How some thieves broke into my car and why you're vulnerable too

How some thieves broke into my car and why you're vulnerable too(articulateventures.com)

13 points by Articulate 12 years ago | 16 comments

ergoproxy 12 years ago |

My car was parked at the grocery store during an electrical storm. Lighting hit nearby and my "keyless entry system" unlocked the doors. After that my key fob no longer opened the doors. In the next few weeks I noticed more odd behavior: My dad's key fob opened my doors, my sister's key fob opened my doors, and a couple of random stranger's key fobs opened my doors. I've had the dealership reset my security system three times now at $40 a pop, and it still don't work right. Great technology! I long for the days before keyless entry technology, when you had to use a key to open the doors.

na85 12 years ago |

Explain it?

Predictably, the car companies are stuck in the past. Much like GSM for your cell phone, keyless entry remotes are not secure and relied on security through obscurity.

The thieves simply have a small computer with an antenna that basically brute forces your keyless entry system.

It's like having 1000000 physical car keys in front of you and pushing the unlock button, key by key, until the door opens

beat 12 years ago | |

It's aggravating, because even this kind of attack is easy to defend against. If the keyless entry system receives, say, five bad signals in a second, just go to sleep for five seconds. Makes brute force impractical.

smileysteve 12 years ago | | |

The radio wave is sent from a remote to a surrounding area though.

IF many cars were on the same frequency, any time more than a few dozen people (think after sporting events) it could easily be possible that you'd get one of these delays; if you get it, and press it again you start the timer over for every car in your rf range.

Also, think of the issue @ the dealer.

Now, if two hashes were sent, the vehicle address and the next security hash, then this lockdown mode works.

gms7777 12 years ago | |

So I don't know much about either these keyless ignition systems or security and encryption, but is it really that simple? According to my not-super-legitimate internet source (http://auto.howstuffworks.com/remote-entry2.htm), typical remote entry keys work with at least 40 bit codes, and different car manufactures use different systems/#s of bits. In additon, since the codes are encrypted with different random #s every time, you can't just enumerate every possible combination.

The concept of brute forcing, and doing it successfully for many different cars in a short period of time, just doesn't pass the smell test for me.

emidln 12 years ago | | |

It's been a long time since I worked building ECUs responsible for RKE (Remote Keyless Entry) and SKIM (Security Key IMmobilizer), but IIRC, only one of the three used ciphers and systems that I recognized (it was an RC4-derivative).

They all had features to disallow brute-forcing though. The RKE system would track the number of requests for each authenticated FOB. If the FOB had too many requests or had been pressed too many times (either the stored count or the sent count being off), various features would be frozen until the FOB was repaired (by synchronizing via insertion into the key cylinder and/or successfully starting the engine).

Nobody talked about how good the encryption was or wasn't. I wasn't doing cryptography and we were just given things to implement. The protocol also wasn't really up for discussion, as we were just implementing a spec given to us.

It doesn't surprise me to learn that you can break this. We noticed a bunch of vulnerabilities during validation that required some knowledge to expoit (implementation details that you'd have to gain via fuzzing).

Another scary part is how lax ECUs talking on the CAN bus were w/parsing network messages. I'd like the opportunity to spend some time attacking various controllers on common systems (does GM still use their Common Architecture? if so that'd be a gold mine), but I'm now in a different field without funding or resources.

gnaffle 12 years ago | | |

Not sure if it was the case here, but apparently some cars can unlock automatically if the key is nearby.

To hack this, you only need a sensitive receiver that can retransmit the signal from the key, and you need two people, on in proximity to the key, and another nearby the car when it unlocks.

Broken_Hippo 12 years ago |

I am very far from alarmed. Though I can think of all of the 'scary' doom scenarios that go along with this, I figured out a long time ago that even my normal barely-running vehicles could be broken into or worse. Any doom beyond that has chances that are more rare than hurting myself while getting into the same car. So I'm not going to worry about it.

I'll continue to take reasonable precautions (don't keep valuables in the vehicle, have insurance, look into the car at night since I rarely lock it, etc). And yes, I rarely lock the car. I figure that a broken window (what I figure is the most common entry) will hurt me more financially and cause more inconvenience than anything in the car.

Technically speaking, if people can get my credit card numbers, it is unsurprising that the door lock technology can be manipulated. Locks never keep the determined out, it merely forces them to work more creatively.

beachstartup 12 years ago |

the idea that any car even could be safe from thieves is laughable. all the crypto in the world isn't going to stop someone from smashing your window with a crowbar. hell, in SF it's safer to leave your windows open and doors unlocked with nothing inside.

don't leave valuables in your car, and buy insurance against theft.

gnaffle 12 years ago | |

The point of the car alarms and crypto is to notify you if your car is broken into, that will act as a deterrent.

That aside, many car thieves will even steel airbags (very expensive), and you can't exactly go around dismantling and removing them every time you leave the car.

krapp 12 years ago |

I'm gonna be that guy...

... maybe being able to unlock a car remotely is a bad idea.