Aug. 4, 2014
CBS MoneyWatch - That high-tech keyless car security system is pretty sweet -- for hackers. According to a new report in Wired, thieves can use off-the-shelf hardware and software to impersonate a vehicle's security fob and break into a car in no more than a few minutes.
This vulnerability in keyless vehicles illustrates what is practically an axiom in technology: Convenience often reduces security. And in a corollary truth, hackers are usually at least one step ahead of the technologies intended to thwart them.
Australian security researcher Silvio Cesare plans to review his findings about this new approach to keyless break-ins at this week's Black Hat Internet security conference in Las Vegas. The annual event is a place where people from law enforcement, security experts, military intelligence and even the shady side of the street come together.
People have previously found weaknesses in keyless entries. In 2012, for instance, a rash of Chicago car break-ins was linked to someone using some kind of electronic tool.
Meanwhile, Swiss researchers have found a way to get someone's key fob to broadcast an open command so it can be duplicated, potentially allowing thieves to break into and operate a car.
However, Cesare thinks that he may be the first to actually crack the encryption intended to guard the keyless systems. He built a device that would keep pressing the buttons on his own fob. After collecting thousands of samples of the codes intended to be picked up by the car, he found patterns that reduced the number of possible codes to unlock a vehicle from 43 million to fewer than 13,000.
That's still a big number for humans, but computers can try that many sequences without getting bored, wasting time or needing a bathroom break.
According to InformationWeek, as cars increasingly feature on-vehicle wireless networks that connect with satellite services and smartphones, they become more vulnerable to remote attacks. By breaking into a car's Bluetooth network or a phone app, for instance, someone could in theory control a car's steering, braking or automated parking.
Last year, researchers showed how they could take control of many basic functions in a 2010 Toyota Prius and 2010 Ford Escape. Among new vehicles, the 2014 Jeep Cherokee, 2014 Infiniti Q50 and 2015 Escalade are the most vulnerable to attack, according to security researchers. A 2014 Audi A8 was deemed the least vulnerable model to electronic attack because the car's networked systems are separate from its physical operational systems.
The automobile industry has begun to take such threats more seriously. Last month it announced a mechanism to share security vulnerabilities.