A study conducted jointly by KU Leuven in Belgium and the University of Birmingham has revealed a serious flaw in the implementation of cryptographic measures within millions of car remote controls produced by Toyota, Hyundai, Kia and Tesla which makes them vulnerable to sabotage, increasing the risk of theft.
The problem attributable to the implementation that was made cryptographic system Texas Instruments DST80 inside car remote controls and which would allow a hacker to exploit a relatively inexpensive RFID device close to the remote control to intercept communications and clone it, thus being able to disable the car's immobilizer system. Once you have stepped over this bank, it would be sufficient to tamper with the ignition lock of the car to start the engine, with the "usual" techniques often portrayed in films and TV series.
The method requires that the attacker be in close proximity to the remote control in order to be able to scan it via an RFID device. In this way it is possible to obtain enough information to determine the encryption key, clone it using the same RFID device and use it in turn to disable the car's security measures.
The attack is possible because the encryption keys used by the cars involved were easily discovered by performing a reverse engineering operation on the firmware. In the case of Toyota, for example, the encryption keys were based on a serial number that was also transmitted with the remote control signal, while for Kia and Hyundai 24-bit randomly generated are used (but DST80 and supports up to 80 , hence the name): Professor Flavio Garcia of the University of Birmingham notes that "guess" the correct 24 bits a rather trivial matter. However, researchers did not divulge precise information on how encryption was hacked.
The researchers published a list of the cars involved in their study, but specified that the list is not exhaustive, thus suggesting the possibility that the problem may also affect other car models.
