Automobiles are getting ever smarter, and cracking them with a crowbar and a screwdriver is getting ever more difficult. Statistics back up that assumption: According to research from Jan C. van Ours and Ben Vollaard highlighting car theft and recovery data, vehicle theft decreased by 70% between 1995 and 2008 in the Netherlands and by as much as 80% in Great Britain.
One of the causes of the decrease is the ubiquitous introduction of so-called “immobilizers.” Immobilizers, however, are just as susceptible to cracking as any other relatively complex technology. Cybersecurity researcher Wouter Bokslag chose this as the subject of his Master’s thesis and presented the results of his research at the 36th Chaos Communication Congress (36C3).
What an immobilizer is
In a nutshell, an immobilizer tries to ascertain if the person behind the wheel is a rightful owner. If it cannot be sure, it simply will not let the car start. The recognition process is imperceptible to the lawful owner; it happens within a fraction of a second, with no user participation.
The world’s first-ever immobilizer was patented as early as 1919. At the time, the driver needed to connect contacts in a certain order, and if the order was wrong when the car was started, an alarm went off.
Today’s immobilizer consists of two key parts: a transponder in the ignition key and a receiver in the car itself. When someone attempts to start the engine, the vehicle sends a request to the key. If the key returns the correct predefined signal, the immobilizer sends a command to the engine control unit to start. Without the right signal, you can’t start the car.
Hitag2, DST40, and Megamos Crypto were some of the first transponders. Having been scrutinized over the years, they are now considered insecure. You can read about the shortcomings of Hitag2 here, and those of Megamos Crypto here.
In the final decade of the 20th century, immobilizers proliferated. They became mandatory in the EU states in the late nineties, and other countries gradually followed suit. If we can believe those countries’ reports, immobilizers contributed to a significant decrease in auto theft.
Carjackers strike back
Car theft certainly did not stop there, though. Following a familiar pattern, once immobilizers went mainstream, an arms race between criminals and car brands ensued. As cars got smarter, offenders kept up, and immobilizers proved fairly easy to trick. Successful cracking attempts became frequent, and car theft’s long-standing, steady downward trend reversed around 2010. Great Britain’s car theft rate reached an eight-year high in 2018, and many other countries saw a similar trend: a plunge until 2010 followed by a slight rebound or a plateau.
Expensive luxury brands persisted as the most frequently hijacked cars. Cybersecurity researchers focused on those brands as well, and despite the manufacturers’ huge budgets, the results of those studies were disappointing.
You might reasonably ask: if an expensive luxury car can be stealthily cracked within ten seconds, what does that say about the higher-volume models that most people drive?
Studying immobilizer security
In his study, Bokslag tried cracking three cars by popular brands. None of the cars was new; they all dated back to around 2009. The models were inexpensive B-class hatchbacks — the aforementioned higher-volume models. According to the authors of the study, many newer cars use similar antitheft systems.
Bokslag used the following approach:
- Gain access to CAN bus traffic. The CAN bus is what the internals of most current cars use for communication.
- Read messages that the immobilizer components exchange.
- Get hold of the engine control module (ECM) or body control module (BCM) firmware.
- Identify the algorithm used in the messaging.
- Use the previously obtained data to prove that you can start the car without an original key.
Step one is fairly easy: Access to the bus is available through the standard OBD II port. All cars from after the year 2000 have it, and it serves the purpose of diagnostics. Once inside a car, you have access to the interface.
One could get the firmware in a hundred ways, from fairly complex techniques to a simple Internet download. That’s right: The firmware for many cars is available online; manufacturers provide it for diagnostics or maintenance.
Well, that’s fine as long as all traffic is reliably encrypted. But herein lies the biggest disappointment: The first two immobilizers were using very weak encryption. On the first car, it took only seconds to retrieve the vehicle security code, which allows for the authorization of a new key and subsequently disables immobilization. Obtaining the second test car’s security code took as many as 4,000 attempts, or about 15 minutes.
The third specimen was actually tougher — its immobilizer protocol did not have any obvious flaws and was not broken. However, the researcher determined that the key’s chip emulates the PCF7935 transponder, which is similar to the one used in the Hitag2. Using Hitag2’s known weaknesses, you can start the car in just 6 minutes without any need to mess with cryptography.
All three systems are still around, and installed in some cars built in 2019.
What do we do?
Immobilizers are really effective against more conservative offenders who are still using mechanical techniques. They are, however, no match for the more sophisticated among carjackers — in the mass-produced segment anyway.
Therefore, odd as it may seem, a possible recommendation for automobile owners is to remember their roots and not to discard technologies from the eighties and nineties. To break into an electronic security system supplemented with a mechanical steering wheel lock, a carjacker needs the skills to crack both electronics and mechanics.
You still might cross paths with a skilled “two-in-one” carjacker, but at a minimum, doubling up on your security will make stealing your car a little harder than the one next to it. As they say, you don’t have to outrun the bear — just be faster than the other guy.
That said, car manufacturers remain carjackers’ key adversaries, but they are cybersecurity beginners in many ways. Unfortunately, they use proprietary — and often unsophisticated — encryption algorithms that disregard industry standards, and antitheft systems become hopelessly obsolete by the time the cars they protect hit the market.
Despite that, we and others have taken some initial steps to improve automobile security. For some years, we have partnered with AVL, the largest independent manufacturer of automotive systems, to make modern connected cars much more secure. You can learn more about our vision of a secure car in the post Connected cars: Secure by design.