Imagine you return to your car after running an errand. It's sitting exactly where you left it. But when you open the door, you realize all your belongings are missing. Still, there isn't any sign of forced entry. No shattered glass or damaged locks. It might just be the perfect crime.
How is this possible? News outlets are reporting that burglars have found a way to hack into cars that have remote keyless entry systems. By stealing your security codes, they're able to steal your belongings—or worse still, your car—without leaving a trace of evidence. Evidence that is important for car owners when they file a claim with their insurance companies.
"We need to figure out ways to prove a car has been legitimately broken into or whether someone is trying to create insurance fraud," Derek Wing, spokesman for PEMCO, recently told King5.com. "This is something we're going to have to look into."
People have already reported this type of burglary across the country, leaving police officers and insurers scratching their heads as to what might have happened.
If you're wondering whether your car could be affected, chances are, it could. According to a study from University of Birmingham researchers Flavio Garcia, David Oswald, and Pierre Pavlidès, as well as Timo Kasper from Kasper & Oswald, almost 100 million vehicles are susceptible to these kind of attacks.
A recent Wired.com article explains cars are open to two different types of attacks. One hack can target almost all Volkswagen cars sold since 1995, including Audi and Skoda makes. The other attack affects vehicles such as Fiat, Ford, Mitsubishi, and Nissan.
The Nitty Gritty of Car Hacking
Garcia, Oswald, Pavlidès, and Kasper shed some light onto this car hacking phenomenon when they presented at the 25th USENIX Security Symposium in August.
According to their report, hackers need to eavesdrop the signal from the victim's key fob. After doing this, they'll be able to clone it. In order to intercept the signal, all the hacker needs are a laptop and radio hardware. Alternatively, robbers can buy a device that costs as little as $40 to do the same thing.
Once the signal is eavesdropped, the hacker can create a clone of the key fob using the laptop and radio hardware, or else a $20 custom device. This allows them to mimic the fob and unlock a person's car.
"The cost of the hardware is small, and the design is trivial," Garcia told Wired.com. "You can really build something that functions exactly like the original remote."
And after breaking in, if the burglar is able to hack the immobilizer system, they can start the engine and steal the car.
What exactly is an immobilizer? According to Pavlidès, the immobilizer (or transponder) is a little piece of hardware inside the key fob. In order for your car to start, the transponder has to be close to the ignition.
If your car is only able to start if you put the actual key into the ignition, then you shouldn't have to worry about vehicle theft. You'll still be open to a potential break-in, however.
But although the equipment needed to steal a car's security codes isn't difficult to get, the hacker does have some limitations. For instance, for both hacks the burglar needs to be within 300 feet of the vehicle they're targeting.
Rolling Codes 101
Robbers are specifically able to break into cars that use rolling codes in their remote car keys. To understand how the hack works, you need to know how rolling codes operate.
"When you press a button on your remote car key, a signal is sent to the car, which in turns processes it and decides if it should [open or close] the doors," Pavlidès explains. "If the signal were always the same, an attacker could eavesdrop it and repeat it to open the car at will. As a result, there is a counter in the signal. At each key press, the counter is incremented by one, and the car makes sure that the counter is greater (in an allowed window) from the last one it has seen."
Pavlidès notes that an attacker could eavesdrop the signal, take the counter, and then just increase it by one. This new signal would allow them to open the car. Rolling codes help to prevent these kind of attacks by using a "shared cryptographic key" between the car and key fob.
"This key is used to 'sign' the signal and make sure it comes from an authorized key fob. As a result, an attacker is not able to create a valid signature for her modified signal," says Pavlidès.
Still, Garcia, Oswald, Pavlidès, and Kasper were able to reveal two ways that hackers can still break into a car despite this technology.
This type of hack, as you may have guessed, works on Volkswagen Group vehicles due to cryptographic key management failures. As mentioned, this includes brands like Volkswagen, Audi, Seat, and Škoda.
To perform this hack, you first need to get access to one of the few cryptographic keys that are shared with millions of Volkswagen cars. To do that, the researchers used reverse engineering on the firmware of an electronic control unit to gain access to a shared key. Using this shared key combined with a signal eavesdropped from a specific key fob, the researchers were able to successfully clone the key's signal and access a targeted car.
The scary part of this hack is that once you have one of the shared cryptographic keys, you'll be able to use it to hack into millions of other Volkswagen vehicles. To top it off, once you're able to unlock a car, you'll essentially have another key to that vehicle. You can get into the car as often as you want without performing another hack.
The Hitag2 hack, on the other hand, targets multiple car manufacturers. These manufacturers use an outdated cryptographic primitive called Hitag2.
For this hack, a burglar would need to use the equipment described above to eavesdrop four to eight signals from the targeted key fob. Once received, the hacker could clone the key fob. The researchers were able to execute this hack in as little as 60 seconds.
Although this hack can be done quickly, it does require the robber to wait for the victim to press their fob at least four times. To speed this process up, the hacker could jam the signal to the vehicle, leading the car owner to press the button multiple times in succession. And like the first hack, once you have access to a vehicle, you're able to get into it as many times as you'd like.
What Rolling Codes Mean for Car Owners
"Rolling schemes for remote entry systems are not bad per se—we only found issues in either the way they are set up, or in a core component they are using," Pavlidès says. "In the second case, using a stronger core component fixes the issue."
