The ignition keys with a chip to unlock the cars would be easily hackable. This is the observation made by researchers from the universities of Birmingham and KU Leven, who were able to easily make clones.

Today, if the vast majority of vehicles in circulation are equipped with contactless starting systems, there are still cars with mechanical ignition keys incorporating a chip. They allow unlocking and deactivation of the immobilizer. Yes but here, these keys would be victims of a security flaw located at the level of the encryption of the immobilizer system.

Previously, owners had to (this is still true today) guard against pirating radio waves emitted by contactless keys, but today hackers have found a way to attack the immobilizer system himself. This is not a thriller or yet another installment of Fast & Furious . This security flaw was identified thanks to the joint work of researchers from the universities of KU Leven (Belgium) and Birmingham (United Kingdom).

Researchers have highlighted this flaw discovered on Toyota, Hyundai and Kia vehicles, as well as Tesla (Model S). Following these revelations, the Californian manufacturer knew how to react quickly by carrying out an update from a distance, thus blocking any possible attack.

RFID reader and screwdriver

To clone the key, you must have an RFID reader / transmitter placed near (1 to 2 cm) from the keychain in question in order to digitize it and recover the “encryption key” allowing you to deceive the anti -start-up. But in no case will the car be able to start without the traditional ignition key. To get around this problem, nothing could be simpler: just act the old-fashioned way, namely with a good screwdriver in the barrel or by wiring the ignition system wires.

In order to discover the origin of the flaw, academics sought to understand how the immobilizer system interacted with the key chains. They did their shopping in the largest market in the world, eBay, where they purchased lots and various electronic immobilizers. The researchers looked at the micro-software by practicing reverse engineering . They realized that the encryption system, dubbed DST80, was signed by Texas Instruments. This uses an 80-bit encryption key. However, the Hyundai and Kia encryption system is based on 24-bit. As for Toyota, its encryption key is none other than the vehicle’s serial number! For Flavio Garcia, one of the researchers at the University of Birmingham, security is reduced to what it was in the 1980s .

At Toyota, despite the recognition of this vulnerability, we seem to want to minimize it. The manufacturer believes that the technique developed by the two universities is not as easy to implement as that of “relay” attacks which consist in hacking and extending the radio signal of contactless keys, even through the walls of ‘a house. There are countless videos available on YouTube with car thieves scanning the walls of a house in search of the radio signal from the contactless key of the targeted vehicle.

In its defense, Toyota states that this vulnerability poses a low risk to customers, since the methodology requires both access to the physical key and to a highly specialized device, which is not commonly available on the market . To which the researchers replied in the negative, explaining that the equipment necessary for their research was readily available – Toyota underestimates the ingenuity of car thieves, always at the cutting edge of progress. The Japanese manufacturer added that this flaw concerned old models and that the new ones “had a different configuration” .

Return to compulsory concessions

If Kia and Texas Instruments did not wish to communicate, Hyundai said that the models pointed out (i10, i20 and i40) were not sold in the United States. However, they are in Europe…

As for a patch to download, the researchers said that the vehicles studied had no possibility of being repaired, with the exception of those produced by Tesla. The best thing is that their owners go to the dealership for reprogramming with the risk of having to replace the faulty keychain. Wired magazine, which revealed the study, says it contacted the automakers cited, but to no avail.

For those who would like to reproduce the work of academics, they have not taken the risk of publishing them in their entirety, leaving some blanks here and there. Not sure that this protection curbs the “least ethical”hackers, concludes Wired .


This is not the first case of contact key piracy. Already in 2012, a study by a Dutch university showed a security flaw affecting the ignition keys of vehicles belonging to the Volkswagen group. At the time, the German manufacturer had lodged an application with the high court of justice of England and Wales (EWHC), requesting the prohibition of this study on the grounds that it could have encouraged potential thieves to steal millions of Volkswagen cars. Finally, the German had agreed to lift the ban on publication of the report, on the condition that it did not mention the algorithm allowing the pirated chip to be hacked.