New Cars Vulnerable To Wireless Theft

tkrotchko writes "In a story published by Technology Review, researchers have demonstrated multiple times that they can bypass the security of wireless entry and ignition systems to take a car without the owner's permission. As researchers in the article point out, car security systems will begin have a real impact to every day use if a thief can simply walk up to your car and drive it away. Although this article is light on technical details, a companion article shows how the researchers accomplished the security bypass. An interesting read, and certainly something that will no doubt be the subject of a new movie any day now."

A movie, you say

[jeffmeden]

An interesting read, and certainly something that will no doubt be the subject of a new movie any day now.

How about "gone in 60 microseconds"?

Re:A movie, you say

[dch24]

gone ins 60 microseconds

Kind of like the "security bypass" - it talks about a completely unrelated hack on the TPMS... unless it disappeared before I read it. (I'm talking about the "companion article").

Why didn't they just use a standard passive RFID setup? They're not making money selling batteries to customers... I'm confused.

If on the other hand the key has enough power to transmit its signal 100 meters (passive RFID can't do that) then it has enough power to have a real PKI. But I don't think that's the best idea for this use case.

Re:A movie, you say

[NetNed]

According to TFA "Gone in 60 nanoseconds"

Re:A movie, you say

[increment1]

PKI won't help. The problem is that the attacker does not care about decrypting the data, they only need to relay the data in order for the car to unlock.

All an attacker needs to do for these systems is extend the range (via repeating the signal) in order to compromise the security. No amount of encryption will help in this situation.

Re:A movie, you say

[modecx]

Yeah, you're right. This is a procedural problem. And it might be most efficiently remedied by a syringe (loaded with an appropriate dose of fentanyl) in the driver's seat of a desirable honeypot car. The doors would lock when the would-be thief puts the car into drive, simultaneously actuating the tranquilizer which is injected into the thief's ass. I could see this being a revolutionary new form of entertainment for vigilantes.

Re:A movie, you say

[Burdell]

Without Ring TFA (in the finest /. tradition), if it is susceptible to a replay attack, an idiot designed it. With proper public-key encryption, you do a challenge-response handshake with a timestamp and a random number; voila, no replay attacks. Associating a key fob with a car means learning each other's public key, and you're done.

Re:A movie, you say

[demonlapin]

I thought that was why they called it...

carfentanil

I'll be here all week; try the steak and be sure to tip your server.

Re:A movie, you say

[Nikker]

The hack with the tire pressure manipulates the ECU into taking emergency precautions. So sending false values may trick the ECU into thinking you are in a dangerous situation cutting the engine and locking the brakes. This on it's own is a small hack but does open the door to buffer overflows and other common attacks to gain further access into the cars programming. Since many cars manufactured since 2008 or earlier have employed the CAN-BUS protocol which utilizes a type of wireless component, this new protocol is the successor of the ODBC I/II protocol. This could likely open the door to sophisticated attacks to manipulate the cars functions.

Re:A movie, you say

[gstrickler]

It's not a replay attack, it's providing a transmission conduit that extends the range of communication between the car and the key fob. The car and key are in fact communicating, and there is no interception or decoding of the signal needed. It's an attack on the "proximity" based feature of these system.

Re:A movie, you say

[increment1]

I said 'relay', not 'replay'.

There is no practical way to prevent the attack described in the article through key strategies or encryption. The solution you propose would not work because the entire handshake can be relayed between the key and the car. The man in the middle in this case does not care to decrypt or modify the data, they are acting as no more than a router on the Internet would be when it passes your SSL packets.

One possible solution that doesn't change the fundamental passive monitoring mechanism is to rely on very fine grained timing of the response (say the difference between how long it takes the speed of light to travel 2 meters vs 50 meters). I am not sure if such a system could be built reliably for a low cost.

Re:A movie, you say

[cheater512]

Thats what challenge response is for. The response has to be derived from the challenge so replay works wont work because the challenge will be wrong.

Re:A movie, you say

[increment1]

The challenge will be correct because the key itself is performing it.

All the attack is doing is effectively extending the range of the communication between the key and the car. Since the car unlocks anytime it can communicate with the key, this effectively breaks the security.

Re:A movie, you say

[cheater512]

No, the car sends the key a challenge, such as a timestamp or a random number. The key has to respond, but modifies the response (e.g. XOR) based on the challenge. You could replay it, but the challenge is different each time.

Re:A movie, you say

[gstrickler]

You're correct that a system that limits the response time window can limit the range to which a signal could be relayed. However, such a system needs to have a key fob that responds very quickly and with a very repeatable delay so that the total response time (fob response time + signal propagation time) can be tightly regulated.

A much simpler, and more reliable solution is to eliminate the passive nature, at least the passive start feature and/or require that a physical key be inserted and turned before the car can be driven. If it required some non-passive action from the user, such as pushing a button on the fob or inserting a key, this attack would fail (or at least be significantly more difficult)

Any security system that relies upon passive proximity using RF will be hackable using this technique unless they can get the timing down to restrict the range to under 10m, preferably under 5m.

Re:A movie, you say

[increment1]

No, the car sends the key a challenge, such as a timestamp or a random number. The key has to respond, but modifies the response (e.g. XOR) based on the challenge. You could replay it, but the challenge is different each time.

Relay and replay are two different things.

I am sure if you ponder it long enough you will realize why you are incorrect.

Re:A movie, you say

[Pentium100]

How about using an actual lock that you need to insert the key into, you know, like it is on older cars both to get into the car and for ignition. Sure, the thief can connect the wires to start the car, but it involves a bit more work, also, in the case of my car, the thief would also have to find and turn on some other switch (unofficial mod) to turn on the fuel.

Re:A movie, you say

[Pentium100]

That's a stupid system, why would anyone design a system like that? It looks to me that it would be possible to fix the system by making the key send a signal only when someone is pressing a button on it. Then the key and the car can use whatever technology to prevent replay attack and relay attacks won't really work because if the owner is pressing the button then he most likely is near the car.

Re:A movie, you say

[modecx]

Hahaha... Good catch. Hopefully the thieves are elephant size, or that's going to be a nap they don't wake from!

Re:A movie, you say

[jrumney]

The CAN buses in a car are not wireless. The wireless key fob receiver may be connected to the ECU via a CAN bus, but it is not simply a router - you cannot inject arbitrary CAN messages through the wireless protocol.

Re:A movie, you say

[Vegeta99]

They already have honeypot, or, as they call them, bait cars. They'll drive the bait car into a bad neighborhood where car thefts are regular, and cause some sort of scene, such as a husband and wife fighting. They both depart the car (say, husband chasing after wife), while leaving the car running. Dumbass car thief sees the chance, grabs the car, gets a few blocks down the road until *blip* all the doors lock and the engine goes into limp mode, all while taping the thief in the car. Thief. Busted.

I do, however, like your idea better. Usually the thief fucks the car all up in the process of trying to escape. Never figured out why one didn't use a screwdriver (all car thiefs have a screwdriver to break the ignition lock, right??) to smash out the window and run. Then again, that wouldn't make for a good COPS episode.

Re:A movie, you say

[Vegeta99]

And, in the case of mine, have the code out of the RFID chip in my key.

Seriously. I had a remote start on a 1994 car that was more secure than this! Sure, you might start and unlock the car by guessing the shitty rolling code, but touch ANYTHING in it except the heat, radio, or ignition without turning the key to on, the car dies and panics.

Fuck that pushbutton shit. I'll take a key.

Re:A movie, you say

[SeaFox]

I was expecting a link to Dude, Where's My Car? instead of Hackers on that last sentence.

Re:A movie, you say

[drinkypoo]

PKI won't help. The problem is that the attacker does not care about decrypting the data, they only need to relay the data in order for the car to unlock.

some vehicles are actually smart enough to have a rotating code, so you can't just do a replay. Unfortunately, some or all of these codes have been broken and you can buy an unlocked on dealextreme.

Re:A movie, you say

[TheFakeMcCoy]

Try Star Trek II, there's some old school wireless hijacking!

Re:A movie, you say

[JackOfAllGeeks]

If it required some non-passive action from the user, such as pushing a button on the fob or inserting a key, this attack would fail (or at least be significantly more difficult)

True, but it would also defeat much of the utility of the "feature" for many people. A buddy of mine has this on his car and simply LOVES the fact that he just walks over to his car, pulls the door open, and starts the car with a button press. The fact that this all happens invisibly to him just by having his key in his pocket (or occationally stuffed in some bag somewhere) is exactly what has him sold on it. If it required him to use the key, then what's the point?

This feature has always made me uncomfortable (I specifically don't have it on my car), but your solution doesn't fix the problem except by removing the utility.

Re:A movie, you say

[JackOfAllGeeks]

No, the car sends the key a challenge, such as a timestamp or a random number. The key has to respond, but modifies the response (e.g. XOR) based on the challenge. You could replay it, but the challenge is different each time.

Don't think "replay," think "man-in-the-middle."

Re:A movie, you say

[JackOfAllGeeks]

That's a stupid system, why would anyone design a system like that? It looks to me that it would be possible to fix the system by making the key send a signal only when someone is pressing a button on it. Then the key and the car can use whatever technology to prevent replay attack and relay attacks won't really work because if the owner is pressing the button then he most likely is near the car.

The system is designed to require no active participation from the user, and this is what users like. If they have to dig their key out of their purse to push a button, the whole utility of the mechanism is null.

You can fix keyless-entry by requiring a key, but that defeats the purpose.

Re:A movie, you say

[Gordonjcp]

My sister's car was prevented from being stolen once by a simple mechanical device - the manual choke. Her husband was woken up by the sound of a car revving and stalling repeatedly, but by that time my she was in the street in her pyjamas and steel-toecapped rigger boots, chasing the would-be thieves with a trolley-jack handle ;-)

My own car (Citroën CX) is reasonably tricky to start even without the immobiliser, because once you've figured out that it has a manual choke that needs to be not quite all the way out (too far and it will flood, and not start), you then find that it maybe won't turn over because the ignition switch is worn - so you need to hold the key just right too. If you get that far, then you've got to remember to wait 30 seconds for the hydraulic pump to bring everything up to pressure, otherwise the steering is impossible to turn and you have no brakes so you'll just roll into whatever's in front and stall because by now it needs the choke pushed back in or it'll flood.

Once you get past the first minute it's fine. I've flown aircraft that have a less involved startup procedure. I'll get round to fixing the choke and the ignition switch one day...

Re:A movie, you say

[dch24]

Sorry, increment1, in your rush to hit submit you've completely missed the boat. Here, I'll for you what I already said: But I don't think that's the best idea for this use case.

OK? PKI = bad when the attacker is performing MITM to relay the signal.

If you really wanted a system for auto-unlock & auto-start using the fact that the user is holding the key (a.k.a. proximity), do it this way:

Signal triangulation with encrypted modulation: the signal is triangulated by measuring phase differences modulated by the private key of the key fob. See GPS for an example of phase modulation. Basically the car is a GPS receiver for the key's broadcast and can pinpoint the key's location.

Re:A movie, you say

[increment1]

Your solution won't work. All you will be doing is triangulating the position of the relay, and not the key itself. The relay will be within the proximity of the vehicle, and so the car will unlock.

Now, maybe if both the key and the car had their own GPS receivers and transmitted their actual location as part of the communication then the car could verify where the key actually thought it was, but this would fail completely in underground parking lots etc.

The only other solution is to base the unlock on very precise timing, but the tolerance has to be under about 50 nano seconds to be effective, which is probably too difficult to achieve reliably.

