How to protect against SARA

[amateur_25]

HI

I am just surprised at how bloody simple and genius this SARA attack is.

The fact that we can get our hands on things cheaply now is creating security threats by making it accessible to hackers but it is a double edge sword.

I was wondering do you experts have any ideas on how to make our cars more secure.

I was thinking of using time domain reflectometry then you can tell how far the key is.
The fact that the signal is being amplified doesn't work around the fact Rf signal take time to travel through free air does it?

Maybe Dave can make a video on it

https://www.wired.com/2017/04/just-pair-11-radio-gadgets-can-steal-car/

[SilverSolder]

[...] I was wondering do you experts have any ideas on how to make our cars more secure. [...]

Mechanical lock/key.  Something solid that looks too much like hard work for the thieves.

[janoc]

HI

I am just surprised at how bloody simple and genius this SARA attack is.

The fact that we can get our hands on things cheaply now is creating security threats by making it accessible to hackers but it is a double edge sword.

The problem is not "making things accessible to hackers" but bloody clueless manufacturers that put gizmos that nobody really needs in cars without understanding neither the technology nor the security/safety implications and think that if they keep stuff secret it is somehow going to be secure.

The SARA attack is impossible if you require a physical key in the ignition (as was standard for decades) and not just "nearby" (= RFID). However, in the name of convenience and gee-whiz keyless pushbutton ignition (= a feature you can charge more for!) your car can be now stolen with a cheap box of electronics in a few seconds, with no trace of forced entry (so many insurances will refuse to pay).

One way to fix this issue would be requiring a check that the keyfob/card is physically in the vehicle - e.g. by inserting it in a reader with physical contacts, not just RFID (some older vehicles had such system). But then we are effectively back to the key-in-the-ignition setup, just the key is replaced by a fob ...

You can't use reflectometry - there is no reflection to measure. And measuring response times is notoriously unreliable, e.g. because of interference, keyfob not reacting right away, etc. which will swamp the time of flight of the radio signal that you could use to determine distance. Signal intensity detto.

[...] I was wondering do you experts have any ideas on how to make our cars more secure. [...]

Mechanical lock/key.  Something solid that looks too much like hard work for the thieves.

Not necessarily, even the good old rolling code pushbutton thing is more secure than this. There are tricks that can be used to bypass it (google Logjam attack), but it is much more finicky and complicated for the thieves to reliably execute it, so likely few will bother - smashing a window or forcing a door lock is easier.


The SARA vulnerability is effectively unfixable without ditching the entire system with the RFID fobs. If you don't want to have your car stolen or burgled, don't buy a car with this. Fortunately, this stupid system is optional on most brands that have it.

This is called progress - solving a "problem" that wasn't really a problem to begin with (what is so difficult or inconvenient about having to insert a key in the ignition?) and causing several new, much worse ones.

[SiliconWizard]

The SARA attack is impossible if you require a physical key in the ignition (as was standard for decades) and not just "nearby" (= RFID). However, in the name of convenience and gee-whiz keyless pushbutton ignition (= a feature you can charge more for!) your car can be now stolen with a cheap box of electronics in a few seconds, with no trace of forced entry (so many insurances will refuse to pay).

I fully second that. Making ignition keys "wireless" (not requiring any physical contact) was the most mind-boggingly stupid move we could ever think about. Some cars actually have RFID-like keys in various shapes (not necessarily key shape), but requiring to be inserted in some kind of slot. This is already a bit safer.

But it all comes from the same lazy attitude customers have grown accustomed to. Just like now there are mobile phone apps as payment means, replacing credit cards. The selling point is just that the customer will never have to worry about having their credit card(s) with them. How hard is it really? Soon we'll see mobile phone apps to unlock and start your car while we're at it, and your house door (already exists!) it follows the same logics. Apparently these days, all you're supposed to have with you is a fucking mobile phone (and you better have one!!) It's also funny how it has managed to become so indispensable that everyone now assumes that you can forget/lose absolutely any object, except your mobile phone. Apparently mobile phones are now almost implanted so nobody's supposed to be without one at all times.

