Several weeks ago, New York Times columnist Nick Bilton wrote about his car being broken into in front of him. After speaking with security researchers, Bilton arrived at the theory that his car was snatched with the help of a signal repeater that boosted the range of the keyless entry fob. That seemed like a reasonable explanation to us; we reported on a spate of car burglaries in southern California in 2013, arriving at a similar conclusion. In both cases, the work of a Swiss-based security expert named Boris Danev was central to pointing the finger at signal repeaters. This week, Bozi Tatarevic at The Truth About Cars wrote up his attempt to test this potential exploit in quite some detail.
Danev's 2010 paper "Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars" demonstrated the vulnerability of keyless entry fobs to signal amplification, but doing so required a lab bench full of equipment, and an AC power supply. Tatarevic was unable use Danev's approach to create a low-cost cordless signal amplifier and instead concludes that the burglaries were more likely the result of a brute force attack against the rolling codes that some manufacturers use for their unlocking signals.
Tatarevic bases this on the work of Silvio Cesare, another security researcher who demonstrated such an attack at last year's Black Hat conference. That attack involved using a laptop and a software-defined radio (SDR) to send the car code after code until the right one unlocked the doors, something that could take up to two hours. That could fit with the facts; in each burglary, the cars had been parked for some time. This trick would also only unlock the car, unlike amplifying the signal of a keyless entry system, which would allow the car to be started, if only once.
Read 2 remaining paragraphs | Comments