Vulnerability analysis in RF locking systems of vehicles in Bogotá, Colombia

Received May 5, 2020 Revised Feb 1, 2021 Accepted Feb 18, 2021 A car electronic security system aims to prevent its theft, the theft of its parts or of elements in its interior. Studying these systems allows identifying and mitigating vulnerabilities. Nowadays, there are different types of attacks on these systems to exploit their vulnerabilities, such as replay, relay, brute-force or jamming attacks, among others. In the last five years in Bogotá, Colombia, the average number of stolen vehicles was 3,073 per year. This research project proposes the detection of vulnerabilities in the security system of vehicles in this city. A sample of 43 vehicles of different brands sold and registered in the city is taken. The replay attack was executed, as well as a modification of the brute-force attack. Results show that most of the implemented security systems in Bogotá are susceptible of being successfully attacked through the proposed methods. The analysis done on the brute-force attack highlights a considerable reduction in time for unlocking the vehicle compared to the conventional attack in more vulnerable RKE systems. Replay attacks turn successful in great part of the sample and, furthermore, it is concluded that the unlocking key code can be generated from the locking one.


INTRODUCTION
Implementation of security systems in motor vehicles has always been present, whether it is through mechanical systems or complex electronic systems. Manufacturers develop security mechanisms to avoid car theft, the theft of its parts or of elements in its interior. In Bogotá, Colombia, motor car theft daily affects owners according to data delivered by the National Police. Most thefts occur when users park their vehicles on the street, on parking bays, in front of their homes, or in public car parks. In the last five years in Bogotá, the average number of stolen vehicles was 3,073 per year [1]. The most affected city localities were Kennedy and Puente Aranda, specifically in the neighbourhoods of Kennedy Central, Galán, Patio Bonito, Castilla, and Tintal. The highest theft frequency is between July and September, and the preferred colour by delinquents is white. The most appealing motor vehicles for theft are luxury vehicles, followed by SUVs, 4WD vehicles, and trucks [2]. There are different motor vehicle theft methods and delinquents are always looking for new techniques, so as not to be detected. In this sense, vulnerabilities in the electronic security systems of vehicles of different brands are currently made evident. These vulnerabilities are exposed in different scientific articles and lately, on blogs and videos. The most popular types of attack to exploit these vulnerabilities are replay, relay and brute-force attacks. Replay attacks consist in storing the radiofrequency (RF) signal sent by the system key to do the ulterior retransmission, and thus, have access to the vehicle [3]. Relay attacks generally involve two people working together. One is next to the vehicle, while the other is near the key. The interchange of messages between the real key and the vehicle is given by the two individuals carrying out the attack, since they set a channel of communication that is strange to the system. The control unit does not identify that the real key is in a remote place [4]. There is another type of attack called brute-force that generates all possible keys for the security systems until there is a match and unlocks the vehicle [5]. From a technical point of view, the security mechanisms for vehicles imply the direct use of alarms, which are considered security systems capable of alerting some abnormal state that may be present in the vehicle, whether it is forcing of handles or bumps on the surface. Traditionally, accessing and starting a motor vehicle is done through a physical key to unlock the door and the starting systems; however, the door and alarm unlock systems by RF have become popular and have evolved with different brands and models of vehicles. Among these systems, to highlight some, there are PKES (Passive Keys Entry and Start) and RKE (Remote Keyless Entry) systems. The RKE systems are designed for the owner to press a button to lock and unlock the vehicle and the PKES ones normally do not require any action by the user for unlocking [6]. The purpose for each system is to constantly be improved and to evaluate its proper functioning to identify flaws that allow refinement; vehicle security systems are no exception. From the point of view of informatics security, specifically the ethical hacking branch, it is defined that attacks can be used as a tool to identify these vulnerabilities and to work in favour of mitigating or eliminating them. The exploitation of vulnerabilities present in the security systems requires intrusion tests that help to verify and evaluate the physical and logical security of the information systems [7].
In the present work, the research is focused on developing attacks and identifying flaws to mitigate them, which is commonly called white hat hacking [8]. This project shows the reality of electronic security systems for the most used vehicles in Bogotá, and experimentally exposes different vulnerabilities in a study that involves types of systems, brands, and models. The use of SDR (software-defined radio) devices has become popular lately, and it is an accessible technology nowadays. Its main feature is the possibility to reconfigure the implementation of RF systems. This article exposes vehicle security system vulnerabilities at a specific location by using SDR technology in two types of attacks. These vulnerabilities can be more highly exploited due to the easy acquisition of SDR platforms and the lack of sophisticated security systems in common vehicles. This situation can be common in different countries with similar socioeconomic features from this region, given the fact that brands and providers are the same. This article also presents a reverse engineering analysis that allows reducing times in a brute-force attack for RKE systems with fixed code technology.
