Hacking Cars The Easy Way
Do you have a keyless entry car? Probably, they’re quite common these days. Do you have a keyless start car? Maybe, maybe not. You have to agree though, pushbutton start is really cool. However, have you ever considered the security implications of being able to unlock and even start your car without physically presenting it with something you have?
When I was younger, I was fascinated by the remote control for my parents’ garage door. What really got me was that the one controller would not open other doors in the street, even other doors made by the same manufacturer. How was this so? As it turns out, old garage doors did suffer from the problem that doors of the same make and model could open each other with their respective remotes. They really did just choose the frequency and hope that two neighbours didn’t have the same door. Newer doors have what’s called a rotating or rolling code. Each remote has a particular mathematical process, with a state that is shared with the garage door. Each time the remote is pressed it sends a code to the garage door, and the garage door checks that the code is correct by running the same math that generated it on the remote. These codes appear to be random numbers, and they certainly look that way, but they are actually generated by a formula that wanders between numbers in a way an outsider cannot predict. The plus side is that if you have two machines following that formula, in this case the remote and the garage, both always know what the next apparently random number is going to be. The downside is that if an attacker ever figures out what this formula is, and what it is going to produce next, they can effectively create a third party to the exchange, or in this case a second “shadow” remote.
This sounds like a particularly tricky challenge: for each remote you need to crack a different formula, and then you have to figure out where in the infinitely long sequence of numbers the pair you are trying to compromise currently sits. It turns out that you don’t need to be this clever. You can just capture two codes. When a user tries to open the garage door you jam the signal, stopping them from opening the door, and record the code they tried to use. When the user then presses the button again (slightly annoyed their door did not open), you record that code, jam it again, and then send the first code that you recorded. The attacker can then use the second code to open the door once the user has left. Really dumb, but quite effective.
Opening garage doors is one thing, but we can do better. A well-known problem in OT technologies is that the companies involved have no idea how security works. They tend to use security “solutions” that have well-known flaws, and then make it essentially impossible to patch those flaws once they become known to users (and attackers) of the systems. An example here is the keyless entry systems of the cars I was talking about earlier: many of them use the rolling code system, exactly the same one that garage doors do, and so they are vulnerable to exactly the same problems. The obvious difference is that someone with your car’s code can open your car and steal it with impunity. If you’re a police officer and you see someone walk up to a car which straight up unlocks to let them in, you’re not going to think twice about it.
This week, a study from the University of Massachusetts Dartmouth used a small assortment of off-the-shelf tools to investigate the keyless systems in Honda car models. What they found was that even though this remote key system problem is known, and has been known since 2015 as a serious problem for car security, Honda has “solved” it by… going backwards. As it turns out, for most Honda keyless cars, both for unlocking and for keyless start, each key fob has a specific set of highly complex keys that it uses for each action. Each key fob is unique and can only unlock and start one car. Pretty neat, right? Now you have to steal the key fob to get into the car, right? Sadly, no. The same keys are used for each action every time you do it. So any hacker kid with a radio and a recorder can record the keys required to both unlock and start your Honda car. Once they know these keys, it is impossible for you to change them, or patch your car or key fob, and therefore your car is no longer secure. This is even worse than the rolling code problem, because in that case even if an attacker has stolen one of your codes, eventually (and actually reasonably soon) it will no longer be valid, as your remote will use that code to open your car (very likely the very next time you try to unlock it). This vulnerability affects all Honda Civics made in 2016 through 2020. So if you have one of those, just be aware that your car’s remote system is basically there for convenience; it doesn’t actually keep your car safe. It is also very likely that other Hondas are affected in the same way, and currently there’s no way to tell which cars by which manufacturers are affected by these kinds of vulnerabilities beyond trying to hack them. Kinda makes you want to use the key again, doesn’t it? At least they have to steal that, or go back to hotwiring.
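To make the difference between the two schemes concrete, here is a small simulation added for this article; it is not code from the study, from Honda or from any garage door maker. The code generator is a keyed hash over a press counter, used as a stand-in for whatever proprietary formula a real remote uses, and the shared key, the 16-press acceptance window and the fixed code are constructed values. It models a fixed-code receiver next to a rolling-code receiver and shows what each does with a code it has already seen.

```python
import hmac
import hashlib

# Constructed sample values: one remote/receiver pair's shared secret and the
# static code of a fixed-code system. Neither is a real fob or door value.
SHARED_KEY = b"constructed-demo-key-not-a-real-fob-secret"
FIXED_CODE = bytes.fromhex("0a1b2c3d")
WINDOW = 16  # how many unseen presses the rolling receiver tolerates


def rolling_code(key: bytes, counter: int) -> bytes:
    """Code for a given press counter.

    A keyed hash looks random to an observer but is reproducible by anyone
    holding the shared key, which is the property the article describes.
    This is a modelled scheme, not the algorithm any real product uses.
    """
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class FixedCodeReceiver:
    """Static-code door or car: one code, valid forever."""

    def __init__(self, code: bytes):
        self.code = code

    def unlock(self, code: bytes) -> bool:
        return hmac.compare_digest(code, self.code)


class RollingCodeReceiver:
    """Rolling-code door or car: accepts only unseen counters ahead of the last one."""

    def __init__(self, key: bytes, window: int = WINDOW):
        self.key = key
        self.window = window
        self.last_counter = 0  # highest counter accepted so far

    def unlock(self, code: bytes) -> bool:
        # Try each counter in the forward window; a counter at or below the
        # last accepted one is never tried again, so a replay fails.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(code, rolling_code(self.key, c)):
                self.last_counter = c
                return True
        return False


class Remote:
    """Rolling-code remote: shares the key and advances its counter per press."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        return rolling_code(self.key, self.counter)


def demo_replay():
    """Return (fixed_accepts_replay, rolling_accepts_replay,
               rolling_accepts_in_window, rolling_accepts_out_of_window)."""
    # Fixed code: the recorded code works a second time, and every time after.
    fixed = FixedCodeReceiver(FIXED_CODE)
    fixed.unlock(FIXED_CODE)
    fixed_replay = fixed.unlock(FIXED_CODE)

    # Rolling code: the recorded code is dead once the receiver has used it.
    remote = Remote(SHARED_KEY)
    car = RollingCodeReceiver(SHARED_KEY)
    first = remote.press()
    car.unlock(first)
    rolling_replay = car.unlock(first)

    # Presses the car never heard (out of range) are fine within the window...
    for _ in range(5):
        remote.press()
    in_window = car.unlock(remote.press())  # counter 7, window covers 2..17

    # ...but too many missed presses leave the remote desynchronised.
    for _ in range(20):
        remote.press()
    out_of_window = car.unlock(remote.press())  # counter 28, window covers 8..23

    return fixed_replay, rolling_replay, in_window, out_of_window


if __name__ == "__main__":
    print(demo_replay())
```

The two receivers differ only in the replay check: the fixed one has nothing to compare against except the code itself, so whoever records it once holds it for the life of the car, which is the situation the article describes for the affected Civics. The rolling one throws the code away the moment it is used, so a recorded code is only useful for as long as the owner has not pressed the button again; the finite window is what lets the remote catch up after presses the car never heard, and it is also why a code that was recorded but never reached the car stays valid until the counter moves past it.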
These sorts of really dumb security problems are ubiquitous in OT security. If you have OT systems in your network, you’re likely dealing with a ticking time bomb. You have no idea which systems have these sorts of vulnerabilities, and just like the Hondas, once you find out you can’t just fix them. In many cases you can’t patch them like you can your computer. Maintaining visibility of the actions of your OT systems is important to early detection and mitigation of the threats that these poorly secured systems pose. Firebug is particularly good at observing the convergence point between IT and OT. Firebug can help ensure that people already on your network aren’t doing things they shouldn’t be in the OT space, and also make sure your OT systems haven’t become a backdoor into your IT network. Have a chat with us today if you’d like to get some visibility over what your OT stuff is doing.