Should drivers trust keyless security systems?

A new study shows that remote keyless entry systems can be easily and inexpensively be hacked using key-cloning.

Brennan Linsley/AP/File
Volkswagen cars for sale are on display on the lot of a VW dealership in Boulder, Colo.

Remote keyless entry (RKE) systems often urge their users to forget about their keys. In these systems, a key fob can remain in the driver’s pocket and unlock the car without the owner doing anything but pulling on the handle.

Lose your keys for good!” Innovative Ignition Systems writes in their description of their PKE-100-V1 Universal Proximity Sensing Keyless Entry system. But a new study by three researchers at the University of Birmingham and one at Kasper & Oswald GmbH, Germany, has found that the danger of keyless cars is not losing your keys, but losing your car.

“The results of this paper show that major manufacturers have used insecure schemes over more than 20 years,” the paper concludes. Unlike previous research that has found simple solutions to hacking methods, there is no easy solution to this technique. “Lock it or lose it? Remove it!” the researchers recommend. Has the best solution to car entry become the old-fashioned key?

The study, titled “Lock It and Still Lose It – On the (In)Security of Automotive Remote Keyless Entry Systems,” tests two different remote keyless entry schemes: those used by Volkswagen (VW) vehicles between 1995 and today, and those used by a variety of other manufacturers. They find both systems can be hacked inexpensively and easily.

To enter a car without the key, hackers use signals from cheap and simple radios that are able to eavesdrop and record the codes used by keyless entry systems and then clone them.

Eavesdropping is easy because the Volkswagen Group only used a few cryptographic global master keys for the RKE systems, they write.

"With the knowledge of these keys, an adversary only has to eavesdrop a signal from a target remote control. Afterwards, he can decrypt this signal, obtain the current [identifier of the remote control] and counter value, and create a clone of the original remote control to lock or unlock any door of the target vehicle an arbitrary number of times," the researchers write.

As Wired's Andy Greenberg reports, however, the attack isn't a total cinch.

The attack isn’t exactly simple to pull off: Radio eavesdropping, the researchers say, requires that the thief’s interception equipment be located within about 300 feet of the target vehicle. And while the shared key that’s also necessary for the theft can be extracted from one of a Volkswagen’s internal components, that shared key value isn’t quite universal; there are several different keys for different years and models of Volkswagen vehicles, and they’re stored in different internal components.

 Methods for hacking RKE systems have been found in the past. A few years ago, security researchers found that RKE vehicles could be hacked using power amplification.

“It’s a bit like a loudspeaker, so when you say hello over it, people who are 100 meters away can hear the word, ‘hello,’ ” Boris Danev told The New York Times. “You can buy these devices anywhere for under $100.” Using this method, thieves have been able to enter cars when car fobs have been as far as a football field away, for example in the house when the car is in the driveway.

A car owner was able to simply solve this problem, though, by wrapping the fob in aluminum foil or putting it in the freezer, The New York Times reported.

Researchers say confirming this new scalable method may help explain unexplained thefts from locked vehicles from the last few years.

“As of today, even experts in car theft cases expressed the opinion that the alarm and electronic door locking systems of a car cannot be easily circumvented,” the researchers write. “From now on, they have to consider that special universal remote controls to bypass the security mechanisms might be used by criminals.”  

Along with allowing drivers to forget their keys, RKEs make thefts practically invisible.

Instead of returning to the key, researchers recommend that manufacturers solve the security issues. “For a ‘good’ RKE system, both secure cryptographic algorithms … and secure key distribution are necessary,” they recommend.

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.