Watch This Wireless Hack Pop a Car's Locks in Minutes


Shims and coat hangers are the clumsy tools of last century's car burglars. Modern-day thieves, if they're as clever as Silvio Cesare, may be able to unlock your vehicle’s door without even touching it.

As part of a talk on the insecurity of wireless devices at the Black Hat security conference later this week, Cesare plans to reveal a technique that could allow anyone to spoof the signal from a wireless key fob and unlock a car with no physical trace, using a codebreaking attack that takes as little as a few minutes to perform. “I can use this to lock, unlock, open the trunk,” says Cesare, an Australian researcher for the security firm Qualys. “It effectively defeats the security of the keyless entry.”

For now, Cesare's hack requires off-the-shelf tools that cost just over $1,000, and in some cases may require the attacker to remain within wireless range of the car for as long as two hours. He's also only tested it on his own car, which is ten years old.

But the radio equipment Cesare used in his research and proof-of-concept attack is rapidly getting cheaper, potentially inviting less friendly hackers to refine his technique and seek out similar wireless vulnerabilities. Cesare's method was straightforward enough that he suspects some variant of it would likely work on other automobiles, too, at least of the same era. Carmakers, he points out, tend to use commercially available key fob technology that might be common among many makes and models. Manufacturers of the devices include the companies Atmel and TRW, for instance.

In the meantime, he won’t identify the car he tested, and he asked WIRED not to name it either, though he gave permission to publish the video that shows it below. He’s still communicating with the Australian chapter of the Computer Emergency Response Team (CERT), which is working to alert the manufacturer. “It’s a very popular car,” Cesare hints. “From my driveway, I can see two of the same model.”

Cesare’s hack uses a tool known as a software-defined radio, a device that can digitally emit or pick up a wide band of frequencies from FM to Bluetooth to Wi-Fi. With that super-versatile transmitter attached to his laptop, along with a cheap antenna and amplifier, he was able to transmit on the same frequency as the key fob. He then used that frequency to perform a “brute force” attack, cycling through thousands of code guesses at a rate of two to three a second until he found the one that successfully unlocked the car. In the video below, he shows the trick working in just minutes.

Because the car and key fob use a rolling code that changes with each use, however, the trick takes varying amounts of time, in some cases as long as two hours. Even then, a hacker would only need to find the car when it’s left unguarded for an extended period, Cesare notes. “If someone’s parked their car in a garage overnight, something like this is definitely plausible,” he says. The only sign that the car had been wirelessly unlocked, says Cesare, is that the owner's key fob doesn't work on the next use, and takes two or three button presses to again sync up with the car's locking system.

During his testing, Cesare also was surprised to note that the car opened with the same code multiple times. That implies, he says, that the car may have a manufacturer-created backdoor that doesn't change between unlockings, and could allow it to be opened on the first try once found. After using that instant-open code dozens of times, however, Cesare says it suddenly stopped working; he's still trying to determine just how extensive the backdoor may be among cars of his make and model and whether it might be possible to use it consistently.

For either attack, the brute-force or what Cesare calls the backdoor, there's one more requirement. The attacker must first identify a portion of the unlocking code that's different for every vehicle. That means the hacker would need to eavesdrop on one lock or unlock command sent from the victim's key fob to pick up the car's unique code before issuing his or her own spoofed unlock command, though that eavesdropping could occur months or even years before the unlocking attack.

Cesare suggests that limitation could serve as a form of band-aid protection: Anyone concerned about wireless car burglars could avoid using the fob in public. He suggests manually locking the car in any instance when an eavesdropper might be able to pick up the fob's signal.

But he admits that kind of paranoia is hardly a satisfying fix. In fact it would often trigger the "panic" alarm for many modern cars. Ultimately, Cesare says it may be too late to protect the vulnerable generation of cars he's discovered, and he intends his findings to instead serve as a warning to automakers for future models. For that reason he's declined to make his code or tools available to the public for fear of enabling less technically-skilled thieves. "Criminals could hire researchers to replicate this attack," he says. "But they won't be getting it from me."

Cesare isn't the first to wirelessly break into cars. Three years ago Swiss researchers found they could break into and even start cars wirelessly by triggering an unsuspecting victim's key fob and reproducing the signal with their own antenna in what's known as a "replay" attack. But Cesare believes his attack is the first to actually break the encryption of a car's wireless unlocking mechanism since Israeli and Belgian researchers cracked the widely-used KeeLoq wireless entry cipher seven years ago.

To find the cryptographic vulnerability he exploited, Cesare developed an ingenious hack in its own right: He built a small robot to push his key fob's button thousands of times and listened to the radio codes it transmitted. That automated button-mashing solenoid, shown in the video below, allowed Cesare to assemble enough data to find patterns in the seemingly-random numbers, cutting the number of possible unlock codes from around 43 million to around 12,500.
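The figures quoted above (a code space cut from about 43 million to about 12,500, guessed at two to three codes a second) can be worked through to show why the reduction matters and what a receiver-side throttle would change. This is an added illustration, not code from Cesare or from the article; the lockout policy and all its parameters are hypothetical assumptions, not a description of any real car.

```python
import math

# Figures quoted in the article.
FULL_KEYSPACE = 43_000_000   # "around 43 million" possible codes
REDUCED_KEYSPACE = 12_500    # "around 12,500" after pattern analysis
GUESS_RATES = (2.0, 3.0)     # "two to three a second"


def effective_bits(keyspace):
    """Entropy in bits of a code space that must be guessed uniformly."""
    return math.log2(keyspace)


def exhaust_seconds(keyspace, guesses_per_sec):
    """Worst-case time to try every code when the receiver never throttles."""
    return keyspace / guesses_per_sec


def guesses_allowed(window_sec, guesses_per_sec, free_tries=5,
                    base_lockout=1.0, max_lockout=60.0):
    """Count invalid frames a throttled receiver evaluates within window_sec.

    Hypothetical policy (an assumption, not from the article): the first
    `free_tries` invalid frames are evaluated at line rate; each later
    invalid frame is followed by a lockout that doubles up to `max_lockout`.
    """
    elapsed, count, lockout = 0.0, 0, base_lockout
    per_guess = 1.0 / guesses_per_sec
    while elapsed + per_guess <= window_sec:
        elapsed += per_guess
        count += 1
        if count > free_tries:
            elapsed += lockout
            lockout = min(lockout * 2, max_lockout)
    return count


def coverage(keyspace, window_sec, guesses_per_sec, **policy):
    """Fraction of the code space that can be tried within the window."""
    tried = guesses_allowed(window_sec, guesses_per_sec, **policy)
    return min(1.0, tried / keyspace)


if __name__ == "__main__":
    for rate in GUESS_RATES:
        print(f"{rate}/s: reduced space {exhaust_seconds(REDUCED_KEYSPACE, rate) / 60:.0f} min, "
              f"full space {exhaust_seconds(FULL_KEYSPACE, rate) / 86400:.0f} days")
    print(f"entropy: {effective_bits(FULL_KEYSPACE):.1f} -> {effective_bits(REDUCED_KEYSPACE):.1f} bits")
    print(f"8 h coverage with throttle: {coverage(REDUCED_KEYSPACE, 8 * 3600, 2.0):.1%}")
```

Without throttling, the reduced space is exhausted in roughly 70 to 104 minutes, consistent with the "as long as two hours" figure, while the full space would take months; under the assumed lockout, an eight-hour window covers under 4 percent of the reduced space.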

Not every hacker will go to the lengths of creating a button-pushing robot for his or her code-breaking research. And Cesare's attack on a single, decade-old car has plenty of limitations. But as software-defined radios become cheaper and more accessible, he says the security community would be wise to expect more wireless vulnerabilities to be exposed. He used a thousand-dollar radio called a USRP for his work. But newer models like the HackRF cost less than half that price, and similarly allow hackers to spoof practically any wireless signal they can identify. "This is a new hacking playground for the world," says Cesare. "Lots of devices can now be modified, impersonated and eavesdropped. And we're going to see more security problems revealed as a result."