To exploit this vulnerability, an attacker would need to place a device that intercepts the RKE radio signal in close proximity to the target vehicle. In the most common scenario, this would involve placing the device on top of the target vehicle’s windshield. RKE broadcast signal interception is difficult to accomplish, but not impossible. Additionally, the attacker must avoid triggering an alert on the target vehicle’s factory radio. Because the RKE signal is transmitted via FM radio, the attacker must avoid interfering with the signal while it is being broadcast. For example, criminals often position the RKE signal intercepting device within the vehicle, on top of the windshield.

Description of the vulnerability

The vulnerability allows attackers to gain access to the factory radio of a target vehicle and then manipulate it, enabling them complete control over the radio. Once complete control is achieved, an attacker can send commands that could result in information disclosure, corruption of data on the target vehicle’s hard drive, or even gain remote access to the vehicle.
This exploit was first described in a 2007 paper by Bojan Jovanovic and Mike Baur. It has been used by organized crime groups to steal luxury cars as well as provide them with remote control capabilities. This vulnerability has been also been reported by multiple sources within the automotive industry including BMW and Tesla.

RKE Signal Intercept Vulnerability

The process of exploiting this vulnerability is not difficult. An attacker must be within close proximity to the target vehicle, and must avoid triggering an alert on the target vehicle’s factory radio. The attacker must also position the RKE signal intercepting device within the vehicle, on top of the windshield.
Given these limitations, it is unlikely that a real-world attack would be successful. However, if an attacker did successfully exploit this vulnerability and caused the driver to stop driving their car in order to remove the device, they could potentially cause serious injury or death by running them over with their own vehicle.

RKE Broadcast Vulnerability: What Is It and How Does It Work?

RF signals are typically transmitted in the radio spectrum by FM radio stations. These radio waves carry information from the frequency’s transmitter to the receiver, so anyone within range can receive and manipulate that data. The RKE signal is no exception, but it is unique because it transmits a secondary payload of information. This secondary payload of information is a message containing an identifying code related to the car and its owner.
The RKE signal broadcasts this code at a particular frequency, so as long as an attacker is within range and using a compatible device, they can replicate that signal to intercept it at any point between the car and the transmitter. So how does this stun gun exploit this vulnerability? To start, we need to understand how an RF jammer works. An RF jammer uses radiation in order to disrupt or block other transmissions in its area of operation. Basically, there are two types of jammers: active jammers and passive jammers. Active jammers use power to generate radiation; passive jammers do not require power, but instead rely on natural radiation (like sunlight) for their operation. In RF jamming devices like these stun guns, you have one antenna connected to both antennas on your target vehicle’s factory radio with a cable. That antenna sends out a burst of energy which interrupts the RKE broadcast signal being sent out by the car’s factory radio and then captures it for transmission elsewhere if desired.
To avoid triggering alerts on your target vehicle

Timeline

Published on: 08/24/2022 06:15:00 UTC
Last modified on: 08/31/2022 15:41:00 UTC

References