Keyless systems on cars easily hacked, researchers say

Researchers at Switzerland's ETH Zurich University show how passive keyless entry and start systems can be compromised

The passive keyless entry and start (PKES) systems supported by many modern cars are susceptible to attacks that allow thieves to relatively easily steal the vehicles, say security researchers at Switzerland's ETH Zurich University.

In demonstrations using 10 cars from eight makers, the researchers showed how they were able to unlock, start and drive away the cars in each case, by outsmarting the smart key system.

The break-ins were carried out using commercial, off-the-shelf electronic equipment available for as little as $100, the researchers said in a paper describing their exploits .

Although the possibility of such attacks on keyless systems has been discussed previously, it has not been clear before if they would be feasible on modern cars, the researchers said. "In this paper, we demonstrate that these attacks are both feasible and practical," they said.

Details of the hacking are scheduled to be presented at a security conference in San Diego later this month, reports the MIT Technology Review .

The keyless systems exploited in the Zurich demonstrations are designed to let car owners lock, unlock and start their vehicles without having to take the key fob out of their pockets. They allow car doors to unlock when the person carrying the key approaches the vehicle, and to lock them when the person walks away from the vehicle.

To start the keyless vehicle, the user needs to be inside the car with the key on their person or within the car. There is no need, however, for the key to be inserted physically into the ignition lock to start the vehicle.

The car and the key fob communicate with each other using a combination of both Low Frequency and Ultra High Frequency radio signals. The door lock and unlock functions, asw well as the engine start functions, are activated by the proximity of the key fob to the car. When the key is brought close to the car, it issues a command to open the car and turn on the ignition.

For the experiment, the researchers used a pair of commercially available loop antennas for capturing beacon signals from the car and relaying it to the key fobs. The antennas were used to fool the car into believing the key fob was in closer proximity to the vehicle than it actually was.

First, one of the antennas would be placed on the exterior of the car, close to the door handle, to pick up signals from the vehicle and relay it to the second antenna located some distance away. Signals received by the second antenna would then be picked by the key, which would relay instructions back to the car to unlock the doors.

Once the door was unlocked, the researchers would bring the first antenna inside the vehicle and either press the brake pedal or the start engine button, to cause the car to send a 'start engine' message to the key. The key would then respond with a command to start the car in each case, the researchers said.

Two sets of tests were conducted. In one, the researchers linked the two antennas using standard co-axial cables; in the second, the antennas were linked wirelessly.

They said the tests demonstrated more than just a theoretical threat. For example, the equipment used for the test could be used in a parking lot to steal keyless-enabled vehicles.

In this scenario, the attackers could place one relay antenna close to a corridor, a payment machine, or an elevator, the researchers said. When a user parks and leaves a car with a keyless system, an attacker could quickly place a second antenna to the door handle of the vehicle. This antenna would then begin communicating with the previously placed relay antenna.

"When the car owner passes in front of this second antenna with his key in the pocket, the key will receive the signals from the car and will send the 'open' command to the car," the researchers said. "Once that the attacker has access to the car, the signals from within the car are relayed and the key will now believe it is inside the car and emit the 'allow start' message," they said.

One immediate countermeasure that drivers can take is to put their keys within a protective metallic envelope to prevent it from emitting signals.

Removing the battery from the key fob can also disable the active wireless communications, the paper noted. It also discussed hardware and software modifications that manufactures can take to mitigate the threat.

Join the CSO newsletter!

Error: Please check your email address.

Tags securitySecurity Hardware and Software

More about MITSwitzerland

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts