Gone in 60 seconds--the high-tech version

Let's say you just bought a Mercedes S550--a state-of-the-art, high-tech vehicle with an antitheft keyless ignition system.

After you pull into a Starbucks to celebrate with a grande latte and a scone, a man in a T-shirt and jeans with a laptop sits next to you and starts up a friendly conversation: "Is that the S550? How do you like it so far?" Eager to share, you converse for a few minutes, then the man thanks you and is gone. A moment later, you look up to discover your new Mercedes is gone as well.

Now, decrypting one 40-bit code sequence can not only disengage the security system and unlock the doors, it can also start the car--making the hack tempting for thieves. The owner of the code is now the true owner of the car. And while high-end, high-tech auto thefts like this are more common in Europe today, they will soon start happening in America. The sad thing is that manufacturers of keyless devices don't seem to care.

Elsewhere on CNET
Read more

Keep informed of latest risks at CNET.com's Security Watch

Wireless or contactless devices in cars are not new. Remote keyless entry systems--those black fobs we all have dangling next to our car keys--have been around for years. While the owner is still a few feet away from a car, the fobs can disengage the auto alarm and unlock the doors; they can even activate the car's panic alarm in an emergency.

First introduced in the 1980s, modern remote keyless entry systems use a circuit board, a coded radio-frequency identification (RFID) technology chip, a battery and a small antenna. The last two are designed so that the fob can broadcast to a car while it's still several feet away.

The RFID chip in the key fob contains a select set of codes designed to work with a given car. These codes are rolling 40-bit strings: With each use, the code changes slightly, creating about 1 trillion possible combinations in total. When you push the unlock button, the keyfob sends a 40-bit code, along with an instruction to unlock the car doors. If the synced-up receiver gets the 40-bit code it is expecting, the vehicle performs the instruction. If not, the car does not respond.

Unfortunately, the companies making RFID systems for cars don't think there's a problem.

A second antitheft use of RFID is for remote vehicle immobilizers. These tiny chips, embedded inside the plastic head of the ignition keys, are used with more than 150 million vehicles today. Improper use prevents the car's fuel pump from operating correctly. Unless the driver has the correct key chip installed, the car will run out of fuel a few blocks from the attempted theft. (That's why valet keys don't have the chips installed; valets need to drive the car only short distances.)

One estimate suggests that since their introduction in the late 1990s, vehicle immobilizers have resulted in a 90 percent decrease in auto thefts nationwide.

But can this system be defeated? Yes.

Keyless ignition systems allow you the convenience of starting your car with the touch of a button, without removing the chip from your pocket or purse or backpack. Like vehicle immobilizers, keyless ignition systems work only in the presence of the proper chip. Unlike remote keyless entry systems, they are passive, don't require a battery and have much shorter ranges (usually six feet or less). And instead of sending a signal, they rely on a signal being emitted from the car itself.

Given that the car is more or less broadcasting its code and looking for a response, it seems possible that a thief could try different codes and see what the responses are. Last fall, the authors of a study from Johns Hopkins University and the security company RSA carried out an experiment using a laptop equipped with a microreader. They were able to capture and decrypt the code sequence, then disengage the alarm and unlock and start a 2005 Ford Escape SUV without the key. They even provided an online video of their "car theft."

But if you think that such a hack might occur only in a pristine academic environment, with the right equipment, you're wrong.

Real-world examples
Meet Radko Soucek, a 32-year-old car thief from the Czech Republic. He's alleged to have stolen several expensive cars in and around Prague using a laptop and a reader. Soucek is not new to auto theft--he has been stealing cars since he was 11 years old. But he recently turned high-tech when he realized how easily it could be done.

Ironically, what led to his downfall was his own laptop, which held evidence of all his past encryption attempts. With a database of successful encryption strings already stored on his hard drive, he had the ability to crack cars he'd never seen before in a relatively short amount of time.

And Soucek isn't an isolated example. Recently, soccer player David Beckham had not one, but two, custom-designed antitheft-engineered BMW X5 SUVs stolen. The most recent theft occurred in Madrid, Spain. Police believe an auto theft gang using software instead of hardware pinched both of Beckham's BMWs.

[bobbutts]

Should be stable by the time I can afford it

I wish I was rich enough to afford a car with this tech. This is a good example of a crime where the criminal has to be smart enough that he could be holding down a real job. Meanwhile in the USA criminals are still stealing junk cars like 1980s Buicks.

[GGGlen]

Nope

FYI, Buick isn't on the list.
From the National Insurance Crime Bureau;

http://www.nicb.org/public/newsroom/hotwheels/index.cfm

[indiasfinest]

whats wrong w. 128 bit?

so what, the ketys get a tad bigger for power, all the wireless keys rechargable, BMW, lexus, and mercedes all have rechargable keys, ever now and then recharge them, i dont see a barrier between us and 128 bit encryption.

