7004 views|10 replies

2w

Posts

74

Resources
The OP
 

How can a car's keyless entry system be hacked? [Copy link]

 

This morning's news is shared with everyone to see if it is useful in design or to increase knowledge in life :

Keyless entry systems are a basic feature of most modern cars. The biggest advantage is convenience, as the vehicle detects the key and unlocks the car automatically. However, many people question the security of such systems. They believe that the convenience of keyless entry systems sometimes comes at a price: information security.

This article explains how hackers attack key fobs and the proactive security measures Synopsys recommends.

Over the years, security researchers have discovered many vulnerabilities in automotive systems. As a result, the demand for automotive cybersecurity has risen. A recent high-profile case is a series of vulnerabilities in the keyless entry system of the Tesla Model X in November 2020. The vulnerability was discovered by Lennert Wouters of the University of Leuven in Belgium.

Steps in a key fob attack

The operating steps of the Tesla Model X keyless entry system are shown in the figure. The numbers in the figure represent the steps. Please note that the target vehicle is locked and the target key card is away from the vehicle.

image.png

1. The attacker approaches the target vehicle, reads the vehicle identification number (VIN) through the windshield, and configures the emulated SE for the modified body controller module (BCM) in the attack device to use the target VIN

2. The attacker finds the target key fob and brings the attack device close to it and pretends to be the target vehicle, connecting via low frequency (LF) at a distance of about 5 meters. The attacker uses an identifier derived from the VIN to force the previously paired target key fob to appear connectable via Bluetooth Low Energy (BLE)

3. The attacker uses a Raspberry Pi to push a malicious firmware update to the target key fob via BLE to gain full control of the key fob. This update can be performed by using the over-the-air download service (OTA) on the target key fob at a distance of up to 30 meters.

4. After updating the target key fob, the attack device will reconnect via BLE. Since the key fob is running malicious firmware controlled by the attacker, which allows arbitrary Application Protocol Data Unit (APDU) commands to be sent to the SE in the target key fob, the attacker is able to extract many valid one-time unlock commands (e.g. unlock doors, trunk, etc.) from the SE in the smart key to the target vehicle.

5. The attacker approaches the target vehicle and uses a valid unlock command to unlock the target vehicle. The unlock command is sent from the Raspberry Pi to the target BCM via BLE

6. The attacker has physical access to the interior of the vehicle and can physically connect the attack device to the vehicle network through the diagnostic port located below the center display. The attack device connects to the target BCM via the Controller Area Network (CAN)

7. The attacking device instructs the target BCM to pair with the modified key fob. After passing the BCM challenge response verification, the modified key fob is added and the necessary credentials are stored in the emulated SE of the key fob

8. The attacker starts the vehicle using the newly paired key fob on the attack device, successfully passes the challenge-response authentication using the credentials previously stored in the emulated key fob SE, and then drives away with the target vehicle

Vulnerabilities/Flaws that Make Key Fobs Vulnerable

Such attacks are mainly caused by the following two vulnerabilities/flaws:

image.png

Although signature verification is performed on the key fob, due to the vulnerability, an attacker can update the key fob with malicious firmware via BLE. In addition, although a valid key fob usually stores the signature certificates received from the backend, these certificates are not verified by the vehicle BCM when paired with the key fob.

It is worth noting that the security researchers responsibly disclosed these issues to Tesla in August 2020. Tesla released an OTA patch in November 2020.

Use application security testing tools to address execution and design vulnerabilities/defects

In the first case, improper key card signature verification, this type of problem can usually be discovered using static application security testing, software composition analysis (identifying known vulnerabilities) and fuzz testing (detecting unknown vulnerabilities). In addition, penetration testing that focuses on high-risk areas, such as security-related functions and firmware updates, can also detect such vulnerabilities.

The second case is the lack of certificate verification in the pairing protocol design between the BCM and the key fob. These types of design issues can usually be identified through a security design review. In addition, a proper threat analysis and risk assessment must be performed on the target system to identify high-risk areas, which helps define appropriate security requirements and design corresponding security controls.

There are already many initiatives in the automotive industry to help improve cybersecurity, such as the ISO SAE 21434 cybersecurity engineering standard and UN Regulation 155 on cybersecurity and cybersecurity management systems.

Developing 100% secure automotive systems is not realistic, so automotive companies need to consider and deploy appropriate measures to enable OTA updates to patch newly discovered vulnerabilities in a timely manner.

This post is from Automotive Electronics
Add and join groups EEWorld service account EEWorld subscription account Automotive development circle

Latest reply

Dongfeng's car key is much longer than this one, about 1.5 meters long. The key in the picture is probably the Dongfanghong   Details Published on 2023-2-22 17:33
Personal signature

加油!在电子行业默默贡献自己的力量!:)


9720

Posts

24

Resources
2
 

Everything has loopholes. My car is in better condition. People with poor physical condition can't drive it away even if they crank the handle.

