Latest Samy Kamkar Hack Unlocks Most Cars
msm1267 writes: Samy Kamkar has built a new device called Rolljam that is about the size of a wallet and can intercept the codes used to unlock most cars and many garage doors. The device can be hidden underneath a vehicle and when the owner approaches and hits the unlock button on her key or remote, the device grabs the unique code sent by the remote and stores it for later use. The device takes advantage of an issue with the way that vehicles that use rolling codes for unlocking produce and receive those codes. Kamkar said that the device works on most vehicles and garage doors that use rolling, rather than fixed codes.
Or just use the key (Score:1, Interesting)
I have never had a car with a remote lock/unlock device. I suppose it might be handy at night, but I don't have any trouble using a key by feel, either. So it seems to me the easiest way to prevent a problem is just not to use the electronic unlock.
Or don't worry about it. What are the odds that some bad guy will target your vehicle?
Re:Or just use the key (Score:5, Insightful)
The real question is, what are the odds that a car thief is going to spend the money (likely more than $30 if they're buying from someone who knows how to make one) or the time to learn how to make one of these? The barrier to entry just to get one of these working (having to have technical knowledge to put one together, having to hide it under the car and get the owner to open it first and potentially notice the device when it jams their unlock signal) means that thieves will stick to the tried-and-true $5 wrench method rather than try one of these.
Re: (Score:1)
That's exactly how it works. Just leave it under the car, and it will always have a code ready for you to use. Every time the owner unlocks the car, it replays the previous code and stores the latest one.
Re: (Score:2)
For cars, it would need to be a regular location. Stake out a place of business for a few days, stick transmitter under a target vehicle. The next day, steal the car.
But it's still more trouble than other methods, so it isn't likely to happen.
Re:Or just use the key (Score:5, Interesting)
A thief will just smash a window or pop a lock. A detective, OTOH, will find this quite appealing, if they need to do a "sneak and peek". Want to search someone's car and leave no sign that you did?
Re:Or just use the key (Score:5, Interesting)
The second best theft is one where the victim doesn't know when they were stolen from.
The ability to quickly gain access to a locked place without leaving any sign that one gained access would be incredibly useful, especially in environments where valuables are routinely left in cars. Laptops and technical service tools would be big targets in general, and some people in certain occupations would also be excellent targets for the privileged information that might be in a briefcase in an otherwise securely locked trunk.
Then there's the issue of people that leave things in their cars, like copies of their house keys, that could let a thief in to somewhere else that's more lucrative, or those that leave extra vehicle keys in vehicles so that once a locksmith would let them back in to the car after they lose their primary keys, they could drive away.
I can see this being an incredibly big problem depending on proliferation. It should at least require people to stop keeping expensive things in trunks that might have been somewhat safe through being hidden.
Re: (Score:1)
WRONG.
Oh, so very, very wrong.
The best thief is one who not only convinces their victim to give them the item, but also that doing so rights some sort of long-standing wrong and the victim should be ashamed of themselves for ever having had said item in the first place.
"Citizen, having this locked up is a blow for TERROR, but if you unlock it for me I will ignore it -- just this once."
That's how you do it, sonny.
Re: (Score:2)
I disagree. A car with no visible signs of forced entry will sell better on the black market.
Re: (Score:1)
Most cars on the black market are on the black market as car parts.
Since the manufacturers discovered that at retail, a consumer will pay three to four times (or more) for a part than could be charged when attached to an entire vehicle, the parts market is ideal. You discard the parts that carry serial number identification or just damage the serial numbers, and convert a car into twice or thrice its former value.
Only chumps sell stolen cars assembled. Without a plan, it's far too easy to trace the entir
Re: (Score:2)
No, that is just damage, the same as any other damage to a used car. Stolen cars are rarely sold, they're usually driven by the thief for a few days and abandoned. There is almost no "black market" for stolen cars. Most of them get parted out, and the parts are then sold on the "grey market" because individual parts are not traceable and don't require paperwork. Cars that are sold on the black market have to have all their numbers changed, which requires a "chop shop" that is actually just a regular auto sh
Re: (Score:2)
There is actually a market for stolen cars - cars expensive enough to ship overseas after being stolen. Those cars are stolen with tow trucks, however. Tow trucks are rarely questioned - sometimes the spouse will even open up the garage door.
I hear the practice is common enough that a Ferrari that is lifted to a certain angle (without a security code first being entered) will blow e-fuses and need carefully tracked replacement parts. (I have no idea how that works out in hilly areas, making me wonder how
Re: (Score:2)
All you need to detect tow condition is an attitude sensor. Anti-roll will engage when a modern vehicle is pulled onto a tow truck while in gear, based on the wheel movement; if the car can detect the vehicle angle then it can easily note that it is "rolling" uphill and engage an anti-theft fuse or other lock-out.
You could probably add that aftermarket to most modern vehicles if you can get the anti-roll activation off the data bus.
Re: (Score:1)
The attacker doesn't have to open the car right away. The car can drive around for days, being opened and closed multiple times by the owner. The device remains attached to the car. Whenever the owner presses the button, the device plays the previous code and stores the latest one, so it always has a usable code ready for the attacker to use.
Re:Or just use the key (Score:5, Insightful)
The real question is, what are the odds that a car thief is going to spend the money (likely more than $30 if they're buying from someone who knows how to make one) or the time to learn how to make one of these? The barrier to entry just to get one of these working (having to have technical knowledge to put one together, having to hide it under the car and get the owner to open it first and potentially notice the device when it jams their unlock signal) means that thieves will stick to the tried-and-true $5 wrench method rather than try one of these.
Considering most cars are stolen to be parted out, if it only costs $30 to get $5000-odd of parts, even the dumbest crims will figure the economics of that one out.
This is a bigger problem in Europe where the car can simply be driven over the border and resold. It may cost 600 Euro to put a new lock and immobiliser system in, but you can sell it for thousands of euro in a variety of places in eastern Europe (not to mention the illegal car export industries that exist in these places).
If you honestly don't believe that this technology will find its way into mainstream criminals' hands, just look at the number of card skimmers out there.
Re: (Score:2)
Or 1 smart ringleader gets a few of these and gives them to his street thugs.
Re: (Score:2)
This method has the advantage of not looking suspicious. The thief simply acts as if they were the car's owner and can rob it in broad daylight, and no-one will blink an eye. Car park security won't react like they would if the window was smashed. No car alarm going off. It's definitely attractive.
Having said that, in the UK there have been a spate of thefts where people steal car body parts at night. They come along in the early hours of the morning, pop the bonnet open and simply remove the entire front o
Re: (Score:2)
I have a mid-nineties GM with a remote. Despite changing the batteries in the remote I can only get about 30' range at the max on a good day. On a bad day I'm damn near standing next to it to get it to unlock the doors or open the trunk. Honestly it's a little too short.
Re: (Score:2)
I lock remotely a lot, but I almost never unlock without using this mechanism. Slip your hand
Re: (Score:2)
I've never had a car where I regularly used the key that the lock didn't end up freezing on me. Even recent cars have this issue. If you're anywhere that regularly receives freezing weather a remote can be the fastest way into your car.
Even with remote entry I've had both front door locking mechanisms freeze up. Thankfully I could get in the back door. Even once I got to work (with the heat blasting the whole time) I had to get out the back.
Re: (Score:2)
You can get these little torches that fit on your key ring too, if you can't do it by touch. If you don't have a torch in your normal day-sack anyway (I do; I'm a caver, I learned that lesson long ago).
Far the bigger use of the remote (by my wife) is locating the car in the car park, because the remote also causes the car to flash its lights. Then again, it's over 20 years since I had a car stolen or broken i
Nothing Novel Here (Score:1)
This appears to be a long known attack, bundled up with a cute name and small hardware package. Nothing to be (newly) concerned about. Here's a blog post from a year and a half ago, for example: http://spencerwhyte.blogspot.ca/2014/03/delay-attack-jam-intercept-and-replay.html
Aside: I don't know any professional or academic security researcher who takes Samy seriously. His work is almost entirely of this style, packaging prior knowledge and selling it with panache.
Well you still need some sort of key. (Score:2)
Re: (Score:2)
Most cars now have active (chipped) keys that will not let you start or sometimes even turn the key unless it sees the signal from the key. Those keys may also be necessary to put the car in neutral for towing.
Most cars have a manual method of switching to neutral. This is necessary because it simply doesn't make sense to cause thousands of dollars of damage to a car while towing simply because of an electrical problem.
Re: (Score:3)
Most cars now have active (chipped) keys that will not let you start or sometimes even turn the key unless it sees the signal from the key. Those keys may also be necessary to put the car in neutral for towing.
Most cars have a manual method of switching to neutral. This is necessary because it simply doesn't make sense to cause thousands of dollars of damage to a car while towing simply because of an electrical problem.
Even if you can't get the car in neutral, it only takes a few seconds to jack up the car and put dollies under the wheels.
Re: (Score:2)
And you need to unlock car to do this exactly why?
If you're a legitimate tow truck driver, you try to open the car because you're too lazy to get the dollies off the truck and there's a small additional risk if you don't strap them on securely. If you're an illicit driver, then if you can get your partner to unlock the car and get it in neutral, you don't even need to get out of the truck to hook it up, just set the wheels on the wheel lift and go - no need to help him lift the car and set the dollies.
Re: (Score:2)
Most cars now have active (chipped) keys that will not let you start or sometimes even turn the key unless it sees the signal from the key. Those keys may also be necessary to put the car in neutral for towing.
Most cars have a manual method of switching to neutral. This is necessary because it simply doesn't make sense to cause thousands of dollars of damage to a car while towing simply because of an electrical problem.
Even if you can't get the car in neutral, it only takes a few seconds to jack up the car and put dollies under the wheels.
Also most cars are 2 wheel drive. Even most "all wheel drive" cars are just front wheel drive with a transfer box that is disengaged until the electronics detect the front wheels slipping. So all you do is jack up the front and take the handbrake off.
I don't understand. (Score:1)
Why don't these electronic keys use a public/private key authentication system with nonce signing to avoid replay attacks?
This is simple to implement and is very strong against this kind of attack.
So I guess it's time.... (Score:3)
For automobile manufacturers to start factoring in the time of day and keeping the "key" hidden...
It works this way... You have a pre-shared key and you encrypt an ever-changing sequence of messages, say something related to the current time of day or the "rolling code" thing they use now, only the code rolls over time, not when it's used. Then the "code" that worked 5 seconds ago won't work in the future. That stops "record and playback" messages from being seen as valid, and all you need to have is a reasonably accurate scheme to advance time on both the car and the key fob. I imagine that regular resyncing of the clocks might be necessary, but I'm sure we can work something out where you "program" your key fob by inserting it into a port on your car or by using some RF backscatter power process so the fob and the car can get into sync.
It doesn't stop brute force attacks to recover the key, but it does make it time consuming and unlikely to be accomplished by some thief walking through the parking lot.
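The time-rolling scheme the post sketches, as an added example that is not code from the article or from any commenter: the fob derives each code from a pre-shared key and the current time step, and the car accepts a small clock-drift window. The step length, drift window and the "never accept a step at or below the last one used" rule are my assumptions; that last rule is what also stops a code captured and replayed within the same window.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 5   # assumption: the code rolls every 5 seconds
ACCEPT_SKEW = 1    # assumption: car tolerates +/- one step of fob/car clock drift


def fob_code(key: bytes, now: float) -> bytes:
    """Fob side: the unlock code is an HMAC of the current time step under the pre-shared key."""
    step = int(now // STEP_SECONDS)
    return hmac.new(key, struct.pack(">Q", step), hashlib.sha256).digest()[:8]


class Car:
    def __init__(self, key: bytes):
        self.key = key
        self.last_accepted_step = -1  # any step at or below this is refused

    def try_unlock(self, code: bytes, now: float) -> bool:
        centre = int(now // STEP_SECONDS)
        for step in range(centre - ACCEPT_SKEW, centre + ACCEPT_SKEW + 1):
            if step <= self.last_accepted_step:
                continue  # step already consumed: a code recorded in this window cannot be replayed
            expected = hmac.new(self.key, struct.pack(">Q", step), hashlib.sha256).digest()[:8]
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = step
                return True
        return False


def demo():
    """Constructed scenario: one genuine press, two replays of it, then a fresh press."""
    key = b"constructed-demo-key-not-a-real-one"
    car = Car(key)
    t0 = 1_000_000.0
    live = fob_code(key, t0)
    first = car.try_unlock(live, t0 + 1)          # genuine press, heard a second later
    replay_later = car.try_unlock(live, t0 + 60)  # recorded code replayed a minute later: stale step
    replay_now = car.try_unlock(live, t0 + 2)     # replayed inside the same window: step already used
    fresh = car.try_unlock(fob_code(key, t0 + 60), t0 + 60)
    return first, replay_later, replay_now, fresh


if __name__ == "__main__":
    print(demo())  # (True, False, False, True)
```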
Re: (Score:2)
Exactly!
Re: (Score:2)
For automobile manufacturers to start factoring in the time of day and keeping the "key" hidden...
A much more secure method would be a challenge/response protocol, the car sends an encrypted random challenge to the key, the key decrypts it, calculates a response to the challenge and sends the response back to the car. The car checks the response and if valid, it unlocks.
There is no way to replay messages as long as the challenge is randomized, and the car obviously should not unlock if it receives a response to something other than the last challenge. There is no way to get the encryption key since i
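The challenge/response exchange described in this reply (and the nonce-based idea raised in the "I don't understand" post above), as an added example that is not code from the article or from any commenter. It assumes a pre-shared symmetric key and uses an HMAC over a random nonce instead of the encrypt/decrypt step the post describes; both sides' messages are shown, and the car refuses a replayed response and any response that does not answer its latest challenge.

```python
import hmac
import hashlib
import os


class Car:
    """Car side: issue a fresh random challenge, accept only a correct answer to the latest one."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None  # the single outstanding challenge, None once answered or replaced

    def challenge(self) -> bytes:
        self.pending = os.urandom(16)  # unpredictable nonce, never reused
        return self.pending

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            return False  # nothing outstanding: a replayed response has no challenge to answer
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        self.pending = None  # one shot: any answer, right or wrong, retires the challenge
        return ok


class Fob:
    """Fob side: answer whatever challenge it hears with a MAC under the shared key."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


def demo():
    """Constructed scenario: genuine unlock, replay, stale answer, late answer, fresh unlock."""
    key = os.urandom(32)  # pre-shared at manufacture; generated here only for the demo
    car, fob = Car(key), Fob(key)
    c1 = car.challenge()
    r1 = fob.respond(c1)
    genuine = car.verify(r1)  # correct answer to the outstanding challenge
    replay = car.verify(r1)   # same bytes again: no challenge outstanding
    car.challenge()
    stale = car.verify(r1)    # r1 answers c1, not the current challenge
    c3 = car.challenge()
    car.challenge()           # car re-challenged before the fob answered c3
    late = car.verify(fob.respond(c3))  # only the last challenge counts
    c5 = car.challenge()
    fresh = car.verify(fob.respond(c5))
    return genuine, replay, stale, late, fresh


if __name__ == "__main__":
    print(demo())  # (True, False, False, False, True)
```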
Re: (Score:2)
I agree, the solution you suggest would be MUCH safer, but as you point out, this makes the fob a whole lot more complex (and power hungry).
In fact both of the suggested solutions are not new concepts, but have been used in networks for years.
Must slow down... (Score:2)
I need to slow down reading stuff... I quickly scanned the headline and saw:
Latest Sammy Hagar track unlocks most cars...
Can it get past engine-kill too? (Score:2, Informative)
If not, then ho-hum...
Breaking into cars is easy... driving off with one without a proper key, when they have sophisticated anti-theft systems in place is considerably less so.
Re: (Score:2)
So you are inside the car, now what? You can't start it. Are you going to steal the radio and loose change?
Re: (Score:2)
So you are inside the car, now what? You can't start it. Are you going to steal the radio and loose change?
You do know that a lot of these immo codes have been broken wide open, right? For example the defeat on the one on the Bosch ME7 series is well-known. You don't need to log in or anything, you can get access to the flash without doing that, without even cracking the case. So an educated attacker, or someone carrying a tool made by an educated attacker who knows their way around an ELM327 can recode the immobilizer on a whole range of vehicles, including a lot of very spendy (if now somewhat older) VAG produ
My alarm has remote locking. I disabled the unlock function so one still needs the key to get in. Go ahead and chirp the alarm all you want. In fact, this will screw up Kamkar's system as it will have expended its one good code. Yes, the alarm is off and a thief could just break a window. But having a system behave in a manner that they don't expect is probably enough to discourage them.
My Honda CRX SI 86's superior security is immune (Score:1)
No power locks, no power windows (cranks), no power steering, no power...
Re: (Score:2)
But hey, if you tried driving my 86 Mustang GT with bearings instead of bushings and the not-so-friendly motor, I wouldn't be surprised if you brought it back. Especially with the headliner in the way of the mirror.
"Nah man, you can keep this one."
Schematics? (Score:2)
The only reason that works (Score:2)
Most? (Score:3)
Latest Samy Kamkar Hack Unlocks Most Cars
There are still plenty of old cars on the road. Do more than 50% of them have remote locking?
Re: (Score:2)
The hack also requires that the car's owner uses the keyfob to unlock the car too. I wonder how many people don't use them? I bought my car used and the previous owners had managed to lose all the keyfobs. I never bothered with replacing them and just use the key.
Jamming... (Score:2)
Because this requires jamming the original signal, this is detectable; otherwise, it is MITM. Jamming is typically very easy: you just have to generate enough energy to overcome the incoming signal. The difficult part is being able to intercept the signal in the presence of your own noise. There are ways to cancel out the noise (like noise-cancelling headphones), but it is a really hard problem, even if you know the exact "noise" you're putting out.
This may push us faster into better types of keys, such
yet another invention of the wheel (Score:1)
How many wheels do you really need to invent? Such devices were for sale to professional auto thieves at a Warsaw marketplace a decade ago. They don't always work, though, if the remote has separate buttons for lock and unlock.
Public/Private Key (Score:1)
This is getting toward being considered ancient tech in the IT world - surely car companies have techies who can achieve this.