by hans | November 30, 2011 9:17 pm

Watch how a software developer, Brandon Fiquett, hacked his Apple iPhone 4S to get his phone to remotely start his Acura. Best of all, it was all done using the iPhone’s fancy Siri conversational voice command recognition feature. His hacked Siri now recognizes words like “Start my car”, “Lock my car”, “Pop my trunk” and will send out the necessary commands for those actions on his car. Fiquett’s Acura is equipped with a Viper SmartStart smart phone module that allows for remote locking / unlocking and starting the engine from a mobile phone.

Fiquett’s Siri hack is not meant to demonstrate vulnerabilities in the car’s security, as the instruction is sent from his own phone. But considering that malware targeting smart phones is starting to come to the attention of Internet security experts, it is not hard to make the connection between this proof of concept and applications with criminal intent.
An increasing number of cars these days are equipped with telematics and vehicle satellite tracking-recovery features that allow for remote locking / unlocking and even starting the vehicle’s engine. Some of these features run on regular mobile networks, allowing owners to remotely check / control their vehicles from their mobile phones. Smart keys / keyless entry allow users to unlock and start their car’s engine without even removing the keys from their pockets or handbags. But that same wireless access can be exploited by a skilled hacker with simple off-the-shelf hardware. Even simple Bluetooth connectivity is a potential point of entry for hackers.
One surprising discovery – security experts learned that hackers can plant malware into the vehicle simply by slotting a malware-loaded MP3 CD into the CD player. A complicit valet parking attendant can easily do that without arousing any suspicion. Users may also unknowingly infect their car by downloading an infected music file from P2P file sharing or Torrent networks and then playing that same file in their car. Researchers at the University of California discovered that by adding extra code to a digital music file and burning it onto a CD, they were able to plant a Trojan horse into the vehicle. When played on the car’s audio unit, the song file could alter the car audio unit’s firmware. In most cars, the audio unit is integrated with telematics and GPS navigation features, and in more advanced models, even the vehicle’s specs and engine condition can be transmitted. By now you can easily see where this will lead.
BMW’s ConnectedDrive feature, for example, has the ‘Teleservice’ function, which alerts drivers of the next service interval and sends the necessary vehicle technical details to BMW so technicians are able to allocate the necessary tools and replacement parts and reduce the customer’s waiting time. However, hackers could potentially exploit such telematics and remote diagnostic functions to learn which vehicle model and model year is located where, and potentially even unlock and start the car. They can do all this while sipping coffee at a nearby McDonald’s. Paying syndicate members to look out for specific models and finding a vulnerable target is so yesterday.
Vulnerability to car hacking is not limited to high-end cars with a lot of hi-tech features. Earlier this year, a team of computer security experts at iSec Partners demonstrated how they could hack into a 1998 Subaru Outback. Even when new, the Subaru Outback was far from being the byword of automotive technology. An Australian farmer’s tool is a more apt description. The team at iSec were able to unlock the Subaru’s doors and start the engine by just sending an SMS from a laptop. It only took them 2 hours to figure out how to intercept the wireless messages between the car and the mobile network and then recreate that same signal from their laptop. In the old days, a couple of suspicious-looking individuals hanging around a car would have raised suspicion. Now, the hacker can be sitting somewhere far away while working his way around the car’s security. The guys at iSec are what you would call ‘ethical hackers’ whose job is to test weaknesses in security systems. iSec presented their work, which they described as ‘war texting’, at a recent Black Hat conference but did not reveal the exact vehicle security products hacked. iSec will only reveal the details once a patch has been created.
The Swiss Federal Institute of Technology in Zurich has also demonstrated how the keyless entry feature can be exploited. In their research paper ‘Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars[1],’ the researchers in Zurich were able to exploit the wireless operating nature of keyless entry fobs by remotely unlocking a car and starting the engine, with the actual key placed up to 50 meters away from the car, non line-of-sight. The test was done with 10 car models from 8 manufacturers. In demonstrating the vulnerability, two makeshift antennas were used: one to capture the signal from the key fob, and another to relay the signal to the vehicle. In between these two points, the signal is amplified to compensate for long-range attenuation. A loop antenna placed near the car door will replicate the key fob and unlock the car. The same applies to starting the engine.

The Swiss researchers envisage the following scenario at a parking lot.
“In this scenario, the attackers can install their relay setup in an underground parking, placing one relay antenna close to the passage point (a corridor, a payment machine, an elevator). When the user parks and leaves his car, the Passive Keyless Entry System will lock the car. The user then exits the parking confident that his car is locked (feedback from the car is often provided to the owner with indicator lights or horn). Once the car is out of user’s sight, the attackers can place the second antenna to the door handle. The signals will now be relayed between the passage point and the car. When the car owner passes in front of this second antenna with his key in the pocket, the key will receive the signals from the car and will send the open command to the car. As this message is sent over UHF it will reach the car even if the car is within a hundred meters. The car will therefore unlock. Once that the attacker has access to the car, the signals from within the car are relayed and the key will now believe it is inside the car and emit the allow start message. The car can now be started and driven.”
They also added, “We tested a variant of this attack by placing a relay antenna close to a window to activate a key left inside a closed building (e.g., on a table). This is possible when the antenna–key range is large such as the 6 – 8 m achieved on some models. In such case, if the car is parked close to the building, the attacker is able to open and start it without entering the building.”
In other words, you may be sitting by the window of a restaurant, leaving your car keys in your pocket and all the hacker needs to do is to stand outside the window with an antenna to gain full access to your car.
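Why a relay defeats a keyless system that only checks the fob's answer, as an added Python model that is not code from the article or the Zurich paper: the relay forwards the radio messages unchanged, so a cryptographic challenge-response still verifies however far away the key is. The HMAC exchange, the timing figures and the round-trip time limit (a countermeasure the article does not describe) are assumptions made for illustration.

```python
import hashlib
import hmac
import os

C_M_PER_NS = 0.299792458    # speed of light in metres per nanosecond
FOB_PROCESSING_NS = 1000.0  # constructed value: fixed reply latency of the fob


class KeyFob:
    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


def radio_link(fob, distance_m, relay_delay_ns=0.0):
    """Path between car and fob. A relay never alters the bytes;
    it only adds distance and a little forwarding delay."""
    def exchange(challenge):
        rtt_ns = 2 * distance_m / C_M_PER_NS + FOB_PROCESSING_NS + relay_delay_ns
        return fob.respond(challenge), rtt_ns
    return exchange


class Car:
    def __init__(self, secret: bytes, max_range_m=None):
        self._secret = secret
        # Assumed countermeasure: refuse replies slower than max_range_m allows.
        self.max_rtt_ns = (None if max_range_m is None
                           else 2 * max_range_m / C_M_PER_NS + FOB_PROCESSING_NS)

    def try_unlock(self, link) -> str:
        challenge = os.urandom(16)  # fresh per attempt
        response, rtt_ns = link(challenge)
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return "reject: wrong key"
        if self.max_rtt_ns is not None and rtt_ns > self.max_rtt_ns:
            return "reject: reply too slow"
        return "unlock"


def demo():
    secret = os.urandom(32)
    fob = KeyFob(secret)
    nearby = radio_link(fob, 1.0)                         # owner at the door
    relayed = radio_link(fob, 50.0, relay_delay_ns=20.0)  # key 50 m away
    plain, bounded = Car(secret), Car(secret, max_range_m=2.0)
    return {("plain", "nearby"): plain.try_unlock(nearby),
            ("plain", "relayed"): plain.try_unlock(relayed),
            ("bounded", "nearby"): bounded.try_unlock(nearby),
            ("bounded", "relayed"): bounded.try_unlock(relayed)}
```

The car without a time limit unlocks in both cases because the relayed answer is a genuine answer from the genuine key; only the timing check tells the two situations apart.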
I guess the best security is complete removal of the steering wheel à la Mr. Bean and his Mini.
Source URL: http://www.motorindustry.org/2011/11/30/hackers-can-start-your-engine-unlock-your-car-from-a-phone/