Mid-engine Vette gets mid-battery key fob.
How to protect your 2012+ Ford from key fob hacking
“Vault-like” doors. “Drives like a tank.” “The damn thing is bullet-proof.”
We talk about our cars as if they’re war machines, ready to shrug off the world’s problems like raindrops rolling off the windshield. The irony is that they’re often insecure. The simplest of tools can find a way through the door jams of every automobile made to date. A mobile castle to us is a trivial puzzle for cyber attackers. “Criminals are getting extremely high-tech,” says Dale “Woody” Wooden, a 20-year Navy veteran and founder/CEO of Weathered Security.
Woody has spent the last year or so chiseling away at the layers of security in his 2019 Ford Raptor. What he’s discovered is a hack for 2012+ Ford models, including the perennially popular F150 and Mustang, that can lock out an owner’s key fob and gain complete access to the vehicle. Woody is something of a “white hat” hacker himself, who publishes the vulnerabilities he finds instead of utilizing them for nefarious purposes. What he figured out in these late-model Fords was a method of replaying key fob commands back to the vehicle that can gain the hacker unfettered access to the given car or truck.
“When I first reported this, one of the responses I got was, ‘Well, we just don’t think this is a vulnerability that most people would take advantage of,’” Woody says. “And I said, ‘Well, obviously you’ve never been through a divorce.’ I use that [analogy] because it’s amazing the lengths that people go through during those to be able to gain information and be able to figure things out.”
Exploiting this automotive weakness doesn’t require going to any great lengths, either. Before we get into the hacking portion, however, we’ve got to explain how your typical key fob works. When you press a button, such as “unlock,” the key fob broadcasts a message comprised of several parts. The vehicle listens for these messages on specific frequencies and breaks down the message to identify which key fob is transmitting (each vehicle comes with a minimum of two key fobs), what the command is, and what hexadecimal number the rolling code is reporting.
Rolling code is the first line of defense against basic replay attacks. It spits out a hexadecimal value using a formula to randomize the code, and the vehicle keeps track of the transmitted codes to ensure each one matches a value the vehicle is expecting while also rejecting any duplicate rolling code values. Prior to this, vehicles used a static ID code to match a key fob to a vehicle, which made recording and replaying the lock and unlock sequences dangerously simple. As CAN-bus integration became common—which stands for Controller Area Network, and is roughly analogous to a car’s digital nervous system—so did keyless entry and push-button starters. We started to see an evolution in the complexity of key fobs as they became more than just a convenient way to unlock doors.
“I was in the military for 20 years and I started exploring technology when I got out,” says Woody. “I started to teach myself about wifi, Bluetooth, then software-defined radios (SDRs). Then I started getting into light—like infrared, invisible light—and found ways to exploit it. After that I started getting into vehicles. So I’ve looked at [everything] from garage door openers to wireless thermometers and vehicle key fobs. The majority of my time is probably spent with SDRs. I spent a good amount of time looking at radio frequency (RF) signals and figuring out can it be replayed, is it using rolling code, what type of modulation is it—things to that effect.”
SDRs are just that—radios that you control with software instead of with buttons and switches. These devices can record, analyze, and play radio signals, and are excellent tools for both studying and manipulating RF vulnerabilities.
Woody began to wonder whether you could exploit a vehicle by pitting the pair of factory key fobs against each other to see how the vehicle responds to the different rolling codes. Luckily for him, Woody had just picked up a 2019 Ford Raptor, so he had all the time he could ask for to poke and prod the Blue Oval vehicle’s security. Unfortunately for Ford, Woody is a pretty clever guy.
On every single wireless device around you is an FCC ID number, which leads you to a wealth of online documentation thanks to The Man’s regulatory testing and public information. To ensure the device is operating within the frequency range and power allowed, the FCC tests everything that transmits and receives a radio signal, and important details, like the operating frequencies, are ready to download in .pdf form. What’s amazing is that you don’t even need physical access to the key to find the FCC ID; you can typically find it in the item description of almost any online store that sells key fobs—but we’ll touch more on that later.
With this info in hand, Woody could tune his HackRF SDR to the correct frequency for recording key fob commands and studying what data they were trying to send to the car. If he simply replayed a key fob command (and the aforementioned rolling code) that he had already received, he found that the vehicle would deauthenticate the victim’s key. This was the first maneuver: locking you out of your vehicle.
“What I’m more concerned with is being able to do a denial of service. [Imagine] when a girl in college has walked to her car and [discovered] her key fob doesn’t work—maybe she doesn’t know how to get the manual key out and get the door open. Now she’s vulnerable to attack because now she can’t get into her car,” Woody described.
Let’s backtrack. Say you have a lifeless Explorer in your driveway after trying to unlock it with your own key fob. You’ve got a spare fob in the house—why not grab that? It’s probably just a battery issue, or something for the dealer to look at later.
Think again, because this is where Woody’s scheme gets juicy: While watching for a command to broadcast from the second key fob with an SDR, the recorded key fob signal from earlier can be replayed and reauthenticated within a certain window of time. At that point, no matter where the car was in counting the rolling code, it’ll accept anything given to it and reset its counter to the attacker’s captured rolling code. Of course, that rolling code has also been exploited, so from then on, unless the vehicle’s owner is any wiser, the attacker has access to the vehicle. Better yet, now that they can play any key fob command you have, an attacker can unlock the door and access the OBDII port under the dashboard to download your SecuriCode door combinations. Especially that pesky, factory-set master door code that doesn’t reset when you clear your personal door codes.