There are many proposed research projects that evaluate the possible attacks to which security systems of vehicles are exposed; hereunder, the most relevant projects that contribute to the structure of the current one will be highlighted. In [9], a study was done on the attacks to the PKES system in high-end vehicles. The attack was intended to access, start, and drive the vehicle away, by means of the retransmission of RF messages between the car and the key. Tests were made in 10 vehicles of 8 different manufactures concluding that the attack was 90% successful and the remaining 10% could not be executed due to robustness of the security systems. In [10], an analysis of vulnerabilities in the car keys is proposed based on the Hitag2 mechanism. The objective is to program a key fob and to carry out the extraction of the code, so that later, by means of a transponder, the code of the key can be imitated, and thus, be used to open the vehicle. This analysis was done in 8 vehicles, and it determined the possibility of recovering the secret key code sent by the alarm control unit of the vehicle once it is locked or unlocked.
In [11], a strategy attack is carried out, which is called jam-listen-and-replay or replay attack. This attack requires the transmission of interference and a recorder of signals; the attack is evaluated with six models of vehicles, thus exposing the vulnerabilities presented by these systems, and it is concluded that the solution for keyless remote systems cannot be dimmed safe. In [12], PKES systems are analysed in high-end vehicles and it is revealed that systems are based on a 40-bit encryption for starting and unlocking. It is concluded that these systems are vulnerable to relay attacks, in addition to not performing mutual authentication to unlock the vehicle. In [13], a Hitag2 attack is presented which allows recovering the encrypted key of a vehicle, and thus, the cloning of its remote control. This attack was tested in 17 cars from 8 manufactures and it was successful in 100% of the cases. In [14] and evaluation of 2 attacks is done: Jam-listen-and-replay on the RKE and PKES systems; an Android app was developed to detect the presence of a strong constant signal to a determined frequency. It is concluded that it is easy to detect signals from an alarm control unit through low-cost SDR devices. In [15], the recording of a signal and then its transmission to unlock a vehicle are proposed, without having access to the real code; the tests were done with 6 brands of cars that work at different frequencies. It is concluded that the signals sent by the control unit of the vehicle are within reach of anyone when carrying out a replay attack and that it is possible to capture and transmit them again. In [16], attacks with Hitag2 are studied to identify weaknesses of an alarm encryption, by executing three practical attacks that recover the secret key code using wireless communication. This attack was made with more than 20 vehicles from multiple brands and models, finding thus, several weaknesses within the systems.
Different research projects revealed some of the technologies and hardware used for making the attacks. In [17], a transceiver system based on RTL is studied, a hardware that includes an RF mixer and a USRP. A cost evaluation is done between these devices to carry out a reception and transmission of radio signals. It is concluded that the proposed method that uses the RF and RTL-SDR mixer is the best for the transmission and reception of signals due to its low cost in comparison to the USRP. In [18], the evaluation of the low-cost RTL-SDR dongle is done through GNU-Radio and SDR. Coding of digital signal processing (DSP) algorithms is studied to process radio signals coming from any type of device over the frequency range of 57 kHz to 92.9 Mhz. The facility to listen to, capture and transmit radio signals with any SDR device is determined.
On the other hand, from the studies oriented towards detecting and mitigating attacks in motor vehicles the following can be underlined: In [19], a vehicle security system is presented through GSM/GPRS networks for the control and monitoring of the vehicle. The system, by means of a call to the vehicle phone number, can control it and activate or deactivate the alarm, open and close the locks, start and stop the vehicle, turn on and off the air-conditioning, open the hood and the trunk, and also, request information of the vehicle physical variables such as temperature, gas and oil levels. The car status information is sent via text messages to the user's mobile phone. In [20] an analysis of vulnerabilities is done via wireless technology applied in vehicles in Guayaquil, Ecuador. Through simulation, the vehicle central computer is emulated to develop hacking tests using CAN-BUS networks. It is concluded that it is possible to hack the central computer by means of these networks, and a proposal is made to solve the detected vulnerabilities through a Link Management Protocol (LMP) algorithm. In [21], a detection method of a relay attack in vehicles is proposed by means of the intensity of an RF signal. The method allows, through the intensity of the signal, to deduce if the receiving signal belongs to the car control unit or if it is the retransmission of one of the attackers' device.
Once the theoretical exploration is performed, vulnerabilities were detected in most of the vehicle security systems, which can be exploited through attacks such as replay, relay, signal jamming, and brute-force ones. This research project proposes the detection of vulnerabilities in the security systems of 43 vehicles of different brands, sold and registered in the city of Bogotá between 2000 and 2019. The replay attack is proposed, as well as a modification to the brute-force one. This modification is presented from the analysis of known security system encryption in vehicles from different manufacturers. The implemented brute-force attack allows a reduction of substantial time in the unlocking of a vehicle compared to the brute-force attack using all possible combinations for the number of bits of a code. For the execution of the attacks, the low-cost software-defined radio (SDR) HackRF One platform and the GNURadio software are used. Two scenarios are proposed in which the SDR system is used to capture, replicate, or generate the RF signals with which the attacks are made in the operation frequency of the key fob. The SDR system consists of the SDR platform and a PC. The type of blocking system, the key code number of bits, and the carrier modulation, encryption and frequency were analysed, and the attacks algorithms were implemented. The geographical limitation of the study reveals average situations of the region that make these kinds of attacks prevail even today.
This article is initially organised with a state of the art that confirms the importance of evaluating the vulnerabilities within these security systems. The second section presents a theoretical contextualization of security systems in vehicles, exiting attacks, SDR, among others. The third and fourth section present the proposed scenarios and the analysis of obtained results, respectively. Finally, conclusions on the executed attacks are presented.

