Slashdot Mirror

← Back to Stories (view on slashdot.org)

Latest Samy Kamkar Hack Unlocks Most Cars

Posted by samzenpus on from the open-it-up dept.

msm1267 writes: Samy Kamkar has built a new device called Rolljam that is about the size of a wallet and can intercept the codes used to unlock most cars and many garage doors. The device can be hidden underneath a vehicle and when the owner approaches and hits the unlock button on her key or remote, the device grabs the unique code sent by the remote and stores it for later use. The device takes advantage of an issue with the way that vehicles that use rolling codes for unlocking produce and receive those codes. Kamkar said that the device works on most vehicles and garage doors that use rolling, rather than fixed codes.

52 of 97 comments (clear)

  1. Or just use the key by glitch! · · Score: 1, Interesting

    I have never had a car with a remote lock/unlock device. I suppose it might be handy at night, but I don't have any trouble using a key by feel, either. So it seems to me the easiest way to prevent a problem is just not to use the electronic unlock.

    Or don't worry about it. What are the odds that some bad guy will target your vehicle?

    --
    A dingo ate my sig...
    1. Re:Or just use the key by timrod · · Score: 4, Insightful

      The real question is, what are the odds that a car thief is going to spend the money (likely more than $30 if they're buying from someone who knows how to make one) or the time to learn how to make one of these? The barrier to entry just to get one of these working (having to have technical knowledge to put one together, having to hide it under the car and get the owner to open it first and potentially notice the device when it jams their unlock signal) means that thieves will stick to the tried-and-true $5 wrench method rather than try one of these.

    2. Re:Or just use the key by lgw · · Score: 4, Interesting

      A thief will just smash a window or pop a lock. A detective, OTOH, will find this quite appealing, if they need to do a "sneak and peek". Want to search someone's car and leave no sign that you did?

      --
      Socialism: a lie told by totalitarians and believed by fools.
    3. Re:Or just use the key by sjames · · Score: 1

      For cars, it would need to be a regular location. Stake out a place of business for a few days, stick transmitter under a target vehicle. The next day, steal the car.

      But it's still more trouble that other methods, so it isn't likely to happen.

    4. Re:Or just use the key by TWX · · Score: 4, Interesting

      The best theft is one where the victim doesn't know that they were stolen from.

      The second best theft is one where the victim doesn't know when they were stolen from.

      The ability to quickly gain access to a locked place without leaving any sign that one gained access would be incredibly useful, especially in environments where valuables are routinely left in cars. Laptops and technical service tools would be big targets in-general, and some people in certain occupations would also be excellent targets for the privileged information that might be in a briefcase in an otherwise-securely-locked trunk.

      Then there's the issue of people that leave things in their cars, like copies of their housekeys, that could let a thief in to somewhere else that's more lucrative, or those that leave extra vehicle keys in vehicles so that once a locksmith would let them back-in to the car after they lose their primary keys, they could drive away.

      I can see this being an incredibly big problem depending on proliferation. It should at least require people to stop keeping expensive things in trunks that might have been somewhat safe through being hidden.

      --
      Do not look into laser with remaining eye.
    5. Re:Or just use the key by mjwx · · Score: 4, Insightful

      The real question is, what are the odds that a car thief is going to spend the money (likely more than $30 if they're buying from someone who knows how to make one) or the time to learn how to make one of these? The barrier to entry just to get one of these working (having to have technical knowledge to put one together, having to hide it under the car and get the owner to open it first and potentially notice the device when it jams their unlock signal) means that thieves will stick to the tried-and-true $5 wrench method rather than try one of these.

      Considering most cars are stolen to be parted out, if it only costs $30 to get $5000 odd of parts, even the dumbest crims will figure the economics of that one out.

      This is a bigger problem in Europe where the car can simply be driven over the border and resold. It may cost 600 Euro to put a new lock and immobiliser system in, but you can sell it for thousands of euro in a variety of places in eastern Europe (not to mention the illegal car export industries that exist in these places).

      If you honestly dont believe that this technology will find its way into the mainstream criminals hands, just look at the number of card skimmers out there.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    6. Re:Or just use the key by TWX · · Score: 1

      People want long range.

      I have a mid-nineties GM with a remote. Despite changing the batteries in the remote I can only get about 30' range at the max on a good day. On a bad day I'm damn near standing next to it to get it to unlock the doors or open the trunk. Honestly it's a little too short.

      --
      Do not look into laser with remaining eye.
    7. Re:Or just use the key by OverlordQ · · Score: 1

      Or 1 smart ringleader gets a few of these and gives them to his street thugs.

