Car security

Many cars use radio frequency identification chips which are designed to verify the identity of the ignition key being used to start the car engine. If thieves get into the vehicle without the right key, the engine should refuse to start.
However, it is possible electronically to listen to signals sent between the security system and the key fob via a computer programme to analyse and emulate it. Once this is done, it is possible to unmask the vehicle’s secret code very quickly and start the engine.
According to Traqueur, French leader in detecting and recovering stolen cars, some 74 per cent of the cars stolen in the first four months of this year were swiped electronically.

Did the manufacturers seriously do that?

Set the system up so that the car itself actually broadcasts its own secret signal?

Facepalm.

15 comments on “Car security”

  1. According to Traqueur, French leader in detecting and recovering stolen cars, some 74 per cent of the cars stolen in the first four months of this year were swiped electronically

    Sounds like a company talking up their own services, to me. Aren’t most burglaries these days carried out in order to find car keys, because cars can’t be started without the keys any more and the DVD player is now worth £15 from Tesco’s?

  2. It is absolutely possible to design a secure handshaking protocol in which a car is tied to a key in a manner that is very hard to attack. A cryptographically secure stream cipher is something we know how to do. Good hash algorithms are things we know how to do. The crypto hardware to do it is cheap these days. The car manufacturers don’t do it because their embedded systems design people are useless at security. Most embedded systems bods are. It’s an endemic weakness in the idea that everything is going to be wireless.

  3. You recently had a post on Forbes about the banking industry forgetting what’s gone on in the past. It seems the car industry has the same problem.

    If this story is true, too busy and didn’t read it beyond the quoted bit, then this is exactly what happened in the ’70s when remote controls first started appearing. Within days there were systems to capture the code in and transmit it when needed. IIRC they weren’t unique either so a good thief could quickly build up a store of them to try out.

  4. Well, RlJ, yes. Which shows they don’t know the first thing about crypto. The definition of a cryptographically-secure pseudorandom number generator (CSPRNG) is that a) given all previous output it should be impracticable (read: computationally intractable) to predict the next output bit with greater than 50% success and b) given knowledge of the current internal state of the CSPRNG it should be impossible to reconstruct its prior output. There is no excuse for using a weak RNG. You can state with practically cast-iron certainty that the car manufacturers did their RF keyfob design in-house, whereas they should have paid a team of external security specialists to do it. Even better would be to open-source the protocol and let white hat hackers bang on it, but the average engineering manager in those sorts of places is so hidebound that you could write “NO SECURITY THROUGH OBSCURITY” in pokerwork on an axe handle and still not be able to beat any sense into him.

  5. Tim said:

    Set the system up so that the car itself actually broadcasts its own secret signal?

    Not the secret signal itself but enough parts of a known encryption process that it could be reverse engineered. A bit like one half of a DNA strand being enough to reconstitute the whole thing. The article is a bit mangled. It says

    “However, it is possible electronically to listen to signals sent between the security system and the key fob via a computer programme to analyse and emulate it. Once this is done, it is possible to unmask the vehicle’s secret code very quickly and start the engine.”

    The researchers found three ways to start a car.

    The method described in the article is eavesdropping – listening for the signal between the car and the genuine keyfob. They found that they only had to do this twice before they had enough information to reverse engineer the secret code which allows them to programme their own fob to disarm the immobiliser.

    The second way was a lengthy (30 minutes or so) brute force attack exploiting the process by which the car and keyfob are paired.

    The third was something to do with weak cryptographic keys.

    The article glosses over how thieves get into the car in the first place. I’m guessing the most vulnerable cars are those that have both keyless ignition and automatic unlocking if you are near enough to the car. And I’m more bothered about there being a universal physical key for VAG cars.

  6. BiCR, I know nothing about crypto myself, I’m an embedded systems boy, but I have a mate who does. I shan’t tell you what he said about Oyster card “encryption”…

  7. To over-simplify things a bit, think about those simple “tell me what the 3rd, 5th, and 9th characters of your password are?” systems.
    If you only eavesdrop one session, then you get at most 3 parts of the code. But if you can eavesdrop a few more sessions, over time you’ll get more of the code. Neither side ever transmits the secret key, but if the security system is weak then it “leaks” information that allows a skilled attacker to infer the key.

    As already said, the algorithms for secure communications, and hardware/software to run them, are neither secret nor expensive. Just like the rising tide of insecure “Internet of Tat”, it’s because the people actually building the systems think they know more than they do.
    I’m not a security expert – I would try building such a system because I know I don’t have the skills to do it properly. It’s not like these manufacturers don’t have the software skills available to detect when the vehicle is in an emissions test – you’d think they could find a few security experts and avoid such epic fails!

    Incidentally, some years ago at a previous job, one of our sales reps had his car stolen. Brand new BMW, stopped outside a customer shop, reached into the boot for some catalogues, and a bit like the cartoon where the removals van drives off leaving one of their men sat on the plank tied to the roof-rack of a parked car, the car drove off from around the box of catalogues he was holding.
    At the time we all thought it must have been a dealer insider job, but with the later revelations about security and the fact that it was probably early generation keyless, it probably started and drove off based on proximity to the key that was in his pocket.

  8. I once met a former car thief from Wolverhampton. He told me there was no anti-theft device that was 100% foolproof, but the best he could recommend was a 12″ screwdriver ground to a sharp point and placed vertically under the driver’s seat.

  9. “Did the manufacturers really do that?”

    Probably.

    After all, they connected the engine management system to the in-car entertainment system which in turn is connected to the mobile phone network (see under Jeep, remote control hack).

    They really have no idea at all about systems security – or, more probably, they’re doing everything on the very very cheap and ignoring their skilled staff who warn them about these things.

    Another reason to look forward to autonomous vehicles – not.

  10. The problem is that embedded and control systems have historically been totally self-contained so security wasn’t an issue. Combined with the fact that due to the testing/reliability requirements they typically run at what someone once described to me as the cutting edge of obsolescence (only certified for 10 year old hardware/software type of thing) and you have a recipe for disaster once real world features (wireless connection/infotainment etc.) start being added. You see the same thing with industrial systems having hard coded and/or standard passwords to database part of system etc.
    Mind you I remember an old TR7 which could be opened and started with any key of the same size and working at a car lot it wasn’t uncommon to grab the wrong key and still be able to open the car.

  11. Does seem odd in the days of ubiquitous SSH that the fine engineers of the auto industry cannot get this right.

    AFAIK, this is simples.
    Public / private key encryption.
    Fob has private encryption key, car has public encryption key.
    Fob pings car, car encrypts ‘mary had a little lamb’ or somesuch and sends encrypted message.

    Fob decrypts the nursery rhyme because it has the private key, returns the unencrypted ‘mary had a little lamb’ to car.

    Car knows for sure that the fob has the private key, else could not decrypt the nursery rhyme, opens the car door.

    It all hangs on public/private key encryption, and that’s fairly robust, programmers are doing that sort of thing all the time. It’s astonishing that the auto engineers have messed this up.
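The challenge-response the comment describes, as an added example (not the commenter’s or any manufacturer’s code): it swaps the public-key encryption for a shared-secret HMAC, the symmetric form most immobiliser transponders use and one that needs only the Python standard library, and adds the one thing the comment’s literal scheme lacks, a fresh random challenge from a CSPRNG (comment 4). DEMO_KEY and every name here are constructed for the demo; the two replay functions show why the nursery rhyme must change every time.

```python
import hmac
import hashlib
import secrets

# Constructed demo key; a real immobiliser key is shared by car and fob at pairing time.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def make_fob(key: bytes):
    """Return the fob's answer function. The key itself never goes over the air."""
    def answer(challenge: bytes) -> bytes:
        return hmac.new(key, challenge, hashlib.sha256).digest()
    return answer

class Car:
    def __init__(self, key: bytes, fresh: bool = True):
        self._key = key
        self._fresh = fresh      # False models the comment's fixed "nursery rhyme" challenge
        self._pending = None     # challenge currently awaiting an answer

    def challenge(self) -> bytes:
        # With fresh=True: a new 16-byte nonce from the OS CSPRNG on every attempt.
        self._pending = secrets.token_bytes(16) if self._fresh else b"mary had a little lamb"
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None     # each issued challenge is answerable exactly once
        return hmac.compare_digest(expected, response)

def genuine_fob_starts_car(key: bytes = DEMO_KEY) -> bool:
    car, fob = Car(key), make_fob(key)
    return car.verify(fob(car.challenge()))

def replay_against_fresh_challenge(key: bytes = DEMO_KEY) -> bool:
    """An eavesdropper records one genuine exchange and replays the response later."""
    car, fob = Car(key), make_fob(key)
    recorded = fob(car.challenge())
    car.verify(recorded)         # genuine session completes
    car.challenge()              # later: car issues a new nonce for the replay attempt
    return car.verify(recorded)  # False: the recorded answer fits only the old nonce

def replay_against_fixed_challenge(key: bytes = DEMO_KEY) -> bool:
    """Same recording when the challenge never changes: the old answer works forever."""
    car, fob = Car(key, fresh=False), make_fob(key)
    recorded = fob(car.challenge())
    car.verify(recorded)
    car.challenge()
    return car.verify(recorded)  # True: no freshness, so eavesdrop-once-then-replay succeeds
```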
