Slashdot Mirror


Radio Attack Lets Hackers Steal 24 Different Car Models (wired.com)

An anonymous reader writes from a Wired article: A group of German vehicle security researchers has released new findings about the extent of a wireless key hack, and their work ought to convince hundreds of thousands of drivers to keep their car keys next to their Pudding Pops. The Munich-based automobile club ADAC recently made public a study it had performed on dozens of cars to test a radio 'amplification attack' that silently extends the range of unwitting drivers' wireless key fobs to open cars and even start their ignitions (in German). The ADAC researchers say that 24 different vehicles from 19 different manufacturers were all vulnerable, allowing them to not only reliably unlock the target vehicles but also immediately drive them away. "This clear vulnerability in [wireless] keys facilitates the work of thieves immensely," reads the post. "The radio connection between keys and car can easily be extended over several hundred meters, regardless of whether the original key is, for example, at home or in the pocket of the owner." [...] Here's the full list of vulnerable vehicles from their findings, which focused on European models: the Audi A3, A4 and A6, BMW's 730d, Citroen's DS4 CrossBack, Ford's Galaxy and Eco-Sport, Honda's HR-V, Hyundai's Santa Fe CRDi, KIA's Optima, Lexus's RX 450h, Mazda's CX-5, MINI's Clubman, Mitsubishi's Outlander, Nissan's Qashqai and Leaf, Opel's Ampera, Range Rover's Evoque, Renault's Traffic, Ssangyong's Tivoli XDi, Subaru's Levorg, Toyota's RAV4, and Volkswagen's Golf GTD and Touran 5T.

228 comments

  1. Scary ... by gstoddart · · Score: 4, Interesting

    I had this in a rental car recently, and once I figured out there was no place to put the key (never seen it before, never even occurred to me) I did wonder just how secure it was.

    So, what, it just continuously broadcasts "you can start now", with no intermediate encryption or anything? There's clearly no user interaction required to start the car (I never did get used to having the "key" in my pocket to start the car), no button to push or anything.

    TFA says "every second semester electronic student should be able to build such devices without any further technical instruction." That positively screams of something which was built to be cool, but with no real thought about security.

    I wonder if this is something which even changes on each invocation, or if you could simply record and play back the signal ... in which case this is a pretty pathetic system.

    And, once again, the security of such things is purely an afterthought when it's pointed out how trivial it is to bypass. And, once again, I say companies need to have legal liability for shit like this.

    --
    Lost at C:>. Found at C.
    1. Re:Scary ... by omnichad · · Score: 2

      People have been able to use replay attacks to get into houses via garage door openers for forever. I'm surprised by the lack of strong encryption on this, but do you even need to replay? If it's just MITM as an amplifier, no intermediate decoding is needed to get in and steal belongings anyway. It's a bad design all around.

    2. Re:Scary ... by Anonymous Coward · · Score: 1

      This isn't even attacking the encryption, just relaying the modulated radio signals that the car and key are transmitting. The two ways to secure this would be: one, to make the protocols have hard real-time requirements with very sensitive latency measurements to detect the distance between car and key; two, to require the human to initiate an action on the key rather than let it respond passively.

    3. Re:Scary ... by Aaden42 · · Score: 5, Interesting

      It’s not a continuous broadcast. When key & car are in range, car broadcasts a challenge, and key replies. Most models only do it at door open & engine start. They don’t continuously require it since if the process failed for some reason as you’re going down the highway & the engine just cut out... Not good

      There’s some rudimentary obfuscation at the protocol level, and recent-ish models have a reasonable degree of replay attack prevention. This attack appears to just amplify the radio signal in both directions with a repeater near the car & the key. You’d need one person ready to drive the car away and another to get close enough to the owner.

      It’s only going to be good for one use though. Unless you can steal the key or stay on top of the owner, the car won’t re-start after you turn it off. Maybe you could slip the repeater in their bag or something to buy a little more time, but it’s pretty limited. Okay if you’re planning to scrap the car for parts, not so much if you expect to be able to keep driving it or sell it off after stealing it. It doesn’t look like this attack does anything to clone the key or defeat the challenge/response between key & car. It just lets you carry out that C/R at a distance.

      Honestly, I might like a set of these to enable remote start at long range on my own car.

    4. Re:Scary ... by gstoddart · · Score: 2

      I'm surprised by the lack of strong encryption on this, but do you even need to replay?

      Well, think about it ... sit in a parking lot at an office or something, and passively collect a bunch of these things as people enter the building or something.

      Instead of stealing belongings, you target a bunch of cars, come back the next day with a bunch of people, and drive off with a dozen or so cars in one go.

      Why steal stuff when you can just drive off with the cars later and without needing to get the thing near enough to the keys to re-transmit?

      You could have a bunch of cars in a chop shop before anybody even knew they were gone.

      --
      Lost at C:>. Found at C.
    5. Re:Scary ... by Anonymous+Psychopath · · Score: 1

      I started typing a long, in-depth reply but it's easier to just link to the Wikipedia article as it covers your questions pretty thoroughly.

      --

      Eagles may soar, but weasels don't get sucked into jet engines.

    6. Re:Scary ... by omnichad · · Score: 2

      I don't think they are replay attacks. They are using MITM to amplify both sides of the conversation with the keys. The keys and car respond as if the victim is standing next to their car. Imagine a MITM HTTPS attack where the attacker didn't need to actually decrypt the data - just pass it along. So the encryption itself does nothing to protect the car.

      That's not to say they can't do it with an entire office full of people, but it's not something you could do without the victim within range of your device (which could still be a long distance in the office).

    7. Re:Scary ... by tlhIngan · · Score: 1

      It’s not a continuous broadcast. When key & car are in range, car broadcasts a challenge, and key replies. Most models only do it at door open & engine start. They don’t continuously require it since if the process failed for some reason as you’re going down the highway & the engine just cut out... Not good

      It's not continuous, but on all the models I've seen, when the engine is running the key is checked quite often. If you have the engine running and then walk out with the key, the dashboard display immediately displays a warning that the key is no longer in the vehicle. Usually if this condition persists for about 5 minutes, the engine will shut off.

      I presume the condition is checked when there is a status change in the car - e.g., the doors are opened or closed, but also checked at random intervals as well. (I've had it where the car starts, then it says the key is not detected, but then finds the key and continues on. This I attribute to some EMI in the area as things stopped working like garage door openers and such).

      Our lives aren't significantly enhanced by wireless keys. Are they?

      If you've ever carried bags of groceries to the car, being able to click the button on the door with the key in the pocket is a godsend. Of course, later cars have the ability to wave your foot and the trunk or rear door opens automatically.

      Yes, there are ways around it, but it's just easier and more convenient to be able to carry your groceries to the car without fumbling for keys or putting the cart away afterwards.

    8. Re:Scary ... by eth1 · · Score: 1

      One start is plenty. It just needs to be driven somewhere out of the way, after which it can be ransacked for valuables/ID theft material at leisure. Then an accomplice can come pick it up with a tow truck/trailer to part it out, or whatever.

      It means all of the suspicion-generating activity can be done out of view. No one would give a second look at someone getting into a car and driving away. Nor would they pay much attention to someone "having car trouble" taking stuff out of a car while it's being loaded on a tow truck.

    9. Re:Scary ... by cheater512 · · Score: 1

      It's a rolling code so you can't replay.

      This attack is just making the key work from a few hundred meters instead of a few meters.

    10. Re:Scary ... by cheater512 · · Score: 1

      On the Honda HR-V it does appear to be polled at least every 5 seconds.

      Open door, get out and walk two steps and the car is already pinging saying the key has been removed.
      I haven't tried it, but I'd bet that if you passed the key out the window it would still do it that quickly.

    11. Re:Scary ... by Lorens · · Score: 1

      It's not continuous, but on all the models I've seen, when the engine is running the key is checked quite often. If you have the engine running and then walk out with the key, the dashboard display immediately displays a warning that the key is no longer in the vehicle. Usually if this condition persists for about 5 minutes, the engine will shut off.

      TFA says that "usually" thieves drive away, even refueling while leaving the engine running, to get out of the country and be able to circumvent protections at leisure.

    12. Re:Scary ... by Anonymous Coward · · Score: 0

      > Usually if this condition persists for about 5 minutes, the engine will shut off.

      That's the setup for a huge lawsuit. The pinger dies, has interference when driving down the road, light in dash fails, etc. engine dies and causes a crash. They would be stupid to implement it that way, so I doubt they did. I bet it's a check for engine start only.

    13. Re:Scary ... by lgw · · Score: 1

      These are in fact "MITM as an amplifier" attacks. The key works by being within a certain range of the car - typically just a few feet. Boost that signal (both ways) enough, and the car is unlocked. The practical attack seems to be to steal a car parked on the street in front of the house/building the owner is in, as otherwise it's impractical (too many potential signals, too much amplification required).

      A useful, related trick when hunting for your car in a big parking lot - you can double-triple the range at which your remote works to lock/unlock your car to find it by pressing the remote against the side of your head.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    14. Re:Scary ... by Anonymous Coward · · Score: 1

      Usually if this condition persists for about 5 minutes, the engine will shut off.

      Citation needed. On all the models I've seen, the car will bitch and moan about it, but will continue to operate just fine until you shut it off.

      This is because it's actually not all that uncommon for the fob to stop working, either because the battery just died, or the owner spilled soda all over it while driving, and you don't want the legit owner stranded in the middle of nowhere because the fob is busted.
      Some models use a dual type of unit, where there's a fob but also a physical key inside it. If the fob quits working, you can just use the physical key. But some of the newer models don't have the physical backup key, they are all keyless.

      And just FYI, 5 minutes is plenty of time to drive the car around the block to where you have a towtruck waiting to take it the rest of the way to the 'chop shop'.

    15. Re:Scary ... by TechyImmigrant · · Score: 1

      These are in fact "MITM as an amplifier" attacks. The key works by being within a certain range of the car - typically just a few feet. Boost that signal (both ways) enough, and the car is unlocked. The practical attack seems to be to steal a car parked on the street in front of the house/building the owner is in, as otherwise it's impractical (too many potential signals, too much amplification required).

      A useful, related trick when hunting for your car in a big parking lot - you can double-triple the range at which your remote works to lock/unlock your car to find it by pressing the remote against the side of your head.

      Try raising it above your head. The benefit comes from the height not the RF properties of a human head.
      Telling people to touch it to their head just gets them to lift it higher.

      Separate the variables. Touch the transmitter to your head, then foot and see if the range improves. Then stand on your head and touch the transmitter to your elevated foot and your ground level head. Report back with results.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    16. Re:Scary ... by Anonymous Coward · · Score: 0

      Sounds like a scene for the next Mission Impossible movie.

    17. Re:Scary ... by sudon't · · Score: 1

      The keys and car respond as if the victim is standing next to their car.

      Doesn't the owner have to press a button, though? It'd be kinda nuts if your car unlocked and/or started every time you walked near it (or a window facing your driveway). Sorry, I couldn't RTFA due to some kind of pop-up, but I don't get exactly how this works.

      --
      -- sudon't

      Air-ride Equipped

    18. Re:Scary ... by sudon't · · Score: 1

      Unless you can steal the key or stay on top of the owner, the car won't re-start after you turn it off.

      As long as you can get it to the chop shop, that's not a problem. Even if they weren't using the car merely for parts, I imagine this system could be replaced.

      --
      -- sudon't

      Air-ride Equipped

    19. Re:Scary ... by lgw · · Score: 2

      Here you go: a physics prof demonstrates and explains the antenna effect. https://www.youtube.com/watch?...

      Sixty Symbols is a great channel for debunking commonly held physics misconceptions (whether they're right here or not).

      --
      Socialism: a lie told by totalitarians and believed by fools.
    20. Re:Scary ... by omnichad · · Score: 1

      The keys work via proximity (like RFID or NFC) and the ignition is a button. The door unlocks as you approach the car. And is as full of as many problems as you might imagine.

    21. Re:Scary ... by TechyImmigrant · · Score: 1

      His explanation is a little odd. Either the head-antenna is a more efficient isotropic antenna, so more power is being drawn from the battery, or it's creating a more directional antenna with more of the energy pointed in the direction of the car, or both.

      Maybe we should fit our key fobs with Yagis.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    22. Re:Scary ... by stackOVFL · · Score: 1

      One nice thing is it's impossible to lock the fob in the trunk of my BMW. One day I kept closing the trunk and the car kept opening it right back up. I was about to start swearing at the car when it occurred to me to check my briefcase. Behold, there was my fob.

      If there was an app for biometric security here it is. Wireless fob paired with the owner's thumb print. Of course we could just drop our fobs into a metal card file box and close the lid. Shields the RF and makes it harder to lose the fob (don't move the box)!

    23. Re:Scary ... by Anonymous Coward · · Score: 0

      require the human to initiate an action on the key rather than let it respond passively

      But, but, MUH CONVENIENCE! How do you expect me to push a button on my key fob while I'm chugging a Brawndo in one hand and watching the latest episode of Ow My Balls on my phone with my other hand?

    24. Re:Scary ... by ripvlan · · Score: 1

      yeah - the idea that the FOB is always awake surprises me. I'd have thought pressing the button would wake it up for "30 seconds" and then go back to sleep. "I did not initiate this request"

      More modern ones apparently don't allow replay (aside from that hacker thing - geez). I remember years ago (1998) my VW Beetle had a reprogrammable FOB - one simply placed the key in the ignition, turned it "on" and for 30 seconds any FOB near the car with both buttons held down would be allowed future entry to the car. Still couldn't start it because the key was chipped. So I stood beside my buddy who had a similar car and stole his code as a prank. While it seemed unlikely somebody would do that (possible but low probability) it sure seemed like a poor design - and in light of this amplified attack I would now measure that attack much more likely. I could have put one in a parking lot and grabbed all cars.

      Need to start with Secure by Design. Cars as IoT devices - here we go!!

    25. Re:Scary ... by bughunter · · Score: 1

      It's more like a lensing effect. Same principle as a fiber optic coupling sphere - it's all EM, just the wavelength is different.

      http://www.edmundoptics.com/re...

      Hold the key a few inches behind your head and look at the car you want to lock/unlock.

      That trick has worked for me for years.

      --
      I can see the fnords!
    26. Re:Scary ... by delt0r · · Score: 1

      So it is a plain old man in the middle attack. A way to prevent this is to use GPS in the keyfob as part of the challenge response and compare with the car GPS. But this does make the keys more expensive and GPS dependent (parked in a basement anyone?). AKA people get real upset when their car won't start. Also stolen cars are much less of a thing than it used to be in many parts of the world. I would also assume this won't work for after market alarms and immobilizers.

      And there is the magnavolt, the final word on car alarms.

      --
      If information wants to be free, why does my internet connection cost so much?
    27. Re:Scary ... by nukenerd · · Score: 1

      The keys work via proximity (like RFID or NFC) and the ignition is a button. The door unlocks as you approach the car.

      I have obviously got an old-fashioned car as I completely failed to understand this story until I read your comment.

      WTF, are people incapable of pushing a button on their fob any more?

      Personally, I would rather choose the moment when my car doors lock or unlock, not leave it to proximity.

    28. Re:Scary ... by jrumney · · Score: 1

      So, what, it just continuously broadcasts "you can start now", with no intermediate encryption or anything?

      No, there's encryption between the key and the car. The signal is coming from the original key in realtime, tunnelled over another channel. It is not a record and playback later type of attack. This attack is putting a range extender in the middle so the car thinks the original key is nearby, and unlocks and allows the engine to start.

    29. Re:Scary ... by jrumney · · Score: 1

      Doesn't the owner have to press a button, though?

      No. The way it usually works is there is a touch sensor on the back of the door handle, and the combination of key proximity and a touch of the door handle unlocks the car. Some have an option to unlock and open the trunk automatically when you are standing next to the trunk for a few seconds, in case you have your hands full.

    30. Re:Scary ... by Agripa · · Score: 1

      The keyfob has very little battery capacity and power available making the use of a GPS receiver impractical. And even if GPS was an option, either the car or the keyfob or both are regularly going to at least be used in areas where GPS is not available. And even if they never were, nobody is going to put up with the delay caused by the keyfob generating a GPS solution while they wait for their car.

      What might work is a TDA (time domain arrival) solution where the distance between the keyfob and the car is measured or at least estimated but it will still lower the operating lifetime of the keyfob many times before it needs a new battery.

    31. Re:Scary ... by imboboage0 · · Score: 1

      I'm an auto tech and inspector where I reside, and I deal with this all the time. Some BMWs have places to put them (not required usually unless the fob is really dead), some have nowhere to put them (cupholder looks great), some like Audi have you push the key fob into a slot as the start button, then it ejects back out to a run position until you pull it out. As far as I can tell, it makes little difference if the key leaves the vehicle other than an annoying message. Leave it running and you're home free. I have all sorts of customers walk away with the fob, and it makes no difference except to the fuel they burn inside.

      --
      Honesty may be the best policy, but by process of elimination, dishonesty is the second best policy.
    32. Re:Scary ... by delt0r · · Score: 1

      High accuracy TDA with phase measurement is pretty easy and accurate to very fine levels and shouldn't be much of a power drain. 10^-4 phase angle detection is fairly straightforward and at 40 MHz that is down to a meter resolution. Even without that you can get down to meter resolution with timing in the nanoseconds, which is just not that hard to do anymore.

      But let's face it. It is not these guys' top priority. And the car thief can just do it the old-fashioned way.

      --
      If information wants to be free, why does my internet connection cost so much?
    33. Re:Scary ... by Agripa · · Score: 1

      I am very familiar with high resolution interval timing and I think that would be the way to go although there are some refinements which can be used when you can make a repetitive measurement.

      The tricky part I think would be the transmitter strobe to receiver timing uncertainty caused by any digital processing of the signal. The key-fob and receiver no doubt use a lot of relatively slow synchronous logic and that is going to add massive amounts of jitter. That can be overcome but would require strobing the key-fob transmitter asynchronously to its own internal clock unless the key-fob makes its own high resolution time-interval measurement between the received signal and its own internal clock. With a repetitive measurement maybe that can all be ignored.

      Alternatively whatever technique the current generation of short range integrated radar transceivers use might apply if it does not require a wide bandwidth transceiver.
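
The timing-bound idea from comments 30 to 33, together with the relay-versus-replay distinction made earlier in the thread, as an added Python sketch; it is not part of any poster's comment and models no real manufacturer's protocol. The shared key, the 50 µs fob turnaround and the 2 m limit are assumptions chosen for illustration.

```python
"""Challenge/response with and without a round-trip-time bound (constructed model)."""
import hashlib
import hmac
import os

C = 299_792_458.0          # speed of light, m/s
FOB_TURNAROUND_S = 50e-6   # assumed fixed time the fob needs to compute a reply
MAX_RANGE_M = 2.0          # assumed distance the car is willing to accept


def fob_response(key: bytes, challenge: bytes) -> bytes:
    """The fob proves knowledge of the shared key for this fresh challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def measured_rtt(path_m: float, relay_latency_s: float = 0.0,
                 fob_jitter_s: float = 0.0) -> float:
    """Round-trip time the car observes.

    path_m          one-way radio path, car to fob (through any relay)
    relay_latency_s delay added by relay electronics, both directions combined
    fob_jitter_s    unpredictable extra delay in the fob's turnaround
    """
    return 2 * path_m / C + FOB_TURNAROUND_S + fob_jitter_s + relay_latency_s


def car_accepts(key: bytes, challenge: bytes, response: bytes, rtt_s: float,
                *, check_time: bool, jitter_budget_s: float = 0.0) -> bool:
    """Verify the MAC and, optionally, that the reply came back fast enough."""
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):
        return False                      # wrong key or a stale (replayed) reply
    if not check_time:
        return True                       # crypto alone says nothing about distance
    limit = 2 * MAX_RANGE_M / C + FOB_TURNAROUND_S + jitter_budget_s
    return rtt_s <= limit


def slack_in_metres(jitter_budget_s: float) -> float:
    """One-way distance that a given timing tolerance can no longer rule out."""
    return C * jitter_budget_s / 2


def run_scenarios() -> dict:
    key = os.urandom(16)                       # constructed shared secret
    challenge = os.urandom(16)                 # fresh for this unlock attempt
    response = fob_response(key, challenge)    # a relay forwards this unchanged
    stale = fob_response(key, os.urandom(16))  # reply to some earlier challenge

    near = measured_rtt(path_m=1.0)            # owner standing at the door
    relayed = measured_rtt(path_m=100.0)       # ideal relay: adds distance only

    return {
        # Replay fails on the MAC, as the thread says: the challenge changed.
        "replay_crypto_only": car_accepts(key, challenge, stale, near,
                                          check_time=False),
        # Relay passes the MAC: the real fob answered the real challenge.
        "relay_crypto_only": car_accepts(key, challenge, response, relayed,
                                         check_time=False),
        "near_timed": car_accepts(key, challenge, response, near,
                                  check_time=True),
        # 100 m adds about 0.67 us of flight time, which the bound catches.
        "relay_timed": car_accepts(key, challenge, response, relayed,
                                   check_time=True),
        # Tolerating 1 us of fob jitter hides about 150 m, so the relay passes.
        "relay_timed_1us_budget": car_accepts(key, challenge, response, relayed,
                                              check_time=True,
                                              jitter_budget_s=1e-6),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:24s} accepted={accepted}")
    print(f"1 ns of tolerance = {slack_in_metres(1e-9):.3f} m of slack")
    print(f"1 us of tolerance = {slack_in_metres(1e-6):.1f} m of slack")
```

The last scenario is the jitter problem raised in comment 33: every nanosecond of timing tolerance the car grants is roughly 15 cm of distance it can no longer exclude.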

    34. Re:Scary ... by eric_harris_76 · · Score: 1

      Security gets little attention for all sorts of reasons. It seems to boil down to being unobvious, in two stages.

      In a world where "Good, cheap, fast: pick any two" is true (the world we live in, where tradeoffs exist) the two that get picked most often are the ones management and others can easily see: schedule ("fast") and budget ("cheap"). Quality ("good") gets slighted a lot.

      Especially the part of quality that isn't easy to spot.

      Security that doesn't work right because it makes things difficult or impossible for customers is obvious, and gets addressed pretty quickly. Security that doesn't work right because it makes things possible or even easy for criminals (private sector or public sector) is inconspicuous, and gets found and addressed later or never.

      So, engineers and software developers focus on how to make things work and be usable for their intended ways, not how to make them not work (for criminals) and not be usable for unintended ways by criminals.

      --
      There's no time like the present. Well, the past used to be.
  2. Did anyone not see this as a dumb idea? by Anonymous Coward · · Score: 0

    Seriously? Not interfacing the keys with the car physically was just a bad idea.

    The more I see how we are using technology, the more I become a Luddite.

    1. Re:Did anyone not see this as a dumb idea? by smooth+wombat · · Score: 1

      This is why analog is still better, but I'm sure there will be people on here who will give excuses for why we absolutely, positively, without exception MUST go digital.

      Because . . . digital.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    2. Re:Did anyone not see this as a dumb idea? by Locke2005 · · Score: 5, Interesting

      Actually, I kind of liked my Mazda key that was designed so that I never had to take it out of my pocket, except: 1) My sister-in-law drove the car, gave it back to me while it was still running, I drove my daughter's friend home, turned the car off... then couldn't start it again, because I didn't have the key! and 2) You get so used to pushing the button on the door handle to unlock it that it comes as a shock when you push the button and nothing happens, as you slowly realize you never put the key in your pocket that morning.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    3. Re:Did anyone not see this as a dumb idea? by omnichad · · Score: 1

      Analog car remotes were subject to much more trivial replay attacks. Of course those at least required you to know when the owner was pressing a button. Once you're in the car, you can steal it if it's an older car without computer-based security.

    4. Re:Did anyone not see this as a dumb idea? by Anonymous Coward · · Score: 0

      Sorry for your bout of PEBKAC but I have this on my Honda and love it. I leave the key in my booksack or pocket. Just push the appropriate buttons to unlock, lock, start/stop the car.

      It is really not that hard to figure out. I've tested the range and it is pretty short for my car's implementation so I'd at least get a look at you if you were trying to signal-jack me.

    5. Re:Did anyone not see this as a dumb idea? by Anonymous Coward · · Score: 0

      Yeah, because you can't possibly amplify analog signals. Right?

      (I don't see any drawback in digital over analog here.)

    6. Re:Did anyone not see this as a dumb idea? by Anonymous Coward · · Score: 0

      Directional, high-gain antennas will take care of that 'short range' pretty handily.

    7. Re:Did anyone not see this as a dumb idea? by EvilSS · · Score: 1

      This makes me seriously wonder how many people keep the key in their car when they park at their house, to prevent just such an occurrence.

      Excuse me, I need to go... car shopping.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    8. Re:Did anyone not see this as a dumb idea? by Anonymous Coward · · Score: 0

      I think (s)he means analog, as in requiring you to put a key in the ignition to start and drive the car.

    9. Re:Did anyone not see this as a dumb idea? by Khyber · · Score: 1

      Try educating yourself. Digital is just discrete analog.

      All signals are prone to reamplification attacks.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    10. Re:Did anyone not see this as a dumb idea? by Anonymous Coward · · Score: 0

      man sarcasm

    11. Re:Did anyone not see this as a dumb idea? by iotaborg · · Score: 1

      Both our Toyota and Subaru have keyless ignition and it constantly yells/beeps at you telling you the key is not in the car. Did you not notice, or did Mazda forget to put such an obvious alert?

    12. Re:Did anyone not see this as a dumb idea? by CycleFreak · · Score: 1

      My Mazda 6 (2015 model) will not start unless the keyless remote is inside the car. I don't know exactly how this works, but it does work. I have tried setting the key on shelf only a foot from the car. It knows the key is nearby, but instead of starting, it flashes a red key icon.

      Further, if the car is running and I get out of the car with the key in my pocket, the car beeps and the doors will not lock. And, if I shut off the car, but leave the key inside the car, the car beeps at me as I walk away. You'd have to be fairly oblivious to these warnings and actively circumvent them to lock yourself in/out of the car.

    13. Re:Did anyone not see this as a dumb idea? by Anonymous Coward · · Score: 0

      While that is indeed the best kind of key it got nothing to do with analog at all.

      Same as you can build a wireless key analog or digital, you can build such a key with mechanical, analog and digital security features. AFAIK most cars currently use a combination of mechanical ("teeth") and digital (crypto challenge) that both must succeed in order to start the car.

    14. Re:Did anyone not see this as a dumb idea? by vtcodger · · Score: 1

      On top of which, when was the last time the batteries in a $2 mechanical key died?

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    15. Re:Did anyone not see this as a dumb idea? by Grishnakh · · Score: 1

      I have a 2015 Mazda3, and it's the same. It works by having multiple transceivers mounted around the vehicle: one on each front door, one on the hatch door, and one (maybe two) inside the passenger compartment. It can tell where the key is that way.

    16. Re:Did anyone not see this as a dumb idea? by Grishnakh · · Score: 1

      He didn't notice. I have a Mazda too, and if you leave the engine running as you leave the car (with the key in your pocket), it beeps loudly and annoyingly, just like your Toyota and Subaru (though not "constantly", it beeps for several seconds as you walk away). You'd have to be deaf to miss it.

    17. Re:Did anyone not see this as a dumb idea? by Streetlight · · Score: 1

      My Prius has a remote keyless entry and start system. If the battery dies, the fob has a physical/hard metal key that can open the doors. To start the car the car's manual says one can touch the metal Toyota label on the fob to the start button and the car will start. I've tried that and it works. I'm not quite sure how that works but it's possible the fob or the button has an RFID chip for communication or the button provides electricity to the fob. The start button is black with silver painted text but doesn't look conductive, so I'm not sure the latter suggestion is correct. Anyway, if the fob's battery dies one can gain entry to the car and get it started. Also the display console has a notice when the fob battery is getting weak so there is a warning to replace the battery.

      --
      In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
    18. Re:Did anyone not see this as a dumb idea? by superdave80 · · Score: 1

      I don't know how they get the position of the key so accurate, but my 2015 Santa Fe can tell the difference between me standing right next to the driver door with the key in my pocket, or the key sitting in the center console (only 3 feet difference). I once accidentally left the key in the center console, got out of the car, and attempted to lock the car. It would not let me. I was actually getting pretty pissed because I thought the car wasn't working correctly because I thought the key was in my pocket. Nice little feature to keep idiots like me from locking myself out. That came in REALLY handy that day, since I had my sister-in-law's wedding dress in the car... and I was delivering it for her to get ready for her wedding. Hyundai engineers kept me from having to smash the window of my brand new car. Thanks guys!

    19. Re:Did anyone not see this as a dumb idea? by fahrbot-bot · · Score: 1

      Analog car remotes were subject to much more trivial replay attacks.

      My analog is an actual key in the actual ignition switch.

      I have a 2001 Honda Civic Ex and 2002 Honda CR-V Ex and have only ever used the remote entry fobs occasionally and don't usually even carry it -- them -- with me. I like to keep my keys hooked on my belt loop and stuffed into my back pocket and the remote fobs are simply too big - and unnecessary if you have the key.

      I don't have key-less start - yet (it's becoming inevitable). While I can understand the perceived appeal -- especially to the manufacturer as they get to stop supporting keys and yet charge more for the electronics -- I think it's stupid and unnecessary and can't stand it. I can only hope that by the time I have to buy a new car, I can get a regular key even if I have to pay more.

      --
      It must have been something you assimilated. . . .
    20. Re:Did anyone not see this as a dumb idea? by omnichad · · Score: 1

      analog signal != physical objects

      The same remotes are also used for keyless entry and not just keyless ignition. I do think keyless ignition is a mistake, at least in its current form.

    21. Re:Did anyone not see this as a dumb idea? by Locke2005 · · Score: 1

      2011 might not have had this feature. It complains if you leave the key in the car or in the trunk (I'm surprised it can tell if it's inside or outside the car); I haven't noticed it beeping if you drive off without the key, but I may have had the stereo blasting.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    22. Re:Did anyone not see this as a dumb idea? by Anonymous Coward · · Score: 0

      My analog is an actual key in the actual ignition switch.

      You seem to be confusing analog vs. digital, with physical vs. remote, and mechanical vs. electronic.

      While the key itself is mechanical it still uses an electronic ignition which won't engage without the electronic chip in the key. Usually that's a digital electronic communication, but it's possible to find a few early versions which used an analog electronic mechanism.

    23. Re:Did anyone not see this as a dumb idea? by Anonymous Coward · · Score: 0

      This makes me seriously wonder how many people keep the key in their car when they park at their house, to prevent just such an occurrence.

      My car won't lock the doors with the fob inside without a person inside.
      I suppose you could set a heavy weight on one of the seats to fool the sensor, but that seems to be a lot of trouble to go through to avoid having to put your damn keys in your pocket (or purse) in the morning.
      Especially when most people just put the fob on the same keychain as their house keys.

    24. Re:Did anyone not see this as a dumb idea? by Anonymous Coward · · Score: 0

      So your doors can be bypassed with a coat hanger and your ignition can be bypassed by someone who can generate an electronic signal via wiring... cool.

    25. Re:Did anyone not see this as a dumb idea? by Anonymous Coward · · Score: 0

      Try educating yourself. Digital is just discrete analog.

      All signals are prone to reamplification attacks.

      Maybe you should try educating yourself. I have an out of use 1997 Ford Taurus (the 1986 model was better - marketing got to the 1997 model). It uses an analog key. No reamplification necessary; no digital or analog signals exist.

    26. Re:Did anyone not see this as a dumb idea? by Grishnakh · · Score: 1

      Yeah, it may be new. But the beeping on my 2015 Mazda3 is from a beeper under the hood (the same beeper that tells you the car is unlocking or locking). You'll hear it after you close the door, even with the stereo blasting.

    27. Re:Did anyone not see this as a dumb idea? by EvilSS · · Score: 1

      This makes me seriously wonder how many people keep the key in their car when they park at their house, to prevent just such an occurrence.

      My car won't lock the doors with the fob inside without a person inside. I suppose you could set a heavy weight on one of the seats to fool the sensor, but that seems to be a lot of trouble to go through to avoid having to put your damn keys in your pocket (or purse) in the morning. Especially when most people just put the fob on the same keychain as their house keys.

      Yea but how many people lock their car doors when they are parked in their own garage? I certainly don't.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    28. Re:Did anyone not see this as a dumb idea? by EvilSS · · Score: 1

      I'm referring to people leaving the fob in their car when they park in their garage at night for convenience, not locking yourself out. I don't know about you, but I don't lock my car doors when it's parked inside my own garage. While I do lock the door between my house and garage (and thus would notice if I left my house key, attached to a fob, in the car) many people don't do that either.

      Not really any different than leaving their keys in it but still, I know people personally who are doofy enough to do it. I'm sure there are plenty of others out there who would.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    29. Re:Did anyone not see this as a dumb idea? by Agripa · · Score: 1

      The reed switch glued to the underside of my cup holder is not computer based and works to prevent operating my car just fine unless you have my magnetic coaster.

    30. Re:Did anyone not see this as a dumb idea? by Anonymous Coward · · Score: 0

      It uses an analog key. No reamplification necessary;

      Reamplification not being necessary isn't the point.* The problem is that it's POSSIBLE. Which it is.

      no digital or analog signals exist.

      You literally just said it uses analog. (Don't know/care about the car.)

      *It being necessary (IE the only possible attack vector) might actually be a good thing.

  3. HA! by Anonymous Coward · · Score: 0

    My Jeep isn't on the list!

    At least my last hack was patchable.

  4. Pudding pops? by DNS-and-BIND · · Score: 4, Interesting

    "their work ought to convince hundreds of thousands of drivers to keep their car keys next to their Pudding Pops"

    Huh? Pudding pops? What does that even mean? I thought the new Slashdot management was going to get rid of these horrible summaries that don't make any sense. Since the word is capitalized, I assume this means Jell-O Pudding Pops? The frozen snack from the 80s? They stopped making these a long, long time ago. So you should keep your key fob in the freezer? How does that help?

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    1. Re:Pudding pops? by Anonymous Coward · · Score: 5, Informative

      Freezer = faraday cage.

    2. Re:Pudding pops? by Anonymous Coward · · Score: 0

      I was about to post the same thing, except I didn't even know they were a snack.

      Does anyone know how to write anymore?

    3. Re:Pudding pops? by Anonymous Coward · · Score: 0

      That is how it was phrased in the article....or did you not RTFA.

    4. Re:Pudding pops? by Anonymous Coward · · Score: 0

      RTFA

    5. Re:Pudding pops? by Anonymous Coward · · Score: 0

      Possibly a reference to Edward Snowden requiring visitors to put their phones in the fridge to prevent snooping?

    6. Re:Pudding pops? by mlw4428 · · Score: 1

      I think so. I believe it's a common practice for people who want to hoard/hide stuff to hide it in their freezers. I think the statistic on that is 1 in every 4 Americans.

    7. Re:Pudding pops? by Nidi62 · · Score: 1

      "their work ought to convince hundreds of thousands of drivers to keep their car keys next to their Pudding Pops"

      Huh? Pudding pops? What does that even mean? I thought the new Slashdot management was going to get rid of these horrible summaries that don't make any sense. Since the word is capitalized, I assume this means Jell-O Pudding Pops? The frozen snack from the 80s? They stopped making these a long, long time ago. So you should keep your key fob in the freezer? How does that help?

      I just assumed this was a hidden slashvertisement for a new car security service led by Bill Cosby.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    8. Re:Pudding pops? by Khyber · · Score: 1

      "Huh? Pudding pops? What does that even mean?"

      If you can't figure out that this means "Put your shit in a faraday cage like a freezer" then you are showing either your ignorant youth or your increasing senility.

      Given your UID, I'll have to assume the latter.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    9. Re:Pudding pops? by Anonymous Coward · · Score: 0

      http://s62.podbean.com/pb/7a8943ae18c17d50b38e55f00bfe28e2/56f16214/data1/blogs57/627033/uploads/puddingpops.jpg

    10. Re:Pudding pops? by MobyDisk · · Score: 1

      That doesn't matter.
      1) The text wasn't in quotes, so the author of the summary is responsible for it.
      2) Even if it was in quotes, the submitter and Slashdot editors are responsible for writing summaries that make sense. That may mean putting things in their own words, rather than copy/pasting text from the article.

    11. Re:Pudding pops? by OzPeter · · Score: 1

      "Huh? Pudding pops? What does that even mean?"

      If you can't figure out that this means "Put your shit in a faraday cage like a freezer" then you are showing either your ignorant youth or your increasing senility.

      Or you don't have a shared cultural reference that allows you to connect the dots.

      Protip .. the internet doesn't end at the boarders of the USA.

      --
      I am Slashdot. Are you Slashdot as well?
    12. Re:Pudding pops? by Anonymous Coward · · Score: 0

      Yes, it took me an extra 1.5 seconds to figure out that they meant a Faraday cage. 1.5 extra seconds of my life I will never get back.

    13. Re:Pudding pops? by gstoddart · · Score: 3, Informative

      Well, there's this:

      After having his Prius burgled repeatedly outside his Los Angeles home, the New York Times' former tech columnist Nick Bilton came to the conclusion that the thieves must be amplifying the signal from the key fob in the house to trick his car's keyless entry system into thinking the key was in the thieves' hand. He eventually resorted to keeping his keys in the freezer.

      Cuz, you know, Pudding Pops are frozen. And go really nicely with quaaludes, apparently. ;-)

      --
      Lost at C:>. Found at C.
    14. Re:Pudding pops? by Coisiche · · Score: 1

      Huh? Pudding pops? What does that even mean?

      I too was somewhat puzzled with that one since I didn't bother RTFA and thought it was probably something American that nobody outside the USA would know of. Some pondering of the summary led me to conclude that it was something kept in the fridge since that would block radio signals, although other comments seem to indicate that they are stored in a freezer. Same difference, one might think, but even though car keys tend to have big plastic grips there's still enough exposed metal that I'd favour the fridge for less complications while hurriedly picking them up.

    15. Re:Pudding pops? by gstoddart · · Score: 1

      2) Even if it was in quotes, the submitter and Slashdot editors are responsible for writing summaries that make sense.

      I'd go with the fallback of "you must be new here", but, really, have you ever seen any evidence of this?

      I sure as hell haven't. I'm skeptical it's even in the job description, because people have been griping about the editors as long as I've been using Slashdot.

      --
      Lost at C:>. Found at C.
    16. Re:Pudding pops? by thegarbz · · Score: 1

      If you can't figure out that this means "Put your shit in a faraday cage like a freezer" then you are showing either your ignorant youth or your increasing senility.

      Or maybe didn't grow up in your city with your parents and your diet. What the heck is a Pudding Pop anyway? And why would you keep Pudding in a freezer. That would just make it go hard.

    17. Re:Pudding pops? by Anonymous Coward · · Score: 0

      the freezer should be metal skinned and reduce the signals significantly.

    18. Re: Pudding pops? by Type44Q · · Score: 1

      And why would you keep Pudding in a freezer. That would just make it go hard.

      Being put in a freezer has quite the opposite effect on me...

    19. Re: Pudding pops? by Type44Q · · Score: 1

      ...it was probably something American that nobody outside the USA would know of.

      ...or anyone inside the USA who wasn't a total fat-ass at the time; for the rest of us, well some cultural references were meant to die a healthy death.

    20. Re:Pudding pops? by Anonymous Coward · · Score: 0

      A few problems with this:

      1. Not everyone is familiar with this particular item. Or is it hip these days to drop references to discontinued junk foods?

      2. Pudding Pops are more likely to be associated with Bill Cosby than freezers or even food. Even when they were sold, the Cosby connection was probably stronger. So the reference would send people off in the wrong direction.

      3. Even if you did make the connection to frozen food, the freezer part isn't a given. The article is about cars, and you would use a car to transport your Pudding Pops home from the store, so your Pudding Pops are in a grocery bag. Keep your car keys in a grocery bag? More misdirection.

      4. You're at home, the Pudding Pops are in the freezer. They are never coming out because they don't actually exist, so we've reached our destination. And we need to block signals going to/from our keys, so the keys are going in the freezer. Because that's where I naturally put electronics to keep them safe. In a very cold and humid environment. The defining characteristic of a freezer is obviously "metal box" and not anything else, and there's no other obvious way of blocking signals in the kitchen. I mean, it's not like I would have some sort of tinfoil hat at the ready if I were already paranoid about such things...

      But I guess kids today are just tossing everything in the freezer, so whatever. Just keep your keys next to grandpa's old batteries and unexposed film.

    21. Re:Pudding pops? by lgw · · Score: 1

      Pudding Pops were a frozen snack, with Bill Cosby in their TV ads. There's a recent meme from those ads, good joke material given the recent allegations against him. Whether you're old and savvy, or young and hip, you should get the reference.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    22. Re:Pudding pops? by thegarbz · · Score: 1

      you should get the reference.

      I don't think you quite get how localised some of the things you consider everyone should know really are.
      Bill Cosby? I've never seen him in an advert. Actually I think I've seen him more in the news than in any TV show (though at least I know he was in a TV show).

    23. Re:Pudding pops? by sudon't · · Score: 1

      They stopped making these a long, long time ago

      Interesting. The disappearance of Pudding Pops coincides with the disappearance of Quaaludes. Coincidence?

      --
      -- sudon't

      Air-ride Equipped

    24. Re:Pudding pops? by lgw · · Score: 1

      I'm guessing from your UID that you weren't a kid in the 80s, or weren't watching US TV programs (even those that went abroad). TV Guide called it "TV's biggest hit in the 80s".

      --
      Socialism: a lie told by totalitarians and believed by fools.
    25. Re: Pudding pops? by Outta_the_way_peck! · · Score: 1

      You're just not staying in there long enough.

    26. Re:Pudding pops? by OzPeter · · Score: 1

      TV Guide called it "TV's biggest hit in the 80s".

      You know you are not going to win an argument about specialized localization if you offer up the fact that a US based company called a US TV show a big hit, from which the main US based character was advertising a US based food product.

      --
      I am Slashdot. Are you Slashdot as well?
    27. Re:Pudding pops? by lgw · · Score: 1

      Slashdot is a US-centric site. Expect US-centric cultural references. Also, it's called "soccer", football is the US sport. :p

      --
      Socialism: a lie told by totalitarians and believed by fools.
    28. Re:Pudding pops? by Anonymous Coward · · Score: 0

      protip .. there's no 'a' in borders.

    29. Re:Pudding pops? by thegarbz · · Score: 1

      TV Guide called it "TV's biggest hit in the 80s"

      Whose TV guide? I was a kid in the 80s. I may have seen 1 episode in my life, and I watched my fair share of TV. Again don't assume localisation translates to an international website. Or should we start comparing parts of article summaries to soiled panty vending machines and complain when the non-Japanese don't understand what they are talking about?

      Actually I'm very interested now to see if there's correlation between age and UID. In theory there should be some correlation since there's a finite age limit a UID can go back to and in general I believe this website caters to the interests of a wide age group, but it still would be interesting to see exactly how well it correlates.

    30. Re:Pudding pops? by Solandri · · Score: 1

      Just get one of the RFID-blocking pouches that's big enough to fit your key fob. Easy enough to test that it works. Or if you're into the classics, build one yourself out of tin foil.

      I'm curious though why the press seems to have latched onto the idea of putting it in the freezer, when the refrigerator would work just as well. So would a metal toolbox.

  5. surprise, surprise! by Anonymous Coward · · Score: 0

    Could the researchers explain why this attack SHOULD NOT be possible?
    Is there technology available that can be used to verifiably check how far away the device that emits the signal is?

    1. Re:surprise, surprise! by Nemyst · · Score: 1

      Even assuming there were, a device that perfectly re-emitted the signal would be seen as the original source by the car, and there'd be no way of differentiating it. The signal itself can't carry that information, so it can't be encrypted to prevent tampering.

    2. Re:surprise, surprise! by suutar · · Score: 1

      The only reliable way I know of to do a distance check using radio is to time a signal/response loop, but at the distances we're talking about here, processing time in the fob is probably the majority of it and if that's not precisely predictable it doesn't help much.

      For example, at 300m the speed-of-light round trip time is about two microseconds, so if the time it takes the fob to accept, process, and respond to the signal has more than 2 microseconds of variation the car can't tell if it's far off or just slow.

    3. Re:surprise, surprise! by Anonymous Coward · · Score: 0

      As mentioned in the article itself, timing requirements would significantly mitigate this method of attack.
      The car's makers know the time it takes the fob to respond to the car's request for verification. Make it so that the car waits *only* long enough for that processing time, plus the speed of light round-trip for the signal up to 5 feet away. The extra 'lag' introduced by the longer distance of the attack, plus the receive and rebroadcast time would prevent it.

  6. We need to stop solving problems that don't exist. by Simulant · · Score: 1, Insightful

    Our lives aren't significantly enhanced by wireless keys. Are they?

  7. Not entirely a surprise, But... by foxalopex · · Score: 1

    To be honest this wasn't entirely a surprise. Wireless, I have to admit, is very convenient though, and well, as they say, there's a fine balance between convenience and security. On the other hand a lot of modern cars feature systems such as OnStar which means your vehicle can be tracked or disabled by the manufacturer so they're not exactly the most ideal cars to try to steal.

    And no, these keys are encrypted but the problem is they're using a "range-extender" to make it seem like your key is right next to the car when in reality it is a fair distance away.

  8. timestamps by selectspec · · Score: 2

    Solution:

    (Assuming the key/car are using private/public key pairs)

    You'd have to put a reasonably accurate clock in the key, and then have it encrypt and send timestamps to the vehicle using a sequence of rapidly fired request messages followed by response messages.

    The car could then decrypt the messages and compare the timestamps from the sequence of messages measuring the distance between the key and the car. The clock in the key would have to have similar accuracy to a laser range finder.

    The actual protocol would be a bit more complicated in the details, but the basics outlined above are what is needed.

    --

    Someone you trust is one of us.

    1. Re:timestamps by Anonymous Coward · · Score: 1

      I have a patent pending on a very related topic. The problem with timers for this solution is that the resolution and tolerances cannot match the very small timescales we're dealing with. The difference between a signal that travels 5 meters vs one that travels 1000 meters is only like 3.3 us. Even with regular calibration, that is not a lot of tolerance to work with.

    2. Re:timestamps by Sleuth · · Score: 1

      So, you're going to install a laser? You need one to get the accuracy you're talking about... (and line of sight, etc...)

    3. Re:timestamps by ledow · · Score: 2

      Or just make the user press a button to actually unlock / start their car.

      Which seems a fecking good idea anyway.

      All this "do things from out of visual range" junk is just asking for trouble when you have to a) touch the door to open it anyway and b) touch the pedals/wheel to drive it anyway.

    4. Re:timestamps by fraxinus-tree · · Score: 1

      Much simpler solution: the car should not wait more than 40 light-meters for the second, previously-encrypted answer from the key.

      Then again, most people right now need mitigation measures. I am not sure if removing the battery from the key is a good one - the design is bad enough to expect the key forgetting the data when left without power.

    5. Re:timestamps by Anonymous Coward · · Score: 0

      Solution:

      You'd have to put a reasonably accurate clock in the key, and then have it encrypt and send timestamps to the vehicle using a sequence of rapidly fired request messages followed by response messages.

      Great, that'll suck so much power we'll have to remember to charge up our car keys every fucking night!

      Stop overcomplicating things, keyless entry and ignition is a fucking gimmick, a solution to a non-existent problem.

    6. Re:timestamps by inject_hotmail.com · · Score: 1

      Ok, so run the conversation in a loop 10 000 times to amplify the delay. You'll be into the millisecond range by then. Wouldn't that be a wide enough tolerance?

    7. Re:timestamps by selectspec · · Score: 1

      Agreed. The processing times of the ASICs in the car and the key would have to be extremely well calibrated with very low clock drift tolerances. Crypto would all have to be out of band, with some kind of signature exchange at the end of the process to validate the message chain.

      Good luck with the patent.

      --

      Someone you trust is one of us.

    8. Re:timestamps by Anonymous Coward · · Score: 0

      You just reduced battery life from years to months at best.

    9. Re:timestamps by Anonymous Coward · · Score: 0

      Simpler solution:

      Require the push of an actual button before doing anything... I never understood why this modern 'touchless' key thing was needed... was it really too much effort to press a button?

      And yes, an even simpler solution:
      No remote unlocking or starting at all. Like we did in the olden days - an actual physical lock that needed an actual physical key to match it and be turned...

    10. Re:timestamps by firewrought · · Score: 1

      Unfortunately, the solutions they're actually considering are more at the analog signals level... e.g., checking various characteristics of the waveform. I'm not an EE, but that probably means the attacks will still be possible [though more difficult] on generation 2 fobs.

      Like the other poster said, just checking that the roundtrip time is 40 light-meters would mitigate most of this attack (assuming it's already resilient against replays).

      --
      -1, Too Many Layers Of Abstraction
    11. Re:timestamps by Anonymous Coward · · Score: 0

      Solution: Require a piece of metal to be inserted into an opening that, when rotated, allows the driver to operate the vehicle. The rotation will only occur with a properly-shaped metal device so in order to copy it, you must physically obtain it from the owner for a period of time and replace it without him knowing. Bonus points if an electronic countermeasure is included in the key itself, so that the proper security codes must be obtained in order to start as well.

    12. Re:timestamps by idji · · Score: 1

      Light travels 1 meter in 3 nanoseconds. At 1GHz light travels 30 centimeters per clock cycle. You'd need a very fast response in everything. Even the Large Hadron Collider and the Italians had problems resolving nanosecond level timing problems.

    13. Re:timestamps by selectspec · · Score: 1

      This problem has been solved in TOF laser range finders, like the hand held ones used on golf courses. An expander chip takes the incoming analog signal and stretches it out a million times with considerable precision. The signal can then be analyzed by standard low cost and low power processors.

      The challenge here is that instead of a reflecting laser, you have the call/process/response in the equation. That process time will be orders of magnitude larger than the signal traversal. So, you'd have to have very accurate and standard processing times.

      --

      Someone you trust is one of us.

    14. Re:timestamps by Solandri · · Score: 1

      You don't need a super-accurate clock. All you need is a timer with good resolution on the car, and a keyfob which is programmed to always take the same amount of time to reply to a query. The car can then measure the elapsed time between when it sends the challenge and when it receives the response. Subtract the time the keyfob spends generating an (encrypted) reply, and you get the travel time for the radio signal. That tells you how far the keyfob is from the car. The keyfob doesn't even need a clock.

    15. Re:timestamps by Agripa · · Score: 1

      The tolerances might be a problem but the resolution is not; it just requires a different way of thinking.

      The speed of light is about 1 nanosecond per foot implying that you need a 1 GHz counter to get to that resolution. In practice however analog interpolation easily allows single shot measurements with 2 or more orders of magnitude better resolution so only a 10 MHz counter is needed which is not difficult at all. Some of the newer PIC microcontrollers even have the hardware (CTMU or charge time measurement unit) to support this built in. I am used to discrete implementations which easily get down to 50 picoseconds. The bandwidths needed are not all that high either and 50 MHz is sufficient to get down to differences in time below 1 nanosecond.

      What would be needed though is an invariant fixed delay between the strobed transmitter, reply from the key-fob, and the receiver which is likely going to require some major design changes to prevent sampling error due to their clocked digital design. The delay measurement itself is almost trivial in comparison.
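
Added example (not part of any comment in this thread, and not any manufacturer's protocol): a model of the round-trip-time check discussed above, in which the car times a challenge/response, subtracts the fob's fixed reply delay, and bounds the remaining flight time. It shows why a relayed response still passes the cryptographic check, and how fob timing jitter widens the distance the car must accept. The HMAC-SHA256 response, the 1 ms reply delay, the 20 m one-way bound (a 40 m round trip), the 50 ns relay latency and all names are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

C_M_PER_S = 299_792_458  # speed of light in vacuum


def flight_ns(one_way_m: float) -> float:
    """Round-trip radio time of flight in ns for a one-way distance in metres."""
    return 2 * one_way_m / C_M_PER_S * 1e9


@dataclass
class Fob:
    key: bytes
    nominal_proc_ns: float  # fixed reply delay the car expects (assumed)

    def respond(self, challenge: bytes) -> bytes:
        # A relay forwards this answer unchanged, so it is always "valid".
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


@dataclass
class Car:
    key: bytes
    nominal_proc_ns: float
    max_range_m: float          # one-way distance the car is willing to accept
    jitter_tolerance_ns: float  # slack needed so a slow genuine fob is not rejected

    def check(self, challenge: bytes, response: bytes, measured_rtt_ns: float):
        """Return (crypto_ok, timing_ok) for one timed exchange."""
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        crypto_ok = hmac.compare_digest(expected, response)
        est_flight_ns = measured_rtt_ns - self.nominal_proc_ns
        limit_ns = flight_ns(self.max_range_m) + self.jitter_tolerance_ns
        return crypto_ok, est_flight_ns <= limit_ns

    def worst_case_range_m(self) -> float:
        """Largest one-way distance that still passes when the fob replies on time."""
        return self.max_range_m + C_M_PER_S * self.jitter_tolerance_ns * 1e-9 / 2


def exchange(car: Car, fob: Fob, path_m: float,
             fob_extra_ns: float = 0.0, relay_latency_ns: float = 0.0):
    """One timed challenge/response over a radio path of path_m metres (one way)."""
    challenge = os.urandom(16)
    response = fob.respond(challenge)
    rtt_ns = (flight_ns(path_m) + fob.nominal_proc_ns
              + fob_extra_ns + relay_latency_ns)
    return car.check(challenge, response, rtt_ns)


# Constructed values for the demonstration.
KEY = b"constructed-demo-key"
PROC_NS = 1_000_000.0  # 1 ms nominal fob processing time


def scenarios() -> dict:
    fob = Fob(KEY, PROC_NS)
    strict = Car(KEY, PROC_NS, max_range_m=20.0, jitter_tolerance_ns=0.0)
    loose = Car(KEY, PROC_NS, max_range_m=20.0, jitter_tolerance_ns=2000.0)
    return {
        # Precise fob: owner beside the car passes, a 300 m relay fails on timing only.
        "strict_owner_1m": exchange(strict, fob, 1.0),
        "strict_relay_300m": exchange(strict, fob, 300.0, relay_latency_ns=50.0),
        # Fob with up to 2 us of jitter: the slack that admits the slow owner
        # also admits the 300 m relay.
        "loose_slow_owner_1m": exchange(loose, fob, 1.0, fob_extra_ns=2000.0),
        "loose_relay_300m": exchange(loose, fob, 300.0, relay_latency_ns=50.0),
        "loose_worst_case_range_m": round(loose.worst_case_range_m(), 1),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26s} {result}")
```

Every 2 µs of slack the car grants for fob jitter adds roughly 300 m to the distance it cannot rule out, which is the tolerance problem the comments above describe.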

  9. Re:We need to stop solving problems that don't exi by swb · · Score: 1

    If you haven't owned a car with keyless drive like this, you can't imagine how convenient it is to just walk up to locked car, open the door and drive away without digging out a ring of keys.

    I can go days without ever taking my keys out of my coat pocket.

  10. Re:We need to stop solving problems that don't exi by Anonymous Coward · · Score: 1

    This is why I stick with wired keys only.

  11. User must still press the button by Anonymous Coward · · Score: 0

    If I am reading it correctly this only extends the radio frequency but the user still has to press the button on their remote.

    Now if you are talking about breaking the window and pressing the start button in the car then I can see that could be a problem. I would hope the car maker uses triangulation to detect if the remote is within the car.

    1. Re:User must still press the button by selectspec · · Score: 2

      No, they don't. The keys passively send out signals without user interaction, probably in response to a signal sent out by the car which has a bigger battery than the key. In either case, if you have a keyless car, the car communicates with the key without user interaction.

      --

      Someone you trust is one of us.

    2. Re:User must still press the button by ledow · · Score: 1

      This is the so-called "keyless" entry system where mere presence of the key-device is considered enough to open the doors and start the car.

      All they are doing is extending that "probe" range artificially so the key thinks it's near the car and the car thinks the key (and thus the driver) are near too.

      It's one of the incredibly STUPID ideas that I actively removed from the list of options on a new vehicle that I was offered recently, for precisely this reason. If you have the traditional "press a button to open doors" keys, then you're still subject to radio interception attacks (dependent on the complexity of the protocol, it's not hard to imagine it can be secure but that it's not as secure as you might think) but not to simple "passive" authorisation at a distance like this.

  12. Re:We need to stop solving problems that don't exi by Anonymous Coward · · Score: 0

    From long distances, not really. It would be best if they only worked within a few feet of the car, that would balance security and convenience.

  13. Re:Insurance by PPH · · Score: 1

    Stick shift. So that eliminates some thieves right there. Manual choke. Most thieves were not alive when one had to know how to start a car with one of these.

    And if I want to be really nasty, I'll disable the electric starter and use the crank handle that fits into the crank pulley (yes, my truck has one of these).

    --
    Have gnu, will travel.
  14. Add a secure lock mode by swb · · Score: 2

    They could add a secure lock mode, where if you affirmatively press the lock button on the keyfob, the car will require an affirmative unlock press on the keyfob and not unlock based on the "presence" of the keyfob.

    I also wonder why they couldn't have some means of shutting off the radio in the keyfob so it didn't produce a signal that could be relayed to the car. Maybe a motion sensor in the keyfob that when it wasn't moved for a period of time would shut off its radio completely until enough movement woke it up.

    1. Re:Add a secure lock mode by Anonymous Coward · · Score: 0

      Your point about "secure lock mode" makes sense in a duct-tape way. But the bigger picture, physical vs wireless key has obvious utility. But proximity-based/hands-free unlocking?

      What's next, computer switches off porn when girl friend is within range? A couple of years later, women will regularly amass huge RF amplifiers and screw with you from a great distance..

    2. Re:Add a secure lock mode by thegarbz · · Score: 1

      They could add a secure lock mode, where if you affirmatively press the lock button on the keyfob, the car will require an affirmative unlock press on the keyfob and not unlock based on the "presence" of the keyfob.

      Reminds me of a convertible we owned. One press on the key locked the car. A second press on the key locked the lock so you couldn't just reach over the window through the open roof and unlock the door.

    3. Re:Add a secure lock mode by Solandri · · Score: 1

      I also wonder why they couldn't have some means of shutting off the radio in the keyfob so it didn't produce a signal that could be relayed to the car.

      Because people are lazy and don't want to turn their wireless key off. They want it to just work without any user interaction. Well, this is what happens when you remove the user interaction. "It just works."

  15. IOW: Your garage door opener is more secure?!? by denis-The-menace · · Score: 1

    Years ago you could open your neighbour's garage door with a radio transceiver and a tape recorder. Today you can't because all of them use ROLLING CODES.

    Does this mean car FOBs don't use rolling codes?!?!

    --
    Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    1. Re:IOW: Your garage door opener is more secure?!? by Khyber · · Score: 1

      "Today you can't because all of them use ROLLING CODES."

      Wrong! Cars nowadays have the means to tune into the rolling code transmission (this is how newer cars have the ability to 'program' them with your garage door's rolling code, so you can open your garage door by pressing a button on your steering wheel or whenever the car detects it is getting near your home.)

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    2. Re:IOW: Your garage door opener is more secure?!? by Anonymous Coward · · Score: 1

      No, it means car manufacturers are idiots.

      The keyless entry things they're talking about are "proximity" detectors. The concept is simple - the car can detect the key is near and automatically unlock if it is. (Well, automatically unlock if the key is near and you press a button on the car.)

      The problem is that it detects that the key is "near" using (effectively) signal strength. So all an attacker needs to do is boost the range of the radio signal from the car to the key and, presto, the car decides the key is there and automatically unlocks. There's no way to fix this because it's a dumb idea. The only way to fix it would be to require the user to physically press the key to use it.

      But the key does need to be present. The attacker isn't duplicating the key, they're just extending the range so the car thinks the key is closer than it is.

    3. Re:IOW: Your garage door opener is more secure?!? by Anonymous Coward · · Score: 0

      Wouldn't that require pressing the association button in the radio receiver of the garage opener?

    4. Re:IOW: Your garage door opener is more secure?!? by Anonymous Coward · · Score: 0

      A remote is paired with the door opener, and assigned a separate rolling code sequence. It is similar to pairing your phone to your car using Bluetooth. So while your car can be programmed to open any door, that door needs to have gone through a pairing sequence that involves pressing a button on the opener and letting it shake hands with the remote.

    5. Re:IOW: Your garage door opener is more secure?!? by Khyber · · Score: 1

      Shake hands? This particular garage door opener was made in the late 80s. It's a dumb transmitter, no receiver inside it.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    6. Re:IOW: Your garage door opener is more secure?!? by Agripa · · Score: 1

      No, the key-fobs already use rolling codes to prevent replay attacks.

      The current problem is that it is possible to construct a two-way radio repeater to extend the distance over which the car can contact the key-fob. This same exploit can also be used against securely encrypted contactless money cards unless they require a PIN or other out of band authentication.

  16. So good my '82 UAZ is completely keyless... by fraxinus-tree · · Score: 3, Funny

    The doors never ever had locks (and even if they had, you can fold the tent without tools or access from the inside). It starts with a button on the dashboard.

    And then, you need to know how to drive it, be strong enough to actually do that, and a good reason to steal a pile of soviet-era rust. It is a very good city car.

  17. Re:We need to stop solving problems that don't exi by Anonymous Coward · · Score: 0

    Equally why do people care. You would be mad to drive around without full comprehensive insurance these days and if you have full comprehensive insurance with new for new, cost or even market value***, do you really care if your car is stolen? It'll be an inconvenience for a few days, sure, but you even get a car as part of your insurance these days...

    *** Maybe you should not have paid $60k for that car if its market value was going to drop to $25k 2 years later. That new leather smell... ;)

  18. Re:Insurance by pahles · · Score: 2

    Most cars in Europe are stick shift...

    --
    Sig?
  19. and if it happens to your rental discover will not by Joe_Dragon · · Score: 1

    and if it happens to your rental discover will not cover you. That will be 22K

    They may or may not have used a hack to take the car, but as a renter you will be on the hook if they fail to update their car software.

    http://elliott.org/should-i-ta...

  20. what about the speed pass. Free gas is nice! by Anonymous Coward · · Score: 0

    what about the speed pass. Free gas is nice! Too bad the lotto desk does not take it.

  21. Easy to detect, thwart, log and inform by Kevoco · · Score: 1

    Yes, correct. The simple fix here is to notice the delay in response from the vehicle's hail to the keyfob, and the keyfob's response. The amplification attack introduces a detectable latency in the keyfob's response due to the time required to process and relay the communication.

    I am embarrassed for the vehicle manufacturers that do not introduce a simple time-out for a keyfob response, and perhaps even introduce a check-engine-like vehicle app indicator for the driver to see that such an attack has been detected (plus where and when) and thwarted.

    1. Re:Easy to detect, thwart, log and inform by jenningsthecat · · Score: 1

      The amplification attack introduces a detectable latency in the keyfob's response due to the time required to process and relay the communication.

      That's only true if they are demodulating and remodulating the data. If they are simply up-converting / down-converting the RF signals using mixers and local oscillators, the additional latency probably isn't detectable without complex and expensive circuitry at the car end, and extremely consistent processing delays in the key itself.

      --
      'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
  22. Re:Insurance by vtcodger · · Score: 4, Funny

    But do not fear. For just $5USD a month, we can install a package on your vehicle that will detect the theft, drive the vehicle to the nearest police station, lock the doors, tune the radio to celinedion.24_7.com, and turn the volume up to 135dB. You can contact us at www.makethebastardspay.com

    --
    You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
  23. Incentive to improve security? by Knightman · · Score: 4, Insightful

    Do car makers really have good incentives to fix their security?

    Not really, since they can sell a new car paid by the insurance company when someone's car gets stolen. The only downside is negative reporting - but that can be fixed by massive ad-campaigns; just look at VAG, they are running ads like crazy in Europe right now, but they have dropped their tag-line "vorsprung durch technik" (lead by technology). I guess they don't want to use the new and improved tag-line "vorsprung durch betrug" (lead by cheating).

    The whole wireless key fob thing is a pure convenience thing that when it fails becomes extremely inconvenient because convenience is security's biggest enemy. I can't understand that people would accept that their car has no physical security to speak of since it is quite a huge investment for many people.

    The only mitigation I can think of if you still want the convenience of a wholly wireless key fob is that they introduce a check for max latency for the key-challenge response which is like 27 picoseconds(?) for a 4 meter radius not including the electronics internal response time. This means of course that the timing of the key exchange must be wholly deterministic.

    --
    --- Reality doesn't care about your opinions, it happens anyway and if you are in the way you'll get squished.
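The round-trip timing check discussed in the comments above (the response time-out, the objection about fob processing consistency, and the maximum-latency bound), together with the earlier point that rolling codes stop replay but not relay, as an added simulation that is not code from the thread, ADAC or any manufacturer. HMAC-SHA256 challenge-response stands in for whatever the fob really uses, and the class names, the 2 µs turnaround and the 50 ns relay delay are constructed assumptions.

```python
import hashlib
import hmac
import os

C = 299_792_458.0  # speed of light, m/s


def flight_time_s(distance_m: float) -> float:
    """Radio propagation time to a point distance_m away and back."""
    return 2.0 * distance_m / C


class Fob:
    """Hypothetical key fob: answers a challenge with a keyed MAC."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Car:
    """Hypothetical verifier: fresh challenge per attempt plus an RTT bound."""

    def __init__(self, key: bytes, radius_m: float,
                 turnaround_s: float, jitter_s: float):
        self._key = key
        self._challenge = None
        # Longest round trip an honest fob inside radius_m can produce:
        # flight time to the edge, nominal processing time, worst-case jitter.
        self.rtt_limit_s = flight_time_s(radius_m) + turnaround_s + jitter_s

    def challenge(self) -> bytes:
        self._challenge = os.urandom(16)
        return self._challenge

    def verify(self, response: bytes, rtt_s: float, enforce_rtt: bool) -> bool:
        if self._challenge is None:
            return False
        expected = hmac.new(self._key, self._challenge, hashlib.sha256).digest()
        self._challenge = None  # a challenge is valid for one attempt only
        if not hmac.compare_digest(expected, response):
            return False        # stale or forged response: replay fails here
        return (not enforce_rtt) or rtt_s <= self.rtt_limit_s


def attempt(car, fob, path_m, turnaround_s,
            relay_delay_s=0.0, enforce_rtt=True, replayed=None):
    """One unlock attempt.

    path_m is the total one-way radio path between car and fob, including
    any relay link; relay_delay_s is electronics delay added per direction.
    """
    ch = car.challenge()
    response = replayed if replayed is not None else fob.respond(ch)
    rtt = flight_time_s(path_m) + turnaround_s + 2.0 * relay_delay_s
    return car.verify(response, rtt, enforce_rtt)


def run_scenarios(jitter_s: float) -> dict:
    """Run four constructed cases with the given fob timing jitter allowance."""
    key = os.urandom(32)
    turnaround = 2e-6                 # constructed: 2 µs fob processing time
    fob = Fob(key)
    car = Car(key, radius_m=4.0, turnaround_s=turnaround, jitter_s=jitter_s)
    old = fob.respond(car.challenge())  # response captured from an earlier run
    return {
        "owner_at_1m": attempt(car, fob, 1.0, turnaround),
        "replayed_old_response": attempt(car, fob, 1.0, turnaround,
                                         replayed=old),
        # The relay passes a genuine, fresh response, so the MAC is valid.
        "relay_100m_no_rtt_check": attempt(car, fob, 100.0, turnaround,
                                           relay_delay_s=50e-9,
                                           enforce_rtt=False),
        "relay_100m_rtt_check": attempt(car, fob, 100.0, turnaround,
                                        relay_delay_s=50e-9),
    }


if __name__ == "__main__":
    print(f"round trip over a 4 m radius: {flight_time_s(4.0) * 1e9:.1f} ns")
    for jitter in (10e-9, 1e-6):
        print(f"jitter allowance {jitter * 1e9:.0f} ns:", run_scenarios(jitter))
```

With a 10 ns jitter allowance the relayed attempt is rejected; with a 1 µs allowance the same relay fits inside the slack and is accepted, which is why the fob's turnaround time has to be tightly bounded for the check to mean anything.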
  24. Re:Insurance by fraxinus-tree · · Score: 1

    For completeness, you can add an LPG system to the mix. But, boy, still don't leave it unattended here in Bulgaria.

  25. I hate it when . . . by msk · · Score: 1

    . . . my car starts in German.

  26. OK, can we stop calling them hackers? by bferrell1047 · · Score: 2

    Do you call the person who uses a slim-jim (not the meat sticks), lock picks or a slide hammer to steal your car a locksmith? No, we call them car thieves. Simple, plain ol' un-glamorous car thieves. It IS useful to know the car makers are so stupid as to make car entry systems as simple as this, BUT, this is NOT hacking. It is practice for breaking and entering.

  27. No tesla by WindBourne · · Score: 1

    At least so far, no Tesla. This is interesting considering that in 1.5 years they are expected to make a huge impact.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  28. keyless "comfort access" is dumb. by Anonymous Coward · · Score: 0

    Honestly, all these designs utterly suck and only exist for stupid reasons. yes it's Sooooooo hard to put a key in the ignition, I am guessing these same people complain that their 15" laptop is ungodly heavy and crushes them under the weight of having to carry it.

  29. Needs two factor authentication by marciot · · Score: 5, Funny

    This could be solved by two factor authentication. Not only would the key fob transmit a radio signal, but you would also need a metallic dongle with uniquely coded grooves that when inserted into a specialized slot would engage a mechanical door release mechanism.

    1. Re:Needs two factor authentication by Anonymous Coward · · Score: 0

      Shocking no one has thought of this already!

    2. Re:Needs two factor authentication by Anonymous Coward · · Score: 0

      you would also need a metallic dongle with uniquely coded grooves that when inserted into a specialized slot would engage a mechanical door release mechanism.

      Holy shit, you're a genius! Why didn't auto makers ever think of using something like that? Makes the whole system so much more secure.

  30. Auto systems security is terrible by burtosis · · Score: 2

    Many of these manufacturers plan on creating autonomous vehicles as well. Yet they DGAF about security, sometimes on this embarrassing of a level. I'm eager to see how that plays out, except perhaps for the inevitable deaths.

  31. Re:We need to stop solving problems that don't exi by Anonymous Coward · · Score: 0

    That is EXACTLY what the thieves are saying. You can't imagine how convenient it is to not have to smash windows, use slim jims, figure out some hack around the computer security, etc. It is SO much more convenient to just walk up to the car with this pringles can looking thing and just open the door and drive away. Technology is the best!

  32. Re:Insurance by DrXym · · Score: 1

    Automatic vehicles exist but not in significant numbers. Companies like Hertz laugh their asses off by hiring them out to US visitors for a small fortune.

  33. Re:We need to stop solving problems that don't exi by Anonymous Coward · · Score: 0

    I can go days without ever taking my keys out of my coat pocket.

    Longer if somebody steals your car.

  34. That'll teach you by kheldan · · Score: 1

    That'll teach you to buy a car that doesn't use a plain-old physical key you insert into a lock.

    While I'm on the subject, any car that has any sort of wireless systems built into it needs to have a hardwired switch you use to turn OFF the transceivers completely, so the car is isolated and can't be hacked into wirelessly.

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
  35. Re:Insurance by Grishnakh · · Score: 1

    Most cars in Europe are stick shift...

    I thought Europeans were more interested in fuel economy, since fuel taxes are so high there. Automatics get better fuel economy than manuals in all new cars now.

  36. Re:Insurance by Anonymous Coward · · Score: 0

    Just place a hidden switch that cuts power, which also prevents the battery from being drained.

  37. My Nissan by Tighe_L · · Score: 1

    Only has physical locks. #Baseline.

  38. Nope by dlenmn · · Score: 1

    Automatics get better fuel economy than manuals in all new cars now.

    Sounds good. The only problem: it's not true. Granted, the efficiency of non-manual transmissions (traditional automatics, CVTs, automated manual transmission, etc.) has improved greatly, and in some cases it's better than manual transmissions, but from what I've seen from shopping for small cars, manual transmissions are still a bit more fuel efficient on average.

    I won't post a ton of links, but your statement only requires a single counterexample to disprove, so here's one: the Hyundai Accent.

    1. Re: Nope by Type44Q · · Score: 1

      but from what I've seen from shopping for small cars, manual transmissions are still a bit more fuel efficient on average.

      You're misinterpreting the data; you're seeing manual transmissions on smaller, more fuel-efficient cars [that typically ship with manual transmissions]... but they're not more fuel efficient because they're manual...

    2. Re: Nope by TemporalBeing · · Score: 1

      but from what I've seen from shopping for small cars, manual transmissions are still a bit more fuel efficient on average.

      You're misinterpreting the data; you're seeing manual transmissions on smaller, more fuel-efficient cars [that typically ship with manual transmissions]... but they're not more fuel efficient because they're manual...

      Fuel efficiency of a manual transmission primarily depends on the driver's ability to use the manual transmission. The reason why a manual transmission will always be more efficient than an automatic transmission (until we have a fully autonomous vehicle that can do the same thing) is that a driver brings a situational awareness to the use of gearing that an automatic transmission has no ability to account for.

      For instance, automatic transmissions do not gear down (engine brake) when going down a hill; nor do they choose gearing based on what is about to happen - they're always reactive, not proactive. An autonomous vehicle that takes the same data into account could probably achieve the same efficiency.

      As to CVTs and the like... they have some major faults (such as not being able to do engine braking going down a steep incline) that also keep them from really being more efficient even if they can be more efficient in some scenarios.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    3. Re: Nope by Anonymous Coward · · Score: 0

      I would say that someone adept at shifting can do excellent fuel mileage, but in general, most people are not going to beat an automatic. It always is amusing to see people fumbling for a few seconds trying to get off a light, or even worse, roll back.

      Even the SMART car's AMT (basically a manual transmission that a computer shifts) will beat 95% of people on the road when shifting.

    4. Re: Nope by Grishnakh · · Score: 1

      Completely wrong.

      First off, automatics DO engine brake downhill. My Mazda does. It sounds like you haven't driven an automatic in over a decade.

      But your biggest flaw is assuming that automatics and manuals have identical mechanics, and identical gear ratios. If you were comparing a manual transmission to an automated manual transmission (and I don't mean a DSG, because the mechanics are different, I mean a real manual transmission with the shifter and clutch operated by solenoids instead of a human), you might be correct, IF you were using an expert driver as the human.

      But this is not the case. Automatics are very different from manuals. The biggest difference is that the gear ratios are entirely different. Manuals have shorter gears, automatics have taller gears. This makes a huge difference in highway fuel economy, because the automatic can drive around at almost lugging rpms, while the manual is buzzing at 1000rpm or more higher at all times. The automatic can get away with higher overdrive gears because it takes milliseconds to downshift when necessary, whereas a manual car can't count on the driver to do the right thing and manual drivers tend to hold gears a lot because shifting takes a lot of time and is extra effort. Also, manual drivers these days seem to only care about performance, not fuel economy, so carmakers have set the gear ratios accordingly.

      Being able to choose a gear proactively doesn't make enough of a difference to make up for all this.

      In addition, in many cars, automatics simply have more gears available to choose from. I've never heard of an 8-speed manual in a car, but 8-speed automatics are getting to be common.

    5. Re: Nope by KGIII · · Score: 1

      This is not necessarily true. Sorry to pick on you but, you know... I've a whole slew of posts and pictures and discussions about automotive related things. I believe that makes me able to skip the novella. But, if you want a novella, I can do that. ;-)

      The gist of what said novella would say is that I have taken the same model year - and have done so with recent automobiles, and consumed less fuel in a manual. I did the driving for both. Both were on the same route. Both were at nearly same temps. Both had tires inflated to proper levels. No alterations were made.

      Disclosure: Err... I had to make multiple runs with the manual in order to get it below the consumption level of an automatic. Today's automatics are really much more efficient than they used to be.

      --
      "So long and thanks for all the fish."
    6. Re: Nope by KGIII · · Score: 1

      It appears you've not driven a manual in a lot of years. You somehow managed to be both right and wrong - at the same time. I'm not quite sure how you did that.

      The gist of it is this, both have come a long ways. It's actually difficult for me, using the same vehicle model, to get much of a difference from a manual vs an automatic. Yup. However, it's easy to find a six speed. Some manuals actually have some variability in them, depending on how much you want to spend.

      I am probably the closest thing to an "expert" driver here on this board. (Don't let that harm anyone's ego - I've spent a lot of money, time, and dedication for this.)

      To give an example, I've always wanted to be the driver in automobile commercials. Yes, yes I know how odd that sounds. I think it would be awesome - you might not realize the skill that goes into that. I've taken lots of in-class lessons in order to go hit the track. I took almost a week's worth of lessons before hiring a coach and spending another week doing nothing but laps at Nurburgring. The coach, a nice lady, even let me quasi-rent her car (a very nice Benz) but would not sell it.

      So, somehow you're both right and wrong at the same time. I suspect you haven't gotten into a manual drive vehicle in a while either. It's not your granddaddy's "three on the tree." Then, if you want to get into larger vehicles - we're talking gears as high as 18 being standard though some go even higher. I think the most I've personally driven was 24 gears. I believe there are more. I've not personally encountered them so I won't swear to it. I do have a Subaru with a CVT that's nice. I hardly ever drive it. It seemed like a good idea at the time but every time I drive it, it makes me feel like I'm an Angry Woman from Vermont.

      It also brings back memories of my youth. My youth where I owned a Subaru and was stupid enough to put my fucking name on my license plate. Yup. I am retarded. Man, I got caught for *everything.* It took me longer than it should to figure out why I kept getting caught. Tough cars though, but I digress.

      --
      "So long and thanks for all the fish."
    7. Re: Nope by pixelpusher220 · · Score: 1

      Your points are valid, but possibly outdated. Manuals *mostly* had 4-5 forward gears. Autos had 3. Today autos have upwards of 8 gears. That alone will give autos an advantage. CVTs as you said get the 'perfect' gear all the time (with massive sacrifice of performance and feel).

      My current CVT (2012 Insight) has lower gear settings so it can be used for engine braking of at least a limited ability.

      Driver ability is definitely in the mix, but tech is on the way to surpassing it.

      --
      People in cars cause accidents....accidents in cars cause people :-D
    8. Re: Nope by Grishnakh · · Score: 1

      You've somehow managed to go on a long rant and tell me I'm "both right and wrong" but neglected to provide any kind of specifics or supporting evidence.

      If it takes an expert driver who's driven around the Nurburgring many times to get equivalent fuel economy in a manual, then in the real world, it's not equivalent, because almost no one is an expert driver. I have driven modern manuals, both 5 and 6-speed, and I've driven 18-wheelers (in a parking lot). 18-wheelers aren't remotely comparable; they're far heavier than any car, and they're powered by large diesel engines because of the torque needed for that kind of load and performance. The first 6 speeds in an 18-speed truck aren't even used most of the time, they're a special low range. Anyway, what works in a 3000-pound gasoline-powered car isn't going to apply to an 80,000 pound diesel-powered truck.

      It's really not that complicated: when you combine lower overall gear ratios and fewer forward speeds (usually 6 in any decent car now), to higher overall gear ratios and as many or more forward speeds (6-8), the latter is going to have better fuel economy, particularly on the highway due to the taller gearing.

    9. Re: Nope by KGIII · · Score: 1

      Which is much my point. You'd said this:

      The automatic can get away with higher overdrive gears because it takes milliseconds to downshift when necessary, whereas a manual car can't count on the driver to do the right thing and manual drivers tend to hold gears a lot because shifting takes a lot of time and is extra effort. Also, manual drivers these days seem to only care about performance, not fuel economy, so carmakers have set the gear ratios accordingly.

      In order, there are multiple manual transmissions that have more than four or five gears. A good driver can shift gears almost instantly (with little/no clutch use). You can't count on the driver to do the right thing in an automatic either. I can regularly exceed expected results based on driving habits - in an automatic. The last sentence is a bit silly and akin to saying all black people seem to steal.

      So, you weren't *that* wrong - just some niggling details. Otherwise, I'd have not said both right and wrong at the same time. I'd have just said wrong.

      As an aside, and perhaps some food for thought, will there be any benefit to having manual shift in an EV? I should think there might be but it'd be very limited use.

      --
      "So long and thanks for all the fish."
    10. Re: Nope by Anonymous Coward · · Score: 0

      Disclosure: Err... I had to make multiple runs with the manual in order to get it below the consumption level of an automatic. Today's automatics are really much more efficient than they used to be.

      Thereby destroying your own argument. By sheer chance, you might manage that in an incident or two, regardless of your driving.

      To get it regular and consistent, that would be a challenge.

      In any case, GP above, is citing a 1 MPG benchmark out of a standard process, which is necessarily abbreviated. The EPA standard is useful in that it's supposed to be the SAME (though as we all know with the VW affair, that can't be given), but it's not necessarily applicable to your own usage.

    11. Re: Nope by KGIII · · Score: 1

      No, you misunderstand. I should have probably been more clear but I assumed it was easy to figure out from the context. Once I achieve that point, I'm good to go. Once I start beating the automatic transmission then it remains that way, almost invariably, so long as I am mindful to drive appropriately. Each manual transmission, even from the OEM, seems to be marginally different than others - some are drastically so. Once I've dialed that transmission in, I can exceed the automatic most every time.

      That also includes where I've taken the time to try it in the same model with the same engine, in the same conditions, but having an automatic transmission. Once I've got the manual and characteristics figured out (and that takes a few runs sometimes) there's a growing difference with the normally associated law of diminishing returns.

      I suppose I could have included that but my goal was brevity and I thought it obvious. I'm a bit busy on a project. It is an in-browser project so Slashdot is open in a tab of its own.

      --
      "So long and thanks for all the fish."
    12. Re: Nope by Grishnakh · · Score: 1

      No, a good driver can't shift that fast, at least not as fast as a DSG. Those shift in milliseconds. Humans can't move that fast. There's a reason race cars moved to those.

      As for counting on the driver in an automatic to do the right thing, it's a lot easier there because they don't need to change gears, they let the car do it automatically. There are some things they can do to eke out more economy (or waste fuel conversely), but it's a lot less than with a stick.

      For EVs, no. Having a transmission in an EV is nonsensical; just look at Teslas. Transmissions rob power, so the only reason they're used is because ICE engines have narrow powerbands and make peak torque at high speeds. Electric motors make peak torque at stall and have wider powerbands and can be sized for the speed range of a car so they don't need a transmission at all, though they probably do need a reduction gear (as the Tesla has).

    13. Re: Nope by Anonymous Coward · · Score: 0

      No, you misunderstand.

      I don't see how I misunderstood you, your response doesn't quite track with any such misunderstanding. Did you misunderstand me?

      As I said, by sheer chance you (or any hypothetical driver) might manage to use less gas regardless of their own driving, all it might take is a good wind in the right place. I don't see you arguing this (though you may have misapprehended my reasons for mentioning it, which was to point out that things happen without deliberate action causing them), so moving on, I also said it is somewhat of a challenge to get it regular and consistent, and you do say you had to take time to figure out the transmissions, so I think that remark is validated. You're not arguing it. You're just saying it again.

      Is there some misunderstanding slipping through there? I can't quite see one.

      Then my last bit was about the GP above, citing a standard process by the EPA, that is not necessarily applicable to your own usage. Do you find something objectionable to that? Can you say where I misunderstood you?

      Now I suppose by being brief, you have left out some things, but then, such could be said about me. Anyway, I hardly expected you to show me a long and dedicated series of test runs in a variety of varying conditions to demonstrate your contention, let alone your margin of accomplishment, or even more importantly, perhaps, the degree of concentration and effort required. That latter would be important, I think, as it would then be measured against your attentiveness to other concerns of driving.

      But to be honest, it'd be a futile effort, as I think it would have little net result on the overall picture of driving across the world, so it's really more your own idiosyncratic preferences. I suppose were I to be say, a NASCAR driver seeking to win the right race, I might care about a fuel mileage strategy, but then as Kyle Busch learned this weekend, sometimes a tire blows, and the fuel you saved doesn't help you win. Twice. Chance happens.

      No, if I were concerned in the business of increasing fuel efficiency, I'd probably direct my efforts elsewhere. A couple of hundred pounds out of vehicles, or my current preference to ponder, a small electric motor added to IC vehicles that could recognize when you're in say, a holding pattern and don't need your engine running, but may want to travel at slow speed, or even get up to speed quickly.

      Or we could just implement the Navitron Autodrive for everybody, and slack off anyway.

    14. Re: Nope by TemporalBeing · · Score: 1

      Your points are valid, but possibly outdated. Manuals *mostly* had 4-5 forward gears. Autos had 3. Today autos have upwards of 8 gears. That alone will give autos an advantage. CVTs as you said get the 'perfect' gear all the time (with massive sacrifice of performance and feel).

      Issue is not how many gears or how fast the change can be made, the issue is the additional information available and ability to use that intelligence that makes the difference.

      I've driven both. I presently drive a 2005 Mazda3 with a 5-speed, and we have a 2010 Grand Caravan with an automatic and gear selector (select maximum gear). I can consistently get better gas mileage on the Grand Caravan by limiting the maximum gear versus just letting it do its thing. This kind of matches what the EPA says about mileage too - manuals tend to get 1-2 MPG better than automatics.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    15. Re: Nope by TemporalBeing · · Score: 1

      Completely wrong.

      First off, automatics DO engine brake downhill. My Mazda does. It sounds like you haven't driven an automatic in over a decade.

      I drive a manual (2005) and an automatic (2010) on a regular basis. An automatic does not engine brake the same way a manual does; nor does it have any kind of situational awareness. It does not engine brake b/c it *knows* it is going down hill (like you do with a manual); it does it because you're not adding gas and the hill isn't enough to overcome the drag on the gear. It doesn't *know* that traffic is slowing so gearing down before the brake gets hit is good.

      But your biggest flaw is assuming that automatics and manuals have identical mechanics, and identical gear ratios.

      That actually doesn't matter for my point. You can have as many gears as you like in either and you'll still do better with the situational awareness that the driver brings to selecting the gear to use. This is why I said that an AI coupled with an AT can do better, but we're still 5-10 years from those really doing it well; current driver AI's are generally experimental but getting better - and there's only a couple that are good enough to manage the road.

      I've never heard of an 8-speed manual in a car, but 8-speed automatics are getting to be common.

      Obviously you're not aware of many sports cars which even the manuals can have 8 or 9 gears. My Mazda3 only has 5; the 2006 has 6 (the 5 really could have used the 6th gear to help keep the optimal RPM at highway speed), and newer models may even have 7 - and that's the *low* end of the market. Pick up something higher up and you'll easily find 8 or 9 gears in a manual.

      But that's beside the point because while gear count does have some impact, the primary impact is still the intelligence and situational awareness the driver brings - even an AI driver - which is why a manual will always win over an automatic.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    16. Re: Nope by Type44Q · · Score: 1

      Sorry to pick on you but, you know...

      The day I can't handle it is the day you need to take my 12ga and shoot me with it. Oh... and automatic transmissions fucking suck (speaking as someone who often gets over 25mpg highway... in an eight-person 6,600lb vehicle with a six-speed automatic)

    17. Re: Nope by KGIII · · Score: 1

      I really, really prefer a manual. Even if it were worse for efficiency, I'd prefer a manual. I can see a hill coming. I know what my load is. I know what my goal is. I know what the driving conditions are. Those are just a few things that an automatic can not account for.

      I've not really kept up as well as I should have but, starting in the 80s and then into the 90s, they were working on adaptive automatic transmissions that would adjust, and set memories, according to the individual driving styles. So, not only did you have profiles available but it would develop a profile for you and would learn to shift according to your driving style.

      I'm not sure what's come of that. I don't think I've heard it referenced in a long time. Whilst I am into automotive things, I am not an encyclopedia nor do I make an effort to know/remember everything. As I do not prefer automatic transmissions, I've not paid much attention to them. I remember them being fairly heavily discussed in Automobile, Car and Driver, and Road & Track. (All great magazines, by the way.) I want to say that the Dodge Neon, one of the variations on that, came with such an option but I don't think it was limited to just Dodge/Chrysler/Plymouth.

      I've driven a few cars with a CVT. I've yet to be impressed with them, for the most part. I've driven a lot of them and I've only moderately liked it in the A6, WRX, Maxima. The rest that I've tried (probably about another half-dozen via rentals or friends/acquaintances) did not impress me. They do seem to have one marginal advantage, if it can be considered so, in that I noticed they've all been pretty good at reducing wheel spin during heavy acceleration. Except, in most cases, I don't think that was actually the desired outcome. ;-)

      --
      "So long and thanks for all the fish."
  39. Re:Insurance by Anonymous Coward · · Score: 0

    BS

  40. Re:We need to stop solving problems that don't exi by gstoddart · · Score: 1

    LOL, hmmm ... I wonder if the rental Jetta I just had opened the doors as well with that thing.

    I'll feel like a right fool if I could have just walked up to it and opened the door instead of pulling out the fob to open the doors and then putting it back in my pocket before I got in.

    Because that struck me as kind of a waste of time.

    I was so baffled when I first couldn't figure out where to put the key to start the car it never even occurred to me it opened the doors as well. I spent over 5 minutes trying to figure out where to put the key (yes, I'm special like that).

    Which is the problem with rental cars, by the time you figure out some of the seemingly simple things it's time to return the car. I once had to pull out the manual to figure out how to put in the gas nozzle in some Fiat thingy I'd rented, and even with the manual I found myself thinking "why the hell is this step necessary?"

    --
    Lost at C:>. Found at C.
  41. Re:We need to stop solving problems that don't exi by thegarbz · · Score: 1

    Our lives aren't significantly enhanced by wireless keys. Are they?

    Oh yes they are. Have you not heard of the Heisenberg Shopping Principle? The one that states the key to your car is always in the pocket of the hand most heavily loaded with shopping bags?

    Actually funny side story I lost my keys once. I was about to go back up to my apartment and check there but then I thought I'll see what happens if I push the start button, and sure enough the keys were under my car seat.

  42. Re: Insurance by Type44Q · · Score: 1

    Are you aware of how many European models are no longer available with a manual transmission even as an option?

  43. Re:We need to stop solving problems that don't exi by gnupun · · Score: 1

    you can't imagine how convenient it is to just walk up to locked car, open the door and drive away without digging out a ring of keys.

    Wouldn't it be even more convenient if the doors had no locks at all? No need to worry about keys at all. The point of security and keys is to trade convenience for security... more the security, higher the inconvenience.

    BTW, if you're at a gas station and outside the car but close enough for the car to detect the key, wouldn't this be enough for a thief to enter the car and drive away?

  44. back in the days security was pathetic by k6mfw · · Score: 1

    That is in 1960s/1970s can easily use a slim-jim or a coat hanger (bent with small hook), stick inside door at window line, push down and up until the hook grabs the mechanism and the door lock button pops up. I remember when a friend left keys in car, called a locksmith and arrived on scene, 5 seconds later unlocked the car with a slim-jim. His reaction, "well why in the hell even lock the car in the first place!!!" Then can easily hot wire the car by reaching under and digging up the wires. For column keys, stick a heavy-duty tool and simply force it to start position.

    Then later cars not so easy to steal. Protective mechanisms around door locks, column locks with more theft prevention measures, and car alarms. A side problem is increase in car jackings as need to force owner after they started the car. There is also "smash and grab" car burglaries that increased a lot in recent years as they are fast and police no longer respond (not that they can do much after the fact).

    Sounds like back to the future where cars are now easily steal-able. Now what was that trick Biff used to make it so he is the only one that can start his car?

    --
    mfwright@batnet.com
  45. tin foil time by hackertourist · · Score: 1

    So, to defeat this attack, keep the key in a Faraday cage.
    Maybe inside my foil-lined wallet next to my NFC cards, then.

  46. Re:Insurance by TechyImmigrant · · Score: 1

    Automatic vehicles exist but not in significant numbers. Companies like Hertz laugh their asses off by hiring them out to US visitors for a small fortune.

    I'm British but live in the US with a US driving license. When I go to Europe and rent from Hertz, they will bump me over to an automatic, assuming I made a mistake when I asked for a manual. So they aren't getting any more money out of me, but they do get to give me horrible cars.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  47. I don't see any VOLVO X90 in your list by Anonymous Coward · · Score: 0

    (grin) :-D

  48. Re:We need to stop solving problems that don't exi by Macdude · · Score: 1

    All security is inconvenient. If it's convenient it's not secure. It's really convenient to leave your front door open so that you can just walk in, it's not very secure.

    Security is a trade off, you balance your convenience with your security at whatever point you feel comfortable. Does the convenience of using just a fingerprint to access your phone justify the level of security it offers? If so then use it. If not, don't. You don't get to complain that your convenient security didn't turn out to be very secure.

    --
    "Grab them by the pussy" -- President of the United States of America
  49. Re:We need to stop solving problems that don't exi by Anonymous Coward · · Score: 0

    Most cars with these systems have positional keys. They can open the doors while you're standing nearby, but they can't start the car unless the key is inside.

  50. NO LINKS TO WIRED.COM! by Mike+Van+Pelt · · Score: 1

    Wired.com will not permit access unless your web browser will run every script that every malware distributor who buys ads on every one of the ad server companies they use. Oh HELL no! I do not block ads. I do run NoScript, though. I would enable wired.com, but I'm not going to blanket allow all the malware-distributing ad servers.

  51. Happened to a co-worker by TigerPlish · · Score: 1

    Lexus of some sort, it was a car, not an RX wagon.

    Parked at McDonald's in Miami, a white van pulls up, not a minute later a guy from the van pops the door with his hand and just drives away. Security camera recorded it.

    Car was found later, no signs of forced entry.

    --
    The "Civilized World" jumped the shark ca. 1973.
  52. Re:We need to stop solving problems that don't exi by Anonymous Coward · · Score: 0

    you can't imagine how convenient it is to just walk up to locked car, open the door and drive away without digging out a ring of keys.

    Wouldn't it be even more convenient if the doors had no locks at all? No need to worry about keys at all. The point of security and keys is to trade convenience for security... more the security, higher the inconvenience.

    BTW, if you're at a gas station and outside the car but close enough for the car to detect the key, wouldn't this be enough for a thief to enter the car and drive away?

    Every car I've had with this functionality can tell if the fob is inside the car or not. So no, you can't just hop in the car with the fob in the user's pocket outside the car and drive away.

  53. Re:Insurance by barc0001 · · Score: 1

    You don't even need to get that deep. I used to have a car that was sadly very easy to steal, you could use a screwdriver to start it. So after it got stolen once, when I got it back I got into the habit of pulling the coil wire out and taking it with me for the night when I got home. 2 times I came downstairs to find the ignition in the 'on' position, but the car was not moved. Car thieves aren't generally going to stick around to try and diagnose the car they're trying to steal if it doesn't start in 10 seconds of cranking, so popping a coil wire off in 5 seconds is a quick and easy way to safeguard your car against 99.9999% of the thieves out there.

  54. Re:and if it happens to your rental discover will by Anonymous Coward · · Score: 0

    And why should they? They only cover for collision according to the story..

  55. Re:We need to stop solving problems that don't exi by Bing+Tsher+E · · Score: 1

    I'm the same. My keys are kept on a spring coil of wire, commonly referred to as a key ring.

    Also, my vehicle is old enough (one of the last of the line, actually) to have just a regular key with nothing electronic about it. A duplicate key costs about $1.75. It's underpowered and plain looking enough ('stripped' is what car fanatics call it) that nobody is likely to steal it.

  56. Re:Insurance by goose-incarnated · · Score: 1

    You don't even need to get that deep. I used to have a car that was sadly very easy to steal, you could use a screwdriver to start it. So after it got stolen once, when I got it back I got into the habit of pulling the coil wire out and taking it with me for the night when I got home. 2 times I came downstairs to find the ignition in the 'on' position, but the car was not moved. Car thieves aren't generally going to stick around to try and diagnose the car they're trying to steal if it doesn't start in 10 seconds of cranking, so popping a coil wire off in 5 seconds is a quick and easy way to safeguard your car against 99.9999% of the thieves out there.

    Until recently I'd just pull the distributor rotor off, it's small enough to fit in my pocket with my keys so I can do it when going out as well as overnight at home.

    --
    I'm a minority race. Save your vitriol for white people.
  57. Re: Insurance by DrXym · · Score: 1

    Not many I would expect. Most vehicles come in 2 or 3 trim levels and have automatic as an option which adds upwards of €1200 / £1000 to the price. So manual gears would still be the main seller, probably selling 5 for every 1 automatic. In addition, if you sit your driving test in an automatic then in some EU countries your license only covers you to drive automatic cars. So there is a tendency in legislation and price to favour manuals.

    I'm sure automatics are more popular in certain niches. Some electric vehicles are entirely automatic so perhaps the future will see manuals disappear. Personally I don't mind driving automatic or manual.

  58. Re:Insurance by nukenerd · · Score: 1

    You don't even need to get that deep. .... I got into the habit of pulling the coil wire out ... Car thieves aren't generally going to stick around it doesn't start in 10 seconds of cranking

    You don't even need to go that deep (... under the hood; I would not fancy pulling the coil wire off in my best suit.)

    I added a key switch inside the car that cuts the power to the starter motor relay. Car thieves are even more discouraged if the car does not even crank.

  59. more convenient than I thought, hands full of baby by raymorris · · Score: 1

    > WTF, are people incapable of pushing a button on their fob any more?

    I would have said the same thing until I tried it. My latest car came with a proximity key. I've come to appreciate it, especially when my hands are full or it's raining.

    I need to have my car "key" (fob) on a keychain with two access cards, each credit card sized, so digging the whole thing out of my pocket is a bit of a hassle (the cards turn sideways and hang on the pocket). It's not something I would pay $300-$400 to add aftermarket, but it's a convenience. Avoiding digging out the wad of a keychain and trying to find the right button in the dark also helps when I'm trying to be smooth on date night. :)

  60. Re:Insurance by pixelpusher220 · · Score: 1

    They used to religiously turn off the engine even at stop lights. (cue arguments about starter wear n tear) but that's the mantra - now I haven't been across the pond in years but my experience in multiple Euro countries was basically this.

    So while automatics might get better mileage it's only if all cars are running the entire time, and manuals lots of time aren't running the same amount of time.

    If your gas cost 8-10x US prices, you might too....

    --
    People in cars cause accidents....accidents in cars cause people :-D
  61. Re:We need to stop solving problems that don't exi by imboboage0 · · Score: 1

    No, couldn't tell you exactly how they triangulate it, but the cars with fobs are fairly intelligent about whether or not the key is actually IN the car vs. just outside the car.

    --
    Honesty may be the best policy, but by process of elimination, dishonesty is the second best policy.
  62. Re:Insurance by Grishnakh · · Score: 1

    These days, a lot of new cars have stop-start technology (they automatically shut down at stoplights, and restart when you step on the gas).

  63. Re:We need to stop solving problems that don't exi by imboboage0 · · Score: 1

    I've been an auto tech for six years and have had this happen exactly on a couple occasions - "It must be in here, the car turns on." Saved me looking all over the shop, but didn't keep me from having to pull the center console to get it out of the emergency brake.

    --
    Honesty may be the best policy, but by process of elimination, dishonesty is the second best policy.
  64. Re:Insurance by pixelpusher220 · · Score: 1

    yep, another reason that autos will start making the fuel economy gap smaller.

    --
    People in cars cause accidents....accidents in cars cause people :-D
  65. Re: Insurance by Anonymous Coward · · Score: 0

    I shopped around for a car recently and everything I looked at had manual as stock option and automatic costing around 1k Euro additionally.

    But I only really looked at cars costing less than 30k. In the higher price segments you are right some of the big SUVs like the Q7 are not available with manual. But these do not make up a majority on our roads, so "most cars are manual" is still true and at least in Germany almost everyone learns to drive on one.
    You are allowed to do your licence test on an automatic but then you get a notice in your licence that you are not allowed to drive manuals and very few people opt for that.

  66. Scare mongering. by Anonymous Coward · · Score: 0

    Yet another car hacking story. It is all done in a controlled setting by 'researchers'. I have yet to hear of a real world car theft using these stupid hacks.

  67. Re: Insurance by Anonymous Coward · · Score: 0

    That's only on a few niche models (e.g. hybrids). Mass-market models still come with manual gearboxes by default more or less universally.

  68. Re:Insurance by Anonymous Coward · · Score: 0

    There are very few current models where the automatic option has a better rated fuel economy than the same car with a standard gearbox. I am not aware of any.

  69. Re:Insurance by Anonymous Coward · · Score: 0

    Technically, they stop when you shift into neutral and they start again when you declutch in neutral.

  70. Bring back the Club by kmoser · · Score: 1

    The Club, and other physical devices, have always been and will always be a good belt and suspenders.

  71. Re:Insurance by vandamme · · Score: 1

    I've got no problem with a manual car, but shifting with my left hand gets me all dyslexic. Bad enough I have to drive on the wrong side.

  72. Re:Insurance by Anonymous Coward · · Score: 0

    Interesting reading, although the first article is cheating by calling DSGs automatics, while they are conceptually just clever automated manual gearboxes and most of the second article is really not applicable outside of North America (where automatics are very common).

    However, I still haven't found a model where the automatic option gets better fuel economy in the official NEDC. I've looked at many common cars, but I haven't found any yet. Even DSG often uses slightly more fuel per 100km. In the end, that is not so surprising: even a perfect automatic or automated manual gearbox has to work with far less information than the driver has access to. It may gain a bit by reacting quicker and performing the shift quicker, but it will never know what the driver is going to do next.

  73. Re:Insurance by Grishnakh · · Score: 1

    They listed a bunch in there. Two I know of offhand are the Ford Focus and the Mazda3.

    No, DSGs do not use more fuel. Citation needed. You're just making things up to fit your bias.

  74. Re:Insurance by Anonymous Coward · · Score: 0

    They listed a bunch in there. Two I know of offhand are the Ford Focus and the Mazda3.

    From Ford's brochure (page 52):
    1.0 EcoBoost (125PS) 6-speed manual 4.7 L/100km combined
    1.0 EcoBoost (125PS) 6-speed auto 5.5 L/100km combined
    1.5 EcoBoost (150PS) 6-speed manual 5.5 L/100km combined
    1.5 EcoBoost (150PS) 6-speed auto 6.1 L/100km combined
    1.5 EcoBoost (182PS) 6-speed manual 5.5 L/100km combined
    1.5 EcoBoost (182PS) 6-speed auto 6.1 L/100km combined
    1.5 Duratorq TDCi (120PS) 6-speed manual 3.8 L/100km combined
    1.5 Duratorq TDCi (120PS) 6-speed auto (PowerShift) 4.2 L/100km combined
    2.0 Duratorq TDCi (150PS) 6-speed manual 4.0 L/100km combined
    2.0 Duratorq TDCi (150PS) 6-speed auto (PowerShift) 4.4 L/100km combined

    I'm just quoting the numbers for the hatchback, but it is the same picture for the estate. For all engines that are offered with an automatic gearbox option, the automatic consumes more fuel, typically around 10%.

    For the Mazda3:

    105PS SKYACTIV-D speed manual 3.8 L/100km combined
    105PS SKYACTIV-D speed automatic 4.4 L/100km combined
    120PS SKYACTIV speed manual 5.1 L/100km combined
    120PS SKYACTIV speed automatic 5.6 L/100km combined

    So those two cars apparently not, but I'd like to hear other examples.

    No, DSGs do not use more fuel. Citation needed.

    Here, for example, although apparently, there is no or a negligible difference with some of the petrol engines.

    You're just making things up to fit your bias.

    You made things up, I didn't. I merely pointed out that you were wrong (with references). And for the record, I rather like DSG, but I've never driven an automatic.

  75. Re:Insurance by TechyImmigrant · · Score: 1

    I've got no problem with a manual car, but shifting with my left hand gets me all dyslexic. Bad enough I have to drive on the wrong side.

    When I lived in the UK and was travelling to mainland Europe often on business, I got used to flipping back and forth. The most important thing being to pay a little conscious attention at junction so you know the right lane to aim for. If you are on mental autopilot it's easy to go to the wrong side. So you need to make it a conscious thing.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  76. Re:Insurance by Grishnakh · · Score: 1

    No, I'm not wrong:

    http://www.fueleconomy.gov/feg...

    For the 2.0 engine on the Focus, the manual gets 26/36, the AM-S6 auto gets 26/38, and the AM6 auto gets 27/40.

    http://www.fueleconomy.gov/feg...

    For the Fiesta, the manual gets 28/36, the auto gets 27/37.

    http://www.fueleconomy.gov/feg...

    For the Mustang, the 2.3L gets 22/31 with manual, 21/32 with auto. With the 3.7L V6, it gets 17/28 manual, 19/28 auto. With the 5.0L V8, it gets 15/25 manual, 16/25 auto.

    http://www.fueleconomy.gov/feg...

    For the Chevy Cruze, the manual gets 29/41 and the auto 30/42.

    http://www.fueleconomy.gov/feg...

    For the Camaro, the 2.0L turbo manual gets 21/30 and auto gets 22/31. On the 3.6L V6, the manual gets 18/27 and auto gets 19/28. On the 6.2L V8, the manual gets 16/25, and the auto gets 17/28.

    http://www.fueleconomy.gov/feg...

    For the Honda Civic 2.0L, the manual gets 26/38, the auto gets 30/41.

    http://www.fueleconomy.gov/feg...

    For the Subaru BRZ, the manual gets 22/30 and the auto gets 25/34.

    So yes, you're full of shit, and I've proven YOU wrong with references.

  77. Re:Insurance by Anonymous Coward · · Score: 0

    None of those are official UNECE NEDC numbers and they clearly contradict what manufacturers themselves state in their brochures and websites (which, by law, have to be NEDC results from tests performed by an independent third party). You may have a point that some automatics may perform better in some tests, but in the official test, none do, as far as I could find. Moreover, sites such as Spritmonitor and AutoWeek Verbruiksmonitor confirm that the automatic version of every car where the sample size is sufficient uses more fuel in actual driving than its manual counterpart.

  78. Re:Insurance by Grishnakh · · Score: 1

    I don't have any idea what the UNECE NEDC is. Those are the official mpg figures for US cars, and they're entirely valid in the USA, using a US testing regime.

  79. Re:Insurance by Anonymous Coward · · Score: 0

    The NEDC is the official test cycle used in Europe and many other countries to determine the fuel efficiency and emissions. Manufacturers are only allowed to report fuel efficiency measured in conforming tests performed by independent test agencies, in order for customers to be able to compare different cars easily. The USA probably has a different system, which will give different figures. I also wouldn't be surprised if American-market cars have different gearing because of different conditions and market preferences.

  80. Car hackers by Anonymous Coward · · Score: 0

    Very simple lads....wrap your key in a bit of tinfoil. Blocks the signal!!