      --
      Your hair look like poop, Bob! - Wanker.
    8. Re:Or just use the key by Trogre · · Score: 1

      I disagree. A car with no visible signs of forced entry will sell better on the black market.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    9. Re:Or just use the key by demonlapin · · Score: 1

      My 2009 Lexus uses something like this - there's a small sensor in each of the door handles to detect a hand being put into the gap (probably optical interruption). It can clearly tell the difference when I'm standing at the driver's door vs the driver's side rear door - in fact it doesn't work if the key is in a bag strapped to my back. If my key is in a bag it needs to be up front and close to the lock to work.

      I lock remotely a lot, but I almost never unlock without using this mechanism. Slip your hand in, hear the beep(s), pull the handle. And the handle and the key have to match - if I'm standing with the key at the driver's door but you're on the opposite side and put your hand in, it will not unlock.

      If the battery fails, you have to pull a physical key out of the fob to open the door, but then the ignition runs on short-range RFID where you press the start button, it tells you to put the fob up against the start button, and it does its thing and you can start the car.

    10. Re:Or just use the key by LinuxIsGarbage · · Score: 1

      I've never had a car where I regularly used the key that the lock didn't end up freezing on me. Even recent cars have this issue. If you're anywhere that regularly receives freezing weather a remote can be the fastest way into your car.

      Even with remote entry I've had both front door locking mechanisms freeze up. Thankfully I could get in the back door. Even once I got to work (with the heat blasting the whole time) I had to get out the back.

    11. Re:Or just use the key by Anonymous Coward · · Score: 1

      Most cars on the black market are on the black market as car parts.

      Since the manufacturers discovered that at retail, a consumer will pay three to four times (or more) for a part than could be charged when attached to an entire vehicle, the parts market is ideal. You discard the parts that carry serial number identification or just damage the serial numbers, and convert a car into twice or thrice it's former value.

      Only chumps sell stolen cars assembled. Without a plan, it's far too easy to trace the entire car, even if you move it out of country.

    12. Re:Or just use the key by Aighearach · · Score: 1

      No, that is just damage, the same as any other damage to a used car. Stolen cars are rarely sold, they're usually driven by the thief for a few days and abandoned. There is almost no "black market" for stolen cars. Most of them get parted out, and the parts are then sold on the "grey market" because individual parts are not traceable and don't require paperwork. Cars that are sold on the black market have to have all their numbers changed, which requires a "chop shop" that is actually just a regular auto shop. They can fix any damage. It would be minor, like a door window, or some door trim.

      A car stereo, now that sells better without damage. There is a significant black market because the parts are marked with serial numbers. A car stereo sells better without damage, because it is small enough that if it looks normal, maybe nobody checks. A whole car? The bucket seats are each worth more than the car stereo, because they don't have serial numbers. You get full used price for seats. And almost the whole car. The car stereo gets thrown out, it has little value.

    13. Re:Or just use the key by AmiMoJo · · Score: 1

      This method has the advantage of not looking suspicious. The thief simply acts as if they were the car's owner and can rob it in broad daylight, and no-one will blink an eye. Car park security won't react like they would if the window was smashed. No car alarm going off. It's definitely attractive.

      Having said that, in the UK there have been a spate of thefts where people steal car body parts at night. They come along in the early hours of the morning, pop the bonnet open and simply remove the entire front of the car body, bits of the engine and anything else they can get at with normal tools. It doesn't make much noise but it's pretty blatant, happening in public streets in residential areas.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    14. Re:Or just use the key by Anonymous Coward · · Score: 1

      WRONG.

      Oh, so very, very wrong.

      The best thief is one who not only convinces their victim to give them the item, but also that doing so rights some sort of long-standing wrong and the victim should be ashamed of themselves for ever having had said item in the first place.

      "Citizen, having this locked up is a blow for TERROR, but if you unlock it for me I will ignore it -- just this once."

      That's how you do it, sonny.

    15. Re:Or just use the key by lgw · · Score: 1

      There is actually a market for stolen cars - cars expensive enough to ship overseas after being stolen. Those cars are stolen with tow trucks, however. Tow trucks are rarely questioned - sometimes the spouse will even open up the garage door.

      I hear the practice is common enough that a Ferrari that is lifted to a certain angle (without a security code first being entered) will blow e-fuses and need carefully tracked replacement parts. (I have no idea how that works out in hilly areas, making me wonder how true it is.)

      --
      Socialism: a lie told by totalitarians and believed by fools.
    16. Re:Or just use the key by michelcolman · · Score: 1

      That's exactly how it works. Just leave it under the car, and it will always have a code ready for you to use. Every time the owner unlocks the car, it replays the previous code and stores the latest one.

