All CANBUS packages that are useful to drive a car should be encrypted using a public/private key that is in the owner key. Decryption chips are cheap and fast.
Maintenance is a big key management problem though: if only the owner has it, there will be problems when people inevitably lose it. If there are shared keys for service departments or databases, thieves will get access to them.
Things like time-limited on-demand keys can limit those problems but now you can’t get your car serviced when Toyota’s servers go down and they need to commit to not breaking API compatibility for multiple decades.
The manufacturer should maintain a root cert that can be used. If that root cert is compromised then they should have a way of rotating keys if the vehicle and physical keys are present. Breaches then constitute what amounts to a software recall, putting the onus on the manufacturer to report them or be held liable for thefts. The recall notice puts the liability on the driver to have their vehicle updated (for free) in a timely fashion.
My Ducati bike had immobilizers that would prevent the bike from being started without the key or the per-bike code card. When it was stolen, the thieves tried all manner of things to start it, including drilling through the ignition keyhole. I managed to get it all fixed and the bike still ran. Without the immobilizer, someone else would be riding my bike.
That's no different from this proposal. You just give them the keys, or the key card (or red key) if you've lost the keys.
Some of the tools used to steal cars are the legitimate tools used to repair cars. Key programmers aren't cheap, but at under $5k for decent ones, they aren't crazy expensive either. It pays for itself in one job.
You could make these tools more difficult to obtain, but that won't stop the crime.
Immobilizers and requiring a PIN to start the car are cheap, effective ways of preventing car theft without negatively impacting our ability to repair vehicles. It would behoove government agencies to include a list of anti-theft techniques on the window sticker and it would behoove insurance companies to be very upfront with the anti-theft features they think vehicles need.
Right now many of the components of your iphone are paired to the phone through signing. It's a huge fucking pain in the ass, and it makes the whole 'right to repair' a huge can of worms.
I work in CA/PKI, particularly IoT device registration/security via TPM keys.
I cannot imagine a scenario after years working with our own infra and clients where a car manufacturer would restrict access to the vehicle with a private key decryption on the fob TPM (that can't be exported or copied).
Lost/broke fob? 4000-pound paperweight, to no one's benefit. Insurance nightmare that would also be violating right to repair in many states (which is a different issue).
There SHOULD be a standard like every person has some device or process that is also a CA, who can then generate and dictate what keypairs can access a device, car etc. But we are very very very far away from that.
It's an enormous amount of implementation effort aimed at tampering which, to some approximation, never happens. And as another poster has said elsewhere, partitioning the communications would be cheap.
That they are using the OEM software indicates that there is some authentication going on with the ECU to start the engine anyway. I bet they didn't truly plan for key rotation.
Allow me to offer a different opinion. There is little sense in applying logical security when physical security is lacking. CANBUS should not be accessible by taking apart headlights. Communication buses must be protected from physical access, i.e., trip the alarm system or disable the car upon unauthorized access. There can be no logical security without physical security.
It would be very hard to make CANBUS inaccessible from headlights, since that's what controls it. However, the headlight shouldn't be able to tell the rest of the system that the key is in the car.
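The gateway-style enforcement this comment calls for, written up as an added illustration (not code from the thread or from any vehicle OEM): a central gateway forwards a frame only if the (source bus, CAN ID) pair is on an allowlist, so a "key present" message arriving from the front-body bus that the headlight ECU sits on is dropped and logged, while the same ID from the immobilizer bus is forwarded. Bus names and CAN IDs below are constructed for the example.

```python
"""Toy CAN gateway with a per-source-bus allowlist.

Added example, not from the discussion above. Bus names and CAN IDs
are constructed placeholders, not values from any real vehicle.
"""
from dataclasses import dataclass, field

# Constructed CAN IDs for the example.
KEY_PRESENT_ID = 0x1A0       # hypothetical "key authenticated / present" message
HEADLIGHT_STATUS_ID = 0x3C0  # hypothetical headlight status message


@dataclass(frozen=True)
class Frame:
    can_id: int
    data: bytes


# Policy: source bus -> {CAN ID the bus may originate: destination buses it may reach}.
# Anything not listed is dropped. The front-body bus may only report headlight
# status; only the immobilizer bus may assert key presence.
POLICY = {
    "body_front": {HEADLIGHT_STATUS_ID: {"body_main"}},
    "immobilizer": {KEY_PRESENT_ID: {"powertrain", "body_main"}},
}


@dataclass
class Gateway:
    policy: dict
    log: list = field(default_factory=list)

    def route(self, src_bus, frame):
        """Return {destination bus: frame} for permitted frames, {} otherwise."""
        destinations = self.policy.get(src_bus, {}).get(frame.can_id)
        if destinations is None:
            # A frame from an exposed bus claiming an ID it is not allowed to
            # originate is the case the comment above is worried about.
            self.log.append(
                f"DROP src={src_bus} id=0x{frame.can_id:03X} (not in allowlist)"
            )
            return {}
        return {dst: frame for dst in destinations}


def simulate():
    """Run a constructed traffic sample and summarise what the gateway did."""
    gw = Gateway(POLICY)
    traffic = [
        ("body_front", Frame(HEADLIGHT_STATUS_ID, b"\x01")),  # legitimate
        ("body_front", Frame(KEY_PRESENT_ID, b"\x01")),       # spoof attempt
        ("immobilizer", Frame(KEY_PRESENT_ID, b"\x01")),      # legitimate
        ("diagnostics", Frame(KEY_PRESENT_ID, b"\x01")),      # unknown bus
    ]
    forwarded = sum(len(gw.route(src, f)) for src, f in traffic)
    return {"forwarded": forwarded, "dropped": len(gw.log), "log": list(gw.log)}


if __name__ == "__main__":
    for line in simulate()["log"]:
        print(line)
```

The point of keeping the policy keyed on the source bus rather than on the CAN ID alone is that CAN frames carry no sender field; the only thing the gateway can trust is which physical port a frame came in on.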
From what I've been seeing with Toyota and their ECU Security Key, it hasn't been cracked yet but it's close to being cracked and extracted from a running car and the private key extracted (so things that look at CAN bus messages can work again, like comma.ai).
CANbus protocol makes this hard. Payloads are limited to 64 bits, to start with. But the payload for each message could be encrypted, even though secure key exchange would be difficult.
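To show what does fit in a 64-bit payload, here is an added example (not code from the thread or from any manufacturer) of the layout idea AUTOSAR SecOC uses: four data bytes, a one-byte freshness counter and a three-byte truncated MAC, with the CAN ID bound into the MAC so a frame cannot be replayed under another ID. The key, CAN IDs and the acceptance window are constructed; HMAC-SHA256 stands in for the CMAC a real ECU would use, and the one-byte counter is a toy (SecOC keeps a wider freshness value and transmits only its low bits). This is authentication rather than encryption; it addresses the "fake key present" problem without hiding the data.

```python
"""Authenticated CAN payloads inside a classic 8-byte frame.

Added example, not from the discussion above. Frame layout:
    [4 bytes payload][1 byte counter][3 bytes truncated MAC]
Key, CAN IDs and WINDOW are constructed values.
"""
import hashlib
import hmac
import struct

PAYLOAD_LEN = 4   # application data bytes per frame
COUNTER_LEN = 1   # freshness counter (toy width; real SecOC uses a wider value)
TAG_LEN = 3       # truncated MAC bytes: 8 - 4 - 1
FRAME_LEN = PAYLOAD_LEN + COUNTER_LEN + TAG_LEN
WINDOW = 16       # how many lost frames the receiver tolerates before resync


def compute_tag(key, can_id, counter, payload):
    """MAC over CAN ID + counter + payload, truncated to TAG_LEN bytes."""
    msg = struct.pack(">HB", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class Sender:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.counter = key, can_id, 0

    def build_frame(self, payload):
        if len(payload) != PAYLOAD_LEN:
            raise ValueError(f"payload must be exactly {PAYLOAD_LEN} bytes")
        ctr = self.counter % 256
        self.counter += 1
        return payload + bytes([ctr]) + compute_tag(self.key, self.can_id, ctr, payload)


class Receiver:
    def __init__(self, key, can_id):
        self.key, self.can_id = key, can_id
        self.last_counter = 255  # so the first accepted counter is 0

    def verify_frame(self, frame):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) != FRAME_LEN:
            return None
        payload = frame[:PAYLOAD_LEN]
        ctr = frame[PAYLOAD_LEN]
        tag = frame[PAYLOAD_LEN + COUNTER_LEN:]
        expected = compute_tag(self.key, self.can_id, ctr, payload)
        if not hmac.compare_digest(tag, expected):
            return None  # tampered, wrong key, or moved to another CAN ID
        delta = (ctr - self.last_counter) % 256
        if not 1 <= delta <= WINDOW:
            return None  # delta 0 is a replay; beyond WINDOW is out of sync
        self.last_counter = ctr
        return payload


def demo():
    """Constructed exchange: one good frame, its replay, a tampered frame, a second good frame."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    can_id = 0x1A0                                            # constructed ID
    tx, rx = Sender(key, can_id), Receiver(key, can_id)
    f1 = tx.build_frame(b"\x01\x00\x00\x00")
    first = rx.verify_frame(f1)
    replay = rx.verify_frame(f1)
    f2 = tx.build_frame(b"\x01\x00\x00\x00")
    tampered = bytes([f2[0] ^ 0x01]) + f2[1:]
    tamper_result = rx.verify_frame(tampered)
    second = rx.verify_frame(f2)
    return {"first": first, "replay": replay, "tampered": tamper_result, "second": second}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted' if result else 'rejected'}")
```

The key-distribution question raised above is untouched by this: every ECU that verifies a given ID must hold the same symmetric key, which is exactly where fob replacement and service access get complicated.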
It's so hard that (almost) every European manufacturer figured it out.
There is also FlexRay. There is nothing interesting you can do with CANbus on new mercs. Even unencrypted CANbus messages go through gateways that (could) prevent headlights from reporting key presence.
There is a reason that some cars don't have reasonable attack vectors (excluding parachuting the driver out of the car) and some can be started with a screwdriver (or a slightly more involved way with CANbus). It's not complexity, it's cost.
acdha|2 years ago
2024throwaway|2 years ago
twodave|2 years ago
Chris2048|2 years ago
The answer is, when a person "inevitably lose[s] it", they need to pay to get their electronics refit.
renewiltord|2 years ago
mywittyname|2 years ago
sleepybrett|2 years ago
Reubachi|2 years ago
maxerickson|2 years ago
ngneer|2 years ago
0x457|2 years ago
skunkworker|2 years ago
K0balt|2 years ago
Even so, it would be possible, I think.
0x457|2 years ago