Prevention of Car Door Hacking: Mechanical and Electronic Techniques

Asaad AlHarthy
HakTrak Cybersecurity Squad
10 min read · Feb 6, 2024

This write-up is a part of HakTrak Cybersecurity Squad’s research activity.

In the name of Allah, the Most Gracious, the Most Merciful

1. Introduction

In today’s era, it is undeniable that cars have “evolved” from simple modes of transportation into something much more closely tied to people’s lives. Cars originally intended solely for travel have turned into a second home, a mobile office, and even a safe deposit box for sensitive documents and valuables such as gadgets. Car manufacturers have welcomed this change in how users see their cars and keep trying to make them more user-friendly, for example by introducing conveniences such as keyless engine ignition and door opening.

However, these cultural shifts in car use and the arrival of new technologies indirectly create new risks: theft of valuables from inside the car, or of the car itself. According to MotorIllustrated, reported incidents of automotive hacking in the United States rose by 138% between 2018 and 2019.

In this article we discuss the common techniques of automotive hacking that specifically target the car door (“car door hacking”), and of course the corresponding preventive measures that can be taken.

2. Basic Methodology

Car door hacking can be broadly divided into two categories:

  • Mechanical hacking (such as lock picking and key duplication) targets the physical components of the car and requires skillful manipulation of the lock mechanism. Although it is the more traditional approach, it remains a significant threat because of the mechanical weaknesses in many car locks.
  • Electronic hacking uses techniques such as signal jamming and replay attacks against the car’s wireless communication systems. Tools such as HackRF One and Flipper Zero are frequently used in these attacks, reflecting the growing sophistication of electronic car hacking.

Some Methodologies of Car Door Hacking

Note that mechanical hacking relies on physical interaction and traditional methods, whereas electronic hacking relies on sophisticated tools. Whatever the method, both pose distinct threats, each with its own approach and its own set of risks (explained in the next section).

2.1. Mechanical Hacking

2.1.1. Lock Picking
Picking a car door lock differs little from picking any other lock. Lock picking is a method of opening a lock without its “legitimate physical key”: the picker uses specialized tools such as a tension wrench to manipulate the components inside the lock and gain unauthorized access.

CY24 Lock Pick Set

Applied to car door hacking, this means the picker tries to manipulate the components inside the car door lock without the official key. Car door locks, however, normally use more complex, double-sided keys.

Note: In practice, car manufacturers have added security measures to prevent theft by lock picking (such as alarms, especially in cars with keyless technology). Whatever precautions are in place, they shape how an attacker approaches picking a car door lock.

2.1.2. Key Duplication
We are all familiar with key duplication in everyday life. From a security perspective, this method generally exploits the car owner’s carelessness: an attacker obtains the key for a short period, duplicates it, and may later steal items from inside the car, or the car itself.

What we want to emphasize here, however, is key duplication based on information from photos, especially the photos that many users post on social media. Sharing images of keys on social media carries its own risk.

“Physical Key” Profiling from Photos

These photos can give an attacker enough information to understand the key profile, which can then be used to create a duplicate key without ever having physical access to the original.

Sizing the Physical Key

With image recognition technology and 3D modeling software, an attacker can produce a counterfeit car key from the obtained images, using details in the photos to estimate the shape and size of the key pattern. With this information they can create a duplicate accurate enough to unlock the car door or even start the engine.

2.1.3. Others
There are several other methods classified as mechanical hacking, some of which use a pump or an air wedge.

Car Door Hacking with Air-Wedge / Pump Tools

In this context, attackers may first try to disconnect the car’s battery so that the alarm does not trigger when the car door is subjected to strong force.

2.2. Electronic Hacking with Radio Hacking

In the 1960s, convenience for car users improved markedly when Ford introduced adaptable keys (specifically in 1965). These keys were double-sided and could be inserted into the ignition in either orientation, simplifying the user experience.

A notable advance in car key technology came in the 1990s with the introduction of key fobs. A key fob contains a small radio transmitter or radio frequency identification (RFID) chip together with an antenna. It uses radio frequencies to send a unique coded signal to a receiver unit in the vehicle. The receiver also holds an RFID tag, which is a form of stored information.

Over time, these devices evolved from simply letting owners unlock their cars remotely via radio waves to opening the trunk and even starting the engine from a certain distance. This period marked the beginning of the transition from traditional mechanical keys to more sophisticated electronic devices.

In the current era, the emergence of smart keys marked a significant transformation in car key technology. These keys typically do away with the conventional key blade and rely instead on encrypted signals to unlock and start the car. They come with features such as keyless entry and push-to-start, adding a touch of modernity to the driving experience.

With each of these evolutions, the testing approach differs. In this second part we therefore look at key fobs and keyless systems, and at the techniques used to “attack” them.

2.2.1. Jamming Attack — Key Fob Jamming
A jamming attack interferes with the radio frequency (RF) signals used in wireless communications. The interference causes communication between the sending and receiving devices to fail.

In key fob jamming, an attacker uses a jamming device against the radio link between the key fob and the receiver in the car. When someone presses lock or unlock on the fob, a radio signal is sent from the fob to the car; jamming blocks this signal, so the fob’s command never reaches the receiver, or arrives corrupted, and the communication fails.

Technically, key fob jamming can be carried out with (at least) a HackRF One with PortaPack H2, which operates from 1 MHz to 6 GHz and can both receive and transmit. In practice, the attacker only needs to wait for the owner to lock the car with the key fob: the jamming is executed at the moment “someone is about to lock their car”, taking advantage of the owner’s assumption that the fob has locked the doors, when in fact they remain unlocked because of the jamming.

If a Flipper Zero is used instead, the signals recorded with the HackRF must first be transferred to the Flipper Zero, because by default the Flipper Zero does not ship with this signal database. The Flipper Zero can then be used for the jamming, interfering with communication between the key fob and the car’s receiver.

Note: Keep in mind that car key fobs operate on two radio frequencies, 315 MHz and 433 MHz.

2.2.2. Replay Attacks
2.2.2.1. Smart Car Hacking with Signal Amplification Relay Attack (SARA)
The Signal Amplification Relay Attack (SARA) is a car door hacking technique in which an attacker exploits keyless entry technology to extend the communication range between the car key (key fob) and the car. SARA uses two synchronized devices: one near the owner’s key fob and the other near the target car.

In short, SARA uses two transmitters to carry the key fob’s RF signal over a greater distance. The relayed signal tricks the vehicle’s controller unit into believing the owner is present, so it unlocks the vehicle door.

Flow of the Attack — Credits to HackerNoon

Here is the general flow for understanding the context:

  • Signal capture: In the first phase, the attacker’s device (located near the owner’s key fob) captures the signal as the owner approaches the car. This initial signal is what unlocks the door.
  • Signal boosting: The captured signal is then amplified by the attacker’s device, increasing its strength and extending its reach significantly. The amplified signal is now ready for transmission.
  • Signal relay: The amplified signal is relayed to the second device, placed near the target car. This device stands in for the key fob and retransmits the boosted signal to the car’s keyless entry system.
  • Unauthorized access: Believing the genuine key fob is within range, the car’s keyless entry system unlocks the doors or even allows the engine to start. Access is gained without any physical interaction with the genuine key fob.
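Because a relay can only forward the fob’s reply, never shorten the path, the defensive check a keyless system can apply is to bind the unlock decision to round-trip time. The simulation below is an added example that goes beyond what the post describes; it is not code from the post or from any manufacturer. The shared key, the 16-byte nonce and the 500 µs budget are constructed assumptions, and the measured round trip is passed in as a parameter rather than read from a clock.

```python
import hmac
import hashlib
import secrets

# Constructed shared secret between car and fob (placeholder, not a real key).
FOB_KEY = b"demo-fob-key-not-real"

# Assumed budget: a genuine fob in range answers within this many microseconds.
# Illustrative value only, not a manufacturer figure.
MAX_ROUND_TRIP_US = 500


def fob_answer(key: bytes, challenge: bytes) -> bytes:
    """Key fob side: authenticate the car's fresh challenge with the shared secret."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class CarReceiver:
    """Keyless-entry receiver that checks authenticity and round-trip time."""

    def __init__(self, key: bytes, max_rtt_us: int) -> None:
        self.key = key
        self.max_rtt_us = max_rtt_us
        self.pending = None  # challenge currently outstanding, if any

    def issue_challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)  # fresh nonce defeats plain replay
        return self.pending

    def verify(self, response: bytes, elapsed_us: int) -> str:
        if self.pending is None:
            return "reject: no challenge outstanding"
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None  # one response per challenge, then it is dead
        if not hmac.compare_digest(expected, response):
            return "reject: bad response"
        if elapsed_us > self.max_rtt_us:
            return "reject: response too slow (possible relay)"
        return "unlock"


def simulate(elapsed_us: int) -> str:
    """Run one challenge/response exchange with the given measured round trip."""
    car = CarReceiver(FOB_KEY, MAX_ROUND_TRIP_US)
    challenge = car.issue_challenge()
    response = fob_answer(FOB_KEY, challenge)  # correct answer either way
    return car.verify(response, elapsed_us)     # only the timing differs
```

A correct reply that arrives late is treated the same as a wrong one, which is the property a relay cannot work around.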

2.2.2.2. Key Fob Evil Twin — Rolling Code Bypass with Flipper Zero
Some cars use a security feature called “Rolling Code”, in which the code changes with every use. If the lock value is 11, the unlock code must also be 11; after the car is unlocked, the value advances to 12, and the key updates itself to the same value automatically.

So which technique can be used to execute this attack? In practice, there are two ways to bypass the Rolling Code:

  • Keeping the car key far from the car, so that when the victim tries to lock or unlock it the signal never reaches the car; or
  • Jamming the signal from the key to the car so that the transmitted code does not reach the car, which allows the attacker to capture it and redirect it.

Note:

  • Wireless car key frequencies are commonly 433.92 MHz or 315 MHz; which one applies depends on the car model and the key manufacturer. Some cars respond to AM/FM frequencies.
  • Some older Honda cars use a fixed value to lock and unlock the doors.
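To make the counter behaviour concrete, the following is an added example (not code from the post or from any vehicle maker) of a rolling-code receiver: each counter value is accepted once, only inside a forward window, and the counter is authenticated with a MAC so it cannot simply be edited. The key and the window size of 16 are constructed assumptions; the walk-through uses the post’s 11 → 12 example.

```python
import hmac
import hashlib

FOB_KEY = b"demo-rolling-key-not-real"  # constructed shared secret (placeholder)
LOOKAHEAD = 16  # assumed window of future counters the car tolerates


def make_code(key: bytes, counter: int) -> bytes:
    """Fob side: 4-byte counter plus an 8-byte MAC over it."""
    ctr = counter.to_bytes(4, "big")
    return ctr + hmac.new(key, ctr, hashlib.sha256).digest()[:8]


class RollingReceiver:
    """Car side: accept each counter once, within a forward window only."""

    def __init__(self, key: bytes, lookahead: int, start: int = 0) -> None:
        self.key = key
        self.lookahead = lookahead
        self.next_counter = start  # lowest counter the car will still accept

    def accept(self, code: bytes) -> bool:
        if len(code) != 12:
            return False
        counter = int.from_bytes(code[:4], "big")
        expected = hmac.new(self.key, code[:4], hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, code[4:]):
            return False  # tampered counter or wrong key
        if not (self.next_counter <= counter < self.next_counter + self.lookahead):
            return False  # already consumed (replay) or too far ahead
        self.next_counter = counter + 1  # every lower value is now dead
        return True


def demo() -> dict:
    """Walk the 11 -> 12 example and record how the car treats each code."""
    car = RollingReceiver(FOB_KEY, LOOKAHEAD, start=11)
    code11, code12 = make_code(FOB_KEY, 11), make_code(FOB_KEY, 12)
    return {
        "first_use_11": car.accept(code11),  # matches the expected counter
        "replay_11": car.accept(code11),  # same code again: consumed
        "next_12": car.accept(code12),  # counter has advanced to 12
        "press_out_of_range_20": car.accept(make_code(FOB_KEY, 20)),  # in window
        "stale_15_after_20": car.accept(make_code(FOB_KEY, 15)),  # car moved on
        "forged_mac": car.accept(code12[:4] + b"\0" * 8),  # MAC check fails
    }
```

A code the car never received stays inside the window until a higher counter is accepted, which is the gap the two bypass techniques above rely on; once the owner’s next successful press reaches the car, every lower value is rejected.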

3. Conclusion

It is worth noting that the security technology adopted in cars continues to evolve to this day. According to a report by GlobalData, patent filings related to cybersecurity, including vehicle anti-theft systems, increased significantly during 2020–2023.

However, this alone does not make us immune to threats, since methods for hacking car doors will undoubtedly keep evolving as well.

So, what is the recommendation?

As car owners, we must pay more attention to certain habits: not leaving valuables inside the vehicle, not publishing photos of the key, not parking in “any/random” location, and using additional security devices (such as a lock on the gear lever or the steering wheel). Regardless of whether these devices can be defeated, they are a “basic duty” of every car owner and make it harder for thieves to steal the car or the valuables inside it.

Car owners should also always check that the doors are actually locked after locking them with the remote. This helps determine whether an attacker is performing jamming in the area.

As for SARA, car owners can use specially designed signal-blocking wallets, available from well-known stores, that prevent the fob’s radio waves from leaking. These provide an additional layer of protection against signal amplification and relay attempts.

4. Disclaimer

It should be noted that the author is not responsible for any use of this writing or knowledge for purposes contrary to Sharia.

The content presented here (or on other social media platforms owned by the author) is designed to offer insights and/or lessons for those seeking guidance in their daily lives or work. The author is not accountable for any actions inconsistent with Sharia principles undertaken in individuals’ daily lives.

Hopefully, the knowledge learned can be utilized as well as possible for the right purpose.
