Keyless car entry and start systems make it easy to get on the road, but they could also make it easier for criminals to take off with your car. And strong encryption won't solve the problem.
Armed with antennas, researchers at ETH Zurich in Switzerland were able to trick 10 models from 8 manufacturers into thinking the car key fob was within proximity and drive away with these "stolen" vehicles. No scratched doors, no broken glass, and no busted ignitions--it's a hack that's anything but.
Vehicles equipped with keyless entry systems emit a low-level signal that can only be detected by a key fob paired with the vehicle. When the fob is close enough to the vehicle to detect the signal (typically 20 feet), it automatically issues a command to unlock the doors and enable the push-button ignition. The key fob codes are encrypted, but that's irrelevant. Researchers found that antennas can work as repeaters to trick the vehicle system into thinking the fob is right outside the door.
The heist as performed by the researchers requires two antennas: one within 26 feet of the key fob and another near the vehicle. The antenna near the key fob receives the signals and relays them to the other antenna near the vehicle.
If you parked your car and then sat down for dinner at a restaurant, a thief could place the antenna a few feet away from you and they'd have an hour or so to make the car disappear. The only way to protect against this kind of theft is to shield the key fob so that its signal can't be detected. But if you fumble around with a key guard of some sort to get in the car, you may as well just use an old fashioned key.
This kind of dilemma is bound to be more common as cars become increasingly computerized and more vehicles can be controlled by mobile phone apps. A few months ago, researchers from the University of South Carolina and Rutgers University demonstrated how two popular tire pressure monitoring systems could be easily hacked, while researchers from the University of Washington demonstrated how to steal cars using laptops, although that boost required access to a car's internal port.
These vulnerabilities should give manufacturers pause before they add another convenience feature to vehicles. Or at least they should start thinking more like criminals.
Source: MIT Technology Review