Re:A movie, you say

[dch24]

Your argument is invalid. All you will be doing by relaying is throwing the phase off. The speed of light dictates that the triangulation will be accurate; further, if your relay doesn't impedance-match air, the encoding of the phase using the private key will be changed and the car will detect the attack.

Timing under 50 ns is easy using this approach; GPS receivers do it this way.

Re:A movie, you say

[Pentium100]

In that case, if you want your car to work without the key, then don't be surprised if it works without the key.

Re:A movie, you say

[increment1]

You cannot triangulate to the key when the key is out of contact with the vehicle. When the relay comes into contact with the vehicle, there is no way to determine it is not the key without simply relying on very precise timing in order to rule out a signal that has been relayed too far (say 20m vs 3m, which is on the order of 50ns). This has nothing to do with triangulation, and does not relate to current GPS technologies (which are spoofable, by the way).

Building a pocket size low power device that can reliably respond within an error margin of the tens of nano seconds regardless of remaining battery power seems difficult to me, but it is not my area of expertise so maybe it is trivial. But this still has nothing to do with triangulation.

Re:A movie, you say

[dch24]

Show me how you plan on spoofing (not jamming) GPS.

GPS relies on precise timing, around 1-2 ns accuracy for a good fix. GPS has everything to do with triangulation.

Re:A movie, you say

[increment1]

Yes, GPS has everything to do with triangulation. Car proximity detection does not, and while it could use triangulation as a method of determining proximity, that would not prevent relay attacks in itself.

GPS spoofing is mentioned here, for one:
http://www.schneier.com/blog/archives/2008/09/gps_spoofing.html

Re:A movie, you say

[dch24]

The original blog has details on the mitigations in such an attack. They don't discuss the military applications of GPS. When the DoD deployed GPS, they designed it to be secure enough that the military receivers are not susceptible to either (1) relay attacks or (2) spoofing attacks.

It is those military techniques that you must use to correctly implement what I'm suggesting in the first place.

Re:A movie, you say

[increment1]

Yes, everyone knows the military use encrypted GPS. The techniques they use will not be helpful in this situation for proximity detection of a key to a car.

It all comes down to how reliably and precisely the round trip time from the key to the car can be determined. The entire process would need an error margin in the tens of nano seconds to ensure proximity within the tens of meters. GPS techniques have no bearing on this since they rely on multiple signals (4+ satellites) to compute timing errors, besides being one way communication.

Re:A movie, you say

[dch24]

Yes, everyone knows the military use encrypted GPS. The techniques they use will not be helpful in this situation for proximity detection of a key to a car.

You need to back that up with either sources or something equivalent, since it is the central thesis of my statement and the core of a secure triangulation system.

I've said it multiple times: GPS techniques, especially triangulation, and encrypted phase modulation, are what I'm proposing. If you have a better proposal, by all means, state it. You obviously don't understand GPS.

Re:A movie, you say

[increment1]

A couple of things. Firstly, GPS location detection is actually based on trilateration, but people often mean that when they say triangulation with regards to GPS (to use triangulation you would need directional antennas).

Secondly, it is impossible to find a source to disprove something that doesn't make any sense. Your proposal is akin to recommending using a brick to help someone swim. Whether phase modulation or frequency modulation are used as the data channel will not impact the success of a relay attack on proximity detection. Similarly, trilateration will only locate the location of the relayed signal.

It is not for me to disprove your hand waving at technologies you do not understand. Your argument is essentially: The US government knew what it was doing when it made GPS, so their solution must be good enough to solve this completely unrelated problem. Unfortunately, it doesn't work like that.

Re:A movie, you say

[dch24]

If you would disprove what I am saying, you'll need to cite sources.

Since I am only referring to an example, you'll need to either disprove the example or engage in a technical discussion of what I am proposing. Otherwise, your ignorance of the principles of RF design are boring me.

Re:A movie, you say

[increment1]

I give up, you win. Please, patent your wonderful system, it will be ever so secure.

Do me one favor though, let me know which cars use it, so I know what to avoid.

I disabled keyless entry on my car

Well sort of. I couldn't disable smash-the-window entry.

Re:I disabled keyless entry on my car

[dgatwood]

What do you mean you might not use it? Really? I think every geek dreams about being able to simultaneously set off ten thousand car alarms. It was awesome enough just being in a marching band and setting off five or six along the parade routes.

Re:I disabled keyless entry on my car

[dgatwood]

Yeah, and I might not post this.

Re:I disabled keyless entry on my car

[houstonbofh]

They have one. It is called a Harley Davidson with open pipes.

Re:I disabled keyless entry on my car

[Fluffeh]

This is one of those funny things I don't really get. I mean I am all for technology and love gadgets, but I don't see the point in putting technology into something just for the sake of putting technology into something. What ever happened to:

Does it have a valid use?
Does it improve the item in some way?
Has adding the feature still kept the product simple and intuitive?
Are the benefits going to outweigh the drawbacks?

In my books, if you answer "No" to any of those, then don't put it in. These rules really apply to just about everything, from cars and wireless in this case, to software design, to home improvement projects.

Duhhhh

[phantomcircuit]

I'm sure pretty much anybody who even remotely understands anything about tech saw this one coming.

Re:Duhhhh

[ThunderBird89]

Shameless self-promotion: I covered this in my blog when Hackaday did an article on a study about this.

The real threat isn't just someone stealing your car, imagine parking a car on the overpass above a busy highway, with a high-power transmitter, and beaming a bit of code at cars that disables the brakes. Or how easy untraceable assassinations will become: since the code can be made to erase itself after execution, nobody can prove it wasn't a technical error but sabotage.

Re:Duhhhh

[icebike]

Exactly.

The same is probably true for Near Field Communications being developed d for financial transactions, such as in the Nexus S smart phone. (In fact that is just about the only reason the Nexus S exists, in all other respects it is a pretty standard Samsung phone).

Keyless entry and NFC simply do not have the security layer in place for the tasks that are being asked of them.

But when everything moves into your phone, keys, credit cards, and passwords, better security layers will have to be developed. Right now, its way too soon to be pushing this stuff into the market place.

In the mean time, a physical key simply is not that much of a problem to deal with, and there is zero increase in user convenience in wireless key fobs. You still have to have it with you.

Re:Duhhhh

[plover]

No, this wasn't a glaringly obvious attack, as it's incorporating a new attack idea to thwart defenses proposed by Ross Anderson after he demonstrated a similar attack on contactless credit cards a few years ago.

This was not a classic "man in the middle" attack, where the MITM has to pretend to be one end or the other. This was a "stretching the wireless attack". By using a pair of radio repeaters, the attackers were able to have one end next to the car, with an accomplice near the person with the keys.

Ross said the attack he demonstrated should be defeated by tightening up the timing protocol between the card and the terminal. In this case, the attackers tightened it up even further by leaving the signal as analog.

This attack is more suited to popping the locks once and then stealing the stuff inside; it would still be hard to directly steal the car. In order to start and operate a 'keyless' car, the key must be located inside the passenger compartment, and in order for it to stay running the key must remain inside the passenger compartment. In the case of the thieves, the accomplice would have to remain near the victim's key fob continually until the car was driven away. But I've never actually tried throwing the key out the window while my car was running and in "drive". I have the feeling it would shut off again as soon as the car's speed dropped to zero, but now I'm thinking this calls for an experiment...

Re:Duhhhh

[dakameleon]

NFC in mobiles has been used for payments in Asia for years. One of the arguments against the iPhone's success in Japan for instance was that it did not support the NFC payments that other existing Japanese mobiles did.

Not saying it's secure, just saying it has a long-running existing installation that hasn't fallen over yet, so your fears might be a bit of hyperbole going on assumptions.

Re:Duhhhh

[Politburo]

I only have first-hand experience with the Toyota/Lexus system. In that system, if communication with the key is lost, an alert is lit and sounded. Nothing changes in the car's operation.

Re:Duhhhh

[plover]

It seems odd to me that it's a good idea for the car to continue to drive away from its key. But I understand from a safety perspective they don't want to power down the engine on the freeway just because the battery in the fob went dead.

After the "no key" alert is shown to the driver, does your car refuse to proceed after having been stopped and the transmission put in park?

Can it be disabled?

[commodore64_love]

If my car comes with a wireless key fob to unlock the car, can that function be disabled?

Re:Can it be disabled?

[TheL0ser]

Off the top of my head I'd say yes, if you have a big enough sledgehammer.

More seriously, while I know nothing about how these work, I would assume there is some kind of antenna receiving the fob's signal. Finding and either disconnecting or isolating the antenna is another story.

Re:Can it be disabled?

[shadowfaxcrx]

on most cars these days there are several: one on the outside, a few scattered on the inside, and one in the trunk to detect when you're about to lock your keys in there.

Re:Can it be disabled?

[dch24]

If you have the wrong type of keyless entry, you can't disable it.

Example: several brands of cars made in Germany. It's a good design. The dash wirelessly authenticates the key, in addition to the physical ignition lock.

You can't disable it (very easily). It's designed to be tamper-resistant, from the factory.

Re:Can it be disabled?

[peragrin]

No. The wireless part is tied into the ignition computer. Basically in order to turn it off you have to replace a SOC, with a version that works without it.

When the battery in mine died. I have a "valet" key that functions like a normal key however it can be driven without the fob present. Useful, but not without risks.

These FOB's need to be passive but still with random crypto. or at least make sure the transceiver part of the circuit is passive and only use the battery for the encryption system.

Re:Can it be disabled?

[Shadyman]

If it's an older car, it's typically just a fuse on the fuse panel to disable power door locks, and by extension, keyless entry.

Re:Can it be disabled?

[Kalidor]

Short answer is, yes. Longer is .. depends on the car manufacturer. My parents got a car with one of the wireless fobs as an occasional drive car, the problem is the receiver for the fob drains the battery a good 80% quicker with it on, so the manufacturer put a button under the dash near the bottom of the steering column, that when pushed and held for a certain time disables the receiver in the car. Ostensibly, it's a power save feature, however I view it as a security feature as well since the physical keys still work as does the alarm system.

Re:Can it be disabled?

[Enderandrew]

I just bought a new Rav 4 and it didn't come with a physical key, only a fob. The only physical key I was given was for the glove box.

Re:Can it be disabled?

[Local+ID10T]

I had a Porsche 911 a few years back with a fob as a key replacement. If the fob was within a few feet of the car, the doors were unlocked, and automatically locked when it wasn't. If the fob was inside the car, the engine could be started with the push of a button, otherwise not. Of course there was a key as well, either for a valet or emergency backup.

Re:Can it be disabled?

[fluffy99]

Example: several brands of cars made in Germany. It's a good design. The dash wirelessly authenticates the key, in addition to the physical ignition lock.

You can't disable it (very easily). It's designed to be tamper-resistant, from the factory.

And you can't get a replacement key for under $150. I'd prefer the ability to get $1.49 replacement keys and a decent insurance policy.

Re:Can it be disabled?

[Politburo]

Your dealer is an idiot.

Re:Can it be disabled?

[dontgetshocked]

From personal experience I can tell you that setting in my HHR all of a sudden my door locks started opening and closing by themselves.Someone with there fob had operated my car and I had to get the dealership to come out and get the car to unlock it because the car would not release the stick to engage the car.Cars are simply NOT secure.

Re:Can it be disabled?

[Enderandrew]

I was shown that key, and the key that pops out is fairly small. I was told that key is for locking valuables in the glove box when you give your car to a valet driver.

However, I will see if that key works for the door.

Re:Can it be disabled?