    17. Re:Or just use the key by michelcolman · · Score: 1

      The attacker doesn't have to open the car right away. The car can drive around for days, being opened and closed multiple times by the owner. The device remains attached to the car. Whenever the owner presses the button, the device plays the previous code and stores the latest one, so it always has a usable code ready for the attacker to use.

    18. Re:Or just use the key by Aighearach · · Score: 1

      All you need to detect tow condition is an attitude sensor. Anti-roll will engage when a modern vehicle is pulled onto a tow truck while in gear, based on the wheel movement; if the car can detect the vehicle angle then it can easily note that it is "rolling" uphill and engage an anti-theft fuse or other lock-out.

      You could probably add that aftermarket to most modern vehicles if you can get the anti-roll activation off the data bus.

    19. Re:Or just use the key by RockDoctor · · Score: 1

      I suppose it might be handy at night, but I don't have any trouble using a key by feel, either.

      You can get these little torches that fit on your key ring too. If you can't do it by touch. If you don't have a torch in your normal day-sack anyway (I do ; I'm a caver, I learned that lesson long ago).

      Far the bigger use of the remote (by my wife) is locating the car in the car park, because the remote also causes the car to flash it's lights. Then again, it's over 20 years since I had a car stolen or broken into, so my attitude to security isn't particularly paranoid.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  2. Re:Misread by turkeydance · · Score: 1

    well, Hagar does, too.

  3. Nothing Novel Here by Anonymous Coward · · Score: 1

    This appears to be a long known attack, bundled up with a cute name and small hardware package. Nothing to be (newly) concerned about. Here's a blog post from a year and a half ago, for example: http://spencerwhyte.blogspot.ca/2014/03/delay-attack-jam-intercept-and-replay.html

    Aside: I don't know any professional or academic security researcher who takes Samy seriously. His work is almost entirely of this style, packaging prior knowledge and selling it with panache.

  4. Well you still need some sort of key. by Stonent1 · · Score: 2

    Most cars now have active (chipped) keys that will not let you start or sometimes even turn the key unless it sees the signal from the key. Those keys may also be necessary to put the car in neutral for towing.

    1. Re:Well you still need some sort of key. by David_Hart · · Score: 1

      Most cars now have active (chipped) keys that will not let you start or sometimes even turn the key unless it sees the signal from the key. Those keys may also be necessary to put the car in neutral for towing.

      Most cars have a manual method of switching to neutral. This is necessary because it simply doesn't make sense to cause thousands of dollars of damage to a car while towing simply because of an electrical problem.

    2. Re:Well you still need some sort of key. by hawguy · · Score: 2

      Most cars now have active (chipped) keys that will not let you start or sometimes even turn the key unless it sees the signal from the key. Those keys may also be necessary to put the car in neutral for towing.

      Most cars have a manual method of switching to neutral. This is necessary because it simply doesn't make sense to cause thousands of dollars of damage to a car while towing simply because of an electrical problem.

      Even if you can't get the car in neutral, it only takes a few seconds to jack up the car and put dollies under the wheels.

    3. Re:Well you still need some sort of key. by hawguy · · Score: 1

      And you need to unlock car to do this exactly why?

      If you're a legitimate tow truck driver, you try to open the car because you're too lazy to get the dollies off the truck and there's a small additional risk if you don't strap them on securely. If you're an illicit driver, then if you can you partner to unlock the car and get it in neutral, you don't even need to get out of the truck to hook it up, just set the wheels on the wheel lift and go - no need to help him lift the car and set the dollies.

    4. Re:Well you still need some sort of key. by mjwx · · Score: 1

      Most cars now have active (chipped) keys that will not let you start or sometimes even turn the key unless it sees the signal from the key. Those keys may also be necessary to put the car in neutral for towing.

      Most cars have a manual method of switching to neutral. This is necessary because it simply doesn't make sense to cause thousands of dollars of damage to a car while towing simply because of an electrical problem.

      Even if you can't get the car in neutral, it only takes a few seconds to jack up the car and put dollies under the wheels.

      Also most cars are 2 wheel drive. Even most "all wheel drive" cars are just front wheel drive with a transfer box that is disengaged until the electronics detect the front wheels slipping. So all you do is jack up the front and take the handbrake off.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    5. Re:Well you still need some sort of key. by ArylAkamov · · Score: 1

      Volvo's had this since at least 1998. I just got done dealing with replacing it, the antenna goes out after awhile and even though the key is correct nothing will happen.

