Using a $300 software-defined radio, a security researcher says he has figured out how to take control of some of Ford’s newer and higher-end cars and trucks.
Through a radio frequency capture-and-manipulation technique he described to The Parallax, Dale “Woody” Wooden, the founder and president of Weathered Security, says a hacker could unlock a Ford vehicle, interfere with its onboard computer systems, and even start its engine. A successful hack on its own isn’t likely to result in stolen vehicles, however: Wooden’s exploit does not deactivate a car’s immobilizer.
Wooden’s methodology is unusual for this kind of key fob replay attack. “I’ve never heard of someone using multiple key fobs and manipulating the protocol in the RF spectrum by having the receiving machine reset its rolling codes,” he says.
Wooden says the vulnerability he’s learned to exploit affects the key fobs of 2019 Ford F-150 Raptors and 2019 Ford Mustangs, which use a radio frequency in the lower 900MHz spectrum, and the key fobs of at least one slightly older model, the 2017 Ford Expedition, which uses 315MHz.
As seen in the video below, Wooden demonstrates the hack working from the third-floor balcony of a hotel within eyesight of a 2019 Ford Mustang test car. Wooden describes himself as a proud owner of a 2019 Ford F-150 Raptor pickup, on which he also successfully tested the hack.
The exploit, which Wooden says works as long as the car can receive the key fobs’ signal, entails three steps. First, a hacker uses a software-defined radio to record the rolling code signal a key fob sends to a car, during the moment a car owner presses the unlock button on her “Key Fob 1.” The signal changes slightly every time one of the buttons on the key fob is pressed.
The hacker then replays the signal from the software-defined radio. This signal replay disables Key Fob 1’s ability to remotely control the car: It can no longer lock or unlock the doors, open the trunk, or start the engine. (At this point, Key Fob 1 still works for keyless entry or starting the engine, but only when in close physical proximity to the vehicle and without active interaction with the key fob.)
Next, the hacker waits for someone to use Key Fob 2, which should still normally function. During a brief window after the person presses a button on the fob, the hacker replays the signal he recorded from Key Fob 1. (Wooden says this signal-capturing and -replaying process can be automated, making the hack much more of a passive process than an active one.)
In response to receiving the older signal from Key Fob 1, the car’s body control module resets the counter on Key Fob 1’s rolling code signals to the car. This process, however, does not reactivate Key Fob 1.
READ MORE ON CAR HACKING
Hackable software in the driver’s seat: The state of connected car security
Karamba’s bold quest to secure connected cars
Next up on hackers’ IoT target list: Gas stations
How to protect what your car knows about you (opinion)
Uber, self-driving cars, and the high cost of connectivity (opinion)
How Uber drives a fine line on security and privacy
At this point, the attacker can replay any signal recorded from Key Fob 1, and it will work, as long as the signals are replayed in the same order they were recorded. There is no time limit as to how long the signals will work, Wooden says; resetting the key fob is the only way to regain its functionality and stop the attack—and even then, the attacker could use the recordings to regain control of the fob.
Once these steps are complete, the hacker has effectively faked the key fob’s functions: When he plays the signal he recorded for unlock, the car unlocks. On the latest Ford Raptors and Mustangs, these options include locking and unlocking the doors, starting the engine, opening the trunk, and setting off the alarm.
If your Ford has been hacked using this technique, Wooden says, you’d probably notice that a key fob has suddenly stopped functioning. And if it has been hacked, the only way to stop a hacker from using recorded signals to control the car is to reset Key Fob 1.
While a visit to a Ford dealership would do the trick, Wooden says owners of 2019 Ford F-150 Raptor can reset fobs themselves by removing the center cup holder’s plastic insert to access a compartment used to program the key fobs. Placing the disabled fob in that compartment and then starting the vehicle will reset the key fob, he says.