[toddestan]

If it's like the Prius it will lock/unlock the door. However, it can't be used in place of the fob to start the car.

Nor surprising ...

[gstoddart]

Apparently my mother in law used to have a civic with keyless entry ... in a small town of <30,000 there was another Civic of the exact same color which used the same code.

They found out one time at the mall that they could each open the other's car.

I bet there's not nearly enough uniqueness and security in these things.

Re:Nor surprising ...

[Colonel+Korn]

Apparently my mother in law used to have a civic with keyless entry ... in a small town of <30,000 there was another Civic of the exact same color which used the same code.

They found out one time at the mall that they could each open the other's car.

I bet there's not nearly enough uniqueness and security in these things.

Last week I drove a friend's late-90s Nissan in Mountain View. It's got a plain old mechanical key. On my way out of a store I walked up to a sedan of the same color, unlocked it, and then realized it wasn't even a Nissan. I confirmed that the key worked by locking it again from the outside before fleeing a couple aisles to the correct car.

Re:Nor surprising ...

[boom1shot]

Apparently my mother in law used to have a civic with keyless entry ... in a small town of <30,000 there was another Civic of the exact same color which used the same code.

They found out one time at the mall that they could each open the other's car.

I bet there's not nearly enough uniqueness and security in these things.

I think yo' momma [in law] is full of shit.

Re:Nor surprising ...

[gstoddart]

I think yo' momma [in law] is full of shit

Don't much care what you think -- this has been corroborated by several people who were there.

Re:Nor surprising ...

[Monkeedude1212]

That article doesn't debunk his in-laws story though.

Re:Nor surprising ...

[Shadyman]

No, it's just a statistical improbability. There was a story on FARK once about someone who came out of the mall, unlocked a car that looked identical to hers, and drove it home.

IIRC, about halfway home, she realized it wasn't hers, and took it back. In the meantime, the other woman had called police. I don't think charges were laid because it was an honest mistake.

[Citation needed]

Re:Nor surprising ...

[operagost]

FWIW, that's obviously not a proximity wireless key but the standard active one that doesn't transmit until you press a button. This article is about the proximity keys that transmit constantly.

Re:Nor surprising ...

Apparently last week my friend's mother in law used to have a late-90s civic with a plain old keyless mechanic. On her way out of a small town she unlocked three cars that were the same color.

All cars that are the same color must have the same keys!

Another mystery solved by /.

Re:Nor surprising ...

[Jah-Wren+Ryel]

Last week I drove a friend's late-90s Nissan in Mountain View. It's got a plain old mechanical key. On my way out of a store I walked up to a sedan of the same color, unlocked it, and then realized it wasn't even a Nissan. I confirmed that the key worked by locking it again from the outside before fleeing a couple aisles to the correct car.

In true slashdot fashion I shall pontificate without RTFA. Sounds like the wireless key designers have just carried over the mentality from the mechanical key designers here - a couple of hundred, maybe thousand, different key patterns distributed semi-randomly over millions of cars gives you pretty good security because testing any particular key on any particular car is a physical act with lots of manual overhead. But with wireless keys it can all be automated - you can even test multiple cars simultaneously without exposing yourself as a potential thief - just sit in your own car and let the laptop do all the work broadcasting all the possible keys to all of the cars in the near vicinity until one of them spontaneously unlocks.

It should be possible to do completely unique wireless keys and do them in a highly secure fashion, say with public key crypto for example to prove knowledge of a shared secret. I bet these key guys haven't done it because they aren't crypto experts and they don't know enough to call in the crypto experts to give them good advice.

Re:Nor surprising ...

Ha! I hopped into my car once with a group of friends outside a pub and spend half an hour drinking and smoking weed before I went to turn on the radio and realised it wasn't my car.

Re:Nor surprising ...

[boom1shot]

I guess it is possible, but it is human error; nothing else. I acquired certifications for 25+ sales people and finance managers at a dealership that sold 4 different manufacturer's lineups. It is possible to sync those keyfobs to two vehicles, as the keyfob itself is the actual authenticator to unlock the vehicle, in the communication between car and keyfob; and then car just authenticates that, "yes, you have sync'd me to this key before." Unlocking two cars with the same keyfob, regardless of whether or not it is a proximity fob with a continuous signal or a regular old push-button-to-unlock-fob, is only a matter of sync'ing both cars to that fob. It just means at some point in time, there was a cruddy mechanic who didn't decide to wipe the key because, "woops, I just sync'd this key to the wrong car... I wonder what I need to do." They leave the car to go ask someone, and then discover the key is still opening the car it belongs to. Works for them. Those keys didn't come from the OEM ready to open both cars. No way, no how.

Re:Nor surprising ...

[whoever57]

In true slashdot fashion I shall pontificate without RTFA.

And you would be completely, 100% wrong.

The keys rely on proximity. What the "attackers" did was to provide a boost to the signals sent out by the car, causing the key to respond at much larger distances from the car than normal. The near-proximity requirement only works one way (from the car to the key), so the key will respond to the boosted signals and the car will pick up the reply if the key is within 100 meters. This attack would allow a key inside a house to unlock and start a car on the driveway.

Re:Nor surprising ...

[0123456]

Last week I drove a friend's late-90s Nissan in Mountain View. It's got a plain old mechanical key. On my way out of a store I walked up to a sedan of the same color, unlocked it, and then realized it wasn't even a Nissan.

Yeah, my Lancia key used to work in my friend's Ford door locks. Then again, a screwdriver did too.

Re:Nor surprising ...

[Jah-Wren+Ryel]

The keys rely on proximity. What the "attackers" did was to provide a boost to the signals sent out by the car, causing the key to respond at much larger distances from the car than normal.

Sounds a lot like what I said. They made the error of assuming a manual overhead - physical proximity - applied to an electronic automat-able system.

Re:Nor surprising ...

[Cramer]

Depends on the manufacturer. VW has been doing this for a long time. Based on the security tag for my bug, I don't think anyone is going to guess the immobilizer code in my lifetime.

And FTA, these guys aren't technically breaking in. They are using *your* key while it's still in your possesion by building a wireless bridge to make it look like the key is near the car. For cars that acutally track the key -- and thus know how far away it is, this trick doesn't work so well. For example, (back to my bug) I can lock the car from over 100ft away, however, I have to be within 30ft to unlock it. (and the "pill" has to stay within a few inches of the key because the immobilizer periodocly reverifies it.) In my lexus (completely keyless), the fob has to be *inside* the car at all times or it will not move -- it'll park and ignore the accelerator. (I don't know what it would do if I threw to key out the window going down the road.)

Re:Nor surprising ...

[mlts]

Even the manual way is susceptible to an old attack -- tryout keys. These are keys that are cut with patterns that usually tend to work on most vehicles.

I wish STRATTEC and other vehicle lock makers would change the physical lock's keyway every 2-3 years. This will cut down on people's keys randomly fitting other vehicles. Other items can be added (such as items like items found in Evva-Inox's keys) without sacrificing the reliability an automotive lock has to have.

Maybe the physical security of the lock isn't a big focus, especially because almost any lock on a vehicle can easily be sprung with a crowbar after the window glass gets smashed. However, it would be nice for carmakers to have options for heavier duty locks to help deter the smash and grab meth-head.

Re:Nor surprising ...

[EkriirkE]

One time when I was parking my car, I click the button to lock&arm and immediately an old car down the road w/ an alarm system(?) starts honking erratically. Just to check my sanity that it was a coincidence I click again. The other car starts honking - it was almost like it was signaling out morse code. All of my buttons seemed to conjure up a different pattern...

Re:Nor surprising ...

[Rick17JJ]

In the early 1960s, there were two green 1957 Chevy station wagons, with the same mechanical type key, parked a few spaces away at a city park. I was in grade school at the time. My mother and I got into wrong green 1957 Chevy station wagon, started it up, and she backed it half way out of the parking space, before realizing it was not our car. Then, she suddenly noticed that several items on the seat were not ours. So, we quickly got into our car instead and drove off.

That was not the only such coincidence I encountered. Many years later, I discovered that the ignition key for my dad's 1971 Jeepster Commando, would also start our old 1959 R-185 International Harvester dump truck. But, the Jeep key would only work in the dump truck, if the key was not quite inserted all the way. That same key would also open the door to a 1965 Volvo, which I drove at the time, although the longer Jeep key would only fit part way into the lock.

Of course these examples were all with plain old mechanical keys.

Re:Nor surprising ...

[drinkypoo]

Given that the odds are against either vehicle ever having to have had its keyless entry system serviced, you're making an unwarranted assumption.

Re:Nor surprising ...

[DarthVain]

I remember my Dad did this when we were kids. Had a 1980 white diesel Mercedes. Was parked in a lot to get groceries. When we were about to leave, Dad noticed that the stupid wood bead seat covers were missing, and then quickly realized we were all in the wrong car. Dad left a note for the owner. Can't remember if he started it up or not, but the key sure opened the locks, I could tell dad was pretty surprised.

Re:Nor surprising ...

[Muad'Dave]

All cars that are the same color must have the same keys!

Thank heavens I had my car painted a custom color just last week. No one can break into it now!

Re:Nor surprising ...

[harl]

The size of the town is meaningless.

Unless each fob is unique what you describe will happen eventually.

Re:Nor surprising ...

[harl]

How much of the key space are they using?

How many times have people fucked up the implementation of a crypto system rendering it very insecure?

Re:Nor surprising ...

[gstoddart]

In other news, you meet a lot of people who have the same birthday as you, or the same birthday as other people you know.

Yes, it's called the birthday provlem -- by about 23 people you have a 50% chance of a duplicate birthday, and at 57 people, it's 99%.

However, you'd like to think the odds are lower with the car locks. Otherwise, they're not very secure at all. There's lots of people here citing a vastly bigger space than the number of possible birthdays.

Re:Nor surprising ...

[toddestan]

I considered that, but the cost of replacing the keyfobs was just too expensive.

Re:Nor surprising ...

[toddestan]

However, adding all the crypto in the world won't protect against an attack where an amplifier is used to boost the signals to/from the car. You basically need a way to determine how far away the key is from the car independent of signal strength. The only sure-thing I can think of is timing, but since you're dealing with distances of a few meters and the speed of light this just doesn't seem practical. I can think of a few other games you can play - for example you could have some kind of rolling frequency channel scheme, so that the thief would not know what channel the car is expecting the key to respond on, but the thief could get around this by amplifying the entire frequency range.

Re:Nor surprising ...

[toddestan]

It could be that the cars had aftermarket keyless entry systems installed, especially if these were 90's model Civics that probably didn't have it from the factory. While the OEM keyfob security is pretty good, the cheap aftermarket stuff is kind of spotty.

Re:Nor surprising ...

[drinkypoo]

So you want both of these Civics to have aftermarket alarm systems, you want them to have the same alarm system (at least from the same manufacturer) and further you want them to have been in the shop at the same time for service, with both of them having their remotes reset at the same time, or even in a spectacularly poorly designed system, at least one of them having a new fob paired. Now, I'm not saying that this is impossible, but the odds are going down with every assumption, and this story is looking less and less likely the more contrived it gets.

Re:Nor surprising ...

[toddestan]

All you would need is both cars to have the same aftermarket system installed on them. Go to Wal-mart, head over to the automotive section, and grab the cheapest aftermarket keyless kit they have. The one that comes in a big bubble package and costs about $39.88. Yeah, that one. Given their overall build quality and how flaky those systems are (your electrical system will never be the same again!), it wouldn't surprise me in the least if their security was a bit lacking.

