Keyless Remote Entry For Cars May Have Been Cracked

WheezyJoe writes "The Today Show had a piece this morning showing video of thieves apparently using a small device to open and enter cars equipped with keyless entry. Electronic key fobs, which are supposed to be secure, are replacing keys in more and more new cars, but the evidence suggests that a device has been developed which effortlessly bypasses this security (at least on certain makes and models). 'Adding to the mystery, police say the device works on some cars but not others. Other surveillance videos show thieves trying to open a Ford SUV and a Cadillac, with no luck. But an Acura SUV and sedan pop right open. And they always seem to strike on the passenger side. Investigators don't know why.' Police and security experts say they are 'stumped.'"

Stumped my ass

Haven't we seen proof of concept hacks of these kinds for a while?

Also, "adding to the mystery", also my ass. Different keyfobs work with different algorithms and protocols. Someone's hacked a particular subset of them.

Re:Stumped my ass

[ackthpt]

Haven't we seen proof of concept hacks of these kinds for a while?

Also, "adding to the mystery", also my ass. Different keyfobs work with different algorithms and protocols. Someone's hacked a particular subset of them.

Maybe the car is sentient, hates the current own and wants to be stolen.

Re:Stumped my ass

[chuckinator]

An older engineer I worked with once told me a story about a car manufacturer (don't remember which one) using the CAN bus to control the side view mirrors. Well, the CAN bus is an electrical bus without any form of authentication or security, and car thieves started to make a habit of busted off one of the side mirrors and issuing the unlock doors message on the bus. Note that the authenticity of this story is what you should expect from typical water cooler gossip.

Re:Stumped my ass

[optikos]

They also talk over and over about how "The Police" are stumped. As if "The Police" was some kind of borg mind.

Well, The Police did put out an album entitled Ghost in the Machine, so perhaps that qualifies as Borg-Lite.

Re:Stumped my ass

[greg1104]

Most manufacturers outside of the German cars are using systems developed by KeeLoq, so a vulnerability in that would impact a large number of vehicles. Parts of the encryption method have been attacked by researchers, with papers like How To Steal Cars. Some of these papers point out that the exact security mechanisms used by manufacturers on top of KeyLoq's hardware are not public, so turning the theoretical hacks into a working device is still hard even with these issues identified. Based on that FAQ, KeeLoq itself seems secure against anything but very knowledgeable attackers with significant resources--they're quoting months of work to find a real-world vulnerability. However, we can't be sure that a specific implementation of the security approach wasn't weakened by a manufacturer mistake. I wouldn't place a large bet on that though. Someone like a car manufacturer wants to be able to say they passed the risk to someone expert in this area. If they start customizing things to add back doors, they're going to lose any ability to blame KeeLoq if there's a nasty vulnerability.

Re:just now?

[Joce640k]

Nah, it's just a tennis ball with a hole in it.

Re:Seems an unnecessary feature

[Trepidity]

As far as I can tell, the compromise discussed in this article is only keyless entry, not related to starting a car. The thieves are using it to steal stuff like cell phones and GPS units from inside parked cars, not stealing the cars themselves.

Re:Seems an unnecessary feature

[VAXcat]

Never get into a car with a carjacker. People who do that wind up at the secondary crime scene, where the homicide (yours) takes place. Run away if you can, fight if you must, but don't get in the car.

Re:just now?

[jeffmeden]

I was under the impression that these things were always vulnerable to replay attacks and I wouldn't be surprised if there was a master code as well.

See Rolling Code for why you are under the wrong impression. There might be a recent vulnerability, but for the vast extent of their history these kinds of systems have been safe against amateur tactics like simple radio tricks, and if there is a "Backdoor" code it has been a pretty well guarded secret.

You must not be familiar with keyless

[1800maxim]

A driver carries a pass, a credit card sized remote (or a keyless fob). As the driver approaches the vehicle, the vehicle scans the remote and is ready to unlock if you touch the handle. The door handle also has a sensor where your thumb goes. As soon as you touch it, and if the vehicle registers the keyless remote, the door is opened.

Such cars (usually) have push-button start systems that also work based on the proximity of the keyless remote.

It is very convenient if your hands are full and you want to open the rear door, for example, without having to search your pocket and fumble with buttons.

Approach the car, open the handle, press the button - drive. No need to even touch the key/remote, which sits in your wallet or pocket.

Re:Just a thought.

[ThePeices]

Add to the fact that most in-vehicle theft is performed with a broken window

Isnt that kinda dangerous for the burglar? Walking around with a broken window to be used to break into a car is unwieldy, and they can easily cut themselves on the glass of the broken window they are carrying.

Not to mention it would look pretty suspicious walking down the street with a broken window.

Thinking out of the box - Jamming the close signal

[quilombodigital]

A better theory would be that the guys just placed a device in the neighbourhood earlier, that JAMS the signal that closes the car door. Most users wouldnt notice, since they just turn back and start walking while pressing the lock button. AFAIK, it is easier to JAM a signal than to decrypt it. :) A small device with a 2W amplifier could cover a range from 500mts easily.