Keyless Remote Entry For Cars May Have Been Cracked 398
WheezyJoe writes "The Today Show had a piece this morning showing video of thieves apparently using a small device to open and enter cars equipped with keyless entry. Electronic key fobs, which are supposed to be secure, are replacing keys in more and more new cars, but the evidence suggests that a device has been developed which effortlessly bypasses this security (at least on certain makes and models). 'Adding to the mystery, police say the device works on some cars but not others. Other surveillance videos show thieves trying to open a Ford SUV and a Cadillac, with no luck. But an Acura SUV and sedan pop right open. And they always seem to strike on the passenger side. Investigators don't know why.' Police and security experts say they are 'stumped.'"
Re:Seems an unnecessary feature (Score:5, Informative)
As far as I can tell, the compromise discussed in this article is only keyless entry, not related to starting a car. The thieves are using it to steal stuff like cell phones and GPS units from inside parked cars, not stealing the cars themselves.
Re:Seems an unnecessary feature (Score:5, Informative)
Re:just now? (Score:5, Informative)
I was under the impression that these things were always vulnerable to replay attacks and I wouldn't be surprised if there was a master code as well.
See Rolling Code [wikipedia.org] for why you are under the wrong impression. There might be a recent vulnerability, but for the vast extent of their history these kinds of systems have been safe against amateur tactics like simple radio tricks, and if there is a "Backdoor" code it has been a pretty well guarded secret.
Re:Stumped my ass (Score:3, Informative)
Also, "adding to the mystery", also my ass. Different keyfobs work with different algorithms and protocols. Someone's hacked a particular subset of them.
The linked article on Today is horrible. They also talk over and over about how "The Police" are stumped. As if "The Police" was some kind of borg mind. Better articles with more facts and less made up stuff can be found [msn.com]. It's the Long Beach Police Department, btw.
Thumb (Score:4, Informative)
Did anyone even really watch the video? The "object" in his hand was his thumb. He was opening a door where the handle is embedded in the door . His palm was up and his thumb was out. The door was not locked in the first place. Did anyone see him try the door before he supposedly used the "device"? The incident with the guy with the backpack is even more telling. He was walking along trying doors till he found one unlocked. Notice we took a step back when the door opened.
What is the evidence that the vehicles were locked? Statements from the victims who would loose the insurance award if they admitted that they forgot to lock their vehicle?
As another poster put it, these criminals are targeting vehicle contents; most of which are in the glove compartment.
You must not be familiar with keyless (Score:5, Informative)
Such cars (usually) have push-button start systems that also work based on the proximity of the keyless remote.
It is very convenient if your hands are full and you want to open the rear door, for example, without having to search your pocket and fumble with buttons.
Approach the car, open the handle, press the button - drive. No need to even touch the key/remote, which sits in your wallet or pocket.
Re:Seems an unnecessary feature (Score:3, Informative)
Maybe not so much the remote lock/unlock feature, but to be able to start it without actually inserting the key? A carjacker can push someone into their car as the door is opened and start it without fumbling for a key. Depending on the behavior of the car when the key becomes too far away, it can shut down during operation - dangerous - or be immobilized at its next destination (think a couple arrive at home, keyholder enters home and driver goes to run an errand).
There are several systems involved here.
First of all you have the remote lock/alarm/window fobs. These are powered by a small watch-style battery in the fob, and allow the car to be locked/unlocked (or roll down windows) from a pretty good distance away.. sometimes as far as 50 yards or more. This is basically a coded message using a pre-shared key stored on the FOB and in the car's computer system. Unless you have a specific remote-start system added to the car (or builtin to a few luxury models) this won't actually start the car itself.
The second system involved is a Proximity based system. This also relies on the battery working, and allows a push-button unlock on the door to be used or the car to be started if the fob is inside the passenger compartment and within a few feet of the ignition. It's a similar mechanism to the remote unlock, and like the remote unlock if the battery fails it doesn't work.
Finally, you have an RFID-based anti-theft/anti-key-copying system built into the ignition. Each physical key has an RFID chip built into it, sometimes you can see them embedded in the key itself, sometimes it's hidden inside the plastic molding on the head of the key. This is not battery powered, and will not unlock the car at all. All it really does is prevent the ignition from working unless the inserted key has a functioning RFID chip.
Most fobs have a physical key that can be removed from the fob, so that if the battery stops working the key can be used physically for unlocking and starting the car- but remember the RFID will not allow the push-button unlock or the keyless ignition to work, it has to be physically inserted.
Now down to the article.
They don't bother telling us if any of those systems have remote start capability, or if they are just keyless entry and keyless start systems.
They also don't tell us how close the thieves are getting to the vehicle.
They don't come out and say it, but they are calling these thefts of the actual vehicle, not just people robbing stuff from the interior.
