A group of COSIC researchers from KU Leuven in Belgium have demonstrated a new attack on the Passive Keyless Entry and Start (PKES) system that most modern cars use to unlock the doors and start the engine. Unlike the familiar relay attack, this one recovers the key itself. Passive keyless entry works automatically: the car detects when the paired key fob is in proximity and lets the owner in without pressing a button.
How thieves steal cars today: the relay attack
Most thieves who steal PKES vehicles use a relay attack: they forward the messages exchanged between the key fob and the car over a longer distance, so the car believes the fob is next to it. The drawback of this attack, from the thief’s point of view, is that it only works while the owner’s key is within range of the attacker’s relaying device; the key itself is never recovered.
“During normal operation, the car periodically advertises its identifier. The key will receive the car’s identifier; if it is the expected car identifier, the key fob will reply, signalling it is ready to receive a challenge,” reads a blog post written by the experts.
“In the next step, the car will transmit a random challenge to the key fob. The key fob computes a response and transmits it. After receiving the key fob’s response, the car must verify it before unlocking the doors. The same challenge-response protocol is repeated to start the car.”
What are the Security Weaknesses found by the Researchers?
The researchers found several weaknesses in this keyless entry system. Most of them stem from the absence of mutual authentication: the key fob checks only the 2-byte car identifier, which the car broadcasts in the clear, so anyone who has recorded that identifier can make the fob answer arbitrary challenges. Combined with a 40-bit key and a 24-bit response, this lets an attacker clone the key in four phases:
- Phase 0: the hacker records one wake frame periodically transmitted by the car to learn the 2-byte car identifier.
- Phase 1: the hacker can now impersonate the car and transmits two chosen 40-bit challenges to the key fob and records their respective 24-bit responses.
- Phase 2: using the two captured challenge-response pairs and a precomputed time-memory trade-off (TMTO) table, the attacker recovers the 40-bit key. The first pair selects the subset of keys that produce the observed 24-bit response, roughly 2^16 candidates out of 2^40; the second pair identifies the real key among those candidates.
- Phase 3: the adversary can now impersonate the key fob and thus unlock and start the car.
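The following scaled-down simulation, added here as an example and not code from the researchers or from Tesla, walks through the challenge-response protocol quoted above and the four attack phases. Everything about the real system that cannot be reproduced is replaced by a labelled assumption: the fob’s proprietary 40-bit cipher is replaced by HMAC-SHA256 truncated to a short response, the key is 16 bits and the response 12 bits (so the first pair leaves about 2^4 candidates instead of 2^16), and the attacker’s “TMTO table” is a full lookup table over the toy key space, which is the all-memory end of the trade-off. The `Car`, `Fob`, `build_table`, `recover_candidates`, `run_attack` and `demo` names are this example’s own.

```python
"""Scaled-down model of the PKES key-recovery attack (added example).

Assumptions (not properties of the real system):
  * fob_cipher is HMAC-SHA256 truncated to RESP_BITS, standing in for the
    fob's proprietary cipher;
  * KEY_BITS=16 / RESP_BITS=12 replace the real 40-bit key / 24-bit response,
    so the key space can be enumerated in a second;
  * the attacker's table is a full response->keys lookup table for one fixed
    chosen challenge, the memory-heavy extreme of a time-memory trade-off.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

KEY_BITS = 16
RESP_BITS = 12
CHAL_BITS = 40      # challenge length kept as described in the write-up
CAR_ID_BITS = 16    # the 2-byte car identifier


def fob_cipher(key: int, challenge: int) -> int:
    """Toy stand-in for the fob's response function (assumption, see above)."""
    mac = hmac.new(key.to_bytes(8, "big"), challenge.to_bytes(8, "big"),
                   hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") & ((1 << RESP_BITS) - 1)


class Car:
    def __init__(self, car_id: int, key: int):
        self.car_id, self.key, self._pending = car_id, key, None

    def wake_frame(self) -> int:
        """Periodic wake frame: the identifier is sent in the clear, unauthenticated."""
        return self.car_id

    def challenge(self) -> int:
        self._pending = secrets.randbits(CHAL_BITS)
        return self._pending

    def verify(self, response: int) -> bool:
        ok = self._pending is not None and fob_cipher(self.key, self._pending) == response
        self._pending = None
        return ok


class Fob:
    def __init__(self, car_id: int, key: int):
        self.car_id, self.key = car_id, key

    def respond(self, car_id: int, challenge: int):
        """The weakness: anyone quoting the right 2-byte id gets a response,
        because the fob never authenticates the car."""
        if car_id != self.car_id:
            return None
        return fob_cipher(self.key, challenge)


def build_table(c1: int) -> dict:
    """Attacker precomputation: response -> candidate keys for the chosen challenge c1."""
    table = defaultdict(list)
    for k in range(1 << KEY_BITS):
        table[fob_cipher(k, c1)].append(k)
    return table


def recover_candidates(fob: Fob, car_id: int, table: dict, c1: int, c2: int) -> list:
    """Phase 1: impersonate the car, collect two chosen pairs.
    Phase 2: the first pair selects ~2^(KEY_BITS-RESP_BITS) candidates, the
    second pair filters them."""
    r1 = fob.respond(car_id, c1)
    r2 = fob.respond(car_id, c2)
    if r1 is None or r2 is None:
        return []
    return [k for k in table[r1] if fob_cipher(k, c2) == r2]


def run_attack(car: Car, fob: Fob, c1: int, c2: int) -> dict:
    table = build_table(c1)          # computed once, offline, before approaching any car
    car_id = car.wake_frame()        # phase 0: passive, a single frame suffices
    candidates = recover_candidates(fob, car_id, table, c1, c2)
    for k in candidates:             # phase 3: impersonate the fob against the real car
        if car.verify(fob_cipher(k, car.challenge())):
            return {"candidates": len(candidates), "key": k, "unlocked": True}
    return {"candidates": len(candidates), "key": None, "unlocked": False}


def demo(key: int = 0xBEEF, car_id: int = 0x1A2B) -> dict:
    car, fob = Car(car_id, key), Fob(car_id, key)   # constructed sample car/fob pair
    return run_attack(car, fob, c1=0x0123456789, c2=0x9876543210)


if __name__ == "__main__":
    print(demo())
```

Two things the simulation makes concrete that the bullet list does not: the attacker never needs to be near the car once the identifier is known (phases 1 and 2 are run against the fob alone, for example in a coffee shop), and the car itself is the final oracle that rules out any stray candidate left after the second pair, which is why a handful of leftover candidates costs the attacker nothing.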
Tesla has already fixed the issues with the help of the research team. The researchers reported the flaw to Tesla in August, and the vendor has since rolled out a fix.
Tesla shipped upgraded cryptography for the key fobs and introduced an optional feature called “PIN to Drive,” which requires the driver to enter a PIN before the vehicle can be driven. The stronger key-fob cryptography removes the key-recovery attack; PIN to Drive adds a second factor, so a cloned or relayed key is no longer enough on its own to drive off with the car.