      The funny thing is after I replaced the antenna the security system needed to be reset. Dealership wanted $xxx and a week to do the work.

      A few minutes on google showed me all you do is lock/unlock the door 5 times to reset it. A week my ass.

      Personally I just install a hidden kill switch to every car I own. Difficult to start the car if there is no power going to either the ignition coil or starter relay.

  5. So I guess it's time.... by bobbied · · Score: 2

    For automobile manufacturers to start factoring in the time of day and keeping the "key" hidden...

    It works this way... You have an pre-shared key and you encrypt an ever changing sequence of messages, say something related to the current time of day or the "rolling code" thing they use now only the code rolls over time not when it's used. Then the "code" that worked 5 seconds ago, won't work in the future. That ends the "record and playback" messages from being seen as valid and all you need to have is a reasonably accurate scheme to advance time on both the car and the key fob. I imagine that regular resyncing of the clocks might be necessary, but I'm sure we can work something out where you "program" your key fob by inserting it into a port on your car or by using some RF backscatter power process the fob and the car can get into sync.

    It doesn't stop brute force attacks to recover the key, but it does make it time consuming and unlikely to be accomplished by some thief walking though the parking lot.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:So I guess it's time.... by msauve · · Score: 1

      So, a remote becomes like one of those security fobs (e.g. SecurID) which instead of displaying a number on the LCD, transmits it to the car.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:So I guess it's time.... by bobbied · · Score: 1

      Exactly!

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    3. Re:So I guess it's time.... by paulpach · · Score: 1

      For automobile manufacturers to start factoring in the time of day and keeping the "key" hidden...

      A much more secure method would be a challenge/response protocol, the car sends an encrypted random challenge to the key, the key decrypts it, calculates a response to the challenge and sends the response back to the car. The car checks the response and if valid, it unlocks.

      There is no way to replay messages as long as the challenge is randomized, and the car obviously should not unlock if it receives a response to something other than the last challenge. There is no way to get the encryption key since it never goes over the air, it is just used internally by the car and the key to encrypt/decrypt the message.

      The only problem with this is that it requires 2 way communication between the key and the car, so your solution would be cheaper and simpler.

    4. Re:So I guess it's time.... by bobbied · · Score: 1

      I agree, the solution you suggest would be MUCH safer, but as you point out, this makes the fob a whole lot more complex (and power hungry).

      In fact both of the suggested solutions are not new concepts, but have been used in networks for years.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  6. Must slow down... by JustNiz · · Score: 1

    I need to slow down reading stuff... I quickly scanned the headline and saw:
    Latest Sammy Hagar track unlocks most cars...

  7. Can it get past engine-kill too? by mark-t · · Score: 1, Informative

    If not, then ho-hum...

    Breaking into cars is easy... driving off with one without a proper key, when they have sophisticated anti-theft systems in place is considerably less so.

    --
    File under 'M' for 'Manic ranting'
    1. Re:Can it get past engine-kill too? by ArchieBunker · · Score: 1

      So you are inside the car, now what? You can't start it. Are you going to steal the radio and loose change?

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    2. Re:Can it get past engine-kill too? by drinkypoo · · Score: 1

      So you are inside the car, now what? You can't start it. Are you going to steal the radio and loose change?

      You do know that a lot of these immo codes have been broken wide open, right? For example the defeat on the one on the Bosch ME7 series is well-known. You don't need to log in or anything, you can get access to the flash without doing that, without even cracking the case. So an educated attacker, or someone carrying a tool made by an educated attacker who knows their way around an ELM327 can recode the immobilizer on a whole range of vehicles, including a lot of very spendy (if now somewhat older) VAG products, including the Audi S8.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Can it get past engine-kill too? by mark-t · · Score: 1

      Thousands of dollars in damage that will only cost me a phone call to my insurance company and a two hundred dollar deductible to take care of, and I will be able to use a rental car while mine is getting fixed.

      --
      File under 'M' for 'Manic ranting'
  8. I don't understand. by Anonymous Coward · · Score: 1

    Why don't these electronic keys use a public/private key authentication system with nonce signing to avoid replay attacks?

    This is simple to implement and is very strong against this kind of attack.

  9. My Honda CRX SI 86's superior security is immune by Anonymous Coward · · Score: 1

    No power locks, no power windows (cranks), no power steering, no power...

  10. Schematics? by Plugh · · Score: 1

    This looks like a really good educational project to do with the kids. I googled all over for it but couldn't find schematics or how-to's. Seriously I presume an Arduino and a wifi card is more or less all one needs. What do I have to do, search on Silk Road? Anybody got the infos?