Still, in their paper, the research team warns that besides theft of personal belongings or your car, there are other potential issues that could arise from these attacks. For example, once an intruder was inside your car, they could alter the board computer, which could lead to situations such as your brakes failing after you turn on your windshield wipers. Another possibility is that someone or something could be placed in your car without your knowledge.
Signs You're Being Hacked
Unfortunately, there are few warning signs that your car is in jeopardy before these kind of attacks. One signal, though, is if you find that you have to repeatedly press on your fob to unlock or lock your car doors.
This could mean a burglar is trying to intercept your codes quickly as described above. Of course, there are other reasons why your fob could fail in this way, such as a dying or dead battery.
How to Prevent a Hack
Normally, simply remembering to always lock your car doors would be the best way to prevent theft.
But in this case, the researchers recommend drivers not use a car this is impacted by these hacks. Otherwise, you should avoid using a car's keyless entry system. Rather, use the mechanical lock to open and close your car door.
Nevertheless, you can't be 100 percent that your car is safe no matter how many precautions you take.
"There is little one can do to prevent these kinds of break-ins," says Frank Scafidi, National Insurance Crime Bureau's director of public affairs. "Then again, think of it in terms of the traditional kinds of break-ins…you can only do so much to secure your vehicle, but if it and a thief with ill intent are in the same space, then the odds are not in your favor—regardless of how the thief gains access."
If you want to be sure your belongings are safe, your best bet is to take them with you. Especially since any changes to counter these hacks will most likely not happen anytime soon.
"These vehicles have a very slow software development cycle,” Garcia told Wired.com. “They’re not able to respond very quickly with new designs.”
Still, Pavlidès notes car companies can protect against these hacks by creating cars that use a unique cryptographic key per key fob and strong cryptographic primitives.
"The good news is that the auto manufacturers are indeed aware of the problem and are integrating more security into their products. The reality of technology is that it makes our lives more productive and our labor more efficient," says Scafidi. "But if someone with the intellect, the tools, the time, and a dark heart wants to find unauthorized ways into data networks, then it will eventually happen. The challenge is to develop a crack-proof electronic shroud around wireless devices and services."
Will My Insurance Still Cover My Claim?
Since preventing car theft isn't completely possible, the best way to protect yourself is to make sure you have adequate auto insurance. After all, in 2015 alone, over 700,000 vehicles were stolen in the United States.
Interestingly, if your belongings are stolen, you will need to file a homeowners or renters insurance claim, rather than one with your car insurance company. But if your car is stolen, you'll need comprehensive car coverage to file a claim.
"The auto insurance would cover the stolen car itself as well as a rental car for a specific amount of time if you elected to take that coverage," says Addison Gardner. "That way you would have a car while you're without one and waiting on the settlement checks and claims investigation into your stolen vehicle."
If you are a victim of a hack, you should call 911 immediately and file a police report. You'll also want to cancel any credit or debit cards if someone stole them.
Scafidi warns that identify theft has become a big problem in car burglaries.
"Look at it in the same manner as when someone either breaks the window on a car to gain access or uses a special tool to unlock the door. It’s been happening for decades," says Scafidi. "The goal in these cases is to find things of value to the thief—and that’s been the same goal for decades as well. The new wrinkle today is that many drivers keep personal data in their cars and, in the wrong hands, that information can be used to commit identity theft. And that creates a whole new set of problems for consumers more so than their insurers."
Also, if your vehicle is stolen and you have OnStar or another tracking system, make sure to call them right away. You'll then want to let your insurance company know about the theft as soon as you can.
But these kinds of evidence-free break-ins bring up the question of whether insurers will cover your claim. And will insurance companies start charging customers more if they own the type of cars that hackers are targeting?
"You could now make a case that once that's general practice in the hacker communities, there would be a dramatic increase in stolen vehicles due to the fact they could hack the car to unlock it then remote start it and drive away without breaking a window. This could cost insurance companies millions in the years to come," Gardner says. "Eventually insurance companies would have to start looking at ratings on vehicles with smart technology, but that will be a hard determination to make because even right now you can get a car with remote start and keyless ignition starting at $20,000 ranging all the way up to $400,000."
Gardner explains an insurance company will need receipts, police reports, and a description of what happened to open a claim. Especially for these kind of attacks, the insurer needs to determine whether or not your claim is valid or an attempt at insurance fraud.
"A police report is usually the first thing that is requested. This demonstrates that you filed a formal report with the appropriate law enforcement agency and in most cases, if you file a false police report, you open yourself up to other legal problems," says Scafidi. "Most people who suffer legitimate losses don’t hesitate to report it to the police."
But, according to Scafidi, just because someone files a police report doesn't always mean they're innocent of fraud. A type of insurance fraud called "owner give-up" requires someone to fill out a false police report. After that person fills out the report that their vehicle was stolen—when in reality they got rid of it in some other way—they submit a claim to their insurer.
Still, this recent research on car hacking can help answer questions many have as to how someone broke into their car in the first place.
In their paper, Garcia, Oswald, Pavlidès, and Kasper wrote, "Our findings affect millions of vehicles worldwide and could explain unsolved insurance cases of theft from allegedly locked vehicles."
To find out if your vehicle is one of the millions that could be hacked, read the researchers’ paper here.