Breaking a Car's Cipher
An anonymous reader alerts us to research out of Belgium and Israel that claims a practical attack on the KeeLoq auto anti-theft cipher. Here are slides from a talk (PDF) at CRYPTO 2007. From the researchers' site: "KeeLoq is a cipher used in several car anti-theft mechanisms distributed by Microchip Technology Inc. It may protect your car if you own a Chrysler, Daewoo, Fiat, General Motors, Honda, Toyota, Volvo, Volkswagen, or a Jaguar. The cipher is included in the remote control device that opens and locks your car and that controls the anti-theft mechanisms. The 64-bit key block cipher was widely believed to be secure. In recent research, a method to identify the key in less than a day was found. The attack requires access for about 1 hour to the remote control (for example, while it is stored in your pocket). The attacker then runs the implemented software, finds the secret cryptographic key, and drives away in your car after copying the key."

Update: 07/23 15:27 GMT by KD: One of the researchers, Sebastiaan Indesteege, pointed out that the link to the paper was incorrect; their paper has not yet been released to the public. I also managed to misattribute his nationality. He is Belgian, not Dutch. My apologies.
My truck doesn't have Air Conditioning, but I DO have an air conditioning button on my dash that connects the coil to ground.
Security through obscurity, baby!
Some of these cars could quite possibly contain that whole "key in range push button to start" option. My cousin has that option on her car, though I forgot the make/model...
According to their slides, all you need is proximity to one of these devices for an hour, and the master key for the manufacturer can be found, which is simply XORed with the vehicle ID to authenticate. They were relying on a vast keyspace instead of a secure encryption method: security through obscurity.
Break one key device, break them all.
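The key-derivation weakness the comment above describes, worked through as an added example (not code from the original post or from Microchip): a per-device key formed as master XOR device ID lets anyone holding one device key and its ID recover the master and therefore every other device key, whereas a one-way keyed derivation (HMAC-SHA256 here, an assumed alternative for contrast, not KeeLoq's own scheme) does not collapse that way. The 64-bit key size follows the summary; the master key and device IDs are constructed sample values.

```python
import hashlib
import hmac

KEY_BITS = 64                      # KeeLoq uses a 64-bit key (per the summary)
KEY_MASK = (1 << KEY_BITS) - 1


def derive_key_xor(master: int, device_id: int) -> int:
    """Weak scheme from the comment: device key = master XOR device ID."""
    return (master ^ device_id) & KEY_MASK


def derive_key_kdf(master: int, device_id: int) -> int:
    """Assumed stronger alternative: HMAC-SHA256(master, device_id), truncated to 64 bits.
    Not KeeLoq's scheme; shown only to contrast with XOR derivation."""
    mac = hmac.new(master.to_bytes(8, "big"), device_id.to_bytes(4, "big"),
                   hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")


def recover_master_from_xor(device_key: int, device_id: int) -> int:
    """XOR is its own inverse: one (device key, ID) pair gives the master back."""
    return (device_key ^ device_id) & KEY_MASK


def other_devices_reproducible(derive, master: int, leaked_id: int, other_ids) -> int:
    """Count how many other devices' keys someone can reproduce knowing only the
    leaked device's key and ID.  The only inversion available without the master is
    the XOR one; it is exact for derive_key_xor and useless for derive_key_kdf."""
    leaked_key = derive(master, leaked_id)
    guessed_master = recover_master_from_xor(leaked_key, leaked_id)
    return sum(1 for dev in other_ids if derive(guessed_master, dev) == derive(master, dev))


# Constructed sample values (not real manufacturer or vehicle data).
SAMPLE_MASTER = 0x0123456789ABCDEF
SAMPLE_LEAKED_ID = 0x00001234
SAMPLE_OTHER_IDS = [0x00000001, 0x00000002, 0x0000BEEF, 0x00FFFFFF]

if __name__ == "__main__":
    n = len(SAMPLE_OTHER_IDS)
    print("XOR derivation: reproducible other keys =",
          other_devices_reproducible(derive_key_xor, SAMPLE_MASTER, SAMPLE_LEAKED_ID, SAMPLE_OTHER_IDS), "of", n)
    print("KDF derivation: reproducible other keys =",
          other_devices_reproducible(derive_key_kdf, SAMPLE_MASTER, SAMPLE_LEAKED_ID, SAMPLE_OTHER_IDS), "of", n)
```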
While it may be simple to break the code on the chip, you still need a copy of the key unless the car is push-button-ignition.
These days, many high-end car keys are CNC cut (my Mini's key has huuuuuge tooling marks from a spindle-out-of-square), which will actually cause a bit of trouble. This isn't something you could easily do a putty transfer on, nor does the group of people who spend a lot of time breaking ciphers typically overlap with the group of people who have and can work with CNC equipment.
In the end, I think flatbedding the car is the way to go. All the big chop shops are doing this now. If you're small-time, carjack. Alternately, get a real job.
Why don't remote keys resync symmetric, unbreakable keys with the car every time they're physically inserted into the ignition?
When someone patents that device, just point to this post as prior art. If it's patent free, anyone can use it, and there's no excuse for not securing cars (and homes, and bikes, and ...) properly.
You're welcome.
--
make install -not war
A physical key is still a key, y'know? There is considerable overlap in concepts and techniques: why, putty transfer is simply a replay attack, while a rake is actually used to brute-force a lock by generating many pin position combinations in a very short time.
Something bad is coming when people are suddenly anxious to tell the truth.
All you need is the correct sequence on the parking brake.
The mythical Honda override exists: It's a series of presses and pulls of the emergency brake. Each car, it seems, has a unique override code, which correlates to the VIN.
Except for the fact that Lojack doesn't work in all parts of the US.
http://www.lojack.com/where/lojack-coverage-areas
If it can't get a signal it can't send, since it rides traditional communications services.
http://www.lojack.com/lojack-faqs/index.cfm
They can remove the transponders rather quickly if they are experienced car thieves.
I had a 2004 Dodge Ram that was stolen for the gear in the bed of the truck. Since it was a capped truck with a security system, it was easier for them to take the whole truck and work on the locks elsewhere. They found the Lojack unit and threw it in a dumpster 3 cities over; police found that 3 hours after I reported the truck missing. They found my truck in a Southern state 6 weeks later, completely stripped. They even took the Navi DVDs and the Sirius radio tuner.
This package Does Not Contain a Winner
Nope. I first found this on my first Corvette, a '97 C5. It had a setting through the dash display where you could set the car to sense when you came near enough with the keys, and it would automatically unlock. You could set it to unlock either both doors or just the driver's side.
I played with it awhile, but I found that the hook I kept my keys on near the front door was too close to where the car was parked, and it would at times unlock the car in the driveway. I turned it off after that.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
Wow, I'm actually surprised they found the thing at all. My only experience with Lojack was pretty funny. A friend of mine had this big passenger van he used for work. One night we went out to get drunk in Brooklyn, and parked the van on the street. Long story short, we got far too drunk, couldn't find the van, and ended up calling it in as stolen. The next morning the van was located using Lojack, and it happened to be about 2 blocks from where we *thought* we left it. The funny bit is that he had no idea it even had Lojack. I guess the moral of the story is that if you don't remember where you parked, Lojack can make you feel quite foolish.
"Luke, you've switched off your targeting computer, what's wrong?"
The problem lies in the modern TPMS systems. Tire Pressure Monitoring Systems regularly use the keyfob frequency to transmit to whatever smart power box controls your body functions (i.e. door locks, windows, ignition, headlamps, etc.). All they have to do is steal your tires with TPMS and voilà, instant keyfob. Little details like the cipher get blocked out when they realize that all they have to do is start putting the little pins on the IC to +5V or GND until the door locks pop.
A friend of mine had his minivan stolen. It was returned, three days and 8 miles later. We have never stopped giving him shit for that.
I see your informative link, and raise you a pithy comment.