How to Mitigate Keyless Entry Attacks

Hackers-Turned-Car-Thieves Exploit Keyless Entry Systems

In 2019, hackers stole a BMW worth more than $100,000, without having to go to the trouble of breaking into it. They simply used an electronic device to pick up the radio signal from a nearby key fob and relayed it to another device next to the car. In this article, we’ll look at such keyless entry attacks and how to detect them before they result in car thefts.

Overview

Keyless entry was one of the most common attack vectors affecting connected cars in 2018, according to Upstream Security’s analysis of automotive cyberattacks. It’s a growing crime phenomenon. In the UK, for example, car theft went up by 38% from 2017 to 2018, with the police attributing much of the increase to keyless entry. In one UK country alone, keyless entry accounts for 92% of car thefts. Car theft is a big business, with the FBI in the US estimating that the crime costs Americans over $6 billion a year in more than 700,000 separate vehicle thefts.

Research Reveals Four Popular Keyless Entry System Methods

Broadly, we see mainly four types of wireless entry attack on cars:

• Relay attack – a process of picking up the radio signal from a key fob, potentially inside a home, and relaying it to a device near the car—“fooling” the car’s electronics into thinking the owner is performing keyless entry. Recently, security experts have tested several car models and rated four as “poor for security” due to keyless entry systems that made them susceptible to relay attacks.
• Hacking the car’s OBD port – and using it to access information about the car’s key codes. The thief can then program a new key that will start the car.
• Keyless jamming – a technique that involves blocking of the signal coming from the key fob. You think you’re locking your car, but the signal’s not reaching it. The thief can then open the door and proceed to steal the car.
• Spoofing – a car thief steals a vehicle’s cryptographic key—a process that can take mere seconds. Spoofing has been successfully demonstrated on a White hat basis with a Tesla Model S, where thieves could wirelessly read the signals from its key fob and were able to clone it almost instantaneously.

Keyless Entry Attacks Turn Convenience into a Car Theft Tool

As we see with many automotive cyber security problems, the latest luxury or convenience can easily become an attack vector. With keyless entry attacks, the vehicle “thinks” it’s being opened or started by its legitimate owner. The challenge, from a security perspective, is to detect and protect against such threats without diminishing the value of the keyless feature.

Leveraging Data to Defend Against Wireless Entry Attacks

The data and connectivity that make keyless entry possible, form the basis for mitigating the keyless threat. Vehicles generate data related to their wireless entry system. For instance, vehicle data can indicate systemic behaviors like a door being opened or the engine starting when it senses the presence of the wireless key fob. By monitoring the data from a connected car using the right insights, one can potentially detect.  Wireless entry attacks can potentially be detected by monitoring the vehicles’ data and learning their behavior, in order to detect anomalies that might indicate a hacker tempering with the wireless system.

A cybersecurity solution for cars can detect that anomaly and take action. A number of incident responses might be suitable, depending on the type of wireless entry attack. In a relay attack, one countermeasure is to notify the vehicle’s manufacturer, fleet manager or Telematics Service Provider (TSP) of the suspicious activity. Owners or operators of the vehicles can be notified via text message or through an app. This way, if the car owners are not aware of the car being started, they can call the police or activate a process that makes the engine stop.

Upstream’s C4 Platform and Keyless Entry Attacks

Upstream Security mitigates keyless entry attacks through its Centralized Connected Car Cybersecurity (C4) platform. This agentless solution is built with a multi-layered security architecture. It monitors automotive telemetry data in the cloud. C4 leverages deep-protocol, big-data and behavioral analysis algorithms to spot anomalies that suggest a car is being subjected to a keyless entry attack.

Upstream uses machine learning to understand a vehicles’ unique patterns. At the same time, it learns about comparable cars in its class. For instance, the act of hacking a car’s OBD port to make a copy of a key might create a unique digital signature. Once Upstream has learned what this attack looks like on another, similar car, it can monitor your car for that signature and take action if the attack is spotted.

Upstream enables automated responses to wireless entry attacks. Upstream’s solution is used at the core of Vehicle Security Operations Centers or VSOCs. The Upstream C4 solution encompasses real-time cybersecurity detection and mobility SIEM (security incident and event management) for the entire operational network and OT assets. It also works hand in hand with existing IT cybersecurity products such as SIEM and Workflow solutions. C4 can pass keyless entry incident data via API to the integrated enterprise SIEM or Workflow solutions where the incident triggers a proper playbook and the triage process begins.

Upstream has deep detection and response capabilities, enabling it to detect keyless entry attacks. To learn more about these and other attack methods and security solutions, visit: https://upstream.auto/research/ and subscribe to our monthly newsletter for the latest in smart mobility cybersecurity.