrator must be extremely close to the victim, and a second offender is needed.

Comparison to jam and replay attack on old radio keys:

In contrast, with the jam & replay attack on old radio keys, you only need to capture a signal once and do not have to be in the immediate vicinity of the victim, because here even 40 m is enough in the multi-storey car park. Even at night, the vehicle can then simply be stolen from the victim's garage, often precisely because the garage is also opened by radio remote control. This scenario is much more threatening, because here the victim can actually only protect themselves by no longer using the classic radio key. In addition, such attacks also work without a key via brute force, and only one perpetrator is required in both cases.

Keyless Go, on the other hand, currently cannot be successfully attacked by brute force, nor can a classic replay attack be carried out against it. There is also protection for €8.99 on Amazon (link below); however, the press and the ADAC omit this reference. Drama production, I think. If the Keyless Go key is kept in such a shielding case, the ADAC's attack is successfully repelled!
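To make the difference between the two key designs concrete, here is a small Python model of both schemes. It is an added example and not ProSec's tooling or any manufacturer's implementation: the rolling-code receiver (a counter plus a MAC with a tolerance window, as sketched in the "How does the attack work?" section) and the challenge-response receiver (a fresh random nonce per unlock, the idea behind PASE/Keyless Go) are constructed here for illustration, and the window size, MAC construction and nonce length are assumptions. The model shows why a rolling code that was captured while the car never heard it stays valid later, while a captured challenge-response answer is worthless once the car issues a new nonce.

```python
"""Toy model of two car-key schemes (constructed example, not the blog's code).

Rolling code: the fob sends (counter, MAC(key, counter)); the receiver accepts
any counter ahead of the last one it saw, up to a window. A code that was
captured while the receiver never heard it remains inside that window later.

Challenge-response (the idea behind PASE / Keyless Go): the car sends a fresh
nonce and only accepts a MAC over that nonce, so a recorded answer is useless.
"""
import hmac
import hashlib
import secrets


def mac(key, msg):
    """Short HMAC tag; the real fobs use proprietary ciphers (assumption here)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class RollingCodeFob:
    def __init__(self, key):
        self.key = key
        self.counter = 0

    def press(self):
        """Each button press advances the counter and emits the next code."""
        self.counter += 1
        return self.counter, mac(self.key, self.counter.to_bytes(4, "big"))


class RollingCodeReceiver:
    WINDOW = 16  # assumed tolerance: presses made out of range must not desync the fob

    def __init__(self, key):
        self.key = key
        self.last_counter = 0

    def accept(self, code):
        counter, tag = code
        expected = mac(self.key, counter.to_bytes(4, "big"))
        if not hmac.compare_digest(tag, expected):
            return False  # wrong key: MAC does not verify
        if counter <= self.last_counter or counter > self.last_counter + self.WINDOW:
            return False  # already used, or too far ahead of what we last saw
        self.last_counter = counter
        return True


class ChallengeResponseFob:
    def __init__(self, key):
        self.key = key

    def answer(self, nonce):
        return mac(self.key, nonce)


class ChallengeResponseCar:
    def __init__(self, key):
        self.key = key
        self.pending = None

    def challenge(self):
        """Fresh random nonce per unlock attempt (8 bytes assumed)."""
        self.pending = secrets.token_bytes(8)
        return self.pending

    def accept(self, response):
        if self.pending is None:
            return False
        ok = hmac.compare_digest(response, mac(self.key, self.pending))
        self.pending = None  # a nonce is usable exactly once
        return ok


def demo_rolling_code():
    key = secrets.token_bytes(16)
    fob, car = RollingCodeFob(key), RollingCodeReceiver(key)
    first = fob.press()   # car never hears this press; an observer stores it
    second = fob.press()  # owner presses again and this one reaches the car
    results = {"second_press": car.accept(second)}
    results["replay_after_newer_code"] = car.accept(first)  # older than last seen
    # A receiver that has NOT seen a newer code still accepts the stored one:
    quiet_car = RollingCodeReceiver(key)
    results["stored_code_still_valid"] = quiet_car.accept(first)
    results["same_code_twice"] = quiet_car.accept(first)
    return results


def demo_challenge_response():
    key = secrets.token_bytes(16)
    fob, car = ChallengeResponseFob(key), ChallengeResponseCar(key)
    nonce = car.challenge()
    captured = fob.answer(nonce)          # an observer records this live exchange
    results = {"live_exchange": car.accept(captured)}
    car.challenge()                       # later: the car issues a new nonce
    results["replayed_answer"] = car.accept(captured)
    return results


if __name__ == "__main__":
    print("rolling code:", demo_rolling_code())
    print("challenge-response:", demo_challenge_response())
```

The rolling-code receiver has to keep a window of acceptable future counters, otherwise a few presses made out of range would lock the owner out; that same window is what keeps a stored-but-undelivered code valid. The challenge-response model has no such window: the car only ever accepts an answer to the nonce it just sent. Note that the ADAC relay scenario does not break this logic at all; it only carries the live challenge and answer over a longer distance, which is exactly why a shielding pouch, which stops the fob from answering in the first place, is an effective countermeasure.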

Our conclusion and what car owners can really do

  • We, as IT security experts, would like to point out expressly that in principle any type of radio transmission is vulnerable "by design"; however, Keyless Go is definitely safer than the traditional radio key (car key)!
  • Our appeal to the automotive industry: the "keyless" system PASE must be standard and must not be sold as a "special feature" for an additional charge!
  • In our opinion, the ADAC only unsettles its customers, fueling fear and further uncertainty; uncertainty on the part of buyers that hackers can and will exploit again in social engineering attacks.
  • If you want to protect yourself as well as possible, you have to do without conventional radio keys and should use Keyless Go technology in combination with a protective cover for the car key; similar to a protective cover for smartphones, but with the function of shielding the key's signals from criminals "tapping" them. Link for a sample product

So if you want to open my Mercedes: Go ahead, I didn't pay the surcharge because I'm not going to promote the automotive industry at this point.


youtube link:
