IoT Security Blog

Articles and Posts on IoT Security, Embedded Systems, and the Internet of Things

Cryptographic Security for Keyless Car Entry Systems – Not Gone in 60 Seconds

Recent news reports from sources including Insurance Journal, the National Insurance Crime Bureau and the TODAY Show have highlighted a critical security weakness in some cars and trucks equipped with keyless remotes and pushbutton ignitions. As demonstrated in the following TODAY Show video, thieves are using small, handheld devices that wirelessly replicate the signal of car key fobs to unlock and drive away vehicles in mere seconds.

Many keyless remote and ignition systems use symmetric (secret-key) encryption, where the key fob, entry system and ignition system all share the same master cryptographic key. This means that when a key fob is used to unlock the car doors, it sends a signal to the entry system using the shared key, and the doors unlock because the car “recognizes” that key. And the ignition system recognizes that key as well, enabling the car to be started. The devices shown in the TODAY Show video can rapidly identify this shared key, providing thieves with a fast and easy way to gain entry to targeted vehicles.

Cryptographic Security for Keyless Car Entry SystemsEven worse, thieves can potentially gain control of millions of cars and trucks because many leading auto manufacturers use the same master key for all vehicles within a particular model line. So once thieves have cracked the master key for a specific model, they can easily use their attack devices to gain entry to any car or truck of the same model.

According to a paper presented at the 25th USENIX Security Symposium in August of 2016, the majority of VW Group vehicles have been secured with only a few master cryptographic keys that have been used worldwide over a period of almost 20 years. The paper also notes that “according to VW Group, this problem has been addressed in the latest generation of vehicles, where individual cryptographic keys are used.” However, if this solution is symmetric, a security issue still exists because keys are typically stored in databases that are subject to hacking and other security risks.
The good news is, methods such as asymmetric (public-key) encryption can offer a stronger defense against key-fob spoofing. With asymmetric encryption, each security endpoint has a different private key that is used in combination with a mathematically-related public key to establish a shared “secret” key, ephemeral and unique to each session, that is used for encryption and decryption. This means that the security of the system is not compromised if the private key for one endpoint (e.g. a key fob) is hacked.

Auto manufacturers as well as manufacturers of consumer electronics and smart home gadgets should take note that as the media continues to report on security issues, consumers will begin to increasingly prefer, and eventually demand, products that are protected from theft and attack. The auto industry in particular is at risk for consumer backlash as security weaknesses have been reported for many years now.

SecureRF’s asymmetric cryptosystems can provide the security and authentication required to safeguard vehicle entry and ignition systems. Designed for constrained, low-resource IoT devices, they draw very little energy and have the short run times essential for consumer acceptance of any vehicle security protocol. Contact us to learn more.