RFID-Based Vehicle Networks: Security Risks That Cannot Be Ignored

- Sep 27, 2018-

In recent years, with the rapid development and spread of terminal and network devices such as smart wearables, smart home appliances, and smart routers, the share of cyberattacks aimed at IoT smart devices has been rising. By exploiting vulnerabilities in these devices, attackers can gain control of them, steal user data, or take over related IoT devices for illegal purposes. Today we focus on the security risks of the car's keyless entry system.

According to the "China Internet Station Development Status and Safety Report (2017)", CNCERT carried out online monitoring and analysis of the security of Internet of Vehicles systems and found that some vehicle network information service providers and related products have security vulnerabilities. These can lead to the leakage of vehicle, location, and owner information, and to remote control of vehicles.

Keyless entry and keyless start were originally options found only in high-end cars; today they are standard on most mid-range and even low-end models. As these functions spread, vehicle security faces a new challenge: the car becomes more prone to the "key never leaves the owner, yet the car is driven away" scenario.

I. The basic principle of the keyless entry system

1. Built-in low-frequency antennas receive the signal

A vehicle fitted with a keyless entry system actually has 5 to 6 low-frequency antennas built in. Each is in fact a coil winding on a core of ferrite or a similar high-permeability material, and can be treated as an inductor. Because the frequency and the power are both low, the communication distance is very limited, which is why the key is only sensed and the door-opening command only triggered when the driver is within 1-2 meters of the vehicle. According to electromagnetic theory, at such a low frequency this distance lies essentially in the Fresnel (near-field) region, where the magnetic field is the main component, so the coupling is mainly inductive. The antennas are usually placed one in each of the left and right doors, two inside the cabin, one in the trunk, and one in the rear bumper.

2. Working process

First, a low-frequency alternating voltage drives a resonant circuit formed by the antenna and a capacitor (generally at 125 kHz; a few manufacturers use 134 kHz or other frequencies, but these are rare). Low frequency is used because a low-frequency resonant circuit produces a magnetic field rather than an electric field, and, importantly, the range of a magnetic field is easy to control. What we are really talking about is RFID technology. (What is RFID? Everyone knows the bus card, which is what people call contact RFID, and ETC, which is called non-contact RFID; the general term is radio frequency identification.)

During vehicle design, the coverage of each antenna is set by adjusting the supply (drive) voltage of the in-vehicle system: the covered area is the region where the field strength is >= B, with B the boundary field-strength value, in other words a circle centered on the antenna with B defining its radius. With appropriate settings, the different areas are divided by function. For example, the area inside the cabin is used for keyless start, the trunk area for trunk detection, the rear-bumper antenna for trunk-opening detection, and the areas covered by the two door-handle antennas for unlocking the doors on either side.

When the owner, carrying a legitimate key, triggers the corresponding function (the button on the door handle, the capacitive sensor inside the handle, the one-button start switch in the cabin, or the trigger button on the rear hatch), the corresponding antenna is driven to search for a legitimate key within its coverage. When the key receives the low-frequency trigger command, it returns authentication information to the vehicle ECU over radio frequency. The ECU decodes and decrypts this information, and the corresponding function is executed once the credential checks out.

Of course, to conserve the car's battery, the antenna only transmits the low-frequency signal at intervals. After the vehicle has started, the cabin antenna reduces how often it searches for the key, or even stops searching altogether. If the key suddenly cannot be found while driving, does the car cause a dangerous accident? The answer is definitely not. In the current design of such keyless systems, if the key is detected to be absent from the car, at most an alarm sounds; the car will then simply not restart once the engine has been switched off.

In plain language, a keyless entry system means that the vehicle constantly searches for (calls out to) the car key with low-frequency radio signals. When the key hears the call (receives the radio signal), it sends back a response message, and the door-opening operation is performed.

II. How "the key stays with the owner, yet the car is driven away" is achieved

In general, the sensing distance of a car with keyless entry and start should be about one meter. Through a radio relay operation, however, the key's effective sensing distance can be extended to tens or even hundreds of meters. This means that while the owner is away from the car, the door may still be opened by others, causing property loss, and the car may even be driven away.

In the demonstration, the driver got out of the car, locked the door, put the key in his pocket, and walked away until he was several tens of meters from the vehicle. Two experimenters took the roles of following the owner and driving the car. The one following the owner carried a small tool shaped like a power bank that picked up the signal from the owner's key.

The other experimenter stood next to the driver's door carrying a tool that received the forwarded signal. When the tool's indicator light came on, he pressed the sensor button on the door handle, the door opened smoothly, he sat down in the driver's seat, and started the vehicle. In just one or two minutes, by the time the owner turned around, the car was already far away.

In general, the weaker the encryption of the protocol, the higher the probability that the door can be opened by relaying (extending) the signal. For this reason, a more strongly encrypted RFID communication protocol is recommended.
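The search-and-respond exchange from part I and the relay scenario from part II, as an added simulation that is not part of the original article: the ECU issues a fresh challenge over LF, the key answers over RF with a keyed MAC (standing in for the encrypted authentication data), and a relay pair forwards both messages unchanged. All names, the shared secret and the latency figures are constructed for this example. It goes one step beyond the text by also showing the check a defender would want alongside stronger encryption: because the relay forwards the messages byte for byte, the cryptographic check alone still passes, and only a bound on the round-trip time of the reply flags the relayed exchange.

```python
import hmac
import hashlib
import secrets

# Constructed demo values, not taken from any real vehicle or protocol.
SHARED_SECRET = b"constructed-demo-secret"
MAX_RTT_US = 400   # assumed round-trip budget for a key within ~1-2 m of the antenna


class KeyFob:
    """The key: wakes on the LF (125 kHz) trigger and answers over RF."""
    def __init__(self, secret):
        self.secret = secret

    def respond(self, challenge):
        # Keyed MAC over the car's challenge stands in for the key's encrypted credential.
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


class CarECU:
    """The vehicle side: drives the LF antenna with a fresh challenge and checks the reply."""
    def __init__(self, secret):
        self.secret = secret

    def challenge(self):
        return secrets.token_bytes(8)   # fresh nonce per search, so an old reply cannot be replayed

    def verify(self, challenge, response, rtt_us=None):
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False, "authentication failed"
        # Optional extra check: a reply that arrives later than a nearby key could answer.
        if rtt_us is not None and rtt_us > MAX_RTT_US:
            return False, "reply too slow: possible relay"
        return True, "unlock"


def run_exchange(relay_us=0, check_timing=False, link_us=60):
    """One search cycle. relay_us > 0 models a relay pair carrying both directions between
    the car and a distant key; the challenge and reply are forwarded unchanged."""
    ecu, fob = CarECU(SHARED_SECRET), KeyFob(SHARED_SECRET)
    c = ecu.challenge()
    r = fob.respond(c)                  # relay hands c to the key and r back, byte for byte
    rtt = 2 * link_us + 2 * relay_us    # each relay hop adds delay in both directions
    return ecu.verify(c, r, rtt if check_timing else None)


if __name__ == "__main__":
    print("direct key, crypto only:    ", run_exchange())
    print("relayed key, crypto only:   ", run_exchange(relay_us=3000))
    print("relayed key, with RTT bound:", run_exchange(relay_us=3000, check_timing=True))
```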

In the information age everything can be broken, and people need to strengthen their information security. Owners do have ways to defend themselves, such as keeping the car key in a tin-foil-lined box that shields the signal, but this is very inconvenient in daily use. The most fundamental solution is therefore better encryption, a better protocol, and improved modules on the vehicle side.