Re:Nor surprising ...

[Jah-Wren+Ryel]

The only sure-thing I can think of is timing, but since you're dealing with distances of a few meters and the speed of light this just doesn't seem practical.

You could make the system require that a token be passed back and forth between the car and the fob for thousands of round trips and then measure the total time for the entire process rather than just one hop. Make the token contain a hop count and re-sign it on each hop to prevent replay attacks. The time to sign it should be constant and known ahead of time so that can be subtracted out to get the total transit. It should be reasonably easy to distinguish between the transit time for 3 meters x 1000 versus 500 meters x 1000.

Predicted future news

[Even+on+Slashdot+FOE]

Wireless communications are vulnerable to spoofing, news at 11.
Also, cloned cell phones!

Beats getting carjacked

[commodore73]

I mean, if they're going to take the car anyway...

So...

Thats why we have insurance. And i assume they'll use the nav system to go to your house and rob it and kill your family and pets too right. Gimme a break.

This still won't cause much of an impact

[DontLickJesus]

This may become a problem for high-end cars. But to be honest lower to middle class folks only typically go so far as wireless entry. You still have to get the ignition going in these cases. Those systems have already been exploited, and yet most car thieves still simply result to smashing or picking something. Tech overhead on low end crime doesn't usually work well.

Re:This still won't cause much of an impact

[peragrin]

You do realize Nissan is selling keyless ignition systems on their Sentra model line right? a $20,000 car isn't that much but you can get one of these systems.(I know I love the convience of mine, but I do wonder about the risks)

Re:This still won't cause much of an impact

[hardburn]

I drive a stick. I expect most car jackers today will manage to get maybe three feet away.

More seriously, this really isn't a big deal. Car thieves use much faster and cruder methods, like hammering a screwdriver into the lock, or just break the window. Car alarms are a joke, too. When was the last time you heard somebody's car alarm go off that wasn't due to a big truck running by, or a dog brushing up against it, or kids throwing rocks?

Re:This still won't cause much of an impact

[afidel]

Exactly, the people capable of this are able to get jobs that pay much better than stealing cars and there won't be easy to use tools for the idiot thieves to use because simply selling criminal tools is a crime, again keeping the skilled people out of the market.

Re:This still won't cause much of an impact

[Riceballsan]

Well on alarms to your statement I would say that comparison is on par with saying "when was the last time your smoke alarm went off and your house was actually on fire". Car thieves generally don't hit in times and places where you would be passing by. However I do agree on thier uselessness primarally due to the quanity of false alarms have desensitized everyone to the sound. If you hear a car alarm go off outside your appartment your first reaction is, will someone shut that f*cking thing up, instead of someones car is being broken into, I should call the police.

Re:This still won't cause much of an impact

[JonySuede]

Some peoples are skilled morons with a penchant for crime, other are drug addicts with car stealing friends , etc...

Re:This still won't cause much of an impact

[drinkypoo]

Why don't you search dealextreme for vehicle unlock tools before you get cocky? You can buy completed devices sold specifically to defeat a number of these schemes.

Ross Anderson

[betterunixthanunix]

Ross Anderson's security engineering textbook discusses this problem, as well as how cryptographic systems like Keeloq might be attacked, and some other related topics. I am going to guess, though, that the manufacturer's view is that a thief with the technical skills needed to take advantage of these vulnerabilities is rare (not saying I necessarily agree) and that most thieves will just smash the window and try to steal the radio before the cops arrive (do people still steal car radios?).

Re:Ross Anderson

[fuzzyfuzzyfungus]

The problem with the manufacturer's view(banks seem to approach ATM skimmers with the same naivete) is that it only takes somebody with technical skills to do the actual cryptoanalysis, followed by some opportunist with a shady supply chain to "productize" the hack into something that you'll be able to buy over the internet for a few hundred or thousand dollars and operate with about as much difficulty as the average MP3 player...

Obviously, if every thief had to make his own tools, the intersection between people who can analyze novel(if flawed) cryptosystems and then build attack hardware that puts out sufficiently clean RF output exploiting whatever vulnerabilities exist and the people who steal cars for a living is pretty much zero. Stealing cars just isn't lucrative enough, unless times are very hard for engineers of reasonable talent.

That isn't the way it works, though. The guys doing the break-n'-grab are just peons using tools created by others(apparently, with ATM skimmers, there are even "franchise" style setups, where you get access to the hardware in exchange for uploading a percentage of your skims to your sponsor...) And, building sophisticated electronic tools is a perfectly fine business, definitely worth the time of talented people, particularly ones in locales with weakish rule of law and relatively low local wages...

Analyzing a system's security by saying "eh, how many carjackers are cryptoanalysts?" is sort of like dismissing the risks of a bad neighborhood by saying "Eh, how many muggers are machinists and gunsmiths?" It is true that the answer is "Not many, possibly zero"; but that won't exactly keep you from getting shot.

Re:Ross Anderson

[mcgrew]

The problem isn't just that they can get into the car easily, it's that they can get in the car, start it, and drive away.

Stealing cars used to be easy. There were no fancy electronic keys like we have now, no steering locks like now. All you had to do was open the hood, run a wire from the battery to the coil, and short two terminals on the starter, get in, and drive away.

Re:Ross Anderson

[dgatwood]

Exactly. It's basically the DRM problem all over again. Companies spend money to build DRM under the assumption that 99.99% of people won't have the ability to crack it, forgetting that it only takes one to put it on Bittorrent, at which point it doesn't matter that the other thousand folks couldn't crack it. The only difference is that at least with car alarms, you aren't trying to keep your actual customers from getting the key data from their dongles. (Well, knowing the automakers, they probably are, if only to prevent third-party replacement key manufacturing, but at least it isn't a significant part of their business model.)

A lot of car theft is highly organized already. I mean, it's not like you can sell those stolen cars on the street, and operating a chop shop takes money, space, equipment, etc. So if there are weaknesses in the security, the question is not whether they will be exploited, but when.

Re:Ross Anderson

[houstonbofh]

But what is hard now is easy later. The iPhone 10 will have an app to start 7 year old cars... Sorry. I meant Android 10.

Re:Ross Anderson

[mlts]

Fundamentally, the problem isn't like DRM, although I agree that nothing is 100% secure, and if someone can make it, someone can break it.

DRM is where Alice has encrypted to stuff to send to Bob, and wants to prevent Charlie from getting to it. However, Bob and Charlie are the same person.

The problem with the remote communication is easier (though not trivial in any way) -- Alice wants to send stuff to Bob, keep it out of Charlie's hands, and Charlie isn't connected to either endpoint.

For the standard cryptography issue, we have stuff that can withstand the test of time. However, keyfobs usually don't have the power to do regular cryptography, so shortcuts have to be taken (KeeLoq is a good example of trying to balance security with low CPU ability.)

The ideal security? Having a key cylinder that has physical contacts (or use NFC) where the key and the vehicle can communicate without concern about eavesdropping or a live MITM. The two devices negotiate a one-time pad which gets stored, and then a symmetric key. The key is when the OTP is exhausted, so some security is maintained. This is a simple mechanism, and an eavesdropper is not going to be able to decode a properly implemented OTP. For additional security, the key can ID itself with a public/private keypair, but in an ideal symmetric crypto setup (where there are no third parties), assymetric cryptography isn't really needed after the two parties are able to recognize and keep a shared key (think WPA2-PSK).

Re:Ross Anderson

[dgatwood]

First, I'm not saying that the problem is like DRM from a crypto perspective. In fact, I thought I made that pretty clear when I said that at least the automakers aren't trying to keep the shared secret from their customers. The point was that any weak crypto has the same inherent flaws as DRM (for different reasons)---that once broken by one person, it is broken for everyone.

In this specific case, though it is even more like DRM in that the flaw is not the crypto itself. It could be perfect and the system would still be exploitable because all the attackers are doing is providing a radio relay to the actual dongle. In effect, the only way to prevent the bad guys from stealing the car would also prevent the actual owner from driving the car. The same process by which the good guys can drive it can also be used by the bad guys to steal it.

There are exactly two solutions that are workable. One is a physical contact solution. The other is putting the button to start the engine on the device itself instead of on the console of the car. Any mechanism in which a passive (or active but not human-controlled) device is used to grant entry or use is exploitable in this way. At the speed of light, it's really, really hard to prevent this.

Re:Ross Anderson

[plover]

This attack had nothing to do with the cryptography used, and would succeed regardless of how the keys are cryptographically secured. Keyloq and 4096-bit RSA would both fail equally.

The attack concept was very simple: extend the range of the normal keyfob RF communications with a pair of radio repeaters, one of which is presented to the car as a surrogate, and the other is hidden near the victim's real key fob (perhaps a disguised repeater is hidden in their shopping cart while they were in a store.)

It's a common problem with security people. We get so focused on addressing the problems we already understand, such as "let's use a two inch anti-magnetic titanium deadbolt controlled by public key cryptography with a radioactive decay module for random number generation to ensure the IV is unrepeatable" that we forget to look beyond the existing security. And then some kid comes around and pops the locks by hacking a tire pressure monitor with an Arduino.

Re:Ross Anderson

[Pentium100]

The attack concept was very simple: extend the range of the normal keyfob RF communications with a pair of radio repeaters, one of which is presented to the car as a surrogate, and the other is hidden near the victim's real key fob (perhaps a disguised repeater is hidden in their shopping cart while they were in a store.)

Low tech solution - put a switch on the key fob that disables the communications unless you press it. If the owner does not have a habit of constantly pressing the button then this sort of attack won't work.

And then some kid comes around and pops the locks by hacking a tire pressure monitor with an Arduino.

Why would a car lock and tire pressure monitor be connected in any way?

Re:Ross Anderson

[plover]

The attack concept was very simple: extend the range of the normal keyfob RF communications with a pair of radio repeaters, one of which is presented to the car as a surrogate, and the other is hidden near the victim's real key fob (perhaps a disguised repeater is hidden in their shopping cart while they were in a store.)

Low tech solution - put a switch on the key fob that disables the communications unless you press it. If the owner does not have a habit of constantly pressing the button then this sort of attack won't work.

The key has two independent RF behaviors. One is the active transmitter, which sends the ordinary "door lock" types of signals, and is not the issue here. The other acts like an RFID card. It is always on, passively looking for a signal from the car, at which point it will respond with its coded info. This signal must be responsive at all times when the car is operating, or otherwise the car thinks the key isn't present and shuts the engine off. A momentary switch will not work. It would have to be a toggle.

The convenient appeal of these keys is that you just keep it in your pocket or purse, and you don't have to touch it at all. If the driver's door RF reader senses the key, it unlocks the driver's door. If the start button is pressed, and the interior RF reader senses the key, it starts the motor. Flipping a switch on the remote would counter the ease of use, and would not be used by the general public who buy these cars. They would just leave it toggled on 100% of the time.

Honestly, their auto insurance protects their interests better than a switch they would never use.

And then some kid comes around and pops the locks by hacking a tire pressure monitor with an Arduino.

Why would a car lock and tire pressure monitor be connected in any way?

That's exactly the kind of thinking that leads to security holes. If you assume they have no reason to be connected, you wouldn't suspect them. Yet they are both connected to the car's bus.

There are from 50 to 70 tiny computers hanging off the bus interconnecting the computers on a modern car, and include everything from the anti-lock brake system to the gas tank sender. Think about the computer that manages the engine. It sends out the car's speed on the bus every second or so. When the instrument console system sees the speed on the bus it displays it on the speedometer. The safety and security system also watches the speed on the bus, and has a rule that if it exceeds 4 MPH it auto-locks the doors. It also has a safety rule that says to auto-unlock all the doors for the rescuers if the airbags ever deploy.