[Jim Harmon]

Just think...

This is the same technology they want to put into passports. You think identity theft is a problem NOW? Just wait.

[westfordpete]

If it's so easy to crack, why do they charge $300 for new key?

Damn, I wish I had this key cracking software when I lost the key to my Prius this past winter. They charged me $300 for a new one.

[Bill Dautrive]

Because they can

That $300 is almost pure profit.

It has nothing to do with how easy or hard it is to crack. It is like the theater charging you $5 for $0.25 worth of popcorn.

[baswwe]

because you dumb{butt} paid it

Don't pay it. Sheesh, R U STEWPID?

[D & G Ties FTW]

bfc.ot

Beckham must have (had) the only 2 BMW S5s EVER!!!
OMGZ!!!!!!111oneone

[chris jerome]

on of my best friend's locked his key inside the car...

One of my best freinds was over at my place the other night,
getting drunk and eating here, then as the night was getting to
an end, he went to fetch his pullover from the car.

He realised that he left his keys on the front seat of his HSV
holden, which has this feature. He came up again and said
"guess what? I've locked my bloody keys in my car!!" he said
"Gee Im so stupid!, what a dick I am!" "how in hell am I gonna
get home Chris?" I told him that I remembered hearing on the
net, whilst searching into RSA/encryption etc etc, for a software
project I had to do for work, and I came across an article about
this matter, which did concern the hell out of me, because I have
one of these bloody cars myself." so I went and did a search for
this again, and to try and find the software, and one that would
work on a PowerBook G4 laptop. as the Desktop I have would be
out of range of our units carpark. I compiled up the software,
while he watched. He said I hope this works, I bet you can do it.

Well... guess what guys... to his delight and his relief, after me
and him sitting there on fold up chair's with the PowerBook G4
on knee, it took us about 3 minutes to find the right Challenge
and reponse codes, then I hit enter and CLICK up went the
central locking on his HSV holden! He just laughed and laughed,
and yelled in the carpark "hurray for Macintosh software
developers! yeee haaaaa!" it was really quite funny, and we
laughed about this at work on monday morning..

That was a nice legit use of this knowledge to help out a
forgetful mate. I also helped read the cars manual, to change the
setting's that the car does not use it 'autolocking' feature. I
disabled that feature on my capri, for this reason!! because Im
known to be a little 'pre-occupied' at times and I wanted to
prevent this happening to me!

his car and mine has that feature and a few of the girls were I
work has it too. Did yours have that??

I hate that bloody 'auto-lock' feature!! I reccomend disabling it,
if your the forgetful type!

Chris J, in Australia.

[Ben Witherspoon]

Here's something you might want to think about

Like D & G Ties FTW I also found that "BMW S5" comment
amusing... lets just hope that was a type-o, after all the the "X"
and "S" keys are pretty close. Oh, and lets not forget the fact
that X5 and S5 sound similar when you say it to your Speech-
To-Text computer. You'd think someone who types a bunch of,
well, ******** about keyless car thiefs would actually have
probably towed the cars away and parted them off. Having the
time it takes to wake in to Starbucks, drink a grande latte and
eat you scone and walk out some 10-15 minutes later to go
through a trillion 40-bit codes, the keyless chip makers
probably reailize that your more likely to have been struk by
lighting and have your social security and credit card numbers
stolen all in the same day. And if you actually watch the videos
Johns Hopkins University put out you'd see there was more than
15 minutes involved, it was well planned and it involved DST
chips, not remote keyless entry/ignition like used in say... BMWs
for one. Not to mention the fact that even with keyless ignition
you still need to break the streering lock, which from experience
can be pretty hard to do without the knowledge of the specific
car model and the proper tools.

Okay, everyone else, lets cross our fingers and hope that we
don't see someone standing next to are car with a laptop, when
we do come out of Starbucks, that comfrontation might be a
little akward. "Mind if I get my tent out of the trunk while you
finsh with that?"

[Ben Witherspoon]

Message has been deleted.

[Ben Witherspoon]

Yes, I posted it 3 times. I know...

Yes, I posted it 3 times, sould someone wonder why, instead of
giving a good excuse like my computer screwed up, lets just say I
thought more people would read it this way. :)

Oh, and that ******** is a compound word that begins with a "B"
and ends with a "T", that is, if anyone was curious.

[Jonathan Spira]

Inaccurate reporting in "Gone in 60 seconds"

The article conflates a bunch of facts and errors so it is hard to assess how real the danger is.

