What's the big mystery here? There have been published articles on the ease of hacking car remotes (and even the onboard electronics) going back at least a couple of years. For example:
Here's a video (with no commentary, unfortunately) that shows someone who has apparently decoded the signals from a car remote and is using the remote and an Arduino to toggle some LEDs:
I have little doubt that there are hackers out there who can easily build a device to remotely unlock / start cars that use keyless entry. In fact, I'd be far more surprised if there weren't.
Edit: to elaborate... when I say "What's the big mystery" I'm referring to a notion, which I interpreted from the article (rightly or wrongly), that people are totally unaware that this kind of thing is even conceptually possible. I don't claim to know the exact exploit or mechanism being used here! Just pointing out that this general class of attacks isn't something totally foreign and unknown.
I'd be willing to bet that someone has stolen some universal unlock codes for a variety of manufacturers and it is now in the wild. Of course, no car company wants to admit this.
If they were using key reprogramming/hacking there's no reason to 'always use' the passenger side front door as claimed in the video. So I don't think it's clear that these thieves are using any of those techniques.
I imagine it might be stupider, like maybe there's a way to induce the unlock button or motor to trigger via induction or something. Though I'm pretty poorly informed about that kind of thing scientifically and am likely completely wrong.
> What's the big mystery here?
The method that the thieves are using is unknown.
While those links may be useful to shed light on this type of crime, they do little to confirm the method that these thieves are employing. Hence, there is mystery.
You ask what the big mystery is, and then link to a lot of unrelated hacks/exploits. Yes, the article is that someone hacked/exploited the remote door open specifically, apparently on seemingly random cars. It is a mystery how they are doing it, though it is painfully obvious that they are exploiting something.
I was intrigued by their mention of this "Jim Stickley" who was cited as a top security expert. I had never heard of him before, so did a quick search to find out a little more about him. He seems to be a pretty legit and well known security guy[1], but it surprises me that he said:
> "This is really frustrating because clearly they've figured out something that looks really simple and whatever it is they're doing, it takes just seconds to do," Stickley said. "And you look and you go, 'That should not be possible.'"
Considering, again, that there has been published research on this topic, and a presentation at Black Hat, revealing that (at least some) cars are vulnerable.
Honestly, I feel like the reporter on this article should have done a bit more background research and interviewed a few more people. Not that it changes the fundamental issue (don't leave valuables in your car, etc.) but it would have been a stronger article with some more context, IMO.
Jim Stickley is -- being kind -- a hack. He was on the Today Show showing off my hotel lock exploit without credit, and got zero details correct. Gotta respect his ability to press-whore (I tend to think I'm fairly good, but he puts me to shame), but that's about it.
I agree with your skepticism but I disagree with your analysis of Stickley. This looks like the typical security clown out there writing his own Wikipedia entry. His article's main point seems to be that he found a buffer overflow. There, he's a security expert.
What security professional worth his salt says "that should not be possible"? The entire security profession is about identifying assumptions and then challenging them. He sounds more like a software developer cashing in on the "s" word because he found a buffer overrun than a security professional assessing an attack.
They should hire someone like Dan Boneh[1] to look for cryptanalytic attacks. Of course, I'm sure he'll find a whole bunch of attacks. That's going to be really expensive, repairing all that faulty crypto hardware.
The advice given in the article sounds ridiculous to my (Brazilian) ears.
- "Don't leave valuables in the car". Really? I'd have to deal with smashed windows every single day if I left anything that could possibly be of value sitting overnight (or for a few minutes in some places). Perhaps even an empty shoe box. And that's with tinted windows so dark they are not even supposed to be street legal.
- "Keep your car registration in the wallet". Identity theft with a car registration should not be possible here, as it doesn't contain ID numbers, nor photographs and is no proof of identity (you have to display the driver's licence - which is proof of identity - and the car's documents on demand if requested by authorities). Still, it is a ridiculously bad idea to leave it sitting in a car overnight. If the car is stolen, the crooks would have a much easier time evading minor police checkpoints.
I guess some places have such a low crime rate that people just forget basic security precautions?
Yup. In some places it actually feels best just to leave your car doors unlocked - then the thief doesn't have to smash your window before they root through your car and find it contains nothing of value.
That stuff really isn't necessary in much of the US (many non-urban areas... though not all). I don't even always lock my car doors in some places. To someone who's not used to it, it's probably amazing how benevolent people and society really can be.
Essentially, with the newer keyless entry cars, it's the car that transmits the signal to the fob (so you can't get stranded with a flat battery).
The protocol itself is secure, but open to a MITM attack. The exploit works essentially like a WiFi booster.
Perp #1 places himself near the car, receiving the car's transmission. This is relayed to perp #2, who is near the owner (and the key). The key communicates with the car (via the relay) - the door opens, the car starts, and off you go.
The level of security of a car door is presumably a lot higher than that of a garage door, but the technology of using a rolling code is the same and the need to be able to (re)synchronize remote keys/fobs is also there. With the cars I own, there is a procedure in the operator's manual on how to resync your keys. Nominally, it requires physical access - an already unlocked car.
My first guess is that the bad guys figured out a timing attack that confuses the lock software if the "right" sequence of codes is sent with the "right" timing.
My alternate guess is that the bad guys figured out a way to mimic the resync mechanism without requiring physical access.
I never understood why keyfobs work in a UDP style, when communication between the remote and car would be infinitely better.
For instance, instead of just sending "12345" and having the doors open since the code was expected, what about if the remote said "hey car, what's your random number" - the car then transmits back "54321", at which point the transmitter sends a hashed reply sha512(54321 + unique-random-id-set-per-car), which the car receives and then verifies matches the expected output.
The takeaway being that both the car and the remote know what "unique-random-id-set-per-car" is, but nobody else does. It should be randomly set at the factory so each car and the remotes have a unique id.
My only thought as to why it's not like this is that the logic required to do that type of operation might not be possible without a higher wattage 'processor' in the keyfob, which would eat through batteries. I'm totally out of the know in that area though.
Also, unrelated, but the passenger door thing is likely just coincidence because they want to get in the glove box. But there is another thing that could explain it. On my last car (Mercedes), when I wanted to reprogram a new keyfob to work with the car, I had to do a long process of certain actions to make it work. It was like "press on brake, release brake, press on brake for 3 seconds then release, open driver's window, open passenger door, close driver's window, press open button on keyfob". So the car CPU is definitely aware and can take actions specific to which door is being opened, so it's possible it's related.
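As an added example (written for this page, not code from any commenter or manufacturer) of the challenge-response scheme proposed above and of the relay attack described earlier in the thread: the car issues a fresh nonce, the fob answers with a keyed hash over it, a replayed or wrong-key answer fails, and a relay that forwards both messages verbatim still passes. HMAC-SHA512 is used in place of the sha512(nonce + id) concatenation as the standard keyed construction; class and function names are assumptions.

```python
import hashlib
import hmac
import secrets


class Car:
    """Vehicle side of the challenge-response unlock. The shared key plays the
    role of the thread's 'unique-random-id-set-per-car', set once at the factory."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._pending = None  # nonce of the challenge currently outstanding

    def challenge(self) -> bytes:
        # A fresh random nonce per attempt: a recorded reply cannot be reused.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha512).digest()
        self._pending = None  # one challenge, one answer
        return hmac.compare_digest(expected, response)


class Fob:
    """Remote side: proves knowledge of the shared key without ever sending it."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha512).digest()


def unlock_attempt(car: Car, fob: Fob, channel=lambda msg: msg) -> bool:
    """One exchange. `channel` models whatever sits between car and fob."""
    nonce = channel(car.challenge())
    return car.verify(channel(fob.respond(nonce)))


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed factory key for this run
    car, fob = Car(key), Fob(key)
    results = {"genuine": unlock_attempt(car, fob)}
    # Replay: an eavesdropper records one complete reply and sends it again later.
    recorded = fob.respond(car.challenge())
    car.challenge()  # the car has since issued a different nonce
    results["replayed"] = car.verify(recorded)
    # A fob paired to some other car (different factory key).
    results["wrong_key"] = unlock_attempt(car, Fob(secrets.token_bytes(32)))
    # Relay: both messages forwarded unchanged over distance. Nothing in the
    # cryptography distinguishes this from the owner standing at the door.
    relay_log = []

    def relay(msg):
        relay_log.append(msg)
        return msg

    results["relayed"] = unlock_attempt(car, fob, channel=relay)
    results["relay_hops"] = len(relay_log)
    return results
```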
That probably means the keyfob needs a receiver (which I suspect they don't by current design). But I agree, a two-way communication would be nice as the keyfob could then report whether the car was locked properly.
Having both a transmitter and receiver in the fob used to be a lot more expensive and bulky than having just a transmitter. It isn't really anymore thanks to advances in RF miniaturization and integration, but when car keyfobs were first designed it mattered.
I wonder if they found an exploit for Bluetooth. Newer cars have this feature so the owner doesn't have to use the key. If the Bluetooth service has access to the On Board Diagnostic (OBD), it can get to a lot of the car's info and commands, such as unlock door.
I remember working on AutoPC back in the day and we tapped into the OBD and provided a feature to send a message to the car to unlock the doors. Similar to OnStar nowadays.
> Both the transmitter and the receiver use the same pseudo-random number generator. When the transmitter sends a 40-bit code, it uses the pseudo-random number generator to pick a new code, which it stores in memory. On the other end, when the receiver receives a valid code, it uses the same pseudo-random number generator to pick a new one. In this way, the transmitter and the receiver are synchronized. The receiver only opens the door if it receives the code it expects.
So, if you figure out how these are salted (VIN?) and what pseudo-random generator it uses, you can recreate the signal.
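As an added example (not from the thread or any manufacturer) of the rolling-code scheme quoted above: fob and car step the same generator, and the receiver accepts only codes ahead of its own position within a bounded window, which is what rejects a replayed code and what the manual resync procedures mentioned elsewhere in the thread exist to recover from. SHA-256 stands in for the real generator, the seed is a constructed value, and the class names are assumptions.

```python
import hashlib

WINDOW = 16  # presses the receiver will look ahead before giving up


def next_code(state: bytes) -> tuple:
    """One step of the shared pseudo-random generator. SHA-256 over the
    previous state stands in for the manufacturer's generator; the initial
    state is the per-car secret seed (the 'salt' the comment asks about)."""
    state = hashlib.sha256(state).digest()
    code = int.from_bytes(state[:5], "big")  # a 40-bit code, as in the quote
    return state, code


class Fob:
    def __init__(self, seed: bytes):
        self.state = seed

    def press(self) -> int:
        self.state, code = next_code(self.state)
        return code


class Car:
    def __init__(self, seed: bytes):
        self.state = seed

    def receive(self, code: int) -> bool:
        # Search forward up to WINDOW codes (the fob may have been pressed out
        # of range) but never backwards, so any code already used is rejected.
        state = self.state
        for _ in range(WINDOW):
            state, expected = next_code(state)
            if expected == code:
                self.state = state  # resynchronise to just past the accepted code
                return True
        return False


def demo() -> dict:
    seed = b"constructed per-car seed, not a real key"
    fob, car = Fob(seed), Car(seed)
    first = fob.press()
    results = {"first": car.receive(first)}
    results["replay"] = car.receive(first)  # same code again: rejected
    for _ in range(5):  # presses while out of range of the car
        fob.press()
    results["resync"] = car.receive(fob.press())  # still inside the window
    for _ in range(WINDOW + 1):
        fob.press()
    results["out_of_window"] = car.receive(fob.press())  # needs the manual resync
    return results
```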
RSA Security and Johns Hopkins were able to crack an RFID keyfob in 15 minutes [0] back in 2005. Rumor had it that later on it was something like 30 seconds to crack a Ford key. 40-bit RFID keyspace--combine that with 2013-era technology and this is absolutely no surprise.
How about the possibility that the thieves have simply purchased replacement remotes from eBay (or similar), and programmed them when they had access to a compatible vehicle? Maybe the thieves work at a car wash, valet or have organized a larger network of goons (think credit card skimming).
Programming a replacement remote is a simple procedure, requiring only a few moments in the vehicle with the key present... like when parking a car. Paired with an easily accessible address (registration?), you have a crime ready to take place.
This would confirm why multiple vehicles in the same driveway were targeted. Families use the same service providers. It could also make sense of why the "device" occasionally did not work. Maybe they got the remotes / addresses mixed up, the programming did not take or their mule is selling them unprogrammed remotes.
I think this is a more logical solution considering the facts. Any thoughts?
Recent rental car in Italy - get the keys, head to parking lot, and search out car based on license plate on keys. Writing is dodgy, could mistake an 8 for a 9. Find car, electronic control unlocks it, yet key will not start car.
Head back to desk, slam keys down (person behind desk had previously shown a serious attitude to renters), get startled look and say "car doesn't work". After a bit of shock due to slammed keys and firm voice person says "colleague should be there" (he wasn't), pointed out "nope", responded with "oh, in 5 minutes".
Wander back out to car, electronic lock locks/unlocks car, but still doesn't start. "Colleague" shows up. Points out diff between 8 and 9. I mention "uh, car unlocked". He shrugged. Turns out the car was in a completely different/not visible (for the company) part of the parking lot. Both electronic locks and key worked in that vehicle.
Having an electronic system for duplicate cars (1 off in license plates) seems like a bad idea.
They didn't release all of the details. We would need to know which makes, models and years this does/does not work on. In the videos they only showed Honda products (Acura) (the MDX was a 2000-2006 model) but it does not work on GM or Ford. So this is most likely manufacturer specific.
Why is this so baffling and shocking?
I think we all knew this was possible before anybody actually did it. It's not like they're using proper crypto.
It's the equivalent of a bad house lock: give me some good lock picks and 60 seconds and I'm in, so why is this so surprising?
From what they describe, it sounds like the locking systems use a system that works like a VPN key (this was actually surprising to me). Those seem pretty tough to crack, so why would this be any different?
I read a recent 2600 article that said it's fairly easy to procure (from overseas) a jammer to prevent the lock signal from reaching the car. It would not open the doors but instead stop them from locking so the would-be thief would later manually open the unlocked doors.
If you lose your fob, the workaround is re-programming via the OBDII or other diagnostic ports. Yes, that has a backdoor. But typically there is no remote backdoor.
You should be able to pull the fuse for the door locks; the mechanical lock buttons and key will continue to work. To find out which fuse, just Google "[car make] [model] [year] fuse diagram" and look for door lock actuators or similar.
Yes, you don't mount the mechanism that opens the doors when installing the alarm (or cut the wires afterwards).
Store-bought alarms have a lot of crap the electrician never hooks up, so what's the difference in not mounting this one?
You can Google the phrase "car learning keyless remote control" and see tons of sites selling these for "legit" purposes as replacement remotes. I am sure not all of them work on all cars, but I am sure the thieves simply figured out which ones work on which cars and just target those. And I agree, this is nothing new; a story about it pops up on the news every so often and it seems like each time the police are baffled. Maybe there needs to be a web site for the police that provides them with such information. If there isn't one already, there is an app opportunity for someone perhaps.
All of the remotes I've seen require physical access to an unlocked car to initiate the re-synchronization procedure between the new remote and the car. This involves complex things like starting the car 5-10 times and pressing buttons on the remote at the same time.
mindcrime | 12 years ago
http://content.usatoday.com/communities/driveon/post/2011/01...
http://www.schneier.com/blog/archives/2012/07/hacking_bmws_r...
http://reviews.cnet.com/8301-13746_7-20085131-48/remote-unlo...
http://news.consumerreports.org/cars/2011/03/researchers-car...
http://www.youtube.com/watch?v=doELL4g4cS0
jrochkind1 | 12 years ago
American media at its best!
mindcrime | 12 years ago
[1]: http://en.wikipedia.org/wiki/Jim_Stickley
narrator | 12 years ago
[1]: http://en.wikipedia.org/wiki/Dan_Boneh
incision | 12 years ago
Yes.
I've lived most of my life within 25 miles of where I was born in the US.
Within that area there are places where your windows will be smashed for $0.74 in a cupholder and others where people don't even lock their doors.
I grew up in the former and even though I've lived in the latter for a long time I don't think I'll ever get used to it.
gvb | 12 years ago
Ref: http://www.programmingkey.com/
astral303 | 12 years ago
http://www.jhu.edu/news/home05/jan05/rfid.html
progrock | 12 years ago
What happens in the event that you lose your fob?
NameNickHN | 12 years ago
I always chuckle when I read something like this, because if something has been made by men it can be cracked by men. It's as simple as that.
nakedrobot2 | 12 years ago
https://www.google.com/search?q=car+key+duplicator+alibaba
:-)