Mike Bantick, 23 Aug 2011
NEWS

Mobile phone: the modern jemmy

Telematic systems are the latest flaw exposed in modern vehicle security

Many years back, around the mid-nineties, when remote keyless entry systems became widespread amongst vehicle manufacturers, there were many paranoia-inducing stories of thieves lying in wait at suburban shopping centres just itching to break into your brand new car.

The theory was that the nefarious criminals would be ready to nab the code to your remote locking system as it flew through the airwaves at the push of the button on your key fob. Using a device (no doubt a box with a little rotating dish upon it), the potential car thieves would detect and recreate the signal from the fob, thereby opening your car doors while you shopped.

Whilst potentially feasible, this fear was soon debunked: the attack was unlikely, and an upgrade to signal-code encryption became the norm for RKE (Remote Keyless Entry) systems soon after their release.

But technology has moved on, and now a new threat looms on the digital landscape: hackers have worked out how to unlock cars that use remote control and telemetry systems such as Ford Sync, General Motors’ OnStar, BMW Assist and Hyundai’s Blue Link.

These systems use the mobile phone network (GSM and CDMA) to connect with a variety of services provided by the car manufacturer.  Services such as roadside assist, automatic crash notification and navigation help are provided as part of the networking ability inherent in this technology.

New technology attracts new criminal activity. With a little bit of reverse engineering and some “war texting” (roaming geographically, looking for and hacking into devices connected to the cellular network), a security firm has demonstrated the ability to fool the car's remote systems into connecting as they would to their normal vehicle manufacturer’s servers.

At the Black Hat USA 2011 technology security conference this month in Las Vegas, Don Bailey and Mathew Solnik, both employees of iSEC Partners, presented their talk entitled “War Texting: Identifying and Interacting with Devices on the Telephone Network”.

The presentation was aimed at unveiling the vulnerabilities of many devices connected to the telephony data networks: “These systems often receive control messages over the telephone network in the form of text messages (SMS) or GPRS data,” said Bailey. “These messages can trigger actions such as firmware updates, Are You There requests, or even solicitations for data. As a result, it is imperative for mobile researchers to understand how these systems can be detected by attackers on the global telephone network, then potentially abused.”

In particular, within two hours the pair was able to unlock the doors of a car and communicate directly with the on-board systems. Whilst the specific process details have not been revealed, enabling vehicle manufacturers to study the work of Bailey and Solnik and develop fixes, the underlying principles are well understood.

Bailey and Solnik created their own ad-hoc GSM network using off-the-shelf equipment, then set about “sniffing” the traffic sent between car and server, which, according to them, is not obfuscated or encrypted sufficiently to protect against an attack designed to mimic the system's protocols.

“What I got in two hours with the car alarm is pretty horrifying when you consider other devices like this, such as SCADA [Supervisory control and data acquisition] systems and traffic-control cameras. How quick and easy it is to re-engineer them is pretty scary.”
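An added example, not from the talk or from any manufacturer's protocol: a control-message receiver that rejects mimicked and replayed commands by checking a per-device HMAC and a message counter, the kind of protection the sniffed traffic described above is said to lack. The message layout, key and command names are constructed for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # bytes of HMAC-SHA256 kept as the authentication tag


def seal(key: bytes, counter: int, command: bytes) -> bytes:
    """Server side: build counter (8 bytes, big-endian) || command || tag."""
    body = struct.pack(">Q", counter) + command
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Device side: act on a command only if it is authentic and fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0  # highest counter accepted so far

    def accept(self, message: bytes):
        """Return the command bytes, or None if the message is rejected."""
        if len(message) < 8 + 1 + TAG_LEN:
            return None  # too short to hold counter, command and tag
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # forged or modified: sender does not hold the key
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self.last_counter:
            return None  # replay of a captured message
        self.last_counter = counter
        return body[8:]


if __name__ == "__main__":
    key = b"constructed-per-device-key-0001"  # constructed sample key
    device = Receiver(key)
    genuine = seal(key, 1, b"ARE_YOU_THERE")
    print("genuine :", device.accept(genuine))
    print("replayed:", device.accept(genuine))
    mimic = seal(b"guessed-key", 2, b"ARE_YOU_THERE")
    print("mimicked:", device.accept(mimic))
```

The tag authenticates the message but does not hide its contents; confidentiality would need encryption on top of this check.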

We all loved going to see Die Hard 4 in the cinemas, a bit of escapism that had us laughing at the over-the-top stunts just as it did during the scenes of network hacking. Systems from BMW’s roadside assist and remote start facility to country-wide utility infrastructure were done over by Bruce Willis and the on-screen terrorists, all in the name of entertainment. Given the real-world nature of the work performed by Bailey and Solnik, however, one hopes any vital SCADA networks are encrypted to a satisfactory level.