The four tire pressure monitors each send an RF signal every ninety seconds indicating tire pressure. The tire pressure RF receiver reads the data and puts the tire's pressure on the bus, perhaps sending a message like "TIRE(3)PSI=35". The instrument console system watches the pressure messages and warns the driver if they're ever out of range.

But what if there's a buffer overflow mistake in the tire pressure data RF receiver? What if I transmit an RF message pretending to be from tire #3 saying the tire pressure is "35<NULL>AIRBAG(1)DEPLOYED=TRUE" and the whole thing is put on the bus?

*click*

That's how you get security problems.

Re:Ross Anderson

[Pentium100]

The key has two independent RF behaviors. One is the active transmitter, which sends the ordinary "door lock" types of signals, and is not the issue here. The other acts like an RFID card. It is always on, passively looking for a signal from the car, at which point it will respond with its coded info. This signal must be responsive at all times when the car is operating, or otherwise the car thinks the key isn't present and shuts the engine off. A momentary switch will not work. It would have to be a toggle.

Simple - the RFID "switch" is actually two pieces of wire that are shorted when the key is inserted into ignition.

The convenient appeal of these keys is that you just keep it in your pocket or purse, and you don't have to touch it at all. If the driver's door RF reader senses the key, it unlocks the driver's door. If the start button is pressed, and the interior RF reader senses the key, it starts the motor. Flipping a switch on the remote would counter the ease of use, and would not be used by the general public who buy these cars. They would just leave it toggled on 100% of the time.

Well, it amazes me that people still drive cars - all that steering, braking, changing gears is much more inconvenient than putting the key into ignition and turning it. But yea, if you want your car to work without the key, then don't be surprised when it works without the key.

I would also suggest fingerprint authentication, but I guess that would also be even more inconvenient, since you would have to authorize everyone who should be able to drive the car.

That's exactly the kind of thinking that leads to security holes. If you assume they have no reason to be connected, you wouldn't suspect them. Yet they are both connected to the car's bus.

And that's stupid. My car does not have a bus and guess what, it works - the lights turn on when I switch them on, I can see the speed on my speedometer, I can also see the coolant temperature, oil pressure and fuel level too.

But what if there's a buffer overflow mistake in the tire pressure data RF receiver?

Maybe the manufacturer should test the software of the car just as well as they test the hardware (I mean the engine usually works OK without any "engine randomly blows up" bug).

There are from 50 to 70 tiny computers hanging off the bus interconnecting the computers on a modern car...

That's why I like my old car - it only has a few "computers" and most of them consist of a few transistors and electromechanical relays.

Re:Ross Anderson

[plover]

And that's stupid. My car does not have a bus and guess what, it works - the lights turn on when I switch them on, I can see the speed on my speedometer, I can also see the coolant temperature, oil pressure and fuel level too.

Stupid? Hardly. The systems on a modern car work together better than anything even a few years old, and incorporate everything from diagnostics and maintenance to navigation, safety, performance, and fuel efficiency, just to name a few. These cars automatically redistribute power from the rear wheels to the front wheels in the event of lost traction. They'll auto adjust the cruise control speed to maintain a relaxed following distance if the car ahead is traveling slower than it's set for, reducing driver anxiety. They can modulate the brakes and stiffen the suspension in a slide to help prevent rollovers. They can provide almost a second of warning to the driver in the event of an impending front-end collision. They warn the driver if there are vehicles in the blind spots. And they provide back-up cameras to prevent accidentally running over unseen children in the driveway.

And in the event of an accident, the correct air bags deploy at a speed appropriate for the situation, the doors unlock, the lights come on, and tries to auto-dial the driver's cell phone to 911. The frame is designed to passively protect the occupants by absorbing a serious impact through the distortion of metal all around the vehicle, and they have been design tested in thousands of simulations, backed up by real world crash data.

There is nothing stupid about these systems. They work, all the time, in real world conditions with real world drivers. They save lives.

There are from 50 to 70 tiny computers hanging off the bus interconnecting the computers on a modern car...

That's why I like my old car - it only has a few "computers" and most of them consist of a few transistors and electromechanical relays.

That just sadly sounds like a bitter old guy saying "and that's why my old 80486 runnin' Windows 3.1 is better than your fancy quad-core i7. It can't hardly do nothin', but it does everything I need and that's the way I likes it." It's a very tired argument against progress, and isn't terribly believable.

There's nothing wrong with enjoying a classic car for what it is, but it seems disingenuous to suggest that it's a comparable substitute to a modern vehicle.

Re:Ross Anderson

[Pentium100]

Well, if somebody can inject whatever they want into the main bus of the car, I'd say it's a problem.

Also, not everything you listed depends on the car having a common bus for everything, for example - I could install the back-up camera in my car and it would not require rewiring the entire car to use a common bus for everything I could just run a video cable from the camera to some small LCD screen in my car and control it by connecting the camera to the back-up light. The frame of the car also does not depend on how the electrical signals are passed inside the car.

Also, if it is simpler to have a main bus instead of a lot of cables, how about firewalls? A computer network is also common for the entire building or whatever, but if the sysadmin does his job then somebody even with access to the LAN port cannot impersonate a server or some user. Why can the tire pressure sensor impersonate the airbag sensor (as in your example), when they should not have access to each other.

Also, my classic car was good enough 28 years ago when it was new and it is good enough now, while a 28 year old PC is crap now, why? Because the roads did not change much during that time. The speed limits were even lowered in some areas where I live (most notably the default speed limit in the city was lowered from 60km/h to 50km/h). OTOH, we are now using computers for things that not anybody could imagine in the past (nobody would have believed you if you told them that while the shiny new 286 is too slow for that, a few decades later people would be watching HD (higher resolution than on TV) videos on their computers over the internet and would not need to wait a few months for those videos to be downloaded).

The only problem with my car is that it is old, so some stuff rusts and so on, but that is not the problem with its design, after all, I doubt that many cars made in 2010 would be drivable in 2038.

Re:Ross Anderson

[Viceice]

So someone read the urban myth that you could unlock your car if you lost the remote entry fob by calling home and having someone press the spare fob next to the phone, had a laugh, then went "wait a minute..."?

Re:Ross Anderson

[jimbolauski]

Ross Anderson's security engineering textbook discusses this problem, as well as how cryptographic systems like Keeloq might be attacked, and some other related topics. I am going to guess, though, that the manufacturer's view is that a thief with the technical skills needed to take advantage of these vulnerabilities is rare (not saying I necessarily agree) and that most thieves will just smash the window and try to steal the radio before the cops arrive (do people still steal car radios?).

While it may be true that a person with those skills may not be stealing cars, if that person has an uncle Tony he may be able to sell a few of those devices to him.

Re:Ross Anderson

[uninformedLuddite]

Screwdriver in the ignition is much easier. Why would you need to open the bonnet. Geez. If you are hard pressed you can use the tin foil from a cigarette packet on older models.

Re:Ross Anderson

[mcgrew]

If you're 16 and stealing your mom's car from her work parking lot, the screwdriver in the ignition isn't such a good idea.

Re:Ross Anderson

[uninformedLuddite]

I'm not talking about sticking the screwdriver in the key hole or stealing Mum's car (only a Seppo would say Mom). You do realise that around 70% of cars on the market can be stolen with a flathead screwdriver don't you? And that a lot of secure car alarms can be defeated with a 9v battery.

Re:Ross Anderson

[mcgrew]

only a Seppo would say Mom

Yes, I'm an American. To us, "mum" means keeping quiet.

I'm surprised that there are cars you can't start with a screwdriver, and hadn't known you could defeat an alarm with a 9v battery.

Ghost Dog did it first

[elrous0]

This was how the lead character in Ghost Dog stole his cars. Great movie, BTW.

relaying the wireless data?

[YesIAmAScript]

That's really weak. That's barely a security hole at all. Someone has to be near me to have a system to talk to my car key?

Also, the explanation article isn't an explanation at all, it talks about tire pressure monitoring systems and how to spoof readings from those to the dash. It also makes the mistake of saying that the TREAD Act requires you have a wireless tire pressure monitoring system. That's not true at all, the requirements for tire pressure monitoring can be done completely passively by monitoring the effective circumference of the tire (rotation speed) and is done so in many makes.

Re:relaying the wireless data?

[shadowfaxcrx]

Exactly. They were flipping out about this on some car forums a few weeks back (yeah, /. is behind the curve here) but I don't really see the issue. First off, TPMS monitors receive three kinds of signals: "This is my ID," "This is the tire pressure," and "Error."

It's not like you can send a "shut off the motor" signal through TPMS. It's not set up to receive that (and would therefore just drop it as junk data) and even if it were, it's not set up to carry out the command. At best on some of the better cars you could disable traction control by reporting pressures outside the limits of TCS to handle.

Re:relaying the wireless data?

[blair1q]

Actually, it's a hell of a security hole.

The vulnerability is that the system depends on proximity but does nothing to verify proximity, it merely assumes that the presence of a recognizable signal implies proximity of a valid security token.

The exploit is to create a wormhole in proximity space, bringing the transmitted signal closer to the receiver space even though the transmitter space is far, far away, without making the transmitter traverse the Euclidean space in between.

Unless hands-free keyless systems are somehow upgraded to ensure that proximity of the signal is proximity of the security token, this spells their utter doom. We're back to fishing in our pockets for the Unlock button.

BTW, the second link is an apparent screwup. The first article had all the info needed. /. summarizers are only a few IQ points above /. editors, who would have a hard time out-parcheeseing a truffle.

Re:relaying the wireless data?

[TubeSteak]

I remember reading about this back in 2006
http://arstechnica.com/old/content/2006/05/6750.ars
The software has been out there to do this for years now.

IIRC, it took 15 minutes max

Re:relaying the wireless data?

[vux984]

The concern about tpms isn't about hacking your car, its about tracking it. The premise being that if you deploy a bunch of receivers that listen for "This is my ID" from the TPMS, you can track everyone's vehicle.

Re:relaying the wireless data?

[deadweight]

YES! Finally someone actually RTFA. You have to have one guy at the car and another guy with his gizmo near the key. Not something I'll stay up late worrying about. Now on to how cars really get stolen: BMW has excellent encryption in the keys. So you: A - Break in house and grab keys, which are usually hanging near the door. B - Get friend at dealer to run copies of cars in for service.

Re:relaying the wireless data?

[0123456]

It's not like you can send a "shut off the motor" signal through TPMS.

Some of the people hacking TPMS claim to have been able to send a 'completely brick the TPMS control unit' signal through TPMS from a hundred yards away with a directional antenna. If the firmware is that poorly written, it's unlikely but not inconceivable that they could make the TPMS unit send out crap that would interfere with the operation of other components.

And, either way, most people wouldn't be too happy about having to buy a new TPMS control unit because someone sent bad data to it.

Re:relaying the wireless data?

[bws111]

I read comments like this on here when the TPMS story was first out, and they are just as wrong now as they were then. You claim 'poorly written firmware'. Do you have any evidence of that at all? Here is the situation: a safety system in the vehicle gets data that doesn't make sense. What is it supposed to do, just ignore the bad data (which MOST LIKELY means something is wrong with the system)? Maybe a better idea would be to inform the driver that one of his safety systems is not working correctly (turn on a light). So the driver takes his car to the dealer, and the dealer scans the error and finds out the computer logged that it was receiving crap data. What is the dealer supposed to do, just turn off the light and send the customer home with a potentially malfunctioning safety system? No, the dealer will do what the manufacturer suggests - replace the unit.

