Keyless Remote Entry For Cars May Have Been Cracked
WheezyJoe writes "The Today Show had a piece this morning showing video of thieves apparently using a small device to open and enter cars equipped with keyless entry. Electronic key fobs, which are supposed to be secure, are replacing keys in more and more new cars, but the evidence suggests that a device has been developed which effortlessly bypasses this security (at least on certain makes and models). 'Adding to the mystery, police say the device works on some cars but not others. Other surveillance videos show thieves trying to open a Ford SUV and a Cadillac, with no luck. But an Acura SUV and sedan pop right open. And they always seem to strike on the passenger side. Investigators don't know why.' Police and security experts say they are 'stumped.'"
Haven't we seen proof of concept hacks of these kinds for a while?
Also, "adding to the mystery", my ass. Different keyfobs work with different algorithms and protocols. Someone's hacked a particular subset of them.
Maybe not so much the remote lock/unlock feature, but to be able to start it without actually inserting the key? A carjacker can push someone into their car as the door is opened and start it without fumbling for a key. Depending on the behavior of the car when the key becomes too far away, it can shut down during operation - dangerous - or be immobilized at its next destination (think a couple arrive at home, keyholder enters home and driver goes to run an errand).
Maybe because people commonly stuff things like their GPS into the glove box, which is located on the passenger side?
My car is so old it doesn't even have door locks, so not really a problem for me.
If I were God, wouldn't I protect my churches from acts of me?
You can get a keyless universal unlocker from china for around $2000USD.
This is probably something that is not what is expected, like some of those steering wheel locks that can be removed by breaking them in half by hitting in the middle of them rather than trying to pick the lock. They are not breaking the encryption, they are breaking the system, going around the expected secure path, not through it.
You can't handle the truth.
And getting access to the keys and/or algorithms that generate said keyfobs. How well are the companies protecting them?
Step 1: Set up lots of situations where surveillance shows a car getting "stolen." Do something no one can understand. Get it promoted to the news.
Step 2: industry professionals puzzle over this, finding and publishing some hole they end up finding.
Step 3: Steal cars using the newly published method, since most people are lazy and won't heed the software update/recall notices.
Convoluted? Sure. Plausible? Perhaps.
This tempts me so bad. I don't want to steal cars. I just want a button that sets off everyone's panic alarms.
God spoke to me
What if the preference (or requirement) for doing this on the passenger side is due to the physical location of some wiring or other device that is susceptible to some kind of electronic signal or noise conduction into other circuitry that ends up causing the unlock?
Nah, it's just a tennis ball with a hole in it.
No sig today...
I was under the impression that these things were always vulnerable to replay attacks and I wouldn't be surprised if there was a master code as well.
See Rolling Code for why you are under the wrong impression. There might be a recent vulnerability, but for the vast extent of their history these kinds of systems have been safe against amateur tactics like simple radio tricks, and if there is a "Backdoor" code it has been a pretty well guarded secret.
They cited Hondas and Acuras. As Acura is made by Honda, it seems like they're exploiting a bug or vulnerability in a specific device.
I have an exploit that works on all cars and I am willing to share it!
Step 1. Apply brick swiftly to car side window.
Step 2. Unlock car.
Step 3. Gain entry.
On some models Step 1 will need to be repeated several times before progressing to Step 2.
Did anyone even really watch the video? The "object" in his hand was his thumb. He was opening a door where the handle is embedded in the door. His palm was up and his thumb was out. The door was not locked in the first place. Did anyone see him try the door before he supposedly used the "device"? The incident with the guy with the backpack is even more telling. He was walking along trying doors till he found one unlocked. Notice we took a step back when the door opened.
What is the evidence that the vehicles were locked? Statements from the victims who would lose the insurance award if they admitted that they forgot to lock their vehicle?
As another poster put it, these criminals are targeting vehicle contents; most of which are in the glove compartment.
unlock = true;                                // default is "unlock": fail-open
try {
    if (!rxkeycode()) { unlock = false; }     // only an explicitly bad code denies
} catch (...) { }                             // any receive/parse error is swallowed; unlock stays true
if (unlock) { unlock_the_door(); }
Short of having found a "master keycode", I'd suspect something analogous to the above. Pretty much find any type of problem in the hypothetical rxkeycode() and you win, if that's how it's implemented. The cars it doesn't work on... either the triggered bug doesn't happen, or the logic starts with "unlock=false" blah blah blah.
Would be interesting to know, not that they'll ever tell.
help me i've cloned myself and can't remember which one I am
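The fail-open pattern in the pseudocode above, written out as an added illustration (not code from the thread or from any manufacturer): a receiver whose default is "unlock" opens the door whenever parsing throws, while a default-deny receiver does not. The frame layout, fob id and shared secret are constructed for the example.

```python
"""Fail-open vs fail-closed keyless-entry receiver (added illustration)."""
import hashlib
import hmac
import struct

# Constructed demo secret shared between fob and car (hypothetical).
FOB_SECRET = b"demo-fob-secret"

# Constructed frame layout: 4-byte fob id | 4-byte counter | 8-byte MAC
FRAME_LEN = 16
EXPECTED_FOB_ID = 0x0000BEEF


def mac_for(fob_id: int, counter: int) -> bytes:
    """Truncated HMAC over id+counter; stands in for the real keyed code."""
    msg = struct.pack(">II", fob_id, counter)
    return hmac.new(FOB_SECRET, msg, hashlib.sha256).digest()[:8]


def build_frame(fob_id: int, counter: int) -> bytes:
    return struct.pack(">II", fob_id, counter) + mac_for(fob_id, counter)


def rx_keycode(frame: bytes) -> bool:
    """Parse and verify one frame. Returns True only for a valid frame.

    Raises ValueError on malformed input: this is the path the posted
    pseudocode swallows with an empty catch block.
    """
    if len(frame) != FRAME_LEN:
        raise ValueError("bad frame length")
    fob_id, counter = struct.unpack(">II", frame[:8])
    if fob_id != EXPECTED_FOB_ID:
        return False
    return hmac.compare_digest(frame[8:], mac_for(fob_id, counter))


def unlock_fail_open(frame: bytes) -> bool:
    """Mirrors the posted pseudocode: unlock starts True and a swallowed
    exception leaves it there. Shown only to demonstrate the bug."""
    unlock = True
    try:
        if not rx_keycode(frame):
            unlock = False
    except ValueError:
        pass
    return unlock


def unlock_fail_closed(frame: bytes) -> bool:
    """Default deny: only an explicitly verified frame unlocks."""
    try:
        return rx_keycode(frame)
    except ValueError:
        return False


if __name__ == "__main__":
    good = build_frame(EXPECTED_FOB_ID, 42)
    truncated = good[:5]  # constructed malformed frame
    print("fail-open, truncated frame:  ", unlock_fail_open(truncated))
    print("fail-closed, truncated frame:", unlock_fail_closed(truncated))
```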
My 1986 Nissan Maxima had a keypad. I keyed in a code (of my choosing, plugged in at the dealership) and it unlocked my driver door, all my doors, my trunk, etc. I loved it because I could stash my keys in the trunk when I was doing something where I didn't want to keep my keys with me (like going to the gym) and just punch my key in when I wanted access. Sadly, this never caught on. I like it much better than fobs (other than remote start in cold weather).
A driver carries a pass, a credit card sized remote (or a keyless fob). As the driver approaches the vehicle, the vehicle scans the remote and is ready to unlock if you touch the handle. The door handle also has a sensor where your thumb goes. As soon as you touch it, and if the vehicle registers the keyless remote, the door is opened.
Such cars (usually) have push-button start systems that also work based on the proximity of the keyless remote.
It is very convenient if your hands are full and you want to open the rear door, for example, without having to search your pocket and fumble with buttons.
Approach the car, open the handle, press the button - drive. No need to even touch the key/remote, which sits in your wallet or pocket.
Boring...
BMW Hacking
I know with my Nissan, and I believe that all cars are the same, you need to press on the unlock button twice to unlock the passenger doors. Perhaps there is something in that sequence that allows them to create a shortcut sequence that opens the passenger doors.
For example, maybe there is something in the "lock" code that is sent to lock all of the doors that triggers the start of the "unlock passenger doors" sequence and all it is waiting for is the extra code from the second key press.
Some are vulnerable to replay attacks, but Hondas (and Acuras, which are Hondas) most definitely should not be. There was a European study that used more than just simple replay attacks, and they found a dozen brands of remote devices that were susceptible. Hondas were not amongst them.
This said, the article is retarded. I hope it's not the police officers' stupidity, but the authors'.
1) Of course they will go for the passenger's door, you morons, that's where drivers leave their stuff, and that's where the glove compartment is. The thieves are not stealing the cars, they are burglarizing them.
2) Of course, it will not work on all cars, you morons. The remotes use different protocols, and the thieves clearly have cracked Honda's. This will not help them much with Ford's.
3) Ok... three I'll keep to myself. As a former law enforcement agent, I'm sure the officers know that one, and are keeping it close to their chest. The authors are still morons, though.
No good deed goes unpunished...
This wasn't an amateur attack. This is security by obscurity. SMH. So they had it set to a high level of encryption like maybe 256. Computers are powerful enough now that it can be done with a short amount of time and patience. That's what cops don't grasp. It was never hard to break in for someone skilled. It was time consuming. Yes it took someone who could roll crypto with program writing. How do you think iPhones were jailbroken? Android rooted? DeCSS, and Blu-ray broken? Same way.
Honestly, they wanted to steal without getting caught. Now they simply unlock the door and look around.
The caveats are always the same. Never store valuables in your vehicle. Never assume it's safe. Always be vigilant.
Actually, now that I have had two minutes to think about it, I have a theory.
It may be that the thieves did not hack the remote, maybe they are triggering accident detection, which unlocks the doors. If I were a Honda engineer, this is what I would look at first.
Hell, maybe Honda is even blameless. I know some car dealerships push poorly thought-out mods on their customers. I would check to see whether there isn't a local dealership that is peddling a 'safety' add-on.
No good deed goes unpunished...
You tease . . .
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
It's more than that now though, as more and more cars come with keyless start where you just have to have the fob within a certain proximity of the vehicle to start it. Now that this has been cracked, all that it will take for a car thief is a little bit of crypto know-how and they will be able to take off with random cars off the street and no one will be the wiser, as to the car it will appear as though it's the correct fob, so no security alert like when someone tries to hot wire it or open the lock with a coat hanger.
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
NXP, google it yourself, don't believe me. NXP's Mifare is insecure, used in Oyster, OV-Chip and a few other very large deployments. Similar weak chipsets are found inside key fobs. Similar problems. Trivially exploitable. Just listening and some knowledge of the platform is enough to predict the next 'secure' exchange. And steal the car. Embarrassing: the next car could as well be an extremely expensive Mercedes Benz S-class.
From what I've read, this is how the attack works: keyfobs on certain cars unlock your car when you're "in range" of the car. For example, you leave the key fob in your pocket, and when you get to your car, it unlocks. I have heard that this attack is being done by "amplifying" the keyfob signal. The keyfob is in the house, on a nightstand, who knows. If you can "boost" the signal of the key fob with some device, so its range is, say, 30 feet longer, then you should be able to unlock those cars, hell, even start them. Once you are out of range, you could never re-start the car. This is an interesting theory.
It was in a paper I read not too long ago that thieves use a radio jammer so that the car never gets the signal to lock. Some cars lock the doors silently and some do it with a short honk of the horn. So, if it's the type that is silent, then most people never notice the car did not lock when they pushed the button and walked away.
Presumably the way this works is that the car and the key fob are loaded with an algorithm and a short key. It is possible by brute force to find the key, given a recording of a few transactions and knowledge of the algorithm.
But a micro SD card can store four gigabytes of key data now, which should be good for the life of the system, so maybe the next step is to embed a one time pad in both the key fob and the car security system.
http://michaelsmith.id.au
Dude, do you even have the slightest idea of what you are writing about ?
I have created some amazing new software that will allow entry to virtually all vehicles. It's called Crowbar 1.0 and it is available in your trunk today.
Mean what you say...say what you mean.
A better theory would be that the guys just placed a device in the neighbourhood earlier, that JAMS the signal that closes the car door. Most users wouldn't notice, since they just turn back and start walking while pressing the lock button. AFAIK, it is easier to JAM a signal than to decrypt it. :)
A small device with a 2W amplifier could cover a range of 500 metres easily.
The "old" security was that the time to break in must be taken at the car. You must jimmy the lock, use a coathanger, etc. The concerning ones are the ones where the time and skill can be honed privately, and the access is instant. You spend years making the fob in your garage against your own Acura. Then, find it works for all Acuras, but not Fords or GM. Borrow or buy another of those makes and keep honing. The time to break into the car is instantaneous, but it takes work to get to that point. The problem is that this break in is indistinguishable from a regular user.
Learn to love Alaska
So they had it set to a high level of encryption like maybe 256.
There is so much wrong with that statement I don't even know where to begin.
"Encryption" isn't the word you want for this, since sending a static, encrypted message would be highly vulnerable to a replay attack. You want "authentication", which if it's using a rolling code can be highly secure. But assuming you're talking about a 256-bit key, that's still not something you can just throw out as a "we can crack this". How fast you can brute-force it depends on how long it takes to attempt one key; any sane system would limit it to 1 attempt per 0.5 seconds or something, which would make it utterly infeasible to brute-force.
It was never hard to break in for someone skilled. It was time consuming.
Technically all computer security is "easy" if you have an infinite length of time to work with, but we're talking about time scales in the billions of years with a lot of modern computer security. We have the ability to have perfectly secure systems, the flaws are often in the implementation. With simple systems (ie, only access through an RF signal), your chances of getting security right are a lot higher.
Most of the things you listed are irrelevant. You are the owner of the device in all of those examples, so you must necessarily have all of the keys to access the content in question. Accessing a car is different; you need more than access to "the car" to break in unless you feel like disassembling the car, disassembling the internal computer, and reverse engineering the ROM chip inside.
What if the authentication between car and key for doors is different than key to ignition? If they enter from the driver's side, the second authentication fails. Not saying I know, but there's more than one reason to go to the passenger side.
Learn to love Alaska
One of our cars has remote start - but it cannot be driven without inserting the key into the ignition. That may not be the case for all vehicles with this feature... but it should be.
The key for my 2013 Ford Escape never leaves my pocket. When I touch the door handle it unlocks; I get in, step on the brake pedal, and press the Start button on the dashboard. Put it in gear and drive away.
All you need is the key within so-many feet of the vehicle.
If you're a zombie and you know it, bite your friend!
Obviously there is a back door in it. The thieves have figured out the code that is embedded in there that will open up to that.
I prefer the "u" in honour as it seems to be missing these days.
Interesting theory, but if you watch the videos the thieves are targeting specific vehicles.
Not to mention, I think most people would notice their keys had been stolen when they, you know, try to unlock something (like the front door to their homes).
An enigma, wrapped in a riddle, shrouded in bacon and cheese
On your previous message, you got what the news failed to. The cars were all Honda, Acura being a division of Honda.
Really, I wouldn't be surprised if it's what you're thinking. It may not be the trigger detection, but all kinds of other pesky things. It does seem to take close proximity to the passenger door handle. Otherwise, they'd just roll through parking lots to see which cars unlock.
It would be really embarrassing for Honda if it turned out that a simple ultrasonic emitter would trip up a sensor and unlock the door. :)
Serious? Seriousness is well above my pay grade.
It was actually nice when automakers rolled out RFID car keys about a decade ago, bringing two-factor authentication to the car's ignition. You needed a key with the right RFID, AND the correct mechanical cut to start the car. Two completely different systems had to be defeated to start the car, and it was difficult to do so without arousing suspicion. Now automakers are taking a step back in security. Not only is keyless ignition only single-factor authentication (relying on RFID exclusively), which makes it susceptible to remote attack, but it is also used to autonomously operate the door locks. A thief can steal a compromised car without any suspicious activity.
I can open a car in under 5 seconds. Faster than most people can with a key. And it isn't obtrusive.
I can also get OTHER people to break into a car for me.
The issue at hand can be fixed with authentication.
The Kruger Dunning explains most post on
If the owner of the car is near enough that they see their car's headlights blink from the unlocking, seeing someone standing by the driver's side door would appear to be intent to steal the car. Someone standing by the passenger side could more realistically feign ignorance or claim they were just going to steal belongings from inside the car (likely avoiding the grand theft felony).
That's not a new low - it's a new high! All the other articles around here are from the Yesterday Show.
It seems to me that the obvious solution is for the car manufacturers to offer a bug bounty. Then if someone builds a fob, they can collect the bounty instead of selling it to criminals and risking prison time.
I heard in fact that it was a GUI interface in VB that allowed them to crack this.
Central Ohio Home Theater Installation - The Theater People
The device uses an EMP to trigger the unshielded electronics in the car, that's why it has to be brought near. Else there's a back-door in these devices that the criminal element got hold of.
AccountKiller
If you are going to go there, you should also look at the shielding on the control relays. Maybe the internal control signals are predictable, and the car, being poorly grounded, is susceptible to bursts of RF inducing the same unlock signal. Not unlike triggering a crash would be, but targeted directly at the door locks. Though, what's the operation of door unlocking if the alarm is set? For my car, if I set the alarm with the remote, unlocking a door from the inside and opening it will set off the alarm. The alarm is only disabled with a signal from the remote, so I'd assume these to work similarly. Does a crash disable the alarm? If so, I'd see more people whacking the front bumper with a sledgehammer before breaking a window and grabbing stuff out.
Learn to love Alaska
Set up honey pot cars, catch the thieves, charge them for the honey pot expenses and some more: Profit!
Self-financing mechanism to reduce car thefts.
The encryption on these devices was not broken. It was bypassed due to a software vulnerability.
Only the State obtains its revenue by coercion. - Murray Rothbard
So have my last two cars. My newest vehicle (CLS 550) does have a "valet" feature that will alert you via email or text if it leaves an area you set. Mercedes can also track its location, supposedly.
Definitely scary stuff, though as I'm one of those people who hates having things in my pockets and almost always leave my wallet in the car. Of course, I can see it from my office window and my house/garage are alarmed.
Chance favors the prepared mind.
Perfect is the enemy of good.
What, an expert at bumping? Doesn't that require key blanks that fit? You'd need a large pocket full of blanks to have good matches, and it'd take you more than those 5 seconds to find the one that fits, assuming you have a match in your pocket somewhere.
Learn to love Alaska
Actually, now that I have had two minutes to think about it, I have a theory.
It may be that the thieves did not hack the remote, maybe they are triggering accident detection, which unlocks the doors. If I were a Honda engineer, this is what I would look at first.
Hell, maybe Honda is even blameless. I know some car dealerships push poorly thought-out mods on their customers. I would check to see whether there isn't a local dealership that is peddling a 'safety' add-on.
Still, even if it is a mod, Honda would still want to test the bejesus out of it.
BTW, I know exactly what you're talking about with bad dealers, had one put a crappy mild steel cat-back on a Honda Integra that was 1/2 an inch too big for it just to make it louder, ended up melting the underside of the bumper and rusted within a year.
Calling someone a "hater" only means you can not rationally rebut their argument.
Perfect systems? They do not exist.
Chance favors the prepared mind.
Perfect is the enemy of good.
I can open a car in under 5 seconds. Faster than most people can with a key. And it isn't obtrusive.
I'm just gonna go ahead and call you out on this right now.
A cop can't do that.
A AAA guy can't do that.
A mechanic can't do that.
A locksmith can't do that.
The car's manufacturer can't do that.
You can't do that.
Your options for getting in are:
Pick the lock. Not quick and easy. Often obtrusive. No matter how much you practice, each time you go to a lock you're feeling your way around blindly. It takes the most skilled of nerds an average of 3 attempts to plug in a USB cable in the back of a host.
Forcing the window down. Not quick and easy. Obtrusive.
Using a coat hanger or slim jim to trip the door latch. Not quick and easy. Obtrusive.
Smashing the window with a rock. Quick and easy. Very obtrusive.
Hacking the remote entry system. Quick and easy once you set it up and test it at home. Unobtrusive.
But please continue to sell us your bullshit about your 1337 skillz.
Dealerships often install a box to override some cars' functions, like preventing them from starting, in case the lessee stops making their payments. They also give the dealership GPS locations for the car. (This was featured on Car Lot Rescue recently.) It wouldn't surprise me if there was also a door-lock override so they could more easily do a repo.
For that matter, what about OnStar? So keeping score, I'm counting 6 ways to get into a car: it was unlocked (duh), physical key entry, regular remote fob, remote dealership, remote OnStar, and accident detection. I guess you could throw into the mix forced entry (breaking window, slim jim, sun roof, etc.)
"Police and security experts say they are 'stumped.'"
Let me help: Car makers just don't give a fuck and they have zero background in security. It's the combination of that.
See Rolling Code for why you are under the wrong impression. There might be a recent vulnerability, but for the vast extent of their history these kinds of systems have been safe against amateur tactics like simple radio tricks, and if there is a "Backdoor" code it has been a pretty well guarded secret.
Simple radio tricks can still work quite easily with rolling codes. Consider the following scenario:
1. Jamming signal/recorder applied to victim arrival area.
2. Victim arrives using key fob to open doors. Jamming signal prevents automatic door open or close from registering. Victim opens and closes doors manually before walking off to their destination.
3. Attacker subtracts recorded fob signal from jamming signal and recovers unused open command.
4. Attacker replays unused command while victim is away.
I would be surprised if the majority of keyless entry was RFID. It may be that the vulnerable ones use this, but RFID is not in any way a form of authorization. It is a form of identification. The difference is your username and your password. Anyone should be able to get the RFID and be no closer to accessing the system, just as your username is not private information and is fairly useless without the password. There are lots of easy and inconspicuous ways to steal an RFID because it's just there saying "HEY, I'm 157951234654..." and anything can read that ID and then easily masquerade as that RFID.
A proper keyless system uses cryptography (and does so properly). This is why many FOBS are quite expensive to replace and have a battery inside. When you attempt to unlock the vehicle, the vehicle sends a challenge to the FOB, and the FOB uses a private key to sign it; the vehicle then gets that signed response and verifies it using the public key. I know that my FOB uses a 40-bit key, which isn't very strong. Hopefully the vehicle has delays in place to prevent someone from trying thousands of keys a second, otherwise it could be broken with brute force given the small key size. This would still take a good while though.
It's possible that some of these vehicles are vulnerable if someone got their hands on a database of public keys (or worse, private keys), from which you could spend time searching for the private keys through brute force and build up a database of the private keys, and then load that list onto a portable device that masquerades as a FOB.
There's lots of possibilities.
Hey dude, you better check the driveway.
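The challenge-response exchange described in the post above, with the "delays in place" it hopes for, as an added example (not the thread's code or any vendor's protocol). A keyed HMAC stands in for the fob's signature, a fresh random challenge is issued per attempt and consumed after one verification, and three wrong responses lock the receiver for a fixed period. The key, lockout threshold, lockout length and injectable clock are assumptions made for the example.

```python
"""Challenge-response fob authentication with single-use challenges and a
lockout after repeated failures (added illustration)."""
import hashlib
import hmac
import secrets
import time

LOCKOUT_AFTER = 3          # wrong responses before the receiver backs off (assumption)
LOCKOUT_SECONDS = 30.0     # how long the receiver refuses new challenges (assumption)


class Fob:
    """Holds the secret and answers challenges. HMAC stands in for a signature."""

    def __init__(self, key: bytes):
        self.key = key

    def answer(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class Car:
    """Receiver side: issues a nonce, verifies the reply, rate-limits failures."""

    def __init__(self, key: bytes, clock=time.monotonic):
        self.key = key
        self.clock = clock             # injectable so tests can move time forward
        self.failures = 0
        self.locked_until = 0.0
        self.challenge = None          # outstanding challenge, if any

    def issue_challenge(self):
        """Return a fresh 16-byte nonce, or None while locked out."""
        if self.clock() < self.locked_until:
            return None
        self.challenge = secrets.token_bytes(16)
        return self.challenge

    def verify(self, response: bytes) -> bool:
        now = self.clock()
        if self.challenge is None or now < self.locked_until:
            return False
        expected = hmac.new(self.key, self.challenge, hashlib.sha256).digest()
        # Consume the challenge: a captured reply is useless against the next one.
        self.challenge = None
        if hmac.compare_digest(expected, response):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= LOCKOUT_AFTER:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
        return False


def unlock_attempt(car: Car, fob: Fob) -> bool:
    """One full exchange: car challenges, fob answers, car verifies."""
    challenge = car.issue_challenge()
    if challenge is None:
        return False
    return car.verify(fob.answer(challenge))


if __name__ == "__main__":
    key = b"constructed-demo-key"
    car, good_fob, wrong_fob = Car(key), Fob(key), Fob(b"some-other-key")
    print("genuine fob:", unlock_attempt(car, good_fob))
    print("wrong fob x3:", [unlock_attempt(car, wrong_fob) for _ in range(3)])
    print("genuine fob during lockout:", unlock_attempt(car, good_fob))
```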
As for why the passenger door: they stand outside the car and rifle through the glove box and center console. That's easier from the passenger side.
Learn to love Alaska
" 7 dog years = 1 human year. How many years would it be for a digital dog @ 4.4GHZ?"
The same amount of time as it would be for a digital human. Changing the units of measurement does not turn years into seconds, it's still the same length of time. You are so blatantly stupid, yet think you are qualified to tell people they are wrong regarding things you obviously possess only a pseudoscience knowledge of... is the only thing that is mind blowing.
OnStar, CarShield - likely others. Maybe one of them has an exploit and comes standard on some trim packages.
A fool throws a stone into a well and a thousand sages can not remove it.
A little over a decade ago, I went to visit my sister. I parked my car and locked my door. When I did so, though, I heard a second car beep. Sure enough, every time I locked my car, a car across the street (not the same make or model, by the way) would unlock. Now, it could have been a huge coincidence that I parked my car near another car that had the same access code, but exactly how big of a coincidence could that have been? How big a pool do they choose those access codes from?
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
I saw that report and the first thing I thought was "have any of these 'baffled' people done some searching online?" I'm guessing these thieves aren't technological geniuses who all come up with the same amazing technology all on their own. Chances are, there's some underground site that either shows you how to make this device or, more likely, sells it.
Sure enough, someone here posted a link to a "universal unlocker" sold from China for $25. If that's the device these crooks are using then they just "invest" a small amount of money and can quietly and quickly rob valuables from dozens of cars.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
Just saying they can't doesn't make it so. It doesn't make GP true either, but there are so few details/parameters here that I'm sure it's absolutely true for some people with some vehicle models.
My own story is that I unlocked three different cars with just a coat hanger when I was only 13 or so and it only took me 15-20 minutes. I was a complete noob to it and was just helping a friend who locked themselves out, but was able to do it. One of those times, I picked a set of keys up off the seat with a coat hanger and pulled them through the window (damaging the lining... keys were locked in the old beat up pick up).
I'm sure someone who knew what they were doing with the right tools can pop open an older car/truck in moments, and it wouldn't surprise me if a pro could do most new cars almost as quickly (the tennis ball trick does work on a lot of models too).
If this works the way it seems to work, it would seem to be a backdoor attack.
A car's security system will disable after some number of wrong attempts, for a length of time, usually ~30 seconds.
A device that pretty much instantly works is a "master" code.
Most governments require backdoors, so this is probably a leak of Law Enforcement devices.
Truth isn't Truth - Guliani
The car alarm will still go off for any of those, except for hacking the remote entry system, and the immobilizer will prevent the car from going anywhere.
Clearly, on reading this, I will continue to only use cars that have RFID transponders in the key itself and won't go anywhere without the key in the ignition.... I may have to stop leaving the expensive sunglasses in the car, is all.
That bounty would have to be pretty high to have any chance of succeeding. 7 figures at least, I would think... Stealing cars, especially high end cars with no damage at all, can be extremely profitable.
So tell me Mr. Crypto Wizard, is "512" twice as much encryption as "256"? If a dog can crack a "256" key in one day, how fast can a 4.4 GHz dog crack a "512" key? (Please, others that have a clue, don't respond. I'm trying to enjoy the humor in the ridiculousness of this)
It wasn't a rolling code system then.
With a rolling code remote the receiver has to learn the transmitter, which has a unique code set at the factory. Every time you press the button a counter is incremented. Some secret algorithm is applied to this counter and the unique code and the output is what is transmitted.
The receiver has the same algorithm and if it knows the unique code and the counter value it can verify the transmitted code is correct.
If the receiver is out of sync and doesn't have the correct value for the counter it has several options. It can try the transmitted code with a series of counter values, under the assumption the remote was used while out of range and its counter is a few digits off, or it can refuse the code and wait for the next attempt. Using a different 'secret' algorithm the receiver can use the unique code and two of the transmitted codes to recreate the current value of the counter.
Not all manufacturers of rolling code technology use the same algorithms but they're all along the same principle.
If I had to guess as to what the car thieves have done, they have discovered a vulnerability in a specific manufacturer's implementation, so all car manufacturers/models that use the same keyless entry system are vulnerable.
They've either discovered a bug in the receiver so they don't require previous knowledge, or they've discovered the algorithms used and have recovered previous transmissions by the car owners and have come back later after discovering the unique id of their keyfob.
A better theory would be that the guys just placed a device in the neighbourhood earlier, that JAMS the signal that closes the car door. Most users wouldn't notice, since they just turn back and start walking while pressing the lock button. AFAIK, it is easier to JAM a signal than to decrypt it. :)
A small device with a 2W amplifier could cover a range of 500 metres easily.
I have the habit of always hitting the lock button twice, and making sure I hear the horn. That way I know my truck is locked.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
Collision detection is usually done via an accelerometer. My car has one in between the front seats to detect head on impacts and deploy the air bags.
I guess cars with curtain airbags would have sensors in the doors, but if they were being triggered why aren't the airbags going off?
Perhaps there is a water sensor in doors to unlock in case the car gets submerged. That would allow someone to rescue a person stuck inside a car. Maybe the thieves are squirting water in the key holes or something.
If you want to steal a car, you go for the driver's door.
If you want to rob it, you go for the passenger door. The glovebox is there, and people usually hide stuff under the passenger seat too, not the driver's one. You have more room to rip out stereos etc. if you feel the need, with no steering wheel to get in the way. It's usually the door next to the footpath when parallel parked as well.
Maybe it's just a high voltage spark from a piezo device, like a gas oven lighter or cigarette lighter. It upsets the electronics and causes the door to unlock. Used to work on a type of public telephone, why not some types of alarm systems?
Just have a wide spectrum receiver, enough samples and a powerful enough computer and you are in. Just leave a datalogger connected to the receiver, collect the sample, decrypt it with a laptop, set up a transmitter to run through the possible challenge & response codes and you're in.
Keyless entry that uses proximity to a wireless fob, and that explicitly does not require a button press to activate, has been well and thoroughly cracked and the exploit published. The basic idea is to use two bent-pipe analog repeaters to fool the car into thinking your fob is right beside the car and not currently inside Wal-Mart (or in this case, Tessco perhaps?) where the accomplice is standing somewhat close to you and the fob in your pocket.
Oh lookie... here's the popular-press article right here.
Some models of newer cars don't have physical keys at all. There's just an electronic widget.
And the thieves don't have to crack your code. Instead, they buy a device that will open many, many cars.
Why do the thieves need help with Fords? There are plenty of Hondas to rob.
All you need is the key within so-many feet of the vehicle.
Great... so as soon as you get within X feet of your car, some crook can just dash in front of you; pop open your door, start er up, and then drive off.
Or if you accidentally leave your purse in the car after you get home, with your keys in it... one of your kids can get in and start the car, since the key is still within X feet?
The dealers and factories don't have the source to rolling code remotes either.
The chip manufacturers are the only ones who do, because if it got leaked, all the security is gone.
My newest vehicle (CLS 550) does have a "valet" feature that will alert you via email or text if it leaves an area you set. Mercedes can also track its location, supposedly.
And this is not a privacy concern? Why?
If Mercedes can track you... you know the government can require access to that data held by a 3rd party, with just a request.
They don't even need a warrant, and nothing prevents them from sharing this data with other companies or other members of the public, who might not have your best interests at heart....
Of course... one of the biggest concerns is that crooks could discover when no one's at home, by getting real time tracking data on all the vehicles (e-mail account compromise would be ideal -- and the /legitimate/ alerts could be a dead giveaway).
In that case, they would know that they have plenty of time to work slowly and disable any alarm or other security measures that might otherwise be a strong deterrent, before breaking in.
No, the key has to be inside the passenger compartment to start it.
Seems to be an implementation issue with certain manufacturers. Rolling codes are reasonably secure and have been for a while.
Chewbacon
The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
If a delay of 1 second was required after each failed start attempt, would this make it take so long to roll through the codes as to make it too time consuming to do it? Or maybe after ten failed start attempts, force a 30 second wait?
The "bad guy" may have a laptop with a repurposed GPU just for cracking rolling codes, but if we slow his communication to a drunken stutter, he's going to have to wait a long time before he gets his reward - he'd come out better getting a job and buying the car outright.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
Most governments require backdoors,
I believe this is where wikipedia inserts a [citation required], or simply flags it as "Weasel Words".
That's such an unbelievably vague and broad claim that I'm surprised you thought you could get away with it.
No, the key has to be inside the passenger compartment to start it.
My sister reports that her car started just fine with the keys on the roof or hood. Not that they stayed there after the car started moving...
You should already be buckling a seat/shoulder belt. That's more effort than putting a key in a key hole. So, I don't see that the risks of keyless entry *and* starting make up for the minor convenience of not having to use a key. YMMV.
I also noticed that it does not seem to work from afar, so for certain not a keyfob hack.
My guess is they use an electromagnetic field in some way to unlock the car. Can they use induction to create the unlock doors signal on the CAN bus? Or is it shielded enough? There are holes in the door plate near the (plastic?) handle.
Or physically move something in the lock ?
We don't know if they have larger batteries on their body. But certainly not a keyfob attack.
And there's another blog entry on it: Where Things Fall Apart: Protocols (Part 2 of 2)
The summary is that there's a mutual authentication key (MAK) that should be different for each vehicle on the road; however, if some manufacturer has taken a short cut and used the same key on a large number of vehicles then all those cars are at risk, and looking at the article it seems to be the case - the device works for some vehicles but not others.
As for their habit of going in on the passenger side - that's where the glove compartment is and where it's likely that some valuables are found.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
My thought was that the ECU is usually in the passenger footwell and perhaps they are able to open the doors but not start the engine without an ECU mod; either a piggyback board or indeed a complete replacement ECU.
What makes you think that wasn't done? I never suggested the length of time required or the amount of skill required. I simply said it could be done.
As to authentication and RFID, yes I did ignore that. My bad. Obviously they found a way around them.
The point I was making is if you truly want to break something, you will. No one will stop you from entirely disabling and extracting all the ROMs from a modern car, viewing them on an oscilloscope, doing the same to a key fob and rolling a program. Is it insane? Yes. Is it time consuming? Yes. Will it achieve the objective? YES.
As for irrelevancy, I disagree. No one could break the iPhone until someone rolled the program. I seem to remember that one jailbreak actually required soldering a point inside the phone's board.
The difference is people are jailbreaking others' phones. If they did, we would have a crap load of celebrity pron. Yet we don't.
As for the scale of billions of years, not true. You can chain enough processor power and pull that down. Remember the govt wants in to all your stuff too. Also Bitcoin for another example.
What most likely happened? Acura or Honda had a bug or a flaw in their implementation and someone discovered it. Either hardware or software, they did. Back to the original post. Never rely on security by obscurity. It will always be broken.
Most governments require backdoors,
So do most Porn companies. At least they get more pleasure out of them.
English is not this
My car is a Nissan Maxima and the problem with this is that I've accidentally left the key in the car in the console under the radio and the car locked because the key fob lost contact with the car for a few seconds. So even though it wasn't supposed to be possible to lock yourself out of the car, it has happened to me twice. I just use the real key now. The wireless keys are solving a problem I never had and causing more problems for me.
A little over a decade ago, ... every time I locked my car, a car across the street would unlock.
About that time, my boss (who had the usual boring company car in the usual colour) returned to a large car park, thought he had found his car, and unlocked it with the remote. He was actually sitting in the driver's seat before he realised it was not his car.
Except, if this were the case, how would your spare key work? Removed from the vehicle, it will not roll over..
I am not an expert here, but I suspect there is some two way communication going on. The vehicle asks for code number x, which the key must supply correctly, sort of thing.
I have determined that my sig is indeterminate.
"No smoke without fire" fallacy. GGP is posting to Slashdot rather than living the high life in St. Tropez, so I think it's fair to say he's full of shit.
Well, passenger side door, apparently.
Wrong again, take for instance a dog. 7 dog years = 1 human year. How many years would it be for a digital dog @ 4.4 GHz? Exactly. Your billions of years suddenly turned into seconds with the digital dog decryptographic technique. Don't even get me started on applying quantum mechanics to this because it would blow your mind. Is there a car, is there a key? Is it locked or unlocked?!
Hah, you just made my day. That was a good one.
Except, if this were the case, how would your spare key work? Removed from the vehicle, it will not roll over..
I am not an expert here, but I suspect there is some two way communication going on. The vehicle asks for code number x, which the key must supply correctly, sort of thing.
Multi-key support is maintained by the processor in the car; it simply assumes that any new key being paired goes in the "next" slot, and they often have 4 slots or so. Each received transmission is checked until it matches the right code (the computer has no problem checking each key slot 256 times or so) or is thrown away. You are right that there must be a two-way handshake of some sort at some point in the system's life, and this is essentially what is done when the car is put in programming mode (a special sequence of key position changes in the ignition, usually). From that point on, the PRNG in the key and the car move in lock step, and no one but those two parties knows what the "next" key is (without a pretty significant amount of intercepted data and CPU horsepower).
#3 - The passenger door has more fingerprints on it than the driver-door. It is no secret.
But there is some science, though not much. Go to eBay and search on key reprogrammers for MB, BMW, and Mini. They use a field coil to program the key, after the security code has been read from the OBD2 connector.
What's wrong with taking the signal in the field coil and overwhelming the receiver inside the car with a strong signal, or a set of signals that is the delta of codes generated to make keys? The delta can't be huge, maybe a few million of them. How long does it take to go thru the list until POP goes the lock? A little science, but in the end, real hacking is science but also intuition and just plain tenacity.
---- Teach Peace. It's Cheaper Than War.
Makes sense...
I have determined that my sig is indeterminate.
That bounty would have to be pretty high to have any chance of succeeding. 7 figures at least, I would think... Stealing cars, especially high end cars with no damage at all, can be extremely profitable.
You don't need to convince the "bad guy hackers" to send in the fix, you just need to encourage any "good guy hacker" to send it in. Yes, the "underworld" might pay more for the info, but most people do not have contacts with them, while a bug bounty program is easily found and you have a reasonable expectation that you will get paid and little risk that you might end up in jail.
I never suggested the length of time required or the amount of skill required. I simply said it could be done.
Right, and the way you said it makes it clear that you aren't in a position to make those sorts of declarations. This isn't Hollywood; just because something exists doesn't mean that it is possible to crack its security in human timeframes.
The point I was making is if you truly want to break something, you will
Oh OK. Tell that to the governments who were asking Blackberry for some way to crack BES (not BIS) traffic, only to be told "it can't be done". Or China, who currently tries to block OpenVPN traffic because it's not really breakable. Or any court case where forensics has a TrueCrypted drive and can't get any further because they don't have the keys.
I seem to remember that one jailbreak actually required soldering a point inside the Phones board.
The only way to get that level of access in a car is to disassemble the whole thing. Once you have done that "breaking into the car" is sort of irrelevant.
Not to be harsh, but you really don't know what you are talking about. You are speculating and making statements about things that you have only the most rudimentary knowledge about.
See Rolling Code for why you are under the wrong impression. There might be a recent vulnerability, but for the vast extent of their history these kinds of systems have been safe against amateur tactics like simple radio tricks, and if there is a "Backdoor" code it has been a pretty well guarded secret.
I have wondered how the rolling code stays in sync if you ever press your key fob while out of range. The code would increment to the next one and the car would still be expecting a different one. I haven't found an answer to how this works in a quick Google search, do you or anyone here know how that is handled?
-- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.
"No smoke without fire" fallacy. GGP is posting to Slashdot rather than living the high life in St. Tropez, so I think it's fair to say he's full of shit.
Maybe he is posting to Slashdot from his high life in St. Tropez! Ever think of that?
-- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.
I have a simpler explanation that doesn't require a wall of text. They are opening the passenger side because that is where the glove box is and people typically stash valuables on or under the passenger's seat.
Yeah, I'm sure the police have turned to the public because they didn't consider that, and out of all the security footage they have, would be unaccustomed to the typical behavior of car thieves, so when they say something is unusual (like always opening from the passenger door and always wearing a backpack) it's probably some totally obvious reason any anonymous coward sipping on his beer in his mother's basement could crack.
Whereas my answer offers an explanation that wouldn't be obvious to a typical law enforcement officer, provides enough detail for the typical law enforcement officer to follow up on to verify, and a likely profile of the attacker so they can narrow their search. And all before my morning beer in my mother's basement.
#fuckbeta #iamslashdot #dicemustdie
Actually, it sounds like it's more of a passenger door attack...
The assumption in the article is that the thief has a device that contains the "magic code" to open car doors. In 2011 the Network and Distributed System Security Symposium presented a paper titled "Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars" (reference http://www.internetsociety.org/events/ndss-symposium-2011-0) that discusses this very topic (direct link to the paper: http://www.internetsociety.org/sites/default/files/franc.pdf). The relay attack seems a more feasible explanation of this phenomenon, where parking locations or specific vehicles are targeted rather than vehicles being targeted at random. In the paper, section 5 does the best job of describing an attack scenario that might explain the thieves' mechanism. A thief will exploit what is readily available. Apparently, like a card scanner, they are able to capture the original key fob signal and present it in another form.
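Added here as an illustration of the relay attack this post and the earlier "two bent-pipe repeaters" post describe, and of the round-trip timing check (distance bounding) that the cited paper proposes against it; this is constructed example code, not the paper's or any vendor's implementation, and the range limit, fob turnaround time, and relay latency values are assumptions.

```python
import hashlib
import hmac
import os

# Physical constant plus assumed policy values for this demo (not figures from the paper).
LIGHT_M_PER_US = 300.0       # radio propagation, metres per microsecond
MAX_RANGE_M = 2.0            # how close the fob must be for a passive unlock (assumed)
FOB_TURNAROUND_US = 1.0      # fixed time the fob needs to compute its reply (assumed)
MAX_RTT_US = 2 * MAX_RANGE_M / LIGHT_M_PER_US + FOB_TURNAROUND_US


class Fob:
    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, challenge: bytes) -> bytes:
        """Answer the car's random challenge with a keyed MAC (HMAC-SHA256 stands in for
        the vendor's cipher). The fob cannot tell a relayed challenge from a direct one."""
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()[:8]


class Car:
    def __init__(self, secret: bytes):
        self.secret = secret

    def check(self, channel) -> dict:
        """channel(challenge) models the radio path and returns (round_trip_us, response).
        Both verdicts are returned so it is visible which one a relay defeats."""
        challenge = os.urandom(8)
        rtt_us, response = channel(challenge)
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()[:8]
        mac_ok = hmac.compare_digest(expected, response)
        rtt_ok = rtt_us <= MAX_RTT_US
        return {"mac_ok": mac_ok, "rtt_ok": rtt_ok, "unlock": mac_ok and rtt_ok}


def direct_channel(fob: Fob, distance_m: float):
    """Owner standing distance_m from the car, no intermediaries."""
    def channel(challenge):
        rtt = 2 * distance_m / LIGHT_M_PER_US + FOB_TURNAROUND_US
        return rtt, fob.respond(challenge)
    return channel


def relayed_channel(fob: Fob, gap_m: float, relay_delay_us: float):
    """Two repeaters bridging gap_m between car and fob; the relay electronics add
    relay_delay_us (constructed value) in each direction on top of the extra propagation."""
    def channel(challenge):
        rtt = 2 * (gap_m / LIGHT_M_PER_US + relay_delay_us) + FOB_TURNAROUND_US
        return rtt, fob.respond(challenge)
    return channel


def demo() -> dict:
    """Three cases: owner at the door, owner 150 m away behind a relay, wrong fob."""
    secret = b"constructed-pairing-secret"
    car, fob = Car(secret), Fob(secret)
    return {
        "owner_at_door": car.check(direct_channel(fob, 1.0)),
        "owner_in_store": car.check(relayed_channel(fob, 150.0, 0.5)),
        "stranger_fob": car.check(direct_channel(Fob(b"other-secret"), 1.0)),
    }
```

The relayed case passes the cryptographic check, which is the paper's point: only the timing bound distinguishes a fob that is next to the car from one whose signal is merely being repeated.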
Just a coincidence they named it "Escape"?
I have wondered how the rolling code stays in sync if you ever press your key fob while out of range. The code would increment to the next one and the car would still be expecting a different one. I haven't found an answer to how this works in a quick Google search, do you or anyone here know how that is handled?
Wikipedia says that the receiver usually checks a 256 code range for the received signal in case it missed some clicks. That seems like it would eventually work its way out of sync though.
No. He probably lives in the USA or a Western European country, where warrantless tracking is setting serious self-justifying precedents.
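A worked model of the scheme described in the rolling code post earlier in the thread and in the multi-slot receiver reply, added here as constructed example code (not any manufacturer's algorithm): a counter-based code, a receiver that scans each key slot over the next 256 counter values, and the out-of-sync case raised in the question above. HMAC-SHA256 stands in for the vendor's secret algorithm, and the window and slot count are assumptions taken from the thread.

```python
import hashlib
import hmac

# Look-ahead window and slot count are assumptions taken from the thread (256 codes, ~4 slots).
WINDOW = 256
MAX_SLOTS = 4


def rolling_code(secret: bytes, counter: int) -> bytes:
    """The code sent for one button press: a keyed MAC over the counter."""
    return hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class Fob:
    """Transmitter: factory-unique secret plus a counter that only ever increases."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1          # increments even when the car is out of range
        return rolling_code(self.secret, self.counter)


class Receiver:
    """Car side: one slot per paired fob holding [secret, last accepted counter]."""

    def __init__(self):
        self.slots = []

    def pair(self, fob: Fob) -> None:
        """Programming mode: learn the fob's secret and current counter (re-pairing resyncs)."""
        for slot in self.slots:
            if slot[0] == fob.secret:
                slot[1] = fob.counter
                return
        if len(self.slots) >= MAX_SLOTS:
            raise RuntimeError("no free key slot")
        self.slots.append([fob.secret, fob.counter])

    def receive(self, code: bytes) -> str:
        """Try every slot over its next WINDOW counter values. A counter at or below the
        last accepted one is never retried, which is what defeats a replayed capture."""
        for slot in self.slots:
            secret, last = slot
            for n in range(last + 1, last + 1 + WINDOW):
                if hmac.compare_digest(rolling_code(secret, n), code):
                    slot[1] = n        # jump forward to resync with the fob
                    return "accept"
        return "reject"


def demo() -> list:
    """Normal use, a replay, out-of-range drift inside the window, drift past it, re-pair."""
    car = Receiver()
    fob = Fob(b"constructed-factory-secret-A")
    fob2 = Fob(b"constructed-factory-secret-B")
    car.pair(fob)
    car.pair(fob2)
    events = []
    events.append(car.receive(fob.press()))          # accept: counter 1
    captured = fob.press()
    events.append(car.receive(captured))             # accept: counter 2
    events.append(car.receive(captured))             # reject: replayed code
    for _ in range(10):
        fob.press()                                  # pressed in a pocket, out of range
    events.append(car.receive(fob.press()))          # accept: counter 13 is inside the window
    events.append(car.receive(fob2.press()))         # accept: second slot is independent
    for _ in range(WINDOW):
        fob.press()                                  # far more presses than the window covers
    events.append(car.receive(fob.press()))          # reject: window exhausted
    car.pair(fob)                                    # programming mode resyncs the slot
    events.append(car.receive(fob.press()))          # accept again
    return events
```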
See Rolling Code for why you are under the wrong impression. There might be a recent vulnerability, but for the vast extent of their history these kinds of systems have been safe against amateur tactics like simple radio tricks, and if there is a "Backdoor" code it has been a pretty well guarded secret.
I have wondered how the rolling code stays in sync if you ever press your key fob while out of range. The code would increment to the next one and the car would still be expecting a different one. I haven't found an answer to how this works in a quick Google search, do you or anyone here know how that is handled?
Pretty simple. Only increment the counter if the fob gets an "unlock successful" pingback from the car.
It's not the years, honey, it's the mileage. - Colonel Henry Walton Jones, Jr., Ph.D.
When you click once the driver door is unlocked. You have to click twice and all doors unlock. Must be two different programs and the hacker only needs the one. PureWaterHQ
And you seem to be missing the entire point. You seem to think I am talking about breaking into someone's car first. So to clarify: I am not. This is why I am using iPhone jailbreaking as an example. If someone wants to break into an Acura the most logical solution is to buy the car and the fob! Hello! To access all other cars one would obviously need both the car and the way to get into it! Dudes popped open the doors and did it one of three ways.
1. Its their car
2. They defeated the locking mechanism
3. or they used a key
Obviously one and three are false. To defeat the computer system you need all the components. That includes a car. Yes, someone can actually disassemble a car. Since by your post you don't believe that, I can't help you. I would expect nothing less.
Also, I actually know a lot more about the subject than you do because:
www dot engadget dot com slash 2010 slash 03 slash 09 slash 1024 dash bit dash rsa dash encryption dash cracked dash by dash carefully dash starving dash cpu dash of dash ele
If China truly wants to restrict they can. They don't want to. They want to control information about themselves, which isn't possible. With the internet it's either off or on. There is no middle ground. Besides, VPNs are just as hackable. Need I post a YouTube video of it? I can. As for BES, RIM is dying. BES is pretty much irrelevant to most hackers because it's 1%. It's like Windows Phone, it can be done but why? However, to answer your question, can it be hacked? Yes, OpenSecurity talks about it.
Our govt and most others use archaic computer systems and are dumb. Do I expect them to be able to? Also the NSA wanted to just collect info for the purpose of collecting info, so of course you tell them no.
Finally, I take it you were unaware of the court case where first the guy suspected of child porn doesn't have to open his drive because they asked (it was TrueCrypt). Then, after the cops actually decrypt a drive and find evidence, suddenly the judge orders him to open the others.
Finally, I'm not being harsh either, but you are unwilling to believe what is staring you in the face. It can be done and done now. All encryption can be broken easily. It requires raw computational power. I am not talking the 'hacking the gibson' bullshit either.
As of 2003 RSA Security claims that 1024-bit RSA keys are equivalent in strength to 80-bit symmetric keys, 2048-bit RSA keys to 112-bit symmetric keys and 3072-bit RSA keys to 128-bit symmetric keys. RSA claims that 1024-bit keys are likely to become crackable some time between 2006 and 2010 and that 2048-bit keys are sufficient until 2030. An RSA key length of 3072 bits should be used if security is required beyond 2030.[6] NIST key management guidelines further suggest that 15360-bit RSA keys are equivalent in strength to 256-bit symmetric keys.
I don't believe those cars were encrypted with 2048. I believe they were 512. So please go off somewhere with your troll-like behavior. If you want to have an intelligent discussion on cryptography, awesome; otherwise, GTFO because you obviously aren't keeping up or doing research, because I can back up all my statements with hard facts from reputable sources as I have worked in the industry.
According to RSA, 40-bit keys were crackable in 2010. To not be crackable without a massive amount of computational power (chained supercomputers, for the obvious idiots here) it needs to be 112 bits.
RKE fobs are usually made by different manufacturers that use 315 MHz (for North America). The one I tested with was made by Texas Instruments, which I assume most Ford vehicles use. The signal usually consists of 3 parts: a small number of bits for the manufacturer code, followed by a large security code which is encrypted and rolling, and another small number of bits for the function (unlock, lock, panic, trunk). The rolling code only cycles so many times and would not be easy even if you had a device that was able to brute-force it. Since they are using the passenger's side door they are probably using a new method exploitable on flawed vehicles, or it's just people doing insurance fraud. I would assume this method involves overloading the circuit. If anything I would reach out to Texas Instruments and see what they have to say, since they probably created most of the technology behind the RKE fobs. Below I posted a link to an example of an RKE fob made by TI and a link to a video I made in 2009. http://www.ti.com/lit/ds/slws011d/slws011d.pdf http://www.youtube.com/watch?v=l24mgY2Ro8g
... that a thief isn't going to put a brick through the window.
Once they can see something valuable enough to be worth the risk of getting caught, the glass is going to go and the dude is going to be off down the road with the goodies. Or if it's the car that is valuable enough, it's going to go onto the back of a tow truck (itself stolen, perhaps).
That's nothing to do with key-less systems.
Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
I do. And considering Snowden's revelations, do you really think it is still beyond the pale?
They can have my POS TSX. What a lemon...
Yes, these are concerns.
I do live in the US where they track the heck out of everyone anyway. However, I actually came from a communist country where there is much fear of the government and people are afraid to speak up. People who do have been known to disappear, etc.
What really bugs me is the common retort "if you have nothing to hide..." Well, why not just strip search everyone (which they basically do at airports), or put a police officer in everyone's house. Or stick a chip in everyone, or start tracking people's thoughts....
All that being said... there's nothing like a Mercedes V8. Can't get it w/o the tracking. Also if my wife or I were in an accident or an emergency it would help. The concierge service (where you can call in and get directions, etc.) is also very useful for someone like me that travels a lot.
Chance favors the prepared mind.
Perfect is the enemy of good.