RESEARCH METHOD -THEORETICAL CONTEXTUALIZATION 2.1 Theoretical contextualization on alarms
An alarm is considered a system capable of alerting and announcing the change of an abnormal state presented in any setting. In a vehicle, it is an electronic security device considered as an audible system capable of alerting cases such as: forcing of doors, tilting or sudden movement, breakage of glass, among others. Accessing and starting a vehicle is done by means of a physical key and a control command system (alarm) which enables unlocking the door lock system and the starting of the vehicle. However, alarm and door locking unlocking systems through RF have become popular. Alarms in vehicles enable the detection of the signal by means of RF sensors and send the signal to the alarm central kernel, which analyses the signal, identifies its authenticity, and suspends the car security elements. Alarms have average ranges of 10 to 20 m when unlocking a vehicle, and they have operation frequencies of 315, 370, and 434 MHz. As time progresses, alarms have evolved in line with different brands and models of vehicles in the market. Two security systems can be found in vehicles: PKES and RKE. RKE are electronic access systems that can be controlled in the distance. PKES are systems that work automatically when the user is near the vehicle. They unlock the door when the user is coming closer or when the door handle is pulled and lock it when the user walks away or touches the vehicle when exiting. Table 1  • The module within the vehicle continually sends encrypted messages.
• If the control unit is within range, it responds.
• If encrypted messages are correct, the vehicle and key fob identify each other, and the door opens.
• It always uses different codes avoiding replay attacks.

RKE
• The user who holds the device presses a button to lock or unlock.
• This system operates at 315 MHz for vehicles manufactured in North America.
• It operates at 433,92 MHz for European, Japanese, and Asian vehicles.
• It enables controlling the car starting systems, the security alarm, horn, lights, and trunk.