Ah ah, just some thoughts about how stupid we're becoming and how natural it is that it's bound to backfire in nasty ways.

[DimitriP]

But it all comes from the same lazy attitude customers have grown accustomed to.

This "accustomed to" is mostly result of one idiot manufacturer producing a bluetooth gardenhose  the feature, then every other manufacturer having  to catch up,
or they are perceived as lagging behind in technology. Customers follow like sheep because "new" is "better" and so the cycle goes....
After all. "lane detection" can prevent an accident while you are reading the latest tweet from  your favorite twit!!!

 

[AndyC_772]

Soon we'll see mobile phone apps to unlock and start your car while we're at it

https://www.bmwblog.com/2018/11/17/video-heres-how-the-bmw-digital-key-works/

[janoc]

Soon we'll see mobile phone apps to unlock and start your car while we're at it ...

That exists already - the infamous Tesla Summon feature does exactly that, plus it is supposed to make the car come to you from wherever you have parked it. Assuming it doesn't cause an accident in the process, of course (just google it, there are plenty of really scary videos online already).

However, a phone app is still more secure than an RFID keyfob - a phone app talking to your car over internet is much more difficult to spoof for your average thief.

Of course, that assumes the manufacturer isn't a complete idiot and the internet interface in the car doesn't have more security holes than the Swiss cheese ... Not holding my breath for it, especially after the Jeep fiasco (if you don't know what that was about: https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ ).

[janoc]

Soon we'll see mobile phone apps to unlock and start your car while we're at it

https://www.bmwblog.com/2018/11/17/video-heres-how-the-bmw-digital-key-works/

Isn't that using NFC (i.e. RFID) on the phone? That would explain the need to put it on the charging pad (= RFID reader) in the car to pair it. If that's the case, that is not really any different than the keycard/fob, just you can explicitly turn NFC on the phone off and thus prevent the attack (but who is going to remember to do that every time?).

[SiliconWizard]

Soon we'll see mobile phone apps to unlock and start your car while we're at it

https://www.bmwblog.com/2018/11/17/video-heres-how-the-bmw-digital-key-works/

Isn't that using NFC (i.e. RFID) on the phone? That would explain the need to put it on the charging pad (= RFID reader) in the car to pair it. If that's the case, that is not really any different than the keycard/fob, just you can explicitly turn NFC on the phone off and thus prevent the attack (but who is going to remember to do that every time?).

I suspect it's NFC indeed.

Anyway, from what I gathered from the article posted by the OP, the hack would require having access both to the key AND the "keypad" inside the car, the only thing is that both wouldn't have to be close to each other. Nice trick, but to be victim of this is relatively unlikely. What's the real life scenario in which you would be victim of this, and in which it still would be more practical for people willing to steal a car than directly using the key? How would they enter the car to begin with? Not all very clear. Sounds a bit like a nice trick with relatively little impact? (May have missed something though!)

I consider any wireless system (with longer range, such as bluetooth, wifi, LoRa...) much more risky in real life than NFC.

[janoc]

Soon we'll see mobile phone apps to unlock and start your car while we're at it

https://www.bmwblog.com/2018/11/17/video-heres-how-the-bmw-digital-key-works/

Isn't that using NFC (i.e. RFID) on the phone? That would explain the need to put it on the charging pad (= RFID reader) in the car to pair it. If that's the case, that is not really any different than the keycard/fob, just you can explicitly turn NFC on the phone off and thus prevent the attack (but who is going to remember to do that every time?).

I suspect it's NFC indeed.

Anyway, from what I gathered from the article posted by the OP, the hack would require having access both to the key AND the "keypad" inside the car, the only thing is that both wouldn't have to be close to each other. Nice trick, but to be victim of this is relatively unlikely. What's the real life scenario in which you would be victim of this, and in which it still would be more practical for people willing to steal a car than directly using the key? How would they enter the car to begin with? Not all very clear. Sounds a bit like a nice trick with relatively little impact? (May have missed something though!)

