In the United States in particular, a new form of car theft is spreading that targets vehicles equipped with the Smart Key electronic entry and starting system. Ken Tindell, chief technologist at the British software and IT security company Canis Automotive Labs, and a colleague recently documented a corresponding injection attack on the CAN bus (Controller Area Network) using a manipulated Bluetooth loudspeaker. Among other things, a video has now surfaced in which an old cult cell phone, the Nokia 3310, is used to connect to the vehicle’s internal control system and bypass the immobilizer in a matter of seconds.

The nearly 30-second clip shows a person sitting in the driver’s seat of a Toyota and repeatedly pressing the start button next to the steering wheel without success. A red light flashes; nothing happens without the required smart key. The man then uses an unusual tool: a Nokia 3310. You can see how he connects the mobile phone, which has been popular for more than 20 years, to the car with a black cable. He then scrolls through a few options on the tiny LCD screen. “Connect. Get Data” is shown on the screen. Then comes another attempt to start the car. Lo and behold: the button lights up green and the engine howls.

During the attack, a simple input tool is used to feed fake messages into the serial data bus network that links the control units, via endpoints such as the headlights. Once the door is open, connecting a prepared device such as the mobile phone, even without an Internet connection, does the rest. These planted messages spoof a smart key and its instructions, allowing the compromised vehicle to be stolen.

The online underground market for such car security bypass products is growing. With the devices available online for a few thousand dollars, the barrier to entry for theft of even high-end luxury cars has dropped drastically. While researching, the online magazine “Motherboard” came across numerous YouTube videos that demonstrate this technique. The videos also show devices being used on Maserati, Land Cruiser and Lexus vehicles. The technology is advertised for prices between 2,500 and 18,000 euros on several websites, on the Darknet and on Telegram channels.

One seller is offering the modified Nokia 3310 for 3,500 euros, another for 4,000 euros, the report says. The providers often speak euphemistically of “emergency start” devices that are actually intended for locksmiths. Some of the marketplaces offer tools that might be useful for such professional helpers. However, reputable companies would probably have no use for such instruments hidden in inconspicuous devices. There are even updates for sale for devices that have already been purchased. This indicates that the devices' capabilities are constantly being developed.

Once a hacker reverse engineered how a smart key module communicated over a given vehicle’s CAN bus, it took “just a few minutes,” Tindell told Motherboard, to manufacture each individual device with the crack on board. “It’s not a lot of work: solder a few wires, coat everything with a blob of resin” – done.

Tindell again emphatically appealed to affected car manufacturers to issue a software update that stops the growing number and range of CAN input devices from working. In addition, it is necessary to encrypt the log messages. “The software is simple, and the only complex part is the implementation of the infrastructure for cryptographic key management,” emphasized the expert. Since new vehicle platforms already use cryptographic solutions, the solution is either already present in newer cars or has to be introduced or retrofitted anyway.
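To make the defensive idea concrete, here is an added sketch (not from the article, Tindell or any manufacturer) of how a receiving control unit could reject planted frames. It assumes the cryptographic protection takes the form of a truncated HMAC plus a freshness counter in each 8-byte frame; the frame layout, the CAN IDs and the key are constructed for illustration, and the key provisioning that Tindell calls the hard part is out of scope.

```python
import hashlib
import hmac
import struct

TAG_LEN = 4      # truncated MAC bytes carried in the frame (assumed layout)
MAX_PAYLOAD = 2  # 8-byte classic CAN data = payload + 2-byte counter + 4-byte tag

def _tag(key: bytes, can_id: int, counter: int, payload: bytes) -> bytes:
    # Bind the tag to the CAN ID and counter so a frame cannot be re-labelled or replayed.
    msg = struct.pack(">IH", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

def protect(key: bytes, can_id: int, counter: int, payload: bytes) -> bytes:
    """Sender side: build the data field payload || counter || tag."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload does not fit next to counter and tag")
    return payload + struct.pack(">H", counter) + _tag(key, can_id, counter, payload)

class Receiver:
    """Receiving ECU: accepts a frame only if it is authentic and fresh."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = {}  # highest counter accepted per CAN ID

    def accept(self, can_id: int, data: bytes) -> bool:
        if not 2 + TAG_LEN <= len(data) <= 8:
            return False
        payload, ctr, tag = data[:-6], data[-6:-4], data[-4:]
        counter = struct.unpack(">H", ctr)[0]
        if not hmac.compare_digest(tag, _tag(self.key, can_id, counter, payload)):
            return False  # sender does not hold the key: injected frame
        if counter <= self.last_counter.get(can_id, -1):
            return False  # authentic but stale: replayed frame
        self.last_counter[can_id] = counter
        return True

def demo() -> list:
    key = bytes(range(16))             # constructed demo key
    rx = Receiver(key)
    genuine = protect(key, 0x123, 1, b"\x01")
    injected = protect(b"\x00" * 16, 0x123, 2, b"\x01")  # built without the real key
    return [rx.accept(0x123, genuine),   # authentic and fresh
            rx.accept(0x123, genuine),   # same frame again: replay
            rx.accept(0x123, injected),  # wrong key: rejected
            rx.accept(0x124, genuine)]   # moved to another ID: rejected

if __name__ == "__main__":
    print(demo())
```

A 16-bit counter wraps quickly on a busy bus, so a production design needs a wider or resynchronised freshness value.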

Vehicle theft is “an industry-wide challenge” that Toyota takes seriously, a spokesman for the Japanese automaker’s US division vaguely told Motherboard. Despite technical progress, thieves keep finding ways to circumvent existing anti-theft systems. Toyota has committed to “continue to work on this issue together with theft prevention experts, law enforcement agencies and other key stakeholders”. BMW did not respond to a request for comment. The Keyless Go system, which works in a similar way to a smart key, has long been considered unsafe. Attackers can, for example, use their own transmitter to extend the range of the radio signals exchanged between the car and the key and thus open the lock with a relay attack.


(tiw)
