A security researcher called Dale Wooden has discovered a potentially serious security issue with some of Ford’s higher-end cars and trucks that could allow a nefarious user to gain access and control vehicle functions. The Ford key fob hack uses a $300 gadget called a software-defined radio and Wooden says that the device could allow a hacker to unlock a Ford vehicle, interfere with onboard computer systems, and even start the engine.
While the hack Wooden has devised highlights vulnerabilities that Ford may need to address, he is clear that his hack doesn’t deactivate the vehicle immobilizer and therefore isn’t likely to result in stolen vehicles. The Ford key fob hack impacts the key fobs on 2019 Ford F-150 Raptor trucks and 2019 Ford Mustangs, like the 2019 Ford Mustang Bullitt.
Both of those vehicles use a radio frequency in the lower 900MHz spectrum. The hack also works on the 2017 Ford Expedition, which uses a 315MHz frequency. Wooden demonstrates the hack being executed on a 2019 Ford Mustang test car while he stands on the third-floor balcony of a hotel well away from the vehicle. The Ford key fob hack can be executed from any distance as long as the car can receive the key fob signal.
The hack requires the software-defined radio to record the rolling code signal a key fob sends to the car at the moment the owner presses the unlock button. The signal is then replayed from the software-defined radio. Playing back that signal disables the owner’s key fob, which can then no longer lock or unlock the doors or open the trunk.
The hacker then waits for someone to use a second key fob. During the window when a button on that second key fob is pressed, the hacker can replay the signal recorded from the first fob, resetting the counter on that first fob’s rolling code signals to the car. Any signal can then be recorded from Fob 1, giving the ability to use the software-defined radio to lock and unlock the doors, start the engine, open the trunk, and set off the alarm.
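The behavior described above depends on the car accepting an old rolling code and moving a fob's counter backward. As an added illustration (not Wooden's code and not Ford's implementation), here is a simplified, generic model of a receiver that refuses to do either; the HMAC frame format, the 16-press look-ahead window and all names are assumptions made for the example.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead for button presses the car never heard

def frame(key: bytes, fob_id: int, counter: int, cmd: str) -> tuple:
    """Constructed fob frame: (fob_id, counter, cmd, 8-byte MAC)."""
    msg = f"{fob_id}:{counter}:{cmd}".encode()
    return fob_id, counter, cmd, hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Receiver:
    def __init__(self, keys: dict):
        self.keys = keys                       # fob_id -> shared secret
        self.last = {f: 0 for f in keys}       # highest counter accepted per fob
        self.alerts = []                       # (fob_id, seen, last) replay events

    def receive(self, fob_id, counter, cmd, tag) -> bool:
        key = self.keys.get(fob_id)
        if key is None:
            return False
        if not hmac.compare_digest(tag, frame(key, fob_id, counter, cmd)[3]):
            return False                       # not produced by a paired fob
        last = self.last[fob_id]
        if counter <= last:
            # Authentic but stale: a replay. Log it and never roll back.
            self.alerts.append((fob_id, counter, last))
            return False
        if counter > last + WINDOW:
            return False                       # too far ahead: needs re-pairing
        self.last[fob_id] = counter            # counters only ever move forward
        return True

def demo():
    keys = {1: b"constructed-key-fob-1", 2: b"constructed-key-fob-2"}
    rx = Receiver(keys)
    recorded = frame(keys[1], 1, 5, "unlock")  # constructed sample frame
    results = [
        rx.receive(*recorded),                       # genuine press
        rx.receive(*recorded),                       # same frame played back
        rx.receive(*frame(keys[2], 2, 3, "unlock")), # second fob in use
        rx.receive(*recorded),                       # playback during fob 2 use
        rx.receive(*frame(keys[1], 1, 6, "lock")),   # fob 1 still in sync
    ]
    return results, rx.last, rx.alerts

if __name__ == "__main__":
    print(demo())
```

Each entry in `alerts` is an authentic frame with a stale counter, which is the event a vehicle or a test bench would log as a replay attempt.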
A non-functioning fob is the best tip-off that your car has been hacked with this technique, which can be automated, says Wooden. Ford has stated that it doesn’t comment on the actions it is taking to ensure security. Wooden says Ford was very slow to respond when he notified it of the vulnerability.