“That’s something that I found alarming for modern privacy, or with the current market that we have with intellectual property theft,” Woody elaborated. “A company [could] be able to plant listening devices or tracking equipment inside of a vehicle by gaining access to it.”
Let’s recap: by replaying an exact copy of your key fob’s commands, an attacker can not only lock you out of a vehicle, but in the presence of multiple key fobs, can also gain near-permanent access to its interior. While Woody hasn’t worked on the last link of the puzzle—relaying the Ford key fob’s short-range radio in order to “wake up” the car and allow it to unlock Park—the methods and tools do exist. You can find them in popular Jeep Wrangler thefts where one attacker sleuths around the house with a scanner that relays to another attacker’s radio in the vehicle that the key fob is close and allows the vehicle to drive. Many Ford key fobs go to “sleep” when they’re not in motion, which is a countermeasure to this style of an attack.
Prepare, don’t fear
We’re done pouring nightmare fuel over your late-model Ford. Here’s what you can do to be mindful of your surroundings and spot this hack.
If you ever get locked out of your car, whether due to a dead battery or dastardly attacker, simply know how to get into the vehicle manually. Practically all keyless cars have a hidden key in the fob, and somewhere around the driver’s door handle will be a traditional lock cylinder. Do you know where both are? Great. In a pinch, you can also use the SecuriCode door combo to also enter the vehicle.
Now that you’re inside your Ford, ensure that the key fob is inside your vehicle and try to start it. Depending on the vehicle, this could mean docking the key fob in a slot in the center console, which also reauthenticates the key. From there, get the hell outta Dodge. If at all possible, restrain the impulse to grab a second fob and attempt to unlock the vehicle remotely. That reflex provides the chance for Woody’s hack to sink in its teeth.
This all sounds ominous, and we’ll likely make you a little paranoid the next time that key fob needs a battery, but like Smokey Bear once said (I promise): “Only you can prevent vehicular cyber attacks!”
Quis custodiet ipsos custodes?
When we talk about our cyberpunk dream machines, we often forget the cost of technological integration. When we add a camera or sensor to support a new feature, we often don’t consider how these technologies can be leveraged against us. More curiously, many of these technologies are forced on the market through regulations, with entities like the National Highway Traffic Safety Administration setting safety equipment guidelines for automakers.
Take federally-mandated tire pressure monitoring systems, for instance. Four transmitters hide inside the wheels of a vehicle and broadcast their pressure readings to a receiving antenna inside the vehicle. These systems are no longer solely a convenience and safety reminder; they play a critical role in informing the vehicle’s ECU of critical data for stability control and autonomous driving. If tire pressures are dramatically out of spec, some vehicles will enter a limp mode—and, as you’re probably guessing, it uses radio frequencies that can be sniffed out and exploited.
“Most of those protocols do not use rolling code and I can capture or replay any of that same information,” said Woody. “So here’s the thing: where is the accountability on the manufacturing side of something that’s federally mandated? The manufacturers aren’t protecting it and it’s wide open.”
It brings up a real question of liability as we continue to dive into the all-connected future, and especially as autonomous cars come into the fold. For a fact, self-driving machines will be subjected to endless hacking attempts to exploit the suite of sensor arrays they use to see the world. Everything from the LIDAR units used to judge distance to the wireless network for upcoming vehicle-to-vehicle communications can be reverse-engineered, with enough time and equipment. “There’s never been anything that was unhackable,” Woody quips.
When approached about this story, a Ford spokesperson responded by saying: “[This particular hack] demonstrated a very specific scenario that requires two owner key fobs to be activated within vehicle range during the hack. This exact scenario would affect the owner’s key fob, vehicle locks, and the remote start function. It does not allow the hacker to drive the vehicle or prevent owner access to the vehicle, and a disabled key fob will reactivate once it is inside the vehicle and the owner proceeds to drive. While Ford is making the necessary improvements to eliminate this issue, as a matter of policy, we do not comment publicly about security-related actions.”
While OEMs should be expected to carry the same transparency as software companies like Microsoft (who routinely updates users on Windows security flaws and fixes, for example), we did take note of a recent round of cybersecurity job positions opening up at the Blue Oval, which does indicate a growing effort to get ahead of these issues.
“I like to point out that a Ford is by no means more vulnerable than any other vehicle,” Woody says. “The only thing is because I own a 2019 Ford Raptor, I was able to test it over and over and show all the ways to recreate it. I could get the system to where it’s functional,100-percent normal again—and then find ways to bypass it.” And despite its initial skepticism, he says Ford was quick to respond with a team of staff to understand his hack thoroughly. Only after reporting the vulnerability to Ford and receiving a bug bounty did he go public with the findings.
We’re not intending to fearmonger or sound like Luddites, but as we come into a new decade of increasingly connected and complicated automotive systems—especially autonomous vehicles —we bear a responsibility to know how our vehicles operate behind the scenes and what’s being done (or not done) to protect us from cyber attacks. Two decades ago, everyone who owned a vehicle they cared about bought a steering wheel club or car alarm; it’s that same proactiveness that we’re preaching here.
If you want to watch Woody’s full presentation of the Ford hack, check out this video.