Breaking a Car's Cipher
An anonymous reader alerts us to research out of Belgium and Israel that claims a practical attack on the KeeLoq auto anti-theft cipher. Here are slides from a talk (PDF) at CRYPTO 2007. From the researchers' site: "KeeLoq is a cipher used in several car anti-theft mechanisms distributed by Microchip Technology Inc. It may protect your car if you own a Chrysler, Daewoo, Fiat, General Motors, Honda, Toyota, Volvo, Volkswagen, or a Jaguar. The cipher is included in the remote control device that opens and locks your car and that controls the anti-theft mechanisms. The 64-bit key block cipher was widely believed to be secure. In recent research, a method to identify the key in less than a day was found. The attack requires access for about 1 hour to the remote control (for example, while it is stored in your pocket). The attacker then runs the implemented software, finds the secret cryptographic key, and drives away in your car after copying the key." Update: 07/23 15:27 GMT by KD: One of the researchers, Sebastiaan Indesteege, pointed out that the link to the paper was incorrect; their paper has not yet been released to the public. I also managed to misattribute his nationality. He is Belgian, not Dutch. My apologies.
The linked paper is by Bogdanov (requires the entire code book). The authors of this paper have not published their paper in the wild (yet).
If a car thief has access to your keys for an hour, aren't you going to lose your car anyway?
Rob
KITT: Michael, someone's trying to hack into my operating system! Help me Michael!
GetOuttaMySpace - The Anti-Social Network
This is why there is a need for more than one security level. If one anti-theft device fails, there should be a backup - whether it's a simple thing such as "The Club" or a retrieval mechanism like LoJack.
It's amazing that people will invest so much money in a car and won't take any additional steps to protect that investment.
There's still a mechanical lock preventing the ignition from being engaged, and they would also have a steering wheel lock to work around. This is effectively bypassing the immobilizer that comes equipped on most modern cars. If someone wants your car badly enough nowadays, they just take your keys from you.
For Christ's sake, get your geography right! The KU Leuven is one of the oldest universities in the world and quite well known around that same world. (For instance, it is the university where the Rijndael algorithm used in AES was developed.) Leuven is in Belgium. Belgium, like in "the capital of Brussels", for ignorant Americans, or "the country of which Brussels is the capital" for the rest of us.
Linux user since early January 1992.
My truck doesn't have Air Conditioning, but I DO have an air conditioning button on my dash that connects the coil to ground.
Security through obscurity baby!
Some of these cars could quite possibly contain that whole "key in range push button to start" option. My cousin has that option on her car, though I forgot the make/model...
When man makes a better mousetrap, nature makes a better mouse.
Karma Whoring for Fun and Profit.
The research has been done in Belgium and Israël, not in the Netherlands and Israël as previously stated.
Another reason to carry around an RFID jammer.
Quick, someone create Faraday pants, or should I line my pockets with tinfoil?
It's BELGIAN research, by the Catholic University of Leuven.
They use your stolen coins and mints to help supplement their black budget.
Occasionally, when computer time is not available, they use a brute-force attack with a crowbar.
After following me around the mall for an hour with this little device, they would run the software, get into my Honda Civic, and then...
Hotwire it.
How easy is that? I think they'd just carjack someone before going through the trouble.
http://kuleuven.ac.be/ is a Belgian University situated in Leuven, not in the Netherlands.
I know it's a very small and unknown country for you Americans but please verify your sources.
OK, what part of "Katholieke Universiteit Leuven, Belgium" looks like "researchers in The Netherlands"??
In other news: The Canadian president George W. Bush invaded Iran because of the 9/11 attack on the World Trade Center of Chicago.
According to their slides, all you need is proximity to one of these devices for an hour, and the master key for the manufacturer can be found - which is simply XORed with the vehicle ID to authenticate. They were relying on a vast keyspace instead of a secure encryption method - security through obscurity.
Break one key device, break them all.
The key fobs work by producing a new code each time you press it, and the car remembers which ones it's heard, preventing you from recording someone getting into the car and playing it back later.
So I guess the magic is that with an hour's worth of data, you can now figure out the sequence. But why bother? If you somehow can record 3600 fob activations in an hour away from the car, you can with no special knowledge make a key that will work 3600 times. More than long enough to fence the car, or steal the laptop inside.
If they need to press the key some 3600 times, intercept the emitted code to calculate the cipher key, and they claim "one can press the unlock once a second, so about one hour access to the key is needed" then it sounds a lot less ominous. IMO.
Still, valets and mechanics will have access to the key fob for an hour, and maybe they can get the cipher key.
The rate at which electronics shrinks, I would not be surprised by 128-bit or even 256-bit cipher keys coming out soon, without any other change to the algorithm.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
All ur virtual fuzzy dice are belong to me!
While it may be simple to break the code on the chip, you still need a copy of the key unless the car is push-button-ignition.
These days, many high-end car keys are CNC cut (my mini's key has huuuuuge tooling marks from a spindle-out-of-square), which will actually cause a bit of trouble. This isn't something you could easily do a putty-transfer on, nor does the group of people who spend a lot of time breaking cyphers typically overlap with the group of people who have and can work with CNC equipment.
In the end, I think flatbedding the car is the way to go. All the big chop shops are doing this now. If you're small-time, carjack. Alternately, get a real job.
That's okay. If you own a Daewoo, you could hand the key to a thief and they still wouldn't steal it. Nothing to see here, move along.
10 FILL MUG WITH COFFEE
20 DRINK COFFEE
30 GOTO 10
There are a lot of cars that can be driven if the fob is in your pocket.
I'm almost tempted to tell my Mom and get her paranoid about her Prius. The thing handles miserably anyway. Sometimes good old mechanical is the best solution.
I just purchased a new car that doesn't have a mechanical ignition system. There's a place to attach the key (doesn't have metal teeth or anything), and a big "Start/Stop" button. The steering wheel lock is also electronic, and is controlled by the electronic signal from the key. I have no idea if my car uses KeeLoq--- I sure hope not.
Mechanical locks are on their way out, largely because they're ineffective against even moderately sophisticated criminals. That's the whole reason Immobilizer systems were rolled out in the first place. This attack effectively strips the immobilizer out of the car and rolls the security back to pre-Immobilizer levels. You only need to look at theft rates among models with and without immobilizers to see what impact that has.
Finally, for those who say that 1-hr access to the key is unreasonable: remember that the attack here is _key copying_, not theft. The immobilizer systems are designed to prevent copying, so that your valet or repair person can't make a copy of your key and steal it later. This attack takes a lot longer than other attacks which are out there (example), but it's still not out of the question.
The basic lesson of all these attacks is that manufacturers need to use strong cryptography rather than custom, homebrewed ciphers. Hopefully with fabrication prices dropping, this will be the last generation of truly ridiculous authentication systems.
They probably looked up Leuven in the Encyclopedia Britannica 6th Edition ;)
Knowledge is power. Knowledge shared is power lost.
The attack requires access for about 1 hour to the remote control (for example, while it is stored in your pocket).
This may be an interesting academic exercise in breaking a cipher, but if the implication is that someone who has physical possession of the remote is able to open the car, then from a practical standpoint not much has been compromised.
Some cars have a system where there is no mechanical key. MB & BMW have it, I hear Toyota has some too, presumably Lexus too. Basically, you have a card or fob in your pocket and you press a button to start the car.
Why don't remote keys resync symmetric, unbreakable keys with the car every time they're physically inserted into the ignition?
When someone patents that device, just point to this post as prior art. If it's patent free, anyone can use it, and there's no excuse for not securing cars (and homes, and bikes, and ...) properly.
You're welcome.
--
make install -not war
A physical key is still a key, y'know? There is considerable overlap in concepts and techniques - why, putty transfer is simply a replay attack, while a rake is actually used to brute-force a lock by generating many pin position combinations in a very short time.
Something bad is coming when people are suddenly anxious to tell the truth.
Bleh. The mechanical lock and steering wheel lock on many cars can be bypassed in 5 minutes with a dent puller. Tap the dent puller into the key switch and pull really hard. The key lock will pop right out. Some cars have an anti-theft arrangement here, so YMMV.
And if someone wants your car badly enough, they'll just put it onto a flatbed tow truck and drive away with it.
My blog
Actually it was done by the Catholic University of Leuven in BELGIUM and ISRAEL.
I actually have removed those. Had a friend, with an old Maxima, whose key broke off in the ignition. The Maxima actually has a bypass starter located in the dash, but it doesn't free the steering wheel. What I ended up doing is cutting slots into the steering lock mechanism's break-off bolts and removing them. After that, the steering wheel was free and the car started via the bypass.
After taking a quick look at it, I'd say doing this would take 4 minutes at most on his car, now that I'm familiar with it.
His "key" is a flathead screwdriver. Still does it to this day.
import system.cool.Sig;
The hack wasn't by a university from the Netherlands, but one from Belgium (University of Leuven) together with researchers from Israel.
According to the local news here the hack would require you to be in the environment of the key for about 1 hour, after which it would require approximately 1 day of calculation to break the code.
No papers have been released yet - they would release them somewhere in April 2008.
Nice to see a fellow Mini driver on /.
Anyway, correct me if I'm wrong, but doesn't the Mini key communicate with the car's computer system when it's inserted?
I know when I take my car in for its 10k checkups, they just drop the key in this little scanner and pull the mileage off. Could be RF, too, for all I know. I guess one check would be to take my spare key around the car, but not use it to start/unlock the doors and then take it to the dealer and trick em.
KeeLoq's serials! :9
Cars stole my Jew!
GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
Have you seen the laser cut keys? You can't rake those locks.
I don't think the key has the mileage on it. It does have the vin or some kind of serial on it. Whenever I bring the car in, they check the mileage on the dash.
That aside, the whole point of the article was about how the cipher is breakable, so in theory, someone could pretend to be the key in all virtual senses. My point was that the physical key still adds a degree of difficulty when stealing.
-05 mcc
Well, that's very interesting, but I have to go.
I'm headed to the annual "Vegan food and wifi jamboree" at the co-op where I expect to "win" a new Prius.
Of course I have to bring my laptop. Don't worry, just because I'm sitting at the table next to you doesn't mean I'm using my machine to crack the crypto on your key while we enjoy our roasted yams. I'm just writing my tract about municipal wifi and organic gardening.
Oh, yeah? You own a Prius? In red? I always liked red. Man, you have the only red one here...
Use the Firehose to mod down Second Life stories!
Ghost Dog already did this. Eight years ago.
If it can be accessed, it can be stolen.
I am not very sympathetic at this point, because I bought an affordable car that isn't popular among car thieves. It looks fine, runs great, has low maintenance costs, and never gets broken into.
If you are buying a fancy car to show off your wealth or whatever, when perfectly good alternatives exist, you deserve to be robbed.
If you can't afford to have your expensive car stolen, then can you really afford that expensive car?
...cars steal YOU!
No such thing as a truly unbreakable anti-theft system.
1. What happens if someone genuinely loses their keys? There needs to be some way for the manufacturer to sort them out.
2. Car theft won't stop overnight. But it will cause more things like carjackings (rather more violent and distressing) and key theft.
3. In any major city, there are enough tow trucks that nobody will bat an eyelid if they see a car being lifted onto the back of one. It's brazen, but by the time it dawns on the driver that their car has been stolen it's in a lockup 100 miles away being modified to take a different key altogether.
No, the intro clearly states that the thief has to have access to the remote control while it is in your pocket.
So next time you let a car thief put his hands into your pocket, make sure it's only for 50 minutes.
Is it just me, or are a lot of exploits like this? A thief can gain access to ANYTHING in your house once they are INSIDE! OMFG!
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
*munches on popcorn* This argument of AC's isn't nearly as good as the time I heard two geeks argue over the pronunciation of GIF.
I am NONE of the AC's above. So nah.
No it's not. Lock picking is actually much more complicated than that. Please don't make stuff up and quote it as truth.
There's a place to attach the key (doesn't have metal teeth or anything), and a big "Start/Stop" button.
I like my Prius also. I have an older one that still uses a chip in the key. When you hack my remote, you also have to hack my key. The Prius does not have a 12 volt starter at all. The throttle is fly by wire. The EV transmission is a computer controlled motor/generator set. Unless you can convince the computer to operate, there is absolutely no way to drive it off with nothing but the data from the remote.
The new model with the keyless fob for the ignition may be wirelessly exploitable. It is a cool idea though. Walk up to your car and the door unlocks. Nice if you are carrying packages. Get in and press start and drive away. The wireless key fob, even though very nice, may be a security hole.
The truth shall set you free!
As an American, I'll gladly admit that I don't know the difference between Dutchland and Belgia.
-- dR.fuZZo
I believe the Prius does that....I seem to remember a friend of mine showing me this 'feature'.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
OK, so in one hour with close proximity (measured in feet) to the controller, they can crack it. Give a guy (valet parking anyone?) your keys and he can copy it in 5 seconds. This is not news at all. You want to impress/scare me? Tell me they can do it without the remote.
excitingthingstodo.blogspot.com
Bahh ... I'm installing a trunk monkey. As long as they don't have bananas I'm fine!
Officer: "How many people had access to the key for an hour or more?"
reply: "Here's the short list."
It's simply not worth it to have to deal with electronics that break, batteries that die, etc.
That has turned out to be FUD now that they are getting lots of miles. The battery pack is easier to change than a typical transmission and now costs less. In addition it has been proven more reliable. (Google search Prius Battery Failures). The little 12 volt battery is a much higher failure rate item needing a 3-5 year replacement cycle just like their conventional counterparts.
In the trade of mechanical parts for electronic, most mechanical high-failure items on the Prius have been eliminated.
Here is a short list..
No belts, not even for a water pump or AC.
No Hydraulics hoses or lines except the brakes.
No leaky AC rubber hoses or shaft seals.
No clutches, pressure plates, bands, or hydraulics of any kind in the transmission
Here is how the improvements work.
The AC is a sealed electric unit like a home refrigerator. The compressor is body mounted, eliminating leaky shaft seals, belts, clutch, and hoses.
The transmission has 7 moving parts. None of them is any kind of friction, shift, or hydraulic part. It's built like and as reliable as a differential. The battery pack is composed of 7.2 volt modules. A module failure does not equal a battery pack replacement.
The Power steering is a linear electric motor for assist. This eliminates the power steering pump, hoses, and power steering fluid issues.
The power brakes use a compressor so it is a trade off for the vacuum module for a compressor.
The cooling system is powered by electric pumps. It traded belt driven problems for electric pump problems. I haven't seen reliability reports on these pumps yet which is a good thing.
Even the starter motor with its brushes, solenoid, bendix gear and other failure items has been eliminated. The brushless AC Motor/Generator set in the transmission starts the engine.
I studied all these issues before I bought a Prius. TCO is an important number to me.
For me personally, Here are some of my stats.
I have 120,000 on my Prius. At 20,000 and 80,000 miles I changed tires (the originals don't wear well). At 70,000 miles I had to change the 12 volt battery in late 2005 so it lasted almost 4 years.
At the last tire change, I had the brakes checked. I have 80% remaining. Other than give it gas and regular oil changes, it has required zero repairs except a rock chip in the windshield.
Most other cars I drove with over 100,000 miles were getting into needing starters, alternators, brakes, belts, power steering, Air Conditioner, and transmission service.
The truth shall set you free!
A car analogy
Knowledge is power. Knowledge shared is power lost.
Actually, with a properly-prepared key blank you can impression "laser-track" locks just as easily as you can impression other types of pin-based lock. (Certainly in less than an hour -- and the key impressioning could be done in parallel with the technique described above.) While the key looks impressive, the internals of the ignition/door cylinders are often not very different than a traditional, wafer-based car lock.
Maybe Keeloq is broken and maybe it isn't, but I think I'll wait for the paper and see what Microchip's response is before I assume these clowns are anything more than attention whores.
... window is a much easier way in.
UTF-8: There and Back Again
If the manufacturers ACTUALLY gave a crap about security they could easily enough make the system secure. Instead they're more interested in patentable special sauce and NIH.
The thing is, cryptography is at the same time very easy or very hard. It's very easy to utilize one of several freely available strong systems in order to be secure. It's very easy to invent a system from scratch that YOU don't know how to crack. It's very hard to invent your own system that nobody else will know how to crack. It's very easy to introduce a serious flaw when re-implementing someone else's crypto. If you haven't devoted your professional career to cryptography, the best bet is to utilize someone else's.
For example, Blowfish is completely free of encumbrance and has several fully public domain implementations available in C. RSA is (now) equally free. It is well understood, has years of successful use behind it and years of analysis demonstrating that it would cost WAY more to crack the key than any car is worth (not to mention that it would take longer than the typical lifetime of a car). There are plenty of years-old CPUs out there that have more than enough "oomph" to handle RSA and are well suited to embedded use. They might cost a dollar more, but this sort of system is not used in "bargain basement" cars.
They spend the extra cash on fine leather seats and steering wheel covers but use Yugo quality locks to protect it?
It consists of an RF transmitter to open the doors, etc, and a passive RFID chip that had to be read by the steering column before the car will start. If you look at the other products on the FCC site by Valeo, you'll see various steering column readers and door lock receivers. The transmitter is actually fairly complex - it uses rolling codes to help prevent theft by replaying/predicting codes.
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
Wow, I'm actually surprised they found the thing at all. My only experience with Lojack was pretty funny.. A friend of mine had this big passenger van he used for work. One night we went out to get drunk in Brooklyn, and parked the van on the street. Long story short, we got far too drunk, couldn't find the van, and ended up calling it in as stolen. The next morning the van was located using Lojack, and it happened to be about 2 blocks from where we *thought* we left it. The funny bit is that he had no idea it even had Lojack. I guess the moral of the story is that if you don't remember where you parked, Lojack can make you feel quite foolish.
"Luke, you've switched off your targeting computer, what's wrong?"
I've raked a lock open before.
Lock picking is NOT that complicated. Basically, just apply a rotation to the cylinder, while pushing each pin up until you find the one that binds. (Locks are not perfect; one pin will usually bind before the others.) Push that pin up until the shear line is at the right point, and the cylinder will rotate slightly, keeping that pin in place. Repeat to find the next pin that binds.
Now, there are some types of locks that make it harder to do this. (Through various means I won't get into here.) But ANY lock can be 'picked', even if just by brute-forcing it.
Nice to see someone finally poke a hole in this. The Packet Sniffers talked about this in episode 4:
http://www.packetsniffers.org/
Show link: http://www.archive.org/download/tps_episode_04/tps_episode_04_en_lo.wmv
My old car just had a plain old key. No chip, nothing. When I bought it, all I got was one valet key and one original. I went into a locksmith store and asked for a copy of the original.
I assumed he'd just take the original and copy it, like most box stores. Not this guy. He said no thanks, went out to my car, and without my keys he made a working key in about 5 minutes.
I wouldn't have believed it possible unless I saw it with my own eyes. He filed a blank key until it worked, feeling the lock. I think he was showing off.
Anyway, point is, someone this good can fabricate the old keys in 5 minutes. 1 hour to copy a key & you must have physical access to the key is better than the old way.
The problem lies in the modern TPMS systems. Tire Pressure Monitoring Systems regularly use the keyfob frequency to transmit to whatever smart power box controls your body functions (i.e. door locks, windows, ignition, headlamps, etc.) All they have to do is steal your tires with TPMS and voila, instant keyfob. Little details like cipher get blocked out when they realize that all they have to do is start putting the little pins on the IC to +5V or GND until the door locks pop.
Ok, interesting post, but why wasn't the master key posted? I want to make a legit copy of the key of my neighb^h^h^h^h^h^hjaquar. Without it, no 65 minute crack...
People who have this knowledge will be more interested in breaking into Mercedes and high-end cars, not Fords and equivalents. However, from the usual idiots I know, they won't waste their time trying to decipher an encrypted code......they just bash in the window or tap the window with porcelain and use a screwdriver to pop the ignition, or just do bumble bee, christmas tree (black yellow, green red) with the wires, then they're usually arrested after not using the car for practical purposes (ie: going 200 on the highway with 5 police cars chasing them....that friend is in for around 20 years last I checked....fucking dumbass...)
-Noc
Yeah, emergency responders just love the idea of a vehicle that can suddenly accelerate on electrical power (no startup/noise/warning) just because a keyfob is in the vicinity. Even more fun than having a side impact air bag fire while you're trying to extract someone.
You can rake any pin lock, even the DSP and magnetic ones, the motion is just not 'raking' anymore. $100 will get you a nice set of jigglers, tailored to the make, model and year of car you wish to steal, and if they work on the barely used door lock, they will make short work of the ignition barrel.
... nor does the group of people who spend a lot of time breaking cyphers typically overlap with the group of people who have and can work with CNC equipment.
It's obvious that you haven't attended their conventions. B-)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Currently on MSN's main website newsticker, there's an article showing a headline, "Are you afraid to file a car insurance claim?" That's what is called "directed questioning". Why should you be afraid to file a car insurance claim? The informed and rational mind would reject MSN's headline question -- why the insinuation of fear? Who said anything about being afraid? But the nature of directed questioning is that it is suggestive. Now the suggestion of fear has been made, and people who aren't so well informed or rational will hold the questionable fear-state in their mind while searching the article, which is probably also rife with suggestivity. But why all this suggestion, why not just be better informed (or more rational, take your pick)?
The article: http://articles.moneycentral.msn.com/Insurance/InsureYourCar/InsureYourCarDyn.aspx?cp-documentid=5249792>1=10331
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
It seems that the cipher (as in: cryptographic algorithm) is broken. It's not even "has been broken" because if it is broken now, it was broken yesterday. If it is indeed an XOR method, it has been known to be broken for a while. I think the author meant determining the value of a key for a car using a new, faster method to do so. The title is therefore rather wrong. Oh, and I've always understood that it should be "a cipher of a car" instead of "a car's cipher", but maybe that's only true for old style English.
Why am I even bothering to post this? Oh well, I've got karma to burn anyway. It *is* nothing less than the title of the summary, so maybe that's what triggered me.
"Follow me" the wise man said, but he walked behind.
Your sig is incorrect. "The truth shall MAKE you free."
What does CNC have to do with anything? Any car key, including simple ones that you could do a putty transfer on could have been cut by a CNC machine. They probably all are originally anyway.
Keeloq is not used much in the automotive industry. I've had exposure to immobiliser and security systems for the last 6 years on DC, GM, Ford, Volvo, Jaguar and Iveco and have not come across a single Keeloq system. From what I've seen the big players are NXP and Infineon.
My bet is the authors pulled the list of companies using Keeloq from Wikipedia. Putting a list of company logos with "Supposedly all use Keeloq" is irresponsible.
Access to the vehicle is just half the story. Vehicle immobilisers provide the real security against vehicle theft and are separate to the remote entry system. Ford and Jaguar use the PATS for immobilisation, which is separate from the algorithm used to unlock the car. Most European car manufacturers have the same functionality, even on low end vehicles. The claim in the press release that "Once we have found the key, we can deactivate the alarm and drive away with your car" is rubbish - all you have is access to the interior of the vehicle. The independent antitheft system has to be defeated before the engine can be started.
Vehicle manufacturers take vehicle security very seriously. More and more, firmware and calibrations are digitally signed to prevent hot chipping. Electronic control units are paired together using robust cryptography to prevent swapping modules to defeat vehicle security. Software based 128 bit encryption is common in UHF key fobs. Hardware AES is finding its way into Passive Keyless Entry systems. Last year I was working on a vehicle platform that used 3DES, RIPEMD, SHA256/RSA as well as proprietary algorithms - and that was just the cluster and EMS.
The authors seem to have no understanding of the industry. They found a weakness in Keeloq and say the result is they can drive away with my car. Bullshit. Research your claims instead of chasing the headlines.
Your sig is incorrect. "The truth shall MAKE you free."
Um, that's someone else's tagline. I'll keep mine. The only change I've considered is changing it to "keep you free".
The truth shall set you free!
So you work in the automotive industry and your employer has instructed you to deny the impact of this result?
Good job!
Where I live, the largest taxi company in town has switched the majority of its fleet to hybrids (they used to use propane Crown Victorias and such).
I queried a driver about the reliability. His vehicle (new body style prius) had around 200K km on it. He had replaced the tires once and brake pads etc (expendables). They have another in the fleet that had 300K km before they sold/upgraded it (not sure if it was a lease or owned or what have you). No problems with that one either, but they had gotten their money's worth out of it.
Even though it was completely anecdotal ("yeah these cars are great") I was impressed.. those taxi drivers drive the isht out of those poor cars. I don't think my own car (Accord) would stand up to that kind of driving long (clutch, tranny, brakes.. etc would all be suspect very quickly).
"If you are going through hell, keep going." - Winston Churchill
As someone who uses the KeeLoq routines from Microchip often, there are points I'd like to clarify.
Although I cannot disclose the exact operation of the routines, I can tell you that KeeLoq transmitters are only sending codes in response to a button press; they do not send codes all the time (the battery life would be too low). So, you would need access to an activated (button pressed) transmitter - just being in proximity to a fob in someone's pocket won't do a thing for you. You'd need to sniff the codes from many, many transmissions.
Even with knowledge of the internal code table, you'd need enough transmissions to determine where you were in the code table and what the various IDs are (manufacturer, device, etc). They are probably suggesting that with 3600 messages you could determine this (which seems a little high, but in the right ballpark). However, if you obtained that many messages far enough away so the RX couldn't receive, the fob would be hopelessly out of sync and would no longer function. At that point, it would have to be re-learned.
So, to summarize... Yes, KeeLoq can be broken - but it would be far easier to just steal the fob.
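As an added example that is not part of this comment, of Microchip's routines, or of the paper under discussion: a generic rolling-code receiver model in Python that illustrates the two points made above, namely that a captured message is useless once the receiver has seen it (replay detection) and that a fob pressed many times out of range drifts past the receiver's single-press window and must resynchronize. The HMAC-SHA256 tag, the window sizes, the serial number and the key are constructed stand-ins chosen for illustration; they are not KeeLoq's cipher, message format or actual window values.

```python
import hashlib
import hmac

# Constructed parameters for the model (not KeeLoq's real values).
OPEN_WINDOW = 16        # counters at most this far ahead of the last one are accepted on a single press
TAG_LEN = 8             # truncated MAC length in bytes


def _tag(key: bytes, serial: int, counter: int) -> bytes:
    """Stand-in for the encrypted counter: an HMAC over serial and counter."""
    msg = f"{serial}:{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class Fob:
    """Transmitter: increments its counter on every button press and emits one message."""

    def __init__(self, key: bytes, serial: int):
        self.key = key
        self.serial = serial
        self.counter = 0

    def press(self) -> tuple:
        self.counter += 1
        return (self.serial, self.counter, _tag(self.key, self.serial, self.counter))


class Receiver:
    """Receiver with replay rejection, a single-press window and two-press resynchronisation."""

    def __init__(self, key: bytes, serial: int, window: int = OPEN_WINDOW):
        self.key = key
        self.serial = serial
        self.window = window
        self.last = 0          # highest counter accepted so far
        self.pending = None    # counter of an out-of-window message awaiting its successor

    def _valid_tag(self, counter: int, tag: bytes) -> bool:
        return hmac.compare_digest(_tag(self.key, self.serial, counter), tag)

    def receive(self, msg: tuple) -> str:
        serial, counter, tag = msg
        if serial != self.serial or not self._valid_tag(counter, tag):
            self.pending = None
            return "reject"           # wrong fob or forged/corrupted message
        if counter <= self.last:
            return "replay"           # already seen (or older): a recorded message does nothing
        if counter <= self.last + self.window:
            self.last = counter
            self.pending = None
            return "accept"           # normal press within the window
        # Beyond the window: the fob was pressed many times out of range.
        # Require two consecutive counters before trusting the new position.
        if self.pending is not None and counter == self.pending + 1:
            self.last = counter
            self.pending = None
            return "resync"
        self.pending = counter
        return "out_of_sync"


def simulate(out_of_range_presses: int) -> list:
    """Run one fob against one receiver and return the sequence of receiver verdicts."""
    key = b"constructed-demo-key"    # constructed; a real system provisions a per-device secret
    fob, rx = Fob(key, 0x1234), Receiver(key, 0x1234)
    verdicts = []
    first = fob.press()
    verdicts.append(rx.receive(first))          # normal press
    verdicts.append(rx.receive(first))          # same capture replayed
    for _ in range(out_of_range_presses):       # presses the receiver never hears
        fob.press()
    verdicts.append(rx.receive(fob.press()))    # next press heard by the receiver
    verdicts.append(rx.receive(fob.press()))    # the press after that
    return verdicts


if __name__ == "__main__":
    print(simulate(5))    # a few missed presses stay inside the window
    print(simulate(20))   # many missed presses fall outside it and need two presses to resync
```

With five presses missed the third verdict is still "accept" because the counter is inside the window; with twenty missed presses the receiver answers "out_of_sync" and only the following consecutive press brings it back with "resync". Replays of a recorded message are rejected in both runs.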
No problem! /. readers aren't encumbered by a need to read it in any case.
...not quite as impressive as the original movie title
Even though it was completely anecdotal ("yeah, these cars are great") I was impressed. Those taxi drivers drive the isht out of those poor cars. I don't think my own car (Accord) would stand up to that kind of driving long (clutch, tranny, brakes, etc. would all be suspect very quickly).
Stop-and-go driving is the car's good point. Many quickly point out that heavy stop-and-go may reduce the mileage to 20, but compared to the standing the taxis do on a regular basis, that is excellent. Sitting with the engine running results in 0 MPG in traditional cars and hybrids. The difference is that in a traditional car, the engine runs all the time unless the operator shuts it down and pays the starter wear penalty. The Prius with a long wait time is not running the engine over 80% of the time. It is not required by the EPA, but the fuel consumption rate at idle should be on the window sticker. Those fleeing Katrina and stuck in traffic often got less than 60 miles to the tank of gas.
Seattle did an experiment with hybrid buses. They blew it and tried to save lots of money by putting them on the long-haul express routes. Bad move. At expressway speeds and driving they don't do much better than their counterparts. They should have put them on the downtown routes and compared them in stop-and-go and stop-and-creep traffic. That is where they shine. Even when they shine in that type of driving, the numbers are nothing to shout about. Stop-and-go driving kills economy even in a hybrid, but not nearly as badly. In some creep-and-stop traffic, I once got under 5 MPG for about 1 mile. It took almost 2 hours to make that mile.
I have put an inverter in my car (1,000 watt) and have used it to power things in power outages. I have literally locked a key in the car, shut off the lights, heater and anything else, and let the car run an entire weekend running a fridge, small freezer, a couple of CF lights, and a computer part time. Even though I left it idling an entire weekend, I still got 32 MPG on that tank of gas. I used less than a quarter tank. Not bad for a 12 gallon tank.
In that mode it typically runs for about 5 minutes and shuts down for almost a half hour then repeats the cycle.
The truth shall set you free!
A while (as in a few months) ago, Courtois, Bard and Wagner published a paper about algebraic and slide attacks on KeeLoq. I wonder if this new paper builds on that older one, or if it offers an alternative way. As Courtois has often said, an algebraic/XSL attack could be used to attack AES, if certain algorithms used in the process were improved. A truly paranoid friend of mine suggested that the new paper is a smokescreen (known attack given by spooks) to divert interest away from researching such algebraic attacks; hence the press releases, the person thinks the PR storm was not due to vanity. I think my friend is nuts, but his paranoid ramblings suit this site well!
Couldn't you just hotwire the car after cloning the cipher? Or is there something I'm missing...?
Besides, the jackass who stole my car stereo smashed my window. I want shatter-proof glass and a way to automatically hide my valuables.
No, I will not work for your startup
How did you lock the key in your Prius? I can't lock my key in mine - the doors unlock when I close them with the key in it.
How did you lock the key in your Prius? I can't lock my key in mine - the doors unlock when I close them with the key in it.
Leave the engine running, get out and use a second key to manually lock the doors from the outside. The remote key fob is inoperative when the ignition is on. (Not sure if this works on the newer models, but it works fine with mine.)
The truth shall set you free!
The Prius 2.0 != Seattle Hybrid Bus. Just google Toyota Echo 1.5L ICE vs Toyota Prius 2.0's 1.5L ICE in highway MPG. Prius still beats Echo.
Hybrids are not created equal.