Stealing a car that has wireless entry

I have not quite understood what the benefits are of wireless car entry and ignition. You still have to carry the key with you to enable the system to work, so the only advantage seems to be that you do not have to take it out of your pocket, which seems like a very minor benefit. However, I had a female friend who said she really liked it because she uses a handbag and finding and fishing a key out of it is not as simple as with a trouser pocket.

But these things have a downside, as with all things purely electronic: the signals can be stolen out of the air. In the video below, captured by security cameras, two criminals, clearly professionals, drive up to a car parked in a driveway in England and, in less than a minute, calmly manage to steal the codes from the key fob that is inside the house, get into the car, and drive off. The stolen car is a Mercedes-Benz, so I assume that the ignition system used is one of the best, though I am not sure whether these systems are encrypted or not.

Does this mean that in order to foil such theft one should keep the key in an aluminum pouch until one is ready to use it? That seems to be a bigger hassle than simply having to insert a physical key into the door and ignition.

  1. Johnny Vector says

    If only there were some way to prevent replay attacks. Some kind of shared secret and, I dunno, encryption?

  2. says

    All I can say is that it beats the crims having to break into your house and beat you up to hand over the keys like they would a decade ago.

  3. says
    However, I had a female friend who said she really liked it because she uses a handbag and finding and fishing a key out of it is not as simple as with a trouser pocket.

    Handbags generally come with a variety of pockets on the inside, and sometimes the outside. It’s really not difficult to find anything in one, unless you toss a fucktonne of stuff in and stir. Also, most clothing makers have now cottoned on to the fact that yes, women have uses for pockets too!

  4. says

    Johnny Vector@#2:
    If only there were some way to prevent replay attacks. Some kind of shared secret and, I dunno, encryption?

    I know this is going to sound silly, but: it’s a key management problem. And the car companies generally get that stuff wrong; they’re too busy trying to make sure that everything on the car bus doesn’t interfere with everything else -- which is downright scary. Some of the early designs for data-driven vehicle controls were really, really bad. I did some after action review for a car manufacturer that had a security problem and it turned out that the whole system was a great big problem (think: the throttle settings messages also were subject to replay attacks). That was 2001; I’m sure things are better, now. Right?

    As far as doing it right, they would need to have a reliable way to share a secret between the car’s computer and the fob. That’s pretty easy, you can do something like have the fob generate the secret, transmit it to the car and the car accepts it if the key is engaged in the ignition and you put it in 3rd gear and press the brake while the engine isn’t running. But one problem is that: dealers like to be able to sell replacement keys and fobs; there’s good money in that. So there is no incentive to solve the problem.

  5. Jenora Feuer says

    @Johnny Vector, Marcus Ranum:
    As I understand it, all of the modern wireless entry systems do already block the simplest kind of replay attacks, so somebody can’t just scan you as you open the car door and then replay that message to get into the car again. (Some of the earlier ones didn’t. There’s a reason that changed.) At the minimum, there’s a rolling code so the signal that works one time won’t work the next time.

    That said, it sounds like what they did here is had a system that acted like the car at first to ask the key for its response, probably multiple times to get some more data on the key’s internal state, then went back to the car and acted as the key. That’s not just a simple replay attack, that’s more of a man-in-the-middle attack with the two ends being handled separately. It requires more knowledge about how the communication is done.

    A good chunk of the problem is going to be that the security/convenience trade-off of a system like this for common use is going to lean heavily to the ‘convenience’ side. Sure, people will get upset about their cars being stolen, but they’ll also get upset if their keys don’t work, and there are a lot more opportunities for that to be a problem.

  6. EigenSprocketUK says

    Yes, this doesn’t look like a replay attack. My guess is it’s deceptively simple, but with sophisticated radio tech: passively retransmit the car to the key and the key to the car. Don’t MITM anything because the encryption will not (should not) allow it. In effect the key is no longer 30 feet away — it’s 30 inches away. Doors open, start engine, drive away.
    The car will eventually notice that the key is no longer inside, but by then you’re already driving it to the breaker’s yard.
    Just my theory.
    Temporary solution? Don’t keep your keys on the hallway table.
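The scenario Jenora Feuer and EigenSprocketUK describe, as an added simulation that is not any commenter's code or a real manufacturer's protocol: a random challenge answered with an HMAC over a shared secret defeats plain replay, but a relay that merely forwards traffic passes the crypto check unchanged, so the car needs a second check. Here it bounds the challenge-to-reply delay (a simple distance-bounding idea); the secret, the 50/20 microsecond delays and the 60 microsecond bound are constructed numbers.

```python
import hmac
import hashlib
import os

# Constructed demo values: a real car/fob pair provisions its secret at pairing,
# and a real round-trip bound would come from the radio's measured timing.
SHARED_SECRET = b"constructed-demo-secret"
MAX_RTT_US = 60.0  # longest challenge-to-reply delay the car accepts (microseconds)

def mac_for(secret: bytes, challenge: bytes) -> bytes:
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class Fob:
    """Genuine fob: answers a random challenge with an HMAC after a fixed compute time."""
    def __init__(self, secret: bytes, compute_us: float = 50.0):
        self.secret, self.compute_us = secret, compute_us

    def answer(self, challenge: bytes):
        return mac_for(self.secret, challenge), self.compute_us  # (mac, reply delay)

class Relay:
    """Two radios forwarding traffic unchanged: no key, so no forged MAC, only added delay."""
    def __init__(self, fob: Fob, hop_delay_us: float = 20.0):
        self.fob, self.hop_delay_us = fob, hop_delay_us

    def answer(self, challenge: bytes):
        mac, delay = self.fob.answer(challenge)  # challenge out to the house, reply back
        return mac, delay + 2 * self.hop_delay_us

class Car:
    def __init__(self, secret: bytes, enforce_rtt: bool):
        self.secret, self.enforce_rtt = secret, enforce_rtt

    def verify(self, challenge: bytes, mac: bytes, rtt_us: float) -> bool:
        if not hmac.compare_digest(mac_for(self.secret, challenge), mac):
            return False  # wrong secret, or an old reply offered to a new challenge
        return not self.enforce_rtt or rtt_us <= MAX_RTT_US

    def authenticate(self, endpoint) -> bool:
        challenge = os.urandom(16)  # fresh nonce each time, so a recorded reply is useless
        mac, rtt_us = endpoint.answer(challenge)
        return self.verify(challenge, mac, rtt_us)

def replay_attempt(car: Car, fob: Fob) -> bool:
    """Record one genuine reply, then offer it against a fresh challenge."""
    mac, rtt_us = fob.answer(os.urandom(16))
    return car.verify(os.urandom(16), mac, rtt_us)
```

With `enforce_rtt=False` the relayed reply is accepted because the MAC is genuine; with the bound enabled the same reply is rejected purely on timing, which is the property the crypto alone cannot provide.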

  7. Holms says

    It seems that the only reason those thieves were able to steal so easily comes from the ‘always on’ broadcast of the key fob.

  8. Dunc says

    I have not quite understood what the benefits are of wireless car entry and ignition.

    Future! Technology! Newer is better!

    This is also why the tech industry is full of people trying to figure out how to apply {$NEW_TECH_FAD} to {$UNRELATED_PROBLEM}.

  9. flex says

    Oddly enough, this is exactly the engineering work I’ve been doing for the past couple years. I’m not an expert, but I have experts who work for me.

    This is a known exploit, nothing really new to the engineers in the business. And it is known that there are black market devices which can be purchased to do exactly what the thieves did.

    However, the problem is not quite as bad as it seems.

    First, the FOB you carry in your pocket uses two different types of signals for different purposes. The typical FOB functions, like lock/unlock doors, panic, or remote start use a (typically) 434 MHz signal to transmit the desired function to the vehicle. There are some fairly simple security features to ensure that only your vehicle responds to these requests, but they are not particularly sophisticated because none of them allow the vehicle to be driven. Even remote starting the vehicle and unlocking the doors does not unlock the transmission and steering wheel, meaning that some other action must be taken to allow the vehicle to be driven.

    The authentication process, which does allow the vehicle to be driven uses a different method with a low-frequency signal, in the 150 kHz range. This signal is weak and typically you need to be either within the car or within 50 cm of the car (some models require -85 dBm, but in a typical household environment a meter is usually sufficient and 2 meters is more than enough.

    Like I wrote above, security can be improved and we’ve proposed various improvements. But there is a concern among the OEMs that additional security will also mean additional problems and complaints. This is a case where if there are half-a-dozen cars stolen each year it may be preferable to hundreds, or thousands, of customers complaining (and having parts replaced in warranty) because sometimes their FOBs don’t work like they expect. Additional security will increase the possibility that a FOB doesn’t operate properly in all situations. It is better to have a reliable system with weak security than an unreliable system with super security. At least I’m certain women who walk alone in parking garages would think so.

    Yes, cost is a factor. But it’s not the only one. Oddly enough, safety, functionality and reliability are also considered.

    Oh, and even cars with keys usually have a little transponder embedded in the key to help improve security. If you have an identical key, without the transponder, you can turn the ignition but the car will not start. This started in the late 1990s so even if you have a car with a key, you still are likely using an RF system for additional security.
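The "fairly simple security features" flex describes on the UHF button channel, and the rolling code Jenora Feuer mentions, as an added model that is not any commenter's code or a real OEM scheme: the car burns every counter it accepts, so a recorded press is rejected, and a resync window lets a fob that was pressed out of range still work. The keyed-MAC construction, the key and the window size of 16 are constructed; the window is where flex's security/reliability trade-off lives, since a smaller one means more "my FOB doesn't work" complaints.

```python
import hmac
import hashlib

WINDOW = 16  # constructed: how many unheard presses (fob used out of range) the car forgives

def rolling_code(key: bytes, counter: int) -> bytes:
    """Constructed model of a rolling code: a keyed MAC over the press counter, truncated."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]

class ButtonFob:
    """Fob side of the UHF button channel: every press sends (counter, code) and counts up."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self):
        self.counter += 1
        return self.counter, rolling_code(self.key, self.counter)

class VehicleReceiver:
    """Car side: accepts a code only if its counter is new and within the resync window."""
    def __init__(self, key: bytes, window: int = WINDOW):
        self.key, self.window, self.last = key, window, 0

    def accept(self, counter: int, code: bytes) -> bool:
        if not (self.last < counter <= self.last + self.window):
            return False  # already consumed (a recorded press) or too far ahead
        if not hmac.compare_digest(rolling_code(self.key, counter), code):
            return False
        self.last = counter  # every accepted counter is burned
        return True

def demo(window: int = WINDOW):
    """Returns (genuine, replay, resynced, lost): which of four presses the car accepts."""
    key = b"constructed-pairing-key"
    fob, car = ButtonFob(key), VehicleReceiver(key, window)
    genuine = car.accept(*fob.press())
    counter, code = fob.press()
    car.accept(counter, code)
    replay = car.accept(counter, code)      # the same frame offered a second time
    for _ in range(window - 1):              # presses the car never heard
        fob.press()
    resynced = car.accept(*fob.press())      # counter = last + window, still inside
    for _ in range(window):
        fob.press()
    lost = car.accept(*fob.press())          # counter = last + window + 1, outside
    return genuine, replay, resynced, lost
```

The last case is a legitimate owner locked out until the fob is re-paired: widen the window and that happens less often, at the cost of more counters an attacker could try.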

  10. flex says

    Hmm. I seem to have dropped a line somehow in my comment. At the end of the paragraph which begins “The authentication process”, after “models” I continued with the note that some vehicles require less than 20 cm of distance. And then with a new sentence I noted that while theoretically all you would need is a better antenna to get a greater distance, practically you need a noise floor of less than -85 dBm to pick up the LF signal at a range of greater than 2 meters. We do test these levels.

  11. Mano Singham says

    flex @#14,

    Thanks for that very informative comment. While I agree with you that “It is better to have a reliable system with weak security than an unreliable system with super security”, is that just a temporary trade-off until engineers can design a system that has both super security and reliability? Or are they intrinsically irreconcilable?

  12. flex says

    That depends on who you ask, and how you ask the question.

    With the current RF designs as you add security you will slow down the system. So there are some engineers who say that some improvements are possible but that a truly robust system will cause more problems than an end-user wants. (Who wants to wait even 5 seconds in the rain while their car decides it can unlock itself?) But there is no reason why the current designs need to be continued indefinitely. There will be incremental change in the designs to increase security, and there may be new designs which incorporate some of the security which has been developed from the computer security field. There is some cross-pollination there. The current RF designs were developed in the mid-2000s and probably won’t last another 10 years.

  13. Carl Fink says

    My wife and I have cars with keyless ignitions. I like it, but admittedly it’s as much for the novelty as the convenience. Without knowing much about the security behind these systems, I’ve always just assumed the car’s manufacturers know what they’re doing. Quite possibly that’s just naïvety on my part.

    While my car was in the shop recently, I had to borrow my mother’s car. Her car has a remote for unlocking the doors, but still uses a traditional key for the ignition. Every single time I got in the car, I would press the button on the remote to unlock the door, then return the key to my pocket, only to realize I needed it to start the car.

  14. says

    I hope the only way to update an automobile’s firmware is through direct contact with maintenance equipment. If it is done through wireless communication that could be another route to gain entry.

  15. starskeptic says

    “…if you have a car with a key, you still are likely using an RF system for additional security.”
    Point is -- that car isn’t going anywhere without a key in the ignition.
