top | item 28355312

Replay-based attack on Honda and Acura vehicles

252 points | FridayoLeary | 4 years ago | github.com

115 comments

rootsudo | 4 years ago
This has been known in the automotive/security world forever; you can google replay attacks and people demonstrate this.

German cars do have a rolling code, especially BMW with EWS2 around 1996, and it's a nicely documented system to break.

With that said, it would be fun to dump older car firmware to see how simple the security was; previous to 1996, most cars' ECU firmware was literally on EPROMs.

There are also communities and such dedicated to bypassing this, not for theft but for engine swapping and car modification - having an annoying security system that can disable the starter or fuel pump sucks when you engine swapped your car.

matthewdgreen | 4 years ago
The news here is the fact that this very old and well-known attack works on cars in the 2020/2021 model years. This is pretty surprising, since the appropriate countermeasures have been widely-deployed even in inexpensive cars for well over a decade. Modern “keyless” vehicles have largely moved on to dealing with relay attacks, which is at least a more challenging class of attack than this one.
sandworm101 | 4 years ago
It also really sux when you have to repair those security systems. I honestly would forgo the entire encryption fob thing in favor of a decent mechanical key for starting the car. Sure, they can be bypassed, but if someone is under your hood crossing wires then you have bigger problems.

Or better yet, an S&G digital safe lock. If it is good enough for missile launch codes it is good enough for my civic. Replacing an S&G lock body is far cheaper than any car immobilizer.

josefx | 4 years ago
As far as I understand even physical car keys tended to be on the low end. With a decent chance that you could find a different car by the same manufacturer that you could at least unlock with your key.
bane | 4 years ago
I took a class on SDRs one time and replay attack against a Honda was one of the toy examples they used as homework.
dharmab | 4 years ago
> "Honda" in Japanese translates to "Original Rice Patty"

This should be "paddy" rather than "patty". Note that Honda is a family name (after founder Soichiro Honda).

Clewza313 | 4 years ago
"Rice Paddy" is also redundant, since the English paddy comes from the Malay padi, "rice plants".

And while "original rice paddy" is a correct if painfully literal translation, something like "Mainfield" probably captures the essence better. In Japanese, a field defaults to rice and there's a separate word (畑 hatake) for non-rice fields, with a little fire radical 火 added to the rice field 田 to show that this is a burned (dry) field instead of a wet one.

cestith | 4 years ago
Remote start is a safety issue, not just a security one. It doesn't take much to imagine replaying the start command while a vehicle is in an attached garage.

Remote unlock is a safety issue for assaults.

Thankfully according to https://owners.honda.com/Linked-Content/PDF/RemoteEnginestar... the remote engine stop doesn't work if the engine was started with the ignition key rather than the remote.

ashtonkem | 4 years ago
I agree about the remote start, but I’m dubious about the remote unlock being an issue for assaults in practice. I think if someone is planning to violently attack someone, going through the window is going to be the most common path taken.

It’s like home invasions. Perhaps someone might pick your weak lock or hack your smart lock, but in practice they usually just break a window or kick the door in.

markbnj | 4 years ago
Fwiw, on current Hondas the engine will only run for a set period, I believe 10 mins, unless the fob is used to reset the timer or the driver enters the cabin with the fob and presses the brake and start button.
nomel | 4 years ago
> while a vehicle is in an attached garage.

Carbon monoxide being present is an assumption in the perspective of the building codes. This is why attached garages must have ventilation to outside, doors with gaskets, etc. There’s some danger, but the codes were made for the case where people forget and leave their car running, which isn’t all that uncommon.

vdqtp3 | 4 years ago
> Remote unlock is a safety issue for assaults.

Remote unlock actually doesn't work on [most?] Honda vehicles if the engine is running.

wallaBBB | 4 years ago
Both Lock and Remote Engine Start are considered as safety relevant in automotive.
xur17 | 4 years ago
Has anyone else verified this? I'm shocked to the point of disbelief that this would be a thing in a car manufactured in 2020.
waterside81 | 4 years ago
Yup. A Land Rover was stolen right near my house in broad daylight and I live in a very good neighbourhood. Cops came by and asked me if I had home cameras, but they explained to me this is very common. High-end SUVs are targeted and this is run by organized crime. Cars are overseas within days to be re-sold.

The thief just hangs around the target, waits for the fob to be used, clones the signal and can steal the car within 3 minutes.

The problem is so pervasive that Land Rover offers discounts to previous customers who are victims of theft:

https://www.landrover.ca/en/ownership/protection-program/veh...

post_break | 4 years ago
Ford has a key cloning issue too. Focus and Fiesta STs are prime targets in the UK to the point where you'd be crazy not to remove or lock the OBD-II port on those vehicles. Luckily it's not as bad in the states. Criminals can clone a key in about 30 seconds with special tools.
mkj | 4 years ago
With rolling codes, if you (or a toddler) press your remote button too many times while out of range of the car, will the remote and car get out of sync? More than 60 or 255 presses or something like that?

I guess there must be a mechanism for the car to resync somehow?

tyingq | 4 years ago
This sucks, of course, but the alternative has downsides as well. Volvo, for example, has rolling codes. But, if you lose your keys/fob the car has to be present to make new ones. At $500+ each.
quadyeast | 4 years ago
Does this attack work if you do not push any of the key fob buttons i.e. if you unlock the car by touching the front door handle with the key in your pocket; starting the car by pushing the engine start button with the key in your pocket?
baking | 4 years ago
This is my question. I've been keeping my key fob in a faraday box for almost a year because I heard that keyless entry and keyless start can be pinged during a night-time drive-by when the owner is likely to be home.

Obviously not a replay attack, but still seems to be a huge vulnerability.

arein3 | 4 years ago
Very hard to believe that this was not fixed 20 years ago.
tersers | 4 years ago
For years Honda has known the door lock mechanism is trivial to bypass and they haven’t fixed it, so I’m not surprised.
HackingInHeart | 4 years ago
Hello, I am the creator of this attack. I was very impressed by the traffic this URL drove to my Github. After reading closely:

No, it isn't fake. I'd love to show you more videos! This attack does require the target to use their FOB; the range that is required is quite long! This can be performed from great distances away. Through recreation of this part of the attack, we know it's possible to convert a "lock" command (or any command at all) into any other command, and unlike the rolljam attack, these codes will work forever (until the key gets reset by a dealer).

londons_explore | 4 years ago
People unlock cars in my street and steal stuff with this nearly every week.

That's why I never use the remote and always use key-in-hole.

shadilay | 4 years ago
What is the handheld SDR and where can I buy one?
j_walter | 4 years ago
New PortaPack H2 And HackRF One SDR Software Defined Radio (check Banggood)

Looks like maybe a custom case, but 99% sure it's this hardware that has been customized.

edit: Actually you can find the exact model they are using on eBay...just google the first line of text in this comment.

edit: ok, direct link https://www.ebay.com/itm/224339096828?chn=ps&mkevt=1&mkcid=2...

yborg | 4 years ago
And how much does it cost... if this is cheap, it seems that insurance rates on Honda/Acura vehicles are about to increase.
h2odragon | 4 years ago
"Vehicle ignition" should be a physical switch with 3 wires, and that's it. I don't want anything more complicated... perhaps put a relay inline if some other system really needs a kill switch.

Is a keyfob / "remote start" / "added security" really worth the trouble? How many people buy these things when it's an option they have to wait for vs something already there to bulk up the price?

jen20 | 4 years ago
Remote start is very useful in climates which require either the heater or AC to run before a car is comfortable to sit inside.
calvinmorrison | 4 years ago
I'll always remember driving my dad's car home from the airport (he was staying on vacation longer) and cranking it and cranking it until I remembered the little fuel pump security switch under the front seat... Ah, that civic was truly a POS.
wallaBBB | 4 years ago
Honda (and any well established OEM) has rolling code on their newer models for sure. There are 2 scenarios possible here regarding this article.

1st - message is recorded while key is outside of the vehicle range. Rolling Code does not help here since the vehicle never received the original signal from the key. The point of rolling code is that same signal cannot be used twice to open the vehicle. There is no protection against this with unidirectional RF keys, but requires physical access to the key and your recorded message needs to be first one sent to the vehicle.

2nd - it's fake. This I say because the key gets out of the frame in the video when the signal is replayed...
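
The fixed-code versus rolling-code behaviour debated in this thread (mkj's question about a fob pressed out of range getting out of sync, and wallaBBB's first scenario of a code captured before the car ever heard it), as an added Python simulation. This is not code from the linked repository or from any commenter: the receiver design, the look-ahead window of 16 presses and the two-consecutive-press resync are assumptions modelling a common counter-based scheme, and the key and codes are constructed for the demo.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed shared secret for the demo; a real fob/ECU pair holds a per-vehicle key.
KEY = b"constructed-demo-key"


def make_code(key: bytes, counter: int) -> bytes:
    """Code = 4-byte counter || 8-byte truncated HMAC over the counter (constructed scheme)."""
    ctr = counter.to_bytes(4, "big")
    return ctr + hmac.new(key, ctr, hashlib.sha256).digest()[:8]


@dataclass
class Fob:
    key: bytes
    counter: int = 0

    def press(self) -> bytes:
        # Every press advances the counter, whether or not the car hears it.
        self.counter += 1
        return make_code(self.key, self.counter)


class FixedCodeReceiver:
    """Models a fob that sends the same bit pattern every time: a captured code stays valid forever."""

    def __init__(self, key: bytes):
        self.fixed = make_code(key, 0)

    def accept(self, code: bytes) -> bool:
        return hmac.compare_digest(code, self.fixed)


class RollingCodeReceiver:
    """Counter-synchronised receiver with a look-ahead window and a two-press resync (assumed sizes)."""
    WINDOW = 16           # presses the car may miss and still accept the next one directly
    RESYNC_MAX = 1 << 15  # beyond WINDOW, two consecutive codes are required to resync

    def __init__(self, key: bytes):
        self.key = key
        self.last = 0        # highest counter accepted so far
        self.pending = None  # counter seen outside WINDOW, waiting for its successor

    def accept(self, code: bytes) -> bool:
        ctr = int.from_bytes(code[:4], "big")
        if not hmac.compare_digest(code, make_code(self.key, ctr)):
            return False                      # forged or corrupted code
        if ctr <= self.last:
            return False                      # already consumed: a replay or a stale code
        gap = ctr - self.last
        if gap <= self.WINDOW:
            self.last, self.pending = ctr, None
            return True
        if gap <= self.RESYNC_MAX:
            if self.pending is not None and ctr == self.pending + 1:
                self.last, self.pending = ctr, None   # two consecutive codes: resynced
                return True
            self.pending = ctr                        # remember it, but do not act yet
            return False
        return False                          # too far ahead; treated as an unknown fob


def run_scenarios() -> dict:
    """Accept/reject outcome of each scenario discussed in the thread."""
    results = {}

    # Fixed code: the same captured code is accepted every time it is sent again.
    fixed_rx = FixedCodeReceiver(KEY)
    captured = make_code(KEY, 0)
    results["fixed_replay"] = (fixed_rx.accept(captured), fixed_rx.accept(captured))

    # Rolling code: once the car has consumed a code, sending it again is rejected.
    fob, rx = Fob(KEY), RollingCodeReceiver(KEY)
    captured = fob.press()
    results["rolling_replay"] = (rx.accept(captured), rx.accept(captured))

    # Toddler presses the fob 5 times out of range: still inside the window, next press works.
    fob, rx = Fob(KEY), RollingCodeReceiver(KEY)
    for _ in range(5):
        fob.press()
    results["out_of_range_5"] = rx.accept(fob.press())

    # 100 presses out of range: the first press is ignored, the second consecutive one resyncs.
    fob, rx = Fob(KEY), RollingCodeReceiver(KEY)
    for _ in range(100):
        fob.press()
    results["out_of_range_100"] = (rx.accept(fob.press()), rx.accept(fob.press()))

    # wallaBBB's scenario 1: the car never heard the code, so it is still fresh if it reaches
    # the car before the owner's next press; after that press it is stale.
    fob, rx = Fob(KEY), RollingCodeReceiver(KEY)
    captured = fob.press()                  # pressed out of range; the car did not receive it
    first_send = rx.accept(captured)        # reaches the car first: counter is ahead, valid
    owner_next = rx.accept(fob.press())     # owner's following press still works
    second_send = rx.accept(captured)       # same code again: now behind the counter
    results["captured_unheard"] = (first_send, owner_next, second_send)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The `captured_unheard` scenario is the limit of what a unidirectional rolling code can do: freshness is judged only by the counter, so a code the receiver never saw is indistinguishable from a legitimate first use. Closing that gap needs a challenge-response exchange (the car contributes a nonce), which is why modern keyless systems moved to bidirectional protocols and then had to deal with relay attacks instead.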

HackingInHeart | 4 years ago
It is not fake, and Honda does NOT have rolling codes. This assumption is why the problem was never found. Even I assumed they had rolling codes until I performed a rolljam attack on a Honda and found that the keys NEVER expired, meaning they DO NOT ROLL.