Toyota, Mazda, Hyundai and Kia car hack vulnerability discovered

After years of feeling like our cars are reasonably safe from thieves with coat hangers and metal rulers thanks to encryption technology, clever computer hackers are finding frightening new ways to make motor-vehicle theft easy again, with one recently discovered software failing making millions of Toyotas, Hyundais and Kias potentially vulnerable.

Car owners in the US have been particularly vulnerable to so-called “relay attacks” in recent years, which sees hackers cracking cars with keyless entry by breaking the wireless codes that open the door, and even start the car. The latest nefarious trend, however, potentially effects millions of more affordable vehicles with chip-enabled physical keys.

A report in Wired magazine exposes the fact that a few cryptographic flaws, combined with some old-fashioned hot-wiring, “or even a well-placed screwdriver” – allows hackers to clone those physical keys and drive away some Kias, Hyundais and Toyotas in seconds.

Researchers from the University of Birmingham and KU Leuven in Belgium have revealed vulnerabilities they found in the encryption systems used by immobilisers, which allow your car to speak to your key, allowing it to unlock the ignition and start the engine.

The problems were found in the way Toyota, Hyundai and Kia implement a particular encryption system made by Texas Instruments called DST80.

These flaws allow any clever hacker, with what’s called a “Proxmark RFID reader”, near the key fob of any car with the DST80 software to rip off enough information from that key to work out its “secret cryptographic value” – its electronic key signature, basically.

The hacker would then be able to use the same RFID (Radio-Frequency Identification) reader to impersonate the key, trick the immobiliser and start the car.

The effected models include the Toyota Corolla, FJ Cruiser, Camry, Highlander, HiLux, LandCruiser, RAV4 and Yaris, plus the Kia Ceed, Rio, Soul, Optima and Picanto, and Hyundai’s i10, i20, Veloster and i40.

The software problem did also affect Tesla’s Model S, briefly, but when the company was informed of the vulnerability it pushed out a software update to all affected vehicles which effectively blocked the attack. Clever.

To pull off the RFID theft, a hacker has to get physically close to you and your key – just an inch or two from the fob to read it, apparently – which isn’t going to be easy. And because the technique targets the immobiliser, the thief will still need to somehow turn the ignition barrel without a physical key, which is also tricky, but the researchers point out that a car thief could use a screwdriver to turn the barrel, or hot-wire the ignition instead, just like the bad old days, before technology.

“You’re downgrading the security to what it was in the ’80s,” University of Birmingham computer science professor Flavio Garcia explained.

Toyota in the US confirmed to Wired that the cryptographic vulnerabilities were real, but added that “the described vulnerability applies to older models, as current models have a different configuration”.

After being contacted by CarsGuide, Toyota Australia said it had been informed of the research and that “we acknowledge its technical accuracy”.

A Toyota spokesman added: “We are currently investigating if the specific vulnerability applies to Australian vehicles, noting that this vulnerability constitutes a low risk for customers, as the methodology requires both access to the physical key and to specialised components.”

The researchers who found the flaws disagree, however, noting that no part of their research required hardware that wasn’t publicly available.

Just to nerd out for a moment, the problem isn’t with the Texas Instruments encryption so much as the way the car companies in question chose to use it, apparently. The Toyota fobs’ cryptographic key used a serial number, which was openly transmitted when scanned, making life easy for hackers.

The Kia and Hyundai fobs used just 24 bits of random-number generation, rather than the full 80 bits the DST80 makes available. “That’s a blunder,” Mr Garcia added. “Twenty-four bits is a couple of milliseconds on a laptop.”

Hyundai Australia – which never sold the effected i10 in Australia to be fair – contacted head office in Korea and came back to us with a statement: “Hyundai Motor was made aware of an alleged vulnerability in its key fob technology that was brought to our attention by researchers at the University of Birmingham and KU Leuven.

“Firmly committed to safeguarding cyber security for our customers, Hyundai Motor continues to monitor the field for recent exploits and we make significant efforts to stay ahead of potential attackers. The company has, and will continue to make progress in developing effective countermeasures to mitigate any potential concerns around vehicle cyber security.”

Kia Australia, meanwhile, said it was aware of “allegations” made in relation to data hacking for manual key fobs in some models in overseas markets.

“Kia takes the security of our owners seriously,” a spokesman said. “While continuing to monitor the situation, KMAu is unaware of any such breaches in Australia.”

It’s worth noting, of course, that while the number of car thefts has fallen over the past decade, according to Budget Direct, a car is still stolen in Australia every 10 minutes. According to carsafe.com.au, there were 58,285 motor vehicle thefts in 2019, up from 53,483 in 2018.

The figures do show that modern technology works better than the old however, with the average age of cars being stolen in Australia being around 12 years.