For starters, BMW doesn't make an S5 - Beckham had two X5s stolen from him. That would normally be a minor detail except for the fact that the X5 doesn't come with Comfort Access (n.b. BMW's new 3er, 5er, 6er, and 7er all have the Comfort Access keyless system) - even though the story positions the Beckham thefts as if they were due to Comfort Access.

I saw a similar article on leftlanenews.com days ago - also citing the X5 thefts as if they were due to Comfort Access - so it sounds as if this is just going to make the rounds despite faulty reporting by all parties.

[mileserickson]

Inaccurate accusation of inaccuracy

All sounds interesting until you google "BMW X5" and discover that the X5 actually does exist...

[KarenSaid]

Thanks for the catch

We've changed the article to note that the cars were actually X5s and to say they were custom designed. We appreciate your interest and close reading of our stories.

[Hernys]

No need to decrypt

If the thieves want to steal the car, there's no need to decrypt the code. And 128 bit (or 1024 for that matter) won't help. They only need to do a Man in the Middle attack.
How? Since the key doesn't need any action from the user to open the car, they are active all the time waiting for a signal from the car. And since the keys are passive, the car is always sending that signal. So if someone wanted to just open the car, the only thing that's needed is a two way wireless amplifier or repeater. Just put one end of the repeater pair near the car, and the other end near the owner witht he keys in starbucks. The car broadcasts its signal, it gets relayed by the amplifier to the repeater at starbucks and that unit sends the signal to the keys in the owner's pocket. The key, hearing a call from the car, responds its signal which is then relayed to the car, which opens the door an unlocks everything.
From there, the tieve should be able to start the engine with a traditional key (which should not be a problem for an expert car thieve).
This whould work regardless of the protocol, technology or code bit lenght. It would fail only if the key was extremely time sensitive, but since we are talking about nanosecond delays and this is digital cryptography this is unlikely.
Of course, then the thieves, after getting away with the car, need to replace the necessary electronics in order to be able to start the car again, but they could do so from the safety of their hideouts.
The only way to prevent this is to use keys that require that the user presses a button for the security to be disengaged. Laziness never pays.

[sanenazok]

the other way

would be to force the car to ensure that a chip-equipped key is in the ignition at all times. I think that's what my Camry does. It verifies the key not just on ignition but at set intervals. There's no reason not to do that, too, since it's not like you're eating the key battery.

[alek_nedic]

start the engine

http://www.analogstereo.com/mercedes_cl_class_owners_manual.htm

[Hernys]

No need to decrypt

If the thieves want to steal the car, there's no need to decrypt the code. And 128 bit (or 1024 for that matter) won't help. They only need to do a Man in the Middle attack.
How? Since the key doesn't need any action from the user to open the car, they are active all the time waiting for a signal from the car. And since the keys are passive, the car is always sending that signal. So if someone wanted to just open the car, the only thing that's needed is a two way wireless amplifier or repeater. Just put one end of the repeater pair near the car, and the other end near the owner witht he keys in starbucks. The car broadcasts its signal, it gets relayed by the amplifier to the repeater at starbucks and that unit sends the signal to the keys in the owner's pocket. The key, hearing a call from the car, responds its signal which is then relayed to the car, which opens the door an unlocks everything.
From there, the tieve should be able to start the engine with a traditional key (which should not be a problem for an expert car thieve).
This whould work regardless of the protocol, technology or code bit lenght. It would fail only if the key was extremely time sensitive, but since we are talking about nanosecond delays and this is digital cryptography this is unlikely.
Of course, then the thieves, after getting away with the car, need to replace the necessary electronics in order to be able to start the car again, but they could do so from the safety of their hideouts.
The only way to prevent this is to use keys that require that the user presses a button for the security to be disengaged. Laziness never pays.

[kevinem316]

not that simple.

My cousin was showing me his 2006 corvette c6 with an rfid in his key fob. It can detect if the key is inside or outside the car and then that effects the permissions you have with the car. if the key isnt in the car. it wont start. if the key is in the car and you remove it, the car turns off. While i dont know the tech in the rest of the cars with rfid, chevy at least has the right idea

[skeptik]

LOL

Here in Detroit, when we want to jack a car, we use a gun. There are a few owners who attempt to circumvent our technology by saying "No"... but we get their car anyway.
;)

[209979377489953107664053243186]

hackers will follow the technology

Hackers have been affecting the digital business market for years, so it's no surprise that as technology extends to always on communication within the consumer market that hackers will find the same security lapses and take advantage. Business is just now taking security seriously, (statistics on http://www.essentialsecurity.com/educationalfacts.htm) so how long will it be before consumer manufacturers decide to?