Assignment 5: Cars and Key Fobs (2021)

234 points by Pikamander2 30 days ago

21 comments

sorenjan 30 days ago
BMW has a page describing the use of UWB (Ultra Wide Bandwidth) radio in key fobs and how it helps against relay attacks. In short it's because the wide bandwidth allows for very short pulses which lets them measure the distance between the car and the key, and using a relay will inevitably add distance and therefore time between when the signal is sent and when the reply is received.

https://www.bmw.com/en/innovation/bmw-digital-key-plus-ultra-wideband.html
myself248 30 days ago
For the time being, I just store my keys in a little cast iron dutch oven, sitting on top of the fridge.

It's extremely effective as a shield for the 125kHz LF wake-up signal, and I've been unable to elicit a response when they're in there, even with a relay setup that reliably wakes them up from several feet away otherwise.
mrinterweb 29 days ago
I have a 2021 Toyota for which I lost one of two key fobs. Toyota has a strict policy that only Toyota dealerships can program key fobs for their newer cars, so buying a key fob replacement from a 3rd party was not an option. Total out of pocket expense for getting a new key fob, programming that key fob to the car, and making sure the other fob still worked cost about $550. I feel that is an absurd amount of money to spend because of a lost fob. I appreciate people looking into and exposing weaknesses of car fobs because it might expose ways to circumvent the monopolistic costs associated with replacements. Wish there was a way to retrofit my car to use Ultra Wide Bandwidth as a key.
madphilosopher 30 days ago
Vulnerabilities like this lead to car thefts. Some models of cars are more susceptible than others, and the manufacturers seem unwilling to fix the problem. The insurance companies know which models are more trouble for them, and so they set higher rates for these, which punishes the driver/owner for something outside of their control.

My solution? Require the manufacturers of vulnerable models to pay the insurance on behalf of the driver/owner as long as the vulnerabilities go unfixed.
H8crilA 30 days ago
BTW, car keys (physical keys) are notoriously weak, generally susceptible to simple raking attacks. You can learn how to rake a lock in a few minutes, and the rake+tensioner itself costs around $5. And all cars include a physical key as a backup entry method. This was partially solved by adding another device that cuts off the engine, the immobilizer, which still allows the attacker to get in, but not to drive off.
DebtDeflation 30 days ago
The current gold standard for vehicle theft protection is:

IGLA system to block the CAN bus, LIN bus, and OBDII port. It also protects against key fob cloning/relay attacks.

+

A hidden physical kill switch that cuts off the fuel pump relay (the company 41.22 makes a drop in that doesn't require wire splicing).

+

A hidden GPS tracker with an onboard backup battery in the event the car battery is disconnected.

None of this stops someone with a flatbed from simply towing your vehicle away, but at least the GPS tracker will give you a window to locate them.
ta1243 30 days ago
I have a physical key which I physically put in a hole in the steering column. This means I know exactly where it is when I come to parking the car, and you need to physically have it in contact to drive the car away.

I don't get the appeal of keyless ignition.
trishmapow2 30 days ago
Did a high school project on the jam and replay attack mentioned here: https://github.com/trishmapow/rf-jam-replay. Low cost SDRs have been a real game changer in letting the average Joe get started in this space. Good to see that more unis have courses with this type of hands-on experimentation.
gadders 30 days ago
So many Range Rovers are being stolen in the UK that the manufacturer has started contributing towards insurance costs: https://www.whatcar.com/news/range-rover-insurance-owners-to-receive-pound1800-towards-cover/n26788
Ballas 30 days ago
Code-hopping remotes have existed for a very long time, and I am really surprised that it's not the case here. I have had cars that were made in the 90's that used keeloq, a technology from the mid 80's.

In fact, all of my door openers and car remotes have some form of code-hopping and it's certainly not because they were specifically chosen for that aspect.

Sure, there are attacks for code-hopping systems as well, but it's a completely different league.
mppm 30 days ago
I'm confused why this is still an unsolved problem. A simple cryptographic challenge with pre-shared keys + button press ought to make key fobs perfectly secure for all practical purposes. Is there something I'm missing here?
zero_k 30 days ago
Broke a few of these for my old work -- HiTag2 and Megamos, some of the code&knowledge used for the attack is online&published, but neither can be used to actually break the ciphers as-is [1][2]. The issue used to be that the cipher employed needed to be low-power, fast, and reliable. With current technology, one could easily use AES, and no serious auto maker should be using HiTag2/Megamos. They were hand-rolled ciphers. The way AES is used (i.e. the protocol itself) could still be wrong, of course, e.g. allowing for replay attacks, etc.

[1] Doesn't have some features which you need to use to actually attack HiTag2: https://github.com/msoos/grainofsalt

[2] Used for various pre-processing that is useful (but not necessary) to break Megamos, but _far_ from the actual attack: https://github.com/meelgroup/bosphorus/
neogodless 29 days ago
This is both very relevant and a bit off topic, but for me, quite timely.

Today my Polestar app wasn't updating properly. Some things were, but the widget was stuck on manual refresh, and the odometer and location in the app were from the *previous* location I'd been, not including the trip home.

I *stupidly* deleted the cache and data for the app. Then tried to reconnect to the car.

This process requires putting all of the fobs (for me, two) in the car, and then getting to the right step in the car as well as the app.

But... here the car claims it cannot find both fobs. While in other parts of the car software, it indicates it *can* find both fobs. Because of this, I cannot pair the phone and car, and have any of the app features working again.

I would, naturally, factory reset, but this also requires both fobs, and also claims it cannot find them. (I've tested each fob and they both fully work otherwise - just in these two instances, the car acts as if it cannot find them.)
crustycoder 30 days ago
This is an old article and whilst there are undoubtedly still vulnerable vehicles, with the advent of UWB it seems to be a solved problem.

My car has UWB, there's a LED on the fob that blinks when it is in range and if it's stationary for a short time, it inactivates as well. Some experimentation suggests you need to be within about 5m of the car to open the doors.

The localisation seems to be very accurate, even if you can open the car from a distance it won't start unless the fob is physically within it. If I sit in the driver seat the fob has to be less than 10mm away from the outside of driver's window, otherwise it refuses to start.
1970-01-01 29 days ago
I HATE to say it, but 'enter your password to unlock your car' is the only reasonable alternative when 'something you have' is pseudo-secure.
bufferoverflow 30 days ago
Why can't it be very simple and secure? Car and fob share a secret key.

When you click on the open button on the fob, you send

SHA256(key)

Car responds with a random challenge

RND

Fob sends

SHA256(key XOR RND)

Car does the same calculation and compares.
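The time-of-flight check from sorenjan's comment and the challenge-response exchange from bufferoverflow's comment, combined in a simplified car-side verifier; this is an added example, not code from the thread or the course. It uses HMAC-SHA256 in place of SHA256(key XOR RND) and omits the initial SHA256(key) message; the names, the 5 m limit, the 1 µs fob turnaround and the 200 ns forwarding latency are assumptions.

```python
import hashlib
import hmac
import secrets

C = 299_792_458.0        # speed of light, m/s
MAX_DISTANCE_M = 5.0     # assumed unlock radius
FOB_TURNAROUND_S = 1e-6  # assumed fixed fob reply delay, known to the car

def mac(key, challenge):
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Car:
    def __init__(self, key):
        self._key = key
        self._pending = None  # challenge awaiting exactly one answer

    def new_challenge(self):
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response, round_trip_s):
        challenge, self._pending = self._pending, None  # single use
        if challenge is None:
            return "reject: no challenge outstanding"
        if not hmac.compare_digest(mac(self._key, challenge), response):
            return "reject: bad response"
        # Radio time of flight only: subtract the fob's known turnaround.
        distance_m = C * (round_trip_s - FOB_TURNAROUND_S) / 2
        if distance_m > MAX_DISTANCE_M:
            return "reject: too far"
        return "unlock"

def round_trip(distance_m, extra_delay_s=0.0):
    return 2 * distance_m / C + FOB_TURNAROUND_S + extra_delay_s

def demo():
    key = secrets.token_bytes(32)  # constructed pre-shared key
    car, results = Car(key), {}
    # 1. Fob 2 m from the car answers a fresh challenge.
    old = mac(key, car.new_challenge())
    results["nearby"] = car.verify(old, round_trip(2.0))
    # 2. The recorded answer is replayed against a new challenge.
    car.new_challenge()
    results["replay"] = car.verify(old, round_trip(2.0))
    # 3. Fob 30 m away, relayed with 200 ns added latency; answer is genuine.
    answer = mac(key, car.new_challenge())
    results["relayed"] = car.verify(answer, round_trip(30.0, 200e-9))
    return results

print(demo())
```

The third case passes the cryptographic check and is rejected only by the timing bound, which is why a fresh challenge alone does not address relaying.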
relaxing 30 days ago
Only two lecture slide decks?

Did the professor get tired of uploading the material for students to review post lecture?
quailfarmer 29 days ago
This was a great class when I took it! Hope you’re doing well Dr. Pauly!
stewx 30 days ago
We should just GPS track the cars and arrest the thieves.
throw0101d 30 days ago
For a good modern day automobile security system, at least in the US, get a car with a manual transmission.
spacebanana7 30 days ago
One thing I would’ve liked about an Apple car is the security. Imagine FaceID, secure enclaves and MFA. An iPhone on wheels would be immune to most, if not all, of these attacks.