AFAIK, the system works like that that the car unlocks automatically when you approach it with the RFID fob - the assumption is that this works only at a very short distance. Then to start the car you need to only press the Start button on the dash, you don't need the keypad nor anything. So the attack works by simply extending the range of the original keyfob so that the car reacts to the (genuine) signal and allows you to unlock it and start it. Of course, you must not turn the engine off afterwards or you would be never able to start it again.

It is certainly not a theoretical attack - thefts of the higher end models of BMW cars with this system have gone through the roof.

See e.g. this video:



The guys seem to struggle a bit, the keyfob is probably farther away from the door (door is a logical choice - most people hang their keys near the door). There are purpose-made devices available on the internet for this - thieves don't lug an SDR and a laptop around, even though the crooks in the video may have a laptop in that bag (but it looks like it has a handle at one point, so perhaps not).

Renault has the same problem with their system, just the thefts are not that prevalent because, well, it is Renault and those aren't all that desirable.

I consider any wireless system (with longer range, such as bluetooth, wifi, LoRa...) much more risky in real life than NFC.

Depends on what you use it for. RFID on your credit card isn't going to do a lot of damage, because most banks limit the transactions to about 20 euros and demand a pin code after 3 of them. So you would be out of 60 bucks at most. Of course, a thief could sit e.g. in a railway station or in front of a supermarket siphoning money off the customers passing by but it would be risky and difficult to be inconspicuous sitting around with a large antenna required for it. Furthermore, it would need a merchant account somewhere so that you could actually cash that haul out - another potential point of failure where you could get caught (unlike with stolen credit card numbers + pins where you duplicate the card on a blank and go to an ATM, with the contactless transactions you need to send them to a bank for clearing at some point).

The same with the chips in your passport.

However, if someone uses this technology for stupid purposes, such as protecting a high value item (a car or a house), then you are going to have problems. The crooks will have sufficient motivation to invest in the necessary technology if the payout is that big.

[coppice]

Soon we'll see mobile phone apps to unlock and start your car while we're at it

Are there any luxury cars which don't currently have this feature? Most have had it for a few years, and its working down to the cheaper cars.

[coppice]

AFAIK, the system works like that that the car unlocks automatically when you approach it with the RFID fob - the assumption is that this works only at a very short distance. Then to start the car you need to only press the Start button on the dash, you don't need the keypad nor anything. So the attack works by simply extending the range of the original keyfob so that the car reacts to the (genuine) signal and allows you to unlock it and start it. Of course, you must not turn the engine off afterwards or you would be never able to start it again.

I think most of them work like my Volvo. If you touch the door handle with the key fob close to the car it unlocks. Its the same with the "waving your foot" feature to open the tailgate. It only works when the keyfob is very close to the car. Usually within about a metre. Without the keyfob inside the car the engine won't start when you twist the start knob (its a button in most cars, but Volvo use a knob for some reason. I assume a really strong signal from outside the car would work, but the keyfob won't allow the engine to start when its just outside the car in places where it works to unlock the car. Once the engine is started you can drive the car, and for safety it won't cut out if you take the key fob away. However, if you stop somewhere, like the traffic lights, the engine can cut and not restart without the key fob being present.

It seems they try to use the metalwork of the car's body to isolate some of the radio signals around the car to a reasonable extent. For example, my car can use my phone set to wifi hotspot to access the internet while I am driving. However, it can't use the phone when its right outside the car. I can only get the car to connect to our home wifi by having a wifi router positioned to shine down through the windscreen at about 45 degrees when the car is parked under our car port. This kind of isolation is nice for day to day use, but it useless for isolating against criminal attacks.

[SiliconWizard]

Just a quick note about NFC. Any wireless link that works at more than a few cm definitely isn't, by definition, NFC. The key systems that work up to 1m or so are not NFC, they are usually either 433/868MHz RF links, or RFID, but not strictly NFC, which is meant for much shorter ranges.