IMG_20210329_095526.jpg (0 Bytes, downloads: 0)

IMG_20210329_095526.jpg
This post is from Automotive Electronics

Comments

Awesome, a Dongfeng one? I want one too.  Details Published on 2021-3-30 11:25
Awesome, a Dongfeng one? I want one too.  Details Published on 2021-3-29 10:14
 
 

2w

Posts

74

Resources
3
 
littleshrimp posted on 2021-3-29 09:59 Everything has loopholes. My car is better. People with poor physique can't drive it even if they crank the handlebars.

Awesome, a Dongfeng one? I want one too.

This post is from Automotive Electronics
Add and join groups EEWorld service account EEWorld subscription account Automotive development circle

Comments

It should be the Dongfanghong small hand-held vehicle. It is indeed difficult to start, and it may not work even if it is started...  Details Published on 2023-2-22 17:33
It should be the Dongfanghong small hand-held vehicle. It is indeed difficult to start, and it may not work even if it is started...  Details Published on 2021-3-29 13:52
Personal signature

加油!在电子行业默默贡献自己的力量!:)

 
 
 

1w

Posts

142

Resources
4
 
soso posted on 2021-3-29 10:14 Awesome, Dongfeng? I want one too.

It should be the Dongfanghong small hand-held vehicle. It is indeed difficult to start, and it may not work even if it is started...

This post is from Automotive Electronics

Comments

Hahaha pretty cool  Details Published on 2021-3-29 14:08
Personal signature上传了一些书籍资料,也许有你想要的:https://download.eeworld.com.cn/user/chunyang
 
 
 

2w

Posts

74

Resources
5
 
chunyang posted on 2021-3-29 13:52 It should be the Dongfanghong small hand-held vehicle. It is indeed difficult to start, and it may not start even if it is started...

Hahaha pretty cool

This post is from Automotive Electronics
Add and join groups EEWorld service account EEWorld subscription account Automotive development circle
Personal signature

加油!在电子行业默默贡献自己的力量!:)

 
 
 

1582

Posts

0

Resources
6
 

Cybersecurity is very important in the automotive industry now

Since this standard was only introduced in the last one or two years, not many people know about it.

This post is from Automotive Electronics

Comments

I remember listening to Huang Yizhi's speech at Hunan University last year, in which he mentioned some concepts of automobile safety. I felt it was quite clear at the time: https://news.eeworld.com.cn/IoT/ic515130.html  Details Published on 2021-3-30 11:23
 
 
 

2w

Posts

74

Resources
7
 
se7ens published on 2021-3-30 09:52 Nowadays, network security is very important in the automotive industry. Since this standard was only introduced in the last one or two years, not many people know about it.

I remember listening to Huang Yizhi's speech at Hunan University last year, in which he mentioned some concepts of automobile safety. I felt it was quite clear at the time:

https://news.eeworld.com.cn/IoT/ic515130.html

This post is from Automotive Electronics
Add and join groups EEWorld service account EEWorld subscription account Automotive development circle
Personal signature

加油!在电子行业默默贡献自己的力量!:)

 
 
 

1412

Posts

3

Resources
8
 
Everything has its flaws. My car is in better shape. People with poor physiques can't even drive it away even if they crank the handlebars.
This car is awesome!
This post is from Automotive Electronics
 
 
 

19

Posts

1

Resources
9
 

I have not come across the anti-theft logic of other brands, but for the brands I am familiar with, the success rate of this kind of "brute force attack" is very, very low.

The logic for dealing with "brute force attacks" is:

If you receive an incorrect unlock code three times in a row, the system will be locked for 30 minutes (starting from the last error). If you continue to receive an error during this period, the lock will continue for another 30 minutes.

I have met players who don't understand the principle but are diligent and can't match the key in a whole day.

This is the case when there is a dedicated diagnostic instrument. Without dedicated diagnostic equipment, the difficulty level is even greater.

This post is from Automotive Electronics
 
 
 

435

Posts

0

Resources
10
 
soso posted on 2021-3-29 10:14 Awesome, Dongfeng? I want one too.

Dongfeng's car key is much longer than this one, about 1.5 meters long. The key in the picture is probably the Dongfanghong

This post is from Automotive Electronics

Comments

major  Details Published on 2023-2-22 18:14
 
 
 

2w

Posts

74

Resources
11
 
06010601 Published on 2023-2-22 17:33 Dongfeng's car key is much longer than this one, about 1.5 meters long. The key in the picture is probably Dongfanghong

major

This post is from Automotive Electronics
Add and join groups EEWorld service account EEWorld subscription account Automotive development circle
Personal signature

加油!在电子行业默默贡献自己的力量!:)

 
 
 

Guess Your Favourite
Just looking around
Find a datasheet?

EEWorld Datasheet Technical Support

EEWorld
subscription
account

EEWorld
service
account

Automotive
development
circle

Copyright © 2005-2024 EEWORLD.com.cn, Inc. All rights reserved 京B2-20211791 京ICP备10001474号-1 电信业务审批[2006]字第258号函 京公网安备 11010802033920号
快速回复 返回顶部 Return list