Root Causes 85: Automotive Key Fobs and Cryptography

Hosted by

Tim Callan

Chief Compliance Officer

Jason Soroko

Fellow

Alan Grau

VP of IoT and Embedded Solutions

Original broadcast date

April 23, 2020

Recent headlines have unveiled high profile attacks against automobile key fobs. Such an attack is potentially huge since successfully mimicking these fobs can yield complete access to an automobile's capabilities.

Our hosts are joined by repeat guest Alan Grau as they describe the cryptographic architecture of a modern automotive key fob, how these attacks take place, and what automobile manufacturers can do about it.

Podcast Transcript

Lightly edited for flow and brevity.

Tim CallanWe are joined once again by super guest, Alan Grau. Alan is VP of IoT and embedded solutions here at Sectigo. How you doing today, Alan?

Alan GrauI'm doing well. Thanks, Tim.

Tim CallanAnd we're here today - - We know - - whenever Alan is here, we know that there's a hardware component to what we're talking about, because that's kind of your specialty. Today, we're really interested in some new developments and I'm just looking at a, by way of example, a March 5 2020, Wired Magazine article about the possibility to clone key fobs for popular motor vehicles, and potentially get complete access to, you know, to everything you would be able to do with that vehicle. And so, this is an interesting topic. It matters to a lot of people and I think you can educate us on that today, right, Alan?

Alan GrauYeah. I've been doing a little research into the topic and be happy to talk about it with you.

Tim CallanSo, at a high level, what's going on? What's the attack? What's happening? And what can the bad guys do?

Alan GrauWell, the key fob is really the keys to the kingdom, right? Quite literally, that is the key to the car. So, if you steal my key fob, right, if I'm out at a restaurant, and I leave it on the table, and you steal my key fob, you can find my car, push the right button, it will flash the lights, and you know where it is, hop in and drive away. What we've seen, however, is hackers have shown that for a large number of key fobs, it's relatively easy to clone a key fob and then they've got a key fob for your car and can do all the things with it that you can.

Tim CallanSo how does that work? Are they listening in when you hit the button, and they get the signal that way? Are they, you know, touching it with something? Like what is - - physically how does that attack take place?

Alan GrauSure. There have been a number of different attacks. And, you know, all of them are based on essentially breaking the crypto that's utilized between the key fob and the car itself. So, just a little bit of background. So, the car, you know, one of the things that people realized some time ago, is that people hot wiring cars and stealing them is a problem that we need to solve.

Tim CallanRight.

Alan GrauAnd, so, an immobilizer was developed, introduced, and most, if not all, modern cars now have what's called an immobilizer and the immobilizer doesn't allow you to turn the car on until the mobilizer says, yes, you can turn the car on. And the way it works is through that authentication process with a key or the key fob and that's typically done by sending some sort of a rolling code or some short-encrypted secret between the key fob and the car and, again, typically it's what we call a rolling code or some piece of information that changes to help prevent replay attacks. So, if we take a step kind of back in time, early on, people would do replay attacks where they would listen in, you know, basically record the radio transmission between the key fob and the car and once it's recorded, they could then replay it.

Tim CallanPlay it back.

Alan GrauYep. Play it back and take over the car. So, the first step was well, okay, we will take that encrypted, make it a rolling code, and make it much harder for people to break into the cars in this way.

Tim CallanSo, it's changing, it’s time stamped, or it's using the last one as a seed or it's got something other like that, to make sure that it's unique every time?

Alan GrauExactly.

And so, then what, what people did in some cases, it's like, well, we'll also encrypt that data. So, make it harder to break and what one of the challenges in this is, you know, the trade-offs is, right, you don't want to have an $800 key fob with lots of hardware in it. So, people were trying to build super, super cheap key fobs. So, they had very limited capability in the chipset on the key fob to perform these operations. And so, some of the early ones were doing 40-bit encryption. 40 bits of what's called symmetric encryption. Something like an AES encryption algorithm. And that's important to understand for a couple of reasons. One is that means that it's symmetric encryption. So, both ends of the communication channel have the same encryption key. So, if you can discover the encryption key, then you can break the encryption.

Tim CallanGotcha. Sure.

Alan GrauAnd the other thing is, well, you know, most people listening to this podcast, probably pretty quickly recognized that 40-bit encryption as an acceptable level of encryption went out of vogue probably - -

Tim CallanIn the 1990s.

