
Keyless Remote Entry For Cars May Have Been Cracked

Soulskill posted about a year ago | from the all-your-glove-compartment-are-belong-to-us dept.

Transportation 398

WheezyJoe writes "The Today Show had a piece this morning showing video of thieves apparently using a small device to open and enter cars equipped with keyless entry. Electronic key fobs, which are supposed to be secure, are replacing keys in more and more new cars, but the evidence suggests that a device has been developed which effortlessly bypasses this security (at least on certain makes and models). 'Adding to the mystery, police say the device works on some cars but not others. Other surveillance videos show thieves trying to open a Ford SUV and a Cadillac, with no luck. But an Acura SUV and sedan pop right open. And they always seem to strike on the passenger side. Investigators don't know why.' Police and security experts say they are 'stumped.'"


398 comments


just now? (0)

Anonymous Coward | about a year ago | (#43917743)

I was under the impression that these things were always vulnerable to replay attacks and I wouldn't be surprised if there was a master code as well.

Re:just now? (5, Funny)

Joce640k (829181) | about a year ago | (#43917895)

Nah, it's just a tennis ball with a hole in it.

Re:just now? (5, Informative)

jeffmeden (135043) | about a year ago | (#43917951)

I was under the impression that these things were always vulnerable to replay attacks and I wouldn't be surprised if there was a master code as well.

See Rolling Code [wikipedia.org] for why you are under the wrong impression. There might be a recent vulnerability, but for the vast extent of their history these kinds of systems have been safe against amateur tactics like simple radio tricks, and if there is a "Backdoor" code it has been a pretty well guarded secret.

Re:just now? (3, Insightful)

thunderclap (972782) | about a year ago | (#43918309)

This wasn't an amateur attack. This is security by obscurity. SMH. So they had it set to a high level of encryption like maybe 256. Computers are powerful enough now that it can be done with a short amount of time and patience. That's what cops don't grasp. It was never hard to break in for someone skilled. It was time consuming. Yes it took someone who could roll crypto with program writing. How do you think iPhones were jailbroken? Android rooted? DeCSS, and Blu-ray broken? Same way.
Honestly, they wanted to steal without getting caught. Now they simply unlock the door and look around.
The caveats are always the same. Never store valuables in your vehicle. Never assume it's safe. Always be vigilant.

Re:just now? (2)

lister king of smeg (2481612) | about a year ago | (#43918415)

It's more than that now, though, as more and more cars come with keyless start, where you just have to have the fob within a certain proximity of the vehicle to start it. Now that this has been cracked, all that it will take for a car thief is a little bit of crypto know-how, and they will be able to take off with random cars off the street and no one will be the wiser, as to the car it will appear as though it's the correct fob, so no security alert like when someone tries to hot-wire it or open the lock with a coat hanger.

Re:just now? (4, Interesting)

Tuidjy (321055) | about a year ago | (#43918303)

Some are vulnerable to replay attacks, but Hondas (and Acuras, which are Hondas) most definitely should not be. There was a European study that used more than just simple replay attacks, and they found a dozen brands of remote devices that were susceptible. Hondas were not amongst them.

This said, the article is retarded. I hope it's not the police officers' stupidity, but the authors'.

1) Of course they will go for the passenger's door, you morons, that's where drivers leave their stuff, and that's where the glove compartment is. The thieves are not stealing the cars, they are burglarizing them.

2) Of course, it will not work on all cars, you morons. The remotes use different protocols, and the thieves clearly have cracked Honda's. This will not help them much with Ford's.

3) Ok... three I'll keep to myself. As a former law enforcement agent, I'm sure the officers know that one, and are keeping it close to their chest. The authors are still morons, though.

Re:just now? (4, Interesting)

Tuidjy (321055) | about a year ago | (#43918389)

Actually, now that I have had two minutes to think about it, I have a theory.

It may be that the thieves did not hack the remote, maybe they are triggering accident detection, which unlocks the doors. If I were a Honda engineer, this is what I would look at first.

Hell, maybe Honda is even blameless. I know some car dealerships push poorly thought-out mods on their customers. I would check to see whether there isn't a local dealership that is peddling a 'safety' add-on.

Re:just now? (1)

cusco (717999) | about a year ago | (#43918397)

You tease . . .

Stumped my ass (5, Insightful)

Anonymous Coward | about a year ago | (#43917757)

Haven't we seen proof of concept hacks of these kinds for a while?

Also, "adding to the mystery", also my ass. Different keyfobs work with different algorithms and protocols. Someone's hacked a particular subset of them.

Re:Stumped my ass (5, Funny)

ackthpt (218170) | about a year ago | (#43917869)

Haven't we seen proof of concept hacks of these kinds for a while?

Also, "adding to the mystery", also my ass. Different keyfobs work with different algorithms and protocols. Someone's hacked a particular subset of them.

Maybe the car is sentient, hates the current owner and wants to be stolen.

Re:Stumped my ass (4, Interesting)

Trepidity (597) | about a year ago | (#43917879)

Yeah, the fact that it works only on certain makes/models, if anything, makes it much less mysterious. Compromises that exploit particular broken implementations of a cryptosystem are by far the most common kind of vulnerability, more common than fundamental breaks of a cryptosystem. If this device is opening only certain kinds of Hondas, it's likely Honda screwed up its implementation in at least some models.

Re:Stumped my ass (0)

Anonymous Coward | about a year ago | (#43918093)

Seems like that is the case. Although one of the cars in the video on this it looks like the guy is just walking down the rows as he looks like he is about to walk by the car and has to backpedal a little. I do have to say I think passenger side is just easier for the thief. They aren't stealing the car; they just want anything easy to grab and sell later, which means glove box and any up front pockets where a driver might throw money or a cell phone.

Re:Stumped my ass (1)

thunderclap (972782) | about a year ago | (#43918331)

All it takes is once.

Re:Stumped my ass (3, Informative)

Anonymous Coward | about a year ago | (#43917963)

Also, "adding to the mystery", also my ass. Different keyfobs work with different algorithms and protocols. Someone's hacked a particular subset of them.

The linked article on Today is horrible. They also talk over and over about how "The Police" are stumped. As if "The Police" was some kind of borg mind. Better articles with more facts and less made up stuff can be found [msn.com]. It's the Long Beach Police Department, btw.

Re:Stumped my ass (5, Funny)

optikos (1187213) | about a year ago | (#43918227)

They also talk over and over about how "The Police" are stumped. As if "The Police" was some kind of borg mind.

Well, The Police did put out an album entitled Ghost in the Machine, so perhaps that qualifies as Borg-Lite.

Re:Stumped my ass (5, Interesting)

chuckinator (2409512) | about a year ago | (#43918195)

An older engineer I worked with once told me a story about a car manufacturer (don't remember which one) using the CAN bus to control the side view mirrors. Well, the CAN bus is an electrical bus without any form of authentication or security, and car thieves started to make a habit of busting off one of the side mirrors and issuing the unlock doors message on the bus. Note that the authenticity of this story is what you should expect from typical water cooler gossip.

Re:Stumped my ass (4, Interesting)

Amouth (879122) | about a year ago | (#43918311)

that was a Volvo, everything uses the same damn bus

Seems an unnecessary feature (1)

therealkevinkretz (1585825) | about a year ago | (#43917761)

Maybe not so much the remote lock/unlock feature, but to be able to start it without actually inserting the key? A carjacker can push someone into their car as the door is opened and start it without fumbling for a key. Depending on the behavior of the car when the key becomes too far away, it can shut down during operation - dangerous - or be immobilized at its next destination (think a couple arrive at home, keyholder enters home and driver goes to run an errand).

Re:Seems an unnecessary feature (0)

Anonymous Coward | about a year ago | (#43917891)

If a carjacker is forcing me into my car, the last thing I want is to have to fumble for anything and agitate my assailant. My key stays in my pocket, which means it goes with me when I get out of the car, leaving the thieving dickbag stranded wherever he stops the car next, too. That, and not using a key every day (with its metal-on-metal wear) means I never have to worry about sticky ignitions or complete failure of the key. If my fob battery runs out, the actual metal key comes out and there is a place to put it in the steering column, so I won't be stranded. Not a necessary invention, but does make my life that much easier.

Re:Seems an unnecessary feature (5, Informative)

VAXcat (674775) | about a year ago | (#43917935)

Never get into a car with a carjacker. People who do that wind up at the secondary crime scene, where the homicide (yours) takes place. Run away if you can, fight if you must, but don't get in the car.

Re:Seems an unnecessary feature (1)

therealkevinkretz (1585825) | about a year ago | (#43918009)

Not all of them have actual keys.

Re:Seems an unnecessary feature (1)

The MAZZTer (911996) | about a year ago | (#43918085)

Pretty sure they would. It's a nice reliable fallback.

You can't tell that mine has a key because it's hidden inside the fob, you have to pull a little latch and the key slides out.

Re:Seems an unnecessary feature (1)

demonlapin (527802) | about a year ago | (#43918187)

On Toyota, that key is for the door. There's a small antenna in the fob that provides just enough power to authenticate if you hold the fob up to the start button's metal ring.

Re:Seems an unnecessary feature (0)

Anonymous Coward | about a year ago | (#43918405)

It may not be as fancy as the luxury fobs, but so far, I've been content with the rather pedestrian key on my current ride. If the battery dies, I use the key on the driver's door, and the transponder for the ignition uses power from the vehicle. Separate subsystems.

For actual tweaker-resistant security, that is what reinforced strongboxes that are well bolted down in the trunk are for. A thief might have easy street getting to it, but getting it open requires more than just a long screwdriver or a crowbar.

As for burglar alarms, the only ones I've found that work at all are the ones that dump pink fog into the interior of the vehicle, because that creates a spectacle that attracts people, while a car alarm going off just makes people cheer the thief on in most cases.

Re:Seems an unnecessary feature (5, Informative)

Trepidity (597) | about a year ago | (#43917899)

As far as I can tell, the compromise discussed in this article is only keyless entry, not related to starting a car. The thieves are using it to steal stuff like cell phones and GPS units from inside parked cars, not stealing the cars themselves.

Re:Seems an unnecessary feature (1)

Anonymous Coward | about a year ago | (#43917909)

The latter happened to me, I had the key in my pocket, but was the passenger. My wife dropped me off somewhere, neither of us realizing I had the key, and once she drove where she was going and shut off the car, we were both stuck. The car was fine running without the key, and didn't alert her immediately when it lost track of the key (maybe it doesn't periodically check for it once it is running?)

Re:Seems an unnecessary feature (1)

Keith Mickunas (460655) | about a year ago | (#43918193)

Did the car not notify her in some way that the key was no longer in the car? I know my Ford does this, it beeps and displays something on the dash if I get out of the car with the key and leave the car running. I'm pretty sure my BMW had a similar feature but I don't have it anymore so I can't verify that.

Re:Seems an unnecessary feature (1)

cdrudge (68377) | about a year ago | (#43917949)

The keyfob works to start or keep the car running only a matter of a few feet. If you get out of the car, or someone forces past you to get into the car when you're not in it they aren't going to start it with you standing outside the vehicle. Worst case, they might get a few feet before the car shuts down.

It's a convenience feature that isn't necessary, but some people want it. They can keep their keys in their pocket or purse and not take them out to start the vehicle.

Re:Seems an unnecessary feature (1)

klubar (591384) | about a year ago | (#43918165)

At least on the Prius once the car is running even if you move the key fob out of range, the car keeps running (actually a good safety feature as you wouldn't want the car to shut down on a key fob failure.) On the Prius (and maybe other Toyotas), there is a metal key for mechanically unlocking the driver's side door and an electronic slot for starting the car. You can use the electronic slot if the key fob battery is completely dead so I suspect it's a passive NFC device. There is also a mode that you can disable the active detection feature and always have to use the dashboard slot. Other models probably have similar features.

Re:Seems an unnecessary feature (1)

demonlapin (527802) | about a year ago | (#43918201)

You can drive my Lexus all over creation without the key, but you can't restart it once you turn it off.

Re:Seems an unnecessary feature (1)

Hadlock (143607) | about a year ago | (#43918029)

It's a lot easier to fence a laptop, cell phone, digital projector, petty cash, company credit card or whatever other sales materials/samples a business traveler might have in their car, than driving an entire car (and its easily traceable serial numbers) back to a chop shop. Plus you have to go back (taxi?) to the scene of the crime to get your car. The logistics just don't make sense.

Re:Seems an unnecessary feature (1)

jon3k (691256) | about a year ago | (#43918049)

I'm sure keyless start will cause carjacking rates to sky rocket.

Wait, no it won't.

Re:Seems an unnecessary feature (1)

The MAZZTer (911996) | about a year ago | (#43918071)

On the other hand, if a carjacker pulls me OUT of my running car and drives away (I keep my doors locked, but still)... the keyfob is still in my pocket and I can even hit the alarm for whatever good that will do (I don't know if the car shuts off if I get too far away, once I started it up to fill my tires but I never went too far), but more importantly he can't shut the car off or he can't start it again.

Re:Seems an unnecessary feature (2)

CAIMLAS (41445) | about a year ago | (#43918155)

I believe the key actually has to be present only for the initial start of the car, though I might be mistaken. That would be how I'd design it, at any rate. I see no point in the key needing to be present while the vehicle is in operation.

On the whole, keyless start is an irritating and stupid feature, I think. For those of us who work out of our vehicles, it's irritating to have to lock/unlock the vehicle frequently just to make sure it's not jacked.

Re:Seems an unnecessary feature (3, Informative)

Anonymous Coward | about a year ago | (#43918261)

Maybe not so much the remote lock/unlock feature, but to be able to start it without actually inserting the key? A carjacker can push someone into their car as the door is opened and start it without fumbling for a key. Depending on the behavior of the car when the key becomes too far away, it can shut down during operation - dangerous - or be immobilized at its next destination (think a couple arrive at home, keyholder enters home and driver goes to run an errand).

There are several systems involved here.
First of all you have the remote lock/alarm/window fobs. These are powered by a small watch-style battery in the fob, and allow the car to be locked/unlocked (or roll down windows) from a pretty good distance away, sometimes as far as 50 yards or more. This is basically a coded message using a pre-shared key stored on the FOB and in the car's computer system. Unless you have a specific remote-start system added to the car (or built in to a few luxury models) this won't actually start the car itself.

The second system involved is a Proximity based system. This also relies on the battery working, and allows a push-button unlock on the door to be used or the car to be started if the fob is inside the passenger compartment and within a few feet of the ignition. It's a similar mechanism to the remote unlock, and like the remote unlock if the battery fails it doesn't work.

Finally, you have an RFID-based anti-theft/anti-key-copying system built into the ignition. Each physical key has an RFID chip built into it, sometimes you can see them embedded in the key itself, sometimes it's hidden inside the plastic molding on the head of the key. This is not battery powered, and will not unlock the car at all. All it really does is prevent the ignition from working unless the inserted key has a functioning RFID chip.

Most fobs have a physical key that can be removed from the fob, so that if the battery stops working the key can be used physically for unlocking and starting the car- but remember the RFID will not allow the push-button unlock or the keyless ignition to work, it has to be physically inserted.

Now down to the article.
They don't bother telling us if any of those systems have remote start capability, or if they are just keyless entry and keyless start systems.
They also don't tell us how close the thieves are getting to the vehicle.
They don't come out and say it, but they are calling these thefts of the actual vehicle, not just people robbing stuff from the interior.

So what this boils down to is as follows:
If the thieves are actually stealing the cars, then we must know if the stolen vehicles had remote start or just keyless start. We must also know how close they get to the door. Once they have that information, they should be able to easily deduce which system is being compromised- the remote start or the keyless entry.

As for how they are doing it, it's most likely a weakness in how the key codes are being generated by the systems in question, or else a weakness with one particular remote start system. The initial keycodes in the fobs are generated at the factory, but can be reprogrammed at a dealership (which you have to do if you get a new key or replace a lost key). So it could be just a problem with factory default codes being too predictable. I would guess the "device" is just a normal keyless entry transmitter which has a bunch of pre-loaded codes that it runs through until it gets a "hit".
But it's also possible they're running a brute-force attack and just trying all possible combinations. These things use a pre-shared key to encrypt the remote commands, but as there is a very limited number of commands and the format doesn't vary it might very well be possible to crack the crypto using other methods as well. These are all proprietary systems and they won't even tell you the key length, let alone details about how the communication works.
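
The rolling-code idea linked earlier in the thread, and the "coded message using a pre-shared key" described in the comment above, sketched from the receiver's side as an added example (not part of any comment and not any manufacturer's scheme). HMAC-SHA256 stands in for the proprietary cipher; the frame layout, look-ahead window, command codes and key are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

WINDOW = 16                 # assumed look-ahead for presses made out of range
TAG_LEN = 8                 # assumed truncated-MAC length in bytes
FRAME_LEN = 5 + TAG_LEN     # 4-byte counter + 1-byte command + tag
UNLOCK, LOCK = 0x01, 0x02   # hypothetical command codes


def fob_frame(key: bytes, counter: int, command: int) -> bytes:
    """Fob side: counter || command || MAC over both, keyed with the shared key."""
    body = struct.pack(">IB", counter, command)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class FixedCodeReceiver:
    """Weak baseline: one static code is valid forever, so a recording is too."""

    def __init__(self, code: bytes):
        self.code = code

    def accept(self, frame: bytes) -> str:
        return "ok" if hmac.compare_digest(frame, self.code) else "rejected"


class RollingCodeReceiver:
    """Accepts a frame only if its MAC verifies and its counter moves forward."""

    def __init__(self, key: bytes, last_counter: int = 0):
        self.key = key
        self.last_counter = last_counter

    def accept(self, frame: bytes) -> str:
        if len(frame) != FRAME_LEN:
            return "malformed"
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "bad-tag"            # wrong key, or command/counter altered
        counter, _command = struct.unpack(">IB", body)
        if counter <= self.last_counter:
            return "replay"             # already used: a recording is worthless
        if counter > self.last_counter + WINDOW:
            return "out-of-window"      # too far ahead: needs a manual resync
        self.last_counter = counter     # advance only on a fully valid frame
        return "ok"


def demo() -> dict:
    key = bytes(range(16))              # constructed sample key, not a real one
    results = {}

    fixed = FixedCodeReceiver(b"STATIC-CODE")
    results["fixed_first"] = fixed.accept(b"STATIC-CODE")
    results["fixed_replay"] = fixed.accept(b"STATIC-CODE")

    car = RollingCodeReceiver(key)
    press1 = fob_frame(key, 1, UNLOCK)
    results["rolling_first"] = car.accept(press1)
    results["rolling_replay"] = car.accept(press1)

    # Presses 2-4 happened out of range; press 5 is the next one the car hears.
    results["resync_in_window"] = car.accept(fob_frame(key, 5, LOCK))
    results["far_ahead"] = car.accept(fob_frame(key, 5 + WINDOW + 1, UNLOCK))

    # A valid LOCK frame with its command byte flipped to UNLOCK in transit.
    altered = bytearray(fob_frame(key, 6, LOCK))
    altered[4] = UNLOCK
    results["tampered"] = car.accept(bytes(altered))

    # A frame built with a key the car does not share.
    results["wrong_key"] = car.accept(fob_frame(b"\x00" * 16, 6, UNLOCK))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} {outcome}")
```

The security of this design rests on the key staying secret and the counter being covered by the MAC, not on the frame format being unknown.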

Just a thought. (4, Insightful)

Capt.DrumkenBum (1173011) | about a year ago | (#43917793)

they always seem to strike on the passenger side

Maybe because people commonly stuff things like their GPS into the glove box, which is located on the passenger side?
My car is so old it doesn't even have door locks, so not really a problem for me.

Re:Just a thought. (1)

Anonymous Coward | about a year ago | (#43917917)

they always seem to strike on the passenger side

Maybe because people commonly stuff things like their GPS into the glove box, which is located on the passenger side?

My car is so old it doesn't even have door locks, so not really a problem for me.

Can't speak for all cars, but several I am familiar with unlock all doors simultaneously if you touch the passenger handle instead of just the driver door if you use that handle. Could save them a few seconds if they were going to open more than one door, and they likely don't want to hang around the car for very long. But the glove box is very plausible as well (unless they are trying to steal the car itself).

Re:Just a thought. (4, Insightful)

dkleinsc (563838) | about a year ago | (#43917923)

Also, the passenger side is right next to the sidewalk if the car is parallel-parked. That makes it a lot easier than trying to break into a car while traffic is barely missing your tush.

Re:Just a thought. (2)

wile_e8 (958263) | about a year ago | (#43917995)

Also no steering wheel on that side. As long as they are just stealing valuables from the car, it's one less obstacle to pull stuff around and no chance of hitting the car horn and alerting the people in the house.

Re:Just a thought. (2)

gl4ss (559668) | about a year ago | (#43917925)

maybe they should try to find which device it is.
here's a thought though, maybe it causes induction in the lock relay itself.
a more realistic reason though is this: it's less suspicious if someone goes to a car on the passenger side, gets something and gets out again, like picking something up from the car he's supposed to be picking up.

or cars are just parked with the passenger door towards sidewalk....

Re:Just a thought. (2)

CAIMLAS (41445) | about a year ago | (#43918179)

Add to the fact that most in-vehicle theft is performed with a broken window, it's kinda stupid. I'd prefer to leave my doors unlocked so I don't have to shell out $300 for new glass - and a broken window is a much more visible sign of B&E than someone fiddling with a coat hanger or gaining access keyless.

Re:Just a thought. (1)

Col. Klink (retired) (11632) | about a year ago | (#43918365)

I just wish thieves would check to see if the door is locked before breaking the glass. I had a quarter glass shattered in my unlocked car.

PS: Never, ever, lock a soft-top convertible.

Re:Just a thought. (5, Funny)

ThePeices (635180) | about a year ago | (#43918427)

Add to the fact that most in-vehicle theft is performed with a broken window

Isn't that kinda dangerous for the burglar? Walking around with a broken window to be used to break into a car is unwieldy, and they can easily cut themselves on the glass of the broken window they are carrying.

Not to mention it would look pretty suspicious walking down the street with a broken window.

kits for sale online (2, Interesting)

Anonymous Coward | about a year ago | (#43917805)

You can get a keyless universal unlocker from china for around $2000USD.

Re:kits for sale online (1)

Jonah Hex (651948) | about a year ago | (#43917871)

Someone should check Silk Road for what's available in this type of technology, isn't that where all the underground stuff is sold these days? - HEX

Re:kits for sale online (0)

Anonymous Coward | about a year ago | (#43918027)

I saw them on Alibaba - also, you could save yourself 2k and use this instead - http://j-walkblog.com/images/keylessentry.png

probably not a key that is sent (3, Interesting)

roman_mir (125474) | about a year ago | (#43917813)

This is probably something that is not what is expected, like some of those steering wheel locks that can be removed by breaking them in half by hitting in the middle of them rather than trying to pick the lock. They are not breaking the encryption, they are breaking the system, going around the expected secure path, not through it.

Re:probably not a key that is sent (2)

mindwhip (894744) | about a year ago | (#43918169)

You are probably right... Either that or it's a brute force attack and they just throw lots of codes at it in a short time and hope one works which is unlikely.

My guess is they have radio/microwave transmitter that is causing a computer reboot/corruption or messing with the sensor information being fed from the mechanical parts of the lock and tricking the computer into thinking the mechanical key was used which triggers the central locking to open. As for the passenger side thing it could be that side is more vulnerable due to longer/shorter wires or the actual location of the computer.

Re:probably not a key that is sent (1)

thunderclap (972782) | about a year ago | (#43918377)

Are you suggesting a basic buffer overload? If so that would be ROTFLOL!

If we had the source (0)

Anonymous Coward | about a year ago | (#43917845)

Do we have the source to these remote key systems? Did they leave in backdoors? It's probably some kind of default dealership/factory key that people took when they got fired.

Or attacking the source... (1)

0x537461746943 (781157) | about a year ago | (#43917853)

And getting access to the keys and/or algorithms that generate said keyfobs. How well are the companies protecting them?

Re:Or attacking the source... (1)

h4rr4r (612664) | about a year ago | (#43918073)

Having access to the algorithms should not compromise security.

Re:Or attacking the source... (1)

fuzzyfuzzyfungus (1223518) | about a year ago | (#43918213)

Having access to the algorithms should not compromise security.

Assuming that they are using some actually-competent cryptosystem, and didn't add a 'convenience feature' somewhere foolish to make it easier to create replacement fobs.

Given the historical enthusiasm in lock and key circles for 'blind codes' that are super-magical-secure and can only be turned into bitting codes with the equally super-magical-secure codebooks that Trustworthy Authorized Locksmiths are supposed to have access to, I wouldn't be 100% optimistic about the market being handled according to the standards of professional cryptanalysts...

Re:Or attacking the source... (1)

h4rr4r (612664) | about a year ago | (#43918335)

Valid, and stupid on their part. That is why I said should.

Re:Or attacking the source... (1)

Spritzer (950539) | about a year ago | (#43918229)

Unless the algorithms are flawed and exploitable

Re:Or attacking the source... (1)

h4rr4r (612664) | about a year ago | (#43918237)

If that is the case then they lost before they started.

Short Term Investment (1, Funny)

Anonymous Coward | about a year ago | (#43917877)

Step 1: Set up lots of situations where surveillance shows a car getting "stolen." Do something no one can understand. Get it promoted to the news.

Step 2: industry professionals puzzle over this, finding and publishing some hole they end up finding.

Step 3: Steal cars using the newly published method, since most people are lazy and won't heed the software update/recall notices.

Convoluted? Sure. Plausible? Perhaps.

This tempts me to go black hat so bad. (2)

GoodNewsJimDotCom (2244874) | about a year ago | (#43917881)

This tempts me so bad. I don't want to steal cars. I just want a button that sets off everyone's panic alarms.

Re:This tempts me to go black hat so bad. (1)

Starteck81 (917280) | about a year ago | (#43917985)

This tempts me so bad. I don't want to steal cars. I just want a button that sets off everyone's panic alarms.

Have you thought about trying a wiffle ball bat with a thin layer of foam on it? Sure, you have to run up and down the row of vehicles to make it work but it's 100% reliable and much cheaper.

Re:This tempts me to go black hat so bad. (2)

h4rr4r (612664) | about a year ago | (#43918055)

That sets off car alarms, most cars do not have them.

He wants to trigger the panic button, which just uses the normal horn and pretty much all cars with keyless entry have.

Not code cracking but some other mechanism? (2)

cruff (171569) | about a year ago | (#43917885)

What if the preference (or requirement) for doing this on the passenger side is due to the physical location of some wiring or other device that is susceptible to some kind of electronic signal or noise conduction into other circuitry that ends up causing the unlock?

Re:Not code cracking but some other mechanism? (0)

Anonymous Coward | about a year ago | (#43917979)

Yeah, that was my thought too - if the car circuit parses things really fast, not bounded by the expected transmission rate from the key, high frequency noise could be a very reasonable attack vector. Why brute force when randomness can do it for you?

It isn't an EMP. The guy walking down the street in the Illinois clip appears to be fishing for vehicles it unlocks - he is already past the door when that sedan opens, acts surprised and goes back. Thus whatever this is, it can transmit continuously... though seemingly only in a fairly local region.

Re:Not code cracking but some other mechanism? (1)

bobbied (2522392) | about a year ago | (#43918181)

No, doesn't make much sense to use EMP. Generating enough of a pulse to trigger something at 5 feet is going to take a pretty big device.

My money is on them having broken a backdoor code or are able to capture/replay when the driver "locks" the door.

Re:Not code cracking but some other mechanism? (2)

bobbied (2522392) | about a year ago | (#43918203)

OR.... They simply are opening unlocked doors..... (See post from jklovanc below)

Re:Not code cracking but some other mechanism? (1)

Dynedain (141758) | about a year ago | (#43918355)

Good guess. All you need to do is trigger the relay which could be electronic/magnetic instead of digital.

Seems to be "Honda-Specific" (2)

bradgoodman (964302) | about a year ago | (#43917961)

They sited Hondas and Acuras. As Acura is made by Honda - it seems like they're exploiting a bug or vulnerability in a specific device.

Re:Seems to be "Honda-Specific" (0)

Anonymous Coward | about a year ago | (#43918281)

They're not just made by Honda -- they *are* Hondas. Well, everywhere outside of Japan anyway. Maybe it's just North America. Anyway, they started that as a marketing gimmick because we Americans were too stupid to accept the fact that Honda can actually make high quality luxury cars. Or they figured they could charge more money under a different marque. Whatever, point is we're idiots.

Also, cited, not sited :)

I have an exploit that works on all cars (1)

h4rr4r (612664) | about a year ago | (#43917965)

I have an exploit that works on all cars and I am willing to share it!

Step 1. Apply brick swiftly to car side window.
Step 2. Unlock car.
Step 3. Gain entry.

On some models Step 1 will need to be repeated several times before progressing to Step 2.

Re:I have an exploit that works on all cars (1)

bancho (621456) | about a year ago | (#43918131)

Bricks are heavy. I believe an old spark plug works in place of the brick, and has the added benefit of fitting in a pocket.

Re:I have an exploit that works on all cars (1)

h4rr4r (612664) | about a year ago | (#43918161)

I demand you cease and desist. This spark plug method is clearly just a method of infringing on my Brick + Window Intellectual Property. Please have slashdot remove your post and contact me for information on where you may send the settlement check.

Re:I have an exploit that works on all cars (0)

Anonymous Coward | about a year ago | (#43918209)

Here the procedure appears to be:
1. use brick on some car
2. remove "emergency break window hammer" that many people keep in car
3. use said hammer on next cars to cleanly and quickly smash windows.

Re:I have an exploit that works on all cars (1)

chrismcb (983081) | about a year ago | (#43918137)

Step 1. Apply brick swiftly to car side window.

That doesn't always work either.

Re:I have an exploit that works on all cars (1)

h4rr4r (612664) | about a year ago | (#43918141)

On which cars?
Even armored vehicles should just take longer. Possibly a lot longer.

Re:I have an exploit that works on all cars (1)

thunderclap (972782) | about a year ago | (#43918413)

It will on 97% if thrown correctly. The key word is correctly.

Thumb (4, Informative)

jklovanc (1603149) | about a year ago | (#43917987)

Did anyone even really watch the video? The "object" in his hand was his thumb. He was opening a door where the handle is embedded in the door. His palm was up and his thumb was out. The door was not locked in the first place. Did anyone see him try the door before he supposedly used the "device"? The incident with the guy with the backpack is even more telling. He was walking along trying doors till he found one unlocked. Notice we took a step back when the door opened.

What is the evidence that the vehicles were locked? Statements from the victims who would lose the insurance award if they admitted that they forgot to lock their vehicle?

As another poster put it, these criminals are targeting vehicle contents; most of which are in the glove compartment.

Re:Thumb (4, Insightful)

workactnumberfive (2778027) | about a year ago | (#43918089)

The incident with the guy with the backpack is even more telling. He was walking along trying doors till he found one unlocked. Notice we took a step back when the door opened.

He is walking by cars, hitting the button on his device. If you watch it again, you'll see that as he walks by, the lights in the car go on before he touches it...just like they do when you hit your unlock button on the keyfob. When that happens, he then backs up to enter the vehicle, as it is now unlocked.

Re:Thumb (2)

jklovanc (1603149) | about a year ago | (#43918175)

His hand is on the door handle as he walks by. The inside lights come on when the door is unlatched as well as when the remote is used.

Re:Thumb (1)

Anonymous Coward | about a year ago | (#43918103)

I watched the video again and sure enough, they're just opening unlocked doors. I was sure the backpack guy was past the door, but no. His hand was still on the handle when the dome light came on. Mr Home Security Camera forgot to lock his door.

Re:Thumb (0)

Anonymous Coward | about a year ago | (#43918107)

Interior lights came on before the door was tried.

Re:Thumb (1)

AmiMoJo (196126) | about a year ago | (#43918123)

Maybe the guy was just looking for a car vulnerable to this attack, trying each car in turn. It seems to be very short range. Trying the handle might just be the device not working the first time and having to trigger it again. The video quality is too poor to really see anything.

If there is no-one in my Mitsubishi it locks itself after about a minute. Unless you leave something heavy on a seat so it thinks there is someone sitting there it is impossible to leave it unlocked.

Re:Thumb (1)

jklovanc (1603149) | about a year ago | (#43918199)

Hence the fact it works on some cars and not others. Opening an unlocked door does not work on cars that automatically lock their doors.

You must not be familiar with keyless (5, Informative)

1800maxim (702377) | about a year ago | (#43918135)

A driver carries a pass, a credit card sized remote (or a keyless fob). As the driver approaches the vehicle, the vehicle scans the remote and is ready to unlock if you touch the handle. The door handle also has a sensor where your thumb goes. As soon as you touch it, and if the vehicle registers the keyless remote, the door is opened.

Such cars (usually) have push-button start systems that also work based on the proximity of the keyless remote.

It is very convenient if your hands are full and you want to open the rear door, for example, without having to search your pocket and fumble with buttons.

Approach the car, open the handle, press the button - drive. No need to even touch the key/remote, which sits in your wallet or pocket.

Re:You must not be familiar with keyless (1)

jklovanc (1603149) | about a year ago | (#43918235)

Very few cars have that right now and I doubt any of those in the video do.

Re:You must not be familiar with keyless (0)

Anonymous Coward | about a year ago | (#43918307)

You must not be familiar with slashdot. The summary and the article don't match.

The article describes a hack for "remote keyless entry", which is where the user is required to push a button on an "electronic key fob" to unlock the car door.

But you and the summary are describing "smart key systems", which is where the user can often start the car just by having an electronic smart key in the car.

Further, you are confused because you seem to think that because some models of the smart key system have the auto-unlock feature you describe, you seem to think that therefore all models have an auto-unlock feature. You are incorrect.

Re:Thumb (1)

bobbied (2522392) | about a year ago | (#43918211)

Where are my mod points....

Mod this post UP folks..

Re:Thumb (1)

Hadlock (143607) | about a year ago | (#43918247)

You still need to physically open the door? Presumably the device can be activated with the off hand.

I almost expect... (1)

SmurfButcher Bob (313810) | about a year ago | (#43918017)

unlock = true;
try {
    if (!rxkeycode()) { unlock = false; }
} catch { }
if (unlock) { unlock_the_door(); }

Short of having found a "master keycode", I'd suspect something analogous to the above. Pretty much find any type of problem in the hypothetical rxkeycode() and you win, if that's how it's implemented. The cars it doesn't work on... either the triggered bug doesn't happen, or the logic starts with "unlock=false" blah blah blah.

Would be interesting to know, not that they'll ever tell.
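
The fail-open pattern sketched in the comment above, next to a default-deny version, as an added example that is not part of the original post and not any manufacturer's code. `rx_keycode`, the frame layout (one length byte followed by the code) and the sample frames are hypothetical, constructed only to show how a parser fault changes the outcome.

```python
# Added illustration, not code from the thread. rx_keycode(), the frame
# layout and EXPECTED_CODE are hypothetical stand-ins.
import hmac

EXPECTED_CODE = b"\x12\x34\x56\x78"  # constructed sample code


class FrameError(Exception):
    """Raised when a received frame cannot be parsed."""


def rx_keycode(frame: bytes) -> bool:
    """Parse a constructed frame: one length byte, then the code bytes."""
    if not frame:
        raise FrameError("empty frame")
    if frame[0] != len(frame) - 1:
        raise FrameError("length byte does not match payload")
    return hmac.compare_digest(frame[1:], EXPECTED_CODE)


def should_unlock_fail_open(frame: bytes) -> bool:
    """Pattern from the comment: start unlocked, swallow every error."""
    unlock = True
    try:
        if not rx_keycode(frame):
            unlock = False
    except Exception:
        pass  # a parser fault never reaches the line that denies access
    return unlock


def should_unlock_fail_closed(frame: bytes) -> bool:
    """Default deny: only an explicit successful match unlocks."""
    try:
        return rx_keycode(frame) is True
    except Exception:
        return False  # malformed input is a rejection


# Constructed sample frames: valid, wrong code, bad length byte, empty.
SAMPLES = {
    "valid": b"\x04\x12\x34\x56\x78",
    "wrong": b"\x04\x00\x00\x00\x00",
    "bad_length": b"\x09\x12\x34",
    "empty": b"",
}


def compare(samples=SAMPLES):
    """Return {name: (fail_open_result, fail_closed_result)}."""
    return {name: (should_unlock_fail_open(f), should_unlock_fail_closed(f))
            for name, f in samples.items()}
```

Both versions agree on well-formed frames; they differ only on the malformed ones, which is why this class of bug survives functional testing with valid and invalid codes.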

I had my car robbed once. (0)

Anonymous Coward | about a year ago | (#43918047)

It had nothing in it.

Trollin the trolls.

Re:I had my car robbed once. (0)

Anonymous Coward | about a year ago | (#43918407)

I had an 80-something Ford Fiesta and usually left it unlocked. In the back was a $10 air compressor that was broken. I don't know when the person took it out of my car, but I found it in a field near my house.

Likely the only thing missing out of that car. Literally drove it till it fell apart. The body at least, that engine wasn't even close to dead.

Keypad (3, Insightful)

bhcompy (1877290) | about a year ago | (#43918057)

My 1986 Nissan Maxima had a keypad. I keyed in a code (of my choosing, plugged in at the dealership) and it unlocked my driver door, all my doors, my trunk, etc. I loved it because I could stash my keys in the trunk when I was doing something where I didn't want to keep my keys with me (like going to the gym) and just punch my key in when I wanted access. Sadly, this never caught on. I like it much better than fobs (other than remote start in cold weather).

Re:Keypad (1)

Punchcardz (598335) | about a year ago | (#43918333)

My folks had the same car when I was a kid. It was great because we never had to beg the parents for the keys if we wanted to go wait in the car when we were somewhere, we just had the code.

the thieves read that paper (0)

Anonymous Coward | about a year ago | (#43918087)

www.calcshop.com/images/Analysis_Keyless-entry.pdf

Practical application of the 2007 hack? (0)

Anonymous Coward | about a year ago | (#43918127)

Someone found a way to weaponize the 2007 attack? http://redtape.nbcnews.com/_news/2007/08/28/6345961-researchers-say-theyve-hacked-car-door-locks?lite

Yawn (1)

dhun (1910390) | about a year ago | (#43918143)

Boring...

Acura = Honda (0)

Anonymous Coward | about a year ago | (#43918151)

Guys guys, Acura is a Honda brand. If it's working on Acura, it likely works on all Honda cars, trucks, vans, bikes, etc.

In fact, watching the video ... all those cars mentioned are Honda brands.

Okay so that tells us the device works on Honda. Now what is in common with Honda that isn't with other brands? What is the significance of the passenger side?

If you have ever had a keyless fob, you'll know there's usually four things
1. Unlock drivers side door
2. Unlock all doors
3. Unlock trunk
4. Light/Alarm/Honk (to locate it in a parking lot)

Note there isn't a "unlock passenger side only"

Now look on youtube at how to program a remote. Clearly the car can be told to learn a new remote code without a dealer.

So this suggests to me that some of the following might be true:
a) The thieves are transmitting a code that the car already has, eg a "master key"
b) The thieves are transmitting something to make the car "add" their fob code
c) The thieves are transmitting a "debug" code or "dealer" code that isn't in a normal key fob
d) The thieves are transmitting codes something like the buffer-overflow bug in Honda brands' keyless entry systems to unlock the passenger side
e) The thieves are transmitting something to a component in the door that then unlocks
f) The thieves transmit something that makes the car itself unlock the door as part of the reset process

or g) The thieves cloned the transmitter.

As for why the passenger side and not the driver's side. Driver's sides often have tones or signals (eg door is ajar) whereas the passenger side does not until a key is in the ignition.

Hella Old News (1)

redshirt (95023) | about a year ago | (#43918157)

BMW Hacking [wired.com]

Second Click.... (1)

David_Hart (1184661) | about a year ago | (#43918167)

I know with my Nissan, and I believe that all cars are the same, you need to press on the unlock button twice to unlock the passenger doors. Perhaps there is something in that sequence that allows them to create a shortcut sequence that opens the passenger doors.

For example, maybe there is something in the "lock" code that is sent to lock all of the doors that triggers the start of the "unlock passenger doors" sequence and all it is waiting for is the extra code from the second key press.

Factory fobs - 3rd party security systems still ok (0)

Anonymous Coward | about a year ago | (#43918315)

DSI - one of the largest manufacturers of 3rd party Security and Remote start equipment fobs are still fine.

Passenger side. (0)

Anonymous Coward | about a year ago | (#43918423)

They probably go for that side because the glove box is on that side.

NXP seems to be the common factor (1)

burne (686114) | about a year ago | (#43918435)

NXP, google it yourself, don't believe me. NXP's Mifare is insecure, used in Oyster, OV-Chip and a few other very large deployments. Similar weak chipsets are found inside key fobs. Similar problems. Trivially exploitable. Just listening and some knowledge of the platform is enough to predict the next 'secure' exchange. And steal the car. Embarrassing: the next car could as well be an extremely expensive Mercedes Benz S-class.
