mobile-menu-icon
Ford Authority

Security Researcher Discovers New Ford Key Fob Hack

A security researcher called Dale Wooden has discovered a potentially serious security issue with some of Ford’s higher-end cars and trucks that could allow a nefarious user to gain access and control vehicle functions. The Ford key fob hack uses a $300 gadget called a software-defined radio and Wooden says that the device could allow a hacker to unlock a Ford vehicle, interfere with onboard computer systems, and even start the engine.

While the hack Wooden has devised highlights vulnerabilities that Ford may need to address, he is clear that his hack doesn’t deactivate the vehicle immobilizer and therefore isn’t likely to result in stolen vehicles. The Ford key fob hack impacts the key fobs on 2019 Ford F-150 Raptor trucks and 2019 Ford Mustangs, like the 2019 Ford Mustang Bullitt.

Both of those vehicles use radio frequency in the lower 900MHz spectrum. The hack also works on the 2017 Ford Expedition that uses 315MHz frequency. Wooden demonstrates the hack being executed on a 2019 Ford Mustang test car while he stands on the third-floor balcony of a hotel well away from the vehicle. The Ford key fob hack can be executed from any distance as long as the car can receive the key fob signal.

The hack required the software-defined radio to record the rolling code signal a key fob sends to the car during the moment the owner presses the unlock button. The signal is then replayed from the software-defined radio. By playing back that signal the owner’s key fob is disabled and can’t lock or unlock doors or open the trunk.

The hacker then waits for someone to use a second key fob. During the window when a button on that second keyfob is pressed, the hacker can replay the signal recorded from the first fob resetting the counter on that first fob’s rolling code signals to the car. Any signal can then be recorded from Fob 1 giving the ability to use the software-defined radio to lock and unlock the doors, start the engine, open the trunk, and set off the alarm.

A non-functioning fob is the best tip off your car has been hacked with this technique, which can be automated, says Wooden. Ford has stated it doesn’t make comments on actions it’s taking to ensure security. Wooden says Ford was very slow to respond when he notified it of the vulnerability.

Subscribe to Ford Authority for around-the-clock Ford news coverage.

Source: The Parallax

Shane is a car guy with a fondness for Mustangs and off-roading.

Subscribe to Ford Authority

For around-the-clock Ford news coverage

We'll send you one email per day with the latest Ford updates. It's totally free.

Comments

  1. Without knowing more specifics on the methodology employed in the Ford 2019 vehicle hack ability it seems quite a stretch to successfully perform all the steps described without camping out in view of the target vehicle. Also given the list of manufacturers that use the same or similar fob functions, why just pick on Ford, as if they are the only people using the sub 900MHz spectrum? I think my iPhone and credit cards are easier targets plus once the info is stolen is easier to use than stealing a car with all the trackable anti theft devices installed…just saying!

    Reply
    1. I am the researcher. It’s is actually very easy to do and we have automated it where the collection and deployment can be done with a Raspberry pi or any computer. The range for the new 900mhz band means the attack can be done from over 200 yards. That means in a parking garage, apartment or house complex would be a prime target. There are some other issues as well we are not releasing. With all that being said Ford did a good job stopping traditional replay attacks. I like my Ford and will continue to use it. The key is knowing if the attack is used against you and that it’s possible. There is a video on line showing me do it from 1000yds away on 3rd floor of a hotel.

      Reply
      1. Let me correct that 100yds.

        Reply
  2. I have a physical key and a door mounted keypad to unlock my Fusion Hybrid. I use the door pad more than the fob to reduce its power usage. I can unlock the trunk from the door pad. I can also lock the car with the door pad or the internal lock button, too. I only need the fob near the ignition switch to start it up.

    Reply
  3. I love my Raptor and think Ford made a great attempt to stop replay attacks. Their technical just has a flaw. It’s difficult to stop every attack.

    Reply
  4. Reply
  5. Hi Woody thank you for posting information on SDR attacks. I work at GM and have a Ford F150 w/ remote start and jealous creeps have been doing this to me nearly 2 years now. Especially when winter arrives. I was suspect something if this nature was occurring. How can I prevent them from doing this and will I still be able to use remote start in winter?

    Reply

Leave a comment

Cancel