If your car key allows to start the car just by sitting anywhere inside the car - then it's definitely not NFC, strictly speaking.

Solutions that would still be based on 'NFC' links but with an extended range are completely against the spirit of NFC, and are actually just plain RFID. And conversely, it's really not hard to design an NFC link that only works up to a few mm only. I consider those much safer as they require ultra close proximity to work, making a whole range of hacking attempts worthless.

The first generation of "contactless" ignition keys were very short range stuff (similar to NFC) and a lot less brain-dead idea. There are fortunately still recent cars that use similar keys. But any key that works up to 1m - no thanks.

[coppice]

Just a quick note about NFC. Any wireless link that works at more than a few cm definitely isn't, by definition, NFC. The key systems that work up to 1m or so are not NFC, they are usually either 433/868MHz RF links, or RFID, but not strictly NFC, which is meant for much shorter ranges.

If your car key allows to start the car just by sitting anywhere inside the car - then it's definitely not NFC, strictly speaking.

Solutions that would still be based on 'NFC' links but with an extended range are completely against the spirit of NFC, and are actually just plain RFID. And conversely, it's really not hard to design an NFC link that only works up to a few mm only. I consider those much safer as they require ultra close proximity to work, making a whole range of hacking attempts worthless.

The near field is quite large for 125kHz systems. However, most of the keyless entry systems for cars have a battery in the key, so they are not passive NFC responders. With our car we got 2 ordinary keys, with buttons to control the locks on the car, and a completely sealed key you can take swimming. When the battery dies in the sealed key it is not user replaceable, and a replacement key costs a fortune. Isn't technology wonderful?

[SiliconWizard]

Again, it's not NFC then, it's plain RFID.

https://en.wikipedia.org/wiki/Near-field_communication

[SilverSolder]

The problem is not "making things accessible to hackers" but bloody clueless manufacturers that put gizmos that nobody really needs in cars  [...]

The keyless entry systems open up possibilities for whole new categories of stupid mistakes that were not possible before.  E.g. the BMW owner that drops his wife off at the shopping center, drives to work, and on attempting to drive home...   realizes his wife has the key...

[SiliconWizard]

The problem is not "making things accessible to hackers" but bloody clueless manufacturers that put gizmos that nobody really needs in cars  [...]

The keyless entry systems open up possibilities for whole new categories of stupid mistakes that were not possible before.  E.g. the BMW owner that drops his wife off at the shopping center, drives to work, and on attempting to drive home...   realizes his wife has the key...

Ah yes, that too!

[amyk]

This is called progress - solving a "problem" that wasn't really a problem to begin with (what is so difficult or inconvenient about having to insert a key in the ignition?) and causing several new, much worse ones.

Agreed. I happen to like physically inserting a key, turning it, and feeling the engine roar to life. Pushing a button (and one that might not even start an engine, or start an engine you can't even feel running)? That's a toy car...

...then again, I prefer cars that sound like this:

[janoc]

Solutions that would still be based on 'NFC' links but with an extended range are completely against the spirit of NFC, and are actually just plain RFID. And conversely, it's really not hard to design an NFC link that only works up to a few mm only. I consider those much safer as they require ultra close proximity to work, making a whole range of hacking attempts worthless.

The problem is that those "few mm" is not something you can actually enforce if you have no control of the antenna on the other side. That's why these systems are vulnerable to attacks like the SARA. Even a system where you normally need to literally press the fob against the reader or it won't register can be spoofed with an antenna sufficiently large (and with a large gain) and an adequate transmitter (likely illegal but crooks are unlikely to care about that). Again, all this is well known and has been demonstrated many times.

Whether the attack like that is practical or not depends a lot on what is it used for. Stealing passport data? Likely not - running around with a yagi pointed towards crowds of people would certainly attract unwanted attention. Stealing a car? Heck yeah - takes a few minutes tops and well worth it for the crooks.

