Is Your Car Key Fob Vulnerable to This Simple Replay Attack?
Most people probably take for granted that their key fob is secure. Locking and unlocking cars is, after all, enormously important. But at the Black Hat security conference, researchers showed how a simple replay attack can roll back the safety measures built into car key fobs.
The system for locking and unlocking cars remotely is called Remote Keyless Entry (RKE), and it's more complex than it might seem. Each button-press is unique, which prevents an attacker from simply recording you hitting the unlock button and playing it back later.
Levente Csikor, a researcher at I2R, A*STAR, explained that RKE systems use a rolling code. The key fob and the car each keep a counter that advances every time a button is pressed, and each transmitted code carries the fob's current counter value. A recorded code therefore carries a counter value the car has already seen, and the car rejects it.
But not all of your key fob presses reach the car. Perhaps you're out of range, behind thick glass, or just fidgeting with your keys. Those presses advance the counter on the fob but not on the car, so the two drift apart. To keep accidental presses from locking owners out, RKE receivers resynchronize: when they detect that the fob's counter has run ahead of the car's, they move the car's counter up to match the fob.
The resync logic assumes that as long as the counter value coming from the fob is higher than the car's, it can't be a replay. But this also means that codes captured before the resync occurred, codes the car never heard, would still be accepted.
Csikor said that this is the crux of the RollJam attack that debuted seven years ago from different researchers. Using low-cost hardware, a RollJam device captured a key fob button-press, then jammed the airwaves while capturing a second press. The second signal never reached the car, so its counter value was still fresh, and an attacker could replay it later to unlock the vehicle.
It turns out that the jamming step may not be necessary at all. Csikor explained that for some vehicles, an attacker only needs to replay a few previously captured, consecutive button-presses to "roll back" the car's counter. Once the counter has been rolled back, previously captured button-presses are accepted again, including presses the car had already acted on at the time they were captured.
Not only that, but the attack is repeatable. The attacker only has to replay the captured button-presses, at any point in the future, even after the car's owner has used the key fob repeatedly, and the car accepts the signals and unlocks. A video released after Black Hat showed replayed signals being used successfully more than 100 days after capture.
Csikor showed several videos of the attack in action. Instead of a custom RollJam device, he used a standard Lenovo ThinkPad attached to a HackRF software defined radio unit—which can cost hundreds of dollars. On screen, he captured five button-presses of a Kia key fob. The car can be seen responding to all of them. He then played back the first two, which were ignored, but the following three were accepted by the vehicle.
It gets better (or worse). Csikor said that since the team submitted their paper to Black Hat, they discovered that any run of consecutive button-presses rolls back the car's counter; the captured presses do not all have to be the same button. A mix of consecutive lock and unlock signals is enough for RollBack to work.
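To make the counter handling concrete, here is a small simulation, added as an editorial example and not code from Csikor's team or from any vehicle. It models a fob and a receiver with a rolling-code window and a resync rule, then runs the three scenarios above: plain replay, RollJam, and RollBack. The resync rule it uses, that the receiver silently adopts any counter value it hears in consecutive order twice, even a lower one, is an assumption chosen to reproduce the observed behaviour (first two replays ignored, the following three accepted); the real receivers are proprietary and the actual mechanism is not known. The `monotonic` flag, the window size of 16, and the scenario functions are likewise assumptions of this example, not findings from the talk.

```python
"""Toy rolling-code (RKE) model: replay, RollJam and RollBack scenarios.

Illustrative simulation written for this article. It is not the researchers'
code and does not reproduce any real vehicle's receiver logic.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

Message = Tuple[str, int]  # (button, rolling counter) as sent over the air


@dataclass
class Fob:
    """Key fob: every press advances the counter, whether or not the car hears it."""
    counter: int = 0

    def press(self, button: str) -> Message:
        self.counter += 1
        return (button, self.counter)


@dataclass
class Receiver:
    """Car-side receiver with a rolling-code window and a resync rule."""
    counter: int = 0
    window: int = 16          # assumed: how far ahead of the stored counter a press may be
    resync_needed: int = 2    # assumed: consecutive counters that trigger a resync
    monotonic: bool = False   # editorial hardening: never resync to a lower counter
    pending: List[int] = field(default_factory=list)

    def receive(self, msg: Message) -> bool:
        """Return True if the car acts on the message (lock/unlock)."""
        _button, ctr = msg
        # Normal case: counter is ahead of the stored value and inside the window.
        if self.counter < ctr <= self.counter + self.window:
            self.counter = ctr
            self.pending.clear()
            return True
        # Hardened variant: a counter at or below the stored one is never a resync.
        if self.monotonic and ctr <= self.counter:
            self.pending.clear()
            return False
        # Out-of-window value: collect consecutive counters as a resync candidate.
        if self.pending and ctr == self.pending[-1] + 1:
            self.pending.append(ctr)
        else:
            self.pending = [ctr]
        if len(self.pending) >= self.resync_needed:
            self.counter = ctr       # resync adopts the value, with no actuation (assumed)
            self.pending.clear()
        return False


def rollback(monotonic: bool, owner_presses_after_capture: int) -> List[bool]:
    """RollBack: five captured presses (a lock/unlock mix) are replayed later."""
    fob, car = Fob(), Receiver(monotonic=monotonic)
    captured = [fob.press(b) for b in ("lock", "unlock", "lock", "unlock", "unlock")]
    assert all(car.receive(m) for m in captured)      # car acted on all five at the time
    for _ in range(owner_presses_after_capture):       # owner keeps using the fob
        car.receive(fob.press("lock"))
    return [car.receive(m) for m in captured]          # attacker replays the recording


def rolljam(monotonic: bool) -> Tuple[bool, bool]:
    """RollJam: two presses are jammed and recorded; the first is replayed at once."""
    fob, car = Fob(), Receiver(monotonic=monotonic)
    car.receive(fob.press("lock"))     # car and fob start in sync
    jammed_a = fob.press("unlock")     # jammed and recorded; the car never hears it
    jammed_b = fob.press("unlock")     # owner tries again; also jammed and recorded
    opened_for_owner = car.receive(jammed_a)   # attacker replays A so the owner gets in
    return opened_for_owner, car.receive(jammed_b)  # B is still fresh for later use


def legitimate_resync(monotonic: bool) -> List[bool]:
    """Fob pressed 20 times out of range, then three presses in range."""
    fob, car = Fob(), Receiver(monotonic=monotonic)
    car.receive(fob.press("lock"))
    for _ in range(20):
        fob.press("lock")              # out of range: fob advances, car does not
    return [car.receive(fob.press("unlock")) for _ in range(3)]
```

With the default receiver, `rollback` returns `[False, False, True, True, True]` regardless of how many times the owner used the fob in between, which is the pattern seen in the Kia video. Setting `monotonic=True` rejects every replayed press while still allowing the legitimate out-of-range resync; it does not, however, stop RollJam, because the jammed codes carry counters the car has genuinely not seen yet. That residual gap is a freshness problem, which is why a timestamp alongside the rolling counter, as mentioned later in the article, is the kind of fix being discussed.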
The team will release a full list of the vehicles they tested, but not just yet. Of the 20 vehicles listed in Csikor's presentation, only six are not susceptible to the RollBack attack.
Of the three Hyundais the team looked at, only one fell to the RollBack attack. Two out of three Nissans tested were susceptible, but none of the four Toyotas evaluated were affected.
Within each car brand, the number of button-presses that needed to be captured was consistent, even across models and model years. Vulnerable Nissan, Kia, and Hyundai models required only two button-presses, while all vulnerable Hondas required five.
Csikor stressed that this isn't an issue that's limited to older vehicles. Cars as new as the 2020 model year and as old as 2009 are susceptible.
Hoon Wei Lim, the Director of Cyber Security R&D at NCS Group, said that the team reported their research to affected key fob manufacturers in April 2022, and to the Automotive Information Sharing and Analysis Center (Auto-ISAC) in May. All the affected automotive manufacturers have also been contacted and are investigating the issue.
Despite all their work, the researchers admit there is still a lot they didn't know. For instance, they only tested the vehicles they had access to in Southeast Asia. That's a fraction of all the cars on the road, so they're not sure how widespread the vulnerability is.
They also don't know why vehicles behave like this. The vehicle systems are proprietary, Csikor explained, and the team isn't in a position to tear apart a car to investigate. A possible clue came from Microchip, which makes rolling-code chips used in key fobs and publishes documentation of the process by which car owners pair a new key fob to their vehicle. Some of it matched the team's observations, but not all of it. Csikor also noted that the receiver in the car, not the key fob, is doing most of the work. That suggests it may be up to auto manufacturers to fix the problem.
As a result, the team isn't sure about what kind of solutions manufacturers can introduce. One possibility would be to use timestamps along with the rolling code system.
Until more is known, the best thing to do might be what Hoon Wei Lim did at the outset of the talk: Ask people not to hack his car.
Keep reading PCMag for the latest from Black Hat.