Hacking Car Security System and Remote Keyless Entry (RKE)


Hacks for RKE are so easy to find on the web that the following question arise: Are you sure that using a Remote Keyless Entry (RKE) as car security system, your vehicle is still safe? A Remote Keyless Entry is a system designed to theoretically permit or deny the access to the cars. The modern vehicles are equipped with various access control systems to prevent being stolen. The manufacturers promote many products such as immobilizer, RKE (Remote Keyless Entry), PKE (Passive Keyless Entry) for their cars. However, more and more car thieves still break into these advanced systems with their continuously improved hacking gears.

1. Threats and Attacks

There are different levels of attacking methods, either physical or logical (mathematical) ways. We are not going to involve too much discussion about cryptography, which is very boring for most visitors. And an open discussion for any existing Remote Keyless Entry (RKE) system will bring up more legal risks.

Interference for Remote Keyless Entry (RKE):

This interference unit approach is used to attack the communication between the remote key and the RKE/ECU of the car. Most of RKEs employ OOK/ASK (such as MAXIM), which is very sensitive to the RF interference and easy to monitor.

RF Scanner:

Another hacking approach is the RF scanner. The thief will scan all parking cars and try to open the cars with fixed or hopping codes in 10 m range. According to the report, the 3 billion hopping code can be tried in 10 minutes. If the Remote Keyless Entry (RKE) system under attack doesn’t use extra encryption and authentication algorithm, this traditional try and error approach is quite useful in hacking most of the RKE (Remote Keyless Entry) systems.

RF monitors & Session Playback:

The most advanced hacking approach is using RF monitor and session playback. The thief can use RF monitor to scan the RF communication between the RKEs and the remote keys. Then they decode the ciphers and simulate or make a “valid” remote key with PC. This approach is based upon extensive arithmetical operations.  Remote Keyless Entry systems are not the banking systems, they have not the limitation for trials. According to update report, the thieves who use the RF monitors can break into any high-end cars, including BMW, Benz, Bentley and etc. That is also a big reason why Microchip does not reveal the algorithm for its new KeeLoq products any more.

Possible Remedies:

The biggest defect of most Remote Keyless Entry systems is plain communication on an open and insecure media: RF. The real reason is cost-driven and customer experience. However, such lagging thought should be abandoned in a fast growing world. Security should be the first consideration. Now the computers are cheaper and more powerful. We can find some alternative solutions accordingly to the make up the RKE systems. Accordingly, the possible remedies for existing RKE systems include improved modulation under noise, mutual authentication, and encrypted communication with random seed.

2. Infrared, Zigbee and Bluetooth

Infrared could be a low cost alternative physical layer for the RF based RKE systems. The infrared system is difficult to monitor or copy because of its visibility and narrow communication angle. One Chinese graduate student released an infrared access control system with mutual authentication with a standard 89C51 microcontroller. Its communication speed is reduced on purpose. The successful communication still fast enough for authenticated users, but it is a nightmare for car hackers. There are two RF alternative solutions for RKE systems: IEEE802.15.4 and Bluetooth. These two technologies are low-cost solutions, which are very cheap and proven in the consumer market. They can bring more safe two-way RF communication with mutual authentication. IEEE802.15.4 is well-known as Zigbee, which uses DSSS/BPSK and DSSS/O-QPSK modulation, which offers higher anti-interference capability. Most of the Zigbee suppliers also offer their proprietary protocols, which can be implemented in a small-footprint microcontroller, and it is more attractive for the car manufacturers. Technically, IEEE802.15.4 is a proper replacement for the existing RKE systems, because it has longer battery life-time and it can be permanently embedded into a remote key. The car makers can develop their own cryptographic algorithm or strong RSA authentication in the embedded microcontrollers, which always bring more flexibility and options in deployment. The Bluetooth uses GFSK modulation with hopping frequency capability. However, Bluetooth may win the market because most of the mobile phones have Bluetooth modules. On the other hand, broader installation base may be the shortcoming as well. And someone does not appreciate the key pairing of Bluetooth. There are too many commercial considerations.

3. CDMA Key

Theoretically, CDMA(Code Division Multiple Access) is the best solution for the RKE systems. It has PN code and spread frequency modulation, so the CDMA system can work in a noisy environment, is hard to monitor and track. However, we have to face the IP barrier and cost challenge.


Based on text written by allankliu

Leave a Reply