[SiliconWizard]

Solutions that would still be based on 'NFC' links but with an extended range are completely against the spirit of NFC, and are actually just plain RFID. And conversely, it's really not hard to design an NFC link that only works up to a few mm only. I consider those much safer as they require ultra close proximity to work, making a whole range of hacking attempts worthless.

The problem is that those "few mm" is not something you can actually enforce if you have no control of the antenna on the other side.

Probably true in the very general case, but I can assure you that it's definitely possible to enforce reasonably (of course the 100% unhackable doesn't exist!) if you design with the right parameters.

I've worked with NFC a bit so I have experimented quite a few things. For instance, the NFC standard allows data speed up to 424kb/s, but some NFC interface ICs allow to use up to 848kb/s (and sometimes higher.) I can guarantee you that, given how NFC (like RFID, basically with load modulation/backscattering) works, if you choose to communicate at the highest speed possible while still being reliable at a few mm (848kb/s, in my experience, was the sweet spot), even with very advanced techniques, it would be almost impossible to communicate with the tag and/or reader at over just a few mm, 1cm TOP. Try to pull off doing it reliably at larger distances! The BER just becomes impossibly large to deal with whatever you do at high speeds; load modulation is a bitch.

Of course at the lower speeds, it's a lot easier to do, and I believe most RFID car keys are, as I said, not really NFC but just RFID, and actually communicate with the reader at the lowest speed possible (which in turn makes it a bit more robust but a lot easier to hack from a distance.)

Just a few thoughts. I'll never say "never", of course, but I can assure you that at high speeds, it's an order of magnitude (or more) more difficult that anything that has been attempted this far for the existing keys.

[Yansi]

Just a quick note about NFC. Any wireless link that works at more than a few cm definitely isn't, by definition, NFC. The key systems that work up to 1m or so are not NFC, they are usually either 433/868MHz RF links, or RFID, but not strictly NFC, which is meant for much shorter ranges.

If your car key allows to start the car just by sitting anywhere inside the car - then it's definitely not NFC, strictly speaking.

Solutions that would still be based on 'NFC' links but with an extended range are completely against the spirit of NFC, and are actually just plain RFID. And conversely, it's really not hard to design an NFC link that only works up to a few mm only. I consider those much safer as they require ultra close proximity to work, making a whole range of hacking attempts worthless.

The first generation of "contactless" ignition keys were very short range stuff (similar to NFC) and a lot less brain-dead idea. There are fortunately still recent cars that use similar keys. But any key that works up to 1m - no thanks.

Keyless entry systems are in fact RFID at 125kHz.     RF (315/432/868/915) is NOT part of the keyless entry, it is there just for authentication, only unidirectional transmission.

//EDIT: Antitheft systems in many (if not most) book libraries, where you go through that frames near the doors, are in fact also NFC, at 13.56MHz. ISO/IEC 15693 (vicinity cards) if I am not mistaken. This can work a meter well.

[janoc]

Probably true in the very general case, but I can assure you that it's definitely possible to enforce reasonably (of course the 100% unhackable doesn't exist!) if you design with the right parameters.

I've worked with NFC a bit so I have experimented quite a few things. For instance, the NFC standard allows data speed up to 424kb/s, but some NFC interface ICs allow to use up to 848kb/s (and sometimes higher.) I can guarantee you that, given how NFC (like RFID, basically with load modulation/backscattering) works, if you choose to communicate at the highest speed possible while still being reliable at a few mm (848kb/s, in my experience, was the sweet spot), even with very advanced techniques, it would be almost impossible to communicate with the tag and/or reader at over just a few mm, 1cm TOP. Try to pull off doing it reliably at larger distances! The BER just becomes impossibly large to deal with whatever you do at high speeds; load modulation is a bitch.

Of course at the lower speeds, it's a lot easier to do, and I believe most RFID car keys are, as I said, not really NFC but just RFID, and actually communicate with the reader at the lowest speed possible (which in turn makes it a bit more robust but a lot easier to hack from a distance.)

