Cloning Millions of Toyota, Hyundai, and Kia Keys becomes easy.

Researchers found problems in how Toyota, Hyundai, and Kia implement a Texas Instruments encryption system called DST80.

In relay attacks, hackers exploit radio-enabled keys to steal vehicles without leaving a trace. Here, a few cryptographic flaws combined with a little old-fashioned hot-wiring, or even a well-placed screwdriver, let hackers clone those keys and drive away in seconds.

The researchers found vulnerabilities in the encryption systems used by immobilizers, the radio-enabled devices inside cars that communicate at close range with a key fob to unlock the car’s ignition and allow it to start. A hacker who swipes a relatively inexpensive Proxmark RFID reader/transmitter device near the key fob of any car with DST80 inside can gain enough information to derive its secret cryptographic value.

Toyota has confirmed that the cryptographic vulnerabilities the researchers found are real. The cloning attack the Birmingham and KU Leuven researchers developed requires that a thief scan a target key fob with an RFID reader from just an inch or two away. And because the key-cloning technique targets the immobilizer rather than keyless entry systems, the thief still needs to somehow turn the ignition barrel, the cylinder you slot your mechanical key into.

The researchers developed their technique by buying a collection of immobilizers’ electronic control units from eBay and reverse-engineering the firmware to analyze how they communicated with key fobs. They often found it far too easy to crack the secret value that Texas Instruments DST80 encryption used for authentication. The problem lies not in DST80 itself but in how the carmakers implemented it: the Toyota fobs’ cryptographic key was based on their serial number, for instance, and the fobs also openly transmitted that serial number when scanned with an RFID reader. And Kia and Hyundai key fobs used 24 bits of randomness rather than the 80 bits that DST80 offers, making their secret values easy to guess.
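Both implementation mistakes can be caught by auditing the key-provisioning routine before fobs ship. The sketch below is an added example, not code from the researchers or any carmaker: the three `provision_*` functions, the constant padding and the SHA-256 derivation are constructed stand-ins, and only the 80-bit and 24-bit figures come from the article.

```python
import hashlib
import secrets

KEY_BITS = 80  # DST80 key length, per the article
FIXED_HIGH = 0x5A5A5A5A5A5A5A << 24  # constructed 56-bit constant padding


def provision_full(serial: int) -> int:
    """80 fresh random bits per fob."""
    return secrets.randbits(KEY_BITS)


def provision_24bit(serial: int) -> int:
    """Only the low 24 bits are random; the other 56 are a fixed constant."""
    return FIXED_HIGH | secrets.randbits(24)


def provision_from_serial(serial: int) -> int:
    """Key is a pure function of the serial (stand-in derivation, not any vendor's)."""
    digest = hashlib.sha256(serial.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:KEY_BITS // 8], "big")


def varying_bits(keys) -> int:
    """Count bit positions that take both values across the sample.

    Constant positions add no entropy, so this is an upper bound on the
    effective key length of the fleet.
    """
    mask = (1 << KEY_BITS) - 1
    seen_one = seen_zero = 0
    for k in keys:
        seen_one |= k
        seen_zero |= ~k & mask
    return bin(seen_one & seen_zero).count("1")


def audit(provision, serials) -> dict:
    """Black-box checks on a provisioning routine."""
    serials = list(serials)
    first = [provision(s) for s in serials]
    second = [provision(s) for s in serials]
    return {
        "varying_bits": varying_bits(first),
        # Same serial, same key on every run: the key is no more secret
        # than the serial number and the derivation.
        "serial_determines_key": first == second,
    }


if __name__ == "__main__":
    for fn in (provision_full, provision_24bit, provision_from_serial):
        print(fn.__name__, audit(fn, range(1, 513)))
```

Note that the serial-derived routine passes the bit-variation check with all 80 positions varying and is only caught by the determinism check, which is why both are needed.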
