The keyless entry system is standard equipment on most modern cars. Its biggest advantage is convenience: the vehicle detects the key fob itself and unlocks automatically. But many people question the security of such systems, believing that the convenience of keyless entry sometimes comes at a price, namely information security.
This article explains how attackers target key fobs and describes the proactive security measures Synopsys recommends.
Over the years, security researchers have discovered many vulnerabilities in automotive systems, and demand for automotive cybersecurity has risen accordingly. The most recent case to draw attention is a series of vulnerabilities in the Tesla Model X keyless entry system, published in November 2020. The vulnerabilities were discovered by Lennert Wouters of the University of Leuven in Belgium.
Steps in the key fob attack
The steps of the attack on the Tesla Model X keyless entry system are shown in the figure; the numbers in the figure indicate the individual steps. Note that the target vehicle is locked and the target key fob is far away from the vehicle.
1. The attacker approaches the target vehicle, reads the vehicle identification number (VIN) through the windshield, and configures the emulated secure element (SE) of the modified body control module (BCM) in the attack device to use the target VIN.
2. The attacker locates the target key fob, brings the attack device close to it, and impersonates the target vehicle by connecting over low frequency (LF) at a distance of about 5 meters. Using an identifier derived from the VIN, the attacker forces the previously paired target key fob to advertise itself as connectable over Bluetooth Low Energy (BLE).
3. The attacker uses a Raspberry Pi to push a malicious firmware update to the target key fob over BLE and thereby gains complete control of the key fob. This update can be performed through the over-the-air (OTA) update service on the target key fob at a distance of up to 30 meters.
4. After the target key fob has been updated, the attack device reconnects over BLE. Because the key fob is now running malicious firmware controlled by the attacker, the firmware allows arbitrary application protocol data unit (APDU) commands to be sent to the SE in the target key fob, so the attacker can extract many valid one-time unlock commands for the target vehicle (for unlocking the doors, trunk, and so on) from the SE in the key fob.
5. The attacker approaches the target vehicle and uses a valid unlock command to unlock it. The unlock command is sent from the Raspberry Pi to the target BCM over BLE.
6. The attacker now has physical access to the interior of the vehicle and can connect the attack device to the vehicle network through the diagnostic port located under the central display. The attack device is connected to the target BCM over the Controller Area Network (CAN).
7. The attack device instructs the target BCM to pair with the modified key fob. After the BCM's challenge-response verification is passed, the modified key fob is added and the necessary credentials are stored in the emulated SE of the key fob.
8. The attacker uses the newly paired key fob on the attack device to start the vehicle: the credentials previously stored in the emulated key fob SE pass the challenge-response verification, and the attacker drives the target vehicle away.
Vulnerabilities/deficiencies that make the key fob vulnerable
This type of attack is mainly caused by the following two vulnerabilities/deficiencies:
First, although the key fob performs signature verification on firmware updates, a vulnerability allowed the attacker to install malicious firmware on the key fob over BLE. Second, although valid key fobs normally store signed certificates received from the backend, the vehicle BCM does not verify these certificates when pairing with a key fob.
It is worth noting that the security researchers responsibly disclosed these issues to Tesla in August 2020, and Tesla released an OTA patch in November 2020.
Using application security testing tools to resolve implementation and design flaws
In the first case, the key fob's firmware signature is not properly verified. This type of implementation problem can usually be discovered by static application security testing, software composition analysis (identifying known vulnerabilities), and fuzzing (detecting unknown vulnerabilities). In addition, penetration testing that focuses on high-risk areas, such as security-related functions and firmware updates, can also detect such vulnerabilities.
The second case is the lack of certificate verification in the design of the pairing protocol between the BCM and the key fob. Design issues of this kind can usually be identified through security design reviews. In addition, an appropriate threat analysis and risk assessment must be performed on the target system to identify high-risk areas; this helps to define appropriate security requirements and to design the corresponding security controls.
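As an added illustration, not code from the original article, from Synopsys, or from any vehicle manufacturer, the following Python models the two checks whose weakness enabled the attack: a key fob that accepts an OTA image only when the signature over the whole image verifies and the version does not roll back, and a BCM that pairs a key fob only when the fob's backend-issued certificate verifies. It uses only the standard library, so HMAC-SHA256 stands in for the asymmetric signature (ECDSA or Ed25519) that a real vendor, backend and fob would use; the keys, fob identifiers and firmware payloads are constructed placeholders. The point is where the checks sit in the update and pairing flows, not the primitive.

```python
"""Added example: firmware-update and pairing checks for a key fob / BCM.

HMAC-SHA256 is a stand-in for an asymmetric signature; in a real design the
vendor and backend hold private signing keys and the fob/BCM hold only the
corresponding public keys. All key material below is constructed for the demo.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Callable, Dict

VENDOR_FIRMWARE_KEY = b"placeholder-vendor-firmware-signing-key"   # vendor only
BACKEND_CERT_KEY = b"placeholder-backend-certificate-signing-key"  # backend only
ATTACKER_KEY = b"placeholder-key-not-trusted-by-anyone"            # constructed


def sign(key: bytes, message: bytes) -> bytes:
    """Stand-in for producing an asymmetric signature over `message`."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, signature: bytes) -> bool:
    """Constant-time check of a stand-in signature."""
    return hmac.compare_digest(sign(key, message), signature)


# ---- check 1: the fob verifies the whole OTA image before flashing it ----
@dataclass
class FirmwareImage:
    version: int
    payload: bytes
    signature: bytes  # covers version || payload, so neither can be swapped

    def signed_bytes(self) -> bytes:
        return struct.pack(">I", self.version) + self.payload


def make_image(signing_key: bytes, version: int, payload: bytes) -> FirmwareImage:
    body = struct.pack(">I", version) + payload
    return FirmwareImage(version, payload, sign(signing_key, body))


class KeyFob:
    def __init__(self, installed_version: int) -> None:
        self.installed_version = installed_version
        self.running_payload = b"stock firmware"

    def apply_update(self, image: FirmwareImage) -> bool:
        """Accept an image only if vendor-signed and newer than what is installed."""
        if not verify(VENDOR_FIRMWARE_KEY, image.signed_bytes(), image.signature):
            return False  # not signed by the vendor: refuse to flash
        if image.version <= self.installed_version:
            return False  # anti-rollback: a validly signed old image is still refused
        self.installed_version = image.version
        self.running_payload = image.payload
        return True


# ---- check 2: the BCM verifies the fob's backend certificate before pairing ----
@dataclass
class FobCertificate:
    fob_id: bytes
    fob_key: bytes    # stand-in for the fob's public key bound by the backend
    signature: bytes  # backend signature over fob_id || fob_key

    def signed_bytes(self) -> bytes:
        return self.fob_id + self.fob_key


def issue_certificate(signing_key: bytes, fob_id: bytes, fob_key: bytes) -> FobCertificate:
    return FobCertificate(fob_id, fob_key, sign(signing_key, fob_id + fob_key))


class BodyControlModule:
    def __init__(self) -> None:
        self.paired: Dict[bytes, bytes] = {}

    def pair(self, cert: FobCertificate) -> bool:
        """Pair only a fob whose certificate was issued by the backend."""
        if not verify(BACKEND_CERT_KEY, cert.signed_bytes(), cert.signature):
            return False  # self-made certificate from an emulated fob is rejected
        self.paired[cert.fob_id] = cert.fob_key
        return True

    def authenticate(self, fob_id: bytes, responder: Callable[[bytes], bytes]) -> bool:
        """Fresh-nonce challenge-response against an already paired fob."""
        key = self.paired.get(fob_id)
        if key is None:
            return False
        challenge = os.urandom(16)
        return hmac.compare_digest(sign(key, challenge), responder(challenge))


def run_scenario() -> Dict[str, bool]:
    """Exercise both checks with constructed good and bad inputs."""
    fob = KeyFob(installed_version=3)
    rogue = make_image(ATTACKER_KEY, 4, b"constructed malicious build")
    vendor = make_image(VENDOR_FIRMWARE_KEY, 4, b"constructed vendor build 4")
    rollback = make_image(VENDOR_FIRMWARE_KEY, 2, b"constructed vendor build 2")

    bcm = BodyControlModule()
    legit = issue_certificate(BACKEND_CERT_KEY, b"fob-0001", b"fob-0001-key")
    forged = issue_certificate(ATTACKER_KEY, b"fob-evil", b"fob-evil-key")

    return {
        "rogue_firmware_rejected": not fob.apply_update(rogue),
        "vendor_firmware_accepted": fob.apply_update(vendor),
        "rollback_rejected": not fob.apply_update(rollback),
        "forged_cert_rejected": not bcm.pair(forged),
        "legit_cert_paired": bcm.pair(legit),
        "legit_fob_authenticates": bcm.authenticate(b"fob-0001", lambda c: sign(b"fob-0001-key", c)),
        "unpaired_fob_authenticates": bcm.authenticate(b"fob-evil", lambda c: sign(b"fob-evil-key", c)),
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

Two design points match the two findings above: the firmware signature covers version and payload together, so a correctly signed older image cannot be replayed to downgrade the fob, and the BCM's pairing step rejects any certificate the backend did not issue before challenge-response ever runs, so an emulated SE cannot be enrolled simply by reaching the diagnostic port.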
There have been many initiatives in the automotive industry to help improve cybersecurity, such as the ISO/SAE 21434 cybersecurity engineering standard and UN Regulation No. 155 on cybersecurity and cybersecurity management systems.
It is not realistic to develop a 100% secure automotive system, so automotive companies need to consider and deploy appropriate measures for OTA updates in order to patch newly discovered vulnerabilities in a timely manner.