Slashdot Mirror

← Back to Stories (view on slashdot.org)

Car Thieves and Insurers Vote On Keyless Car Security

Posted by Soulskill on from the experts-agree dept.

RockDoctor writes: The BBC reports that Britain's car thieves, rapidly followed by Britain's car insurance companies, have been expressing their opinions on the security of keyless car entry and/or control systems. The thieves are happy to steal them (often using equipment intended for dealer maintenance of the vehicles) and in consequence the insurance companies are refusing to insure such vehicles (or to accept new policies on such vehicles) unless they are parked overnight in underground (or otherwise secured) car parks. I guess I won't be considering buying one of those for another generation. If ever.

9 of 221 comments (clear)

  1. I wish I'd thought of that by j2.718ff · · Score: 5, Interesting

    I've never been a fan of the keyless car design. But if I wanted a new car, I had little choice. And I knew I'd have no chance convincing car manufacturers to make a keyed version. All this time, I should have been making a fuss to the insurance industry instead.

    Thank you insurance industry for making a sensible decision. Unfortunately, that may suck for anyone who owns such vehicles.

    1. Re:I wish I'd thought of that by mythosaz · · Score: 5, Insightful

      The problem is lost keys. There has to be a mechanism for an automotive dealer or manufacturer to replace lost keys, and it has to function without the original key. It's the 2010's version of old master keys for tumbler locks.

      Even the summary says thieves are using those reprogramming/recovery tools intended for dealers.

    2. Re:I wish I'd thought of that by weilawei · · Score: 5, Interesting

      And master-keying a pin tumbler comes with the caveat that you multiply the number of keys which can open a given door. If you use multi-level master keying, you wind up with potentially dozens of key bittings that you didn't intend to allow but will also open such a lock.

      Theoretically, we should be able to avoid that problem with a challenge/authentication protocol. Of course, I'm still skeptical of it being implemented well any time in the near future. For now, I'll stick with my crusty old sidebar wafer locks.

      Oh yeah, any halfway competent locksmith (not these fly-by-night people) can open most of your physical locks without any real effort. The only reason they're drilling is to save a few minutes. And if we're talking about a car, it's usually faster to use some other sort of opening tool. Heck, my old Subaru, you could bend the window out with your bare hands and shove your whole arm in to unlock the door.

      Locks keep honest people honest. They barely slow down a professional.

    3. Re:I wish I'd thought of that by drinkypoo · · Score: 5, Interesting

      Even the summary says thieves are using those reprogramming/recovery tools intended for dealers.

      Mostly they aren't. They're using other tools which connect to the same interface. It's trivial (in theory anyway) to put your ELM327 into sniffer mode, and with it hidden inside of the car someplace connected to the diagnostic bus, the dealership will never know that you're logging. I can literally buy an off the shelf device for a hundred bucks that will read the immobilizer code out of my Audi, and it's not an Audi-approved tool. Or I can get the code with freeware and a ten dollar cable.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:I wish I'd thought of that by PPH · · Score: 5, Interesting

      So, just read the VIN off your neighbor's car,

      Keep your VIN number covered up.

      I have a neatly printed and laminated card that says "Bait Car #6" over mine.

      --
      Have gnu, will travel.
  2. This most important thing in the article by gewalker · · Score: 5, Funny

    "By far the most common way of a car being stolen is still from thieves breaking into homes and stealing keys," he said.

    Don't leave your keys in the obvious places, including the spare keys.

    For bonus points: Have some keys labeled "neighbor's house" that are useless.

  3. Modified car? by jd659 · · Score: 5, Interesting

    I have a car that uses a wireless key. After browsing the web trying to find more about the security, I found that you could buy a programmer that connects to the car's data port and programs a new key. What was surprising to me was how relatively easy it is to buy such a device and how quick the programming process was (about 30 seconds). A thief would have to get an entry into the car first (breaking a window, perhaps), but once that is done, it's relatively easy to just drive off with a newly programmed key. What I did was to disable to data port, not permanently, but more of a need to use basis. Since it works on obfuscation, this is not a type of security to be mass produced. Not knowing how exactly the port is disabled, it will take a long time to make it work, so I don't expect a thief to start taking the car apart. Wonder if you can claim for the insurance that the port is disabled. There are many other ways to steal a car, I just want to prevent the easy ones known today.

    --
    There's no such thing as "illegal download"
  4. Re:Key or keyless, all the same by Immerman · · Score: 5, Interesting

    >According to BMW their so-called "security" is so secured that there are BILLIONS of combination in their "secure key" system

    Well there's the problem right there - obviously they didn't take computer security seriously or they'd realize that billions of combinations hardly gives a brute-force hacking simpleton time tor their coffee to cool - I don't think anyone has considered 32 bit encryption keys secure since... ever, really. And that's assuming there's no vulnerabilities in the system. Meanwhile in order for the mechanic to be able to replace a lost key you need to install a gaping back door in every car you make, rendering your security system irrelevant except to the most casual of thieves.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
  5. Re:Key or keyless, all the same by hawguy · · Score: 5, Interesting

    >According to BMW their so-called "security" is so secured that there are BILLIONS of combination in their "secure key" system

    Well there's the problem right there - obviously they didn't take computer security seriously or they'd realize that billions of combinations hardly gives a brute-force hacking simpleton time tor their coffee to cool - I don't think anyone has considered 32 bit encryption keys secure since... ever, really.

    Given that physical keys can have only "thousands" of combinations and provide reasonable security (car thiefs will break the window rather than try to pick the lock), you don't need a bit 128 digital key to make a secure car door lock, you just need to rate-limit brute force attacks. no thief can spend the time testing thousands of physical keys in the lock door lock, and if the system stops listening for 5 minutes every N number of incorrect keys, then even a 32 bit digital key can be immune to a brute force attack (though the protocol has to protect against snooping)

    And that's assuming there's no vulnerabilities in the system. Meanwhile in order for the mechanic to be able to replace a lost key you need to install a gaping back door in every car you make, rendering your security system irrelevant except to the most casual of thieves.

    It needn't be a big gaping back door -- if every new car-key generation request has to be signed by the secure private key only known by the manufacturer, then stolen car-key programming equipment has a very short lifetime - it's only good until the equipment is reported stolen, and only validated service stations can get their car-key requests signed and it's trivial to track stolen cars back to the machine that generated the key.