Police admit they're 'stumped' by mystery car thefts (today.com)
116 points by thedoctor on June 5, 2013 | 127 comments



What's the big mystery here? There have been published articles on the ease of hacking car remotes (and even the onboard electronics) going back at least a couple of years. For example:

http://content.usatoday.com/communities/driveon/post/2011/01...

http://www.schneier.com/blog/archives/2012/07/hacking_bmws_r...

http://reviews.cnet.com/8301-13746_7-20085131-48/remote-unlo...

http://news.consumerreports.org/cars/2011/03/researchers-car...

Here's a video (with no commentary, unfortunately) that shows someone who has apparently decoded the signals from a car remote and is using the remote and an Arduino to toggle some LEDs:

http://www.youtube.com/watch?v=doELL4g4cS0

I have little doubt that there are hackers out there who can easily build a device to remotely unlock / start cars that use keyless entry. In fact, I'd be far more surprised if there weren't.

Edit: to elaborate... when I say "What's the big mystery" I'm referring to a notion, which I interpreted from the article (rightly or wrongly), that people are totally unaware that this kind of thing is even conceptually possible. I don't claim to know the exact exploit or mechanism being used here! Just pointing out that this general class of attacks isn't something totally foreign and unknown.


Oh, but according to SOMEONE (source for this claim is not given) "That code is encrypted and constantly changing — and should be hackproof."

American media at its best!


How would you describe a challenge based authentication system that uses 128-bit AES? I find the reporter's description reasonable.


Your comment piqued my interest, as I wasn't sure if car manufacturers were really using 128-bit AES or not. That led me to this page:

http://ir.atmel.com/releasedetail.cfm?ReleaseID=665225

Where Atmel announced a new transponder chip & microcontroller, which do, indeed, use 128-bit AES. This is from 2012 though, so I'm not sure how widely adopted this particular chip is, or if other, older chips are in widespread use that are 128-bit AES.

But even if everybody is using 128-bit AES, all that means is that the actual encryption itself is probably essentially unbreakable. But, as we all know, cryptographic systems are more than just the raw crypto algorithm. All sorts of systems which use crypto are eventually found to be insecure, so this whole thing should still come as little surprise (well, to people like us anyway. To the average cop, maybe this all sounds like black magic).


To me this looks like a Honda/Acura specific exploit to unlock the passenger side door. It doesn't look like a replay attack, nor do these guys have the ability to start and steal the car, which uses separate encryption keys from the locks.

I agree with you that this is a crypto system failure, not an algorithm exploit.


Or they are just really smart thieves. Better to get caught with petty theft than grand theft auto. Also, maybe keeping the crime as just theft is keeping it under the radar - the cops aren't going to throw up any road blocks for that level of crime.


Enclosed, but not encrypted (http://www.h-online.com/security/features/Enclosed-but-not-e...)

A make of USB drive enclosure that claimed to be using AES 128 bit encryption, but it turns out that wasn't for the data.


"How would you describe a challenge based authentication system that uses 128-bit AES?"

How do you know at the RF level that it's challenge based, and how do you know that the exploit is not operating in some .gov override mode like "I am NSA, open right now" mode.

I used to operate a computer that had a rack mount lock where it's extremely well known (to some, anyway) that the mfgr shipped every unit with a tumbler that could be opened by a key cut to "XX2247"

I could encrypt the key cutting code XX2247 for you with 128 bit AES, or maybe 2048 DSA, but it's not going to help very much.

It might be buggy enough that a random out of limits response might open it.


At least you have to be a hacker to boost a car these days. I remember when I was a kid my parents' car keys would open every Ford or Chevy on the block. I had a lot of fun running around the parking lot at my brother's soccer games.


That reminds me of the time my cousin lost his car keys. Luckily his parents had an extra set, so he got new copies made, and went on his merry way. A year later, I found the old set under the backseat of my car. Presumably they fell out of his pocket while he was riding with me, and got lodged up under the seat somehow.

Soooo... what to do with an extra set of keys to your buddy's car? Muwahahahaha... gaslight[1] him, of course! So me and a couple of other buddies would randomly drive to where he worked, and take his truck and do little things... change the direction it was facing, or move it about 3 spots over in the parking lot, or fiddle with the presets on his radio.

For like a month, he was spazzing out over this, while we all did our level best to keep a straight face when we were with him. He was convinced it was his brother messing with him for quite a while. Needless to say, he was a bit pissed when we finally broke down and told him and gave him his keys back. But man, what a laugh riot for a time...

[1]: http://en.wikipedia.org/wiki/Gaslighting


Does it use ECB (electronic code book)? Because that would be a system using AES that would be terrible.

How many times do we have to go over this? Crypto is hard to do right.

ECB: http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation...


In the case of challenge/response with a single 128-bit block, I think ECB would be just fine. I can't imagine a car key needing to send multiple blocks (thus necessitating CBC, etc.).

The larger point here is that most keys probably aren't using AES to start with, and there's probably some other vulnerability in the overall system.


It would be just fine, if you knew what you were doing when choosing ECB. I can think of plenty of brain dead ways you could accidentally use it if you thought that AES automatically protected you no matter how you used it.

I'm sure there are vulnerabilities all over the place, but it would make even more sense if it happened to an AES system, because people would let their guard down because super-duper industrial strength encryption will take care of everything.


If the use of ECB is appropriate (which it may well be for this application) then the fact that it was used is not an indication of "brain dead" decision making. I would be much more worried if they made the system unnecessarily complicated (and thus more vulnerable) just because they thought the presence of ECB would be bad for marketing.


> then the fact that it was used is not an indication of "brain dead" decision making.

I didn't mean using it was brain dead, I mean using it without knowing the implications might lead to (accidentally) using it in a brain dead way. For example, I could see them implementing the protocol and testing it without crypto and then simply adding crypto on top of it without thinking about the crypto portion.


I'd describe a challenge-based authentication system that uses 128-bit AES as "An industry standards-based solution that would have worked"

In other words, the superlatives don't match the reality.


You have no proof that Honda/Acura use 128-bit AES. In fact, being familiar with some research in the security of electronic car locks, I would wager they do not use AES.


It doesn't really matter. Consider the dumbest possible encryption scheme: Car sends random 32-bit number to key. The key XORs the random number with some 32-bit number. ECU checks that the response is valid.

This is the worst possible design, and not far from what late 90's cars use. Even though it is the dumbest possible solution it still works reasonably well, because you have to have access to the key to start the car. You can clone the key in a second, but you still must get within inches of the key.


Look, your initial claim that the reporter is reasonable when saying that the protocol should be "impossible" to attack is completely unfounded. The details do matter.

For example your hypothetical protocol is grossly insecure. Keys transmit signals over dozens of feet, not inches. All an attacker would have to do to attack your hypothetical protocol would be to capture one exchange. Then he can XOR the challenge with the response to obtain the 32-bit secret, allowing him to clone the key!


Are you talking about press to unlock fobs, or proximity keys?

I was under the assumption that we are talking about proximity keys. Old ignition keys use RFID, but a broken encryption system. They are still secure because the range is a few inches. Newer cars with unlock from the pocket / push to start, use challenge based auth and strong encryption.

Click to unlock fobs use secure PRNGs. That is a separate discussion, and they are generally secure. Maybe this is what the reporter was talking about, but I assumed these cars had proximity keys. Even if this is what the reporter was talking about, they were not way off base, as this still falls in the "should be impossible" category.


I am talking about the press to unlock fobs. Which is what the thieves seem to be using, based on the description of how they open the cars.


I too agree that this "That code is encrypted and constantly changing" is a reasonable description of an authentication system.

However, this, "and should be hackproof", is faulty. Nothing is ever inherently secure, though it might be relatively secure at a given moment and circumstance.

It's easy to characterize this as the ignorance of American media. However, this kind of "should be X" is common for anyone, be they journalists, ordinary folk, or technologists. We all have expectations about reality and feel shocked or bitterly disappointed when the expectation falls apart.


Clearly the journalist doesn't have time to give a lecture on a cryptography primer. I wouldn't call this ignorance, but a convenient shortcut.


What does it have to do with American media in general? Or were you just randomly bashing?

Versus the amazing quality of Chinese or Russian media? Brazilian media? Romanian media? Or maybe it's the French that have outstanding journalistic integrity and never make mistakes!


I'd be willing to bet that someone has stolen some universal unlock codes for a variety of manufacturers and it is now in the wild. Of course, no car company wants to admit this.


I would also put money on something like this. Honda/Acura was the only brand mentioned in the video so I can even guess who lost them.


If they were using key reprogramming/hacking there's no reason to 'always use' the passenger side front door as claimed in the video. So I don't think it's clear that these thieves are using any of those techniques.

I imagine it might be stupider, like maybe there's a way to induce the unlock button or motor to trigger via induction or something. Though I'm pretty poorly informed about that kind of thing scientifically and am likely completely wrong.


> If they were using key reprogramming/hacking there's no reason to 'always use' the passenger side front door as claimed in the video.

It's a fair point, but I don't know that I'd take that at face value. That could have just been a subjective assessment that got repeated as fact. Without us having access to the actual videos or the raw numbers, it's hard to say.

> So I don't think it's clear that these thieves are using any of those techniques.

Sure, and I'm not saying it's 100% certain that this is exactly how the thieves are operating.. just pointing out that it's well known that modern cars are vulnerable... if there are additional, as yet unreported vulnerabilities, would anybody be surprised?

> I imagine it might be stupider, like maybe there's a way to induce the unlock button to trigger via induction or something.

That actually strikes me as semi-reasonable, without having researched the matter in any depth. Where were you on the night of January 12th, when a black Suburban was stolen ...


I would assume that they use the passenger side front door because that is where the storage compartment is located.


They use the passenger side door because it's the one facing the sidewalk.


I searched for Acura MDX alarm antenna location and a quick glance tells me that the antenna is located behind the glovebox. So I would guess it probably works better from that side of the car...notice they seem to have to get very close to the car.


And notice they're also touching the door handle with their bare hands. There's probably some sort of exploit dealing with these vehicles' touch-activated car unlocking feature.


If a fob is in your pocket or purse, touching the handle will open the lock.


If I was a thief then I'd always hit the passenger side front door as it gives me the quickest access to the glove compartment, where valuables are likely to be stored. Not sure what the mystery is here.


Do people actually put valuable things in their glove boxes? I didn't think people put stuff besides proof of insurance and their car manuals in them. I'd think it a lot more likely that valuables were in the center console storage.


I left my checkbook in the glove compartment for like a month before realizing it. I don't write physical checks often and just forgot it was in there after needing to hide it real quick.


I know multiple people who do. It's a quick 'out-of-sight' place to throw something small like a purse or phone.


The glove box has a lock so it must be a good place for valuables!


> What's the big mystery here?

The method that the thieves are using is unknown.

While those links may be useful to shed light on this type of crime, they do little to confirm the method that these thieves are employing. Hence, there is mystery.


Agreed, there is a mystery about the exact details. I read TFA as suggesting that the fundamental concept of "car hacking" is unknown. I was responding more to the generalization that I felt like I observed, than to the question of exactly how this specific set of thieves is working. I should have been more clear on that point.


"What's the big mystery here?" That California PD haven't googled this yet...


You ask what the big mystery is, and then link to a lot of unrelated hacks/exploits. Yes, the article is that someone hacked/exploited the remote door open specifically, apparently on seemingly random cars. It is a mystery how they are doing it, though it is painfully obvious that they are exploiting something.


> You ask what the big mystery is, and then link to a lot of unrelated hacks/exploits.

I don't see how you can say that is "unrelated". Even if our "mystery" thieves aren't using those exact exploits, there is NO "mystery" that hackers have demonstrated the ability to break car remote systems. But the article and the quotes from the police make it sound like the police are just staring at the wall, drooling and going "duuuhhh huhhh huhhhh... how'd they do that.. duhhuhhhh huhhhhh." Now that's probably not literally the case, but the article makes it sound like nobody has even the slightest clue that this stuff is possible, or how it's done. And that's just not true.


> the article makes it sound like nobody has even the slightest clue that this stuff is possible

It's almost as if the news has some sort of agenda!


The article makes it sound exactly like what it seems to be -- that the thieves are using an exploit that they don't know, and thus they want to know. One of the guys quoted makes a profession out of this and he doesn't know what they're doing. But apparently lots of people on HN do.


Nobody here has claimed to know exactly what exploit the thieves are using. But a lot of people are claiming (rightly) that general knowledge that these car systems have vulnerabilities is widespread. And that point is what seemed, to me, to be missing from TFA.

If TFA had given some more context, and said "exploits which would allow this type of access were shown at a recent hacker conference, and some cars have known exploitable vulnerabilities... but we don't know if this crop of thieves are using that or a newer, unpublished exploit" then it would, IMO, have been a better article. Instead, it leaves people with the idea that this whole concept (hacking cars) is something brand new, unknown, and unexpected. And it's not.


It's certainly unexpected by the general public.


The general public thinks that if you open a jar and the lid goes "pop" that means it hasn't been opened before.

Of course, elementary school science is enough to figure out that if you bought a jar of apple juice from the store, replaced some of the contents with hot goat urine and shook it up before fully closing the lid again, as the air inside cooled it would pull the clicker back down. And you could return it to the store.

But if I read an article about mysterious tampering with "unopened" products in local grocery stores, I hope the police (and particularly, food packaging or food security experts) wouldn't be so baffled about it when discussing it with reporters.


There's much that goes on in the technology world that surprises the general public that doesn't surprise people here. This is more of the same.


But not to the professionals (car thieves, police, etc).


> But a lot of people are claiming (rightly) that general knowledge that these car systems have vulnerabilities is widespread.

So you have a device that can open random car doors in seconds? Do you know where to get one? Do you know anyone who has one?

The police apparently don't (and the police almost certainly know far more about crimes and how they are performed than you and most other HNers do). A guy who specializes in car electronics exploits doesn't.

So yes, this is a mystery. The counter-argument seems to be some variation of the too-common world-weary-haughtiness that spreads like an infection on HN.

Bank closes at night like always. The next morning the manager arrives and finds everything seemingly as it was, but when they look in the safe all of the money is missing. Would that qualify as a mystery? Even though people have been robbing banks for centuries, even breaking into safes? Yes, of course it would, though I'm sure there'll be that guy who'll point out the obvious that somehow someone got in the safe.


> open random car doors

You've been at this "random car" thing over the whole thread.

But there is no indication that these thieves can steal random cars in the sense of any car they choose. Thieves have stolen particular cars and the cops might not know the connecting thread, but there's no situation where the thieves passed a "show us a random car and we'll use our device to steal it" challenge, and that would be the kind of hard evidence you'd need for a "these guys can steal any car" rhetoric.


The police are concerned. Random self-proclaimed experts on HN say it's no big deal.

But how about Honda -- do you have a remote door unlock exploit that can do what is being discussed on just Honda vehicles?


> So you have a device that can open random car doors in seconds? Do you know where to get one? Do you know anyone who has one?

No, and I haven't claimed to do so. You're just setting up straw-men and attacking them now, and I don't know for what purpose. I've already said that I was talking in terms of a general sentiment that I think I detected in TFA, and not the specifics of this batch of incidents.


I agree. The technique described differs from anything OP linked. The fact that thieves are smashing windows to get at diagnostic ports suggests that this method of entering the vehicle is fairly novel.

Exploits have been demonstrated by researchers, but are mostly pretty make/model specific.

Certainly, I'd bet that every car with bluetooth/wifi integrated has some sort of flaw whereby it might be possible to use that to bridge to the car's CAN bus and request a door unlock. That doesn't mean that these are easily exploitable by individuals willing to commit petty theft.


I was intrigued by their mention of this "Jim Stickley" who was cited as a top security expert. I had never heard of him before, so did a quick search to find out a little more about him. He seems to be a pretty legit and well known security guy[1], but it surprises me that he said:

> "This is really frustrating because clearly they've figured out something that looks really simple and whatever it is they're doing, it takes just seconds to do," Stickley said. "And you look and you go, 'That should not be possible.'"

Considering, again, that there has been published research on this topic, and a presentation at Black Hat, revealing that (at least some) cars are vulnerable.

Honestly, I feel like the reporter on this article should have done a bit more background research and interviewed a few more people. Not that it changes the fundamental issue (don't leave valuables in your car, etc.) but it would have been a stronger article with some more context, IMO.

[1]: http://en.wikipedia.org/wiki/Jim_Stickley


Jim Stickley is -- being kind -- a hack. He was on the Today Show showing off my hotel lock exploit without credit, and got zero details correct. Gotta respect his ability to press-whore (I tend to think I'm fairly good, but he puts me to shame), but that's about it.


I agree with your skepticism but I disagree with your analysis of Stickley. This looks like the typical security clown out there writing his own wikipedia entry. His article's main point seems to be that he found a buffer overflow. There, he's a security expert.

What security professional worth his salt says "that should not be possible"? The entire security profession is about identifying assumptions and then challenging them. He sounds more like a software developer cashing in on the "s" word because he found a buffer overrun than a security professional assessing an attack.


You're right, actually. I was trying to be charitable though, and I didn't feel like I had time to do a serious deep dive into his background and credentials. Nor am I necessarily qualified to pass any serious judgement on his knowledge.

A quote from somebody like Bruce Schneier, or tptacek, would have been a lot better.


Well we criminalized (DMCA) this kind of "hacking," so as far as this "security professional" knows it is impossible because he hasn't heard of it. Maybe if we stop preventing security researchers from talking about vulnerabilities we could know about these things before the thieves.


They should hire someone like Dan Boneh[1] to look for cryptanalytic attacks. Of course, I'm sure he'll find a whole bunch of attacks. That's going to be really expensive, to repair all that faulty crypto hardware.

[1]: http://en.wikipedia.org/wiki/Dan_Boneh


The advice given in the article sounds ridiculous to my (Brazilian) ears.

- "Don't leave valuables in the car". Really? I'd have to deal with smashed windows every single day if I left anything that could possibly be of value sitting overnight (or for a few minutes in some places). Perhaps even an empty shoe box. And that's with tinted windows so dark they are not even supposed to be street legal.

- "Keep your car registration in the wallet". Identity theft with a car registration should not be possible here, as it doesn't contain ID numbers, nor photographs and is no proof of identity (you have to display the driver's licence - which is proof of identity - and the car's documents on demand if requested by authorities). Still, it is a ridiculously bad idea to leave it sitting in a car overnight. If the car is stolen, the crooks would have a much easier time evading minor police checkpoints.

I guess some places have such a low crime rate that people just forget basic security precautions?


>I guess some places have such a low crime rate that people just forget basic security precautions?

Yes.

I've lived most of my life within 25 miles of where I was born in the US.

Within that area there are places where your windows will be smashed for $0.74 in a cupholder and others where people don't even lock their doors.

I grew up in the former and even though I've lived in the latter for a long time I don't think I'll ever get used to it.


Yup. In some places it actually feels best just to leave your car doors unlocked - then the thief doesn't have to smash your window before they root through your car and find it contains nothing of value.


A dumb thief may break a window anyway, rather than bother checking the door.

Or a vindictive one, for that matter.


The tint on your windows probably contributes -- they can't see inside, so they break in just in case there might be something worth stealing.


A lot of smash and grab guys use something called a "ninja rock", which is a chunk of porcelain from a spark plug. Throw it against the window and it explodes. If you have tint, it is like tape on the glass, so it doesn't break apart as easily and makes the smash and grab operation take longer.


An awl is a way better tool for tempered glass. Corners are always weak. http://io9.com/meet-prince-ruperts-drop-its-about-to-blow-yo...


I've jerry-rigged one of those onto the bottom of a pepperspray canister. This "device" works wonders with drivers who think they can just run a cyclist off the road.


That stuff really isn't necessary in much of the US (many non-urban areas... though not all). I don't even always lock my car doors in some places. To someone who's not used to it, it's probably amazing how benevolent people and society really can be.


I lived in a town where if someone was running into a store for only a few minutes, they would probably just leave the car unlocked, with the keys in it, and the engine running.


In many jurisdictions, if the car was stolen and used in a crime, you could be charged for negligence.


Which jurisdictions? (Do you have a reference?) I don't think US law works this way, for example, and would be curious to know where it does.


It varies from jurisdiction to jurisdiction. You can indeed be financially liable for leaving your keys in the ignition, if the car is taken and a crime is committed.

http://blog.lawinfo.com/2011/06/22/if-you-leave-your-keys-in...


Very nice.


In urban areas I don't lock my doors to avoid having my windows smashed for some change.


I wouldn't live in a place like that... unless there were major benefits or I had no choice.


You don't have to live in a place like that for it to happen to you.

This has happened to me in the nice parts of town that are close to public transit. They smash a few windows, run across the street and jump on the train...


Well, that can't happen where there isn't public transportation. Also, where I live, if you're trespassing in people's yards, you might get shot. And yet it's a super-safe place to live. Who would have thought?


Probably the attack from two years ago: http://www.technologyreview.com/news/422298/car-theft-by-ant...

Essentially, with the newer keyless entry cars, it's the car that transmits the signal to the fob (so you can't get stranded with a flat battery).

The protocol itself is secure, but open to a MITM attack. The exploit works essentially like a WiFi booster. Perp #1 places himself near the car, receiving the car's transmission. This is relayed to perp #2, who is near the owner (and the key). The key communicates with the car (via the relay) - the door opens, the car starts, and off you go.


Sounds a lot like the Chamberlain garage door gaping security hole: http://en.wikipedia.org/wiki/The_Chamberlain_Group,_Inc._v._....

The level of security of a car door is presumably a lot higher than that of a garage door, but the technology of using a rolling code is the same and the need to be able to (re)synchronize remote keys/fobs is also there. With the cars I own, there is a procedure in the operator's manual on how to resync your keys. Nominally, it requires physical access - an already unlocked car.

Ref: http://www.programmingkey.com/

My first guess is that the bad guys figured out a timing attack that confuses the lock software if the "right" sequence of codes are sent with the "right" timing.

My alternate guess is that the bad guys figured out a way to mimic the resync mechanism without requiring physical access.


If they'd figured out how to invoke resync, the owners' keyfobs would stop working, which would be a dead giveaway.


The "(re)sync" mechanism allows you to add new keys without disturbing the existing keys.


Source? I've never encountered that. Every time I've ever reprogrammed a wireless entry remote, I've had to reprogram all of them at the same time. Garage door openers can store multiple keys, but I've never run into a car that will.

For example, from my Grand Prix's owner's manual:

> Each remote keyless entry transmitter is coded to prevent another transmitter from unlocking your vehicle. If a transmitter is lost or stolen, a replacement can be purchased through your GM dealer. Remember to bring any additional transmitters with you when you go to your dealer. When the dealer matches the replacement transmitter to your vehicle, any remaining transmitters must also be matched. Once your dealer has coded the new transmitter, the lost transmitter cannot unlock your vehicle. The vehicle can have a maximum of four transmitters matched to it.

And from the shop manual:

> Once the keyless entry receiver enters the programming/diagnostic mode, the programming of the first transmitter erases all previous transmitter programming information. You must then program all of the transmitters.


I never understood why keyfobs work in a UDP style, when communication between the remote and car would be infinitely better.

For instance, instead of just sending "12345" and having the doors open since the code was expected, what about if the remote said "hey car, what's your random number" - the car then transmits back "54321", at which point the transmitter sends a hashed reply sha512(54321 + unique-random-id-set-per-car) which the car receives, then verifies matches expected output.

The takeaway being that both the car and the remote know what "unique-random-id-set-per-car" is, but nobody else does. It should be randomly set at the factory so each car and the remotes have a unique id.

My only thoughts as to why it's not like this is that the logic required to do that type of operation might not be possible without a higher wattage 'processor' in the keyfob which would eat through batteries. I'm totally out of the know in that area though.

Also, unrelated - but the passenger door thing is likely just coincidence because they want to get in the glove box. But, there is another thing that could explain it. On my last car (Mercedes) when I wanted to reprogram a new keyfob to work with the car, I had to do a long process of certain actions to make it work. It was like "press on brake, release brake, press on brake for 3 seconds then release, open driver's window, open passenger door, close driver's window, press open button on keyfob". So the car CPU is definitely aware and can take actions specific to which door is being opened, so it's possible it's related.


That probably means the keyfob needs a receiver (which I suspect they don't by current design). But I agree, a two-way communication would be nice as the keyfob could then report whether the car was locked properly.


Mifare fobs do use a challenge response protocol. Old fobs use small keys though.


Having both a transmitter and receiver in the fob used to be a lot more expensive and bulky than having just a transmitter. It isn't really anymore thanks to advances in RF miniaturization and integration, but when car keyfobs were first designed it mattered.


Wouldn't you then be able to determine the fob ID by recording multiple car "random number" requests and fob responses?


I think that's part of how Mifare (NFC) was cracked; the entropy of the card's random number generator was very low. When implemented correctly it's a safe method though.


Make the nonce and the secret long enough, and you would have to break SHA512.
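The challenge-response scheme sketched in the first comment of this sub-thread, together with the nonce-entropy point from the Mifare exchange, as an added Python simulation that is not code from any commenter: the fob's reply is HMAC-SHA512 over the nonce keyed with the per-car secret (the standard keyed construction, swapped in for the comment's plain hash of a concatenation), and the shared secret and the two-value "weak" generator are constructed values. The second function shows that a recorded reply is rejected when the car draws fresh 128-bit nonces but is accepted as soon as a low-entropy generator repeats one.

```python
import hashlib
import hmac
import itertools
import secrets

SHARED_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
def fob_respond(secret, nonce):
    """Fob side: keyed hash of the car's nonce; no state, no receiver memory."""
    return hmac.new(secret, nonce, hashlib.sha512).digest()

class Car:
    """Car side: issues a nonce and accepts exactly one matching reply for it."""
    def __init__(self, secret, next_nonce):
        self.secret = secret
        self.next_nonce = next_nonce  # callable standing in for the car's RNG
        self.pending = None

    def challenge(self):
        self.pending = self.next_nonce()
        return self.pending

    def verify(self, response):
        if self.pending is None:
            return False
        expected = fob_respond(self.secret, self.pending)
        self.pending = None  # a nonce is good for one reply only
        return hmac.compare_digest(expected, response)

def honest_unlock(rng):
    car = Car(SHARED_SECRET, rng)
    return car.verify(fob_respond(SHARED_SECRET, car.challenge()))

def replay_accepted(rng, attempts=4):
    # Replay one overheard reply against the next `attempts` challenges; True if accepted.
    car = Car(SHARED_SECRET, rng)
    recorded = fob_respond(SHARED_SECRET, car.challenge())
    car.verify(recorded)  # the legitimate unlock that was overheard
    for _ in range(attempts):
        car.challenge()
        if car.verify(recorded):
            return True
    return False

def strong_rng():
    return secrets.token_bytes(16)  # fresh, unpredictable 128-bit nonce

_WEAK_CYCLE = itertools.cycle([b"\x00\x01", b"\x00\x02"])  # constructed
def weak_rng():
    return next(_WEAK_CYCLE)  # "low entropy": only two nonces ever appear
```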


I wonder if they found an exploit for Bluetooth. Newer cars have this feature so the owner doesn't have to use the key. If the Bluetooth service has access to the On Board Diagnostic (OBD), it can get to a lot of the car's info and commands, such as unlock door. I remember working on AutoPC back in the day and we tapped into the OBD and provided a feature to send a message to the car to unlock the doors. Similar to OnStar nowadays.


I don't think this is done via bluetooth - I believe the remote/app unlocking is all done via cellular.


>Both the transmitter and the receiver use the same pseudo-random number generator. When the transmitter sends a 40-bit code, it uses the pseudo-random number generator to pick a new code, which it stores in memory. On the other end, when the receiver receives a valid code, it uses the same pseudo-random number generator to pick a new one. In this way, the transmitter and the receiver are synchronized. The receiver only opens the door if it receives the code it expects.

So, if you figure out how these are salted (VIN?) and what pseudo-random generator it uses, you can recreate the signal.


I'm betting these generators have large sources of entropy, right? You have to move your mouse around a bunch before you lock your doors.


RSA Security and Johns Hopkins were able to crack an RFID keyfob in 15 minutes [0] back in 2005. Rumor had it that later on it was something like 30 seconds to crack a Ford key. 40-bit RFID keyspace--combine that with 2013-era technology and this is absolutely no surprise.

http://www.jhu.edu/news/home05/jan05/rfid.html


How about the possibility that the thieves have simply purchased replacement remotes from eBay (or similar), and programmed them when they had access to a compatible vehicle? Maybe the thieves work at a car wash, valet or have organized a larger network of goons (think credit card skimming).

Programming a replacement remote is a simple procedure, requiring only a few moments in the vehicle with the key present... like when parking a car. Paired with an easily accessible address (registration?), you have a crime ready to take place.

This would confirm why multiple vehicles in the same driveway were targeted. Families use the same service providers. It could also make sense of why the "device" occasionally did not work. Maybe they got the remotes / addresses mixed up, the programming did not take or their mule is selling them unprogrammed remotes.

I think this is a more logical solution considering the facts. Any thoughts?


Recent rental car in Italy - get the keys, head to parking lot, and search out car based on license plate on keys. Writing is dodgy, could mistake an 8 for a 9. Find car, electronic control unlocks it, yet key will not start car.

Head back to desk, slam keys down (person behind desk had previously shown a serious attitude to renters), get startled look and say "car doesn't work". After a bit of shock due to slammed keys and firm voice person says "colleague should be there" (he wasn't), pointed out "nope", responded with "oh, in 5 minutes".

Wander back out to car, electronic lock locks/unlocks car, but still doesn't start. "Colleague" shows up. Points out diff between 8 and 9. I mention "uh, car unlocked". He shrugged. Turns out the car was in a completely different/not visible (for the company) part of the parking lot. Both electronic locks and key worked in that vehicle.

Having an electronic system for duplicate cars (1 off in license plates) seems like a bad idea.


They didn't release all of the details. We would need to know which makes and models and years this does/does not work on. In the videos they only showed Honda products (Acura) (the MDX was a 2000-2006 model), but it does not work on GM or Ford. So this is most likely manufacturer specific.


Seems like this might be relevant. http://www.autosec.org/pubs/cars-usenixsec2011.pdf


Why is this so baffling and shocking? I think we all knew this was possible before anybody actually did it. It's not like they're using proper crypto. It's the equivalent of a bad house lock: give me some good lock picks and 60 seconds and I'm in, so why is this so surprising?


From what they describe, it sounds like the locking systems use a system that works like a VPN key (this was actually surprising to me). Those seem pretty tough to crack, so why would this be any different?


Even if you use practically unbreakable encryption keys, there are a million things that can fail in the whole cryptosystem, and any one of them will make you vulnerable.

How are keys generated? What is the source of randomness? How are keys reset if needed? What are the manufacturer/service/guvmint backdoors in the keys? etc.


I think you're on to something with the backdoor. Backdoors have to be extra secure because if you hack that you have access to all of them. Hell, they shouldn't even exist; it's like asking to be exploited.


There is obviously something broken somewhere, but I'd consider 128-bit AES to be 'proper crypto'.


I read a recent 2600 article that said it's fairly easy to procure (from overseas) a jammer to prevent the lock signal from reaching the car. It would not open the doors but instead stop them from locking so the would-be thief would later manually open the unlocked doors.


How about the manufacturers providing a back door? Their own code.

What happens in the event that you lose your fob?


If you lose your fob, the workaround is re-programming via the OBDII or other diagnostic ports. Yes, that has a backdoor. But typically there is no remote backdoor.


Is there a way to disable remote access to the doors? Other than driving an old car :)


You should be able to pull the fuse for the door locks; the mechanical lock buttons and key will continue to work. To find out which fuse, just Google "[car make] [model] [year] fuse diagram" and look for door lock actuators or similar.


Also, most (if not all) car user manuals come with a diagram of the fuse box.


Some even have a diagram of the fuse box in the fuse box.


Guess and check is also a reasonable solution. Last time I had a fuse go, we just moved them around until all the essentials were working.


Yes, you don't mount the mechanism that opens the doors when installing the alarm (or cut the wires afterwards). Store-bought alarms have a lot of crap the electrician never hooks up, so what's the difference in not mounting this one.


You can Google the phrase "car learning keyless remote control" and see tons of sites selling these for "legit" purposes as replacement remotes. I am sure not all of them work on all cars, but I am sure the thieves simply figured out which ones work on which cars and just target those. And I agree, this is nothing new; a story about it pops up on the news every so often and it seems like each time the police are baffled. Maybe there needs to be a web site for the police that provides them with such information. If there isn't one already, there is an app opportunity for someone perhaps.


All of the remotes I've seen require physical access to an unlocked car to initiate the re-synchronization procedure between the new remote and the car. This involves complex things like starting the car 5-10 times and pressing buttons on the remote at the same time.


> and should be hackproof

I always chuckle when I read something like this because if something has been made by men it can be cracked by men. It's as simple as that.



Assuming the car remote is using some kind of asymmetric encryption algo, doesn't this simply mean either A) somebody leaked the private key from the manu? B) encryption was done with low enough bits so that it is brute-force breakable?

They could have just asked any CS prof or student for the possibilities...


Anyone know how much compute time is needed to crack a new BMW or Audi remote?


Seconds I believe.

I have no source but I recall seeing a story where people were able to fake a BMW remote by plugging directly into the OBDII port on the cars and running a quick program on an attached arduino. As for remote access I'm sure it's equally plausible to crack if you know the right steps to take.


But that was a clear mistake in the OBD port programming on new BMW, which was fixed by the manufacturer. Not something that can be easily done on any car.


So how long would it take to remotely crack or brute force or otherwise gain access to a brand new BMW? I'm interested in the cost on AWS compute or GPU compute.


Get ready for two-factor authentication coming to a car near you.


Wow, I really disliked the way that news report was presented. I think it was because the narrator ended each sentence as if it was the last sentence in the story.


TIL today.com's site looks really nice


Ghost Dog was doing this back in 2005.

