Cars and Key Fobs: Attacks on Car Remotes

Summary

Assignment 5: Cars and Key Fobs Overview Almost all cars currently come with a key fob, which allows you to open the doors, and start the car. When you buy a car, the convenience is the compelling feature. You can leave the key fob in your pocket, and never again worry about having a physical key. It sounds great. The implicit assumption you make is that the key fob system is secure, and that some random person with $50 of hardware can't drive off with your car. You have no real way to tell whether the car company did a reasonable job with their system, so you have to trust them. Unfortunately, that trust is not always warranted. And it isn't until people try to hack these systems that the problems come out. Problems that less scrupulous people may have already been exploiting. Your Car's Key Fob There are lots of different key fob systems. We'll start by looking at the key fob for my 2006 Prius. Key fobs use something called a Remote Keyless System (RKS). In the U.S. these operate at 315 MHz, +/- 2.5 MHz. My Prius key turned out to be at 312.590 MHz.The keyfobs are all listed in the FCC database. Watching for new entries is one of the ways people can tell when new car models are coming out. These will appear long before the official announcement. You can figure out what frequency your key fob transmits on using your SDR and use GQRX or SDR# to monitor the spectrum. When you push a button on the fob, you should see a brief jump in the spectrum. You may need to shift the frequency band up or down by a couple of MHz to find the signal, mine was almost 2.5 MHz low. One word of caution. Don't get too carried away pushing the button! The RKS system uses a rolling pseudo-randomly generated code. Both the key fob and the car keep in sync, so that the car recognizes the next code. However, if the key fob gets too far ahead in the sequence (100s of button pushes) the car won't recognize it. That makes the key (and the car) considerably less useful! If we capture the signal t...