Slashdot Mirror
Car RFID Security System Cracked
jmichaelg writes "The NY Times reports that the security chip in new auto keys has been cracked. A team at Johns Hopkins have found a method to extract the 30 bit crypto key that tells your car that the physical key in the ignition switch is the correct key. Texas Instruments has sold some 150 million security chips that are stored in the car key. The devices are credited with reducing car thefts of some car models by 90%. Stealing a crypto key requires standing next to the victim and broadcasting a series of challenges to the key and capturing the responses. The team claims an iPod-sized device would suffice to steal the crypto key in under a second. They advise wrapping your keys in foil when you're not using them. TI admits the team has cracked their code but denies there's any problem."
Where I live it's usually over a $100 to get a new transponder key made and some dealerships charge around $60-$70 to make you a new one.
If you don't loose your keys, you can save a bunch of money. Blanks are easy to find on the Internet. I have a Prius. Blanks were about $20 each. This is much cheaper than what the dealer wanted. On the Prius, the key isn't really programed. It's simply seral numbered. The car is then programmed to accept a particular key. You can do this yourself if you have the master keys. Almost any key shop will cut your supplied blank for very little. My spare keys cost me a buck each to have cut. Finding a blank key that you can custom program to an existing accepted serial number for my car would take some expensive hardware. Copying the serial number of the key into a new chip is only half the difficulty. Getting the alarm shut off so you can enter the car undetected to hack the physical ignition cylinder is the next challange.
All but the most high tech thief would find it difficult to sniff the key, copy it to a writable blank, and then using the blank to take the car. As a defense, I can always add a bunch of extra transponder keys that have been lost to my keyring. Reading a bunch of wrong codes could make it more difficult. Anytime when I now trade in a car, I'm keeping the spare keys just to keep them on my keyring to confuse sniffers.
The truth shall set you free!
You have to realise that AES 256 takes some rather beefy hardware to implement. Even 3DES is non-trivial. Now it's all no big deal when you talk PCs, they've got power to spare. However when you are talking embedded apps, it's different. In this case you are talking a VERY tiny chip that obviously must have very low power requirements. This places realistic limits on what it can do.
Also, when you get down to it, it's probably good enough. We aren't talking military secrets here, we are talking a car. The point isn't to make it unbreakable, because that's worthless, it's just ot make it harder to steal the car. You can't make a secure car. No matter what you do, someone can find a way to override it and steal your car. What this does is add a layer of security that makes it much harder for normal thieves.
Physical security isn't like virtual security. We get so used to haveing essenitally perfect (until someone finds a hole) virtual security, some expect the same thing in the real world. No, actually basically all real security has known flaws when it's setup. However the difficulty in bypassing the security is considered to be higher than the reqard in doing so, if the security is good.
Like for example I ahve a Medeco lock, and we use the same kind all over campus. Medeco locks aren't like normal locks, they have a biaxial pin system that makes them a real bitch to pick. Also means normal key copiers can't handle their keys. On top of that, Medeco patents and dilligently controls key distribution. You can't, in theory, go and get a copy of a Medeco key made without being the authorized owner of the lock.
Well it's easy to find a way around that. Ignoring other ways in my house, one could simply bribe/corerce my roomate out of a key. While you couldn't easily copy it, the key itself would still be perfectly usable for getting in.
Why then, would I pay a premium price for this lock, if I know it's not perfect? Because it's better than most. It does mean that my roomates can't copy the key and hand it out to girlfirends or the like, and it'll take a lot more physical abuse than a normal lock. It isn't perfect, but it's better.
That's what you have to deal with in the world of physical security. You just try to design a system that it good enough to thwart whoever might want to circumvent it, make it not wroht their while. I mean realise that even if this had an uncrackable code on the keys, you can wire around it, given time and skill. The engine is still just started by a simple electrical connection. It's not easy to access what you need to make it happen, but it's easier than you might think.
Basically, I'd rather have a weak crypto key that's feasable to make than nothing at all. Most people aren't going to pay for an expensive seperate crypto unit that is physically fairly large, which is what you'd need to do strong crypto at this point. So put weak crypto in the key, which is still better than most cars (a screwdriver is about all one needs to override the key on my car) and it helps.
Yes it does, unless you somehow create dual contacts to the key within the ignition (you can't just have a floating communications signal... you need a reference voltage), which will have HUGE reliability problems. Recalls galore with that one.
In all seriousness, there are many, many ways to get around PATS (Passive Anti Theft System)...the RIFD technology they're talking about. Probably one of the most common "professional" ways of stealing the car is just carrying around an extra PCM (Powertrain Control Module) which doesn't rely on a signal from a PATS module to start the car... just disconnect the old module and connect it to the new one, and away you go.
Think that doesn't work? Well the Europeans think so. They have installed an extra casing around the PCM to deterr just this kind of theft. People don't realise that they've already found ways around all the security measures they have with cars... it's just that joe crack head can't steal your car, but the guys who make a real living off this will.