August 04, 2015
Entertainment Systems, Keyless Fobs Making Car Stealing Easier
Keyless entry to cars is opening up a new way to steal cars. Thousands of cars were stolen in London alone last year with keyless entry hacks. Autonomous operation will add another layer of risk.
Terrorist groups might want to direct a person's car to the point of ambush or kidnapping
If you can hack into the car to tell it where to go and also to simultaneously prevent updates in destination from within the passenger compartment then the autonomous vehicle will go where you want it to go.
We need encrypted keyless entry messages that are time-based. Plus, the encryption key info should not be stored on a ROM but rather in an encryption chip.
We also need to car security ratings. How hard is it to break into GM's fobless entry vs Toyota's or Land Rover's?
Update: We really need aftermarket solutions that will let us upgrade the encryption of the fob connection. The OEMs are selling cars with lame security schemes. Does even a single manufacturer sell cars with really high quality fob security?
Randall Parker, 2015 August 04 08:28 PM
There's no particular reason why keyless entry has to be a security risk. You're right, the answer is encryption. It doesn't even have to be complicated encryption, we've got absurdly cheap huge capacity non-volatile memory now. Just go with a completely unbreakable one time pad.
The problem, I think, is that the manufacturers of all sorts of products are under official pressure to make them insecure, because the government wants the products to be vulnerable to it's own hacking.
Let's face it, the police drool over the ability to order a suspect/perpetrator's car to deliver them to the police station the next time they get in it. Just like the government doesn't want phones to have a secure privacy mode that can't be cracked.
The problem isn't technical, I think. It's political.
I'd really like to know why key fob security is so lame. Is it lame for all manufacturers?
The insight here suggests to me that putting your key fob in a Faraday Cage when you are home at night might prevent theft of your car. If that is correct we really need a power-off button on the fob.
Key fob security is lame for two reasons: First, because all the customers are presumed to be idiots, who wouldn't appreciate security anyway, so what's the point? Second, because the government wants to be able to break into your car.
I'm serious, I'm pretty sure most of the lousy security in our electronics is because No Such Agency down to your local police demand that there be backdoors THEY can exploit.
I once wrote a proposal to TRW for a DES-encrypted rolling-code system for key fob transmitters.
They weren't interested. The scheme they were using at the time was trivial to break.
The right to be secure in our “persons, houses, papers, and effects,” includes our cars. We need politicians who will make laws to effectuate that. I like a free-market solution to the technical part, but laws are needed to support the market’s right and ability to do it.
Speaking of hacking driverless cars, once again the inimitable Robert Heinlein predicted this:
"Caxton was not put through to the Secretary General, nor had he expected to be. Instead he spoke with half a dozen underlings and became more aggressive with each one. He was so busy that he did not notice it when his cab ceased to hover and left the parking level.
When he did notice it, it was too late; the cab refused to obey the orders he at once punched into it. Caxton realized bitterly that he had let himself be trapped by a means no professional hoodlum would fall for: his call had been traced, his cab identified, its idiot robot pilot placed under orders of an over-riding police frequency-and the cab itself was being used to arrest him and fetch him in, all most privately and with no fuss. [...] But he wasted no time on this futility but cleared the useless call from the radio and tried at once to call his lawyer, Mark Frisby.
He was still trying when the taxicab landed inside a courtyard landing fiat and his signal was cut off by its walls. He then tried to leave the cab, found that the door would not open-and was hardly surprised to discover that he was becoming very light-headed and was fast losing consciousness-"
Brett Bellmore, you may be right, but I think it's more probably manufacturer incompetence and inertia, combined with lack of sufficient consumer concern.
There is a lot of wickedness in the world, but vastly more incompetence. I follow Einstein's gripe that the most common element in the universe is not hydrogen but stupidity.
Key fob security? Heck, what about external keypad keyless-entry security?
The Ford I just bought has a 10-digit (actually, a 5-digit) touchscreen keypad on the doorframe glass for entry, and they program it at the factory with a permanent code that can never be changed or deleted. You can ADD another access code (and most people do), but that code does not replace the original code. Even worse, they also print the permanent code on a little sticker, and put it under the dash where anyone who knows where to look can find it and copy it down for future use. Ever had your car detailed, a new stereo installed, or perhaps a remote-start added? If you gave strangers access to your car for more that a few minutes and they found that number, your car will never be secure again (they also have your address from the install paperwork). Worse yet, if anything is ever stolen from the interior of the vehicle, the fact that there is no evidence of breaking and entering will be used to deny your insurance claim (they'll claim you either left it unlocked, or someone had a key).
That's disgusting. I want to know the next time I buy a car what is stupid about its security. If you can't change the touch keypad's security sequence and you can't disable it then, yes, you have a serious vulnerability.
What I want: a way to spend more to upgrade my vehicle access to make it more secure. Surely some car company will offer a high security car access option eventually.