How some thieves broke into my car and why you're vulnerable too
articulateventures.comMy car was parked at the grocery store during an electrical storm. Lighting hit nearby and my "keyless entry system" unlocked the doors. After that my key fob no longer opened the doors. In the next few weeks I noticed more odd behavior: My dad's key fob opened my doors, my sister's key fob opened my doors, and a couple of random stranger's key fobs opened my doors. I've had the dealership reset my security system three times now at $40 a pop, and it still don't work right. Great technology! I long for the days before keyless entry technology, when you had to use a key to open the doors.
Explain it?
Predictably, the car companies are stuck in the past. Much like GSM for your cell phone, keyless entry remotes are not secure and relied on security through obscurity.
The thieves simply have a small computer with an antenna that basically brute forces your keyless entry system.
It's like having 1000000 physical car keys in front of you and pushing the unlock button, key by key, until the door opens
It's aggravating, because even this kind of attack is easy to defend against. If the keyless entry system receives, say, five bad signals in a second, just go to sleep for five seconds. Makes brute force impractical.
The radio wave is sent from a remote to a surrounding area though.
IF many cars were on the same frequency, any time more than a few dozen people (think after sporting events) it could easily be possible that you'd get one of these delays; if you get it, and press it again you start the timer over for every car in your rf range.
Also, think of the issue @ the dealer.
Now, if two hashes were sent, the vehicle address and the next security hash, then this lockdown mode works.
This is easily (and almost certainly already) solved with pairing the key to the car, so that the car can safely ignore any unlock attempt by another (legitimate) key.
So I don't know much about either these keyless ignition systems or security and encryption, but is it really that simple? According to my not-super-legitimate internet source (http://auto.howstuffworks.com/remote-entry2.htm), typical remote entry keys work with at least 40 bit codes, and different car manufactures use different systems/#s of bits. In additon, since the codes are encrypted with different random #s every time, you can't just enumerate every possible combination.
The concept of brute forcing, and doing it successfully for many different cars in a short period of time, just doesn't pass the smell test for me.
It's been a long time since I worked building ECUs responsible for RKE (Remote Keyless Entry) and SKIM (Security Key IMmobilizer), but IIRC, only one of the three used ciphers and systems that I recognized (it was an RC4-derivative).
They all had features to disallow brute-forcing though. The RKE system would track the number of requests for each authenticated FOB. If the FOB had too many requests or had been pressed too many times (either the stored count or the sent count being off), various features would be frozen until the FOB was repaired (by synchronizing via insertion into the key cylinder and/or successfully starting the engine).
Nobody talked about how good the encryption was or wasn't. I wasn't doing cryptography and we were just given things to implement. The protocol also wasn't really up for discussion, as we were just implementing a spec given to us.
It doesn't surprise me to learn that you can break this. We noticed a bunch of vulnerabilities during validation that required some knowledge to expoit (implementation details that you'd have to gain via fuzzing).
Another scary part is how lax ECUs talking on the CAN bus were w/parsing network messages. I'd like the opportunity to spend some time attacking various controllers on common systems (does GM still use their Common Architecture? if so that'd be a gold mine), but I'm now in a different field without funding or resources.
Not sure if it was the case here, but apparently some cars can unlock automatically if the key is nearby.
To hack this, you only need a sensitive receiver that can retransmit the signal from the key, and you need two people, on in proximity to the key, and another nearby the car when it unlocks.
That's not really the case. Some of them unlock via low frequency RF, but to my knowledge they still use encryption that uses their button click count as one of the variables plus a shared secret.
Yes, but the point of this scheme is that the car "believes" the key is in close range. If that is enough to get it to open the car, the thieves don't have to break any encryption, they just need to relay the RF signal. The faulty assumption on the part of the car manufacturers is that "RF signal present" equals "keyfob nearby".
No system I've been exposed to was defeated by a simple replay attack. You needed the shared secret and the click count (plus proprietary algorithm), which would be incorporated into the OTA message. Most LF systems are pretty low-bandwidth as well, and lock out quite quickly.
To clarify, I'm not talking about a replay attack. It's a _relay_ attack where they use the RF signal transmitted by the actualy car/key, just over a bigger distance than you would normally expect.
I am very far from alarmed. Though I can think of all of the 'scary' doom scenarios that go along with this, I figured out a long time ago that even my normal barely-running vehicles could be broken into or worse. Any doom beyond that has chances that are more rare than hurting myself while getting into the same car. So I'm not going to worry about it.
I'll continue to take reasonable precautions (don't keep valuables in the vehicle, have insurance, look into the car at night since I rarely lock it, etc). And yes, I rarely lock the car. I figure that a broken window (what I figure is the most common entry) will hurt me more financially and cause more inconvenience than anything in the car.
Technically speaking, if people can get my credit card numbers, it is unsurprising that the door lock technology can be manipulated. Locks never keep the determined out, it merely forces them to work more creatively.
the idea that any car even could be safe from thieves is laughable. all the crypto in the world isn't going to stop someone from smashing your window with a crowbar. hell, in SF it's safer to leave your windows open and doors unlocked with nothing inside.
don't leave valuables in your car, and buy insurance against theft.
The point of the car alarms and crypto is to notify you if your car is broken into, that will act as a deterrent.
That aside, many car thieves will even steel airbags (very expensive), and you can't exactly go around dismantling and removing them every time you leave the car.
I'm gonna be that guy...
... maybe being able to unlock a car remotely is a bad idea.