Sniffing and jamming of automotive RF signals a growing security problem
Automotive wireless key entry systems remain vulnerable to easy-to-get hacking technology
Security standards should not be open for general use regardless of labor policies
Not that long ago, while attending a technical conference in San Francisco, my colleague’s high-end BMW was broken into by a cyberattacker. There was no damage to the car but both of our laptops (secured in the trunk) were stolen. From that point on, automotive wireless security issues became a real concern for me.
How did the break-in occur? With great ease, according to several recent news stories. Using a $30 tool developed by hackers to “pwn’ the onboard security systems, unskilled criminals can easily open and steal high-end cars. “Pwn” is an Internet slang for “own” as in conquering or stealing to gain ownership. With the $30 tool from China, criminals are able to reprogram a blank car key fob that allows these non-techie thieves to steal a vehicle within two or three minutes. And it’s not just China questionable tech. A careful Internet search reveals a certain cipher development kit offered by a leading US company. One hopes its primary use is to develop ways to defend against ongoing hacks.
Part of the problem is automotive on-board diagnostics (OBD) bypass tools available via shipment from China and Eastern Europe. Potential car thieves need only intercept the wireless transmission between a valid key fob and a car before reprogramming a blank key. With the new key/fob in hand, the criminals can then either open the car or start it, via the OBD system and protocols.
RF and wireless sniffers and jamming products are readily available on the Internet. Product descriptions on these websites are usually so poorly written as to confirm the foreign origin of most of the vendors. BTW: The intentional jamming of RF signals is illegal in the US.
RF jammers exist for every type of wireless protocol from GPS, Wi-Fi and Bluetooth to mobile phones. Why jam signals from within your car? One reason would be to hide any GPS tracking data that is being sent out about the location of your car’s journey. Cell phone transmissions can also be jammed. Further, such jammers could be used against near-by vehicles depending upon their proximity, the jammer’s transmitter power strength and the target receiver’s architecture (i.e., the vehicle being jammed).
The goal of jamming is to interfere with or prevent the clear reception of RF signals by electronic means. In general, a jammer is designed specifically for targeted receiver architecture. Once the type of jammer is known, then its effects can be mitigated within the receiver.
Detecting the presence of a jammer is key in mitigating the issue since it is very difficult to jam the jammer. Technically savvy car owners can use spectrum analyzers to measure average energy changes in the car fob’s locking spectrum. Detecting a jamming scenario lets the car owner know that danger is present. The technology is now so prolific that a quick search on the Internet will reveal instructions on how exactly to hack a car’s key fob in surprising detail. (Note: I’m deliberately not mentioning specific products or sites.)
Concerning policy challenges, it must be understood that OBD readers are readily available for legitimate purposes to car repair and after-market shops. One problem is that the OBD data needs to be open to such third-party garages to satisfy the European free trade federation’s rules on open competition in the automotive trade business.
This means that both technology and well-intended but ill-conceived foreign market labor policies enable cybercrime in a global economy. It is a systemic problem that will need close cooperation between high-tech security and software companies, OEMs, and policy makers in a variety of governments.
Still, more could be done to improve the often-called weak cryptography of many wireless automotive key systems. Several standards have emerged that should help. For example, the United Nations Economic Commission for Europe (UNECE), working with the ISO standards boy and others, has provided a document on System Security Principles for Intelligent Transport System and Connected and Automated Vehicles. This document references ISO/IEC JTC 1 applicable standards and guidance documents, together with two SAE standards: SAE J3061, Cybersecurity guidebook for cyber-physical vehicle systems and SAE J3101, Requirements for hardware protected security for ground vehicle applications, and four NIST documents.
The problem now extends beyond the vulnerabilities of wireless, keyless car locking systems. In late 2019, Motherboard reported that a hacker known only as L&M cracked more than 27,000 commercial car fleet accounts through GPS signals. The hacker could then track vehicles in a small number of foreign countries, including India and the Philippines, and shut down vehicle engines that were stopped or traveling 12 mph or slower, Motherboard reported.
The problem of insufficient automotive cybersecurity will only get worse with the move toward autonomous and connected cars.