Keyless Security Not So Secure - InformationWeek

A suppressed security paper shines a light on the shortcomings of the cryptography used to protect keyless vehicle access systems.

A two-year-old research paper documenting flaws in the Megamos Crypto transponder, used to protect Audi, Fiat, Honda, Volkswagen, Volvo, and other vehicles with keyless ignition systems, demonstrates that you don't need a key to steal a car protected by keyless authentication.

The paper is being presented as part of the 2015 Usenix Security Symposium in Washington, D.C., this week. It was originally scheduled to be presented in 2013, but Thales and Volkswagen, developer of the Megamos Crypto system, sued in the UK to prevent its publication and won an injunction, despite nine months of advance warning from the researchers. The company argued that the publication of the paper could allow sophisticated thieves to bypass protections and steal cars.

That's exactly what the paper's authors, British computer scientist Flavio Garcia and the Dutch researchers Baris Ege and Roel Verdult, say is cause for concern, at least for the car models tested in 2012. "The implications of the attacks presented in this paper are especially serious for those vehicles with keyless ignition," they conclude. "At some point the mechanical key was removed from the vehicle but the cryptographic mechanisms were not strengthened to compensate."

Keyless ignition systems, perversely, have keys. While a keyless vehicle may have a start button instead of a mechanical key port, the electronic fob that authenticates the owner and allows the engine to start relies on a cryptographic key, stored on an RFID chip.

The Megamos Crypto transponder uses a 96-bit key. But it has a variety of flaws, according to the researchers. It lacks a pseudo-random number generator, making it vulnerable to replay attacks, and its internal cipher consists of only 56 bits, among other problems.

(Image: Ege, Garcia, Verdult. Bold indicates models tested.)

It took the researchers all of 30 minutes to recover the 96-bit key from the transponder. A second attack took a bit longer, two and a half hours.

This is not just a problem for the Megamos Crypto transponder. The paper says that there are known attacks for the other widely used immobilizer transponders, specifically DST40, Hitag2, and Keeloq.

Volkswagen did not immediately respond to a request for comment.

In February, the UK's Metropolitan police said that more than 6,000 vehicles last year, representing 42% of thefts of cars and vans, were stolen without the owners' keys. The agency said that while some of those thefts could involve vehicles that had been towed away, the majority of them "appear to be the result of organised criminals using key-programming devices to create duplicate keys for vehicles."

Such thefts, however, probably do not involve techniques described in the research paper. As the Metropolitan police point out, keyless vehicles are commonly stolen by breaking into the vehicle, electronically or physically, and using the onboard diagnostic port (OBD) to program a new key.

Such thefts appear to be less common in the US. Last year the US National Insurance Crime Bureau (NICB) warned that thieves were exploiting keyless authentication systems to open locked cars using "scanner boxes" to steal personal items.

But Frank Scafidi, spokesperson for the NICB, said in a phone interview that he hasn't seen one report where a car has been stolen by the external hacking of a keyless system. He said there have been some reports of thefts arising from OBD abuse, but not an overwhelming number.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

User Rank: Ninja
8/30/2015 | 8:51:44 PM
Re: Sophisticated car theft using technology
@Tango: What happened to the case? Were the culprits ever caught? The scene you described is very dramatic. Sounds like a movie scene.
User Rank: Ninja
8/30/2015 | 8:46:31 PM
Delaying the publishing of the paper is not the best defence. It's some defence. The bigger secret is not how it is to be done. The bigger secret was if it could be done. Car lifting gangs would figure out the how part.
User Rank: Apprentice
8/17/2015 | 4:46:49 PM
Sophisticated car theft using technology
I don't see Chrysler / Jeep or Cooper Mini listed in the table in the story, so I can't say for sure it is related, but . . .  the next door neighbors had a Jeep Grand Cherokee stolen from their driveway last year.  It appears the thieves both unlocked (they heard the "chirp" from the unlock, which got them out of bed to look) and then started the keyless ignition and they saw them take it from the driveway and go for a joy ride without having access to the original "keys" or fob at all.  They also saw their Cooper Mini doors had been remotely unlocked at the same time.  

We were all wondering if the thieves had some sort of transmitter sending unlock codes at a rapid pace, and got lucky. Other neighbors in the same area had things taken out of their vehicles around the same time, finding the doors unlocked in the morning when they were all pretty certain they'd been locked the night before. Most had alarm systems, and the alarms hadn't gone off but the doors had obviously been opened and the contents of the car tossed about looking for valuables.
User Rank: Ninja
8/17/2015 | 8:08:08 AM
Re: Smart
It's funny because when it's newer technology used to break into a vehicle we worry but we don't stop to think about all the failings of mechanical keys.  You can buy master sets of keys for automobiles, and for a span of years GM was handing out what were essentially bump keys for their other vehicles.  With a key from a few year time span you could use it to open and start many other models from various years.  Locks keep honest people out, mechanical or digital. 
User Rank: Ninja
8/16/2015 | 11:02:59 AM
Re: Smart
I would think car manufacturers will be more serious about protecting their customers from theft. I think they should do a better job at providing security to their vehicles. What is the point of providing convenient functionality if such a feature puts your security at risk? I prefer a regular car instead.
User Rank: Ninja
8/14/2015 | 8:43:20 PM
Thieves are getting more sophisticated. And while I do think that towing a vehicle away is a novel idea, using technology is a good idea, too.

Stealing a car isn't all about breaking into the mechanical component of a car anymore – it's more about hacking into the digital side of things.