Slashdot Mirror


New Cars Vulnerable To Wireless Theft

tkrotchko writes "In a story published by Technology Review, researchers have demonstrated multiple times that they can bypass the security of wireless entry and ignition systems to take a car without the owner's permission. As researchers in the article point out, car security systems will begin to have a real impact on everyday use if a thief can simply walk up to your car and drive it away. Although this article is light on technical details, a companion article shows how the researchers accomplished the security bypass. An interesting read, and certainly something that will no doubt be the subject of a new movie any day now."


  1. A movie, you say by jeffmeden · · Score: 4, Funny

    An interesting read, and certainly something that will no doubt be the subject of a new movie any day now.

    How about "gone in 60 microseconds"?

    1. Re:A movie, you say by dch24 · · Score: 2

      gone in 60 microseconds

      Kind of like the "security bypass" - it talks about a completely unrelated hack on the TPMS... unless it disappeared before I read it. (I'm talking about the "companion article").

      Why didn't they just use a standard passive RFID setup? They're not making money selling batteries to customers... I'm confused.

      If on the other hand the key has enough power to transmit its signal 100 meters (passive RFID can't do that) then it has enough power to have a real PKI. But I don't think that's the best idea for this use case.

  2. Duhhhh by phantomcircuit · · Score: 5, Insightful

    I'm sure pretty much anybody who even remotely understands anything about tech saw this one coming.

  3. Can it be disabled? by commodore64_love · · Score: 2

    If my car comes with a wireless key fob to unlock the car, can that function be disabled?

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    1. Re:Can it be disabled? by Enderandrew · · Score: 2

      I just bought a new Rav 4 and it didn't come with a physical key, only a fob. The only physical key I was given was for the glove box.

      --
      http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    2. Re:Can it be disabled? by Local+ID10T · · Score: 2

      I had a Porsche 911 a few years back with a fob as a key replacement. If the fob was within a few feet of the car, the doors were unlocked, and automatically locked when it wasn't. If the fob was inside the car, the engine could be started with the push of a button, otherwise not. Of course there was a key as well, either for a valet or emergency backup.

      --
      "You want to know how to help your kids? Leave them the fuck alone." -George Carlin
  4. Nor surprising ... by gstoddart · · Score: 5, Interesting

    Apparently my mother in law used to have a civic with keyless entry ... in a small town of <30,000 there was another Civic of the exact same color which used the same code.

    They found out one time at the mall that they could each open the other's car.

    I bet there's not nearly enough uniqueness and security in these things.

    --
    Lost at C:>. Found at C.
    1. Re:Nor surprising ... by Colonel+Korn · · Score: 3, Interesting

      Apparently my mother in law used to have a civic with keyless entry ... in a small town of <30,000 there was another Civic of the exact same color which used the same code.

      They found out one time at the mall that they could each open the other's car.

      I bet there's not nearly enough uniqueness and security in these things.

      Last week I drove a friend's late-90s Nissan in Mountain View. It's got a plain old mechanical key. On my way out of a store I walked up to a sedan of the same color, unlocked it, and then realized it wasn't even a Nissan. I confirmed that the key worked by locking it again from the outside before fleeing a couple aisles to the correct car.

      --
      "I zero-index my hamsters" - Willtor (147206)
    2. Re:Nor surprising ... by Shadyman · · Score: 2

      No, it's just a statistical improbability. There was a story on FARK once about someone who came out of the mall, unlocked a car that looked identical to hers, and drove it home.

      IIRC, about halfway home, she realized it wasn't hers, and took it back. In the meantime, the other woman had called police. I don't think charges were laid because it was an honest mistake.

      [Citation needed]

    3. Re:Nor surprising ... by boom1shot · · Score: 4, Informative

      I guess it is possible, but it is human error; nothing else. I acquired certifications for 25+ sales people and finance managers at a dealership that sold 4 different manufacturer's lineups. It is possible to sync those keyfobs to two vehicles, as the keyfob itself is the actual authenticator to unlock the vehicle, in the communication between car and keyfob; and then car just authenticates that, "yes, you have sync'd me to this key before." Unlocking two cars with the same keyfob, regardless of whether or not it is a proximity fob with a continuous signal or a regular old push-button-to-unlock-fob, is only a matter of sync'ing both cars to that fob. It just means at some point in time, there was a cruddy mechanic who didn't decide to wipe the key because, "woops, I just sync'd this key to the wrong car... I wonder what I need to do." They leave the car to go ask someone, and then discover the key is still opening the car it belongs to. Works for them. Those keys didn't come from the OEM ready to open both cars. No way, no how.

    4. Re:Nor surprising ... by whoever57 · · Score: 4, Informative

      In true slashdot fashion I shall pontificate without RTFA.

      And you would be completely, 100% wrong.

      The keys rely on proximity. What the "attackers" did was to provide a boost to the signals sent out by the car, causing the key to respond at much larger distances from the car than normal. The near-proximity requirement only works one way (from the car to the key), so the key will respond to the boosted signals and the car will pick up the reply if the key is within 100 meters. This attack would allow a key inside a house to unlock and start a car on the driveway.

      --
      The real "Libtards" are the Libertarians!
    5. Re:Nor surprising ... by mlts · · Score: 2

      Even the manual way is susceptible to an old attack -- tryout keys. These are keys that are cut with patterns that usually tend to work on most vehicles.

      I wish STRATTEC and other vehicle lock makers would change the physical lock's keyway every 2-3 years. This will cut down on people's keys randomly fitting other vehicles. Other items can be added (such as items like items found in Evva-Inox's keys) without sacrificing the reliability an automotive lock has to have.

      Maybe the physical security of the lock isn't a big focus, especially because almost any lock on a vehicle can easily be sprung with a crowbar after the window glass gets smashed. However, it would be nice for carmakers to have options for heavier duty locks to help deter the smash and grab meth-head.

  5. Ross Anderson by betterunixthanunix · · Score: 4, Interesting

    Ross Anderson's security engineering textbook discusses this problem, as well as how cryptographic systems like Keeloq might be attacked, and some other related topics. I am going to guess, though, that the manufacturer's view is that a thief with the technical skills needed to take advantage of these vulnerabilities is rare (not saying I necessarily agree) and that most thieves will just smash the window and try to steal the radio before the cops arrive (do people still steal car radios?).

    --
    Palm trees and 8
    1. Re:Ross Anderson by fuzzyfuzzyfungus · · Score: 5, Insightful

      The problem with the manufacturer's view (banks seem to approach ATM skimmers with the same naivete) is that it only takes somebody with technical skills to do the actual cryptoanalysis, followed by some opportunist with a shady supply chain to "productize" the hack into something that you'll be able to buy over the internet for a few hundred or thousand dollars and operate with about as much difficulty as the average MP3 player...

      Obviously, if every thief had to make his own tools, the intersection between people who can analyze novel (if flawed) cryptosystems and then build attack hardware that puts out sufficiently clean RF output exploiting whatever vulnerabilities exist and the people who steal cars for a living is pretty much zero. Stealing cars just isn't lucrative enough, unless times are very hard for engineers of reasonable talent.

      That isn't the way it works, though. The guys doing the break-n'-grab are just peons using tools created by others (apparently, with ATM skimmers, there are even "franchise" style setups, where you get access to the hardware in exchange for uploading a percentage of your skims to your sponsor...) And, building sophisticated electronic tools is a perfectly fine business, definitely worth the time of talented people, particularly ones in locales with weakish rule of law and relatively low local wages...

      Analyzing a system's security by saying "eh, how many carjackers are cryptoanalysts?" is sort of like dismissing the risks of a bad neighborhood by saying "Eh, how many muggers are machinists and gunsmiths?" It is true that the answer is "Not many, possibly zero"; but that won't exactly keep you from getting shot.

    2. Re:Ross Anderson by dgatwood · · Score: 2

      Exactly. It's basically the DRM problem all over again. Companies spend money to build DRM under the assumption that 99.99% of people won't have the ability to crack it, forgetting that it only takes one to put it on Bittorrent, at which point it doesn't matter that the other thousand folks couldn't crack it. The only difference is that at least with car alarms, you aren't trying to keep your actual customers from getting the key data from their dongles. (Well, knowing the automakers, they probably are, if only to prevent third-party replacement key manufacturing, but at least it isn't a significant part of their business model.)

      A lot of car theft is highly organized already. I mean, it's not like you can sell those stolen cars on the street, and operating a chop shop takes money, space, equipment, etc. So if there are weaknesses in the security, the question is not whether they will be exploited, but when.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    3. Re:Ross Anderson by plover · · Score: 2

      This attack had nothing to do with the cryptography used, and would succeed regardless of how the keys are cryptographically secured. KeeLoq and 4096-bit RSA would both fail equally.

      The attack concept was very simple: extend the range of the normal keyfob RF communications with a pair of radio repeaters, one of which is presented to the car as a surrogate, and the other is hidden near the victim's real key fob (perhaps a disguised repeater is hidden in their shopping cart while they were in a store.)

      It's a common problem with security people. We get so focused on addressing the problems we already understand, such as "let's use a two inch anti-magnetic titanium deadbolt controlled by public key cryptography with a radioactive decay module for random number generation to ensure the IV is unrepeatable" that we forget to look beyond the existing security. And then some kid comes around and pops the locks by hacking a tire pressure monitor with an Arduino.

      --
      John
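The point made in this sub-thread (a relay forwards the car's challenge and the fob's valid reply, so the cryptographic check passes unchanged) as a small simulation; this is an added example, not code from the article or from any commenter. The `Fob`, `RadioPath` and `Car` classes, the HMAC-SHA256 challenge-response, the timing figures and the round-trip-time bound are all assumptions made for illustration and do not describe any real vehicle's protocol.

```python
import hashlib
import hmac
import os

C_M_PER_NS = 0.299792458     # speed of light, metres per nanosecond
FOB_PROCESSING_NS = 1000.0   # constructed figure: fixed time the fob needs to reply


class Fob:
    """Key fob holding a secret shared with the car (hypothetical model)."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class RadioPath:
    """Path between car and fob, either direct or stretched by a relay.

    A relay only forwards bytes, so it is modelled as extra distance plus an
    optional forwarding delay. It never needs the key.
    """

    def __init__(self, fob: Fob, distance_m: float, relay_delay_ns: float = 0.0):
        self.fob = fob
        self.distance_m = distance_m
        self.relay_delay_ns = relay_delay_ns

    def exchange(self, challenge: bytes):
        response = self.fob.respond(challenge)
        flight_ns = 2 * self.distance_m / C_M_PER_NS  # there and back
        return response, flight_ns + FOB_PROCESSING_NS + self.relay_delay_ns


def rtt_bound_ns(max_distance_m: float) -> float:
    """Longest round trip a fob within max_distance_m could produce."""
    return 2 * max_distance_m / C_M_PER_NS + FOB_PROCESSING_NS


class Car:
    def __init__(self, key: bytes, max_rtt_ns=None):
        self._key = key
        self.max_rtt_ns = max_rtt_ns  # None = cryptographic check only

    def try_unlock(self, path: RadioPath) -> str:
        challenge = os.urandom(16)  # fresh nonce, so replaying old replies fails
        response, rtt_ns = path.exchange(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return "reject: bad response"
        if self.max_rtt_ns is not None and rtt_ns > self.max_rtt_ns:
            return "reject: reply too slow"
        return "unlock"


def run_scenarios() -> dict:
    key = os.urandom(32)
    fob = Fob(key)
    paths = {
        "fob at 1 m": RadioPath(fob, 1.0),
        "fob at 50 m via relay": RadioPath(fob, 50.0),  # ideal zero-delay relay
        "wrong fob at 1 m": RadioPath(Fob(os.urandom(32)), 1.0),
    }
    crypto_only = Car(key)
    timed = Car(key, max_rtt_ns=rtt_bound_ns(2.0))  # constructed 2 m limit
    return {name: (crypto_only.try_unlock(p), timed.try_unlock(p))
            for name, p in paths.items()}


if __name__ == "__main__":
    for name, (crypto_only, timed) in run_scenarios().items():
        print(f"{name:24} crypto-only: {crypto_only:22} with RTT bound: {timed}")
```

The relayed exchange is indistinguishable from the direct one in everything except elapsed time, and the bound only works if the fob's own reply latency is fixed tightly enough that the extra flight time stands out.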
  6. Ghost Dog did it first by elrous0 · · Score: 3, Interesting

    This was how the lead character in Ghost Dog stole his cars. Great movie, BTW.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  7. relaying the wireless data? by YesIAmAScript · · Score: 2, Interesting

    That's really weak. That's barely a security hole at all. Someone has to be near me to have a system to talk to my car key?

    Also, the explanation article isn't an explanation at all, it talks about tire pressure monitoring systems and how to spoof readings from those to the dash. It also makes the mistake of saying that the TREAD Act requires you have a wireless tire pressure monitoring system. That's not true at all, the requirements for tire pressure monitoring can be done completely passively by monitoring the effective circumference of the tire (rotation speed) and is done so in many makes.

    --
    http://lkml.org/lkml/2005/8/20/95
  8. I saw this happen last Knight by Anonymous Coward · · Score: 5, Funny

    So I was drinking a wine cooler and watching Knight Rider last night and some dude totally hacked Kit using a TI computer and an ATARI joystick. This tech has obviously existed since the 80s. Sheesh.

  9. Re:This still won't cause much of an impact by peragrin · · Score: 2

    You do realize Nissan is selling keyless ignition systems on their Sentra model line, right? A $20,000 car isn't that much but you can get one of these systems. (I know I love the convenience of mine, but I do wonder about the risks)

    --
    i thought once I was found, but it was only a dream.
  10. Re:This still won't cause much of an impact by hardburn · · Score: 2

    I drive a stick. I expect most car jackers today will manage to get maybe three feet away.

    More seriously, this really isn't a big deal. Car thieves use much faster and cruder methods, like hammering a screwdriver into the lock, or just break the window. Car alarms are a joke, too. When was the last time you heard somebody's car alarm go off that wasn't due to a big truck running by, or a dog brushing up against it, or kids throwing rocks?

    --
    Not a typewriter
  11. Re:Can be turned off by afidel · · Score: 3

    Why? Mechanical locks are just as vulnerable if not more vulnerable so why put up with the inconvenience? Heck thieves have been known to use flatbed wreckers to haul off cars to take them to a chop shop, disabling your keyless entry certainly isn't going to stop that!

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  12. Take without permission, otherwise known as steal by noidentity · · Score: 5, Funny

    they can bypass the security of wireless entry and ignition systems to take a car without the owner's permission

    If only we had a word that meant taking something without the owner's permission...

  13. Re:Already on TV by StikyPad · · Score: 2

    I'm sure he was commenting on the last sentence of TFS, not the viability of the attack.

  14. New patent: Unsnoopable car lock by Midnight+Thunder · · Score: 5, Funny

    This patent presents a locking system for automotive vehicles that cannot be snooped by a nearby wireless hacker. This approach eliminates the need for problem prone wireless receivers and transmitters, whose signal can easily be captured by a third party in the vicinity. This device presents an opening in the door of about 2mm x 5mm and requires the use of a specifically shaped piece of metal. This piece of metal would be unique to each owner. Activation and deactivation is accomplished by a rotational action in either clock-wise or anti-clockwise directions.

    This patent is truly ground-breaking since it eliminates the need for an electronic system to function.

    --
    Jumpstart the tartan drive.
    1. Re:New patent: Unsnoopable car lock by TheL0ser · · Score: 5, Funny

      I can find no fault nor prior art with regards to your patent application. Your application is hereby approved. Please note that on the way out the door intent to sue forms are on your left, and a directory of lawyers on your right. For your convenience, we have also supplied a list of the largest companies that may be possible targets for your legislation. Thank you for visiting the Lawsuit-o-matic Patent Office, and have a nice day.

    2. Re:New patent: Unsnoopable car lock by tool462 · · Score: 2, Funny

      Your post advocates a

      (x) technical ( ) legislative ( ) market-based ( ) vigilante

      approach to fighting vehicle theft. Your idea will not work. Here is why it won’t work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Thieves can easily use it to harvest spare change
      ( ) Remote starts and other legitimate email uses would be affected
      ( ) No one will be able to find the guy or collect the money
      (x) It is defenseless against brute force attacks
      ( ) It will stop vehicle theft for two weeks and then we’ll be stuck with it
      ( ) Users of cars will not put up with it
      ( ) Chrysler will not put up with it
      ( ) The police will not put up with it
      (x) Requires too much cooperation from thieves
      ( ) Requires immediate total cooperation from everybody at once
      ( ) Many car companies cannot afford to lose business or alienate potential passengers
      (x) Car thieves don’t care about invalid keys
      ( ) Anyone could anonymously destroy anyone else’s car or truck

      Specifically, your plan fails to account for

      ( ) Laws expressly prohibiting it
      (x) Lack of centrally controlling authority for car keys
      ( ) Open roadways in foreign countries
      (x) Ease of searching tiny valid keyspace of a mechanical key
      (x) Asshats
      ( ) Jurisdictional problems
      ( ) Unpopularity of weird new mechanical things
      ( ) Public reluctance to accept weird new forms of keys
      (x) Huge existing software investment in KeeLoq
      ( ) Susceptibility of protocols other than KeeLoq to attack
      (x) Willingness of users to insert keys into doors
      ( ) Armies of rust-riddled pickup trucks
      ( ) Eternal arms race involved in all locking approaches
      (x) Extreme profitability of car theft
      ( ) Joe jobs and/or vehicle theft
      ( ) Technically illiterate politicians
      ( ) Extreme stupidity on the part of people who do business with car thieves
      (x) Dishonesty on the part of car thieves themselves
      ( ) Outlook

      and the following philosophical objections may also apply:

      (x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
      ( ) Any scheme based on opt-out is unacceptable
      ( ) KeeLoq algorithms should not be the subject of legislation
      ( ) Blacklists suck
      ( ) Whitelists suck
      ( ) Countermeasures should not involve registration fraud or insurance fraud
      ( ) Countermeasures should not involve sabotage of public roads
      ( ) Countermeasures must work if phased in gradually
      ( ) Unlocking car doors should be free
      (x) Why should we have to trust you and your key makers?
      ( ) Incompatibility with open source or open source licenses
      ( ) Feel-good measures do nothing to solve the problem
      ( ) Temporary/one-time keys are cumbersome
      ( ) I don’t want the government opening my car door
      ( ) Killing them that way is not slow and painful enough

      Furthermore, this is what I think about you:

      (x) Sorry dude, but I don’t think it would work.
      ( ) This is a stupid idea, and you’re a stupid person for suggesting it.
      ( ) Nice try, assh0le! I’m going to find out where you live and burn your house down!

  15. Just saw something similar on the morning news! by Phizzle · · Score: 2

    The morning news in SF Bay Area showed home security footage of someone just walking up to a supposedly locked up car (Toyota) and looting it without using a key or smashing windows. Apparently there has been a bunch of car robberies of this nature around the Bay Area.

    --
    I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own.
  16. Re:This still won't cause much of an impact by afidel · · Score: 2

    Exactly, the people capable of this are able to get jobs that pay much better than stealing cars and there won't be easy to use tools for the idiot thieves to use because simply selling criminal tools is a crime, again keeping the skilled people out of the market.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  17. This matters for nothing by BigSlowTarget · · Score: 2

    If they are going to take your car they are going to take your car. It might be easy, it might be hard but as long as cars can be towed you'd better kiss it goodbye if someone wants it bad enough.

    The biggest theft deterrent around is probably title registry and money laundering laws, the locks just protect you from the joyriding kids.

    1. Re:This matters for nothing by eepok · · Score: 2

      False dichotomy: Criminals want to steal your car or they don't.
      Tautology: If they are going to steal it, then they are going to steal it.

      The decision to commit a crime is relative to the reward of the crime and the risk of getting caught. If the risk is low enough in relation to the value of the crime, then the criminal will commit the crime. If it's not, and there's no mitigating circumstances, the criminal will not commit the crime.

      Make your car as difficult as possible to be stolen and your car will be less likely to be stolen. If it is stolen, then you will have a higher chance of recovery.

  18. Re:I disabled keyless entry on my car by dgatwood · · Score: 2

    What do you mean you might not use it? Really? I think every geek dreams about being able to simultaneously set off ten thousand car alarms. It was awesome enough just being in a marching band and setting off five or six along the parade routes.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  19. Obligatory RIAA joke. by Riceballsan · · Score: 2

    If this technology became more commonplace, and car theft becomes as easy as downloading an app for your iPhone, we may have to reverse our slogans. Start an anti car-theft promotion, You wouldn't download a song would you?

  20. Re:Take without permission, otherwise known as ste by thewils · · Score: 5, Funny

    That would be "copyright infringement" right?

    --
    Once I was a four stone apology. Now I am two separate gorillas.
  21. The "companion" article is irrelevant by sirwired · · Score: 2

    The companion article talks about something entirely different, namely security issues with wireless Tire Pressure Monitoring Systems. Neither the main article nor the "companion" article talk about the TPMS hack having anything whatsoever to do with vehicle theft or sabotage at the current time.

  22. Re:I disabled keyless entry on my car by dgatwood · · Score: 4, Funny

    Yeah, and I might not post this.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  23. Re:Top Gear showed that this is possible now. by PitaBred · · Score: 2

    How will the car know? It's the fact that the key isn't very strong that determines the range. If I get a more powerful antenna, there's no way the car could tell that it was coming from outside the car versus inside.

  24. Re:This is not the least bit surprising by mlts · · Score: 2

    Steering column locks are a joke to a serious thief. When I was in college out of high school, my car got broken into, and the steering column smashed open. What kept the vehicle from disappearing is the fact that I put in a kill switch so it would start, but as soon as the ignition returned to "on", it would immediately stall. So, frustrated thieves would just haul ass out of there after a few failed starts.

    From what I have personally experienced. What doesn't work:

    Normal car alarms.

    What does work:

    Kill switches. Time is not on the side of thieves, and having to fish through the dash to find the splicing is not in most of their playbooks unless the vehicle is worth it.

  25. Re:Can be turned off by Migraineman · · Score: 2

    Capable thieves use a tow truck or flatbed, as demonstrated here. They'll typically climb under and chop the ground wire to the battery. 15 seconds, tops.

  26. Re:Can be turned off by Migraineman · · Score: 2

    Apologies for self-replying. This demo is better.