Alarm systems
Alarm systems are passive security elements capable of warning about possible issues or abnormal situations, thus fulfilling a deterrent function. These systems are composed of one or more sensors connected to an alarm horn. Most systems have door, movement, tilting and vibration sensors, and a horn and radiofrequency receiver to enable wireless control. The main components for a vehicle alarm system can be seen in Figure

Types of Attacks
An attack consists in taking advantage of a system or software vulnerability, to obtain some sort of benefit; for a vehicle security system, an attack is considered when a person takes advantage of a weakness or flaw in the software or hardware to be able to steal it or to steal belongings within it. Among attacks to the electronic system of a vehicle the following can be underlined [23]: • Replay Attack: In this type of attack, the attacker takes the content of the message, it means, the signal sent by the alarm control unit, and stores it to subsequently perform the retransmission of the information and thus, have access to the vehicle. Afterwards, the attacker can make use of the obtained information at any moment [3]. • Relay Attack: It is done to vehicles equipped with smart keys. To execute the attack, a receiver and a transmitter that mutually amplify signals are needed; the transmitter must be located as close as possible to the vehicle, and the receiver must be located at 8 meters or less from the alarm control unit. The attack can be successful because the vehicle detects the signal that was replicated from the owner's original key. [4] • Signal Jamming Attack (Master Key): This attack requires a control unit identical to that of the owner of the car to deactivate the alarm and have access to it; in some cases, this control unit also works as a starting key. With this device the security system circuit is altered and there is no need for physical forcing of the vehicle [24].

SDR (Software-Defined Radio)
SDR is defined as: "Radio in which some or all functions of the physical layer are defined by software". It is defined as a collection of hardware and software technologies where the operative functions of the radio are implemented by modifiable software or firmware that works with programmable processing technologies. These devices include FPGA, DSP, General Purpose Processor (GPP), System on a Chip (SoC), and specific programmable applications. The use of these technologies enables adding new capabilities and wireless functions to the existing radio systems without requiring new hardware. [25] The most common SDR platforms are USRP, RTL, and HackRF One. The latter provides the same functions as the USRP but at a low cost. Both USRP and HackRF can transmit or receive radio signals in the range from 1 MHz to 6 GHz. HackRF One is an open-source hardware platform that can be used as a USB peripheral or can be programmed for standalone operation. [26]

EXPERIMENTAL DESIGN AND SIGNAL ANALYSIS 3.1 Proposed Scenarios
Two scenarios are proposed to detect and exploit vulnerabilities in RF key fob security systems. In both scenarios, an SDR system is used to capture or generate the RF signals with which attacks are performed on the key fob frequency operation. The SDR system consists of the SDR platform and a computer. Table 2 shows the technical characteristics of the equipment used for both scenarios.

Vehicle
• To execute the attacks, 43 vehicles were chosen from models between 1998 to 2019. Their characteristics are random since they vary depending on the model of each one of them.

Scenario Characteristics
• Scenario 1: Key fob (Its characteristics are random since they vary depending on model and manufacturer) • Sample Frequency: 2Msps • Carrier Frequency: 315MHz, 370MHz, or 443MHz The first scenario is shown in Figure 2. In this scenario, the signal is generated by the key fob that normally controls access and locking of the vehicle. The SDR system works as a passive signal receiver that crosses the environment freely and unrestrictedly. The attack consists in retransmitting the signal captured by means of the SDR platform, cheating the security system into believing it is the real key fob transmission to accomplish its deactivation. The signal is retransmitted using the same SDR platform used for the capture (it is also possible to use one of similar characteristics). This attack is known as "Replay Attack". The software used for capturing, storing, and retransmitting the signal is called GNURadio. The distance between devices (PC and HackRF One) and the vehicle depends on the space where the car is located to carry out the execution of the proposed scenario.  Figure 3 shows the second proposed scenario. In this scenario, there is no available key fob to generate the RF signal that opens the vehicle. In this case, it starts from knowing the signal that must be transmitted. It is necessary to know the type of locking system, the number of bits in the key code, modulation, encryption, and carrier frequency. The main principle is the implementation of an algorithm to generate passwords through a binary counter. These passwords are encoded, modulated, and transmitted with characteristics of a real signal using the SDR platform. This attack is known as "Brute-Force Attack" and seeks to generate all possible passwords for the security system until there is a match and the car is unlocked. The generation and transmission of signals were carried out through the GNURadio software. To know the unlocking signals of an RKE-type security system, the received signal from a real system key fob was analysed using Matlab.

