Slashdot Mirror


Keyless Remote Entry For Cars May Have Been Cracked

WheezyJoe writes "The Today Show had a piece this morning showing video of thieves apparently using a small device to open and enter cars equipped with keyless entry. Electronic key fobs, which are supposed to be secure, are replacing keys in more and more new cars, but the evidence suggests that a device has been developed which effortlessly bypasses this security (at least on certain makes and models). 'Adding to the mystery, police say the device works on some cars but not others. Other surveillance videos show thieves trying to open a Ford SUV and a Cadillac, with no luck. But an Acura SUV and sedan pop right open. And they always seem to strike on the passenger side. Investigators don't know why.' Police and security experts say they are 'stumped.'"

24 of 398 comments

  1. Stumped my ass by Anonymous Coward · · Score: 5, Insightful

    Haven't we seen proof of concept hacks of these kinds for a while?

    Also, "adding to the mystery", also my ass. Different keyfobs work with different algorithms and protocols. Someone's hacked a particular subset of them.

    1. Re:Stumped my ass by ackthpt · · Score: 5, Funny

      Haven't we seen proof of concept hacks of these kinds for a while?

      Also, "adding to the mystery", also my ass. Different keyfobs work with different algorithms and protocols. Someone's hacked a particular subset of them.

      Maybe the car is sentient, hates the current owner and wants to be stolen.

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Stumped my ass by Trepidity · · Score: 4, Interesting

      Yeah, the fact that it works only on certain makes/models, if anything, makes it much less mysterious. Compromises that exploit particular broken implementations of a cryptosystem are by far the most common kind of vulnerability, more common than fundamental breaks of a cryptosystem. If this device is opening only certain kinds of Hondas, it's likely Honda screwed up its implementation in at least some models.

    3. Re:Stumped my ass by chuckinator · · Score: 5, Interesting

      An older engineer I worked with once told me a story about a car manufacturer (don't remember which one) using the CAN bus to control the side view mirrors. Well, the CAN bus is an electrical bus without any form of authentication or security, and car thieves started to make a habit of busting off one of the side mirrors and issuing the unlock doors message on the bus. Note that the authenticity of this story is what you should expect from typical water cooler gossip.

    4. Re:Stumped my ass by optikos · · Score: 5, Funny

      They also talk over and over about how "The Police" are stumped. As if "The Police" was some kind of borg mind.

      Well, The Police did put out an album entitled Ghost in the Machine, so perhaps that qualifies as Borg-Lite.

    5. Re:Stumped my ass by Amouth · · Score: 4, Interesting

      that was a Volvo, everything uses the same damn bus

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    6. Re:Stumped my ass by greg1104 · · Score: 5, Informative

      Most manufacturers outside of the German cars are using systems developed by KeeLoq, so a vulnerability in that would impact a large number of vehicles. Parts of the encryption method have been attacked by researchers, with papers like How To Steal Cars. Some of these papers point out that the exact security mechanisms used by manufacturers on top of KeeLoq's hardware are not public, so turning the theoretical hacks into a working device is still hard even with these issues identified. Based on that FAQ, KeeLoq itself seems secure against anything but very knowledgeable attackers with significant resources--they're quoting months of work to find a real-world vulnerability. However, we can't be sure that a specific implementation of the security approach wasn't weakened by a manufacturer mistake. I wouldn't place a large bet on that though. Someone like a car manufacturer wants to be able to say they passed the risk to someone expert in this area. If they start customizing things to add back doors, they're going to lose any ability to blame KeeLoq if there's a nasty vulnerability.

    7. Re:Stumped my ass by mjwx · · Score: 4, Funny

      Borg-Lite.

      Same great assimilation, only one calorie.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    8. Re:Stumped my ass by girlintraining · · Score: 4, Interesting

      Maybe the car is sentient, hates the current owner and wants to be stolen.

      That, or the guy carrying the backpack in the video has something big enough in it to need a backpack; like a large coil, battery, and circuit board. People seem to forget that every electronic device is both a radio transmitter and receiver. With a powerful enough transmitter, any signal can be induced in any part of a circuit. Of course, physics also demands that any signal induced would be strongest along parallel wires -- power cables, to be specific.

      The reason why they're targeting passenger-side doors is probably because the control logic is in the driver side door, and the doors on the right-hand side would have the longest run of cable between the control board and the door's solenoid. Of course, you don't run power cable from one side of the car to the other, you run a signal wire; which depending on what kind of logic gate is on the other side, may only require a tenth to a half volt of voltage across it to trigger.

      The equipment to generate a short, broadband pulse at a right angle should be sufficient to induce the required voltage, thus causing the door to unlock. Never attack the crypto system when you can go after the control interface. This is, for all intents and purposes, a side channel attack. It would only work on makes and models of cars that have a sufficiently long run of signal cable running along the longitudinal axis of the vehicle. The attacker would need to be within about 5 feet to do this, and to not be obvious the car would need to be equipped with a lock that is along the window-frame or make an audible noise during unlock -- otherwise an attacker would have to visually inspect the interior of the car first, and the suspicious behavior of doing so in a parking lot filled with cars could attract law enforcement.

      Anyway, that's my suspicion for what's going on. To detect this, you'd need to be able to detect a sudden increase in broadband EMR, and triangulate its location, and the emission would only last a few milliseconds, if that. The police won't have the resources to find this, but the FCC might if the attacks are happening within a single metropolitan area... or if you had one of those multimillion dollar semitruck rigs with millimeter wave x-ray tech like what they use in airports to scan people (and their backpacks) for the tell-tale metal loop, which would be optimally placed around the circumference of the bag.

      Mind you, all of this ignores potential 4th amendment issues, along with all manner of other legal obstacles, including the fact that you'd be irradiating innocent people who are also unaware of your activities while in public. Failing that, you're tasked with swarming an area with officers and detaining anyone with a backpack within a certain radius, that radius being defined as the response time between signal acquisition and having boots on the ground.

      As to profiling them, you're probably looking for a van without windows, SUV, or similar vehicle where stolen goods can be dropped off and the attacker picked up quickly and removed from the area... statistically, he'll be within a few blocks. The equipment needed to generate a powerful enough EM pulse would take up most of the backpack and be very bulky -- even with high energy density batteries... it probably wouldn't have enough room to store much in the way of stolen items, necessitating a nearby collection point.

      --
      #fuckbeta #iamslashdot #dicemustdie
  2. Just a thought. by Capt.DrumkenBum · · Score: 4, Insightful

    they always seem to strike on the passenger side

    Maybe because people commonly stuff things like their GPS into the glove box, which is located on the passenger side?
    My car is so old it doesn't even have door locks, so not really a problem for me.

    --
    If I were God, wouldn't I protect my churches from acts of me?
    1. Re:Just a thought. by dkleinsc · · Score: 4, Insightful

      Also, the passenger side is right next to the sidewalk if the car is parallel-parked. That makes it a lot easier than trying to break into a car while traffic is barely missing your tush.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    2. Re:Just a thought. by ThePeices · · Score: 5, Funny

      Add to the fact that most in-vehicle theft is performed with a broken window

      Isn't that kinda dangerous for the burglar? Walking around with a broken window to be used to break into a car is unwieldy, and they can easily cut themselves on the glass of the broken window they are carrying.

      Not to mention it would look pretty suspicious walking down the street with a broken window.

  3. Re:just now? by Joce640k · · Score: 5, Funny

    Nah, it's just a tennis ball with a hole in it.

    --
    No sig today...
  4. Re:Seems an unnecessary feature by Trepidity · · Score: 5, Informative

    As far as I can tell, the compromise discussed in this article is only keyless entry, not related to starting a car. The thieves are using it to steal stuff like cell phones and GPS units from inside parked cars, not stealing the cars themselves.

  5. Re:Seems an unnecessary feature by VAXcat · · Score: 5, Informative

    Never get into a car with a carjacker. People who do that wind up at the secondary crime scene, where the homicide (yours) takes place. Run away if you can, fight if you must, but don't get in the car.

    --
    There is no God, and Dirac is his prophet.
  6. Re:just now? by jeffmeden · · Score: 5, Informative

    I was under the impression that these things were always vulnerable to replay attacks and I wouldn't be surprised if there was a master code as well.

    See Rolling Code for why you are under the wrong impression. There might be a recent vulnerability, but for the vast extent of their history these kinds of systems have been safe against amateur tactics like simple radio tricks, and if there is a "Backdoor" code it has been a pretty well guarded secret.
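As an added illustration of the rolling-code idea referred to in the comment above (not code from the thread, and not KeeLoq or any manufacturer's protocol): a generic counter-based receiver that rejects a replayed frame. HMAC-SHA256 stands in for the real cipher, and the frame layout, `WINDOW` value and all names are assumptions made for the example.

```python
import hashlib
import hmac

WINDOW = 16  # assumed: how far ahead of the last accepted counter a frame may be


def fob_frame(key: bytes, counter: int) -> bytes:
    """Frame sent on one button press: 4-byte counter + 8-byte truncated MAC."""
    ctr = counter.to_bytes(4, "big")
    return ctr + hmac.new(key, ctr, hashlib.sha256).digest()[:8]


class Receiver:
    """Car-side check: the tag must verify and the counter must move forward."""

    def __init__(self, key: bytes, last_counter: int = 0):
        self.key = key
        self.last = last_counter

    def accept(self, frame: bytes) -> str:
        if len(frame) != 12:
            return "reject: malformed"
        ctr, tag = frame[:4], frame[4:]
        expected = hmac.new(self.key, ctr, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        counter = int.from_bytes(ctr, "big")
        if counter <= self.last:
            return "reject: replay"         # already seen, or older than last press
        if counter > self.last + WINDOW:
            return "reject: out of window"  # too far ahead; needs resynchronisation
        self.last = counter                 # state advances only on success
        return "unlock"


def demo() -> list:
    key = bytes(range(16))                  # constructed demo key
    rx = Receiver(key)
    first = fob_frame(key, 1)
    return [
        rx.accept(first),                            # genuine press
        rx.accept(first),                            # same frame captured and resent
        rx.accept(fob_frame(key, 4)),                # presses 2 and 3 made out of range
        rx.accept(fob_frame(b"\x00" * 16, 5)),       # frame built without the key
        rx.accept(fob_frame(key, 4 + WINDOW + 1)),   # counter beyond the window
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The second call shows why a plain record-and-resend fails: the receiver's counter has already moved past the captured frame.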

  7. Thumb by jklovanc · · Score: 4, Informative

    Did anyone even really watch the video? The "object" in his hand was his thumb. He was opening a door where the handle is embedded in the door. His palm was up and his thumb was out. The door was not locked in the first place. Did anyone see him try the door before he supposedly used the "device"? The incident with the guy with the backpack is even more telling. He was walking along trying doors till he found one unlocked. Notice he took a step back when the door opened.

    What is the evidence that the vehicles were locked? Statements from the victims who would lose the insurance award if they admitted that they forgot to lock their vehicle?

    As another poster put it, these criminals are targeting vehicle contents; most of which are in the glove compartment.

    1. Re:Thumb by workactnumberfive · · Score: 4, Insightful

      The incident with the guy with the backpack is even more telling. He was walking along trying doors till he found one unlocked. Notice he took a step back when the door opened.

      He is walking by cars, hitting the button on his device. If you watch it again, you'll see that as he walks by, the lights in the car go on before he touches it...just like they do when you hit your unlock button on the keyfob. When that happens, he then backs up to enter the vehicle, as it is now unlocked.

  8. You must not be familiar with keyless by 1800maxim · · Score: 5, Informative

    A driver carries a pass, a credit card sized remote (or a keyless fob). As the driver approaches the vehicle, the vehicle scans the remote and is ready to unlock if you touch the handle. The door handle also has a sensor where your thumb goes. As soon as you touch it, and if the vehicle registers the keyless remote, the door is opened.

    Such cars (usually) have push-button start systems that also work based on the proximity of the keyless remote.

    It is very convenient if your hands are full and you want to open the rear door, for example, without having to search your pocket and fumble with buttons.

    Approach the car, open the handle, press the button - drive. No need to even touch the key/remote, which sits in your wallet or pocket.

  9. Re:just now? by Tuidjy · · Score: 4, Interesting

    Some are vulnerable to replay attacks, but Hondas (and Acuras, which are Hondas) most definitely should not be. There was a European study that used more than just simple replay attacks, and they found a dozen brands of remote devices that were susceptible. Hondas were not amongst them.

    This said, the article is retarded. I hope it's not the police officers' stupidity, but the authors'.

    1) Of course they will go for the passenger's door, you morons, that's where drivers leave their stuff, and that's where the glove compartment is. The thieves are not stealing the cars, they are burglarizing them.

    2) Of course, it will not work on all cars, you morons. The remotes use different protocols, and the thieves clearly have cracked Honda's. This will not help them much with Ford's.

    3) Ok... three I'll keep to myself. As a former law enforcement agent, I'm sure the officers know that one, and are keeping it close to their chest. The authors are still morons, though.

    --
    No good deed goes unpunished...
  10. Re:just now? by Tuidjy · · Score: 4, Interesting

    Actually, now that I have had two minutes to think about it, I have a theory.

    It may be that the thieves did not hack the remote, maybe they are triggering accident detection, which unlocks the doors. If I were a Honda engineer, this is what I would look at first.

    Hell, maybe Honda is even blameless. I know some car dealerships push poorly thought-out mods on their customers. I would check to see whether there isn't a local dealership that is peddling a 'safety' add-on.

    --
    No good deed goes unpunished...
  11. Re:Keypad by organgtool · · Score: 4, Interesting

    My friend had a keypad on his garage door opener with a four-digit code. One day he invited me and another friend over, but he didn't answer the door when we got there. Calling his house line also proved futile. We figured he fell asleep before we got there (which turned out to be the case). However, while we were waiting, the friend who was stuck outside with me started punching numbers on the garage keypad. I tried telling him that there were 10,000 possible combinations, but that didn't dissuade him. After a few seconds, the garage door opened up. I asked him how he knew the code and he pointed out that four of the numbers on the keypad were very worn. I did the math and realized that his observation took the number of possible combinations from 10,000 to 24! The point is, be careful with those keypads and change the numbers periodically if possible.

  12. Thinking out of the box - Jamming the close signal by quilombodigital · · Score: 5, Interesting

    A better theory would be that the guys just placed a device in the neighbourhood earlier, that JAMS the signal that closes the car door. Most users wouldn't notice, since they just turn back and start walking while pressing the lock button. AFAIK, it is easier to JAM a signal than to decrypt it. :) A small device with a 2W amplifier could cover a range from 500mts easily.

  13. Re:just now? by JonBoy47 · · Score: 4, Insightful

    It was actually nice when automakers rolled out RFID car keys about a decade ago, bringing two-factor authentication to the car's ignition. You needed a key with the right RFID, AND the correct mechanical cut to start the car. Two completely different systems had to be defeated to start the car, and it was difficult to do so without arousing suspicion. Now automakers are taking a step back in security. Not only is keyless ignition only single-factor authentication (relying on RFID exclusively), which makes it susceptible to remote attack, but it is also used to autonomously operate the door locks. A thief can steal a compromised car without any suspicious activity.