LegacyGT.com

Key fob vulnerability in 4th gen models


Just in case this hasn't been posted yet, this is rather interesting / concerning, depending on where you might live.

 

TL;DR: the remote codes are predictable and allow someone to clone your key fob by wirelessly listening to yours.

 

https://www.bleepingcomputer.com/news/security/unpatched-exploit-lets-you-clone-key-fobs-and-open-subaru-cars/

 

I'm unsure how likely this is to pose a real world threat, but it's not zero. If you have a government agency following you around, you might care about this (among other things).


The unlock code would only be useful one time right after it was scanned. Once the car is opened again, the code would change. Yes, it is a vulnerability but I think it's not much more risky than an experienced thief with standard tools who wants what's in your car. They can't use this hack to drive the car off.

> The unlock code would only be useful one time right after it was scanned.

 

Actually, the keyfob uses a "frequency hopping" scheme that, in Subaru's case, is not as random as it should be. So the attack is reproducible. And yes, this isn't new stuff, it's actually pretty common in the older keyless systems.

 

> They can't use this hack to drive the car off.

 

Correct.

 

Amount of mental effort I'm going to put into this is minimal. However, next time I park at MIT, I'm gonna check the car a little more carefully because those students get bored sometimes. Also, I've always felt that for some reason, the state of Maine attracts some really talented low-level hackers and this researcher further convinces me of this.


"By receiving a single packet from the key fob (i.e. the user pressed any of the buttons on the fob while the attacker was within range), the attacker can use that packet to predict the next rolling code and use that to lock, unlock, unlock trunk or sound the alarm of the car," Wimmenhove told Bleeping Computer.

 

I interpret that to mean if you have scanned the most recently used code, then you can calculate the next. But you evidently can't keep using the same code since the next time the fob is used the code changes. I suppose if there is a sequential term in the calculation you could try a bunch of codes very rapidly.

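A simplified model of the point under discussion, added here as an example and not taken from the thread, the linked article or any vehicle's real protocol: a receiver that accepts rolling codes within a look-ahead window, run once with an unkeyed sequential code and once with a keyed (HMAC) code. The window size, counter values, secret and all function names are assumptions for illustration.

```python
import hashlib
import hmac

WINDOW = 16                       # assumed look-ahead so missed presses resync
SECRET = b"constructed-demo-key"  # constructed per-fob secret, demo only


def weak_code(counter: int) -> int:
    """Unkeyed model: the transmitted code is the counter itself."""
    return counter & 0xFFFFFFFF


def keyed_code(counter: int, secret: bytes = SECRET) -> int:
    """Keyed model: code is a 32-bit truncation of HMAC-SHA256(secret, counter)."""
    mac = hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class Receiver:
    def __init__(self, code_fn, counter: int = 0):
        self.code_fn = code_fn   # maps a counter value to its expected code
        self.counter = counter   # last counter value accepted

    def accept(self, code: int) -> bool:
        # Only counters strictly ahead of the last accepted one are valid,
        # so an already-used code (a replay) never matches.
        for nxt in range(self.counter + 1, self.counter + 1 + WINDOW):
            if self.code_fn(nxt) == code:
                self.counter = nxt
                return True
        return False


def observe_one_press(code_fn) -> dict:
    """Owner presses once; check what a listener holding that one code can reuse."""
    rx = Receiver(code_fn, counter=1000)
    captured = code_fn(1001)
    return {
        "owner": rx.accept(captured),                     # legitimate press
        "replay": rx.accept(captured),                    # same code sent again
        "guess": rx.accept((captured + 1) & 0xFFFFFFFF),  # "captured + 1"
    }


if __name__ == "__main__":
    print("weak :", observe_one_press(weak_code))
    print("keyed:", observe_one_press(keyed_code))
```

In both models the replayed code is rejected; only the unkeyed model accepts a code derived from the single captured one, which is why the keyed construction needs the secret on both the fob and the receiver.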

Nice of him to basically tell the internet how to break into our cars.

 

They've got frameless windows, it's already pretty easy to get into these things.

 

Slide some plastic between the glass and rubber seal, pull the glass slightly away from the car, reach in through the gap with a stiff wire and poke the door lock.


I read somewhere that the security system is shared by other manufacturers including Toyota. If that is accurate then this is a problem not only for Subaru but other car manufacturers as well.

This is just the old Microchip KeeLoq bug. They found this out a LONG time ago, it's just a sensationalized headline because someone bothered to check our cars.

 

There is no fix, and there really can't be one without a hardware change. We don't have push to start, so this is really a non-issue. If it bothers you, you can get an aftermarket keyless entry system.


How much of a problem could it be for ones with push to start?

There is a transponder in the car ignition key. Push-to-start is usually made so that the transponder needs to be in close proximity to the driver's seat. This hack might enable someone to basically clone your key fob and press any of the buttons on it given they have scanned for the signal when you last used the fob. Without the transponder, they couldn't drive off, though.


You can't drive off with the car without the transponder the BIU is looking for *and a way to bypass the mechanical ignition lock*

 

In short, yes, as others have said. . .worst they can do is rummage through your car. In my case they may manage to pilfer an Android charging cable and a box of Kleenex. In order to accomplish this they would have to be "listening" when you press a button on your remote.

 

A few points for disambiguation:

 

-yes the remote code changes with each use but it's based on an 8-digit number. Any code the remote transmits has to be a derivative of that number. You can program a remote to this system without it even being present so it makes no difference where in the sequence the remote transmits. . .just that the base code agrees with what is stored in the keyless entry module.

 

-it's not used by *that* many other manufacturers. The only other one that comes to mind is Land Rover. Most every other manufacturer I've programmed a remote to requires you to press a button or buttons on the remote to register it. . .which registers the unique base code for that remote and identifies where it is in a rolling code sequence. . . and since the base code isn't written on a sticker and supplied with the remote it's more difficult to crack.

 

-Won't be something Subaru will address as it's not that big of a compromise. They're too busy fixing airbags and brake lines. And yes, you'd have to change (at a minimum) the keyless entry module and remotes. If you're really worried about it, put on your tinfoil hat and stop using your remote altogether or have an aftermarket system installed.


Archived

This topic is now archived and is closed to further replies.