You know what most people don't like even more than having to replace a TPMS because some dickhead intentionally screwed with them? Having malfunctioning safety systems, and having to return to the dealer because the dealer did nothing to FIX a problem, he just turned off the light.

Re:relaying the wireless data?

[toddestan]

Well, situation A is kind of worrying. If the car is in the driveway, and keys are in the house by the door, just put one gizmo near the car, and the other gizmo by the front door, and car starts.

Granted, keeping the keys near the front door is already unwise as thieves will break into the house to grab the keys. But now they wouldn't have to.

Re:Top Gear showed that this is possible now.

[shadowfaxcrx]

I'm pretty sure that was staged for entertainment purposes. Most cars require that the key be *inside* the car, or very close to it in order to start. A guy sitting in a diner with a wall/window and several feet of parking space/sidewalk/restaurant between him and his car probably wasn't close enough.

Detraction

[blair1q]

these types of solutions detract from the convenience that makes passive keyless entry systems worthwhile.

But when the key is not even a key, that detracts from the thing that causes it to exist, so it might as well not.

I saw this happen last Knight

So I was drinking a wine cooler and watching Knight Rider last night and Some dude totally hacked Kit using a TI computer and an ATARI joystick. This tech has obviously existed since the 80s. Sheesh.

Re:I saw this happen last Knight

[StikyPad]

Wine coolers are for pussies. Now Zima, that's a man's drink.

Is it just me or?

[Johnny+Fusion]

Does the line: "car security systems will begin have a real impact to every day use if a thief can simply walk up to your car and drive it away." seem to imply car thievery is a new thing? Thieves have been stealing cars since you had to hand crank the engine. Sure the techniques in 1911 were different from the techniques in 2011 but this is a a bit hysterical isn't it? Criminals are always getting better than security which leads to better security which leads to more cunning thieves, like any living system, it will continue to evolve.

Re:Is it just me or?

[blueg3]

This is like a variation of when lawmakers write a law that takes an already-illegal act and adds "on the Internet" or "with a computer".

Yes, car thieves can steal your car. But now it's wireless!

Which Models, I wonder

[GizmoToy]

The article doesn't say which models and brands were attacked. I'd be curious to see which ones they got.

These keys are certainly extremely useful. The key on mine detects if its inside or outside the car, and can even open the trunk if I touch a button by the tail lights. The fact that the manufacturers haven't considered the security ramifications of these keys is unsettling.

From the description, this seems to be a variation on the standard man-in-the-middle attack. These manufacturers should know better.

yes. take the battery out of the fob

[YesIAmAScript]

These people are all just doing replay attacks (due to the rolling code systems used), so if you turn off your transmitter, they'll never find the way into your car.

Re:yes. take the battery out of the fob

[commodore64_love]

Oh okay.
Mine's laying in my sock drawer - never been used. So any thief would never be able to use a transmitter to record its code (unless they broke in my house and stole it). The reason it's in my drawer is because I don't like the bulk of those fobs sitting in my pocket.

Re:yes. take the battery out of the fob

[CrashandDie]

Disclaimer: I used to work for one of the companies cited in this post.

I highly doubt that cars have such a sophisticated method of authentication. Simply considering the fact that the Vasco/ActivIdentity/RSA OTP dongles (the small dongles with a 10-digit screen, and sometimes a keypad for PIN code) require pretty nifty algorithms around desynchronisation (32-bit clock counter with only 22 or 24 MSBs used or so) due to clock drift, and that resynchronisation is an absolute pain in the bum to handle.

Sure, the reason why those dongles are so prone to clock drift is because there is a relatively massive delay between the generation and the user keying it into the computer keyboard, but the problem is the same for a car: if the car uses the time stamp to validate a key's authentication request, then both needs to be synchronised. How is this done? Every time the key is connected to the ignition? Could be. Otherwise, if there is _no_ validation of the time stamp, then there is no use for a clock in either devices.

The other mechanism that could be used is an event counter. Every time the button is pressed, the event counter gets incremented. Part of the event counter is transmitted in clear text (for example, the last digit), so that there aren't too many calculations that need to be done.

Example: Last used internal event counter value is 1224 (last used value to interact with the car), this number is known to both the car and fob. The fob is activated a few times out of range of the car, so the counter for the fob is now 1241, but the car still expects 1225, in a best case scenario. The fob transmits in clear text last digit value "1". Now, the car only has to test 1231, 1241, 1251, 1261. Admitting a range of +50, for people with too much caffeine, or whatever range can be calculated in a time sufficiently short that it seems "instant". The rest of the request is encrypted using a symmetric key (_not_ PKI), probably something like 3DES, the strength of the key doesn't really matter, as long as it can't be decrypted fast enough to enable brute force.

3DES still requires a good 10 hours or so to be broken, IIRC (feel free to correct me), so it really does the job. As soon as the code is transmitted, a new 3DES key is generated using the event counter and the old key as salt. This new key will be used to encrypt future transmissions. The fob simply needs a bit of memory to store the event counter in a way that is not dependent on the battery, so that even if the battery is depleted or removed, it can resume operation (also, a lot cheaper in terms of battery usage than using a clock counter).

My 2c,

The ultimate theft deterrant

Is a stick shift. Even if they get into your car & manage to get it started, your average car thief has no idea how to drive a stick shift.

Re:The ultimate theft deterrant

[TechnoFrood]

Perhaps in any country where Automatic transmission cars are the norm, here in the UK the vast majority of cars are Manual transmission.

Re:The ultimate theft deterrant

[by+(1706743)]

Of course, it's also easier to roll a stick shift car onto a flatbed -- shifting into neutral and disengaging the parking brake requires physical access alone, whereas shifting into neutral in an slushbox usually (right?) requires the key. Not exactly a showstopper if you're just gonna put it on a trailer, but still.

Re:The ultimate theft deterrant

[mirix]

I know criminals (at least the type that steal cars) are generally fairly daft, but are there no thieves in the US with an IQ higher than 50? It isn't exactly rocket science.

Re:The ultimate theft deterrant

[toddestan]

Many automatic cars have a shift-lock override. Usually it's a small slot, often with a plastic cover on it, near the shifter. Stick a screwdriver or a key or similar object in there and you can shift the transmission. This can usually be found on cars where the shifter is still mechanically connected to the transmission. Newer cars where it is all electronic are less certain - many of those are impossible to get out of park if the battery is flat.

Fob range extender

[foo1752]

This just sounds like they build a range extender for the key fob, allowing the fob to be MUCH farther away from the car than it would normally have to be. This is nice to allow access to the car and to get it started, but once you've driven the car out of range of the (range-extended) fob, you'll never get the car started again. Maybe it doesn't matter if they're just taking the car to a chop shop. Still scary, though.

Re:Can be turned off

[afidel]

Why? Mechanical locks are just as vulnerable if not more vulnerable so why put up with the inconvenience? Heck thieves have been known to use flatbed wreckers to haul off cars to take them to a chop shop, disabling your keyless entry certainly isn't going to stop that!

Take without permission, otherwise known as steal

[noidentity]

they can bypass the security of wireless entry and ignition systems to take a car without the owner's permission

If only we had a word that meant taking something without the owner's permission...

Re:Already on TV

[StikyPad]

I'm sure he was commenting on the last sentence of TFS, not the viability of the attack.

Thieves must be fairly dumb

[turing_m]

I think you need to be a little switched on to know and try this sort of stuff in the first place. Which means you can probably either get an acceptable paying job (at least, better paid than burger flipping) with zero risk of going to jail, or perhaps a higher paying and ethically dubious occupation but with less risk there too. Like an "opportunistically pricing" mechanic, for example. He may charge a woman $500 for changing a spark plug but he's not going to go to jail for it.

The reason I came to this conclusion is reading the famous Chula Vista Residential Burglary Reduction Project report. Only 4% of burglars pick locks. Now why is that? Is it too hard for the average burglar to learn, or was it too hard to learn how to pick locks when that was written? I'm guessing the former was the deciding factor.

Re:Thieves must be fairly dumb

[Migraineman]

Thieves don't like exposure. Picking a lock requires finesse and time. It's generally the "time" element that's an issue. If kicking the door in, grabbing the purse, and leaving takes 20 seconds, that has the same exposure as picking the lock by itself.

Re:Nope.

My prius doesn't need a key in the ignition at all. It just needs the transceiver to be close.

I leave it in my pocket when I drive.

Mini Faraday Cage

[rnaiguy]

Surround the fob with foil (or a more custom-designed solution) while away from the car, and problem solved.

Re:Mini Faraday Cage

[MiniMike]

Surround the fob with foil...

Great, now people will think my key fob is crazy...

Re:Mini Faraday Cage

[rnaiguy]

But it would go well with the headgear of many slashdot readers.

they can only hack tire Pressure Monitors

[jroc242]

the companion article only mentions hacking the tire pressure monitors which are wireless sensors in the wheels. it makes no mention of starting the car and driving away.

Re:they can only hack tire Pressure Monitors

[GizmoToy]

I think the "companion article" is not as related as the posted claimed it to be. After having read both, they're about two completely different topics.

New patent: Unsnoopable car lock

[Midnight+Thunder]

This patent presents a locking system for automotive vehicles that can not be snooped by a nearby wireless hacker. This approach eliminates the need for problem prone wireless receivers and transmitters, whose signal can easily be captured by a third party in the vicinity. This devices presents an opening in the door of about 2mm x 5mm and requires the use of a specifically shaped piece of metal This piece of metal would be unique to each owner. Activation and deactivation is accomplished by a rotational action in either clock-wise or anti-clockwise directions.

This patent is truly ground-breaking since it eliminates the need for an electronic system to function.

Re:New patent: Unsnoopable car lock

[TheL0ser]

I can find no fault nor prior art with regards to your patent application. Your application is hereby approved. Please note that on the way out the door intent to sue forms are on your left, and a directory of lawyers on your right. For your convenience, we have also supplied a list of the largest companies that may be possible targets for your legislation. Thank you for visiting the Lawsuit-o-matic Patent Office, and have a nice day.

Re:New patent: Unsnoopable car lock

[tool462]

Your post advocates a

(x) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting vehicle theft. Your idea will not work. Here is why it won’t work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Thieves can easily use it to harvest spare change
( ) Remote starts and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
(x) It is defenseless against brute force attacks
( ) It will stop vehicle theft for two weeks and then we’ll be stuck with it
( ) Users of cars will not put up with it
( ) Chrysler will not put up with it
( ) The police will not put up with it
(x) Requires too much cooperation from thieves
( ) Requires immediate total cooperation from everybody at once
( ) Many car companies cannot afford to lose business or alienate potential passengers
(x) Car thieves don’t care about invalid keys
( ) Anyone could anonymously destroy anyone else’s car or truck

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for car keys
( ) Open roadways in foreign countries
(x) Ease of searching tiny valid keyspace of a mechanical key
(x) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new mechanical things
( ) Public reluctance to accept weird new forms of keys
(x) Huge existing software investment in Keyloq
( ) Susceptibility of protocols other than Keyloq to attack
(x) Willingness of users to insert keys into doors
( ) Armies of rust-riddled pickup trucks
( ) Eternal arms race involved in all locking approaches
(x) Extreme profitability of car theft
( ) Joe jobs and/or vehicle theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with car thieves
(x) Dishonesty on the part of car thieves themselves
( ) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) Keyloq algorithms should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) Countermeasures should not involve registration fraud or insurance fraud
( ) Countermeasures should not involve sabotage of public roads
( ) Countermeasures must work if phased in gradually
( ) Unlocking car doors should be free
(x) Why should we have to trust you and your key makers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time keys are cumbersome
( ) I don’t want the government opening my car door
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don’t think it would work.
( ) This is a stupid idea, and you’re a stupid person for suggesting it.
( ) Nice try, assh0le! I’m going to find out where you live and burn your house down!

