Two Tata Tiago keyless entry systems unlocked by same key (Video) – We explain how

What do you do when you go to open your car, and someone else's car opens? Yes, it can happen to anyone.

This is what we were alerted to on a sleepy Sunday while waiting for F1. Mayur Nath Reddy's Facebook post read as follows: 'It's a security concern with Tiago I wanted to share here. I found out that my Tiago is getting opened up with the remote of another car!!! Can this be expected from Tata?? How to escalate the issue? The service centre guys say it can be rectified. What's the guarantee it doesn't open up with any other remote in future!!! Kindly give some suggestions.' So, keyless entry systems are vulnerable? Evidently yes, but can they cause real damage? Most likely not.

[Update – Both Tata Tiago hatchbacks were delivered by the KHT Motors dealership and carry sequential chassis serial numbers (70195 and 70196). The logical explanation is that at the time of pre-delivery inspection (PDI) the key was not reprogrammed as part of the dealer's final check before handover. It is also true that the matter came to light only because both owners live in close proximity: the other owner parks his car at least once a week to eat at a nearby eatery next to the entrance of Mayur's building, and both cars happened to be parked close by on the day. With both cars responding to one remote, Mayur was alerted and the video below was filmed.]

Mayur further elaborates. 'Yaa… it was captured on my CCTV. My security guy has been informing me for a month. I didn't believe it at first. Then he noted the time when the other car came the next time. I was shocked to see the CCTV footage. This time yesterday, I was called when the other car came. But it was the owner's friends who got it this time. So I neglected to take the contact number.'

Key fobs are a cost item procured by OEMs and factored into a car's selling price, which manufacturers keep as competitive as possible. Buying in bulk can also mean that not the entire sequential code range is in use, which shrinks the number of distinct codes in circulation and raises the chance of two fobs ending up identical. All remotes for a given model already transmit on the same radio frequency; what is supposed to tell them apart is the identity programmed into each fob and paired with its car. If two cars accept the same fob, reprogramming (re-pairing the fob to the correct car) is the remedy.

Given the limited number of code sequences some manufacturers use, a match is not implausible; Honda, for instance, is cited as using 3,500 different combinations. The chance of actually noticing one is much lower, though: a duplicate only shows itself when both cars are within radio range of the same remote at the same moment and one of the drivers presses the button.

Keyless entry systems use a rolling code (also called a hopping code) to thwart replay attacks, in which an attacker records a transmission and replays it later so that the receiver 'unlocks' on a code it has already accepted.

The biggest flaw in the early years was that any key could open any door: remotes transmitted the same fixed code, just as the first keyless garage-door openers did.

DIP switches, a set of eight manual electrical switches grouped on a printed circuit board, then made it possible to set a matching code in the transmitter and the receiver. Eight switches give 2^8 = 256 possible codes. This solved part of the problem but did not eliminate the chance of unlocking someone else's door.

Modern keyless entry systems use a much longer sequence of numbers produced by a pseudorandom number generator (PRNG). A 40-bit code gives upward of a trillion (2^40, roughly 1.1 × 10^12) different combinations if the entire sequence is in use. Most importantly, the radio-frequency (RF) information is encrypted on both the transmitter and the receiver side. When a remote is used, the transmitter sends its current code, which is essentially the 'next' code in a long sequence.

When the button is pressed, the transmitter sends its current code. The receiver accepts it if it matches the code the receiver expects next. Both sides then 'roll' (hop) to a new code using the same PRNG: the transmitter generates the next code and commits it to memory, and the receiver, having accepted the current one, runs the same PRNG from the same seed to produce the same next code. This keeps the two code sequences synchronised. If the receiver missed a transmission (say, the button was pressed out of range), it compares the received code against the next 256 codes in its sequence and resynchronises on a match. Even with these measures in place, the scheme can be attacked.

Is it possible to crack keyless entry systems? Yes, and it has been demonstrated.

Samy Kamkar's DEF CON 23 talk, 'Drive it like you Hacked it', explains how. Kamkar built an inexpensive handheld electronic device that is easy to conceal in close proximity to a locked car.
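The following simulation, added here and not code from the original article, from Tata or from Samy Kamkar, puts the rolling-code mechanism described above into runnable form: a fob and a car share a seed, both roll to the next code after each accepted press, the car tolerates missed presses with a 256-code lookahead window, and a straight replay of an already-accepted code is refused. It also reproduces the incident in this article (two cars left paired to the same fob data accept the same remote) and the trick Kamkar's device uses (a publicly documented fact about that talk, not something this page spells out): jam the car so it never hears a press, record that code, then hand it to the car later while the owner's second press is still unused. The keyed hash (HMAC-SHA256 over a counter) standing in for the encrypted counter of a real system, and the serial numbers, keys and the `Fob`/`Car` classes are all assumptions of the example.

```python
"""Rolling-code (hopping-code) remote simulation. Added example, not the
article's, Tata's or Kamkar's code. The 'PRNG' is HMAC-SHA256 over a
counter, a stand-in for the encrypted counters real systems use."""
import hashlib
import hmac
import secrets

WINDOW = 256  # receiver resynchronises if the code is within the next 256


def next_code(key, serial, counter):
    """Code number `counter` of the shared pseudorandom sequence (40 bits)."""
    msg = serial.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:5]


class Fob:
    """Transmitter: holds the secret, its serial and the current position."""

    def __init__(self, key, serial):
        self.key, self.serial, self.counter = key, serial, 0

    def press(self):
        """Transmit (serial, current code) and roll to the next code."""
        code = next_code(self.key, self.serial, self.counter)
        self.counter += 1
        return self.serial, code


class Car:
    """Receiver: one entry per paired fob, serial -> [key, expected counter]."""

    def __init__(self):
        self.paired = {}

    def learn(self, fob):
        """Pairing step (what PDI should do): store key and sync the counter."""
        self.paired[fob.serial] = [fob.key, fob.counter]

    def receive(self, serial, code):
        if serial not in self.paired:
            return False
        key, expected = self.paired[serial]
        for offset in range(WINDOW):  # lookahead for missed presses
            if hmac.compare_digest(code, next_code(key, serial, expected + offset)):
                self.paired[serial][1] = expected + offset + 1  # roll past it
                return True
        return False  # already used (replay) or beyond the window


def demo_normal_and_replay():
    """Normal press, replay of it, resync after 10 missed presses, then a
    press that falls outside the 256-code window."""
    fob, car = Fob(secrets.token_bytes(16), 70195), Car()
    car.learn(fob)
    serial, c1 = fob.press()
    first = car.receive(serial, c1)
    replay = car.receive(serial, c1)      # same code again: refused
    for _ in range(10):                   # presses the car never hears
        fob.press()
    serial, c2 = fob.press()
    resync = car.receive(serial, c2)      # within WINDOW: accepted
    for _ in range(WINDOW):               # too many missed presses
        fob.press()
    serial, c3 = fob.press()
    too_far = car.receive(serial, c3)     # outside WINDOW: refused
    return first, replay, resync, too_far  # (True, False, True, False)


def demo_shared_pairing_two_cars():
    """The incident in the article: two cars left paired to identical fob data."""
    fob = Fob(secrets.token_bytes(16), 70195)
    car_a, car_b = Car(), Car()
    car_a.learn(fob)
    car_b.learn(fob)  # dealer never re-paired the second car to its own fob
    serial, code = fob.press()
    return car_a.receive(serial, code), car_b.receive(serial, code)  # (True, True)


def demo_jam_and_replay():
    """Kamkar-style attack: jam so the car misses press 1, record it; record
    press 2 too and forward press 1 so the owner gets in; press 2 still works."""
    fob, car = Fob(secrets.token_bytes(16), 70195), Car()
    car.learn(fob)
    serial, c1 = fob.press()             # jammed: car never receives c1
    serial, c2 = fob.press()             # jammed again; attacker now holds c1, c2
    owner_in = car.receive(serial, c1)   # attacker forwards c1: owner gets in
    later = car.receive(serial, c2)      # attacker uses c2 later: still fresh
    again = car.receive(serial, c2)      # c2 now consumed: refused
    return owner_in, later, again        # (True, True, False)
```

The lookahead window is what makes both the resync and the jam-and-replay work: a code the car has never seen stays valid until the counter rolls past it, so the defence against the stolen second press is the owner pressing again, which is exactly what the rolling scheme on its own cannot distinguish from a missed press.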

While the demo shows that such an attack is possible, thefts carried out this way are not widespread. Keyless entry systems in use today are protected by rolling codes and cryptography, which makes them difficult to crack, and harder still to drive away with, especially when combined with smart-key capability.