At the Embedded Security in Cars conference in November 2010, Karsten Nohl of Security Research Labs in Germany presented information which highlighted his concerns about the security of vehicle immobiliser systems.
Last year he was able to uncover the algorithm of the encryption key in a widely used immobiliser, allowing any vehicle using that algorithm to be easily de-immobilised. This attack was targeted at the transponder communications.
There are several encryption methods being used by OEMs for the communication between the transponder and the immobiliser system and there has been a clear progression in transponder technology over recent years:
Source: Karsten Nohl, Embedded Security in Cars Conference (ESCAR), November 2010
Many OEMs have been slow to adopt the latest technology. The most commonly used transponders have 40- or 48-bit encryption keys and were shown to be insecure as far back as 2005. Karsten Nohl was able to break these systems in just 6 hours, claiming that “the encryption key was way too short.” The fitment of the recommended 128-bit Advanced Encryption Standard (AES) systems is still limited to a small number of vehicle manufacturers.
“Even before the research released in 2005 by RSA laboratories, TI worked with customers and released transponders with higher levels of security. By supplying the extended key length AES 128-bit transponders for car immobilisers, TI is providing one crucial element of the complete immobiliser system,” says Klaus Seiberts of TI.
However, this part of the system is in fact relatively secure anyway, and although attacks are possible, it is not the weakest link in the chain. SBD’s database of theft tools shows that there are many key copying machines in existence, but there are more tools targeted at the on-board electronics where prior access to the driver’s original key is not required.
“To our knowledge the direct causal link between the failure to adopt AES systems and the rise in car theft cannot be drawn,” Thomas Rudolph of NXP told New Scientist.
Despite this, NXP and Texas Instruments, the two largest suppliers of transponders for the automotive industry, are now phasing out their older encryptions and already offer 128-bit Advanced Encryption Standard (AES) which would provide adequate security to avoid immediate concerns of hacking the transponder algorithms.
SBD believe that the real concern lies with the lack of security at the ECU side of the immobiliser system. The Engine Management ECU, along with a large array of other ECUs, is interconnected via the vehicle’s internal network, which uses less secure encryption than the transponder verification.
It is possible to access the network through the OBD port within the vehicle, via direct connection to CAN lines accessed from outside the vehicle, and in the future potentially via wireless communication links. The security provided by the transponder (whether 40-bit or 128-bit) is completely bypassed and the ECU software can be compromised. Thieves have already developed tools that can plug into the OBD port to reprogram ECUs and new keys.
SBD will look further into the effects of vehicle hacking (direct interference with a vehicle communication system to access software) in report 2312: ‘Can Thieves Control My Car?’ to be released in 2011. For more information on the methods of theft being utilised by criminals today, please see Vehicle Crime in the 21st Century or contact Juanita Appleby on jappleby@sbd.co.uk.