Attack Execution, Processing and Analysis 3.2.1 Replay Attack
A replay attack is executed in two parts. The first part is storage, for which the block diagram of Figure 4 is defined and implemented through GNURadio. This allows storing the signal sent by the RF key fob that travels freely through the air. The "Osmocom Source" block is used to configure the HackRF parameters. The "Ch0: Frequency (Hz)" parameter configures the main oscillator frequency; this frequency can vary depending on the security system key fob that is being analysed. The "Sample Rate (SPS)" parameter is used to configure the sample frequency, and, for practical effects, it is equivalent to the bandwidth of the received signal due to the SDR device IQ configuration. The RF and IF gain is configured to maximum values to obtain a good signal level at a greater distance. The "File Sink" block enables storing the received signal in a complex format (IQ). The signal is stored without any modification. The "QT GUI Sink" block processes the signal through FFT (Fast Fourier Transform) and presents the result in a graphical user interface. Figure 4 shows how the signal from a key that works in a frequency close to 370 MHz is stored. The spectrum delivered by this block diagram is shown in Figure 5. In the central spectrum frequency (369.5 MHz), an undesired peak generated by the SDR platform is observed. This peak is the result of the mixing process in the RF stage of the HackRF platform. The highest observed peak in the spectrum is the signal in frequency transmitted by the key fob. If the local oscillator is tuned at the same key frequency, interference is generated between the two peaks and it is possible that the attack fails due to decrease of the signal quality. For this reason, the local oscillator is configured under the transmission frequency of the key fob. The second part of the attack consists in transmitting the stored signal. The block diagram in Figure  6 shows how the stored signal transmission is done. The program consists of 2 blocks; the first block, "File Source", reads the signal stored in a complex format and delivers it to the "Osmocom Sink" block. The latter is configured with the same parameters from Figure 4. The execution of this block diagram enables the transmission of the stored signal coming from the security system key fob. In this sense, the vehicle receiving system obtains the same signal that would be transmitted by the original key.

3.2.2
Brute-Force Attack For the execution of the brute-force attack, two tests were carried out. This attack is based on the analysis of the signal transmitted by the security system key fob. The signal was analysed using Matlab. Figure  7 shows a baseband signal into the time domain. The acquisition of the signal was performed under similar conditions as in Figure 5.   Figure 8, the coding of each bit and the blank spaces are also detailed. Each of the 25 bits is coded and modulated in ASK as shown in Figure 9. The coding of a "1" is a sequence of three high levels and one low level. The coding of a "0" is a sequence of one high level and three low levels. Each level (high or low) has a duration of 330µs, which is equivalent to 660 samples if a sampling rate of 2 Msps is used as in this case. A blank space "B" is equivalent to 6-bit time. Each of these spaces equivalent to one bit is coded with a sequence of four levels in low (L), that is 24 L for each "B". = × + × (2) Where is the number of samples of the key, + is the number of bits of the sequence "A" plus the equivalent bits of the blank sequence "B", and NR is the number of repetitions of sequences "A" and "B" together. For this case, = 660 , + = 31 bits y = 8, therefore, = 654,729 , considering a "B" at the end of the frame in Figure 8. The duration of the key can be found using Equation 3.

= (3)
Where is the sampling frequency: In this case, = 0.32736 . This last time is the same it would take for an SDR system to generate a key in a brute-force attack. If a 25-bit counter is used to generate consecutive keys, the maximum worst-case attack time can be calculated from Equation 4.

