Slashdot Mirror


Car Thieves and Insurers Vote On Keyless Car Security

RockDoctor writes: The BBC reports that Britain's car thieves, rapidly followed by Britain's car insurance companies, have been expressing their opinions on the security of keyless car entry and/or control systems. The thieves are happy to steal them (often using equipment intended for dealer maintenance of the vehicles) and in consequence the insurance companies are refusing to insure such vehicles (or to accept new policies on such vehicles) unless they are parked overnight in underground (or otherwise secured) car parks. I guess I won't be considering buying one of those for another generation. If ever.


  1. I wish I'd thought of that by j2.718ff · Score: 5, Interesting

    I've never been a fan of the keyless car design. But if I wanted a new car, I had little choice. And I knew I'd have no chance convincing car manufacturers to make a keyed version. All this time, I should have been making a fuss to the insurance industry instead.

    Thank you insurance industry for making a sensible decision. Unfortunately, that may suck for anyone who owns such vehicles.

    1. Re:I wish I'd thought of that by weilawei · Score: 5, Interesting

      And master-keying a pin tumbler comes with the caveat that you multiply the number of keys which can open a given door. If you use multi-level master keying, you wind up with potentially dozens of key bittings that you didn't intend to allow but will also open such a lock.

      Theoretically, we should be able to avoid that problem with a challenge/authentication protocol. Of course, I'm still skeptical of it being implemented well any time in the near future. For now, I'll stick with my crusty old sidebar wafer locks.

      Oh yeah, any halfway competent locksmith (not these fly-by-night people) can open most of your physical locks without any real effort. The only reason they're drilling is to save a few minutes. And if we're talking about a car, it's usually faster to use some other sort of opening tool. Heck, my old Subaru, you could bend the window out with your bare hands and shove your whole arm in to unlock the door.

      Locks keep honest people honest. They barely slow down a professional.

    2. Re:I wish I'd thought of that by drinkypoo · Score: 5, Interesting

      Even the summary says thieves are using those reprogramming/recovery tools intended for dealers.

      Mostly they aren't. They're using other tools which connect to the same interface. It's trivial (in theory anyway) to put your ELM327 into sniffer mode, and with it hidden inside of the car someplace connected to the diagnostic bus, the dealership will never know that you're logging. I can literally buy an off the shelf device for a hundred bucks that will read the immobilizer code out of my Audi, and it's not an Audi-approved tool. Or I can get the code with freeware and a ten dollar cable.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:I wish I'd thought of that by AK+Marc · Score: 3, Interesting

      I had a popular car (name withheld to provide obscurity). I only had copies of the keys (the keys are old, and the technical "originals" were long lost). They weren't working as well as they should. I called the dealer, no way to get a key made from the original template. So I took a picture of the key, and sent it to a place that re-cuts keys based on the key, but using the standard tumbler-stops to get the new-key fit. Worked much better.

      Eventually my glove-box lock failed. Since it was a convertible, that was important (I left it unlocked always, so nobody would cut the top to get in, the glove box was always locked, and the faceplate for the radio was always removed). So I ordered a new lock. They took my VIN, and when the lock came in, it came with two brand-new keys, and the lock was already keyed to go with my old keys. So, just read the VIN off your neighbor's car, and order a replacement glove box lock mechanism, and you'll get two keys to his car. At least, that worked for me. Verified the locks were never re-keyed as well.

    4. Re:I wish I'd thought of that by PPH · Score: 5, Interesting

      >So, just read the VIN off your neighbor's car,

      Keep your VIN number covered up.

      I have a neatly printed and laminated card that says "Bait Car #6" over mine.

      --
      Have gnu, will travel.
    5. Re:I wish I'd thought of that by weilawei · Score: 4, Interesting

      And that's a disc lock (not to be confused with a "disk"/wafer lock). Those aren't terribly common, although the price has come down significantly in the past couple years. I've got a couple on hand and the tools to pick them (yes, IAAL--I Am A Locksmith). And yes, they can also be picked, although it's a real bear, because they don't give you any feedback on whether or not you've spun the disc to the right position (they're built very similarly to a sidebar wafer lock in the sense that they use a sidebar to avoid giving you feedback). One of my bicycle locks is also a disc lock, works fabulously for gritty/dirty conditions that would murder a pin tumbler. They also have another vulnerability to speed things up, but this isn't a locksmithing forum and I'm too lazy to do your googling for you.

      If I had a customer ask me to get in, I'd probably suggest drilling it. The price has come down enough to replace them.

    6. Re:I wish I'd thought of that by weilawei · Score: 4, Interesting

      Okay, I typed out a whole post, but this is laughable.

      Most locksmiths (I Am A Locksmith) and thieves have the same goal, but for different reasons: get in, and get in quickly. (For the professional locksmith, time is money, and I can make more calls if I bust your lock open versus spending a few more minutes to pick it; for the thief, the longer you stand around, the more likely you are to be caught).

      They'll just break out the drill if you make it too hard to pick quickly. Or the screwdriver. It's amazing what a long-handled flat-bladed screwdriver will do to your average pin/wafer tumbler lock...

      The only way tools/knowledge get expensive is if you're into safecracking (oohhh.. so pretty...</drool>). The idea that you can make a physical lock (crypto offers some quite nice advantages here) that the average locksmith is going to spend time picking but a thief won't is absurd.

      I'll just tell the customer to replace it, unless they have some weird sentimental attachment and feel like paying me to stand there and pick it (I'm totally cool with that too). A disc (not to be confused with a disk tumbler) is a good option in the "hard-to-pick" category (though not unpickable by any stretch, and the Abloy Protecs have a serious flaw... you can google for it). They also take about 10 seconds to drill with the proper milling cutter. If that.

      The closest thing to an unpickable lock is the one on some fortress phones which uses a ratcheting lever lock (so once you raise a lever, it will never come down any lower than that). It also doesn't give you any feedback, so if you screw up, it's back to the drill with you!

    7. Re:I wish I'd thought of that by weilawei · Score: 4, Interesting

      Forget it. They'll just smash the window and replace it, or haul it onto a flatbed and work on it at their leisure.

      Lever tumblers aren't going to be my first choice for something like a car. Large mechanism for one that's difficult to pick, and not as robust as a disc lock. Drill points are available from the manufacturers. Not hard to get. Hard plate and ball bearings and chips are wonderful, but...again, better for safes. Also, auto lockies are going to hate you. Relockers? Same deal. That sort of thinking works better for safes, where you have an object which is purposely large, heavy, and bolted down to concrete. Modern cars already have immobilizers.

      Electronic locks hold an immense amount of promise for the future of auto locks. They're not nearly so prone to dust, dirt, space, or cost. A proper implementation will take work, but I don't see it as being infeasible. Crypto done right is harder to get past than a physical lock, which will of course just shift the means of entry to something more appealing. Modern car thieves will use a laptop more than a lockpick. That's just how the arms race goes.

  2. Modified car? by jd659 · Score: 5, Interesting

    I have a car that uses a wireless key. After browsing the web trying to find more about the security, I found that you could buy a programmer that connects to the car's data port and programs a new key. What was surprising to me was how relatively easy it is to buy such a device and how quick the programming process was (about 30 seconds). A thief would have to get an entry into the car first (breaking a window, perhaps), but once that is done, it's relatively easy to just drive off with a newly programmed key. What I did was to disable the data port, not permanently, but more on a need-to-use basis. Since it works on obfuscation, this is not a type of security to be mass produced. Not knowing how exactly the port is disabled, it will take a long time to make it work, so I don't expect a thief to start taking the car apart. Wonder if you can claim for the insurance that the port is disabled. There are many other ways to steal a car, I just want to prevent the easy ones known today.

    --
    There's no such thing as "illegal download"
  3. Re:Key or keyless, all the same by Immerman · Score: 5, Interesting

    >According to BMW their so-called "security" is so secured that there are BILLIONS of combination in their "secure key" system

    Well there's the problem right there - obviously they didn't take computer security seriously or they'd realize that billions of combinations hardly gives a brute-force hacking simpleton time for their coffee to cool - I don't think anyone has considered 32 bit encryption keys secure since... ever, really. And that's assuming there's no vulnerabilities in the system. Meanwhile in order for the mechanic to be able to replace a lost key you need to install a gaping back door in every car you make, rendering your security system irrelevant except to the most casual of thieves.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
  4. Re:Key or keyless, all the same by hawguy · Score: 5, Interesting

    >According to BMW their so-called "security" is so secured that there are BILLIONS of combination in their "secure key" system

    >Well there's the problem right there - obviously they didn't take computer security seriously or they'd realize that billions of combinations hardly gives a brute-force hacking simpleton time for their coffee to cool - I don't think anyone has considered 32 bit encryption keys secure since... ever, really.

    Given that physical keys can have only "thousands" of combinations and provide reasonable security (car thieves will break the window rather than try to pick the lock), you don't need a 128 bit digital key to make a secure car door lock, you just need to rate-limit brute force attacks. No thief can spend the time testing thousands of physical keys in the door lock, and if the system stops listening for 5 minutes every N number of incorrect keys, then even a 32 bit digital key can be immune to a brute force attack (though the protocol has to protect against snooping).

    >And that's assuming there's no vulnerabilities in the system. Meanwhile in order for the mechanic to be able to replace a lost key you need to install a gaping back door in every car you make, rendering your security system irrelevant except to the most casual of thieves.

    It needn't be a big gaping back door -- if every new car-key generation request has to be signed by the secure private key only known by the manufacturer, then stolen car-key programming equipment has a very short lifetime - it's only good until the equipment is reported stolen, and only validated service stations can get their car-key requests signed and it's trivial to track stolen cars back to the machine that generated the key.

  5. Re:Key or keyless, all the same by Technician · Score: 4, Interesting

    Most of those billions of codes are easily circumvented by a replay attack. The cure is to lock and unlock your car with a physical key to prevent reading of the code. The other step is to add a switch to simply turn off the RF transceivers in the car when parking it in an unsecure location. A replay attack will fail when the RF is OFF.

    --
    The truth shall set you free!
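
Added example, not part of any comment in the thread: a Python sketch of the two defences discussed above, a fresh challenge per unlock so that a recorded transmission cannot be replayed, and a lockout after repeated wrong answers. The `Receiver` class, `fob_response`, the 128-bit shared key, HMAC-SHA256 and N = 5 are assumptions made for illustration; only the 5-minute lockout and the 32-bit key size come from the comments.

```python
import hashlib
import hmac
import secrets

class Receiver:
    """Car-side verifier; a hypothetical model built for this example."""
    MAX_FAILURES = 5       # "N" wrong responses before lockout (assumed value)
    LOCKOUT_SECONDS = 300  # "stops listening for 5 minutes"

    def __init__(self, key):
        self.key, self.pending = key, None
        self.failures, self.locked_until = 0, 0.0

    def challenge(self, now):
        if now < self.locked_until:
            return None                      # not listening during lockout
        self.pending = secrets.token_bytes(16)
        return self.pending

    def unlock(self, response, now):
        if now < self.locked_until or self.pending is None:
            return False
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None                  # every challenge is single-use
        if hmac.compare_digest(expected, response):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.failures, self.locked_until = 0, now + self.LOCKOUT_SECONDS
        return False

def fob_response(key, challenge):
    return hmac.new(key, challenge, hashlib.sha256).digest()

def exhaustive_guess_years(key_bits, max_failures=5, lockout_seconds=300):
    """Time to try every key over the air when each batch of failures costs a lockout."""
    return (2 ** key_bits / max_failures) * lockout_seconds / (365 * 24 * 3600)

def demo():
    key = secrets.token_bytes(16)            # constructed 128-bit shared secret
    car = Receiver(key)
    recorded = fob_response(key, car.challenge(now=0))  # exchange a listener could record
    first = car.unlock(recorded, now=0)
    car.challenge(now=10)                    # fresh challenge for the next attempt
    replayed = car.unlock(recorded, now=10)  # old response, new challenge
    for t in range(21, 25):                  # four more wrong responses: five in total
        car.challenge(now=t)
        car.unlock(bytes(32), now=t)
    return first, replayed, car.challenge(now=30) is None
```

The lockout bounds only over-the-air guessing; with a key as short as 32 bits, a single recorded challenge/response pair could be searched offline, which is why the sketch uses a longer key.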
  6. Re:Key or keyless, all the same by sjames · Score: 4, Interesting

    Rate limiting would help a LOT, but may not be enough if the bad guys rig up a strong transmitter. If you are in a crowded parking lot, you probably don't much care which BMW you steal, the first one to unlock will be good enough.

    It's not like BMWs are bargain basement cars, surely they could have spent a bit on an actually secure keyless entry system.

  7. Re:Key or keyless, all the same by drkim · Score: 4, Interesting

    >...The cure is to lock and unlock your car with a physical key to prevent reading of the code. The other step is to add a switch to simply turn off the RF transceivers in the car when parking...

    Great point.

    Once hackers started popping passenger doors remotely, I found out you could disable remote door unlock just by pulling the fuse on the receiver.

    Now you need a physical smart key turn to open the door and disable the alarm.

    Just picking the lock won't work either, because it's the smart key that disables the alarm.

  8. Re:Key or keyless, all the same by AmiMoJo · Score: 4, Interesting

    The radios they use in these systems are ISM band, often 433MHz (Europe), 432MHz (Japan) or 915MHz (US). The bit rate is fairly low, often 9600 or maybe 30kb tops. Thus you can really only try maybe a couple of hundred keys per second, at the absolute limit.

    Fortunately there is no need to brute force. Just set up a jammer, wait for someone to fail to notice that their car didn't lock as they were walking away, and attach your hardware to the car's debug port.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC