How Hackers Gain Access to Your Vehicle


Content Marketing Manager

April 12, 2022

In modern connected vehicles, car hacking remains a top-of-mind threat.

2021 saw theft via manipulation of the keyless entry system increase significantly, including a 93% spike in keyless entry thefts in the UK alone.

How do hackers gain access to vehicles?

Our analysts broke down the most common methods, including a four-step ‘relay attack’ which takes two hackers and only 30 seconds. Beyond relay attacks, car thieves are utilizing replay attacks, key fob reprogramming, and signal jamming as methods to boost their rates of theft.

Exploiting a key fob

A key fob is the remote that’s handed over to you in place of a set of keys when you receive your shiny new car. The only thing that’s changed about it in the last 40 years is the “key” part.

The fob acts as a short-range radio transmitter that is constantly in communication with your car. When the fob is in close proximity to its designated vehicle, a receiver unit in the car and the fob acknowledge one another with a coded signal.

Transmitted signals can instruct a vehicle to perform a host of actions, from unlocking or locking doors, to opening or closing windows, activating headlights, and even starting the air conditioning systems.

It’s these increasingly common consumer features and conveniences that are creating a boon for vehicle thieves. The ability to access your car hands-free presents a previously unavailable vector that thieves have been manipulating to effortlessly open car doors and drive off.

How? Signals between fobs and cars are intercepted by devices designed to interfere with, or steal information from, a fob’s radio signal.

Relay Attacks

How two hackers conduct a rapid relay attack:

Four steps to conduct a relay attack and steal a car:

Step 1: One thief stands close to the vehicle, sending a signal to a second thief who is close to the car owner’s house holding a hacking device.

Step 2: The thief who is next to the house holds a second device, guessing where inside the house the owner’s key may be.

Step 3: The second thief relays information from the key (inside the house) back to the thief standing next to your car.

Step 4: The first thief enters the car using the relayed signal to unlock the door and start the engine. In just a few minutes, your vehicle’s security has been compromised, allowing it to be driven away.

Relay attacks are similar to Man-in-the-Middle (MitM) and replay attacks. They involve intercepting information between a sender and a receiver as they communicate, and using the intercepted information for other purposes.

Hackers use this approach and intercept communication between the key fob and the vehicle by acting as a transmitter or a repeater, without manipulating or changing the content of the communication. One actor waits by the vehicle while the other searches for the key on the other side of a wall, as many people store their fobs along with their keys, close to the front door.

Once the doors are unlocked, they can start the car if the signal is strong enough or reprogram a new key fob by physically accessing the OBD port and communicating with key in-vehicle systems.

In the field: In Wolverhampton, UK, in March 2021, two thieves managed to unlock a keyless entry European-made SUV using a wireless relay device. In a matter of minutes, they were able to pinpoint the key fob’s indoor location, capture its signal, and boost it to a second thief waiting next to the vehicle. They quickly unlocked the vehicle and drove away.

Replay attacks

In replay attacks, the objective is to intercept, steal, and store the contents of a message sent from the key fob or the car’s remotes, saving it for an attack to take place at a later time. Once the relevant message is in the hacker’s possession, it can be used whenever they desire to carry out an attack.

In the field: In early July 2021, a European-made vehicle was stolen in Burnside, Sawbridgeworth, UK. The hack involved a relay attack device pointed at the owner’s home. By scanning for a signal between the key fob and the car, thieves were able to lock onto the coded signal, activate the vehicle’s ignition, and drive the car away. This was just one of seven similar incidents that police reported in the Sawbridgeworth and Bishop’s Stortford area around the same time.
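As an added example, not part of the original article and not any vehicle maker's actual protocol, the Python below shows the receiver-side checks that address the two attack types described above: a counter check rejects a stored message replayed later, while a relayed response passes authentication unaltered and is caught only by a round-trip-time limit. The shared key, the message layout, and the MAX_RTT_NS budget are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

SHARED_KEY = b"constructed-demo-key"  # constructed sample key (assumption)
MAX_RTT_NS = 2_000  # assumed round-trip budget for a fob next to the car


def fob_unlock(counter):
    """Fob side: a button press is a 4-byte counter plus a MAC over it."""
    body = struct.pack(">I", counter)
    return body + hmac.new(SHARED_KEY, body, hashlib.sha256).digest()


def fob_response(challenge):
    """Fob side: answer to the car's fresh random challenge."""
    return hmac.new(SHARED_KEY, challenge, hashlib.sha256).digest()


class Receiver:
    """Car side (hypothetical): strict counter, no resync window."""

    def __init__(self):
        self.last_counter = 0

    def accept_unlock(self, msg):
        body, tag = msg[:4], msg[4:]
        expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "reject: bad MAC"
        (counter,) = struct.unpack(">I", body)
        # A captured message carries a counter the car has already seen.
        if counter <= self.last_counter:
            return "reject: replayed counter"
        self.last_counter = counter
        return "accept"

    def accept_proximity(self, challenge, response, rtt_ns):
        if not hmac.compare_digest(response, fob_response(challenge)):
            return "reject: bad response"
        # A relay forwards the genuine response unchanged, so the MAC check
        # passes; only the extra forwarding delay distinguishes it.
        if rtt_ns > MAX_RTT_NS:
            return "reject: round trip too slow, possible relay"
        return "accept"
```
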

Jamming communication

Jamming prevents communication between a fob and a vehicle. When the vehicle’s owner tries to lock their car, the jamming signal prevents the key fob from locking the vehicle. Assuming the car has locked, the owner walks away, unaware that the action failed and their vehicle never received the lock command.

Once out of sight, thieves are able to open the unlocked doors and steal the car by reprogramming a key fob or other methods.

In the field: In Italy, during October 2021, a 54-year-old suspect was arrested for aggravated theft. He was found using a signal jamming device that prevented vehicle owners from locking their cars.

Reprogramming key fobs

Reprogramming a key fob creates a brand new fob while rendering previous keys unidentifiable by a vehicle. While this seems like a unique security feature, it is frustrating for vehicle owners whose cars are returned without a way of even unlocking the door.

Using this approach requires a more sophisticated attack. It requires some kind of physical access to a car, either in a shop or by using one of the above methods.

The device needed to execute this attack is legally obtained by authorized mechanic shops, locksmiths, and various service centers.

Once inside, hackers connect the device to the OBD port and reprogram a new fob. Access to this type of device gives a car thief with little experience full control over the vehicle.

In the field: In November 2021, Detroit police uncovered a string of key fob reprogramming incidents. One included an American-made performance vehicle. Hackers used an $8,000 programming device to reprogram a key fob, rendering the original useless, and allowing the thieves to steal the car with ease.

It’s a cat and mouse game

While these attacks are increasing in frequency, there is a cat and mouse game between OEMs and hackers. As new vehicle theft prevention measures are put in place, they are short-lived, highlighting the need for a more comprehensive approach.

In the Upstream 2022 Global Automotive Cybersecurity Report, automotive-specific analysts broke down these attacks to gain insight into how they are conducted in the field and what the industry needs to know to clamp down on them. As insurance companies rely more on connected-vehicle data, they have an increased incentive to join OEMs, Tier-1s, and Tier-2s in using contextualized vehicle data to protect assets today and into the future.

Once a vehicle is hacked, it is only a few short steps until attackers gain access to ECUs, telematics servers, and backend servers.