= × 2 (4)
For Equation 4, is the maximum execution time of the attack and is the number of bits in the key. Solving the equation for the 25-bit key gives a maximum attack execution time of 10,984,378s or 127.13 days. The total number of keys generated is 2 = 33,554,432. Figure 10 illustrates the flowchart of the program developed to execute the brute-force attack. The program uses a 25-bit counter as a key generator; each count represents a testing "A" key. The counter passes through a parallel-to-serial converter to achieve the bit-by-bit transmission. Each bit is coded as shown in Figure 9; after the transmission of the last bit, a blank space "B" is generated. The red signal shown in Figure 11 was generated with a counter value started with the code of a testing vehicle and without subsequent counter increment. Figure 11 shows the generated signal vs. the original stored signal from the testing vehicle. The times meet the analysis described in this section. To test the brute-force attack, a counter was started 50 values behind the key value of the testing vehicle, and it was increased to 50 values afterwards. The counter is incremented by leaving only a "B" space between the end of a key and the beginning of another. When the attack is executed, the vehicle does not open; however, when the counter passes the correct key, the security system makes a particular sound. Subsequently, by performing the same experiment, the time space between each key was increased before the counter increment. Each test increments an additional "B" space at the end of the key, and it is maintained for the 100 iterations. At the end, the vehicle is unlocked with 25 "B" spaces as shown in Figure 12. The 25 repetitions of "B" form a "C" sequence. can be obtained, which is = 17,628,156 or 204.02 days using all possible combinations. Performing this attack ensures that the vehicle will be unlocked when the keys match. Nonetheless, a long-time attack as such is not practical.

RESULTS AND DISCUSSION 4.1 Replay Attack
The replay attack was executed in different vehicles like those shown in Figures 13 and 14. In these Figures, the real scenario of the assembly displayed in Figure 2 appears.  Table 3 shows the results of the attack and some basic characteristics of the security system for 43 different models of -randomly selected-vehicles registered in the city of Bogotá. The vehicles shaded in blue have a security system that uses a technique called "rolling code", with which the transmitter and receiver generate identical pseudo-random keys based on the same seed. When the key is afar, it may generate codes that the receiver cannot collect; to solve this problem, the receiver (in the vehicle) generates the next 256 keys and accepts any of them in that range, as long as it does not repeat. To execute the attack in this type of vehicle, one or more key signals are stored away from the receiver, where it has no coverage, more than 10 m in practice. After a successful execution of a stored key, it can no longer be used to open the vehicle again. If several keys are stored, each one can only once be used to open the vehicle; under these conditions, the attack works.  Once the attack was carried out, it was determined that 39 from the 43 vehicles managed to be unlocked, which is equivalent to 90.69% of the total samples. The 51.16% of vehicles (22) are opened simply by retransmitting the key signal without any additional conditions. The 39.53% of all vehicles (17) have a "rolling code" technique coding system and are opened with the condition described above. The remaining vehicles have the particularity that the type of security system is PKES. The latter type of security system is more robust and cannot be unlocked through this attack. In this type of system, when the stored signal is replicated, the vehicle is locked during some time and the owner must carry out a procedure to unlock it; at this point, it is vulnerable to the theft of its belongings in the case of being approached by criminals.

