Slashdot Mirror


Car RFID Security System Cracked

jmichaelg writes "The NY Times reports that the security chip in new auto keys has been cracked. A team at Johns Hopkins has found a method to extract the 30-bit crypto key that tells your car that the physical key in the ignition switch is the correct key. Texas Instruments has sold some 150 million security chips that are stored in the car key. The devices are credited with reducing car thefts of some car models by 90%. Stealing a crypto key requires standing next to the victim and broadcasting a series of challenges to the key and capturing the responses. The team claims an iPod-sized device would suffice to steal the crypto key in under a second. They advise wrapping your keys in foil when you're not using them. TI admits the team has cracked their code but denies there's any problem."

9 of 383 comments

  1. Tinfoil hats by Anonymous Coward · · Score: 3, Informative

    You know, I'm starting to wonder if there was something to all those old sci-fi movies and tv shows where the characters were all wearing shiny tinfoil-like clothes. Perhaps in the future we will all be wearing stuff like that to prevent others from wirelessly stealing our keys/wallet/identity, etc.

  2. Interesting point by Saint+Aardvark · · Score: 4, Informative

    Dan Bedore, a spokesman for Ford, said the company had confidence in the technology. "No security device is foolproof," he said, but "it's a very, very effective deterrent" to drive-away theft. "Flatbed trucks are a bigger threat," he said, "and a lot lower tech."

    All you'd have to do is put a towing company logo (or something made-up and likely-looking), and who'd say anything?

    And take your time getting ready to leave, because the very worst that'll happen is that someone'll come back early and bribe you into leaving.

  3. Well.... by Culexus · · Score: 3, Informative

    I worked as a locksmith for a while and getting those keys made is expensive to say the least. Plus you need a transponder machine to encode a key with the correct information. And they don't come cheap. Where I live it's usually over $100 to get a new transponder key made and some dealerships charge around $60-$70 to make you a new one.

    --
    Risk everything, or gain nothing.

  4. Re:Quite so. by spuzzzzzzz · · Score: 4, Informative

    No. They need the RFID chip in addition to the physical key. So they would have to wander through the restaurant, crack the crypto key, fabricate their own and work out which car it belongs to before they could try to steal the car normally. It's just an extra layer of security on top of the normal ignition key.

    --
    Don't you hate meta-sigs?

  5. Re:Quite so. by Mattintosh · · Score: 4, Informative

    Actually, all the ones for the high-end Lexuses are not only a real key, but they're a very secure U-channel design. You can't see the key's cut shape, meaning you can't sneak a picture and cut one later, and it has the RFID-style circuit in addition to that.

    Here's a pic of the u-channel design: http://image.www.rakuten.co.jp/lock/img1039136153.jpeg

  6. Re:30 Bit Key? That's like soooo 1990 by Gordonjcp · · Score: 4, Informative

    self destruct the fuel pump, lock the brakes, disable the transmission, disengage the steering column and take the electrical and computer systems offline

    Sounds like bullshit to me. What does happen is that after a certain number of incorrect codes, the ignition/injection ECU will lock out, usually requiring a special tool to reset. Or, in the case of all BMWs made since 1981, a 6" piece of wire to short two pins for a few seconds.

  7. Corrections: by chaboud · · Score: 4, Informative

    First off, the key doesn't use static from the ignition. Read about this baby that swallowed a key to have that bit set straight.

    Secondly, responding to the parent of this post's parent, a neighbor of mine who owned an Integra Type R (that, it just so happens, was exactly like mine) had his car stolen in under two minutes while mall security guards watched. The monkeys smashed the window, opened up the passenger floorboard, snipped the immobilizer lead, shoved a screwdriver into the ignition, and drove off.

    The very next morning his car was found, minus its motor and expensive bits, rolled over, several times, into a lake. That he didn't have insurance at the time doesn't make the implementation details of immobilizers more or less important. Improperly implemented, these chips are about as potent as Master locks on chicken-wire fences.

  8. New Prius by Soljin · · Score: 3, Informative

    My parents' new Prius has absolutely no ignition at all, just a "Smart Key" that automatically opens the car when it gets within a set distance. And once inside, the key remotely enables a button that you push to start the car. I don't know if it's the same chip but if you could get that code remotely it would make it very easy to steal a 2005 Prius. I mean walk up, open the car, sit and push a button.

  9. Re:The More Appropriate Question... by jmichaelg · · Score: 5, Informative

    The key isn't being broadcast. Here's what happens:

    The chip is an RFID device, which means when it gets close to the reader, the reader sees it. The reader encrypts a string of bits using a crypto key shared by the reader and car key and then broadcasts the encrypted bits. The car key sees the broadcast and decrypts the bits using the same crypto key. It then does something to the bits, i.e., add 5, divide by 8, whatever, and then re-encrypts the result. The encrypted result is broadcast back to the reader, which sees the encrypted result. It decrypts the result and compares it against its version of the result. If they match, then the car starts.

    At no time does the key get broadcast. The attacker just pretends to be the reader and sends several encrypted strings, looks at the results coming back and acts on that information. The attack succeeds because the attacker has access to huge processing power whereas the car key is relying on the power it can suck out of the RFID antenna. The disparity in available power drives what's feasible for the key to do in a short amount of time. If the key were substantially longer, the car key would take considerably longer to decrypt and encrypt, which means you'd put your key in the ignition and nothing would happen while the car key was thinking. Not something most folks would tolerate. The attacker, on the other hand, can take the encrypted bits coming out of the car key and, given enough samples, can just brute force the crypto key.

    I'll bet the next level of security will entail the car supplying the car key with enough power so the embedded chip can crank a bigger crypto key.
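A toy model of the reader/transponder exchange described in comment 9, added here as an illustration; it is not code from the thread, from TI or from any real immobilizer. Truncated HMAC-SHA256 stands in for the proprietary cipher, and the 24-bit reply, 40-bit challenge and `Reader` class are assumptions; the last function shows why the shared key's bit length, not the number of captured exchanges, sets the work an exhaustive search must do.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the thread or from TI: a toy model of the
# reader/transponder exchange described in comment 9. Truncated HMAC-SHA256
# stands in for the proprietary cipher; key and response sizes are parameters.
RESP_BYTES = 3        # 24-bit reply (assumption)
CHALLENGE_BYTES = 5   # 40-bit random challenge (assumption)

def keyed_response(key: bytes, challenge: bytes) -> bytes:
    """Transponder side: derive the reply from the shared key and the challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:RESP_BYTES]

class Reader:
    """Car side: issue a fresh random challenge, then check the reply locally."""

    def __init__(self, shared_key: bytes) -> None:
        self._key = shared_key
        self._pending = b""

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(CHALLENGE_BYTES)
        return self._pending

    def verify(self, response: bytes) -> bool:
        expected = keyed_response(self._key, self._pending)
        return hmac.compare_digest(expected, response)

def legitimate_start(key: bytes) -> bool:
    """Genuine key: answers the reader's challenge using the shared secret."""
    reader = Reader(key)
    return reader.verify(keyed_response(key, reader.challenge()))

def replay_is_rejected(key: bytes) -> bool:
    """A reply captured earlier is stale: each start uses a new random challenge."""
    reader = Reader(key)
    stale = keyed_response(key, reader.challenge())
    reader.challenge()
    return not reader.verify(stale)

def exhaustive_search_trials(challenge: bytes, response: bytes, key_bits: int):
    """Key-length adequacy check: candidates tested, from one observed pair,
    before a toy key of key_bits bits is found. Work grows as 2 ** key_bits."""
    nbytes = (key_bits + 7) // 8
    for candidate in range(1 << key_bits):
        if keyed_response(candidate.to_bytes(nbytes, "big"), challenge) == response:
            return candidate, candidate + 1
    return None, 1 << key_bits
```

Run `exhaustive_search_trials` with a 12-bit toy key to see that a single captured pair is enough and that the cost is bounded only by the key size, which is the thread's argument for a longer key and a powered chip.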