Author Topic: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design  (Read 4500 times)


Online coppice

  • Super Contributor
  • ***
  • Posts: 9280
  • Country: gb
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #50 on: August 05, 2024, 06:07:29 pm »
My car has keyless entry (VW ID.3) and it is immune to the repeater attack that has plagued many keyless-go entry systems.   It uses UWB keys.  UWB keyless technology measures the distance to the car's key using the RF delay time.  Inserting a repeater into the system - short of breaking the laws of physics - will never make the key look like it is closer than it is.  So you cannot steal the car by using a repeater device.  You must have the keys yourself.
Give it some time and we'll see. The car makers have a history of fixing one thing, and creating a fresh vulnerability. Maybe there will turn out to be something about the scan to scan timing that allows some tricks to be played. They really should do this kind of development in public, in the way good new encryption techniques come from an open discussion among experts in the field trying to pick holes in each other's work.

 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13918
  • Country: gb
    • Mike's Electric Stuff
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #51 on: August 05, 2024, 06:14:24 pm »
This is why UWB is used for rangefinder functions on e.g. AirTags, and some car key fobs.  The pulses are around 1-2ns long...

No reason this can't be used with the XOR concept BTW. Challenger sends a bit of the salt by either transmitting or not in a time slot, the dongle XORs and sends a pulse back or not. With 24 GHz (5 GHz bandwidth) a couple ns range round trip delay should be doable.
the actual turnround time isn't that important as long as it is known and consistent, so deviations can be detected.
Youtube channel: Taking weird stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 6905
  • Country: nl
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #52 on: August 05, 2024, 06:19:34 pm »
I have my doubts whether the current UWB standard is really secure by design, for that the hardware has to be able to encrypt a bit of challenge and return it with negligible delay (which is why I suggest a precomputed code to XOR a challenge with). As soon as the stack has large delays, replay becomes possible again ... and the CCC stack seems huge and full of delays.

Otherwise this wouldn't make sense :
"15CCC DIGITAL KEY
‘Ranging keys’ are derived from CCC Digital
Key authentication handshake and securely
stored in the secure element. When in use,
ranging keys have a limited 12-hour lifetime to
shorten the time window for an attacker."
 

Online tszaboo

  • Super Contributor
  • ***
  • Posts: 7859
  • Country: nl
  • Current job: ATEX product design
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #53 on: August 05, 2024, 06:43:11 pm »
That kind of measure seems to suffer from exactly the vagueness I described. Crimes that go undetected don't appear in the statistics. People of low IQ are so incapable of covering their tracks there is no question that get caught a lot. For high IQ people the jury is out... although the lynch mob may be in.
Ah cool. Let's try this.
At what correlation factor do you say: Yeah, actually you are right.
Hm? 0.8? 0.9? 1.000?
Huh? what are you talking about? The question is not about the level of correlation, but what exactly are you seeing correlate.
Right. So this is why we are in this terrible situation where we cannot talk about anything anymore. Even people who probably understand statistics are completely oblivious to the implications of those statistics. You can just walk past some inconvenient truth and brush it off, because it is against the programming. If this were reddit, you would probably be crying to the mods to get me banned, because you don't like the implications.
And it's not "exactly are you seeing correlate". It's something that is a widely accepted fact in the field of psychology with ample evidence.
 

Online tom66

  • Super Contributor
  • ***
  • Posts: 6896
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #54 on: August 05, 2024, 06:47:56 pm »
I have my doubts whether the current UWB standard is really secure by design, for that the hardware has to be able to encrypt a bit of challenge and return it with negligible delay (which is why I suggest a precomputed code to XOR a challenge with). As soon as the stack has large delays, replay becomes possible again ... and the CCC stack seems huge and full of delays.

Otherwise this wouldn't make sense :
"15CCC DIGITAL KEY
‘Ranging keys’ are derived from CCC Digital
Key authentication handshake and securely
stored in the secure element. When in use,
ranging keys have a limited 12-hour lifetime to
shorten the time window for an attacker."

It needn't work that way.  Car and key are pre-synchronised, this is part of initial pairing process done at the factory.  The key sends a signal whenever a button is pressed, car then acknowledges that, key responds with next sequence value, which will be some internal secret like some 32 bits of a 128-bit PRNG.  There may be several rounds of this to get a two-way ranging estimate.

This doesn't require a challenge-response mechanism except when key and car get out of sync. When that happens, the key will respond with a wrong value, the car will do a more thorough challenge, then go back to the normal method to authenticate via time of flight.
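As an added illustration of the pre-synchronised sequence tom66 sketches above (this is not his code or any manufacturer's): a fob that advances a counter on every press, a car that accepts only values ahead of the last one it saw within a look-ahead window, and a challenge-response path that is used only when the window search fails. HMAC-SHA256 over the counter stands in for the "128-bit PRNG" the post mentions, the window size of 16 is an assumption, and the time-of-flight ranging that the post says still follows is not modelled here.

```python
"""Pre-synchronised sequence values with a look-ahead window and a
challenge-response resync path.  Added example only: HMAC-SHA256 over a
counter stands in for the post's 128-bit PRNG, WINDOW is an assumption,
and the ToF ranging the car does afterwards is out of scope here."""
import hashlib
import hmac
import secrets

WINDOW = 16  # assumed: how many unheard fob presses the car tolerates


def sequence_value(secret: bytes, counter: int) -> int:
    """32-bit value for step `counter`; unpredictable without the secret,
    and a different value for every step, so old captures are useless."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def resync_tag(secret: bytes, nonce: bytes, counter: int) -> bytes:
    """Proof of the secret over a fresh car nonce and the fob's counter."""
    return hmac.new(secret, nonce + counter.to_bytes(8, "big"),
                    hashlib.sha256).digest()


class Fob:
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> int:
        self.counter += 1            # advances even if the car never hears it
        return sequence_value(self.secret, self.counter)

    def answer(self, nonce: bytes) -> tuple[int, bytes]:
        """Slow path: reveal our counter, authenticated under the nonce."""
        return self.counter, resync_tag(self.secret, nonce, self.counter)


class Car:
    def __init__(self, secret: bytes):
        self.secret, self.counter, self.nonce = secret, 0, None

    def accept(self, value: int) -> bool:
        """Fast path: search only forward of the last accepted step, so a
        replayed or previously captured value can never be accepted twice."""
        for step in range(1, WINDOW + 1):
            if sequence_value(self.secret, self.counter + step) == value:
                self.counter += step
                return True
        return False

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def resync(self, fob_counter: int, tag: bytes) -> bool:
        """Adopt the fob's counter only if it proves the secret over our
        fresh nonce and is ahead of us (never roll the counter back)."""
        if self.nonce is None:
            return False
        expected = resync_tag(self.secret, self.nonce, fob_counter)
        self.nonce = None                      # one answer per challenge
        if hmac.compare_digest(tag, expected) and fob_counter > self.counter:
            self.counter = fob_counter
            return True
        return False


if __name__ == "__main__":
    secret = bytes(range(16))                  # constructed pairing secret
    fob, car = Fob(secret), Car(secret)
    print("in range press:", car.accept(fob.press()))
    for _ in range(40):                        # pressed in a pocket, unheard
        fob.press()
    stale = fob.press()
    print("after 40 missed presses:", car.accept(stale))
    ctr, tag = fob.answer(car.challenge())
    print("resync:", car.resync(ctr, tag), "next press:", car.accept(fob.press()))
```

A captured value is only good until the legitimate press after it, and only if it is replayed before the car hears a later one; that is the rolling-code property, and the time-of-flight check the post describes is what would then reject a relayed live press.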
 

Online coppice

  • Super Contributor
  • ***
  • Posts: 9280
  • Country: gb
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #55 on: August 05, 2024, 07:14:59 pm »
That kind of measure seems to suffer from exactly the vagueness I described. Crimes that go undetected don't appear in the statistics. People of low IQ are so incapable of covering their tracks there is no question that get caught a lot. For high IQ people the jury is out... although the lynch mob may be in.
Ah cool. Let's try this.
At what correlation factor do you say: Yeah, actually you are right.
Hm? 0.8? 0.9? 1.000?
Huh? what are you talking about? The question is not about the level of correlation, but what exactly are you seeing correlate.
Right. So this is why we are in this terrible situation where we cannot talk about anything anymore. Even people who probably understand statistics are completely oblivious to the implications of those statistics. You can just walk past some inconvenient truth and brush it off, because it is against the programming. If this were reddit, you would probably be crying to the mods to get me banned, because you don't like the implications.
And it's not "exactly are you seeing correlate". It's something that is a widely accepted fact in the field of psychology with ample evidence.
Now you are projecting. I don't want you banned. I just think you don't seem to be applying any analytical skills, and are rather confused. Just show me some evidence that holds up to scrutiny. I've never seen any. I just see studies with gaping holes in them. There appears a pretty solid correlation between low IQ and crimes the person commits being registered. There appears a pretty solid correlation between low IQ and the person being caught for their crimes which have been registered. These are unsurprising results. Beyond that I see a lot of hand waving.
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13918
  • Country: gb
    • Mike's Electric Stuff
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #56 on: August 05, 2024, 07:25:22 pm »
I have my doubts whether the current UWB standard is really secure by design, for that the hardware has to be able to encrypt a bit of challenge and return it with negligible delay
Not necessarily - the ranging and authentication could be separate operations.
 

Online Phil1977

  • Frequent Contributor
  • **
  • Posts: 589
  • Country: de
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #57 on: August 05, 2024, 07:27:16 pm »
I have my doubts whether the current UWB standard is really secure by design, for that the hardware has to be able to encrypt a bit of challenge and return it with negligible delay (which is why I suggest a precomputed code to XOR a challenge with). As soon as the stack has large delays, replay becomes possible again ... and the CCC stack seems huge and full of delays.

A pure XOR would not be sufficient because the attacker could easily catch the XOR key from the keyfob and use it with little delay at the car-side relay station. You would need a small interactive element, like "XOR it with a secret key and send me only bytes nr. x1 x2 x3 x4 from the string".
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13918
  • Country: gb
    • Mike's Electric Stuff
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #58 on: August 05, 2024, 08:16:41 pm »
Another really simple way to avoid the turnround time issue is to use two messages within up to a few tens of ms - the first sends the challenge (maybe also including a wake-up preamble) for the fob to process, the second requests the fob to reply quickly and send its stored reply, and does the ranging.
 

Online Benta (Topic starter)

  • Super Contributor
  • ***
  • Posts: 6163
  • Country: de
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #59 on: August 31, 2024, 09:29:09 pm »
An update to this theme.

ADAC (the German equivalent to AA, AAA etc.) has just published a report on 700 NEW car models having Keyless-Go systems.
Only 9% were immune to attacks, all others were simple to steal using an RF relay (range extender).
So don't tell me this problem is non-existent.
https://www.adac.de/rund-ums-fahrzeug/ausstattung-technik-zubehoer/assistenzsysteme/keyless/

It's in German, but a web translator will help.
 
The following users thanked this post: nctnico

Online coppice

  • Super Contributor
  • ***
  • Posts: 9280
  • Country: gb
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #60 on: August 31, 2024, 09:46:58 pm »
An update to this theme.

ADAC (the German equivalent to AA, AAA etc.) has just published a report on 700 NEW car models having Keyless-Go systems.
Only 9% were immune to attacks, all others were simple to steal using an RF relay (range extender).
So don't tell me this problem is non-existent.
https://www.adac.de/rund-ums-fahrzeug/ausstattung-technik-zubehoer/assistenzsysteme/keyless/

It's in German, but a web translator will help.
Were the 9% of immune cars scattered among the brands, or were there brands taking things really seriously with most of their products immune?
 

Online Benta (Topic starter)

  • Super Contributor
  • ***
  • Posts: 6163
  • Country: de
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #61 on: August 31, 2024, 11:00:58 pm »
Were the 9% of immune cars scattered among the brands, or were there brands taking things really seriously with most of their products immune?
Here's the list:
https://assets.adac.de/image/upload/v1724742959/ADAC-eV/KOR/Text/PDF/Keyless-Liste_8_24_acig7v.pdf

Where columns 4 or 5 say "X", the cars are vulnerable. Where it says "nein", they're safe for now.

Judge for yourself.

PS: column 3 "Erstzulassung" tells you when the car was put on the market. Most are still sold today.
« Last Edit: August 31, 2024, 11:03:43 pm by Benta »
 
The following users thanked this post: tom66, jpanhalt

Online tom66

  • Super Contributor
  • ***
  • Posts: 6896
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #62 on: September 01, 2024, 09:09:36 am »
That's a pretty horrid list there isn't it.  Wow.
 

Offline Siwastaja

  • Super Contributor
  • ***
  • Posts: 8643
  • Country: fi
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #63 on: September 01, 2024, 09:15:50 am »
That's a pretty horrid list there isn't it.  Wow.

It is, but the 9% is enough to prove it can be designed to work safely, and those 9% are not some kind of NASA secret technology, but similar cars to those that do not pass, just probably newer models(?). Now what kind of motivation manufacturers need to fix their shit is another question.
« Last Edit: September 01, 2024, 09:18:08 am by Siwastaja »
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 6905
  • Country: nl
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #64 on: September 01, 2024, 10:39:19 am »
A pure XOR would not be sufficient because the attacker could easily catch the XOR-key from the keyfob and use it with little delay at the car-side relay station. You would need a small interactive element, like "XOR it with a secret key and send me only only bytes nr, x1 x2 x3 x4 from the string".
Car sends encrypted XOR key to fob
Fob decodes and they are both waiting say exactly 100 us (gives fob time to decode the encryption with low power circuitry).
Car sends random data and fob "immediately" (say 1.5 bit delay, short enough not to mess with ToF) returns the XOR'd random data

If the fob is away from the car and the fob-side relay tries to send its own data to the fob to decode the XOR key, the car-side relay won't get the XOR key in time AFAICS. The XOR key bits are only valid in a tens of ns time window (thanks to the magic of crystal oscillator accuracy).
« Last Edit: September 01, 2024, 10:44:21 am by Marco »
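Several posts in this thread describe the same mechanism from different angles: coppice's point (reply #50) that a repeater can only ever add delay to a UWB time-of-flight measurement, Mike's XOR-in-a-time-slot exchange (#51), Phil1977's objection that a fob-side box could read the XOR key out early (#57), Mike's two-message variant (#58) and Marco's timed version above (#64). The following is an added simulation of that whole picture, written for this thread; it is not any car maker's code or the CCC Digital Key specification. It models only propagation time at the speed of light, a fixed fob turnaround, and relay latency; the 3 ns turnaround, 2 ns jitter allowance, 2 m policy distance, 32 rounds, and HMAC-SHA256 as the way both sides derive the one-time XOR key from a nonce are all assumptions made for the example.

```python
"""Distance bounding with a rapid XOR bit exchange, simulated in ns.
Added example in the shape the thread describes (Brands-Chaum style):
a slow authenticated setup that may take as long as it likes, then a
rapid phase whose per-bit round-trip time bounds the fob's distance.
No radio is modelled, only propagation, turnaround and relay delay."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

C_M_PER_NS = 0.299792458        # speed of light, metres per nanosecond
ROUNDS = 32                     # rapid-phase bits; blind guessing passes 2^-32
FOB_TURNAROUND_NS = 3.0         # assumed fixed XOR-and-transmit latency
TIMING_SLACK_NS = 2.0           # assumed tolerance for oscillator jitter
MAX_DISTANCE_M = 2.0            # assumed policy: fob must be within 2 m
RTT_BOUND_NS = (2 * MAX_DISTANCE_M / C_M_PER_NS
                + FOB_TURNAROUND_NS + TIMING_SLACK_NS)


def ranging_bits(secret: bytes, nonce: bytes, n: int) -> list[int]:
    """Slow phase: both sides derive the one-time XOR key k from a fresh
    nonce (the 'salt' / 'encrypted XOR key' of the posts).  Crypto latency
    here is harmless because nothing is being timed yet."""
    digest = hmac.new(secret, nonce, hashlib.sha256).digest()
    return [(digest[i >> 3] >> (i & 7)) & 1 for i in range(n)]


@dataclass
class Responder:
    """Whoever answers the car's rapid-phase bits: the k bits it holds, and
    how much later than a fob sitting on the car's antenna its answers land."""
    bits: list[int]
    extra_rtt_ns: float


def honest_fob(secret, nonce, distance_m):
    return Responder(ranging_bits(secret, nonce, ROUNDS),
                     2 * distance_m / C_M_PER_NS)


def relayed_fob(secret, nonce, fob_distance_m, relay_latency_ns):
    """Classic relay: the real fob is far away and answers correctly, but
    the car hears it only through two repeaters.  The signal still covers
    the true distance and passes through relay electronics both ways, so
    every answer is late: a repeater can add delay, never remove it."""
    return Responder(ranging_bits(secret, nonce, ROUNDS),
                     2 * (fob_distance_m / C_M_PER_NS + relay_latency_ns))


def early_query_attacker(secret, nonce, relay_latency_ns):
    """Phil1977's attack: a box by the far fob forwards the car's nonce,
    then feeds the fob its own bits to read k out, and ships k to a box at
    the car.  The fob cannot start before the nonce reaches it, and k needs
    a second hop back, so at the car k arrives 2*relay_latency after the
    car's own rapid phase began: correct bits, still too late."""
    return Responder(ranging_bits(secret, nonce, ROUNDS), 2 * relay_latency_ns)


def guessing_attacker():
    """A box at the car that answers instantly with random bits."""
    return Responder([secrets.randbits(1) for _ in range(ROUNDS)], 0.0)


def car_verifies(secret, nonce, responder):
    """Rapid phase: each round the car sends a random bit c_i and expects
    c_i XOR k_i back within RTT_BOUND_NS.  All rounds are checked before
    deciding.  Returns (accepted, all_bits_correct, distance_estimate_m)."""
    expected = ranging_bits(secret, nonce, ROUNDS)
    bits_ok = True
    worst_rtt = 0.0
    for i in range(ROUNDS):
        c = secrets.randbits(1)
        reply = c ^ responder.bits[i]          # what comes back over the air
        rtt = FOB_TURNAROUND_NS + responder.extra_rtt_ns
        bits_ok = bits_ok and (reply == (c ^ expected[i]))
        worst_rtt = max(worst_rtt, rtt)
    distance = (worst_rtt - FOB_TURNAROUND_NS) * C_M_PER_NS / 2
    return bits_ok and worst_rtt <= RTT_BOUND_NS, bits_ok, distance


if __name__ == "__main__":
    secret = bytes(range(16))                  # constructed pairing secret
    nonce = secrets.token_bytes(16)
    for name, r in [("fob in hand, 1 m", honest_fob(secret, nonce, 1.0)),
                    ("relayed fob 30 m away", relayed_fob(secret, nonce, 30.0, 20.0)),
                    ("early-query relay", early_query_attacker(secret, nonce, 20.0)),
                    ("blind guesser", guessing_attacker())]:
        print(f"{name:24s} -> {car_verifies(secret, nonce, r)}")
```

The two halves of the check are deliberately independent: the timing alone rejects anything relayed, however faithful, and the XOR bits alone reject anything that answers fast without the key. Only a responder that is both close and in possession of k passes, which is exactly the property the repeater attacks in the ADAC list exploit the absence of.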
 

Online themadhippy

  • Super Contributor
  • ***
  • Posts: 2904
  • Country: gb
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #65 on: September 01, 2024, 11:22:00 am »
Quote
If the fob is away from the car
Hang on, are you suggesting I can't start my car and turn on the heated seat from the comfort of my kitchen whilst I finish breakfast? Instead you want me to finish breakfast, and then actually get in the car, sit on a cold seat before I can start it?
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 6905
  • Country: nl
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #66 on: September 01, 2024, 11:25:32 am »
Hang on, are you suggesting I can't start my car and turn on the heated seat from the comfort of my kitchen whilst I finish breakfast? Instead you want me to finish breakfast, and then actually get in the car, sit on a cold seat before I can start it?

Only for keyless entry/go based on proximity. When you use a phone app to operate car functions that's your own choice. If you unlock it and someone steals everything inside, that's on you.
 

Online coppice

  • Super Contributor
  • ***
  • Posts: 9280
  • Country: gb
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #67 on: September 01, 2024, 12:31:57 pm »
That's a pretty horrid list there isn't it.  Wow.

It is, but the 9% is enough to prove it can be designed to work safely, and those 9% are not some kind of NASA secret technology, but similar cars than those that do not pass, just probably newer models(?). Now what kind of motivation manufacturers need to fix their shit is another question.
A lot in that 9% group use UWB, which seems to indicate that this is probably a big help with security. As for the others the list doesn't say much at all. It looks really hit and miss among the car makers, like nobody has a really effective solution, except perhaps the use of UWB. It looks more like many of the passes are more luck than good design.

As for motivation, the answer is simple. Who is failing to buy a car because of this issue? If it isn't hurting sales it has a low priority. I note that a lot of the models passing in that list are JLR models. This might be because the theft issue has actually blown up in JLR's face, with theft of their cars getting so bad people can't get them insured, and it's all over the media.
 

Online themadhippy

  • Super Contributor
  • ***
  • Posts: 2904
  • Country: gb
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #68 on: September 01, 2024, 01:44:11 pm »
Quote
If  it isn't hurting sales it has a low priority
Might actually be helping sales: your new car gets nicked, insurance replaces it with an identical model, 2 cars sold instead of 1 with decent security.
 

Online tom66

  • Super Contributor
  • ***
  • Posts: 6896
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #69 on: September 01, 2024, 06:10:24 pm »
The big problem with the JLR thefts is the vehicles are becoming uneconomical to insure, or are completely uninsurable in some cases - I've seen £10,000 per year quoted for some Evoque models, and other insurers outright refusing to quote as they don't like the risk.

The only way JLR can reasonably fix this is by recalling the vehicles and loading improved software on them; they've announced an update for 2018 models onwards, but it seems earlier model owners are screwed.  Funny that UK law has a cut-off of six years to bring a claim for a product being unfit for purpose, I'm sure that had nothing at all to do with their decision to exclude earlier models.

There is no good fix to the repeater problem besides using reliable ToF measurement.  If the radio chipsets don't have ToF support then they are screwed in terms of a true solution to relay attacks, but they could still prevent CANbus/OBD-II attacks, and/or offer a feature like PIN-to-drive for free.
« Last Edit: September 01, 2024, 06:11:56 pm by tom66 »
 

Offline Siwastaja

  • Super Contributor
  • ***
  • Posts: 8643
  • Country: fi
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #70 on: September 01, 2024, 06:41:27 pm »
There is no good fix to the repeater problem besides using reliable ToF measurement.  If the radio chipsets don't have ToF support then they are screwed in terms of a true solution to relay attacks, but they could still prevent CANbus/OBD-II attacks, and/or offer a feature like PIN-to-drive for free.

One of the issues is overcomplexity in modern cars. This causes many problems:
* Worse reliability,
* Car industry hogging all components like CAN transceiver chips during events like chipageddon
* Security issues (CAN attacks through headlamps etc.)
* Longer design cycles
* More expensive cars
* Buggy products hated by the customers
* Less innovation because higher fixed cost (10 engineer team working on "left headlight communication specification") forces you to manufacture larger numbers of the same design to get the ROI

I don't see any upsides to the complexity. It's a bubble. There is a whole lot of necessary complexity in a modern car, therefore all unnecessary complexity should be cut off.
 
The following users thanked this post: tom66, Benta

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13918
  • Country: gb
    • Mike's Electric Stuff
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #71 on: September 02, 2024, 03:27:28 pm »
There is no good fix to the repeater problem besides using reliable ToF measurement.  If the radio chipsets don't have ToF support then they are screwed in terms of a true solution to relay attacks, but they could still prevent CANbus/OBD-II attacks, and/or offer a feature like PIN-to-drive for free.
Motion sensing in the key would make a big improvement, with low cost to replace keys for existing users.
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 6905
  • Country: nl
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #72 on: September 02, 2024, 03:33:01 pm »
So they wait till you're getting coffee?
 
The following users thanked this post: tom66

Online tom66

  • Super Contributor
  • ***
  • Posts: 6896
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #73 on: September 02, 2024, 03:54:49 pm »
So they wait till you're getting coffee?

Indeed, there have been thefts of cars from shopping malls using keyless entry systems.  One accomplice follows the mark, having parked his flashy Audi up in the parking lot, with half of the piece of kit.  Once the mark is away from the car, the cloning device allows the thief with the receiver to drive the car out of the garage.

This is not a new attack, people searching for their cars with their fob pressing the lock/unlock button have been targets before (basically, grab the signal before they get to the car and use that with vulnerable immobilisers), but it massively increases the possible window of attack.

 

Online Benta (Topic starter)

  • Super Contributor
  • ***
  • Posts: 6163
  • Country: de
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #74 on: September 02, 2024, 08:42:44 pm »
This is not a new attack, people searching for their cars with their fob pressing the lock/unlock button have been targets before (basically, grab the signal before they get to the car and use that with vulnerable immobilisers), but it massively increases the possible window of attack.

It'll open the car for content theft, but it won't start the car. And as the owner is on his way to the car, this is a low risk scenario and not really worth the trouble.
 