Brute-Force Attack
The execution of this type of attack as described in section 3.2.2 is only possible for the 22 vehicles in Table 3, which support the replay attack without any conditions because they do not have an additional coding; however, as mentioned before, the execution of the attack is not viable from a temporary point of view. Based on this impediment, an analysis of the codes provided by each key fob was performed, considering the brand and model of each vehicle, to determine any possible relationship between them. The 22 vehicles were grouped into 4 brands which were named W, X, Y, and Z, corresponding to 4 of the most representative manufacturers in the market at a national level; the letters are used instead of the manufacturers' own names.  4 sets out the convention for showing coincidence in the least significant bits of two or more codes within the same brand. Yellow, for example, indicates a match in bit 3, in addition to the three fixed bits mentioned above. So, if it is yellow with dashes, it indicates that the coincidence in bit 3 is matched at "1", and if it is yellow without dashes, it indicates that bit 3 is matched at "0". Table 4 Bits 0-7 Bits 0-8 Table 5 establishes the convention for showing coincidence in the most significant bits of two or more codes within the same brand. For the convention handled in the most significant bits, green represents coincidences of 2 or 3 bits, but it can vary with dashes, dots, or other for different matching combinations in the 3 bits.   In Table 6, additionally to the coincidences per column, there is a coincidence in the least significant bits depending on the model of the vehicle. In the vehicles of models 2011 and 2012, there is a match in the 7 least significant bits; therefore, if we add the match in the bits from 13 to 15, we have a total of 10 matching bits. It decreases to 0.199 days (4.78 hours). The same happens with the vehicles of models 2014 and 2015, with a variation in the value of bits 3, 5, and 6. In addition to this, there is also a match in the 3 most significant bits, having a total of 13 matching bits in those years. For the latter case, would go down to 0.024 days (0.5977 hours). For the vehicle of model 2019, the maximum coincidence is 8 bits.   Table 7 is the one with most coincidences per column, with a total of 9. With 9 fixed bits, the time is reduced to 0.3984 days (9.563 hours). Besides, additional coincidences can be made in bit 6 and bits 20, 22, and 23, depending on the model of the vehicle.     Table 9 is the one with the fewest number of coincidences. Nonetheless, it maintains 7 columns with fixed values.   Table 10 shows the decrease of the maximum execution time from the brute-force attack TMA due to fixed or matching values within the keys. Brands W, Y, and Z have at least 7 coincidences, and the brand X has at least 9. These coincidences may increase depending on the model of the vehicle; therefore, it can be up to 13 known or fixed bits within a key. In Table 10, only fixed bits by columns for the different brands are shown.

CONCLUSIONS
From this research project, it is concluded that the security systems implemented in a large part of the vehicles in Bogotá are susceptible to successful attacks using the proposed methods. It is evidenced that vehicles sold in recent years have vulnerable security systems and, in many cases, with weak technologies. This may come as a result of the final cost of the vehicle, which is affected by the implementation of a more modern security system, apart from other accessories; this fact may influence purchase decisions. Table 3 shows that even vehicles sold in recent years -such as 2018 or 2019-have the most vulnerable security systems (although there are exceptions). This situation could be more alarming if we consider that the useful life of a vehicle in Colombia can be longer than 20 years, unlike other countries, where a vehicle fleet is more frequently renewed. The latter implies that the vehicle may be vulnerable to theft of belongings left inside it when it is no longer attractive to be completely stolen. On the other hand, it is concluded that, from the analysis, the brand and model of the most vulnerable RKE systems allow to carry out brute-force attacks in just few hours, only in case there is no possibility to carry out a replay attack first. Furthermore, such attack can be used in a place with a high density of vehicles and when executed, one or more vehicles can be opened. It is worth mentioning that in Bogotá, the model of a vehicle can be deduced from its license plate.
Regarding replay attacks, it can be concluded that they are not 100% effective, because, in the analysed sample, 4 vehicles have PKES systems that do not allow this type of attack. However, in the reviewed literature, vulnerabilities in relation to other types of attacks are evident. To execute a replay attack in its basic form, it is necessary for the user to press the unblocking button, so the signal can be stored and later retransmitted. Concerning the latter, an important conclusion is that the unlocking code can be generated from the locking one. In the tests performed on the 22 vehicles to which replay attacks could be applied unconditionally, it became clear that the locking code only differs from the unlocking one in the last three bits. Therefore, by using the signal generation method discussed in section 3.2.2, it is possible to generate the unlocking signal from the locking one. On the other hand, for the replay attack, there are 17 vehicles that use the "rolling code" technique and have the condition that the signal must be stored away from the vehicle coverage and will work only once. In theory, this would not represent a vulnerability if the owner of the vehicle always carries the keys; however, there can be several situations in which the owner can be separated from them. For example, in many car parks in Bogotá, it is required to leave the car keys there to park more vehicles in available spaces. Also, many others have valet parking service, just to mention some cases.
Although replay and brute-force attacks are widely known, SDR platforms are used to implement them in this article. Additionally, a reverse engineering method on RKE systems with fixed code technology is presented. On the other hand, a discussion regarding more vulnerabilities in vehicles depending on the research location is promoted.