What's the big mystery here? There have been published articles on the ease of hacking car remotes (and even the onboard electronics) going back at least a couple of years. For example:<p><a href="http://content.usatoday.com/communities/driveon/post/2011/01/car-theives-can-eaisly-hack-remote-keyless-systems-swiss-research-discovers/1#.Ua9oK-lMY7w" rel="nofollow">http://content.usatoday.com/communities/driveon/post/2011/01...</a><p><a href="http://www.schneier.com/blog/archives/2012/07/hacking_bmws_re.html" rel="nofollow">http://www.schneier.com/blog/archives/2012/07/hacking_bmws_r...</a><p><a href="http://reviews.cnet.com/8301-13746_7-20085131-48/remote-unlock-and-start-for-cars-hacked/" rel="nofollow">http://reviews.cnet.com/8301-13746_7-20085131-48/remote-unlo...</a><p><a href="http://news.consumerreports.org/cars/2011/03/researchers-cars-electronics-can-be-hacked-remotely.html" rel="nofollow">http://news.consumerreports.org/cars/2011/03/researchers-car...</a><p>Here's a video (with no commentary, unfortunately) that shows someone who has apparently decoded the signals from a car remote and is using the remote and an Arduino to toggle some LEDs:<p><a href="http://www.youtube.com/watch?v=doELL4g4cS0" rel="nofollow">http://www.youtube.com/watch?v=doELL4g4cS0</a><p>I have little doubt that there are hackers out there who can easily build a device to remotely unlock / start cars that use keyless entry. In fact, I'd be far more surprised if there weren't.<p>Edit: to elaborate... when I say "What's the big mystery" I'm referring to a notion, which I interpreted from the article (rightly or wrongly), that people are totally unaware that this kind of thing is even conceptually possible. I don't claim to know the exact exploit or mechanism being used here! Just pointing out that this general class of attacks isn't something totally foreign and unknown.
I was intrigued by their mention of this "Jim Stickley" who was cited as a top security expert. I had never heard of him before, so did a quick search to find out a little more about him. He seems to be a pretty legit and well known security guy[1], but it surprises me that he said:<p><i>"This is really frustrating because clearly they've figured out something that looks really simple and whatever it is they're doing, it takes just seconds to do," Stickley said. "And you look and you go, 'That should not be possible.'"</i><p>Considering, again, that there has been published research on this topic, and a presentation at Black Hat, revealing that (at least some) cars are vulnerable.<p>Honestly, I feel like the reporter on this article should have done a bit more background research and interviewed a few more people. Not that it changes the fundamental issue (don't leave valuables in your car, etc.) but it would have been a stronger article with some more context, IMO.<p>[1]: <a href="http://en.wikipedia.org/wiki/Jim_Stickley" rel="nofollow">http://en.wikipedia.org/wiki/Jim_Stickley</a>
The advice given in the article sounds ridiculous to my (Brazilian) ears.<p>- "Don't leave valuables in the car". Really? I'd have to deal with smashed windows every single day if I left anything that could possibly be of value sitting overnight (or for a few minutes in some places). Perhaps even an empty shoe box. And that's with tinted windows so dark they are not even supposed to be street legal.<p>- "Keep your car registration in the wallet". Identity theft with a car registration should not be possible here, as it doesn't contain ID numbers, nor photographs and is no proof of identity (you have to display the driver's licence - which is proof of identity - and the car's documents on demand if requested by authorities). Still, it is a ridiculously bad idea to leave it sitting in a car overnight. If the car is stolen, the crooks would have a much easier time evading minor police checkpoints.<p>I guess some places have such a low crime rate that people just forget basic security precautions?
Probably the attack from two years ago: <a href="http://www.technologyreview.com/news/422298/car-theft-by-antenna/" rel="nofollow">http://www.technologyreview.com/news/422298/car-theft-by-ant...</a><p>Essentially, with the newer keyless entry cars, it's the <i>car</i> that transmits the signal to the fob (so you can't get stranded with a flat battery).<p>The protocol itself is secure, but open to a MITM attack. The exploit works essentially like a WiFi booster.
Perp #1 places himself near the car, receiving the car's transmission. This is relayed to perp #2, who is near the owner (and the key). The key communicates with the car (via the relay) - the door opens, the car starts, and off you go.
Sounds a lot like the Chamberlain garage door gaping security hole:
<a href="http://en.wikipedia.org/wiki/The_Chamberlain_Group,_Inc._v._Skylink_Technologies,_Inc" rel="nofollow">http://en.wikipedia.org/wiki/The_Chamberlain_Group,_Inc._v._...</a>.<p>The level of security of a car door is presumably a lot higher than that of a garage door, but the technology of using a rolling code is the same and the need to be able to (re)synchronize remote keys/fobs is also there. With the cars I own, there is a procedure in the operator's manual on how to resync your keys. Nominally, it requires physical access - an already unlocked car.<p>Ref: <a href="http://www.programmingkey.com/" rel="nofollow">http://www.programmingkey.com/</a><p>My first guess is that the bad guys figured out a timing attack that confuses the lock software if the "right" sequence of codes is sent with the "right" timing.<p>My alternate guess is that the bad guys figured out a way to mimic the resync mechanism without requiring physical access.
I never understood why keyfobs work in a UDP style, when communication between the remote and car would be infinitely better.<p>For instance, instead of just sending "12345" and having the doors open since the code was expected, what about if the remote said "hey car, what's your random number" - the car then transmits back "54321" at which point the transmitter sends a hashed reply sha512(54321 + unique-random-id-set-per-car) which the car receives then verifies matches expected output.<p>The takeaway being that both the car and the remote know what "unique-random-id-set-per-car" is, but nobody else does. It should be randomly set at the factory so each car and the remotes have a unique id.<p>My only thoughts as to why it's not like this is that the logic required to do that type of operation might not be possible without a higher wattage 'processor' in the keyfob which would eat through batteries. I'm totally out of the know in that area though.<p>Also, unrelated, but the passenger door thing is likely just coincidence because they want to get in the glove box. But, there is another thing that could explain it. On my last car (Mercedes) when I wanted to reprogram a new keyfob to work with the car, I had to do a long process of certain actions to make it work. It was like "press on brake, release brake, press on brake for 3 seconds then release, open driver's window, open passenger door, close driver's window, press open button on keyfob" So the car CPU is definitely aware and can take actions specific to which door is being opened, so it's possible it's related.
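The challenge-response scheme proposed in this comment, simulated as an added example (not code from the article or any real fob): the car issues a random challenge, the remote answers with sha512(challenge + per-car secret) exactly as described, and the example shows why a response recorded over the air does no good against a fresh challenge. The 32-byte secret and 16-byte challenge sizes are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed example secret: in the scheme above it would be set at the factory
# and stored in both the car and its remotes, never sent over the air.
CAR_SECRET = secrets.token_bytes(32)

class Car:
    """Receiver side: hands out a fresh random challenge for every unlock attempt."""
    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending = None  # the one challenge currently awaiting a response

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def unlock(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = hashlib.sha512(self._pending + self._secret).digest()
        self._pending = None  # single use, whether or not the response matched
        return hmac.compare_digest(expected, response)

class Remote:
    """Transmitter side: answers with sha512(challenge + shared secret)."""
    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hashlib.sha512(challenge + self._secret).digest()

def legitimate_unlock(secret: bytes = CAR_SECRET) -> bool:
    car, fob = Car(secret), Remote(secret)
    return car.unlock(fob.respond(car.challenge()))

def replayed_response_is_rejected(secret: bytes = CAR_SECRET) -> bool:
    """Record one valid exchange over the air, then send the same bytes again."""
    car, fob = Car(secret), Remote(secret)
    captured = fob.respond(car.challenge())
    car.unlock(captured)             # the owner's genuine press succeeds
    car.challenge()                  # a later attempt gets a different challenge...
    return not car.unlock(captured)  # ...so the recorded response no longer matches

def wrong_secret_is_rejected() -> bool:
    """A remote programmed for another car cannot answer this car's challenge."""
    car, other_fob = Car(CAR_SECRET), Remote(secrets.token_bytes(32))
    return not car.unlock(other_fob.respond(car.challenge()))
```

In practice a keyed construction such as HMAC is the standard choice over a bare hash of challenge plus secret, and note that this scheme defeats replay but not the relay of a live exchange described elsewhere in the thread, since the genuine remote still computes the answer.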
I wonder if they found an exploit for Bluetooth. Newer cars have this feature so the owner doesn't have to use the key. If the Bluetooth service has access to the On Board Diagnostic (OBD), it can get to a lot of the car's info and commands, such as unlock door.
I remember working on AutoPC back in the day and we tapped into the OBD and provided a feature to send a message to the car to unlock the doors. Similar to OnStar nowadays.
>Both the transmitter and the receiver use the same pseudo-random number generator. When the transmitter sends a 40-bit code, it uses the pseudo-random number generator to pick a new code, which it stores in memory. On the other end, when the receiver receives a valid code, it uses the same pseudo-random number generator to pick a new one. In this way, the transmitter and the receiver are synchronized. The receiver only opens the door if it receives the code it expects.<p>So, if you figure out how these are salted (VIN?) and what pseudo-random generator it uses, you can recreate the signal.
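The synchronisation the quoted paragraph describes, simulated as an added example (not from the article or any real fob): a constructed keyed-hash-of-counter stands in for the shared pseudo-random generator, the 40-bit code width is taken from the quote, and the lookahead window is an assumption so that a fob pressed out of range can still resynchronise, as the resync procedures mentioned in the thread suggest.

```python
import hashlib
import hmac

CODE_BYTES = 5   # the quoted description uses 40-bit codes
LOOKAHEAD = 16   # constructed window: how many unseen future codes the receiver tolerates

def code_at(key: bytes, counter: int) -> bytes:
    """Constructed stand-in for the shared pseudo-random generator: the n-th code is
    a keyed hash of the counter, truncated to 40 bits. Both sides hold the key."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:CODE_BYTES]

class Transmitter:
    def __init__(self, key: bytes) -> None:
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        code = code_at(self.key, self.counter)
        self.counter += 1        # pick a new code and store it for next time
        return code

class Receiver:
    def __init__(self, key: bytes) -> None:
        self.key, self.counter = key, 0

    def receive(self, code: bytes) -> bool:
        # Accept the expected code or any of the next LOOKAHEAD codes (the fob may have
        # been pressed out of range); a code at or before the counter is never reused.
        for n in range(self.counter, self.counter + LOOKAHEAD):
            if hmac.compare_digest(code_at(self.key, n), code):
                self.counter = n + 1
                return True
        return False

def simulate(key: bytes = b"constructed-per-car-key") -> dict:
    fob, car = Transmitter(key), Receiver(key)
    first = fob.press()
    results = {"first_press": car.receive(first)}
    results["replay_rejected"] = not car.receive(first)       # already consumed
    for _ in range(LOOKAHEAD - 1):                            # presses out of range
        fob.press()
    results["resync_within_window"] = car.receive(fob.press())
    for _ in range(LOOKAHEAD):                                # too many missed presses
        fob.press()
    results["beyond_window_rejected"] = not car.receive(fob.press())
    return results
```

A replayed code is rejected because the receiver's counter has already moved past it; the width of the window is the trade-off between convenience and how long a captured-but-unused code stays valid, and beyond it the manual resync procedure from the owner's manual is the only way back in sync.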
RSA Security and Johns Hopkins have been able to crack an RFID keyfob in 15 minutes [0] back in 2005. Rumor had it that later on it was something like 30 seconds to crack a Ford key. 40-bit RFID keyspace--combine that with 2013-era technology and this is absolutely no surprise.<p><a href="http://www.jhu.edu/news/home05/jan05/rfid.html" rel="nofollow">http://www.jhu.edu/news/home05/jan05/rfid.html</a>
How about the possibility that the thieves have simply purchased replacement remotes from eBay (or similar), and programmed them when they had access to a compatible vehicle? Maybe the thieves work at a car wash, valet or have organized a larger network of goons (think credit card skimming).<p>Programming a replacement remote is a simple procedure, requiring only a few moments in the vehicle with the key present... like when parking a car. Paired with an easily accessible address (registration?), you have a crime ready to take place.<p>This would confirm why multiple vehicles in the same driveway were targeted. Families use the same service providers. It could also make sense of why the "device" occasionally did not work. Maybe they got the remotes / addresses mixed up, the programming did not take or their mule is selling them unprogrammed remotes.<p>I think this is more logical of a solution considering the facts. Any thoughts?
Recent rental car in Italy - get the keys, head to parking lot, and search out car based on license plate on keys. Writing is dodgy, could mistake an 8 for a 9. Find car, electronic control unlocks it, yet key will not start car.<p>Head back to desk, slam keys down (person behind desk had previously shown a serious attitude to renters), get startled look and say "car doesn't work". After a bit of shock due to slammed keys and firm voice person says "colleague should be there" (he wasn't), pointed out "nope", responded with "oh, in 5 minutes".<p>Wander back out to car, electronic lock locks/unlocks car, but still doesn't start. "Colleague" shows up. Points out diff between 8 and 9. I mention "uh, car unlocked". He shrugged. Turns out the car was in a completely different/not visible (for the company) part of the parking lot. Both electronic locks and key worked in that vehicle.<p>Having an electronic system for duplicate cars (1 off in license plates) seems like a bad idea.
They didn't release all of the details. We would need to know which makes and models and years this does/does not work on. In the videos they only showed Honda products (Acura) (The MDX was a 2000-2006 model) but does not work on GM or Ford. So this is most likely manufacturer specific.
Seems like this might be relevant. <a href="http://www.autosec.org/pubs/cars-usenixsec2011.pdf" rel="nofollow">http://www.autosec.org/pubs/cars-usenixsec2011.pdf</a>
Why is this so baffling and shocking?
I think we all knew this was possible before anybody actually did it. It's not like they're using proper crypto.
It's the equivalent of a bad house lock; give me some good lock picks and 60 seconds and I'm in, so why is this so surprising?
I read a recent 2600 article that said it's fairly easy to procure (from overseas) a jammer to prevent the lock signal from reaching the car. It would not open the doors but instead stop them from locking so the would-be thief would later manually open the unlocked doors.
You can Google the phrase "car learning keyless remote control" and see tons of sites selling these for "legit" purposes as replacement remotes. I am sure not all of them work on all cars but I am sure the thieves simply figured out which ones work on which cars and just target those. And I agree, this is nothing new, a story about it pops up on the news every so often and it seems like each time the Police are baffled. Maybe there needs to be a web site for the police that provides them with such information. If there isn't one already, there is an app opportunity for someone perhaps.
> and should be hackproof<p>I always chuckle when I read something like this because if something has been made by men it can be cracked by men. It's as simple as that.
Assuming the car remote is using some kind of asymmetric encryption algo, doesn't this simply mean either
A) somebody leaked the private key from the manu?
B) encryption was done with low enough bits so that it is brute-force breakable<p>They could have just asked any CS prof or student for the possibilities...
Wow, I really disliked the way that news report was presented.
I think it was because the narrator ended each sentence as if it was the last sentence in the story.