Just a few thoughts. I'll never say "never", of course, but I can assure you that at high speeds, it's an order of magnitude (or more) more difficult that anything that has been attempted this far for the existing keys.

The problem is that such system would be completely pointless as a keyless entry/start system for a car. The entire idea of that is that you don't have to touch or insert anything anywhere (otherwise you can as well use the key, both to unlock the door and to start the engine). So the system has to work at at least a meter or two of distance while you are approaching the vehicle, with the fob in your pocket. That rules out a scheme like what you are describing.

And once the thief is in the car, it is game over, even if you have some sort of immobilizer requiring that the fob is placed in some very specific spot. The thieves know how bypass/disable similar things in seconds, even going as far as using the OBDII ports with custom programming dongles and a laptop ... Of course, they could do the same by breaking a window or a door lock but spoofing the fob is faster, less noisy and doesn't attract unwanted attention like a broken window would.

[SiliconWizard]

The problem is that such system would be completely pointless as a keyless entry/start system for a car. The entire idea of that is that you don't have to touch or insert anything anywhere (otherwise you can as well use the key, both to unlock the door and to start the engine). So the system has to work at at least a meter or two of distance while you are approaching the vehicle, with the fob in your pocket. That rules out a scheme like what you are describing.

Nope. First, there is a difference between entering the car and starting it, and I think this difference should remain effective. To this day, it's even a very common approach for car makers: the part that unlocks the doors is separate from the part that serves as an ignition key. The former is often still an RF remote, while the latter is now usually some kind of RFID. This is changing for some newer models/makers, but this change is not a smart one IMO. That the car unlocks just because I'm approaching it, without any action from my part, no thanks. It's completely stupid, and can be unsafe in some areas.

The benefit or having a keyless ignition system, IMO, are significant even when you need to put your "key" in some specific spot (again many recent cars with contactless ignition keys still work like this). Not requiring a physical key and lock is a nice feature to me, and was, as I said, the approach in the first generation of "keyless" cars. As a customer, I like the smaller keys (I've always found car keys big and clunky), and the absence of mechanical lock makes for more reliable stuff AND avoids the typical case in which robbers will just put a screwdriver in it (even when the car can't possibly be started doing this, the fuckers will still just try, not all car robbers have PhDs). The days when you'd find your ignition key lock destroyed (which was expensive to replace and sometimes you even had to replace the whole direction column) are over thanks to this.

The introduction of key systems (again, especially for ignition keys) that worked just being inside, or close to the car, is a brain-dead move. I don't care about those in the least. That may look nice for a second, but the drawbacks are just too many.

And again no, contactless systems that only work at a very close distance are definitely not useless IMO. They solve many problems as said above. The rest is just marketing wank (and as SilverSolder noted, can make for very stupid situtations.)

[Ian.M]

Its inexcusable that unlocking the vehicle doesn't require user interaction with the 'key' fob, either when you approach the vehicle or set in advance to work *ONCE* with the fob in your pocket to allow unlocking the vehicle when you approach with your hands full of packages.   

That would protect against SARA attacks as without user intervention the fob would ignore the handshake from the car.

It would be a relatively cheap upgrade or recall for vulnerable vehicles as all that would be required would be to replace the vulnerable fobs and destroy them.

[janoc]

Its inexcusable that unlocking the vehicle doesn't require user interaction with the 'key' fob, either when you approach the vehicle or set in advance to work *ONCE* with the fob in your pocket to allow unlocking the vehicle when you approach with your hands full of packages.   

That would protect against SARA attacks as without user intervention the fob would ignore the handshake from the car.

It would be a relatively cheap upgrade or recall for vulnerable vehicles as all that would be required would be to replace the vulnerable fobs and destroy them.

Yes - and it would quite defeat the entire selling point of the system. If you need to interact with something (or remember to enable something before you leave the car), you may as well use a classic battery powered fob with buttons ...