In addition to the vulnerability of today’s car keys, in this post we briefly show attack variants, go into what we believe to be the completely exaggerated scare tactics of the ADAC, and above all explain how car owners can obtain the best possible theft protection inexpensively.
In 2015 we hacked the car key of an old Mercedes C180. (link to the video) Then we received a test vehicle from BMW to test whether the same car-key vulnerability could also be exploited there – and it could. Many “opened” vehicles later, the question came up again and again whether this would also work for “premium brands”, so we chose a Ferrari as a worthy representative of the six-figure price range. We added the video for this as a goodie at the end of the post ;-).
Special thanks at this point to Denis Maier, who always supports us in the field of cars, this time with a Ferrari 458 Italia!
The vehicle radio key (KFZ-Keys) was launched around 1993 by Siemens Automobiltechnik – better known today as Continental. PASE, the Passive Start and Entry System (Continental), perhaps better known to many as Keyless Go (Mercedes Benz), dates from 1999. I would like to note at this point that PASE, i.e. Keyless Go, is still being marketed as a “high-tech” goodie in 2017. In November 2016 I ordered a new Mercedes Benz and picked it up from the dealer almost 4 weeks ago – shockingly, I had to discover that Keyless Go, i.e. more security, also costs extra here – while I pay no extra for my insecure remote control key.
In our opinion, security must not be sold separately in products but must be part of the standard, especially when the technology could have been in use for years.
How does the attack work?
First of all, we have to understand how a classic wireless car key works (not Keyless Go). Car keys use a rolling code system, which means that a fixed number of possible codes is stored on the key. Each time you press the key, the currently valid code is sent and the “system” rolls over to the next code. There are three types of possible attacks:
- Replay attack
- Jam (and Replay)
- Brute force
As a PoC we have a replay attack and a brute force attack. But first a little theory. Radio keys work on different frequencies: 433.92 MHz, 315 MHz and sometimes also 868 MHz. This depends on the manufacturer and the region; 433.92 MHz is the standard for EU vehicles. Sometimes different types of modulation are used, but this was no problem with the key we tested.
If we put the key in a cool box lined with aluminum foil, it is well shielded from interfering signals. To do this, I drilled a small hole for the USB cable of my receiver to connect it to my MacBook. If you now press the key (glued to the inner wall, with a metal rod through a second hole), we receive largely interference-free signals.
Now we start our sniffer; it captures the raw signal 1:1 and saves it to a file.
If we play this signal now, the Ferrari opens once.
Up to this point, the attack cannot be used realistically.
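To make the rolling-code behaviour above concrete, here is an added example (not code from the original post) that models a key fob and a receiver with a forward acceptance window. It shows why replaying a code the car has already heard is rejected, while a press captured in the shielded box (which the car never heard) is accepted exactly once. The code format (an HMAC over a press counter) and the window size are assumptions for illustration; real systems such as KeeLoq use a block cipher.

```python
"""Model of a rolling-code key fob and receiver (constructed illustration)."""
import hashlib
import hmac

WINDOW = 16  # assumed: receiver accepts counters up to 16 presses ahead


def make_code(secret: bytes, counter: int) -> bytes:
    """A press transmits the counter plus an authenticator bound to it."""
    ctr = counter.to_bytes(4, "big")
    tag = hmac.new(secret, ctr, hashlib.sha256).digest()[:8]
    return ctr + tag


class KeyFob:
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> bytes:
        self.counter += 1  # "rolls over" to the next code on every press
        return make_code(self.secret, self.counter)


class Receiver:
    def __init__(self, secret: bytes):
        self.secret, self.last = secret, 0  # last counter the car accepted

    def accept(self, code: bytes) -> bool:
        counter = int.from_bytes(code[:4], "big")
        # Already-used counters and counters too far ahead are rejected.
        if not self.last < counter <= self.last + WINDOW:
            return False
        # Forged or corrupted tags are rejected (constant-time compare).
        if not hmac.compare_digest(code, make_code(self.secret, counter)):
            return False
        self.last = counter  # the car moves on; this code is now burned
        return True


def scenario() -> dict:
    """Replays a code the car heard, then a code captured in the shielded box."""
    secret = b"constructed-demo-secret"
    fob, car = KeyFob(secret), Receiver(secret)
    heard = fob.press()  # normal press: the car hears it and advances
    car.accept(heard)
    boxed = fob.press()  # press inside the cool box: the car never hears it
    return {
        "replay_of_code_car_already_heard": car.accept(heard),  # False
        "first_replay_of_boxed_code": car.accept(boxed),  # True
        "second_replay_of_boxed_code": car.accept(boxed),  # False
    }
```

The receiver only ever checks "newer than the last code I saw, and not too far ahead", which is why a single unheard code is still valid and why the car opens once but not twice.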
Jamming describes the disruption of signals by interfering signals. Since we were able to record an almost clean signal in our “laboratory”, we know exactly what bandwidth the signal uses. Since sender and receiver are often, to put it nicely, cheap devices, the reception and transmission power is often modest. Therefore, the reception is often a bit “more generous”, so that the signal from the key can still be received and properly demodulated despite, e.g., temperature fluctuations. So in the first step we need an interfering signal; for this I decided on the song “Rude Boy” by Rihanna – actually not my music, but it was on the radio when I was recording the radio waves from a regional radio station; thanks BigFM for the jamming signal :).
Joking aside: now that I have the signal, I play it on a frequency at the edge of 433.92 MHz so that it is close to that of the key. 433.9191 MHz worked fine on the Ferrari. If I play this with a decent gain in a loop and press the car key of my Ferrari, nothing happens.
Perfect: the Ferrari’s “lock” signal is now being interrupted.
Now that we have recorded a clean signal and have a jammer, we of course still need a filter that removes our own jamming while recording. For this purpose I wrote a simple low-pass filter (a filter that removes frequencies above a defined cut-off). If we let things take their course and our victim parks his Ferrari in the parking garage, his vehicle no longer locks. If the victim notices this, he or she may lock the door, but do you always turn around to check your vehicle?
Suppose you did turn around and locked the car, come back after your shopping and press “open”? Again nothing happens, because now we have recorded the signal and blocked it on its way to the Ferrari – even if you probably don’t take the Ferrari for the weekly shopping. So you unlock the door and drive away. The attacker follows you and waits; now we open your Ferrari with the recorded signal. Ferrari hacked!
Yes, but isn’t it in my garage?
Great, because the garage will probably be equipped with an 868 MHz radio receiver so that it can be opened by remote control, right?
Keyless Go & ADAC
We were astonished to find that the ADAC describes Keyless Go as unsafe and underpins this with videos and a constantly updated list of vehicles that can be opened and started using the ADAC scenario. At this point we would like to explain the process in more detail.
The ADAC scenario:
By relaying the signal (similar to a Wi-Fi repeater), the range of the key’s signal can be extended. This actually makes it possible to open and start the car. According to the ADAC, this makes the system less secure than the traditional radio key.
The scenario could look like this:
The victim sits in the café and the perpetrator sits a maximum of 1.5 m away – otherwise the signal is lost. Depending on the distance, a second perpetrator must now be available to extend the signal and receive it at the parked vehicle. So the perpetrator must be extremely close to the victim, and a second perpetrator is needed.
Comparison to the Jam and Replay attack on old radio keys:
In contrast, the jam-and-replay attack on old radio keys needs only a one-time signal, and the attacker does not have to be in the immediate vicinity of the victim, because sometimes even 40 m away in the parking garage is enough. Even at night, the vehicle can easily be stolen from the victim’s garage, often precisely when the garage is also opened by radio remote control. This scenario is much more threatening, because here the victim can really only protect himself by no longer using the classic radio key. In addition, such attacks also work without a key, via brute force, and only one perpetrator is required in both cases.
Keyless Go, on the other hand, cannot currently be attacked successfully by brute force, nor can a classic replay attack be carried out – and protection is available for € 8.99 on Amazon (link below). However, the press and the ADAC leave out this reference – I think drama is being generated. If the Keyless Go key is kept in such a case, the ADAC attack is successfully repelled!
Our conclusion and what car owners can really do
- We, as IT security experts, would like to expressly point out at this point that although in principle any type of radio transmission can be attacked “by design”, Keyless Go is definitely more secure than the traditional radio key!
- Our appeal to the automotive industry: The “keyless” PASE system must be part of the standard and must not be sold as a “special feature” for an extra charge!
- In our opinion, the ADAC only unsettles buyers and stirs up fear and further uncertainty; uncertainty that can and will be exploited by hackers in social engineering attacks.
- If you want to protect yourself as well as possible, you have to do without conventional remote control keys and should use Keyless Go technology in combination with an appropriate protective cover for the car key; similar to a protective cover for smartphones, only with the function of shielding the key’s signals from being “tapped” by criminals. (link for an example product)
So if you want to open my Mercedes: go ahead, I didn’t pay the surcharge, because I won’t be rewarding the automotive industry on this point.