Alan GrauOr earlier, right? I mean, that was a long time ago that NIST said 40 bits wasn't enough, right? So, if you've got 40-bit encryption, you know, any PC today has got the horsepower to do a brute force attack on that and discover the encryption key. So that's just not strong enough. So, one of the fails was brute force attacks allowed people to break the encryption. Right? So, that was a problem. So, some of the systems did the right thing, seemingly, and upgraded their key links. Only they went to 80-bit encryption, which still isn't enough, right? Any, I think, you know, the NIST standard some time ago said 112 bits wasn't enough encryption for any modern, you know, encryption algorithm or any modern security system that needs to be able to protect data for any length of time. So, you know, really, we're looking at 120-bit minimum key links on anything that needs to be protected in a reasonably secure fashion.

Tim CallanSo, guys, question to both of you. I'm a little surprised, because chips are pretty cheap and automobiles are pretty expensive and it seems like it wouldn't be that hard to be able to support an acceptably large key length, and that the grand change in cogs would be completely rounding error. Am I wrong on this?

Alan GrauNo. I don't think you're wrong on that. I think that when people first started looking at building key fobs, they were, you know, you were replacing a piece of metal that cost $1, right, or 20 cents to produce and so there really was a cost sensitivity there that was disproportionate to what the cost of the car were, or cars are. And so, initially, it's like, well, we're gonna replace it with something to make it more convenient and, this is a theme that we've seen in IoT security, and every podcast we've talked about is nobody thought that deeply or that hard about security. And so, you know, so the engineers who, great engineers, but just don't understand security, put together something that was quick and easy and cheap, and didn't take a step back and look at the problem comprehensively and say, you know what, somebody is going to try to hack this, and it's going to be a problem, you know, so they just did something really simple, really cheap coming at it from an engineering perspective, as opposed to somebody coming at it from a security perspective and saying, you know what, people are going to hack this, we need to do the right thing and, and spend a little bit of money, not a ton, but a little bit to build in a reasonably secure solution.

Jason SorokoSo, Alan, a couple things here - the car itself and the key fob are the two things that are communicating, right? With each other, essentially. So, therefore, the secret, which essentially generates the cipher for these different sizes of bit length AES encryption, if I were a bad guy, in order to understand the problem that I have in front of me, you know, one of the first things I might not think about is, hey, I'm going to go and break that encryption. Even if it's a small bit length. What happens if I could just go into the car physically, because it's sitting on the street, and actually, somehow, through the OBD two port, which is on every car, be able to retrieve the key, right, the symmetric token, which essentially is generating this, this is the actual attack that we've seen in the real world, against some major automakers and so, this is where I want to pivot the conversation into the problem of symmetric keys, you know, essentially shared secrets being used to protect this kind of mechanism versus an asymmetric system. Can you help us to understand what the difference is and how it would help to avoid this problem that we're seeing in the real world?

Alan GrauYeah. Absolutely. So, one of the things that we've seen that's even easier than what you suggested is people will take the key fob itself, which is easier to gain access to, and use that to reverse engineer how the system works. You know, I mean the reality is, people have broke into these systems or defeated the security of these systems in multiple different ways. Some have been brute force attacks against the keys, some have listened to the RF signals and utilized that as a way to do it. One of the interesting ones is people actually took the key fob, found out they've got, you know, EPROM on them - well, that EPROM is the only place they could have stored the key. So, you've got, you know, some small number of bytes. I mean, in one case was like 384 bytes of data and somewhere within that are the 40 bits or the 80 bits, or even 256 bits of key material. So, you can use that for brute force attack. So, there's multiple ways to do exactly what you're suggesting. And, again, the problem is, it's a shared secret. Both sides of the conversation have that shared key.