Re:New patent: Unsnoopable car lock

I disagree about the unsnoopable part. Watch some of the documentaries about prisons and you will find that many require guards to have a piece of material occluding their version of your "piece of metal" to prevent the prisoners from looking at it and duplicating it.

Re:New patent: Unsnoopable car lock

[Kakari]

So far you only have 3 mod-ups... I feel like that much effort into a post deserves the other two.

Re:New patent: Unsnoopable car lock

[Midnight+Thunder]

I disagree about the unsnoopable part. Watch some of the documentaries about prisons and you will find that many require guards to have a piece of material occluding their version of your "piece of metal" to prevent the prisoners from looking at it and duplicating it.

Well, any deficiencies in the design can be worked around using the DMCA as a defensive mechanism.

Re:New patent: Unsnoopable car lock

[bertoelcon]

This piece of metal would be unique to each owner.

That would be slightly better than the keys we have now, as they do end up with the same key every so often.

Re:Top Gear showed that this is possible now.

[YrWrstNtmr]

The key to a Chevy Charger

A what?

Just saw somethign similar on the morning news!

[Phizzle]

The morning news in SF Bay Area showed home security footage of someone just walking up to a supposedly locked up car (Toyota) and looting it without using a key or smashing windows. Apparently there has been a bunch of car robberies of this nature around the Bay Area.

Re:Just saw somethign similar on the morning news!

[whoda]

Yep, I saw it too. The interior lights all came on and everything, just like it would with the normal clicker.
Of course Toyota says they haven't ever received any proof of it happening. LOL

Re:Just saw somethign similar on the morning news!

[mlts]

There are other ways to pop open cars. Take the slim jim for example. Even if that doesn't work, the metal on car doors is thin, so someone using a screwdriver to peel back the metal around the door handle, or perhaps punch the door handle in to be able to pull on the locking rod. This is why there are third party reinforcing plates sold (Jimmi Jammer) to protect against exactly that.

Other than adding heavy gauge containers (either bolting or even welding them down), it is almost impossible to stop smash-and-grabbers.

Wireless Theft Aint nothin new

[thewils]

In my old car I had the wireless stolen. I just put another one in.

Luddites

[nurb432]

Good thing i refuse to have those options in my car.

This matters for nothing

[BigSlowTarget]

If they are going to take your car they are going to take your car. It might be easy, it might be hard but as long as cars can be towed you'd better kiss it goodbye if someone wants it bad enough.

The biggest theft deterrent around is probably title registry and money laundering laws, the locks just protect you from the joyriding kids.

Re:This matters for nothing

[eepok]

False dichotomy: Criminals want to steal your car or they don't.
Tautology: If they are going to steal it, then they are going to steal it.

The decision to commit a crime is relative to the reward of the crime and the risk of getting caught. If the risk is low enough in relation to the value of the crime, then the criminal will commit the crime. If it's not, and there's no mitigating circumstances, the criminal will not commit the crime.

Make your car as difficult as possible to be stolen and your car will be less likely to be stolen. If it is stolen, then you will have a higher chance of recovery.

Re:This matters for nothing

[goudan]

These shoes may look a bit like watching a girly side where to buy cheap air max 90 and candy, but there is a sneaker that confidence men, colorful sneakers and testing by providing more masculine side. But if doubt is always a problem, better not buy one (of course). If you're discount air max uk one for storing your shoes are clean and fresh, then you can put your mind at ease and rest, because these trendy trainers come in a wooden box to keep extra secure? Shoes even equipped with a small handbag for them unless asked to wear. If you have a couple of your ideal would be to wrap the logs Kix, but it is too big for trainers shiny gold wait a sellout for sure!

Re:This matters for nothing

[L4t3r4lu5]

Best defence against both theft and rogue car clamping: Clamp the car yourself when you park.

Re:This matters for nothing

[eepok]

Funny you say that... I've been doing quite a bit of research on bicycle security and that's the effectively the main type of security theft.

Quite common-sensical, when you think about it.

Woopdeedoo

[trollertron3000]

This one guy showed me he could do the same with a screw driver and a hammer when he stole my car. And he didn't have any research grants..

Re:Take without permission, otherwise known as ste

[trollertron3000]

LOL I wish I had mod points. I thought the same exact thing when I read that.

Obligatory RIAA joke.

[Riceballsan]

If this technology became more commonplace, and car theft becomes easy as downloading an ap for your iphone we may have to reverse our slogans. Start an anti car-theft promotion, You wouldn't download a song would you?

Re:Take without permission, otherwise known as ste

[thewils]

That would be "copyright infringement" right?

Insurance companies don't pay

When your car is stolen with no obvious sign of forced entry. They consider it to be a fraudulent claim and that you were the one that stole your own car.

Re:Nope.

[wcrowe]

Um, yeah. I think you need to do a little field research.

The "companion" article is irrelevant

[sirwired]

The companion article talks about something entirely different, namely security issues with wireless Tire Pressure Monitoring Systems. Neither the main article nor the "companion" article talk about the TPMS hack having anything whatsoever to do with vehicle theft or sabotage at the current time.

Re:Can be turned off

[eepok]

Wireless Activation: Walk up to car, get in car, drive away.

Mechanical Locks: Walk up to car, break window or slim jim the lock (both loud when the car has an alarm), hotwire/break ignition system, try to disable the alarm, drive away.

It's the difference between using a fake ID to get into a bar and having to punch a couple of people in the face to get into the door. The latter is inherently a bit more risky and likely to draw attention.

The "inconvenience" of using a key is worth the minute effort for the small, but more significant deterrence possibility.

My Solution

[frinkster]

I drive a car that nobody wants to steal. In fact, so few people wanted my car that Volvo stopped selling it in the US.

Re:Take without permission, otherwise known as ste

[TheL0ser]

No, no, no... "stealing" is taking without permission. "Copyright infringement" is setting fire to someone's house, kicking their puppy, selling their child off for medical research, punching them in the nose, and then taking something without permission.

Undetectable murder

[NewToNix]

The worry here should possibly be that someone, with essentially off the shelf hardware and software could conceivably commit the perfect murder --car component failed, deadly crash issues.

Get rid of your mother-in-law and maybe collect insurance and big settlement because some sensor or CPU 'malfunctioned'.

Not saying the tech is there yet, but I'd wager it will be soon enough --and that someone will attempt it eventually (possibly successfully --how would anyone know?).

Re:Undetectable murder

[couchslug]

"Get rid of your mother-in-law "

Your ideas intrigue me and I would like to subscribe to your newsletter.

Re:Already on TV

If you think the police can't use the onstar system against you, you are ignorant. With the correct codes they can have onstar lock/unlock, start/stop the engine and just about anything else onstar is capable of. AFAIK there is no iphone app for law enforcement to do this with, but that doesn't mean they couldn't replace operators with machines. (like that ever happens).

How do they bypass the steering wheel lock?

[bill_kress]

Are they making cars without steering-wheel locks requiring physical keys now? I thought it was federal law that you couldn't do that--but maybe that was just an assumption.

I have remote door locks and remote start, but getting into the car isn't that hard anyway (Brick authorized entry works as well as it always has)--getting past the steering wheel lock requires SOME kind of solution...

Re:How do they bypass the steering wheel lock?

[rrossman2]

you either break it or you remove it. It's really not as hard as it seems.

Re:Top Gear showed that this is possible now.

[PitaBred]

How will the car know? It's the fact that the key isn't very strong that determines the range. If I get a more powerful antenna, there's no way the car could tell that it was coming from outside the car versus inside.

Re:Top Gear showed that this is possible now.

[MachDelta]

Oh yeah, the three hosts took a Chevy Charger, a Ford Camaro, and a Chrysler Mustang on a cruise. Great episode that one! ;)

PS: The car was actually a Dodge Challenger, so grandparent can't even claim part marks on it. Owch.

Re:Take without permission, otherwise known as ste

[bobdotorg]

they can bypass the security of wireless entry and ignition systems to take a car without the owner's permission

If only we had a word that meant taking something without the owner's permission...

It's not necessarily theft.

Off the top of my head here are some non-theft reasons:
          firemen moving the car out of the way of a fire
          a repo
          parents surreptitiously retrieving their car from an out of bounds kid

But you're right, probably mostly for theft...

Another Danger is Carbon Monoxide Poisoning

[Ron+Bennett]

Another potential danger of unauthorized remote auto-start is carbon monoxide poisoning of the car owner, if the car (in particular, those with traditional combustion engines) is parked near living areas, such as in an attached garage.

Do cars with remote auto-start have safety features to prevent it from being misused, such as excessive idling?

Ron

Re:Another Danger is Carbon Monoxide Poisoning

[rrossman2]

They run for a pre-programmed about of time (typically 10-12 minutes or 20-24 range). They tell you right in the manual (for those dumb enough to try) to not use in garages, enclosed areas, etc etc.

Re:Take without permission, otherwise known as ste

[noidentity]

firemen moving the car out of the way of a fire: they moved it; they didn't take it

a repo: the repo is the owner

parents surreptitiously retrieving their car from an out of bounds kid: it's the parents' car, not the kid's

Stolen cars of the "future"

[dillpick6]

I for one will never be caught driving a Gibson...

Physical security

[RightwingNutjob]

My solution is to put a big steel bracket around my brake pedal that would take more than a few minutes of cutting to get through before you can drive away. It doesn't prevent a determined party from taking the car if he really wants to, but it's a layer of actual physical security that prevents someone from duplicating a software key and riding away, just like it prevented someone from picking the lock and hotwiring the ignition and riding away on an older model.

Re:The car companies really don't care

[deadweight]

No one is IMPERSONATING your key. Your real actual key is really starting the car - just from farther away than you might have wanted! Once they drive off they can't ever start it again.

Movie release

[formfeed]

An interesting read, and certainly something that will no doubt be the subject of a new movie any day now.

Yeah. But in the movie the hacker will have to maneuver around some vector graphic blocks popping up on a green laptop screen, in order to "bypass" the system.
After bypassing the last cipher "block" the screen will change to a CAD-drawing of a car highlighting various control systems. At which point the car doors will pop open (not unlock, pop open!) and the hacker will shout "I'm in!"

In Other News

[gearloos]

In other news today, the Chinese government buys 300 Container "Super Ships" preparing for some type of boon industry. Speculation abounds.

This is not the least bit surprising

[rrossman2]

If any of you have ever installed a remote start on a car with a chip-in-the-key security, you'd realize this isn't that exciting or unexpected. In the earlier days of bypassing the chips in the keys, this is the exact technique we used. It was analog-to-analog too. The key was placed into a winding of wire (maybe 11 to 60 loops), one end of the loop connected to a relay. Then, at the ignition cylinder, there was another loop of wires, again typically anywhere from 5 loops to 30 loops, with one end of that loop connected to a relay, and the other end of each loop connected to each other. When the relay was activated, and the ignition powered up, the antenna loops would allow the power from the antenna in the ignition to power the chip in the key, and allow the now powered chip to relay it's code back to the antenna at the ignition cylinder.

