A decade ago, breaking into a vehicle was a relatively easy manual process. As technology improved, there was an increase in the technology implemented in the vehicle. We are to the point where the vehicle is a computer on wheels. This will even be more the case once automotive ethernet is implemented through the vehicle manufacturers.
To remove the opportunity for the theft a new technology was placed in the vehicle-the immobilizers. This reduced the number of key fob attacks by removing relay attacks from the attack surface. These required the attacker to be within range of the original key.
Cryptography Applied to the Key Fob
The key fobs added a cryptographic function to the unlocking device. The attacker could not simply sniff the key fob communicating with the vehicle and replay the signal to break into the vehicle. The cryptographic function instead worked to scramble the key fob communication.
The attack-defense cycle was at work here. The defense (the manufacturer) created a cybersecurity feature to stop the attacks. The attackers viewed this, reverse engineered the process, and created a new attack circumventing the cybersecurity feature. This instance was no different. The attackers grasped the idea of breaking through the feature with the key fobs, researched the idea, and reverse engineered the process.
The researched purchased a few immobilizer electronic control units from eBay. With these secured, the researchers were able to reverse engineer the firmware located within the key fobs. The purpose with this was to analyze the method of communication between the key fob and vehicle.
The analysis indicated the key used was very easy to crack. This used Texas Instruments DST80 encryption to secure the communication. This normally would not be significant detriment; however, the manufacturer’s implementation was the issue. For instance, the Toyota implementation was based on the serial number. What made this worse was if someone were to scan this with an RFID reader, it showed the serial number. This portion of the research was not difficult to complete. The RFID readers are for sale on Amazon for under $30. Working with these is not complicated.
Another example involved Kia and Hyundai. These manufacturers used 24 bits of random character rather than the 80 bits the DST80 offers. To put this in perspective the 24 bits used could be cracked with a laptop in a few milliseconds. Unfortunately, the rationale for not using the greater number of bits is unknown. Perhaps this was for a cost or processing time savings.
With either attack, once you have the cryptographic key, unlocking the vehicle and doing as you wish is not a far stretch of the imagination. The only other addition to the attack is the person needs to be able to turn the ignition. This may be bypassed using old-school technology (e.g. screwdriver or hot-wiring).
This was a rather significant decrease in cybersecurity applied to the key fob-vehicle communication process. This is much like cybersecurity retreating to the 1980’s.
This serious vulnerability is not applicable to all the models for the three automakers. This issue is applicable to older models. While this is a positive, this still has the other vehicles at risk of theft and other malicious actions.
This does, however, affect many models. To show the extent, following is the listing:
Toyota Auris 2009-2013
FJ Cruiser 2011-2016
Land Cruiser 2009-2015
Urban Cruiser 2010-2014
Kia Ceed 2012+
Hyundai I10 2008+
What did we learn?
Over time, security should improve. The attackers are not limiting their attacks or type of technology used for the attacks. They certainly are not moving backwards in their attack plans. For the cryptography to be used in the format as it was is not appropriate. The cybersecurity needs to be at least matched, however, should be optimized against the known and future attacks. This is done through testing and forward-looking cybersecurity architecture.
Cybersecurity needs to be built into the product from the beginning of the project. With this in place, the project’s timeline and costs are kept inline. Having to re-engineer, approve, and retrain staff is a costly venture.
Ansari, U. (2020, March 6). Poor car keys encryption: Hackers can clone millions of toyota, kia and Hyundai keys. Retrieved from https://www.carspiritpk.com/2020/03/poor-car-keys-encryption-hackers-can-clone-millions-of-toyota-kia-and-hyundai-keys/
E&T. (2020, March 6). Millions of cars’ anti-theft systems vulnerable to hacking. Retrieved from https://eandt.theiet.org/content/articles/2020/03/millions-of-cars-anti-theft-systems-vulnerable-to-hacking/
Greenberg, A. (2020, March 5). Hackers can clone millions of toyota, Hyundai, and kia keys. Retrieved from https://www.wired.com/story/hackers-can-clone-millions-of-toyota-hyundai-kia-keys/
Greenberg, A. (2020, March 7). Hackers can clone millions of toyota, Hyundai, and kia keys. Retrieved from https://arstechnica.com/cars/2020/03/hackers-can-clone-millions-of-toyota-hyundai-and-kia-keys/?comments=1
McClain, S. (2020, March 7). Hackers can clone millions of toyota, Hyundai, and kia keys. Retrieved from https://mashviral.com/hackers-can-clone-millions-of-toyota-hyundai-and-kia-keys/
McKay, T. (2020, March 5). Encryption flaws leave millions of toyota, kia, and Hyundai cars vulnerable to key cloning. Retrieved from https://gizmodo.com/encryption-flaws-leave-millions-of-toyota-kia-and-hyu-1842132716
Whazup. (2020, March 7). Hackers can clone millions of toyota, Hyundai, and kia keys. Retrieved from https://www.wazupnaija.com/hackers-can-clone-millions-of-toyota-hyundai-and-kia-keys/
Wouters, L, Van den Herrewegen, J., Garcia, F.D., Oswald, D., Gierlichs, B., & Prencel, B. (2020). Dismantling DST80-based immobilizer systems. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2020(2), 99-127. Doi:10.13154/tches.v2020.12.99-127
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.
Share on Facebook
Share on Twitter
I'm busy working on my blog posts. Watch this space!