It's the worst nightmare of the remote-control age - German scientists claim to have cracked the code of the electronic blipper that locks and unlocks cars and garage doors.
The team from Ruhr University says it is now relatively straightforward to clone the remote control devices that act as the electronic keys.
The scientists say they have overcome the KeeLoq security system, which is made by US-based Microchip Technology and is used by Honda, Toyota, Volvo, Volkswagen and other manufacturers to transmit access codes using radio frequency identification technology.
The revelation caused consternation among the car makers. Volvo said it took security extremely seriously, but preferred not to comment further until its technical teams were able to look at the scientists' claims to establish whether they could be substantiated. At Volkswagen, a spokeswoman would make no comment. Honda also said it would pass the information to its engineering teams, echoing the view: "We obviously take security very seriously."
If the claims are correct, they could pose a major headache for the car companies, whose keyless entry systems are becoming increasingly common in their high-end marques.
The research team from Ruhr's Electrical Engineering and Information Sciences Department said the crack applies to all known car and building access control systems that rely on the KeeLoq cipher. The team targeted and ultimately cracked the system's RFID as part of its research in embedded security. "The security hole allows illegitimate parties to access buildings and cars after remote eavesdropping from a distance of up to 100 meters," says professor Christof Paar, head of the communication security group at the department.
Timo Kasper, a PhD student who worked on the research, blamed KeeLoq for keeping the cipher secret. He said: "If they had made it public they would have found out 20 years ago that it's insecure. Now it's a little bit too late, because it's already built into all the garages and cars."
Because most access devices are publicly available, it's not too hard for attackers to get their hands on one to perform the analysis. The hack requires about £1500 worth of equipment and a fair amount of technical skill, but once the unique master key for a particular model is available, it works universally, Kasper said.
Paar's team used various code-breaking technologies to develop several attack variants. The researchers said that the most devastating was the so-called side-channel attack on car keys (or building keys), which can be cloned from a distance of several hundred meters.
Based on the research, an attacker can reveal the secret key for the remote control in under an hour, and the manufacturer key of the corresponding receivers in less than a day.
"Eavesdropping on as little as two messages enables illegitimate parties to duplicate your key and to open your garage or unlock your car," says Paar. "With another malicious attack, a garage door or a car door can be remotely manipulated so that legitimate keys do not work any more. Thus, after the security of the building or car has been breached, the attacker can prevent you from future access."
The scientists said KeeLoq's security relies on poor key management, in which every key is derived from a master key that's stored in the reading device. Moreover, it uses a proprietary algorithm that had already been shown to generate cryptographically weak output.
That algorithm was kept secret for most of the last 20 years but 18 months ago an entry on Wikipedia published it. The research team almost immediately spotted weaknesses.
Microchip officials have been quiet on the revelations, relying instead on a prepared statement which said: "The paper requires detailed knowledge of the system implementation and a combination of data, specialised skills, equipment and access to various components of a system, which is seldom feasible.
"These theoretical attacks are not unique to the Keeloq system and could be applied to virtually any security system."