So what this boils down to is as follows:
If the thieves are actually stealing the cars, then we must know if the stolen vehicles had remote start or just keyless start. We must also know how close they get to the door. Once they have that information, they should be able to easily deduce which system is being compromised- the remote start or the keyless entry.
As for how they are doing it, it's most likely a weakness in how the key codes are being generated by the systems in question, or else a weakness with one particular remote start system. The initial keycodes in the fobs are generated at the factory, but can be reprogrammed at a dealership (which you have to do if you get a new key or replace a lost key). So it could be just a problem with factory default codes being too predictable. I would guess the "device" is just a normal keyless entry transmitter which has a bunch of pre-loaded codes that it runs through until it gets a "hit".
But it's also possible they're running a brute-force attack and just trying all possible combinations. These things use a pre-shared key to encrypt the remote commands, but as there are very limited number of commands and the format doesn't vary it might very well be possible to crack the crypto using other methods as well. These are all proprietary systems and they won't even tell you the key length, let alone details about how the communication works.
Re:Stumped my ass (Score:5, Informative)
Most manufacturers outside of the German cars are using systems developed by KeeLoq [wikipedia.org], so a vulnerability in that would impact a large number of vehicles. Parts of the encryption method have been attacked by researchers, with papers like How To Steal Cars [kuleuven.be]. Some of these papers point out [emsec.rub.de] that the exact security mechanisms used by manufacturers on top of KeyLoq's hardware are not public, so turning the theoretical hacks into a working device is still hard even with these issues identified. Based on that FAQ, KeeLoq itself seems secure against anything but very knowledgeable attackers with significant resources--they're quoting months of work to find a real-world vulnerability. However, we can't be sure that a specific implementation of the security approach wasn't weakened by a manufacturer mistake. I wouldn't place a large bet on that though. Someone like a car manufacturer wants to be able to say they passed the risk to someone expert in this area. If they start customizing things to add back doors, they're going to lose any ability to blame KeeLoq if there's a nasty vulnerability.
Re:just now? (Score:4, Informative)
So they had it set to a high level of encryption like maybe 256.
There is so much wrong with that statement I dont even know where to begin.
"Encryption" isnt the word you want for this, since sending a static, encrypted message would be highly vulnerable to a replay attack. You want "authentication", which if its using a rolling code can be highly secure. But assuming youre talking about a 256-bit key, thats still not something you can just throw out as a "we can crack this". How fast you can brute-force it depends on how long it takes to attempt one key; any sane system would limit it to 1 attempt per 0.5 seconds or something, which would make it utterly infeasible to brute-force.
It was never hard to break in for someone skilled. It was time consuming.
Technically all computer security is "easy" if you have an infinite length of time to work with, but we're talking about time scales in the billions of years with a lot of modern computer security. We have the ability to have perfectly secure systems, the flaws are often in the implementation. With simple systems (ie, only access through an RF signal), your chances of getting security right are a lot higher.
Most of the things you listed are irrelevant. You are the owner of the device in all of those examples, so you must necessarily have all of the keys to access the content in question. Accessing a car is different; you need more than access to "the car" to break in unless you feel like disassembling the car, disassembling the internal computer, and reverse engineering the ROM chip inside.
Re:just now? (Score:3, Informative)
The key for my 2013 Ford Escape never leaves my pocket. When I touch the door handle it unlocks; I get in, step on the brake pedal, and press the Start button on the dashboard. Put it in gear and drive away.
All you need is the key within so-many feet of the vehicle.
Re:just now? (Score:4, Informative)
I would be surprised if the majority of keyless entry was RFID. It may be that the vulnerable ones use this, but RFID is not in anyway a form of authorization. It is a form of identification. The difference is your username and your password. Anyone should be able to get the RFID and be no closer to accessing the system, just as your username is not private information and is fairly useless without the password. Their are lots of easy and inconspicuous ways to steal an RFID because it's just their saying "HEY, I'm 157951234654..." and anything can read that ID and then easily masquerade as that RFID.
A proper keyless system uses cryptography(and does so properly). This is why many FOBS are quite expensive to replace and have a battery inside. When you attempt to unlock the vehicle, the vehicle sends a challenge to the FOB, and the FOB uses a private key to sign it, the vehicle then gets that signed response and verifies it using the public key. I know that my FOB uses a 40bit key, which isn't very strong. Hopefully the vehicle has delays in place to prevent someone from trying thousands of keys a second, otherwise it could be broken with brute force given the small key size. This would still take a good while though.
It's possible that some of these vehicles are vulnerable if someone got their hands on a database of public keys(or worse private keys), from which you could spend time searching for the private keys through brute force and build up a database of the private keys, and then load that list onto a portable device the masquerades as a FOB.
There's lots of possibilities.