Trainers, a black hoodie, slim jim, a sinister look – many people have this clichéd image of car thieves in the back of their mind. But those days are over: in the age of digitalisation, car thieves operate with small briefcases containing a laptop, radio devices and special connectors. This is all it takes to uncover radio key codes and crack electronic immobilisers. In Houston, two hackers stole more than 100 vehicles of the makes Jeep and Dodge in six months in 2016 – they started the engine using a notebook. In 2015, according to the Federal Criminal Police Office, German car owners registered almost 36,000 vehicles as stolen – which in purely arithmetical terms is more than four cars per hour. In Germany, insurers paid out around EUR 356 million in compensation for fully insured vehicles in 2015. The detection rate is sobering: the nationwide average is less than one third. In most cases, the teams behind the thieves either strip the stolen vehicles into their individual parts, or they transport them whole to eastern Europe.
When you buy a new car today, on many models you can opt for a keyless locking system. The car can be unlocked and started without the owner needing to have the key in their hand. More and more cars can now be unlocked by smartphone as well – for example the General Motors models, which feature the “OnStar” infotainment system. A hacker was able to intercept communication between a smartphone and car. Afterwards, he was able to unlock and lock the car whenever he liked.
In 2016, the German automobile association ADAC tested more than 20 vehicle models with keyless systems. All of them could be overpowered in seconds using a relay attack, also known as an RSA hack. For this purpose, car thieves use radio extenders. The signals of the radio key can even be intercepted through walls and transmitted up to 400 metres. The car thief only has to forward the intercepted signal to an accomplice, who is waiting at the vehicle with a receiving device. It is just as easy for tech savvy thieves to prevent a car from being locked by using an interfering signal. Once the owner has walked away, they climb in and drive off. After stealing a car, thieves often program so-called blank keys, which can be bought online, by tapping the car’s software through the OBD socket in the footwell. In this way, they can extract all of the essential vehicle information onto the key, and unlock, lock and start the car.
Risky radio key
Like keyless systems, radio keys are also at risk. This was shown by an attack on the radio-controlled car locking systems of 15 manufacturers, which caused a stir in August 2016. Researchers from Bochum and Birmingham analysed the encryptions and uncovered a system in the opening code. In this way, the codes could be predicted and the functions of the key reproduced at will. Around 100 million vehicles built from 1995 onwards were affected worldwide. For the researchers, the root of this problem lies in the fact that manufacturers only rarely change the cryptographic passphrases in keys over a long period of time.
Hare and tortoise
The search for suitable preventive methods, meanwhile, is like the race between the hare and the tortoise: a car company only just develops something new and the opposite side already has the answer. Apart from low-tech solutions, like placing the radio key in several layers of aluminium or packing it in a tin box, electronics are helping. The SecuKey system deactivates the factory-set keyless system from a certain distance, thereby thwarting range extenders. Apart from that, the trend among the good guys is heading towards personalisation. Future car models are set to identify their legal owners using biometric characteristics. A tender key then only starts the engine if it recognises the finger features synchronised with it beforehand. VW is experimenting with an infrared camera, which records the facial features of the driver. If the driver is not recognised, a warning message is sent to the car owner’s mobile phone. BMW is also researching in this direction. To make sure thieves don’t outsmart the facial recognition by using dolls, masks or photos of the car owners, BMW has patented a biometric driver identification system. This scans the driver’s retina. A blacklist featuring the stolen SIM cards and the IDs of stolen control devices will also act as a deterrent. The back-end uses this to recognise and block unauthorised use immediately. Key technology is also advancing. An asymmetrical algorithm developed by the Fraunhofer Institute in Garching aims to prevent the code from being decrypted. The BMW electric car i3 recognises the owner using radio signals from the smart watch supplied with the vehicle. But the doors only open when the driver performs a predefined hand motion.