Several models from Toyota, Kia and Hyundai use an RFID-based immobilizer built into their mechanical key. Security researchers have been able to crack these through reverse engineering. With the attack, cars could simply be hot-wired, as in the 1980s. It is not the first time that security researchers at the Catholic University (KU) Leuven (Belgium) have managed to crack key chips: in the past few years they have hacked the Tesla key chip twice.
Together with the University of Birmingham (Great Britain), the researchers bought several electronic immobilizer control units on eBay and extracted their firmware. They then analyzed how the units communicate with the key chips. The chips examined use Texas Instruments' DST80 cipher for authentication. However, the affected automakers had implemented it insecurely: Toyota, for example, derived the cryptographic key of the affected models from the serial number, which the key chip transmits in the clear.
Kia and Hyundai set only 24 of the 80 possible key bits at random, which made it easy for the researchers to recover the key. "Twenty-four bits are a few milliseconds on a laptop," Flavio Garcia, a professor of computer science at the University of Birmingham, told Wired magazine. In the paper, however, the researchers do not describe exactly how the attacks work, for security reasons. Other researchers or attackers could nonetheless rediscover the vulnerability.
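The two provisioning defects described above (a key derived from the serial the chip sends in the clear, and a key with only 24 of 80 bits random) can both be caught by a simple entropy audit before transponders ship. The following is an added illustration, not the researchers' or the vendors' code; the three key-generation schemes are constructed models of the flaws, not the real derivation functions, and the serials are made up.

```python
import hashlib
import secrets

KEY_BYTES = 10  # DST80 keys are 80 bits long

# Constructed schemes that model the flaws the article describes.
def serial_derived_keygen(serial: bytes) -> bytes:
    """Key is a deterministic function of the serial the transponder sends in clear."""
    return hashlib.sha256(serial).digest()[:KEY_BYTES]

def partly_random_keygen(serial: bytes) -> bytes:
    """Only 24 of the 80 bits are random; the other 56 are a fixed constant."""
    return secrets.token_bytes(3) + b"\xa5" * (KEY_BYTES - 3)

def fully_random_keygen(serial: bytes) -> bytes:
    """All 80 bits drawn from a CSPRNG, independent of the serial."""
    return secrets.token_bytes(KEY_BYTES)

def varying_bit_positions(keys):
    """Set of bit positions (0..79) whose value is not constant across the sample."""
    first = int.from_bytes(keys[0], "big")
    diff = 0
    for k in keys[1:]:
        diff |= first ^ int.from_bytes(k, "big")
    return {i for i in range(KEY_BYTES * 8) if (diff >> i) & 1}

def audit_keygen(keygen, samples=200):
    """Provision `samples` transponders and report the two entropy defects."""
    serials = [(1000 + i).to_bytes(4, "big") for i in range(samples)]  # constructed
    keys = [keygen(s) for s in serials]
    # Defect 1: re-provisioning the same serial yields the same key, so the key
    # holds no secret beyond the (publicly transmitted) serial itself.
    deterministic = all(keygen(s) == k for s, k in zip(serials[:5], keys[:5]))
    # Defect 2: the number of bit positions that ever change bounds the entropy
    # an attacker has to search; 24 varying bits means a 2**24 keyspace.
    varying = varying_bit_positions(keys)
    return {
        "deterministic": deterministic,
        "varying_bits": len(varying),
        "effective_bits": 0 if deterministic else len(varying),
    }

if __name__ == "__main__":
    for name, fn in [("serial-derived", serial_derived_keygen),
                     ("24-bit random", partly_random_keygen),
                     ("80-bit random", fully_random_keygen)]:
        print(name, audit_keygen(fn))
```

Only the fully random scheme reports 80 effective bits; the serial-derived scheme reports 0 because the key is reproducible from public data, and the partly random scheme reports 24.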
To bypass the immobilizer of one of the affected models, an attacker must first get into the immediate vicinity of the RFID chip in the key. The chip can be read with an inexpensive Proxmark RFID reader; the cryptographic key it holds can then easily be recovered and the RFID key chip cloned, the researchers explain. With the clone, the immobilizer can be deactivated. However, the car still has to be opened and hot-wired, because the RFID chip is used only for the immobilizer. A conventional mechanical key is used to open and start the cars, so the car has to be opened with a screwdriver, for example, and then hot-wired, just as in the 1980s, the researchers emphasize.
In addition to the Camry, Corolla and RAV4 models from Toyota, the Kia Optima, Soul and Rio as well as the Hyundai i10, i20 and i40 are affected. A similar attack also worked against Tesla, but Tesla was the only manufacturer able to fix the vulnerabilities with an automatic software update. In a statement, Toyota stressed that "The vulnerability described only affects older models because current models use a different configuration." The vulnerabilities posed a low risk to customers, Toyota said, because the attack requires both access to the physical key and expensive special hardware. The researchers dispute the latter point: neither specialized nor expensive hardware is necessary for the attack.