| Tuesday May 31st 2016

Hacking Car Security Systems and Remote Keyless Entry (RKE)

Yet another hack for RKE? We, as the designers for secure systems, should keep developing our systems and protect the Achilles’ heel (security weakness) relatively.
The modern vehicles are equipped with various access control systems to prevent being stolen. The manufacturers promote many products such as immobilizer, RKE (Remote Keyless Entry), PKE (Passive Keyless Entry) for their cars. However, more and more car thieves still break into these advanced systems with their continuously improved hacking gears.

Threats and Attacks

There are different levels of attacking methods, either physical or logical (mathematical) ways. We are not going to involve too much discussion about cryptography, which is very boring for most visitors. And an open discussion for any existing Remote Keyless Entry (RKE) system will bring up more legal risks.

Interference for Remote Keyless Entry (RKE)

I read a newsflash about a group of series thieves, who have stolen various private cars with RKE (Remote Keyless Entry) interference units. They always wander in a car park. When the car drivers lock their cars with remote keys, they start the interference units and make the security system fail. Many drivers do not recognize that their cars are already in danger and just leave in that case. It is difficult to get them on site since the interference units are hidden well. This interference unit approach is used to attack the communication between the remote key and the RKE/ECU of the car. Most of RKEs employ OOK/ASK (such as MAXIM), which is very sensitive to the RF interference and easy to monitor.

RF Scanner

Another hacking approach is the RF scanner. The thief will scan all parking cars and try to open the cars with fixed or hopping codes in 10 m range. According to the report, the 3 billion hopping code can be tried in 10 minutes. If the Remote Keyless Entry (RKE) system under attack doesn’t use extra encryption and authentication algorithm, this traditional try and error approach is quite useful in hacking most of the RKE (Remote Keyless Entry) systems.

RF monitors & Session Playback

The most advanced hacking approach is using RF monitor and session playback. The thief can use RF monitor to scan the RF communication between the RKEs and the remote keys. Then they decode the ciphers and simulate or make a “valid” remote key with PC. This approach is based upon extensive arithmetical operations. I don’t know the detail of how to hack the algorithm, but I do know a simple fact: if the algorithm is in public and the last session is known, it is much easier to hack a one-way communication system. And Remote Keyless Entry systems are not the banking systems, they have not the limitation for trials. According to update report, the thieves who use the RF monitors can break into any high-end cars, including BMW, Benz, Bentley and etc. That is also a big reason why Microchip does not reveal the algorithm for its new KeeLoq products any more.

Possible Remedies

The biggest defect of most Remote Keyless Entry systems is plain communication on an open and insecure media: RF. The real reason is cost-driven and customer experience. However, such lagging thought should be abandoned in a fast growing world. Security should be the first consideration. Now the computers are cheaper and more powerful. We can find some alternative solutions accordingly to the make up the RKE systems.

Accordingly, the possible remedies for existing RKE systems include improved modulation under noise, mutual authentication, and encrypted communication with random seed.


Infrared could be a low cost alternative physical layer for the RF based RKE systems. The infrared system is difficult to monitor or copy because of its visibility and narrow communication angle. One Chinese graduate student released an infrared access control system with mutual authentication with a standard 89C51 microcontroller. Its communication speed is reduced on purpose. The successful communication still fast enough for authenticated users, but it is a nightmare for car hackers.

IEEE802.15.4 (Zigbee) & Bluetooth

There are two RF alternative solutions for RKE systems: IEEE802.15.4 and Bluetooth. These two technologies are low-cost solutions, which are very cheap and proven in the consumer market. They can bring more safe two-way RF communication with mutual authentication.

IEEE802.15.4 is well-known as Zigbee, which uses DSSS/BPSK and DSSS/O-QPSK modulation, which offers higher anti-interference capability. BTW, IEEE802.15.4 mentioned here does not refer to a RF system who has implemented full Zigbee stack. Most of the Zigbee suppliers also offer their proprietary protocols, which can be implemented in a small-footprint microcontroller, and it is more attractive for the car manufacturers. Technically, IEEE802.15.4 is a proper replacement for the existing RKE systems, because it has longer battery life-time and it can be permanently embedded into a remote key. The car makers can develop their own cryptographic algorithm or strong RSA authentication in the embedded microcontrollers, which always bring more flexibility and options in deployment.

The Bluetooth uses GFSK modulation with hopping frequency capability. However, Bluetooth may win the market because most of the mobile phones have Bluetooth modules. On the other hand, broader installation base may be the shortcoming as well. And someone does not appreciate the key pairing of Bluetooth. There are too many commercial considerations.

Nobody knows who can win. But I prefer IEEE802.15.4.

Theoretically, CDMA(Code Division Multiple Access) is the best solution for the RKE systems. It has PN code and spread frequency modulation, so the CDMA system can work in a noisy environment, is hard to monitor and track. However, we have to face the IP barrier and cost challenge. If a manufacturer promotes its CDMA Key RKE systems, I am interested to know who is supplying ICs for CDMA based RKE. Please give me some comments in case you know the IC manufacturer for CDMA key.

Finally, it is obvious that the existing RF based one-way RKE system is easy to attack and hack. (I do see the “two-way” RKE system. But the up-link is used to report the TPMS, rather than an authentication challenge). We can not see a quick change even so many cars are in danger. It is difficult to change the car makers minds.

Read More:

[phpbay]remote keyless, 5, “”, “”[/phpbay]

Related Posts: On this day...

Leave a Reply

You must be logged in to post a comment.