Keyless Remote Entry For Cars May Have Been Cracked

WheezyJoe writes "The Today Show had a piece this morning showing video of thieves apparently using a small device to open and enter cars equipped with keyless entry. Electronic key fobs, which are supposed to be secure, are replacing keys in more and more new cars, but the evidence suggests that a device has been developed which effortlessly bypasses this security (at least on certain makes and models). 'Adding to the mystery, police say the device works on some cars but not others. Other surveillance videos show thieves trying to open a Ford SUV and a Cadillac, with no luck. But an Acura SUV and sedan pop right open. And they always seem to strike on the passenger side. Investigators don't know why.' Police and security experts say they are 'stumped.'"

kits for sale online

[Anonymous Coward]

You can get a keyless universal unlocker from china for around $2000USD.

probably not a key that is sent

[roman_mir]

This is probably something that is not what is expected, like some of those steering wheel locks that can be removed by breaking them in half by hitting in the middle of them rather than trying to pick the lock. They are not breaking the encryption, they are breaking the system, going around the expected secure path, not through it.

Re:Stumped my ass

[Trepidity]

Yeah, the fact that it works only on certain makes/models, if anything, makes it much less mysterious. Compromises that exploit particular broken implementations of a cryptosystem are by far the most common kind of vulnerability, more common than fundamental breaks of a cryptosystem. If this device is opening only certain kinds of Hondas, it's likely Honda screwed up its implementation in at least some models.

Re:Stumped my ass

[chuckinator]

An older engineer I worked with once told me a story about a car manufacturer (don't remember which one) using the CAN bus to control the side view mirrors. Well, the CAN bus is an electrical bus without any form of authentication or security, and car thieves started to make a habit of busted off one of the side mirrors and issuing the unlock doors message on the bus. Note that the authenticity of this story is what you should expect from typical water cooler gossip.

Re:just now?

[Tuidjy]

Some are vulnerable to replay attacks, but Hondas (and Acuras, which are Hondas) most definitely should not be. There was an European study that used more than just simple replay attacks, and they found a dozen brands of remote devices that were susceptible. Hondas were not amongst them.

This said, the article is retarded. I hope it's not the police officers' stupidity, but the authors'.

1) Of course they will go for the passenger's door, you morons, that's where drivers leave their stuff, and that's where the glove compartment is. The thieves are not stealing the cars, they are burglarizing them.

2) Of course, it will not work on all cars, you morons. The remotes use different protocols, and the thieves clearly have cracked Honda's. This will not help them much with Ford's.

3) Ok... three I'll keep to myself. As a former law enforcement agent, I'm sure the officers know that one, and are keeping it close to their chest. The authors are still morons, though.

Re:Stumped my ass

[Amouth]

that was a Volvo, everything uses the same damn bus

Re:just now?

[Tuidjy]

Actually, now that I have had two minutes to think about it, I have a theory.

It may be that the thieves did not hack the remote, maybe they are triggering accident detection, which unlocks the doors. If I were a Honda engineer, this is what I would look at first.

Hell, maybe Honda is even blameless. I know some car dealerships push poorly thought-out mods on their customers. I would check to see whether there isn't a local dealership that is peddling a 'safety' add-on.

Re:Keypad

[organgtool]

My friend had a keypad on his garage door opener with a four-digit code. One day he invited me and another friend over, but he didn't answer the door when we got there. Calling his house line also proved futile. We figured he fell asleep before we got there (which turned out to be the case). However, while we were waiting, the friend who was stuck outside with me started punching numbers on the garage keypad. I tried telling him that there were 10,000 possible combinations, but that didn't dissuade him. After a few seconds, the garage door opened up. I asked him how he knew the code and he pointed out that four of the numbers on the keypad were very worn. I did the math and realized that his observation took the number of possible combinations from 10,000 to 24! The point is, be careful with those keypads and change the numbers periodically if possible.

Thinking out of the box - Jamming the close signal

[quilombodigital]

A better theory would be that the guys just placed a device in the neighbourhood earlier, that JAMS the signal that closes the car door. Most users wouldnt notice, since they just turn back and start walking while pressing the lock button. AFAIK, it is easier to JAM a signal than to decrypt it. :) A small device with a 2W amplifier could cover a range from 500mts easily.

Re:Stumped my ass

[guruevi]

I have wondered myself recently too if it were at all possible. Someone was trying to open a rather expensive car in a parking lot (forgot keys or whatever, security was helping too so not a burglary) - I thought, if you can just pop the hood (you can open a hood with simple tools) and connect to one of the busses, can't you just tell the car to unlock by sending a message on it. It's most likely on a CAN or I2C bus, something open-y enough that you can just get a generic system for most cars. An Arduino could probably do it.

Re:Stumped my ass

[girlintraining]

Maybe the car is sentient, hates the current own and wants to be stolen.

That, or the guy carrying the backpack in the video has something big enough in it to need a backpack; like a large coil, battery, and circuit board. People seem to forget that every electronic device is both a radio transmitter and receiver. With a powerful enough transmitter, any signal can be induced in any part of a circuit. Of course, physics also demands that any signal induced would be strongest along parallel wires -- power cables, to be specific.

The reason why they're targetting passenger-side doors is probably because the control logic is in the driver side door, and the doors on the right-hand side would have the longest run of cable between the control board and the door's selenoid. of course, you don't run power cable from one side of the car to the other, you run a signal wire; which depending on what kind of logic gate is on the other side, may only require a tenth to a half volt of voltage across it to trigger.

The equipment to generate a short, broadband pulse at a right angle should be sufficient to induce the required voltage, thus causing the door to unlock. Never attack the crypto system when you can go after the control interface. This is, for all intents and purposes, a side channel attack. It would only work on makes and models of cars that have a sufficiently long run of signal cable running along the longitudal axis of the vehicle. The attacker would need to be within about 5 feet to do this, and to not be obvious the car would need to be equipped with a lock that is along the window-frame or make an audible noise during unlock -- otherwise an attacker would have to visually inspect the interior of the car first, and the suspicious behavior of doing so in a parking lot filled with cars could attract law enforcement.

Anyway, that's my suspicion for what's going on. To detect this, you'd need to be able to detect a sudden increase in broadband EMR, and triangulate its location, and the emission would only last a few milliseconds, if that. The police won't have the resources to find this, but the FCC might if the attacks are happening within a single metropolitan area... or if you had one of those multimillion dollar semitruck rigs with millimeter wave x-ray tech like what they use in airports to scan people (and their backpacks) for the tell-tale metal loop, which would be optimally placed around the circumference of the bag.

Mind you, all of this ignores potential 4th amendment issues, along with all manner of other legal obstacles, including the fact that you'd be irradiating innocent people who are also unaware of your activities while in public. Failing that, you're tasked with swarming an area with officers and detaining anyone with a backpack within a certain radius, that radius being defined as the response time between signal acquisition and having boots on the ground.

As to profiling them, you're probably looking for a van without windows, SUV, or similar vehicle where stolen goods can be dropped off and the attacker picked up quickly and removed from the area... statistically, he'll be within a few blocks. The equipment needed to generate a powerful enough EM pulse would take up most of the backpack and be very bulky -- even with high energy density batteries... it probably wouldn't have enough room to store much in the way of stolen items, necessitating a nearby collection point.