Keyless hack check list: Is your car one of 24 that can be unlocked and started with radio amplifier?
Published 24/03/2016 | 08:41
Dozens of car models, including BMW, Audi and Range Rover can be remotely unlocked and started using a simple hack, research reveals.
The hack allows malicious actors to unlock and drive away 24 different car models from 19 manufacturers using a cheap and easily constructed radio amplifier. Called the "amplifier attack", the hack involves altering the radio frequency in the cars to trick the keyless sensor technology into thinking that the vehicle's owner is nearby with the key.
The cars affected include European popular models such as the Ford's Galaxy, Audi's A3, Toyota's Rav4, Volkswagen's Golf GTD and Nissan's Leaf. This isn't an untested threat either, the researchers claim the method has already been used in car thefts, and is evidenced in real surveillance footage.
The researchers believe dozens more models that use keyless technology could be vulnerable, but they are yet to prove it. Currently, 95 per cent of European car brands use keyless entry.
The only car that resisted the researchers couldn't unlock was BMW's i3. But they were able to start its ignition. And the BMW 730d was hackable, meaning that the German carmaker's models aren't immune to the vulnerability.
How it works
For years, owners of cars that use keyless technology have reported seeing their cars being effortlessly stolen by people walking up to them and driving away. Researchers at the German car club ADAC have now tested what is called the "amplification attack" on dozens of car models and found 24 of them vulnerable.
The hack involves tricking the car's radio equipment into thinking that the owner is near the vehicle with the keyless sensor. It involves boosting the signal in the key fob by making a couple of simple changes to the frequency in the car's radio equipment with an amplification device.
"The radio connection between keys and car can easily be extended over several hundred metres, regardles of whether the original key is, for example, at home or in the pocket of the owner," said the ADAC researchers.
The attack has been around for at least four years - Swiss researchers detailed a similar version of the hack back in 2011. But carmakers have not released a fix for the problem, and now German researchers have come up with an even cheaper and easier way to exploit it.
The ADAC researchers devised a system that can unlock and start the cars for just £160, where the Swiss researchers had spent thousands of pounds on their software.
They created two radio devices - an amplifier that must be positioned near the victim's key, and a receiver that should be placed near the car. The radio near the car impersonates the key and triggers the car to unlock.
The device can work from as far away as 90 metres.
The radios are simple to make, and the components cheap, according to the researchers. They have not released how exactly they made the devices, as they do not want to encourage potential thieves.
How can I protect my car?
There is no simple fix for the hack, unfortunately. If you own a car that uses keyless technology - or one of the models below - you could try storing your key in a "faraday cage", designed to block radio signals, or a freezer, as one New York Times journalist did.
Really, it's down to car manufacturers to build defences into wireless key fobs.
Models that can be hacked
- Audi: A3, A4, A6
- BMW: 730d
- Citroen: DS4 CrossBack
- Ford: Galaxy, Eco-Sport
- Honda: HR-V
- Hyundai: Santa Fe CRDi
- Kia: Optima
- Lexus: RX 450h
- Mazda: CX-5
- Mini: Clubman
- Mistubishi: Outlander
- Nissan: Qashqai, Leaf
- Opel: Ampera
- Range Rover: Evoque
- Renault: Traffic
- Ssangyong: Tivoli XDi
- Subaru: Levorg
- Toyota: Rav4
- Volkswagen: Golf GTD, Touran 5T
(Note: only keyless versions of models referred to above are vulnerable to the hacking)