INTRODUCTION
In the 1990s, the government put pressure on car manufacturers to improve the security of vehicles. Thieves could steal cars very easily by hotwiring, making a copy of the key, or by other means. The first use of cryptography in cars was the placement of immobilizer chips based on RFID technology in key fobs. The first immobilizer alarm system was invented and patented in 1919 by St. George Evans and Edward Birkenbeuel. Many car manufacturers started producing cars with immobilizer chips in 1995. Immobilizers have been mandatory in all new cars sold in Germany since January 1, 1998 and in Canada since January 2007. After the installation of immobilizers, there was a great decline in car theft. As car manufacturers install more technology and software into the car for security and convenience, thieves learn how to exploit weaknesses in the technology, so vehicles can be stolen without the key.
TO THE COMMUNITY
I have written this paper to make the community aware of vehicle security risks. Technology has enabled so many valuable conveniences and safety features in vehicles, which have also provided many weaknesses to be exploited. Most people think their belongings and vehicle are safe when they hit the lock button on their key. Unfortunately, we make assumptions about the technology we use, which often aren’t true. I have outlined some of the attacks that can be carried out to unlock or even start vehicles without possession of the key. According to an article written in October in The Telegraph, “Three Quarters of Cars Stolen in France ‘electronically hacked’”. This means that car thieves are learning how to exploit the car manufacturers' weaknesses very quickly. There is very inexpensive equipment, such as the HackRF and RollJam, that is produced to aid attackers. As a consumer, you should be aware and know how to best protect yourself and your belongings by reviewing the countermeasures in this paper. When buying a new car, look into the car's security features and check if the systems have been exploited by hackers. Some car manufacturers and models have more security risks than others.
RFID
RFID (Radio-Frequency IDentification) is a general term for small, wireless devices that emit unique identifiers upon interrogation by RFID readers. RFID devices are mostly used in commercial supply chains, where they are known as EPC (Electronic Product Code) tags. Large companies use them to provide identification but not digital authentication. The term RFID doesn't just denote EPC tags, but a wide spectrum of wireless devices of varying capabilities. Higher-end RFID devices can offer cryptographic functionality and can support authentication protocols.
Vehicle immobilizers are a type of RFID device that did not originally provide cryptographic security, but now exclusively have that functionality. “Immobilizers deter vehicle theft by interrogating an RFID transponder embedded in the ignition key as a condition of enabling the fuel-injection system of the vehicle”. Without the RFID signal, the engine will not start even if the thief has a copy of the key (without the immobilizer). This device has been credited with significant reductions in car theft.
TYPES OF CAR KEYS
PHYSICAL KEYS
According to a Popular Science article, the key was introduced to cars in 1949 by the Chrysler Corporation as an ignition key to start vehicles. Previously, cars were started with 2 separate buttons, a starter and an ignition button, as seen in the picture. Aside from the convenience to the driver, the key was used to prevent children from starting a vehicle.
Although the key added some security, vehicles were easily hot-wired and stolen. Also, metallic keys were easily duplicated, giving an attacker who had previous contact with the key access to the vehicle.
PHYSICAL KEYS WITH IMMOBILIZERS
A key with an immobilizer has a metal key and an immobilizer (RFID transponder) embedded in the plastic part of the key. The immobilizer communicates with the steering column to enable the fuel injection system. The immobilizer is a passive device that uses electromagnetic induction from the interrogation signal transmitted by the reader. This system was created to prevent car thefts such as hot wiring, because the car won’t start unless the RFID chip has authenticated successfully.
There are two types of immobilizers: Electronic and Cryptographic. Electronic immobilizers were the first generation, which used static signature type transponders. Although they lacked cryptography, they decreased car theft dramatically, see Figure X. The next generation of immobilizers uses cryptographic protocols to prevent attackers from copying the electronic immobilizer with ease.
REMOTE KEYLESS ENTRY SYSTEMS (RKE)
The Remote Keyless Entry System (RKE) sends radio waves to the vehicle to lock and unlock doors, open the trunk, or disarm the car alarm system. Older models used the infrared band, but newer ones use radio waves. RKE systems typically run at 315 MHz for North America and 433.92 MHz for Europe and Asia, and the transmission range is between 10 and 100 meters. The device has a power source and sends signals to the receiver in the vehicle, which means this is an active system. The 1982 Renault Fuego was the first car to use a central locking system.
A typical RKE system (Figure 5) includes a microcontroller in the key or key fob. To unlock the car, you press a pushbutton in the key that wakes up the microcontroller, which then sends a stream of 64 or 128 bits to the key’s RF transmitter, where it modulates the carrier and is radiated through a simple printed-circuit loop antenna. A loop antenna is inefficient but is inexpensive to produce and is widely used.
In the vehicle, an RF receiver captures that data and directs it to another microcontroller, which decodes the data and sends an appropriate message to start the engine or open the door. The digital data stream, transmitted at between 2.4 kbps and 20 kbps, usually consists of a data preamble, a common code, some check bits and a “rolling code” which changes with each use to ensure the vehicle's security. This prevents an attacker from capturing the signal once and being able to repeatedly gain entry.
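The receiver-side check that makes a captured frame useless the second time, as an added example that is not from the original paper or from any manufacturer. It assumes a 128-bit frame laid out as preamble, common code, counter, truncated HMAC-SHA-256 tag and one check byte; the HMAC stands in for whatever cipher a real fob uses, and the names `Fob`, `Receiver`, `WINDOW` and all key values are constructed for illustration.

```python
import hashlib, hmac, struct

PREAMBLE = b"\xaa\xaa"  # constructed sync pattern
WINDOW = 16             # assumed tolerance for presses made out of range

def tag(key, common, counter):
    """Rolling code: truncated HMAC over the common code and counter."""
    msg = common + struct.pack(">I", counter)
    return hmac.new(key, msg, hashlib.sha256).digest()[:5]

def check_bits(body):
    return bytes([sum(body) % 256])  # one additive check byte

class Fob:
    def __init__(self, key, common):
        self.key, self.common, self.counter = key, common, 0

    def press(self):
        self.counter += 1
        body = (PREAMBLE + self.common + struct.pack(">I", self.counter)
                + tag(self.key, self.common, self.counter))
        return body + check_bits(body)  # 2+4+4+5+1 bytes = 128 bits

class Receiver:
    def __init__(self, key, common):
        self.key, self.common, self.last = key, common, 0

    def accept(self, frame):
        if len(frame) != 16 or frame[:2] != PREAMBLE:
            return "malformed"
        body = frame[:-1]
        if check_bits(body) != frame[-1:]:
            return "bad check bits"
        common, counter = body[2:6], struct.unpack(">I", body[6:10])[0]
        if common != self.common:
            return "unknown fob"
        if not hmac.compare_digest(body[10:], tag(self.key, common, counter)):
            return "bad rolling code"
        if not self.last < counter <= self.last + WINDOW:
            return "replayed or out of window"
        self.last = counter  # advance only after every check has passed
        return "unlock"

def demo():
    key, common = b"constructed-shared-key", b"\x00\x00\x12\x34"
    fob, car = Fob(key, common), Receiver(key, common)
    first = fob.press()
    fob.press(); fob.press()  # pressed out of range, never received
    return [car.accept(first), car.accept(first), car.accept(fob.press())]
```

The look-ahead window is what lets the fob and receiver resynchronize after button presses the car never heard, while any counter at or below the last accepted one is refused.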
REMOTE KEYLESS IGNITION SYSTEMS (RKI)
Remote Keyless Ignition Systems (RKI), also called Passive Keyless Entry and Start Systems (PKES) or Smart Key, are devices that have the capabilities of an RKE but also do not require a metal key to start the car. Doors are usually unlocked without pressing any button on the key (many cars with RKI systems allow the car owner to have the key in their pocket and touch a sensor on the door handle). Some cars require that the key fob be placed in the ignition slot, while others just require it to be inside the car to start the ignition.
The “automatic” car unlocking or ignition can be a security risk because an attacker may be able to steal the car when the car owner is nearby (e.g. filling up fuel or loading the trunk). The normal mode for the key uses two channels. When the key comes into close proximity to the car, the car communicates with the key over an inductively coupled LF channel (120-135 kHz, within a 1 – 2 meter vicinity), and the key replies on the second, UHF channel (315-433 MHz), which works even at a distance of 50 – 100 meters. The car first periodically sends LF signals until the key sends its proximity acknowledgment UHF signal; then the car sends its ID number along with the challenge via LF signal, and finally, the key sends its response via the UHF signal. Battery depleted mode uses the passive component on the key and works in both directions. The passive component must be near the RFID reader and a metallic key must be used in the key fob to start the car.
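The LF/UHF exchange described above, together with the earlier distinction between static-signature and cryptographic immobilizers, as an added example that is not from the original paper. It assumes the response is a truncated HMAC-SHA-256 over the car's ID and the challenge, which stands in for whatever algorithm a real system uses; the class names, `CAR-0001` and the secret are constructed.

```python
import hashlib, hmac, secrets

def mac(secret, car_id, challenge):
    """Response the car expects: truncated HMAC over its ID and the challenge."""
    return hmac.new(secret, car_id + challenge, hashlib.sha256).digest()[:8]

class CryptoKey:
    """Cryptographic transponder: the reply depends on the challenge."""
    def __init__(self, secret):
        self.secret = secret

    def respond(self, car_id, challenge):
        return mac(self.secret, car_id, challenge)

class StaticKey:
    """Static-signature transponder: the same bytes on every interrogation."""
    def __init__(self, signature):
        self.signature = signature

    def respond(self, car_id, challenge):
        return self.signature

class Car:
    def __init__(self, car_id, secret):
        self.car_id, self.secret, self.trace = car_id, secret, []

    def attempt(self, key):
        """One exchange; trace records (channel, sender, message) in order."""
        self.trace = [("LF", "car", "wake"), ("UHF", "key", "ack")]
        challenge = secrets.token_bytes(8)  # fresh for every attempt
        self.trace.append(("LF", "car", self.car_id + challenge))
        response = key.respond(self.car_id, challenge)
        self.trace.append(("UHF", "key", response))
        return hmac.compare_digest(response, mac(self.secret, self.car_id, challenge))

def demo():
    secret, car_id = b"constructed-secret", b"CAR-0001"  # constructed values
    car = Car(car_id, secret)
    genuine = car.attempt(CryptoKey(secret))
    first_reply = car.trace[-1][2]
    # The first reply, sent again unchanged, is what a static transponder does.
    stale = car.attempt(StaticKey(first_reply))
    return genuine, stale, [(ch, who) for ch, who, _ in car.trace]
```

Because the challenge is fresh on every attempt, a fixed reply only verifies against the one challenge it was computed for, which is the property the first-generation static transponders lacked.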