From Key Fobs to Ultra-Wideband (UWB): How Hackers Hijack Vehicle Entry Systems

June 7, 2024
VicOne Cyber Threat Research Lab

By Omar Yang (Senior Threat Researcher, Automotive)

The evolution of vehicle entry systems — from traditional keys to advanced remote keyless entry (RKE) systems and smart key systems, also known as passive keyless entry (PKE) systems or passive entry passive start (PEPS) — has brought both convenience and new security challenges. As car thieves develop more sophisticated methods, robust security solutions have become critical.

Ultra-wideband (UWB) technology is emerging as a game changer in automotive security. Unlike Bluetooth and radio frequency identification (RFID), UWB offers precise distance measurements, making it highly resistant to relay attacks, a common method used in car theft.

In this first blog entry of a two-part series, we examine the history of automotive entry technology and explore notable types of security breaches such as replay attacks, rolling jam attacks, and relay attacks, along with their effective mitigation strategies. As part of our discussion, we tackle a recent report that covers how Tesla’s keyless entry system could be vulnerable to certain attacks. We uncover the mechanism of the unlocking process and how it can be exploited by attackers. In the second half of this series, we’ll take a deeper look at UWB technology, its applications, and its potential vulnerabilities.

A brief history of automatic entry systems and their security challenges

The evolution of automatic entry systems has been marked by significant advancements aimed at enhancing convenience and security. Initially, cars were secured using simple mechanical keys, which could be easily duplicated by skilled thieves. The introduction of remote keyless entry (RKE) systems in the late 1980s marked a significant leap forward, allowing drivers to unlock their cars with a press of a button. However, as technology advanced, so did the sophistication of car thieves. RKE systems became vulnerable to signal jamming, replaying, and interception attacks.

The next major innovation was the development of smart key systems, which allowed for keyless entry and push-button start features. Relay attacks, where thieves extend the signal from the key fob to the car, became a common method for stealing vehicles, especially since they did not require physical access to the key. A surge in luxury vehicle thefts led to skyrocketing insurance premiums for car owners, because high-end cars were particularly vulnerable to, and enticing targets for, such attacks. As these threats evolved, the need for more secure entry systems became evident. This drove the adoption of ultra-wideband (UWB) technology, which provided enhanced precision and security to counter these sophisticated attacks effectively.

In addition to the wireless technologies mentioned above, RFID is commonly used in modern vehicles, in the form of either a physical card or a virtual card stored on a mobile phone. RFID systems unlock cars only within a few centimeters, making them more secure during direct user interaction. However, RFID has its own vulnerabilities. It can be jammed by a stronger radio signal on the same frequency, intercepted (“sniffed”) during communication between the RFID tag and the reader, and used to create a duplicate RFID tag with the same identification code as the original.

Types of signal attacks against automatic entry systems

We’ve mentioned several possible signal attacks against RKE systems. In this section, we give an overview of how they work.

In a jamming attack, hackers transmit radio signals at a higher power than the key fob, so that the vehicle is unable to receive the legitimate signal. This is a form of denial-of-service (DoS) attack.

Figure 1. A jamming attack

In a replay attack, hackers intercept the signal transmitted by the car owner’s key fob. Because a fixed-code fob sends the same signal on every press, the captured transmission can be reused later to gain unauthorized access to the vehicle.

Figure 2. A replay attack

A rolling jam attack combines signal interception and jamming. In this scenario, hackers simultaneously intercept the transmitted signal and jam the signal near the car to prevent it from receiving the correct signal. Their goal is to trick the car owner into pressing the key fob two or more times. In doing so, hackers can capture signals that the car has not yet consumed and that can therefore be used in future attacks. This technique targets cars with a rolling-code feature, which would otherwise reject a straightforward replay.

Figure 3. A rolling jam attack
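To make the difference between the replay and rolling jam cases concrete, here is an added Python model of a fixed-code receiver and a rolling-code receiver with a counter window (example code written for this post, not from the cited report or any vehicle manufacturer; the key, window size and frame layout are assumptions). It shows why a recorded fixed code works again, why a rolling code the car has already seen is rejected, and why a code that was captured but never reached the car remains valid, which is the window the rolling jam relies on.

```python
import hmac
import hashlib

KEY = b"demo-fob-key-0001"  # constructed demo key shared by fob and car (not a real key)
WINDOW = 16  # counter values beyond the last accepted one that the car tolerates

def fixed_frame(key: bytes) -> bytes:
    """Legacy fixed-code fob: identical bytes on every button press."""
    return hashlib.sha256(key).digest()[:4]

def rolling_frame(key: bytes, counter: int) -> bytes:
    """Rolling-code fob: counter plus a MAC over it; the counter advances each press."""
    ctr = counter.to_bytes(4, "big")
    return ctr + hmac.new(key, ctr, hashlib.sha256).digest()[:4]

class FixedCodeCar:
    """Accepts the fixed frame whenever it is seen, so a recording is as good as the fob."""
    def __init__(self, key: bytes):
        self.expected = fixed_frame(key)

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.expected)

class RollingCodeCar:
    """Accepts a frame only if its MAC is valid and its counter is new and within WINDOW."""
    def __init__(self, key: bytes):
        self.key, self.last = key, 0  # last = highest counter accepted so far

    def accept(self, frame: bytes) -> bool:
        counter = int.from_bytes(frame[:4], "big")
        if not hmac.compare_digest(frame, rolling_frame(self.key, counter)):
            return False  # forged or corrupted frame
        if not self.last < counter <= self.last + WINDOW:
            return False  # already consumed (replay) or too far ahead
        self.last = counter
        return True

def demo():
    fixed_car = FixedCodeCar(KEY)
    recording = fixed_frame(KEY)      # one press captured off the air
    fixed_car.accept(recording)       # the owner's own press
    fixed_replay = fixed_car.accept(recording)   # the same bytes again: accepted

    car = RollingCodeCar(KEY)
    press1, press2 = rolling_frame(KEY, 1), rolling_frame(KEY, 2)
    car.accept(press1)                # press 1 reached the car
    replay = car.accept(press1)       # press 1 again: rejected, counter already used
    unconsumed = car.accept(press2)   # press 2 never reached the car: still valid
    return fixed_replay, replay, unconsumed
```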

In a relay attack, hackers position one radio device near the car and another near the real key. These radio devices essentially extend the signal to trick the car into believing the key is nearby, allowing the car to be unlocked and started.

Figure 4. A relay attack
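The distance check that makes UWB resistant to the relay attack just described is easiest to see in a small two-way ranging model, added here as an illustration (not Tesla’s or any vendor’s code; the key’s reply delay, the unlock radius and the relay’s per-hop forwarding delay are assumed values). Because a relay cannot forward radio faster than light, it can only lengthen the round trip, so the distance the car measures never drops below the true one.

```python
C = 299_792_458.0       # speed of light in m/s; radio travels at this speed
REPLY_DELAY_NS = 500.0  # fixed turnaround the key waits before answering (assumed)
UNLOCK_RADIUS_M = 2.0   # car unlocks only if the key measures within this distance (assumed policy)

def measured_distance_m(round_trip_ns: float, reply_delay_ns: float = REPLY_DELAY_NS) -> float:
    """Two-way ranging: distance = c * (round trip - key's known turnaround) / 2."""
    time_of_flight_s = (round_trip_ns - reply_delay_ns) / 2 * 1e-9
    return C * time_of_flight_s

def round_trip_ns(distance_m: float, extra_delay_per_hop_ns: float = 0.0) -> float:
    """Round trip the car observes for a key really distance_m away.

    With a relay pair in the path, each direction passes through a relay once and
    pays at least its receive/forward turnaround (extra_delay_per_hop_ns).
    A relay can add delay but cannot remove the true time of flight."""
    one_way_ns = distance_m / C * 1e9
    return 2 * one_way_ns + REPLY_DELAY_NS + 2 * extra_delay_per_hop_ns

def unlock_allowed(round_trip: float) -> bool:
    return measured_distance_m(round_trip) <= UNLOCK_RADIUS_M

def demo():
    # Legitimate key 1.5 m from the car: measured about 1.5 m, unlock permitted
    honest = round_trip_ns(1.5)
    # Key actually 30 m away (e.g. inside the house), relayed with an assumed 20 ns per-hop delay:
    # the relay adds distance on top of the real 30 m, so the check fails
    relayed = round_trip_ns(30.0, extra_delay_per_hop_ns=20.0)
    return (unlock_allowed(honest), measured_distance_m(honest),
            unlock_allowed(relayed), measured_distance_m(relayed))
```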

These attacks have proven effective in bypassing the automatic entry systems discussed in the previous section. Table 1 summarizes various iterations of vehicle entry systems and the different attack methods that can be used against them.

Automatic entry system         Potential attacks
Physical key                   Hot-wire
Remote keyless entry (RKE)     Jamming, replay, rolling jam
Passive keyless entry (PKE)    Relay
RFID (key card)                Jamming, sniffing, cloning

Table 1. A summary of automatic entry systems and possible attacks against them

An attack against Tesla Model 3

UWB comes as the game changer and next major step in the evolution of automatic vehicle entry. This raises the question: How effective is UWB against current radio hacks? A recent report on the latest Tesla Model 3’s use of UWB helps give an idea.

Citing findings by researchers at GoGoByte, the report states that although the Tesla Model 3 supports UWB, it is not currently using the technology effectively for distance checks that could prevent relay attacks. This is because Tesla’s keyless entry systems primarily still use Bluetooth to unlock the car and control the immobilizer. Consequently, relay attacks remain successful over Bluetooth, as with earlier models.

Tesla has acknowledged the issue, stating that it is working on improving UWB reliability and security. Until the necessary enhancements are deployed, Tesla vehicles remain vulnerable to relay attacks. Despite this, it is fair to note that Tesla vehicles are reported to be the least frequently stolen in the US, thanks to their default GPS tracking features.

To address this issue, Tesla vehicle owners are advised to take advantage of a feature called “PIN-to-drive,” which acts as a form of multifactor authentication (MFA). This feature requires the driver to enter a four-digit PIN code before the car can be started, even after it has been unlocked using the key fob or smartphone. PIN-to-drive provides a second layer of protection, ensuring that even if a thief unlocks the car using a relay attack, the thief cannot start the vehicle without knowing the PIN. This feature offers an effective safeguard against current security weaknesses until more robust UWB security measures are implemented.

The report gives a good introduction to the current implementation of UWB and how improvements are still necessary to fully realize its advantages. In the second half of this two-part blog series, we take a closer look at this technology and examine its security implications for vehicles.