And so, what we've seen as a way to solve that, and this is, you know, anytime you connect to a website using a secure protocol, so anytime your browser connects to amazon.com, your banking site, whatever it may be, it uses TLS. Right? So, TLS is the underlying security protocol and the way that the protocol works is it first does authentication and key establishment using public key encryption, using PKI certificates, and what's called asymmetric encryption, or public key encryption and in that mode, each node has its own key pair. So, it's got a public key and a private key and those keys are related in that if you encrypt data with the public key, you can decrypt it with a private key and vice versa. So, to kind of walk-through step by step the way that works, if we - - assume that Jason and I are communicating, and I want to set up a secure connection with Jason, I would - - he would share his public key with me which he can do over any insecure channel, I'd use that public key to encrypt a message with him that contains the private key, and some that - - or that contains not the private key, but the symmetric encryption key, the AES encryption key and send that to him. Now, Jason's the only person who can decrypt that because of the special way that symmetric keys, that asymmetric keys work, the Public-Private Key Pairs work. He can decrypt that message and we now have a shared key that we can utilize and we can use that for all of our communication. Now, if we had a crypto expert listening to this, they would say, well, there's a lot of subtleties that we've brushed over. And that's true, right? When you dig down into the details, there's a lot of things that they get involved underneath, but essentially, that's the process. And so now, each time you set up a communication session, you have a new key that's created and shared for just that session and nobody can, you know, find that hard-coded on the machine, you know, it's much, much more difficult to break that and even if they are able to, you know, listen to the traffic, do a brute force attack and discover the key, they can't use that for the next communication session. So, it's only used for that session. So, they can't use it to duplicate a key fob. So that's, you know, ultimately, the way any strong communication and authentication protocol should be implemented. And then the last point on that to get back to Tim's point, you know, early on, he said that hardware isn't that expensive, you know, for doing these things, right? There are chips available that support these types of operations that cost, you know, some small number of dollars, you know, so they're not hundreds of dollars to buy these chips, you know, they're, you know, $1 apiece, or somewhere in that ballpark. So, there is the ability to transition to this sort of technology.

Jason SorokoSo, Alan, right on that point, which is following up on Tim's point, which is important about the economy of this, you know, you think about a key fob. You can buy blank ones for various car companies for not that much money on eBay. And so, therefore, the underlying chipsets are quite cheap, but to truly consumerize this, turning your cell phone, you know, your smartphone into essentially the equivalent of a key fob through an app is something that's becoming more common. And I think Apple has intentions on this. Do you have any comments about it?

Alan GrauYeah. No, that’s actually, so, I think yesterday was the release of Apple's iOS version 13.4, if I'm not mistaken, but that was released a month or so ago to their developer program as, you know, a beta release and included in that is what they've got, what they've labeled as their, their car key API, I believe it's called, which does exactly that. So, it provides an API where you can through your iOS device, you know, for a smartphone, and I think it will probably also work on, you know, Apple watches have an application that's integrated with your wallet, that does some really interesting things. First off, again, it integrates back to the car, you know, and allows an application on the car to do that authentication. But the other thing that's interesting about it is, you know, it provides some advanced features. So, if I want to lend my car to Jason, I can send him through that app the credentials to do so. Now, this is still just kind of an early API release. We don't actually have, you know, working apps out there, that I'm aware of at least, to do this. So, I think a lot of this will evolve over time, but I think we'll see some really interesting things out of that and, you know, I have followed Apple for a long time and as a company, they have always had a security first mindset and have really done a good job in building security into their solutions. So, I'm, you know, I'm confident that they won't make some of these rookie mistakes that other, you know, other solutions have stumbled across and you know, resulted in the headlines that we’re seeing.

Tim CallanYeah. Yeah. You've got to imagine there's a few nice things about someone like Apple working on this, which is, as you said, they do understand the gravity and importance of security. They do absolutely have the chops to do it right. Right? They have, you know, expertise in-house that's as good as anyone does and this is kind of - - they’re seasoned. They've been around. They've suffered the hard knocks, and they have at least a better perspective - everybody can have a vulnerability, but they at least have a better perspective on how to build a protected ecosystem than, you know, someone who is coming from a very different space would.

Alan GrauExactly.

Tim CallanSo, um, maybe this is a good point to leave this gentleman. I think it's really interesting. I can see the many applications for putting key fobs on mobile devices. That's a very interesting development, but I can also see how it could go very wrong. So, let's make sure it doesn't. But, very interesting, and it's an important part of all of our lives and we probably don't think about the underlying cryptography and security in our key fob, but obviously, without that, a lot of things would go very haywire.

Jason SorokoYeah. They certainly have. And I tell you, I’ll just mention this very quickly in passing, but I happen to have a patent that's held from a former employee of mine on this very topic. And so, this topic is actually very near and dear to my heart. And I thank you very much, Alan for spilling the beans on how this really works.

Alan GrauNo, thanks for having me on guys.

Tim CallanAll right. Thanks, Alan. Thanks, Jason. Thank you, Listeners. This has been Root Causes.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!