Slashdot Mirror
Keyless Remote Entry For Cars May Have Been Cracked
WheezyJoe writes "The Today Show had a piece this morning showing video of thieves apparently using a small device to open and enter cars equipped with keyless entry. Electronic key fobs, which are supposed to be secure, are replacing keys in more and more new cars, but the evidence suggests that a device has been developed which effortlessly bypasses this security (at least on certain makes and models). 'Adding to the mystery, police say the device works on some cars but not others. Other surveillance videos show thieves trying to open a Ford SUV and a Cadillac, with no luck. But an Acura SUV and sedan pop right open. And they always seem to strike on the passenger side. Investigators don't know why.' Police and security experts say they are 'stumped.'"
As far as I can tell, the compromise discussed in this article is only keyless entry, not related to starting a car. The thieves are using it to steal stuff like cell phones and GPS units from inside parked cars, not stealing the cars themselves.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Never get into a car with a carjacker. People who do that wind up at the secondary crime scene, where the homicide (yours) takes place. Run away if you can, fight if you must, but don't get in the car.
There is no God, and Dirac is his prophet.
I was under the impression that these things were always vulnerable to replay attacks and I wouldn't be surprised if there was a master code as well.
See Rolling Code for why you are under the wrong impression. There might be a recent vulnerability, but for the vast extent of their history these kinds of systems have been safe against amateur tactics like simple radio tricks, and if there is a "Backdoor" code it has been a pretty well guarded secret.
Did anyone even really watch the video? The "object" in his hand was his thumb. He was opening a door where the handle is embedded in the door . His palm was up and his thumb was out. The door was not locked in the first place. Did anyone see him try the door before he supposedly used the "device"? The incident with the guy with the backpack is even more telling. He was walking along trying doors till he found one unlocked. Notice we took a step back when the door opened.
What is the evidence that the vehicles were locked? Statements from the victims who would loose the insurance award if they admitted that they forgot to lock their vehicle?
As another poster put it, these criminals are targeting vehicle contents; most of which are in the glove compartment.
A driver carries a pass, a credit card sized remote (or a keyless fob). As the driver approaches the vehicle, the vehicle scans the remote and is ready to unlock if you touch the handle. The door handle also has a sensor where your thumb goes. As soon as you touch it, and if the vehicle registers the keyless remote, the door is opened.
Such cars (usually) have push-button start systems that also work based on the proximity of the keyless remote.
It is very convenient if your hands are full and you want to open the rear door, for example, without having to search your pocket and fumble with buttons.
Approach the car, open the handle, press the button - drive. No need to even touch the key/remote, which sits in your wallet or pocket.
Most manufacturers outside of the German cars are using systems developed by KeeLoq, so a vulnerability in that would impact a large number of vehicles. Parts of the encryption method have been attacked by researchers, with papers like How To Steal Cars. Some of these papers point out that the exact security mechanisms used by manufacturers on top of KeyLoq's hardware are not public, so turning the theoretical hacks into a working device is still hard even with these issues identified. Based on that FAQ, KeeLoq itself seems secure against anything but very knowledgeable attackers with significant resources--they're quoting months of work to find a real-world vulnerability. However, we can't be sure that a specific implementation of the security approach wasn't weakened by a manufacturer mistake. I wouldn't place a large bet on that though. Someone like a car manufacturer wants to be able to say they passed the risk to someone expert in this area. If they start customizing things to add back doors, they're going to lose any ability to blame KeeLoq if there's a nasty vulnerability.