It wouldn't have been hard to increase the sensitivity of this setup to get a longer range (both in terms of how far the wire loops could be spread apart, but also how far away the one loop could pick up the key, and the other loop the ignition cylinder) using a bi-directional amp and possibly more windings.

The fact this was done to a system DESIGNED to have longer range (as the intelli-key systems are active and not passive in the RF signals) it's no real surprise. They didn't technically hack the system, they just extended the range of the wireless communications. It's a big deal to people who didn't know this could be done, or those who could have their car stolen using this technique, but it's really not that shocking to people who should or do know better than to think it's fool proof.

As a side note, on the earlier Ford's with the chip-in-key system, you could disable the system by pulling a certain fuse under the hood, and instead of defaulting to a "no code, no start" mode, the car would failsafe into a "you can start without the chip". And to those asking about the steering wheel lock.. they aren't THAT hard to break or remove if you really want to break or remove one.

Re:This is not the least bit surprising

[mlts]

Steering column locks are a joke to a serious thief. When I was in college out of high school, my car got broken into, and the steering column smashed open. What kept the vehicle from disappearing is the fact that I put in a kill switch so it would start, but as soon as the ignition returned to "on", it would immediately stall. So, frustrated thieves would just haul ass out of there after a few failed starts.

From what I have personally experienced. What doesn't work:

Normal car alarms.

What does work:

Kill switches. Time is not on the side of thieves, and having to fish through the dash to find the splicing is not in most of their playbooks unless the vehicle is worth it.

Newer cars and RFID key chips

[spineboy]

I have a Porsche, and the key comes with an RFID chip to unlock the sterring column, so even if the theives wirelessly unlock my doors, they still aren't going to start it.

Probably just towing it away on a flatbed is much easier, and less conspicuous.

Many cars now come with pretty good factory stereos - reducing the risk. Many stereos also have pretty good anti theft tech as well. I rarely hear of anyone anymore having a stereo stolen.

Re:Newer cars and RFID key chips

[frecky]

What, you're telling me that RFID isn't wireless?

Re:Can be turned off

[Migraineman]

Capable thieves use a tow truck or flatbed, as demonstrated here. They'll typically climb under and chop the ground wire to the battery. 15 seconds, tops.

Re:Can be turned off

[Migraineman]

Apoligies for self-replying. This demo is better.

The full exploit...

[mob)barley]

1) Would-be thief uses gizmo to cause the TPMS light to display on the dash. 2) Unwary driver pulls over, gets out and begins to inspect the tires. 3) Thief jumps in and takes off. 4) Profit. This not only takes technical expertise, but also stealth and a high level of physical fitness.

Did they try driving away?

[spectro]

So they can relay the handshake between the keyfob and the car allowing them to enter the car and turn on the ignition. The question is how far away can they drive once the keyfob is no longer in range?

If the car manufacturer didn't build a security measure shutting down ignition after sometime of the car being off-range then I would be worried. Otherwise robbers just ran away a few hundred meters and maybe could steal some stuff from the car without having to break into it.

I will ask that question before buying my next car if it comes with keyless ignition.

Re:Did they try driving away?

[toddestan]

With Toyota's system, you only need the key to start the car. After that, it will run until it is shut off. If the car senses the key is gone, it will beep at you, but you can still drive it across the country if you felt like it.

Aha, now it makes sense

[gstrickler]

This technology was clearly the inspiration for the freak wormhole that started the war between the Vl'hurgs and G'Gugvuntts

Re:Top Gear showed that this is possible now.

[shadowfaxcrx]

Well, the Anon Coward was talking about Top Gear, which used a stock vehicle with the normal keyfob, so the transmitting strength of the sending unit was not enhanced as you propose.

Additionally, at least in my car, there are several antenna receivers. Some are on the outside, some are on the inside, and one is in the trunk (in case I close the trunk with the key inside, it will automatically open it up again).

Plus, the signal strength of the transmitter is irrelevant for actually starting the car. The transmitter strength only determines how far away you can be and still unlock the doors. The key itself is chipped with an RFID, and the car scans for it when you try to start it. It's pretty unlikely that the RFID detector can detect one when the car's in the parking lot and the key is in the pocket of someone inside a restaurant.

At any rate, if the thief has the spoof key/RFID identifier, range doesn't matter. He just gets in the car, fires up the spoofer, and goes on his way.

Re:Take without permission, otherwise known as ste

[Haedrian]

Not to mention a dirty commie practice. Better dead than red!

Re:just take the car

[Pentium100]

You can always leave your keys inside the car in a visible place so any thief can take them if he wants to.

As I said to almost everyone about the hidden button in my car (if you don't press it, the engine does not get fuel) - yes, a smart thief wold be able to figure it out (the car is old, it does not have complicated electronics), but some junkie or kid might not, which means that I have reduced the number of people who can steal my car. And even the smart thief (who would know how to find or bypass the button if he knew what he was looking for) may be fooled by the system to think that the car just does not start (car is old, stuff happens).

Another example of "security through obscurity"

[jonwil]

There is no reason this has to be so complicated or proprietary.
All you need is a secret in the keyfob and the same secret in the car. There are published cryptographic protocols that exist that allow 2 endpoints to verify that both of them have a matching secret but in a way that does not allow someone listening in to steal the secret. (and since these are published they have presumably been exposed to more analysis by people looking for flaws than the proprietary solutions).

Re:Another example of "security through obscurity"

[gstrickler]

Apparently you didn't read, or failed to comprehend the article. They are not intercepting or decrypting the communication in any way. This is a relay attack in which they use a type of RF repeater/extender to allow the car and the key fob to communicate at much greater distances than intended. In doing so, the car's "thinks" the key fob is in range and unlocks the doors and starts the car. They're simply extending the range of the "proximity", the car and key fob are doing exactly what they're intended to do, passively communicate, unlock the doors, and start the engine.

Re:Another example of "security through obscurity"

[jonwil]

All the cars I have seen with key fobs require you to press a button on the fob to open the doors. So even if you have a relay attack going on, you cant get it working unless you can get the victim to press the "door open" button when they are far enough away from the car not to notice that someone is standing near it ready to get in and steal it.

Although I havent had any experience with these "keyless start" cars where you just need to have the fob in your pocket and press the "start engine" button to start the car so those may be different.

Re:Another example of "security through obscurity"

[gstrickler]

And the keyless start cars are the ones the article is about. It's completely passive, and that's the fundamental problem that makes this attack possible.

Re:Can be turned off

[afidel]

They move completely totaled vehicles all the time, a little bit of friction isn't going to stop a big winch and the guys parting them out don't care if one piece is broken.

Re:Take without permission, otherwise known as ste

[L4t3r4lu5]

In the UK, we had to create the crime "Taking Without Owner's Consent" (TWOC) as a common defence in car theft was "I was only borrowing the car, I would have returned it!" Apparently, it worked at least once. Hence, now the act of taking the car is a crime, as opposed to depriving the owner of it permanently (as was previously the case). TWOC may well be the correct term for these cases.

NEW New patent: Unsnoopable car lock

[L4t3r4lu5]

This patent presents a locking system for automotive vehicles that can not be snooped by a nearby wireless hacker. This approach eliminates the need for problem prone wireless receivers and transmitters, whose signal can easily be captured by a third party in the vicinity. This devices presents an opening in the door of about 2mm x 5mm and requires the use of a specifically shaped piece of metal This piece of metal would be unique to each owner. Activation and deactivation is accomplished by a rotational action in either clock-wise or anti-clockwise directions using a computer.

I'm going to be rich!

That's how it works, right? Right?

Re:NEW New patent: Unsnoopable car lock

[Midnight+Thunder]

What is this computer you speak of. Never heard of one before. Clearly this is mentioning a new concept never known to the American public. Approved.

Re:Can be turned off

[drinkypoo]

You usually have to tow for 50 miles or so before damage occurs. And some of the newer AWD vehicles have designs that prevent such damage, so that they can be towed by old people behind RVs. Amusingly my '92 Ford 4x4's transfer case lube pump is driven by the rear axle, so you can tow it without dropping the driveline, just shift the case to N.

Research Paper

[coremayo]

Here's the actual research paper if anyone is interested: http://eprint.iacr.org/2010/332.pdf

Re:Take without permission, otherwise known as ste

[L4t3r4lu5]

Give that man a prize!

If he returned the car with a full tank of petrol and £10 to cover maintenance (as long as he didn't thrash it from cold), I wouldn't mind at all. Yes, I know this is an internet joke, but it's still true.

An even better theft deterrant

[Cro+Magnon]

is to have a crappy car. You couldn't pay a car thief to steal my old Pontiac J(unk) 2000. I know because I tried to.

Re:Take without permission, otherwise known as ste

[harl]

Remember kids. Jesus did it.

Luke 9:16
Mark 6:41

I have a solution... seriously...

[Dallas+Caley]

Ok so i'm not here trying to blatantly give a promo out to the product that i just spent a year developing so i won't say the name. I'll just say that is from one of the leading alarm company manufacturers and you can find it on the net. The gist of the product is this: why should you have to have a separate device that you put on your keyring that allows you to start your car when you already have a smartphone (well most people do, or at least most people who can currently afford keyless entry on their car). What our product does is allows you to open your car door (and lock the door and start the engine/warm it up) right from your phone. The good thing about this is that on top of each account being password protected, they are also linked to the particular identification code for your exact phone so there is no way that anyone is going to hack this (in theory). The way it works is via a cellular device not a radio wave emitting from the car so its much more difficult to intercept (in theory). Also the best part about it is that because it's a cellular device we can also track the exact location of the vehicle so in the case that someone does steal your car we will find them right away. The trick to protecting yourself from thieves and criminals is to stay one step ahead of them. 15 years ago this was with keyless technology, but now this is old school, we simply need to switch to the latest gadget.

um ... one-time keys?

[Lazy+Jones]

When I bought my car, I was hoping that the signals sent between key and car were not identical every time, since it's an obvious attack method to just detect/copy the signal and extremely easy to put e.g. a few 1000 random "keys" in the sender and receiver that need to be used sequentially (makes it harder to have multiple keys, but there are ways to fix that). I guess I was wrong ...

Re:Can be turned off

[toddestan]

If the intent is to take the car to a chop shop and reduce it to parts, they may not much care.

it's a security hole, not a hell of one

[YesIAmAScript]

First of all, there's no wormhole here. The signal still goes through Euclidean space. You're not beating spacetime here, you're just beating signal attenuation (r^3 falloff due to radiation).

No, this doesn't spell any utter doom. This attack is complicated to pull off and also requires a person be near you to do the attack. If they're going to get that close, they might as well steal my key off me.

There are many handsfree systems that are very sophisticated about locating the key. The one on my car only opens the door you are standing next to. If I stand by the driver's door, the passenger door won't be unlocked. And vice-versa. I have to stand near the trunk to open it (or press the button). If I leave the key inside the car, it will refuse to lock its down doors, as far as I can tell, it is impossible to lock the key in the car, including in the back.

A system like this which is locating the key spatially is less likely to be fooled by trying to pretend the key is in a location other than it is by relaying signals. I am of course not saying it is unfoolable.

Either way, before electronic keys, all someone had to do was take a picture (or impression) of your car key and they could replicate it and steal your car. Now they need to have two people, a lot more sophisticated equipment for rebroadcasting signals and to tail you constantly to get in the car to open.

So I fail to see how we're approaching utter doom. Things were worse before and we still survived and most cars were not stolen.

Besides, the easiest way to steal a car now and then is still to just use a tow truck. You don't need to find the owner and rebroadcast his signal to do that.