Encryption Flaws Leave Millions Of Toyota, Kia, And Hyundai Cars Vulnerable To Key Cloning

Encryption Flaws Leave Millions Of Toyota, Kia, And Hyundai Cars Vulnerable To Key Cloning

Millions of cars with radio-enabled keys made by Toyota, Hyundai, and Kia may be vulnerable to hijacking thanks to a flaw in their encryption implementation, Wired reported this week, citing the results of a KU Leuven in Belgium and University of Birmingham study.

The cars in question use Texas Instruments DST80 encryption, but the way it was built into them means that a hacker could potentially use a “relatively inexpensive Proxmark RFID reader/transmitter device near the key fob” to trick the car into thinking they have a legitimate key, Wired wrote. While other models of car have proven vulnerable to hacking via relay—in which hackers use radio transmitters to extend the range of a car’s key fob until the original key is in range—this method requires that the attacker come within close proximity of the fob and scan it with the RFID device. That would provide enough information to determine the encryption key, clone it using the same RFID device, and use that to disable a part called the immobilizer, which prevents a car from starting without a key in the vicinity.

With the immobilizer disabled, the only obstacle remaining would be the ignition barrel (i.e., key slot) that actually starts the engine. This only requires classic-era car theft techniques like hotwiring or substituting the key for a screwdriver.

The attack is made possible because the encryption keys used by the cars were easily discovered by reverse-engineering the firmware, the researchers wrote. In Toyota’s case, the encryption key was based on a serial number also broadcast with the fob signal, while the Kia and Hyundai cars in question used just 24 random bits of protection (DST80, as implied by the name, supports up to 80). University of Birmingham computer science professor Flavio Garcia told Wired that identifying the correct 24 bits “is a couple of milliseconds on a laptop.” However, the researchers did not publish certain information about how they cracked the encryption.

Hyundai told Wired that none of the affected models are sold in the U.S. and that it “continues to monitor the field for recent exploits and [makes] significant efforts to stay ahead of potential attackers.” Toyota told the site that “the described vulnerability applies to older models, as current models have a different configuration” and is “low risk.”

The full list of affected models is below, including Toyota Camry, Corolla, RAV4, and Highlander models; the Kia Optima, Soul, and Rio; and multiple Hyundai hatchbacks. (The Tesla S used to be vulnerable, but Tesla has updated the firmware, according to Wired.) The researchers noted that this list is “non-exhaustive,” meaning more models could be affected.

Screenshot: TCHES

Per Wired, the researchers say the findings are relevant to consumers because although the method is rather technically involved, it can be circumvented by methods like attaching a steering lock when necessary. Some of the cars could also potentially be reprogrammed to remove the vulnerability, though the team told Wired that the Tesla S was the only car on the list they were aware had the capability to do so.