    --
    Part of the Second American Revolution!
  11. The only reason that works by hcs_$reboot · · Score: 1

    That works because manufacturers don't want (time, money, complexity...) to implement a system using a protocol based on a dialog between the key and the car. That would allow for instance the car submitting a random 64b number to the key. The key would have to cipher the number and send the result back to the car within a short time window (0.5"). Much harder to hack.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  12. Re:My Honda CRX SI 86's superior security is immun by imboboage0 · · Score: 1

    I've had a perfectly good xbox 360 in the back seat of my car wide open since February. I also leave the keys in the ignition sometimes, always unlocked, and typically with windows down/t tops out.

    but hey, if you tried driving my 86 Mustang GT with bearings instead of bushings and the not so friendly motor, I wouldn't be surprised if you brought it back. especially with the headliner in the way of the mirror.

    "Nah man, you can keep this one."

    --
    Honesty may be the best policy, but by process of elimination, dishonesty is the second best policy.
  13. Most? by wonkey_monkey · · Score: 2

    Latest Samy Kamkar Hack Unlocks Most Cars

    There are still plenty of old cars on the road. Do more than 50% of them have remote locking?

    --
    systemd is Roko's Basilisk.
    1. Re:Most? by toddestan · · Score: 1

      The hack also requires that the car's owner uses the keyfob to unlock the car too. I wonder how many people don't use them? I bought my car used and the previous owners had managed to lose all the keyfobs. I never bothered with replacing them and just use the key.

  14. Bah by LordWabbit2 · · Score: 4, Interesting

    The don't get that technical here in South Africa. They just broadcast ANY other signal as you walk away from your car and hit the lock button on your remote. It interferes with your lock signal and the car remains unlocked. If you are not paying attention you don't notice that your car fails to lock and they are in. And no, they are not trying to steal the car, they just steal whatever you left behind in the car, most of them don't even bother trying to steal the radio. Unemployment is high, they steal what they can. It's gotten so bad they kick down your front door, alarms blazing, steal whatever they can grab and make a runner in the 5 minutes it takes armed response to get there (and yes, that's happened to me).

    --
    There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    1. Re:Bah by WillgasM · · Score: 1

      Perhaps it's such a small subset of robberies because thieves know that kicking a door down in the middle of the night is likely to be met with buckshot.

    2. Re:Bah by LordWabbit2 · · Score: 1

      Sigh, no it's not. They want you home so that they can force you to hand over the valuables. And it's not one or two people kicking down the door, it's usually 4 or more. Also the legalities and issues around having a firearm in South Africa (legally that is) means most home owners are not armed. These are desperate people. One of the things they raid is the groceries in the fridge / deepfreeze. They want cellphones, tablets, laptops, TV's, bank cards. I have a guitar, worth a lot of money, didn't even touch it, admittedly they probably didn't realise how much it was worth.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
  15. Jamming... by Matt_Bennett · · Score: 1

    Because this requires jamming the original signal, this is detectable, otherwise, it is MITM. Jamming is typically very easy- you just have to generate enough energy to overcome the incoming signal- the difficult part is being able to intercept the signal in the presence of your own noise. There are ways to cancel out the noise (like noise cancellation headphones)- but it is a really hard problem, even if you know the exact "noise" you're putting out.

    This may push us faster into better types of keys, such as keys with 2-way radios, or even get us out of keys altogether, incorporating the key into one of the other devices we may have on us. We haven't had those keys commonly because of the expense of the technology- technology will progress, and so will the hacks.

  16. yet another invention of the wheel by rch7 · · Score: 1

    How many wheels do you really need to invent? Such devices were for sale for professional auto thieves at Warsaw marketplace a decade ago. They don't always work though if remote has separate buttons for lock and unlock.

  17. Re:This is why I have manual locks by PPH · · Score: 1

    My alarm has remote locking. I disabled the unlock function so one still needs the key to get in. Go ahead and chirp the alarm all you want. In fact, this will screw up Kamkar's system as it will have expended its one good code. Yes, the alarm is off and a thief could just break a window. But having a system behave in a manner that they don't expect is probably enough to discourage them.

    --
    Have gnu, will travel.
  18. Public/Private Key by tingentleman · · Score: 1

    Why not use a handshake - with a small amount of processing power in the fob, hidden key pairs could be used to authenticate just like SSH or HTTPS: the keyfob asks a computable question of the car and vice-versa - no amount of record/playback could get you in.

    This is getting toward being considered ancient tech in the IT world - surely car companies have techies who can achieve this.