Slashdot Mirror


Keyless Remote Entry For Cars May Have Been Cracked

WheezyJoe writes "The Today Show had a piece this morning showing video of thieves apparently using a small device to open and enter cars equipped with keyless entry. Electronic key fobs, which are supposed to be secure, are replacing keys in more and more new cars, but the evidence suggests that a device has been developed which effortlessly bypasses this security (at least on certain makes and models). 'Adding to the mystery, police say the device works on some cars but not others. Other surveillance videos show thieves trying to open a Ford SUV and a Cadillac, with no luck. But an Acura SUV and sedan pop right open. And they always seem to strike on the passenger side. Investigators don't know why.' Police and security experts say they are 'stumped.'"

68 of 398 comments

  1. Stumped my ass by Anonymous Coward · · Score: 5, Insightful

    Haven't we seen proof of concept hacks of these kinds for a while?

    Also, "adding to the mystery", also my ass. Different keyfobs work with different algorithms and protocols. Someone's hacked a particular subset of them.

    1. Re:Stumped my ass by ackthpt · · Score: 5, Funny

      Haven't we seen proof of concept hacks of these kinds for a while?

      Also, "adding to the mystery", also my ass. Different keyfobs work with different algorithms and protocols. Someone's hacked a particular subset of them.

      Maybe the car is sentient, hates the current owner and wants to be stolen.

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Stumped my ass by Trepidity · · Score: 4, Interesting

      Yeah, the fact that it works only on certain makes/models, if anything, makes it much less mysterious. Compromises that exploit particular broken implementations of a cryptosystem are by far the most common kind of vulnerability, more common than fundamental breaks of a cryptosystem. If this device is opening only certain kinds of Hondas, it's likely Honda screwed up its implementation in at least some models.

    3. Re:Stumped my ass by Anonymous Coward · · Score: 3, Informative

      Also, "adding to the mystery", also my ass. Different keyfobs work with different algorithms and protocols. Someone's hacked a particular subset of them.

      The linked article on Today is horrible. They also talk over and over about how "The Police" are stumped. As if "The Police" was some kind of borg mind. Better articles with more facts and less made up stuff can be found. It's the Long Beach Police Department, btw.

    4. Re:Stumped my ass by chuckinator · · Score: 5, Interesting

      An older engineer I worked with once told me a story about a car manufacturer (don't remember which one) using the CAN bus to control the side view mirrors. Well, the CAN bus is an electrical bus without any form of authentication or security, and car thieves started to make a habit of busting off one of the side mirrors and issuing the unlock doors message on the bus. Note that the authenticity of this story is what you should expect from typical water cooler gossip.

    5. Re:Stumped my ass by optikos · · Score: 5, Funny

      They also talk over and over about how "The Police" are stumped. As if "The Police" was some kind of borg mind.

      Well, The Police did put out an album entitled Ghost in the Machine, so perhaps that qualifies as Borg-Lite.

    6. Re:Stumped my ass by Amouth · · Score: 4, Interesting

      that was a Volvo, everything uses the same damn bus

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    7. Re:Stumped my ass by greg1104 · · Score: 5, Informative

      Most manufacturers outside of the German cars are using systems developed by KeeLoq, so a vulnerability in that would impact a large number of vehicles. Parts of the encryption method have been attacked by researchers, with papers like How To Steal Cars. Some of these papers point out that the exact security mechanisms used by manufacturers on top of KeeLoq's hardware are not public, so turning the theoretical hacks into a working device is still hard even with these issues identified. Based on that FAQ, KeeLoq itself seems secure against anything but very knowledgeable attackers with significant resources--they're quoting months of work to find a real-world vulnerability. However, we can't be sure that a specific implementation of the security approach wasn't weakened by a manufacturer mistake. I wouldn't place a large bet on that though. Someone like a car manufacturer wants to be able to say they passed the risk to someone expert in this area. If they start customizing things to add back doors, they're going to lose any ability to blame KeeLoq if there's a nasty vulnerability.

    8. Re:Stumped my ass by mjwx · · Score: 4, Funny

      Borg-Lite.

      Same great assimilation, only one calorie.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    9. Re:Stumped my ass by guruevi · · Score: 3, Interesting

      I have wondered myself recently too if it were at all possible. Someone was trying to open a rather expensive car in a parking lot (forgot keys or whatever, security was helping too so not a burglary) - I thought, if you can just pop the hood (you can open a hood with simple tools) and connect to one of the buses, can't you just tell the car to unlock by sending a message on it. It's most likely on a CAN or I2C bus, something open-y enough that you can just get a generic system for most cars. An Arduino could probably do it.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    10. Re:Stumped my ass by girlintraining · · Score: 4, Interesting

      Maybe the car is sentient, hates the current owner and wants to be stolen.

      That, or the guy carrying the backpack in the video has something big enough in it to need a backpack; like a large coil, battery, and circuit board. People seem to forget that every electronic device is both a radio transmitter and receiver. With a powerful enough transmitter, any signal can be induced in any part of a circuit. Of course, physics also demands that any signal induced would be strongest along parallel wires -- power cables, to be specific.

      The reason why they're targeting passenger-side doors is probably because the control logic is in the driver side door, and the doors on the right-hand side would have the longest run of cable between the control board and the door's solenoid. Of course, you don't run power cable from one side of the car to the other, you run a signal wire; which depending on what kind of logic gate is on the other side, may only require a tenth to a half volt of voltage across it to trigger.

      The equipment to generate a short, broadband pulse at a right angle should be sufficient to induce the required voltage, thus causing the door to unlock. Never attack the crypto system when you can go after the control interface. This is, for all intents and purposes, a side channel attack. It would only work on makes and models of cars that have a sufficiently long run of signal cable running along the longitudinal axis of the vehicle. The attacker would need to be within about 5 feet to do this, and to not be obvious the car would need to be equipped with a lock that is along the window-frame or make an audible noise during unlock -- otherwise an attacker would have to visually inspect the interior of the car first, and the suspicious behavior of doing so in a parking lot filled with cars could attract law enforcement.

      Anyway, that's my suspicion for what's going on. To detect this, you'd need to be able to detect a sudden increase in broadband EMR, and triangulate its location, and the emission would only last a few milliseconds, if that. The police won't have the resources to find this, but the FCC might if the attacks are happening within a single metropolitan area... or if you had one of those multimillion dollar semitruck rigs with millimeter wave x-ray tech like what they use in airports to scan people (and their backpacks) for the tell-tale metal loop, which would be optimally placed around the circumference of the bag.

      Mind you, all of this ignores potential 4th amendment issues, along with all manner of other legal obstacles, including the fact that you'd be irradiating innocent people who are also unaware of your activities while in public. Failing that, you're tasked with swarming an area with officers and detaining anyone with a backpack within a certain radius, that radius being defined as the response time between signal acquisition and having boots on the ground.

      As to profiling them, you're probably looking for a van without windows, SUV, or similar vehicle where stolen goods can be dropped off and the attacker picked up quickly and removed from the area... statistically, he'll be within a few blocks. The equipment needed to generate a powerful enough EM pulse would take up most of the backpack and be very bulky -- even with high energy density batteries... it probably wouldn't have enough room to store much in the way of stolen items, necessitating a nearby collection point.

      --
      #fuckbeta #iamslashdot #dicemustdie
    11. Re:Stumped my ass by girlintraining · · Score: 2

      Oh, and P.S., if you're trying to catch this crew without the multimillion dollar anti-terrorist equipment or the FCC, you should canvass upscale shopping malls and retail establishments that cater to people who make an excess of $40,000 per year and are aged 45+; Look for lots filled with cars that are 2007 or newer, SUVs, etc. That's the most lucrative target for this type of criminal. Prioritize for surveillance areas with a lot of vehicle traffic, but not a lot of foot traffic. You already know their M.O., and if you're playing by the numbers, you should only have to put about 30 or so places under surveillance. Don't bother putting places already hit under surveillance -- you're dealing with an RF engineer or someone similarly-trained (like an EE), they're going to know enough not to return to the scene of the crime, at least not this early in their 'career'. They may get sloppy, or desperate, later, depending on what the motivation for these attacks is.

      You probably don't know where and when the first attack like this was, but if by some incredible stroke of luck you do, center your search radius on that point. That was the test area. A rig like this would have to be tested, and human nature suggests they'd pick a place not too far from their home to try it out.

      You might also want to check for a spike in cable TV, internet, etc., service calls within the same metropolitan areas; It would look not dissimilar to a lightning strike in its pattern, but have a smaller geographical footprint and (obviously) no lightning on the day of the reports. It's very unlikely he used a faraday cage or had the proper equipment to isolate the emissions from other vulnerable devices... he might have even blown out his own cable TV receiver or internet while building it. Creating the equipment to perform an attack like this is relatively straightforward for an RF engineer or EE, but an experienced amateur radio operator or hobbyist could probably also build it; It's just exceedingly unlikely they got it right on the first attempt.

      Good luck guys.

      --
      #fuckbeta #iamslashdot #dicemustdie
    12. Re:Stumped my ass by Maximum Prophet · · Score: 2

      At some point in there, the encryption has to end, and a logic 0 or 1 has to be sent to some device to unlock the door. If you found that point, and had a way to get into it... ...

      A regular car probably has some place where exactly 1 logic 1 or 0 can be sent to unlock the door, but it's not unusual to have a system that first requires an enable solenoid to be activated, then simultaneously the unlock solenoid actually moves the bolt. (Mostly military stuff)

      The solenoids also take a bit of current, so if the logic controller is well shielded and takes a stream of bits to open, your system would be fairly secure against EMP type attacks, even if the solenoid isn't well shielded. You don't want your doors unlocking every time you pass a semi with a 1 kW linear amp on his CB rig.

      --
      All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
  2. Just a thought. by Capt.DrumkenBum · · Score: 4, Insightful

    they always seem to strike on the passenger side

    Maybe because people commonly stuff things like their GPS into the glove box, which is located on the passenger side?
    My car is so old it doesn't even have door locks, so not really a problem for me.

    --
    If I were God, wouldn't I protect my churches from acts of me?
    1. Re:Just a thought. by dkleinsc · · Score: 4, Insightful

      Also, the passenger side is right next to the sidewalk if the car is parallel-parked. That makes it a lot easier than trying to break into a car while traffic is barely missing your tush.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    2. Re:Just a thought. by gl4ss · · Score: 2

      maybe they should try to find which device it is.
      here's a thought though, maybe it causes induction in the lock relay itself.
      a more realistic reason though is this: it's less suspicious if someone goes to a car on the passenger side, gets something and gets out again, like picking something up from the car he's supposed to be picking up.

      or cars are just parked with the passenger door towards sidewalk....

      --
      world was created 5 seconds before this post as it is.
    3. Re:Just a thought. by wile_e8 · · Score: 2

      Also no steering wheel on that side. As long as they are just stealing valuables from the car, it's one less obstacle to pull stuff around and no chance of hitting the car horn and alerting the people in the house.

    4. Re:Just a thought. by CAIMLAS · · Score: 2

      Add to the fact that most in-vehicle theft is performed with a broken window, it's kinda stupid. I'd prefer to leave my doors unlocked so I don't have to shell out $300 for new glass - and a broken window is a much more visible sign of B&E than someone fiddling with a coat hanger or gaining access keyless.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    5. Re:Just a thought. by ThePeices · · Score: 5, Funny

      Add to the fact that most in-vehicle theft is performed with a broken window

      Isn't that kinda dangerous for the burglar? Walking around with a broken window to be used to break into a car is unwieldy, and they can easily cut themselves on the glass of the broken window they are carrying.

      Not to mention it would look pretty suspicious walking down the street with a broken window.

  3. kits for sale online by Anonymous Coward · · Score: 2, Interesting

    You can get a keyless universal unlocker from china for around $2000USD.

    1. Re:kits for sale online by ArchieBunker · · Score: 2

      Care to back up this statement?

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
  4. probably not a key that is sent by roman_mir · · Score: 2, Interesting

    This is probably something that is not what is expected, like some of those steering wheel locks that can be removed by breaking them in half by hitting in the middle of them rather than trying to pick the lock. They are not breaking the encryption, they are breaking the system, going around the expected secure path, not through it.

    1. Re:probably not a key that is sent by mindwhip · · Score: 2

      You are probably right... Either that or it's a brute force attack and they just throw lots of codes at it in a short time and hope one works, which is unlikely.

      My guess is they have a radio/microwave transmitter that is causing a computer reboot/corruption or messing with the sensor information being fed from the mechanical parts of the lock and tricking the computer into thinking the mechanical key was used, which triggers the central locking to open. As for the passenger side thing, it could be that side is more vulnerable due to longer/shorter wires or the actual location of the computer.

      --
      [The Universe] has gone offline.
  5. This tempts me to go black hat so bad. by GoodNewsJimDotCom · · Score: 2

    This tempts me so bad. I don't want to steal cars. I just want a button that sets off everyone's panic alarms.

    1. Re:This tempts me to go black hat so bad. by h4rr4r · · Score: 2

      That sets off car alarms, most cars do not have them.

      He wants to trigger the panic button, which just uses the normal horn and pretty much all cars with keyless entry have.

  6. Not code cracking but some other mechanism? by cruff · · Score: 2

    What if the preference (or requirement) for doing this on the passenger side is due to the physical location of some wiring or other device that is susceptible to some kind of electronic signal or noise conduction into other circuitry that ends up causing the unlock?

    1. Re:Not code cracking but some other mechanism? by bobbied · · Score: 2

      OR.... They simply are opening unlocked doors..... (See post from jklovanc below)

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  7. Re:just now? by Joce640k · · Score: 5, Funny

    Nah, it's just a tennis ball with a hole in it.

    --
    No sig today...
  8. Re:Seems an unnecessary feature by Trepidity · · Score: 5, Informative

    As far as I can tell, the compromise discussed in this article is only keyless entry, not related to starting a car. The thieves are using it to steal stuff like cell phones and GPS units from inside parked cars, not stealing the cars themselves.

  9. Re:Seems an unnecessary feature by VAXcat · · Score: 5, Informative

    Never get into a car with a carjacker. People who do that wind up at the secondary crime scene, where the homicide (yours) takes place. Run away if you can, fight if you must, but don't get in the car.

    --
    There is no God, and Dirac is his prophet.
  10. Re:just now? by jeffmeden · · Score: 5, Informative

    I was under the impression that these things were always vulnerable to replay attacks and I wouldn't be surprised if there was a master code as well.

    See Rolling Code for why you are under the wrong impression. There might be a recent vulnerability, but for the vast extent of their history these kinds of systems have been safe against amateur tactics like simple radio tricks, and if there is a "Backdoor" code it has been a pretty well guarded secret.

  11. Seems to be "Honda-Specific" by bradgoodman · · Score: 2

    They cited Hondas and Acuras. As Acura is made by Honda - it seems like they're exploiting a bug or vulnerability in a specific device.

  12. Thumb by jklovanc · · Score: 4, Informative

    Did anyone even really watch the video? The "object" in his hand was his thumb. He was opening a door where the handle is embedded in the door. His palm was up and his thumb was out. The door was not locked in the first place. Did anyone see him try the door before he supposedly used the "device"? The incident with the guy with the backpack is even more telling. He was walking along trying doors till he found one unlocked. Notice he took a step back when the door opened.

    What is the evidence that the vehicles were locked? Statements from the victims who would lose the insurance award if they admitted that they forgot to lock their vehicle?

    As another poster put it, these criminals are targeting vehicle contents; most of which are in the glove compartment.

    1. Re:Thumb by workactnumberfive · · Score: 4, Insightful

      The incident with the guy with the backpack is even more telling. He was walking along trying doors till he found one unlocked. Notice he took a step back when the door opened.

      He is walking by cars, hitting the button on his device. If you watch it again, you'll see that as he walks by, the lights in the car go on before he touches it...just like they do when you hit your unlock button on the keyfob. When that happens, he then backs up to enter the vehicle, as it is now unlocked.

    2. Re:Thumb by jklovanc · · Score: 2

      His hand is on the door handle as he walks by. The inside lights come on when the door is unlatched as well as when the remote is used.

  13. Keypad by bhcompy · · Score: 3, Insightful

    My 1986 Nissan Maxima had a keypad. I keyed in a code (of my choosing, plugged in at the dealership) and it unlocked my driver door, all my doors, my trunk, etc. I loved it because I could stash my keys in the trunk when I was doing something where I didn't want to keep my keys with me (like going to the gym) and just punch my key in when I wanted access. Sadly, this never caught on. I like it much better than fobs (other than remote start in cold weather).

    1. Re:Keypad by organgtool · · Score: 4, Interesting

      My friend had a keypad on his garage door opener with a four-digit code. One day he invited me and another friend over, but he didn't answer the door when we got there. Calling his house line also proved futile. We figured he fell asleep before we got there (which turned out to be the case). However, while we were waiting, the friend who was stuck outside with me started punching numbers on the garage keypad. I tried telling him that there were 10,000 possible combinations, but that didn't dissuade him. After a few seconds, the garage door opened up. I asked him how he knew the code and he pointed out that four of the numbers on the keypad were very worn. I did the math and realized that his observation took the number of possible combinations from 10,000 to 24! The point is, be careful with those keypads and change the numbers periodically if possible.

    2. Re:Keypad by Anonymous Coward · · Score: 2, Funny

      Just fyi for any other maths people. That's an exclamation point, not a factorial.

    3. Re:Keypad by organgtool · · Score: 2

      My friend knew beforehand that the code was four digits long and there were four worn keys, therefore it was highly unlikely that any of the digits were repeated.
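The arithmetic in the two comments above (10,000 four-digit codes, 24 once four distinct worn digits are known) generalises to any code length and any number of worn keys, which is the number a defender wants when deciding how often a shared keypad code should be rotated. The following is an added example written for this page, not code from either commenter; it assumes a decimal keypad and counts, without listing, the codes that remain consistent with a set of worn keys.

```python
from itertools import product
from math import comb


def codes_using_exactly(worn_keys: int, code_length: int) -> int:
    """Codes of `code_length` digits that use each of the `worn_keys` distinct
    digits at least once, counted by inclusion-exclusion over the digits left
    out. This equals worn_keys! * S(code_length, worn_keys) (Stirling numbers
    of the second kind); for 4 worn keys and a 4-digit code it is 4! = 24."""
    if worn_keys > code_length:
        return 0
    return sum(
        (-1) ** left_out * comb(worn_keys, left_out) * (worn_keys - left_out) ** code_length
        for left_out in range(worn_keys + 1)
    )


def codes_using_at_most(worn_keys: int, code_length: int) -> int:
    """Upper bound when the observer cannot tell whether a worn digit repeats:
    any string over the worn digits, repeats allowed."""
    return worn_keys ** code_length


def enumerate_exact(worn_keys: int, code_length: int) -> int:
    """Brute enumeration of the same quantity, used only to cross-check the
    closed form on small inputs."""
    return sum(
        1
        for code in product(range(worn_keys), repeat=code_length)
        if len(set(code)) == worn_keys
    )


def residual_space(worn_keys: int, code_length: int, digits: int = 10) -> dict:
    """How much of the nominal code space survives once wear reveals the digits."""
    full = digits ** code_length
    exact = codes_using_exactly(worn_keys, code_length)
    return {
        "full_space": full,
        "exactly_worn_digits": exact,
        "at_most_worn_digits": codes_using_at_most(worn_keys, code_length),
        "reduction_factor": full / exact if exact else float("inf"),
    }


if __name__ == "__main__":
    # The thread's case: a 4-digit code and four worn keys.
    print(residual_space(4, 4))
    # A longer code does not help much if it still uses only four digits.
    print(residual_space(4, 6))
```

The `reduction_factor` is the figure to watch: a four-digit code collapses from 10,000 candidates to 24 once its four digits are visible, and even a six-digit code drawn from four worn keys leaves only 1,560 of a nominal 1,000,000. Periodic rotation, as the commenter recommends, is what keeps the wear pattern from identifying the digit set in the first place.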

  14. You must not be familiar with keyless by 1800maxim · · Score: 5, Informative

    A driver carries a pass, a credit card sized remote (or a keyless fob). As the driver approaches the vehicle, the vehicle scans the remote and is ready to unlock if you touch the handle. The door handle also has a sensor where your thumb goes. As soon as you touch it, and if the vehicle registers the keyless remote, the door is opened.

    Such cars (usually) have push-button start systems that also work based on the proximity of the keyless remote.

    It is very convenient if your hands are full and you want to open the rear door, for example, without having to search your pocket and fumble with buttons.

    Approach the car, open the handle, press the button - drive. No need to even touch the key/remote, which sits in your wallet or pocket.

    1. Re:You must not be familiar with keyless by innocent_white_lamb · · Score: 2

      My 2013 Ford Escape does exactly this.

      It also opens the back hatch if you kick your foot under the back bumper when the key is in your pocket, which is very handy. The owner's manual warns you about having the key in your pocket when washing the vehicle, though -- if you spray water under the rear bumper you could suddenly have the hatch opening. I always leave the key in the driver's cupholder when washing it to avoid that problem.

      --
      If you're a zombie and you know it, bite your friend!
  15. Re:Seems an unnecessary feature by CAIMLAS · · Score: 2

    I believe the key actually has to be present only for the initial start of the car, though I might be mistaken. That would be how I'd design it, at any rate. I see no point in the key needing to be present while the vehicle is in operation.

    On a whole, keyless start is an irritating and stupid feature, I think. For those of us who work out of our vehicles, it's irritating to have to lock/unlock the vehicle frequently just to make sure it's not jacked.

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  16. Re:Seems an unnecessary feature by Anonymous Coward · · Score: 3, Informative

    Maybe not so much the remote lock/unlock feature, but to be able to start it without actually inserting the key? A carjacker can push someone into their car as the door is opened and start it without fumbling for a key. Depending on the behavior of the car when the key becomes too far away, it can shut down during operation - dangerous - or be immobilized at its next destination (think a couple arrive at home, keyholder enters home and driver goes to run an errand).

    There are several systems involved here.
    First of all you have the remote lock/alarm/window fobs. These are powered by a small watch-style battery in the fob, and allow the car to be locked/unlocked (or roll down windows) from a pretty good distance away... sometimes as far as 50 yards or more. This is basically a coded message using a pre-shared key stored on the fob and in the car's computer system. Unless you have a specific remote-start system added to the car (or built in to a few luxury models) this won't actually start the car itself.

    The second system involved is a Proximity based system. This also relies on the battery working, and allows a push-button unlock on the door to be used or the car to be started if the fob is inside the passenger compartment and within a few feet of the ignition. It's a similar mechanism to the remote unlock, and like the remote unlock if the battery fails it doesn't work.

    Finally, you have an RFID-based anti-theft/anti-key-copying system built into the ignition. Each physical key has an RFID chip built into it, sometimes you can see them embedded in the key itself, sometimes it's hidden inside the plastic molding on the head of the key. This is not battery powered, and will not unlock the car at all. All it really does is prevent the ignition from working unless the inserted key has a functioning RFID chip.

    Most fobs have a physical key that can be removed from the fob, so that if the battery stops working the key can be used physically for unlocking and starting the car, but remember the RFID will not allow the push-button unlock or the keyless ignition to work, it has to be physically inserted.

    Now down to the article.
    They don't bother telling us if any of those systems have remote start capability, or if they are just keyless entry and keyless start systems.
    They also don't tell us how close the thieves are getting to the vehicle.
    They don't come out and say it, but they are calling these thefts of the actual vehicle, not just people robbing stuff from the interior.

    So what this boils down to is as follows:
    If the thieves are actually stealing the cars, then we must know if the stolen vehicles had remote start or just keyless start. We must also know how close they get to the door. Once they have that information, they should be able to easily deduce which system is being compromised: the remote start or the keyless entry.

    As for how they are doing it, it's most likely a weakness in how the key codes are being generated by the systems in question, or else a weakness with one particular remote start system. The initial keycodes in the fobs are generated at the factory, but can be reprogrammed at a dealership (which you have to do if you get a new key or replace a lost key). So it could be just a problem with factory default codes being too predictable. I would guess the "device" is just a normal keyless entry transmitter which has a bunch of pre-loaded codes that it runs through until it gets a "hit".
    But it's also possible they're running a brute-force attack and just trying all possible combinations. These things use a pre-shared key to encrypt the remote commands, but as there are a very limited number of commands and the format doesn't vary it might very well be possible to crack the crypto using other methods as well. These are all proprietary systems and they won't even tell you the key length, let alone details about how the communication works.

  17. Re:just now? by Tuidjy · · Score: 4, Interesting

    Some are vulnerable to replay attacks, but Hondas (and Acuras, which are Hondas) most definitely should not be. There was a European study that used more than just simple replay attacks, and they found a dozen brands of remote devices that were susceptible. Hondas were not amongst them.

    This said, the article is retarded. I hope it's not the police officers' stupidity, but the authors'.

    1) Of course they will go for the passenger's door, you morons, that's where drivers leave their stuff, and that's where the glove compartment is. The thieves are not stealing the cars, they are burglarizing them.

    2) Of course, it will not work on all cars, you morons. The remotes use different protocols, and the thieves clearly have cracked Honda's. This will not help them much with Ford's.

    3) Ok... three I'll keep to myself. As a former law enforcement agent, I'm sure the officers know that one, and are keeping it close to their chest. The authors are still morons, though.

    --
    No good deed goes unpunished...
  18. Re:just now? by thunderclap · · Score: 3, Insightful

    This wasn't an amateur attack. This is security by obscurity. SMH. So they had it set to a high level of encryption like maybe 256. Computers are powerful enough now that it can be done with a short amount of time and patience. That's what cops don't grasp. It was never hard to break in for someone skilled. It was time consuming. Yes it took someone who could roll crypto with program writing. How do you think iPhones were jailbroken? Android rooted? DeCSS, and Blu-ray broken? Same way.
    Honestly, they wanted to steal without getting caught. Now they simply unlock the door and look around.
    The caveats are always the same. Never store valuables in your vehicle. Never assume it's safe. Always be vigilant.

  19. Re:just now? by Tuidjy · · Score: 4, Interesting

    Actually, now that I have had two minutes to think about it, I have a theory.

    It may be that the thieves did not hack the remote, maybe they are triggering accident detection, which unlocks the doors. If I were a Honda engineer, this is what I would look at first.

    Hell, maybe Honda is even blameless. I know some car dealerships push poorly thought-out mods on their customers. I would check to see whether there isn't a local dealership that is peddling a 'safety' add-on.

    --
    No good deed goes unpunished...
  20. Re:just now? by lister king of smeg · · Score: 2

    It's more than that now though, as more and more cars come with keyless start where you just have to have the fob within a certain proximity of the vehicle to start it. Now that this has been cracked, all that it will take for a car thief is a little bit of crypto know-how and they will be able to take off with random cars off the street and no one will be the wiser, as to the car it will appear as though it's the correct fob, so no security alert like when someone tries to hot-wire it or open the lock with a coat hanger.

    --
    ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
  21. Re:Seems an unnecessary feature by Richy_T · · Score: 3, Funny

    They're in my glove box if you'll just lean in and grab them for me...

  22. Re:Seems an unnecessary feature by Sponge Bath · · Score: 2

    ...the secondary crime scene, where the homicide (yours) takes place.

    Like this from yesterday.

    That's some sad stuff.

  23. Thinking out of the box - Jamming the close signal by quilombodigital · · Score: 5, Interesting

    A better theory would be that the guys just placed a device in the neighbourhood earlier that JAMS the signal that closes the car door. Most users wouldn't notice, since they just turn back and start walking while pressing the lock button. AFAIK, it is easier to JAM a signal than to decrypt it. :) A small device with a 2W amplifier could cover a range of 500 m easily.

  24. Re:just now? by AK+Marc · · Score: 2

    The "old" security was that the time to break in must be taken at the car. You must jimmy the lock, use a coathanger, etc. The concerning ones are the ones where the time and skill can be honed privately, and the access is instant. You spend years making the fob in your garage against your own Acura. Then, find it works for all Acuras, but not Fords or GM. Borrow or buy another of those makes and keep honing. The time to break into the car is instantaneous, but it takes work to get to that point. The problem is that this break in is indistinguishable from a regular user.

  25. Re:just now? by LordLimecat · · Score: 3, Informative

    So they had it set to a high level of encryption like maybe 256.

    There is so much wrong with that statement I don't even know where to begin.

    "Encryption" isn't the word you want for this, since sending a static, encrypted message would be highly vulnerable to a replay attack. You want "authentication", which if it's using a rolling code can be highly secure. But assuming you're talking about a 256-bit key, that's still not something you can just throw out as a "we can crack this". How fast you can brute-force it depends on how long it takes to attempt one key; any sane system would limit it to 1 attempt per 0.5 seconds or something, which would make it utterly infeasible to brute-force.

    It was never hard to break in for someone skilled. It was time consuming.

    Technically all computer security is "easy" if you have an infinite length of time to work with, but we're talking about time scales in the billions of years with a lot of modern computer security. We have the ability to have perfectly secure systems; the flaws are often in the implementation. With simple systems (i.e., only access through an RF signal), your chances of getting security right are a lot higher.

    Most of the things you listed are irrelevant. You are the owner of the device in all of those examples, so you must necessarily have all of the keys to access the content in question. Accessing a car is different; you need more than access to "the car" to break in unless you feel like disassembling the car, disassembling the internal computer, and reverse engineering the ROM chip inside.

  26. Re:just now? by skelly33 · · Score: 2

    One of our cars has remote start - but it cannot be driven without inserting the key into the ignition. That may not be the case for all vehicles with this feature... but it should be.

  27. Re:Or attacking the source... by fuzzyfuzzyfungus · · Score: 2

    Valid, and stupid on their part. That is why I said should.

    Fair enough. I'm just deeply pessimistic that the (wise and superior) "knowledge of the algorithm Must Not compromise the system" standard that crypto systems are held to prevails with keyless entry systems.

    For whatever reason (whether it be power/gate constraints, cultural sharing with the world of locksmithing, or vendor lousiness uninhibited by the ruthlessness of the internet), keyless-entry/RFID auth/etc. seems to be one of the last major bastions of vendors talking about 'Proprietary Encryption' as though it were a feature, rather than a point of shame. Encryption algorithms on general purpose computers went through that stage, at one time; but the lightweight RF hardware market seems to be lagging considerably in terms of awareness.

  28. Re:just now? by innocent_white_lamb · · Score: 3, Informative

    The key for my 2013 Ford Escape never leaves my pocket. When I touch the door handle it unlocks; I get in, step on the brake pedal, and press the Start button on the dashboard. Put it in gear and drive away.

    All you need is the key within so-many feet of the vehicle.

    --
    If you're a zombie and you know it, bite your friend!
  29. Back door password by WindBourne · · Score: 2

    Obviously there is a back door in it. The thieves have figured out the code that is embedded in there that will open up to that.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  30. Re:One time pad? by MichaelSmith · · Score: 2

    But a micro SD card can store four gigabytes of key data now, which should be good for the life of the system, so maybe the next step is to embed a one time pad in both the key fob and the car security system.

    Erm... I don't think this would be necessarily a good idea. If you move out of range of the car and use the fob, you can record a copy of the next key that will be used in the sequence, and then broadcast it back. Not only would that allow you to unlock the car, but it immediately borks the key fob as well....

    But surely its a challenge response thing:

    key -> car (lets talk)

    car -> key (random challenge number)

    key -> car (challenge combined with key)

    In this case the challenge would be an index into the array of key values stored at both ends.

  31. Re:just now? by JonBoy47 · · Score: 4, Insightful

    It was actually nice when automakers rolled out RFID car keys about a decade ago, bringing two-factor authentication to the car's ignition. You needed a key with the right RFID, AND the correct mechanical cut to start the car. Two completely different systems had to be defeated to start the car, and it was difficult to do so without arousing suspicion. Now automakers are taking a step back in security. Not only is keyless ignition only single-factor authentication (relying on RFID exclusively), which makes it susceptible to remote attack, but it is also used to autonomously operate the door locks. A thief can steal a compromised car without any suspicious activity.

  32. Re:just now? by geekoid · · Score: 2

    I can open a car in under 5 seconds, faster than most people can with a key. And it isn't obtrusive.
    I can also get OTHER people to break into a car for me.

    The issue at hand can be fixed with authentication.

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  33. Re:just now? by unencode200x · · Score: 2

    So have my last two cars. My newest vehicle (CLS 550) does have a "valet" feature that will alert you via email or text if it leaves an area you set. Mercedes can also track its location, supposedly.

    Definitely scary stuff, though, as I'm one of those people who hates having things in my pockets and almost always leaves my wallet in the car. Of course, I can see it from my office window and my house/garage are alarmed.

    --

    Chance favors the prepared mind.
    Perfect is the enemy of good.
  34. Re:just now? by AK+Marc · · Score: 2

    What, an expert at bumping? Doesn't that require key blanks that fit? You'd need a large pocket full of blanks to have good matches, and it'd take you more than those 5 seconds to find the one that fits, assuming you have a match in your pocket somewhere.

  35. Re:just now? by AaronLS · · Score: 3, Informative

    I would be surprised if the majority of keyless entry was RFID. It may be that the vulnerable ones use this, but RFID is not in any way a form of authorization. It is a form of identification. The difference is your username and your password. Anyone should be able to get the RFID and be no closer to accessing the system, just as your username is not private information and is fairly useless without the password. There are lots of easy and inconspicuous ways to steal an RFID because it's just there saying "HEY, I'm 157951234654..." and anything can read that ID and then easily masquerade as that RFID.

    A proper keyless system uses cryptography (and does so properly). This is why many FOBs are quite expensive to replace and have a battery inside. When you attempt to unlock the vehicle, the vehicle sends a challenge to the FOB, and the FOB uses a private key to sign it; the vehicle then gets that signed response and verifies it using the public key. I know that my FOB uses a 40-bit key, which isn't very strong. Hopefully the vehicle has delays in place to prevent someone from trying thousands of keys a second; otherwise it could be broken with brute force given the small key size. This would still take a good while though.

    It's possible that some of these vehicles are vulnerable if someone got their hands on a database of public keys (or worse, private keys), from which you could spend time searching for the private keys through brute force and build up a database of the private keys, and then load that list onto a portable device that masquerades as a FOB.

    There's lots of possibilities.
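
    The challenge-response flow MichaelSmith sketches in comment 30 (key -> car, car -> key with a random challenge, key -> car with the challenge combined with the key) and the one AaronLS describes above, written out as an added example that is not from either commenter or from any vendor. It assumes an HMAC over a random nonce as the "challenge combined with key" step and a constructed 128-bit shared secret (neither the real schemes nor their key sizes are on the page), and shows why a recorded transmission opens a fixed-code scheme forever but is rejected when the car issues a fresh challenge each time.

```python
import hmac
import hashlib
import secrets

# Constructed demo secret; real fobs get theirs provisioned at manufacture.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def fob_respond(key, challenge):
    """Fob side: keyed MAC over the car's challenge; the secret never leaves the fob."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Car:
    """Vehicle side of a challenge-response unlock (constructed model)."""

    def __init__(self, key):
        self.key = key
        self.pending = None  # challenge issued for the attempt in progress

    def issue_challenge(self):
        # Fresh 128-bit nonce per attempt: an answer recorded for an earlier
        # challenge cannot match this one.
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, response):
        if self.pending is None:
            return False
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None  # each challenge is answerable exactly once
        return hmac.compare_digest(expected, response)

def legitimate_unlock():
    car = Car(SHARED_KEY)
    return car.verify(fob_respond(SHARED_KEY, car.issue_challenge()))

def static_code_replay():
    """Fixed-code scheme: the fob transmits a constant, so one recording opens it forever."""
    recorded = SHARED_KEY  # eavesdropper captured a single button press
    return hmac.compare_digest(SHARED_KEY, recorded)

def challenge_response_replay():
    """Record a genuine exchange, then replay the captured response to a new challenge."""
    car = Car(SHARED_KEY)
    recorded = fob_respond(SHARED_KEY, car.issue_challenge())
    car.verify(recorded)         # the owner's own unlock succeeds
    car.issue_challenge()        # next attempt gets a new nonce
    # Only stale replays are stopped; a live relay of the real fob's answer would pass.
    return car.verify(recorded)  # False
```

    The car's 0.5-second retry limit that LordLimecat mentions would be enforced in `issue_challenge`, which is also where a real implementation rate-limits guesses against a short key.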

  36. Re:jailbreak != breaking encryption by AaronLS · · Score: 2

    Exactly, jailbreaking a phone is a completely different animal, because within the device somewhere is the private key, and it is only hidden through obfuscation. Just like a desktop, you have access to the complete system, and it's just a matter of time, skill, and effort to pull it apart and either find the private key or bypass it.

    On the other hand, a proper keyless system has the private key in the FOB, and assuming all the components of the system are properly implemented using well established security standards, then there should be no FEASIBLE way to defeat the cryptography in a short amount of time without physically stealing/breaking open a FOB or physically modifying the vehicle.

    In the phone case, the manufacturer wants to prevent you from breaking into the phone, but they handed you the private key inside the phone. In the case of the vehicle, only you the owner carry the private key in your FOB, and the criminals do not have that. Unfortunately there's probably a lot of vehicles with vulnerabilities or not even an architecture that could laughably be called security.

  37. Re:Acura = Honda by AK+Marc · · Score: 2

    As for why the passenger door: they stand outside the car and rifle through the glove box and center console. That's easier from the passenger side.

  38. Re:Thinking out of the box - Jamming the close sig by Nidi62 · · Score: 2

    A better theory would be that the guys just placed a device in the neighbourhood earlier that JAMS the signal that closes the car door. Most users wouldn't notice, since they just turn back and start walking while pressing the lock button. AFAIK, it is easier to JAM a signal than to decrypt it. :) A small device with a 2W amplifier could cover a range of 500 m easily.

    I have the habit of always hitting the lock button twice, and making sure I hear the horn. That way I know my truck is locked.

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
  39. Re:just now? by __aaltlg1547 · · Score: 2

    Some models of newer cars don't have physical keys at all. There's just an electronic widget.

  40. Re:Seems an unnecessary feature by Bob+the+Super+Hamste · · Score: 2

    That sounds similar to my experience. I haven't been driving for 30 years but 25. All I have driven have been high mileage used vehicles, and on a couple of them the tumbler in the ignition was so worn that anything that would go into the key slot would work: screwdrivers, other random keys, my pocket knife, etc. Granted, most of those vehicles were around 20 years old and had well over 200,000 miles on them. One of them eventually got so bad you didn't even need anything in the key slot and could just turn the ignition and it would start (that was my '88 Bronco II).

    --
    Time to offend someone
  41. Using Information Readily Available by muskyhunter · · Score: 2

    The assumption in the article is that the thief has a device that contains the "magic code" to open car doors. In 2011 the Network and Distributed System Security Symposium presented a paper titled "Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars" (reference http://www.internetsociety.org/events/ndss-symposium-2011-0) that discusses this very topic. A direct link to the paper is http://www.internetsociety.org/sites/default/files/franc.pdf. The relay attack seems more feasible to explain this phenomenon, where parking locations or specific vehicles are targeted rather than randomly targeting vehicles. In the paper, section 5 does the best to describe an attack scenario that might best explain the thieves' mechanism. A thief will exploit what is readily available. Apparently, like a card scanner, they are able to capture the original key fob signal and present it in another form.