Car Security Woes


In this article, researchers at the University of Birmingham and the engineering firm Kasper & Oswald plan to reveal two vulnerabilities that allow a criminal to remotely unlock your car (the paper is "Lock It and Still Lose It", to be presented at the USENIX Security Symposium 2016). One vulnerability applies to roughly 100 million Volkswagen Group vehicles sold since 1995; the other is broader and affects multiple makes and models.

I worked on Remote Keyless Entry (RKE) as a cooperative college student sometime around 1990. While the technology has changed, the basic function has not. The key fob (the remote on your key chain) contains a small radio transmitter. When you press a button, the fob determines which button was pressed and transmits a short message. On the other side, mounted somewhere in the car, is a radio receiver. When it detects a signal on the fob's frequency, it decodes the transmission. If the command is valid and meant for this car, the receiver tells the car to perform the requested action, such as unlocking the doors.

The FCC limits the radio frequencies that devices can use. This makes sense: you don't want your cordless phone or cell phone to disconnect when you press the garage door opener remote. The result is that each type of device is assigned a relatively narrow band of frequencies. Most RKE systems share the same narrow band in the low-UHF range, typically around 315 MHz in North America and 433 MHz in Europe.

When you press the button, the remote transmits a two-part message. The first part is an ID, and the second part is a command. Back in 1990, the remotes I worked with had a fixed 20-bit ID, which amounts to 2^20 unique IDs (a little over a million). Your car would come with two remotes and would be programmed to respond only to those two. So if your car had 1334 and 87234 as its two remotes and received the signal for 1335, it would ignore it. This is required so that when you press the unlock button, you don't unlock all of the Buicks in the parking lot.

The problem with that system is that the signal transmitted to unlock your car is identical every single time. If you sat in a parking lot with a scanner tuned to 300 MHz and captured these short bursts of radio traffic, you could simply archive them and play them back later, unlocking the car: a straightforward replay attack. The equipment to do this is relatively cheap and easy to assemble. Furthermore, if you actually decoded the message, you could extract the ID and substitute the unlock command. Think about this for a second. If you were sitting in a parking lot and someone pulls in, gets out of their car, and presses LOCK, you would then have the lock command for that particular car, but that is not very useful to a criminal. What you need is the UNLOCK command, and you would likely only get that opportunity as the owner walks back to the car, at which point they unlock it and drive away. If you could decode the signal and create a new transmission with the correct ID and the UNLOCK command, you could unlock the car as soon as the owner was out of sight.

The car companies immediately recognized this weakness, so they changed the way the system works. First, they widened the ID to 40 bits, or about 1 trillion combinations. Next, they switched to a rolling code: each time the fob transmits an ID, both sides advance to the next one. Say you had a remote set to 1334. You press the button, it transmits 1334, the receiver is expecting 1334, it performs the action you requested, and both receiver and transmitter advance to the next number, say 1335. This prevents someone from simply re-transmitting a captured ID. However, it is easy to see that an attacker could just add one and guess the next ID. To solve this, the ID generator uses a pseudo random number generator, so the "next" number is not the next consecutive number but the next number in a pseudo random sequence. So 1334 might be followed by 5366342, but 1334 will ALWAYS be followed by 5366342. In real systems that sequence also depends on a secret key shared between the fob and the car, so the next code is predictable only to someone who knows both the algorithm and the key, and the receiver accepts a short window of upcoming codes so that a few presses made out of range do not desynchronize the fob. It is the same idea as a shuffled playlist whose order is fixed once the seed is chosen, and it is how remotes have worked for some time. (Home garage door openers work the same way.)

Apparently, what has happened is that these researchers have worked out what this pseudo random sequence is. So now, when you press the lock button, a criminal can receive the transmission, decode the ID, compute the next pseudo random number, pair it with the unlock command, and transmit that message. The whole process takes less than a minute with about $40 in hardware. The problem for the car manufacturers is how to fix this. There are newer, better algorithms, but deploying them means physically replacing the module in your car and the remotes. Since this is not a safety issue, do not expect the car manufacturers to issue a recall.
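To make the three attacks above concrete (replaying a captured unlock, substituting UNLOCK for a captured LOCK against a fixed-code receiver, and computing the next rolling code when the sequence is known), here is an added toy model in Python. It is not code from the article or from any vehicle manufacturer. The (ID, command) message layout, the 40-bit code width, the constructed `next_code` generator and the 16-code acceptance window are all assumptions chosen for illustration; real rolling-code fobs mix a per-fob secret key into the sequence, which this toy deliberately leaves out so that the "known sequence" attack can be run end to end.

```python
"""Toy fixed-code vs rolling-code remote keyless entry (constructed example)."""

LOCK, UNLOCK = "LOCK", "UNLOCK"
CODE_BITS = 40                      # the post-1990 ID width described above
MASK = (1 << CODE_BITS) - 1


def next_code(code: int) -> int:
    """Deterministic 'pseudo random' successor of a code.

    Constructed linear congruential generator standing in for the
    article's PRNG. Anyone who knows this function can compute the
    successor of any observed code; real systems key the sequence.
    """
    return (code * 0x5DEECE66D + 0xB) & MASK


class FixedCodeReceiver:
    """Pre-rolling-code receiver: a paired ID is accepted every time."""

    def __init__(self, paired_ids):
        self.paired = set(paired_ids)
        self.locked = True

    def receive(self, msg) -> bool:
        fob_id, command = msg
        if fob_id not in self.paired:
            return False            # another car's remote: ignore it
        self.locked = command == LOCK
        return True


class RollingFob:
    """Fob that advances its code after every press."""

    def __init__(self, code: int):
        self.code = code & MASK

    def press(self, command):
        msg = (self.code, command)
        self.code = next_code(self.code)
        return msg


class RollingReceiver:
    """Accepts the expected code or one of the next `window` codes,
    so presses made out of range do not strand the fob."""

    def __init__(self, fob_code: int, window: int = 16):
        self.expected = fob_code & MASK
        self.window = window
        self.locked = True

    def receive(self, msg) -> bool:
        code, command = msg
        candidate = self.expected
        for _ in range(self.window):
            if candidate == code:
                self.expected = next_code(code)   # move past the used code
                self.locked = command == LOCK
                return True
            candidate = next_code(candidate)
        return False                # replayed (already used) or foreign code


def fixed_code_attacks():
    """Returns (replay_unlocked, forged_unlock_accepted) for the old scheme."""
    car = FixedCodeReceiver({1334, 87234})
    # 1. Replay: the owner's UNLOCK press is recorded and played back later.
    unlock_msg = (1334, UNLOCK)
    car.receive(unlock_msg)         # owner unlocks and drives away
    car.receive((1334, LOCK))       # owner parks again and locks
    replay_ok = car.receive(unlock_msg) and not car.locked
    # 2. Forgery: only a LOCK press was captured; keep the ID, swap the command.
    captured = (1334, LOCK)
    car.receive(captured)
    forged_ok = car.receive((captured[0], UNLOCK)) and not car.locked
    return replay_ok, forged_ok


def rolling_code_attacks():
    """Returns (replay_accepted, predicted_unlock_accepted, owner_press_accepted)."""
    fob = RollingFob(1334)
    car = RollingReceiver(1334)
    captured = fob.press(LOCK)      # owner locks; attacker records the burst
    car.receive(captured)
    # Plain replay: that code has been consumed, so the receiver rejects it.
    replay_ok = car.receive(captured)
    # Known-generator attack: compute the successor, pair it with UNLOCK.
    predicted_ok = car.receive((next_code(captured[0]), UNLOCK)) and not car.locked
    # Side effect in this toy: the owner's fob is now one step behind the car.
    owner_ok = car.receive(fob.press(LOCK))
    return replay_ok, predicted_ok, owner_ok


if __name__ == "__main__":
    print("fixed code  (replay, forged unlock):", fixed_code_attacks())
    print("rolling code (replay, predicted, owner):", rolling_code_attacks())
```

Running it shows the fixed-code receiver accepting both the replay and the forged unlock, while the rolling-code receiver rejects the replay but accepts the predicted successor. Note the side effect visible in the last value: once the attacker has burned the next code, the legitimate fob is behind the car and its press is rejected in this toy model; real systems include a resynchronization procedure for that case, which is also why such an attack can leave the owner with a remote that suddenly needs to be pressed twice.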

What can you do? Quite simply, don't use your remote, especially for locking your car. The one thing I like about locking the car with the remote is it guarantees that you are physically in possession of your keys when the car gets locked. I have never locked my keys in the car since I have been driving cars with a remote.

An alternate method would be to press the power lock button (LOCK ALL) on the door panel as you exit the car. That doesn’t fix the issue of locking your keys in the car, but it does prevent someone from intercepting your signal. Another method would be to physically use your key to lock the door. That solves the locked key problem, but doesn’t ensure ALL the doors get locked.

When you return to your car, it is probably OK to use the remote to unlock it, provided you are driving away, because it is unlikely that a criminal would follow you and attempt to break into your car at your next destination. However, if you suspect that someone is monitoring radio traffic, there is no harm in using your physical key.
