May 6, 2006 6:00 AM PDT
Gone in 60 seconds--the high-tech version
Related Stories
- Tech industry attacks state anti-RFID laws (April 19, 2006)
- New RFID travel cards could pose privacy threat (April 18, 2006)
- RFID vulnerable to attacks, researchers say (April 13, 2006)
(continued from previous page)
How a keyless car gets stolen isn't exactly a state secret; much of the required knowledge is Basic Encryption 101. The authors of the Johns Hopkins/RSA study needed to capture only two challenge-response pairs from their intended target before recovering the secret key. Two are needed because a single response is shorter than the key, so more than one candidate key will happen to match it; the second pair weeds out the false matches.
In one example from the paper, the authors wanted to see whether they could lift the secret off the keyless ignition device itself. To do so, they simulated a car's ignition system (the RFID reader) on a laptop. By standing close to someone with a keyless ignition device in his pocket, they were able to run several scans in under a second without the victim noticing. They then set about recovering the key from the sampled challenge-response pairs: using a brute-force attack, the laptop tried candidate keys one after another until it found the one that reproduced every captured response. With that key in hand, an attacker can compute the correct answer to any future challenge, which is enough to clone the device; the researchers were soon able to get into the target car and start it.
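A toy version of the two-pair attack just described, added here as an illustration and not code from the Johns Hopkins/RSA paper or any vendor. The transponder's real cipher is proprietary, so the keyed function below is a hypothetical stand-in (truncated SHA-256 over key||challenge), and the key is shrunk to 16 bits so the brute force finishes in under a second on any laptop. What carries over is the shape of the attack: skim a few challenge-response pairs, try every key until one reproduces them all, then answer a fresh challenge the attacker never saw. The years_to_exhaust figures assume a hypothetical guessing rate, not a measured one.

```python
"""Toy model of the two-pair key-recovery attack on a challenge-response
transponder. Added example; respond() is a hypothetical stand-in for the
proprietary transponder cipher, and KEY_BITS is deliberately tiny."""
import hashlib
import secrets

KEY_BITS = 16        # toy; the transponders discussed above use 40-bit keys
CHALLENGE_BITS = 16
RESPONSE_BITS = 12   # shorter than the key, so one pair cannot pin the key down


def respond(key: int, challenge: int) -> int:
    """Hypothetical keyed function: secret key in, short response out."""
    msg = key.to_bytes(8, "big") + challenge.to_bytes(8, "big")
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << RESPONSE_BITS) - 1)


class Transponder:
    """The victim's fob: answers any challenge it hears, no button press."""

    def __init__(self, key: int) -> None:
        self._key = key

    def answer(self, challenge: int) -> int:
        return respond(self._key, challenge)


def skim_pairs(fob: Transponder, challenges) -> list:
    """Attacker's fake reader: send chosen challenges, record (challenge, response)."""
    return [(c, fob.answer(c)) for c in challenges]


def candidate_keys(pairs) -> list:
    """Brute force: every key in the space that reproduces ALL captured pairs."""
    return [k for k in range(1 << KEY_BITS)
            if all(respond(k, c) == r for c, r in pairs)]


def expected_false_matches(num_pairs: int) -> float:
    """Wrong keys expected to survive num_pairs filters if responses look random."""
    return (2 ** KEY_BITS - 1) / 2 ** (RESPONSE_BITS * num_pairs)


def recover_key(fob: Transponder, max_scans: int = 4):
    """Scan the fob until the captured pairs single out one key.
    Returns (key, pairs_used). Usually two scans suffice, as in the paper."""
    pairs = []
    for _ in range(max_scans):
        pairs += skim_pairs(fob, [secrets.randbelow(1 << CHALLENGE_BITS)])
        cands = candidate_keys(pairs)
        if len(cands) == 1:
            return cands[0], pairs
    raise RuntimeError("key not resolved after %d scans" % max_scans)


def years_to_exhaust(key_bits: int, keys_per_second: float) -> float:
    """Worst-case time to try every key at an assumed guessing rate."""
    return 2 ** key_bits / keys_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    victim = Transponder(secrets.randbelow(1 << KEY_BITS))

    one_pair = candidate_keys(skim_pairs(victim, [secrets.randbelow(1 << CHALLENGE_BITS)]))
    print(f"keys matching 1 pair: {len(one_pair)} "
          f"(about {expected_false_matches(1):.0f} false + 1 real)")

    key, used = recover_key(victim)
    print(f"key recovered after {len(used)} scans "
          f"(about {expected_false_matches(2):.3f} false matches expected at 2)")

    # The recovered key answers a challenge the attacker never saw: the fob is cloned.
    clone = Transponder(key)
    fresh = secrets.randbelow(1 << CHALLENGE_BITS)
    print("clone matches victim on a fresh challenge:", clone.answer(fresh) == victim.answer(fresh))

    # Why the paper recommends 128-bit AES: same search at an assumed 10^9 keys/s.
    for bits in (40, 128):
        print(f"{bits}-bit key: {years_to_exhaust(bits, 1e9):.3g} years to exhaust")
```

With a 12-bit response and a 16-bit key, one captured pair leaves roughly 16 wrong keys that happen to match alongside the real one; the second pair almost always eliminates them, which is why the study needed two. Raising KEY_BITS to 40 makes the same search 2^24 times longer, still within reach of dedicated hardware; at 128 bits it is not.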
In the case of Beckham, police think the criminals waited until he left his car, then proceeded to use a brute-force attack until the car was disarmed, unlocked and stolen.
Hear no evil, speak no evil
The authors of the Johns Hopkins/RSA study suggest that the RFID industry move away from the relatively simple 40-bit encryption now in use and adopt an established standard such as the 128-bit Advanced Encryption Standard (AES). The longer the key, the harder it is to crack by brute force: each additional bit doubles the number of keys an attacker has to try.
The authors concede that this change would require higher power consumption and therefore might be harder to implement in a passive tag, and that it wouldn't be backward-compatible with the 40-bit ignition systems already on the road.
The authors also suggest that car owners wrap their keyless ignition fobs in tin foil when not in use, which shields the fob from active scanning, and that automobile manufacturers place a protective cylinder around the ignition slot. This latter step would limit the reader's broadcast range and make it harder for someone outside the car to eavesdrop on the exchange.
Unfortunately, the companies making RFID systems for cars don't think there's a problem. The 17th annual CardTechSecureTech conference took place this past week in San Francisco, and CNET News.com had an opportunity to talk with a handful of RFID vendors. None wanted to be quoted, nor would any discuss replacing the current 40-bit code with 128-bit AES anytime soon. Few were familiar with the Johns Hopkins/RSA study we cited, and even fewer knew about keyless ignition cars being stolen in Europe.
Even Consumer Reports acknowledges that keyless ignition systems might not be secure enough for prime time, yet the RFID industry continues to whistle its happy little tune. Until the keyless systems are changed, any car we buy will have an ignition key that can't be copied with a laptop.
28 comments
From the National Insurance Crime Bureau;
http://www.nicb.org/public/newsroom/hotwheels/index.cfm
It has nothing to do with how easy or hard it is to crack. It is like the theater charging you $5 for $0.25 worth of popcorn.
OMGZ!!!!!!111oneone
getting drunk and eating here, then as the night was getting to an end, he went to fetch his pullover from the car. He realised that he'd left his keys on the front seat of his HSV Holden, which has this feature. He came up again and said "guess what? I've locked my bloody keys in my car!!" He said "Gee, I'm so stupid! What a dick I am! How in hell am I gonna get home, Chris?" I told him that I remembered hearing on the net, whilst searching into RSA/encryption etc. etc. for a software project I had to do for work, that I came across an article about this matter, which did concern the hell out of me, because I have one of these bloody cars myself. So I went and did a search for this again, to try and find the software, and one that would work on a PowerBook G4 laptop, as the desktop I have would be out of range of our unit's carpark. I compiled up the software while he watched. He said "I hope this works, I bet you can do it."

Well... guess what guys... to his delight and his relief, after me and him sitting there on fold-up chairs with the PowerBook G4 on knee, it took us about 3 minutes to find the right challenge and response codes, then I hit enter and CLICK, up went the central locking on his HSV Holden! He just laughed and laughed, and yelled in the carpark "hurray for Macintosh software developers! Yeee haaaaa!" It was really quite funny, and we laughed about this at work on Monday morning.

That was a nice legit use of this knowledge to help out a forgetful mate. I also helped read the car's manual, to change the settings so that the car does not use its 'autolocking' feature. I disabled that feature on my Capri, for this reason!! Because I'm known to be a little 'pre-occupied' at times and I wanted to prevent this happening to me! His car and mine have that feature and a few of the girls where I work have it too. Did yours have that??

I hate that bloody 'auto-lock' feature!! I recommend disabling it, if you're the forgetful type!

Chris J, in Australia.
Amusing... let's just hope that was a typo, after all the "X" and "S" keys are pretty close. Oh, and let's not forget the fact that X5 and S5 sound similar when you say it to your speech-to-text computer. You'd think someone who types a bunch of, well, ******** about keyless car thieves would actually have probably towed the cars away and parted them off. Having the time it takes to walk into Starbucks, drink a grande latte and eat your scone and walk out some 10-15 minutes later to go through a trillion 40-bit codes, the keyless chip makers probably realize that you're more likely to have been struck by lightning and have your social security and credit card numbers stolen all in the same day. And if you actually watch the videos Johns Hopkins University put out you'd see there was more than 15 minutes involved; it was well planned and it involved DST chips, not remote keyless entry/ignition like used in, say... BMWs for one. Not to mention the fact that even with keyless ignition you still need to break the steering lock, which from experience can be pretty hard to do without the knowledge of the specific car model and the proper tools.

Okay, everyone else, let's cross our fingers and hope that we don't see someone standing next to our car with a laptop when we do come out of Starbucks; that confrontation might be a little awkward. "Mind if I get my tent out of the trunk while you finish with that?"

Giving a good excuse like my computer screwed up, let's just say I thought more people would read it this way. :)

Oh, and that ******** is a compound word that begins with a "B" and ends with a "T", that is, if anyone was curious.
For starters, BMW doesn't make an S5 - Beckham had two X5s stolen from him. That would normally be a minor detail except for the fact that the X5 doesn't come with Comfort Access (n.b. BMW's new 3er, 5er, 6er, and 7er all have the Comfort Access keyless system) - even though the story positions the Beckham thefts as if they were due to Comfort Access.
I saw a similar article on leftlanenews.com days ago - also citing the X5 thefts as if they were due to Comfort Access - so it sounds as if this is just going to make the rounds despite faulty reporting by all parties.
How? Since the key doesn't need any action from the user to open the car, the keys are active all the time waiting for a signal from the car. And since the keys are passive, the car is always sending that signal. So if someone wanted to just open the car, the only thing that's needed is a two-way wireless amplifier or repeater. Just put one end of the repeater pair near the car, and the other end near the owner with the keys in Starbucks. The car broadcasts its signal, it gets relayed by the amplifier to the repeater at Starbucks and that unit sends the signal to the keys in the owner's pocket. The key, hearing a call from the car, responds with its signal, which is then relayed to the car, which opens the door and unlocks everything.
From there, the thief should be able to start the engine with a traditional key (which should not be a problem for an expert car thief).
This would work regardless of the protocol, technology or code bit length. It would fail only if the key was extremely time sensitive, but since we are talking about nanosecond delays and this is digital cryptography this is unlikely.
Of course, then the thieves, after getting away with the car, need to replace the necessary electronics in order to be able to start the car again, but they could do so from the safety of their hideouts.
The only way to prevent this is to use keys that require that the user presses a button for the security to be disengaged. Laziness never pays.
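The relay the commenter describes, simulated as an added example (not code from the comment, from any carmaker or from the study): the attacker's repeater forwards the car's challenge to the fob in the owner's pocket and the fob's genuine answer back, so the cryptography passes no matter how long the key is. The car's round-trip-time check is the "time sensitive" defence the comment alludes to, usually called distance bounding. The cipher is a hypothetical stand-in (SHA-256 of key||challenge), and the timing is a constructed model, propagation at roughly 0.3 m per nanosecond plus a fixed latency for the repeater; nothing is measured over a real radio.

```python
"""Simulated relay attack on a passive keyless-entry fob, with a round-trip
time bound as the countermeasure. Added example; the cipher and the radio
timing model are both constructed assumptions."""
import hashlib
import secrets

METRES_PER_NS = 0.3  # assumed radio propagation, roughly the speed of light


def respond(key: bytes, challenge: int) -> bytes:
    """Hypothetical keyed function standing in for the fob's cipher."""
    return hashlib.sha256(key + challenge.to_bytes(8, "big")).digest()[:8]


class Fob:
    """Passive fob: answers every challenge it hears, no button press needed."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def answer(self, challenge: int) -> bytes:
        return respond(self._key, challenge)


class Car:
    """Unlocks when a challenge is answered correctly. If max_rtt_ns is set,
    it also rejects answers that arrived too late to have come from nearby."""

    def __init__(self, key: bytes, max_rtt_ns=None) -> None:
        self._key = key
        self.max_rtt_ns = max_rtt_ns

    def try_unlock(self, link) -> bool:
        challenge = secrets.randbits(64)
        response, rtt_ns = link(challenge)  # link models the radio path
        if response != respond(self._key, challenge):
            return False
        if self.max_rtt_ns is not None and rtt_ns > self.max_rtt_ns:
            return False
        return True


def direct_link(fob: Fob, distance_m: float):
    """Fob within range of the car: answer arrives after one round trip."""
    def link(challenge):
        return fob.answer(challenge), 2 * distance_m / METRES_PER_NS
    return link


def relay_link(fob: Fob, distance_m: float, repeater_delay_ns: float):
    """Attacker's two-way repeater: one half by the car, the other by the owner.
    The fob's genuine answer is forwarded unchanged, so any cipher accepts it;
    only the extra distance and repeater latency give the attack away."""
    def link(challenge):
        return fob.answer(challenge), 2 * distance_m / METRES_PER_NS + repeater_delay_ns
    return link


def run_scenarios() -> dict:
    """Constructed scenarios: owner beside the car vs. owner relayed from 150 m."""
    key = secrets.token_bytes(16)
    owner_fob = Fob(key)
    plain_car = Car(key)                    # no timing check
    bounded_car = Car(key, max_rtt_ns=50)   # about a 7.5 m radius at 0.3 m/ns
    near = direct_link(owner_fob, 2.0)                  # rtt ~13 ns
    relayed = relay_link(owner_fob, 150.0, 500.0)       # rtt ~1500 ns
    wrong_fob = direct_link(Fob(b"\x00" * 16), 2.0)     # right timing, wrong key
    return {
        "plain_car_owner": plain_car.try_unlock(near),
        "plain_car_relay": plain_car.try_unlock(relayed),
        "bounded_car_owner": bounded_car.try_unlock(near),
        "bounded_car_relay": bounded_car.try_unlock(relayed),
        "bounded_car_wrong_key": bounded_car.try_unlock(wrong_fob),
    }


if __name__ == "__main__":
    for name, unlocked in run_scenarios().items():
        print(f"{name:24s} unlocked={unlocked}")
```

The relay succeeds against the car that checks only the cryptogram and fails against the one that also bounds the round trip, while a fob with the wrong key fails either way. Real distance-bounding radios have to measure the round trip to within a few nanoseconds to get a useful range; the constructed clock here stands in for that measurement.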
;)