Wooden believes that by changing the key fob frequency to the 900MHz range, and disabling key fobs, Ford has been “aggressive” in its attempts to stop replay attacks, even as he felt frustrated by what he described as a slow response to his claims.
“I want car engineers to start to think about the other side of what they do,” he says. “[Ford] had put safety precautions in place. If you had come at [these cars] with a standard replay attack, it wouldn’t work.”
In an emailed statement to The Parallax, Ford representative Karen Hampton did not respond to specific questions about Wooden’s hack.
“At Ford, we take the security of our customers’ vehicles seriously. We have assembled a world-class team and robust processes to help ensure that security is maintained as new threats arise and vulnerabilities are discovered,” she wrote. “As a matter of policy, we do not comment publicly about the actions we are taking to ensure this security.”
Wooden has requested that The Parallax not publish more specific details of the hack, as Ford has yet to address it.
“I have seen [the same] chips used on a large array of vehicles. I’ve opened all of them up.”—Samy Kamkar, independent cybersecurity researcher
Wooden’s warnings to Ford went unanswered until he emailed Executive Chairman William Ford. The company’s initial response to Wooden, in February, expressed concern but did not indicate how it would address the exploit—if at all.
“We greatly appreciate your letting us know that you are able to enter and start your new Ford F-150 Raptor using your computer. I have personally forwarded your note to our customer service team for their immediate review,” Mary Culler, Ford’s chief of staff, wrote Wooden in an email on February 22. “A member of the team will be in touch with you as soon as possible. Thank you again for letting us know about this issue.”
The company has since updated its public cybersecurity bug bounty with HackerOne to include hacks of vehicle hardware, including key fobs. It has also given Wooden a $500 gift card to its online gift shop, which offers a selection of Ford-branded baseball bats, keychains, Bluetooth earbuds, and Lego sets.
The only way to address the key fob vulnerability, Wooden says, is to replace the lock system and protocol on every Ford that uses the same key fob system as the vehicles he tested: the 2017 Expedition, the 2019 F-150 Raptor, and the 2019 Mustang.
Car-hacking expert Matthew Carpenter, who heads up embedded-system security research for cybersecurity company Grimm, says Ford and other carmakers need to take key fob replay attacks more seriously.
Replay attacks are the most common form of car hacking, he says, but their severity depends on what the hacker could potentially force the vehicle to do; how much technical expertise a hacker needs to successfully complete the attack; and what kind of equipment the hack requires.
Carpenter likens Wooden’s exploit to threading a needle. “It requires access to another key fob that is valid, just to put it into the state of resyncing the fob,” he says.
That makes it a more difficult hack to replicate, he says, but far from impossible. It’s also far from impossible to perform the same hack on a reset key fob, Carpenter notes. And once a hacker unlocks the doors and starts the vehicle’s engine, he says, it’s not hard to imagine the hacker finding a way to disable the immobilizer and drive off. Such attacks are currently considered nontrivial and highly dependent on the make, model, and year of the vehicle, but nevertheless achievable.
Samy Kamkar, an independent security researcher and expert in radio frequency hacking, says that given how manufacturers tend to reuse chips, it’s likely that this hack works on “25 percent” of Ford’s vehicles—and possibly other manufacturers’ vehicles.
“I have seen [the same] chips used on a large array of vehicles,” Kamkar says. “I’ve opened all of them up.”
Carpenter says changing how the car interacts with the key fob requires changing the car’s body control module.
“Ford should never invalidate the key fob just because the vehicle received a replay of the message from the fob,” he says. Whether the vulnerability resides in an unintentional security design error or is easy to address, he says, this kind of hack “probably requires somebody taking the vehicle in” to the dealership.
In other words: a recall.
Update on May 6 at 5:25 p.m. PDT: Added clarification on car-hacking possibilities from Matthew Carpenter.
Correction on May 3 at 10:05 a.m. PDT: A previous version of this story reported William Ford’s title incorrectly. He is the company’s executive chairman.