Car Thieves and Insurers Vote On Keyless Car Security
RockDoctor writes: The BBC reports that Britain's car thieves, rapidly followed by Britain's car insurance companies, have been expressing their opinions on the security of keyless car entry and/or control systems. The thieves are happy to steal them (often using equipment intended for dealer maintenance of the vehicles) and in consequence the insurance companies are refusing to insure such vehicles (or to accept new policies on such vehicles) unless they are parked overnight in underground (or otherwise secured) car parks. I guess I won't be considering buying one of those for another generation. If ever.
What I can't figure out is how incompetent the car industry's software engineers must be. The implication of this is that it's possible to clone a key based only on the signal it gives off. The implication of that is that they're sending out a static password.
I mean, why are these keys not just broadcasting an "I'm here" signal (possibly with a unique ID), and then doing some challenge/response authentication à la SRP that can't have the key reverse-engineered from the transmissions, to actually perform the unlock?
How did the car companies think they could get away with such crappy security?
Because 10 years ago that's as good as it got. We moved on. Now the insurance companies are saying "This is fucking stupid. Fix it or we won't pay for your idiotic keyless thingamabob. C'mon guys, we fixed keys years ago. If you can't do better, don't bother."
The problem is lost keys. There has to be a mechanism for an automotive dealer or manufacturer to replace lost keys, and it has to function without the original key. It's the 2010s version of old master keys for tumbler locks.
Even the summary says thieves are using those reprogramming/recovery tools intended for dealers.
The thieves are happy to steal them (often using equipment intended for dealer maintenance of the vehicles) and in consequence the insurance companies are refusing to insure such vehicles
This is ironic. When electronic systems were first rolled out, the car manufacturers did a fantastic job of convincing insurance companies they were far superior to mechanical lock systems. So good, that in some cases insurance companies initially labeled any theft of such a car as being likely to have been done in conspiracy with consent of the owner, since it was obvious no common thief could have cracked such awe-inspiring technological marvels of security.
Of course, this point of view was unfortunate for those first-generation owners, who were labeled as suspected frauds. But it was initially very convenient for the insurance company, who could find an excuse not to pay out (at least until the police began to figure out just how easy it was to fool that "fool-proof" security).
Basing your protocol's PRNG (I'm assuming that sort of design here, although it's by no means the only way to skin that cat) on a serial number is Bad Idea (#1). If you need to hide the algorithm, you've already lost. That's Bad Idea #2.
Something more along the lines of using public-key crypto for your CHAP is more sensible. The car spits out a one-time value and asks the key to encrypt it. Then, the car decrypts the result to verify it. (DISCLAIMER: I am NOT a cryptographer, just a hobbyist in this regard. There's about a million and one ways to screw this up, most of them non-obvious. Taking my advice for anything besides experimentation is downright stupid. Don't roll your own. Hire a professional to do the work.)
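The challenge/response unlock that this comment and the SRP comment above describe, written out as an added example (not code from anyone in the thread). HMAC-SHA256 over a shared secret stands in for the public-key encryption step, since the standard library has no public-key primitives; the car ID and the secret are constructed values, and a single-use nonce set is the assumption that makes a recorded transcript worthless.

```python
# Added example: car issues a fresh one-time value, fob authenticates it, car verifies.
# HMAC over a shared secret replaces the public-key step the comment sketches.
import hashlib
import hmac
import secrets


class Car:
    def __init__(self, car_id: bytes, fob_secret: bytes):
        self.car_id = car_id
        self._secret = fob_secret           # paired with the fob at manufacture (constructed)
        self._outstanding: set[bytes] = set()  # challenges issued but not yet answered

    def issue_challenge(self) -> bytes:
        # Fresh CSPRNG output per attempt; never derived from a serial number.
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # Each nonce is accepted exactly once, so a recorded answer cannot be replayed.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(self._secret, self.car_id + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


class Fob:
    def __init__(self, car_id: bytes, secret: bytes):
        self.car_id = car_id
        self._secret = secret

    def respond(self, nonce: bytes) -> bytes:
        # The answer is bound to this car and this challenge only.
        return hmac.new(self._secret, self.car_id + nonce, hashlib.sha256).digest()


def unlock_attempt(car: Car, fob: Fob) -> tuple[bytes, bytes, bool]:
    nonce = car.issue_challenge()
    response = fob.respond(nonce)
    return nonce, response, car.verify(nonce, response)


def replay_attempt(car: Car, nonce: bytes, response: bytes) -> bool:
    # Re-presenting a previously observed (nonce, response) pair is rejected.
    return car.verify(nonce, response)


if __name__ == "__main__":
    secret = secrets.token_bytes(32)
    car, fob = Car(b"VIN-EXAMPLE-0001", secret), Fob(b"VIN-EXAMPLE-0001", secret)
    n, r, ok = unlock_attempt(car, fob)
    print("genuine fob:", ok, "| replayed transcript:", replay_attempt(car, n, r))
```

Contrast this with the static password the earlier comment describes: there the captured transmission is the credential, whereas here every transmission answers a question the car will never ask again.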
Locks keep honest people honest. They barely slow down a professional.
Damn straight.
Another thing people don't take into consideration is that about 40% of vehicle thefts are tow-aways.
That way they can work on the locks and security in the safety of their chop shops.