Five years ago, Boris Danev's boss asked him to do something strange: steal his car.
Danev was a graduate student studying cybersecurity in Zurich, and his boss had just bought a Toyota Rav 4. The car had a Bluetooth passive keyless entry and start (PKES) system, which meant a car owner could walk up to the car, get in and drive off without taking his keys out of his pocket. Danev's boss, a professor who ran the cybersecurity lab, wanted to find out how easy it was to hack the wireless lock.
As it turned out, it wasn't all that difficult. As Danev and his co-researchers recounted in a 2010 academic paper, the team used cheap off-the-shelf amplifiers — gadgets that are the equivalent of Bluetooth bullhorns — to magnify the wireless signal a key sends to a car. They could trick a car into unlocking itself thinking its owner was standing next to it even when the key was actually 165 feet away (about 15 car lengths away), which is way beyond the distance limit at which PKES systems should work. They were able to break into cars made by eight different car manufacturers and drive away without the proper keys. Once inside, most cars let them drive away. Some will warn that they can't detect the keys, but other than that they'll continue to function normally for safety reasons. Otherwise, a key battery going dead while on the freeway would be incredibly dangerous.
More than three years on, the problem seems to be getting worse. Consumers have come to expect the convenience of keyless entry, but often don’t understand the risks involved. The technology that allows for car hacking has gotten better while the security systems baked into keyless entry cars have stumbled to catch up. As a result, there's some evidence that wireless car break-ins are on the rise.
Fusion reached out to several car manufacturers, including Toyota, Mercedes Benz, Volkswagen and Audi. Audi declined to comment. A spokesperson for Mercedes wrote in an email that the company "had a very good safety track record, no negative trend on our side. How we achieved this is naturally confidential. We take great pride in safety and security for our customers and their cars and therefore we are always committed to improve our system wherever and whenever possible." Toyota and Volkswagen had not responded by publication time.
In 2013, there was a series of keyless car break-ins in L.A., with eight cars burglarized. In the fall of 2014, the Society of Motor Manufacturers and Traders, an industry group in the UK, warned that "organized criminal gangs are increasingly targeting high-end cars with keyless security systems." That same year, the U.S. National Insurance Crime Bureau issued a similar warning. And last month, New York Times columnist Nick Bilton saw two teenagers use a "black device" to break into his keyless Prius while he and his keys were in his house. A few of his neighbors had experienced such attacks too. At the time, Danev told Bilton that the gizmos that thieves could use to steal your keyless-entry car were available on Amazon and eBay for as little as $17.
"The problem really exists, and it's getting bigger and bigger," said Aurélien Francillon, a security researcher at EURECOM who previously worked with Danev. Some insurance companies are now even refusing to cover drivers with keyless ignitions because they pose a high theft risk.
After his success breaking into cars wirelessly as a grad student, Danev's been working to make cars more theft-proof. In 2012, he started a security company, 3DB Technologies, that seeks to combat the amplifiers potential thieves would use. Instead of detecting the mere presence of an incoming signal, the chip he's built is a frequency reader that can detect how close a key actually is to the vehicle.
With his system, your car would send tiny pulses of energy with super short durations and a specific range of frequencies. The content of the encrypted message, which works kind of like a password, changes each time you try to unlock your car. The key would "reply," bouncing the signal back to the car, which would decrypt the message and measure the exact time of arrival. It's a little bit like counting how long it takes you to hear thunder after you see a lightning bolt to figure out how far away it struck, just much more precise.
Using that time measurement, the system can figure out how far away you and your keys really are. If it’s beyond the set limit, it won’t open. So, say your key is about a yard away, that should take the system about three nanoseconds to detect, given the frequency of the signal. If an attacker with an amp was about 100 yards away, the measured elapsed time would be 300 nanoseconds. (A nanosecond is 1/1,000,000,000th of a second.)
Because that timestamp is part of the key here, "the only way for the attacker to trick the system is if he is able to transmit the signal faster than the speed of light, and this is impossible," Danev told me. "This should make the system bullet-proof secure. The attacker should not be able to trick the system." Bilton’s car and his neighbors' would have been safe, says Danev.
But anyone in security knows that a "bulletproof system" is like a unicorn; it doesn't exist. A thief could simply steal your key, for instance. And when I pressed Danev, he admitted that the system could be fooled if a thief cloned your key. If a perp was close enough to your car with the impostor key, it would have no way of knowing it was a fake.
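The timing check described above, and the cloned-key limit, can be sketched from the car's side as follows. This is an added example, not 3DB Technologies' design or code from the original article: an HMAC over a fresh random challenge stands in for the changing encrypted message, and the 2-yard limit, the 50 ns key turnaround and all names are assumptions.

```python
import hashlib, hmac, secrets

C_M_PER_S = 299_792_458    # speed of light
YARD_M = 0.9144
MAX_RANGE_YD = 2.0         # assumed unlock limit (not from the article)
KEY_TURNAROUND_NS = 50.0   # assumed fixed, known reply delay inside the key

def one_way_ns(distance_yd):
    """Time for a radio pulse to cover distance_yd, in nanoseconds."""
    return distance_yd * YARD_M / C_M_PER_S * 1e9

def key_reply(secret, challenge):
    """Key side: answer the car's fresh challenge with a keyed MAC."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class Car:
    def __init__(self, secret):
        self.secret = secret
        self.pending = None

    def new_challenge(self):
        self.pending = secrets.token_bytes(16)   # changes on every attempt
        return self.pending

    def verify(self, response, round_trip_ns):
        challenge, self.pending = self.pending, None   # single use
        if challenge is None:
            return "reject: no pending challenge"
        if not hmac.compare_digest(key_reply(self.secret, challenge), response):
            return "reject: bad response"
        # Only the time spent in the air counts toward distance.
        flight_ns = (round_trip_ns - KEY_TURNAROUND_NS) / 2
        distance_yd = flight_ns * 1e-9 * C_M_PER_S / YARD_M
        if distance_yd > MAX_RANGE_YD:
            return "reject: key too far (%.0f yd)" % distance_yd
        return "unlock"

def attempt(car, key_secret, distance_yd, relay_delay_ns=0.0):
    """Simulate one exchange; a relay can add delay but never remove it."""
    challenge = car.new_challenge()
    response = key_reply(key_secret, challenge)
    rtt = 2 * one_way_ns(distance_yd) + KEY_TURNAROUND_NS + relay_delay_ns
    return car.verify(response, rtt)

if __name__ == "__main__":
    secret = secrets.token_bytes(32)             # constructed shared secret
    car = Car(secret)
    print(attempt(car, secret, 1))               # owner beside the car
    print(attempt(car, secret, 100))             # amplified key in the house
    print(attempt(car, secret, 1))               # cloned key held nearby
```

The third call unlocks because a key holding the same secret at close range is indistinguishable from the original, which is the limit Danev concedes.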
"It's not going to solve all the problems for car security, but I believe that the convenience of passive key systems cannot be kept unless you have better security. Right now, the security systems on these cars are very bad," Danev's former collaborator Francillon said. "It for sure would prevent many of the possible attacks."
Danev has started pitching his technology to car manufacturers in the U.S. and Europe, including Chrysler, Audi, Volkswagen and Mercedes Benz, he says. Insurance companies, he said, are also interested. But the actual testing of the device is just beginning. He's hopeful that car manufacturers will implement his technology in future models.
Daniela Hernandez is a senior writer at Fusion. She likes science, robots, pugs, and coffee.