War Texting Lets Hackers Unlock Car Doors Via SMS

alphadogg writes "Software that lets drivers unlock car doors and even start their vehicles using a mobile phone could let car thieves do the very same things, according to computer security researchers at iSec Partners. Don Bailey and fellow iSec researcher Mathew Solnik say they've figured out the protocols that some of these software makers use to remote control the cars, and they've produced a video showing how they can unlock a car and turn the engine on via a laptop. According to Bailey, it took them about two hours to figure out how to intercept wireless messages between the car and the network and then recreate them from his laptop. Bailey will discuss the research at next week's Black Hat conference in Las Vegas, but he isn't going to name the products they've hacked — they've looked at two so far — or provide full technical details of their work until the software makers can patch them."
This discussion has been archived. No new comments can be posted.

  • Pathetic (Score:5, Insightful)

    by Anrego ( 830717 ) * on Thursday July 28, 2011 @12:49PM (#36910840)

    I can understand small keychain devices being breakable but with all the power you’ve got available in a cell phone to not be able to come up with a secure challenge/response system seems ridiculous.

    • Indeed, how hard would it be to have a one time pad setup? Most banks will give you a secureID fob for $5, similar techniques would make this kind of thing almost impossible. It's just pure laziness in my opinion.

      • by Anrego ( 830717 ) *

        Most banks will give you a secureID fob for $5

        Not here in Canada! :(

        Seriously.. anyone knows a bank in Canada (that services NS) that does this chime in! Paypal does it.. WoW does it.. why the hell won't the banks here do it!

        RBC will do it if you are a corporate customer.. which is even more baffling. "We have it implemented... just not for you".

      • by AJH16 ( 940784 )

        Honestly it is even easier than that since you can use a challenge response mechanism that the car always asks a slightly different question so that the previous answer is worthless. It's effectively an automated version of the same concept that the secureIDs provide by verifying that a valid private key is held by the device requesting authentication.

    • by mlts ( 1038732 ) *

      With some alarm systems having two-way remotes, it would be nice if more car makers just went with a cryptographically sound setup. It isn't that hard -- pairing could be done via some type of NFC communication, and the communication could be three way -- remote sends a request for a challenge ID, car sends a nonce, remote sends the command the user wants and the nonce, both signed with the remote's key. Of course the downside of this method is having to have a remote with the CPU power to deal with RSA,

      • by Anrego ( 830717 ) *

        Of course the downside of this method is having to have a remote with the CPU power to deal with RSA, especially larger keys, because the compute power to sign/decode goes up by the cube of the keylength (which means a 2048 bit key takes eight times as long to do stuff than a 1024 bit key.)

        This is why it was excusable for keychain devices running off watch batteries to lack such measures. Any cell phone however could easily handle this.

        • by mlts ( 1038732 ) *

          What is ironic is that if one looks at cell phone CPUs, anything since the old TI OMAP chips almost certainly has special instructions to deal with the needs of array shifting (for AES), or for exponentiation (for RSA).

          Maybe the CPU in the car might be different, but common sense says that dropping a low power ARM chip in to handle this would be the best thing for car makers.

          In these days where security is actually being tried by blackhats constantly, it is inexcusable to not take reasonable measures.

          • by TheLink ( 130905 )

            But how many car thieves steal cars in "clever" ways? Would such measures actually reduce the theft rates and decrease the average cost (factoring risk * impact of theft etc)? Think more expensive locks, more expensive calls to locksmiths when they can't break into their own cars coz they lost or forgot the "keys" ;).

            So far thieves use bricks, and/or they just tow the entire car away (or put in a truck). Or hijack the car (either directly confronting you, or by crashing into your car so that you get out).

            Th

            • by mlts ( 1038732 ) *

              Very true. A thief can always chuck a brick through a car window and get in. However, a lot of European cars have deadlocking mechanisms where a thief is going to have to try to scramble in and out through the broken window... while the inside alarm is blasting at 120+ dB.

              However, the thing with car remotes is that a method of compromise merely means a thief just hits the remote, locks pop open, and all items in the vehicle are theirs.

              Another thing is that if there are zero signs of forced entry, insurance

            • For valuable cars, no, the thief cannot just throw a brick through a window. Even on some American cars costing around $40k, there is a security module locked to the PCM which must be engaged before the engine will be started. You have to change the PCM and the security module (which is attached to the column which may actually have to be dropped to replace it) before you can drive such a car away, if you can't simply defeat the locking system. Luckily for thieves, there is a thriving Chinese market in

      • You don't need to use computing-intense algos like RSA. Since this is data sent over the air and not typed in by the user, you simply can use a 256-bit nonce and reply which is encrypted with AES or simply hashed with SHA-256.
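
The challenge/response exchange proposed in the comments above, as an added example that is not part of the original discussion or any vendor's code: the car issues a fresh 256-bit nonce and the remote answers with a MAC over the nonce and the command, so a captured message is useless later. It uses HMAC-SHA256 with a key shared at pairing in place of the RSA signature or plain hash the commenters mention; the class names, the `UNLOCK`/`START` command strings and the 5-second challenge lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

NONCE_BYTES = 32      # 256-bit nonce, the size suggested in the thread
CHALLENGE_TTL = 5.0   # seconds a challenge stays valid (assumed value)


def _tag(key: bytes, nonce: bytes, command: bytes) -> bytes:
    # The nonce has a fixed length, so nonce || command is unambiguous.
    return hmac.new(key, nonce + command, hashlib.sha256).digest()


class Remote:
    """Phone or fob: holds the key shared with the car at pairing time."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, nonce: bytes, command: bytes) -> bytes:
        return _tag(self._key, nonce, command)


class Car:
    """Verifier: issues single-use challenges and checks the response."""

    def __init__(self, key: bytes, clock=time.monotonic):
        self._key = key
        self._clock = clock
        self._pending = None  # (nonce, issued_at) or None

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(NONCE_BYTES)
        self._pending = (nonce, self._clock())
        return nonce

    def execute(self, command: bytes, tag: bytes) -> bool:
        # Burn the nonce on every attempt, successful or not.
        pending, self._pending = self._pending, None
        if pending is None:
            return False
        nonce, issued_at = pending
        if self._clock() - issued_at > CHALLENGE_TTL:
            return False
        return hmac.compare_digest(_tag(self._key, nonce, command), tag)


class StaticCar:
    """Weak baseline for comparison: MAC over the command only, no nonce."""

    def __init__(self, key: bytes):
        self._key = key

    def execute(self, command: bytes, tag: bytes) -> bool:
        expected = hmac.new(self._key, command, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed pairing key
    remote, car, weak = Remote(key), Car(key), StaticCar(key)
    # Legitimate exchange; assume an eavesdropper records nonce and tag.
    nonce = car.challenge()
    tag = remote.respond(nonce, b"UNLOCK")
    results = {"legit": car.execute(b"UNLOCK", tag)}
    # The recorded tag is resent: first with no challenge outstanding,
    # then after the car has issued a different nonce.
    results["replay_no_challenge"] = car.execute(b"UNLOCK", tag)
    car.challenge()
    results["replay_new_challenge"] = car.execute(b"UNLOCK", tag)
    # A valid tag for UNLOCK must not authorise START under the same nonce.
    nonce = car.challenge()
    tag = remote.respond(nonce, b"UNLOCK")
    results["command_swap"] = car.execute(b"START", tag)
    # Without a nonce the same bytes are accepted every time.
    static_tag = hmac.new(key, b"UNLOCK", hashlib.sha256).digest()
    results["static_first"] = weak.execute(b"UNLOCK", static_tag)
    results["static_replay"] = weak.execute(b"UNLOCK", static_tag)
    return results


if __name__ == "__main__":
    print(demo())
```
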
  • what does war sexting unlock?
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Your mom.

    • Pay toilets...but keep your stance narrow my friend.

      • Caught an episode of modern marvels about toilets and they discussed the pay toilets of new york. They actually didn't seem that bad, but then again, i don't have a smell-o-vision.
        • I think I saw that. It had a pay toilet with one-way glass for walls in the middle of a city. It allows people to see out, but people can't see in.
          • That's exactly what you want people using a public washroom doing. Losing focus on the task at hand because of what's going on around them.

  • How long until someone makes an app for that? Shouldn't be hard to work up an antenna for i* 30 pin port...
  • and my brick takes a second.
    • by Anonymous Coward

      and my brick takes a second.

      I'd love to see you start the engine with your brick

      • by bws111 ( 1216812 )

        Other than wasting some fuel, what good does starting the engine do?

        • by dwreid ( 966865 )
          You can warm up your car in the winter before going out to sit in an unbearably cold car. Orrrrr.... you can waste your cheating wife by putting her drugged self in the car in the garage and then taking the train downtown. Start up the car once your alibi is established and voila... suicide. Just saying...
    • Laugh my motha fkkin a$$ off. That was funny. Sorry I don't have any more mod points.
      • It's true, no car thief is gonna sit on his laptop for 2 hrs to hack the remote start. He's gonna smash and grab it and be gone in 30 seconds or less.
  • by Qwell ( 684661 )

    How would a manufacturer force people to upgrade the unlock mechanism in the cars?

    • Send a Recall Notice, you make an appointment, you go back to the dealer and they update the Firmware.

      • by Qwell ( 684661 )

        They won't send such a notice unless they're told to by a court (or the lawsuit vs. recall formula).

    • How would a manufacturer force people to upgrade the unlock mechanism in the cars?

      "If you don't upgrade your car will be a lot easier to steal."?

      • by Anonymous Coward

        The real fix....

        Insurance won't cover out of date security measures.

        • by Cramer ( 69040 )

          And how exactly would they know? They aren't going to waste the money in sending an agent out to actually check the car. (which is the only way to be 100% sure.)

          • And how exactly would they know? They aren't going to waste the money in sending an agent out to actually check the car. (which is the only way to be 100% sure.)

            They send an agent out for every significant claim; in particular vehicles are "totaled" by an agent. If the vehicle still turns on they could find out with a simple scan tool. I believe these people are called "claims adjusters" ... ah yes, and in some places, "loss adjusters". That's a particularly more honest name for them because that's what the insurance company sees when it pays: a loss. And that's what they see you as the minute you actually need the services for which you've been paying.

            • by Cramer ( 69040 )

              This is completely different than the issue of anti-theft devices. It's hard to verify the software *after* the car has been stolen.

              Once the insurance company has agreed to cover the car and is taking your money, they cannot show up at an accident and retroactively cancel your coverage. (esp. for something that has nothing to do with an accident -- i.e. an outdated anti-theft system.) Now, if they can prove your car was stolen because of the anti-theft junk, then they may refuse your claim.

  • by Anonymous Coward

    Is there anybody that saw this "feature" and didn't immediately assume it was implemented in a really stupid and easily hackable way?

    • No, I saw the commercial with the two guys calling the guy's wife on the plane and asking for her to unlock the car with OnStar from her iPhone. I immediately thought that my wife does not have an iPhone, or a smartphone of any kind. And that I would not be able to do it until they wrote an app for my Droid.

      I was passed a story on something like this a month ago, and was reminded of the kids in the 90s using Palm Pilots to copy and replay infrared signals from people's remotes to steal cars.

      So the real assump

  • by djl4570 ( 801529 ) on Thursday July 28, 2011 @01:04PM (#36911086) Journal
    Hacking these features to steal cars is one possibility. How long before some vindictive prat uses this tech to brick the cars on the lot at a dealership.
    • by Anonymous Coward

      Substantially less time, now that you've published the idea. It's all your fault!! I can't believe you gave away the secret!! The password is Swordfish!!

    • by DeadCatX2 ( 950953 ) on Thursday July 28, 2011 @01:32PM (#36911582) Journal

      Or someone bricks your car on the highway while you're driving it because you cut them off.

      • by MacGyver2210 ( 1053110 ) on Thursday July 28, 2011 @01:53PM (#36911950)

        This. I want this. Must shutdown asshole drivers.

      • Or someone bricks your car on the highway while you're driving it because you cut them off.

        Is that necessarily a bad thing?

      • by Anonymous Coward

        I probably wouldn't want to brick any cars who JUST cut me off...

        It would be much safer to brick cars that YOU just cut off...

      • If the car's system has a way to completely shut down the car while you're driving at high speed then they have bigger problems than people figuring out the protocol they used.
        • I think you and some other commenters misunderstand my point. Bricking is not a "feature" of hardware, it's a bug that is exploited by an attacker. Of course the hardware engineers designing this tech aren't going to include a "click here to brick your car!" button.

          Have you ever heard of the CAN bus? CAN stands for "Controller Area Network". It's how all the MCUs in a car talk to each other. For instance, the door lock's MCU communicates with other MCUs in the car using the CAN bus.

          A malicious attacker

          • by djl4570 ( 801529 )
            Your thoughts are along the lines of my original comment. I don't know all the bits of the technology, only that someone who does know will eventually hack the equivalent of root access to the technology. This access could be used for theft or just to annoy owners by reprogramming the radio presets or temperature controls to bricking the electronics by corrupting the firmware.
      • Or someone bricks your car on the highway while you're driving it because you cut them off.

        You mean with a real brick?

        • You need to be stationary for that to properly work. Sure you'd do a bit of damage, perhaps startle the driver, but you don't have the force of a car moving at 60mph+ helping you out. You really want to be standing on the side of the road and throwing the brick into the oncoming traffic.

          And I'm totally not speaking from experience. No, not at all.

    • Can I just auto brick the drivers that tailgate me. Bricking the car that just cut me off seems like a bad idea. Smart4two (or whatever ya call those tiny things) think that 6 feet is enough distance when I'm doing 75 down hill between the 3.5 ton me/vehicle and a semi in front of me, I disagree with their assumption.

    • by Dan541 ( 1032000 )

      That really is a tempting idea.

  • Chevy's (GM) OnStar system provides an app for Android/iPhone that lets you start your car halfway around the world if you have their premium service....

    I'm sure Chevy will release a TSB out to all their dealerships once they have a patch...

  • An episode of Star Trek (I think it was on Voyager) has them end up on then-present-day Earth and when they need it, they steal a car this way. Anybody remember which one?
    • Didn't they also do this in Gone in 60 Seconds (the modern Nicolas Cage version). Sometimes truth is stranger than fiction.
    • I recall they did something similar in an episode of Enterprise when T'Pol and Archer needed to steal a car. Unfortunately, I think the car was like a '70s Challenger or something that would never have had automatic locks, much less iPhone control.

      • I hate myself for remembering this, but they actually stole a truck, and a pretty modern one. So it is reasonable.
  • While unlocking my car with a txt msg is nifty and cool, I don't see the point. If I want to unlock the car, presumably I want to drive it. For that I'm going to need a key anyway, so...??

    Sure, you can imagine a weird scenario where this would be useful... you locked your keys in the car, etc... but every time they add a new convenience (electric locks, electric windows) that's another failure point to deal with. Is it even possible to buy a new car without electric windows these days?

    It's bad enough when t

    • by ilo.v ( 1445373 )

      If I want to unlock the car, presumably I want to drive it. For that I'm going to need a key anyway, so...??

      My car doesn't have a key, just a button to press. (Volkswagen, not a Ferrari or something else fancy). It just has a fob that needs to be in range for the "start" button to be enabled. This would be more convenient if my cell phone could be the fob, but only if it can't be hacked like this.

      • Interesting, I've heard about these, but haven't used one yet. Still, one could argue that the "fob" is a key of sorts. In any case, you still need to "be there" to drive the car, and if a thief can open the door with a cell phone, he could probably drive away as well.

        I wouldn't mind having a keypad/PIN-code system to use the car, but I'd want it to have at least an 8-digit password, and definitely NOT be accessible by wireless.

      • Speaking of KISS, it's hard to understand what the need for the new press a button thing on cars was supposed to be. (Fulfill a nonexistent need?)

        Were there people crying out they were unable to start their cars with keys?

        And the dead simple and foolproof way of turning the engine off if you need to? Now it's hold for 3 seconds to turn off?

        • Long ago on cars you didn't have to fumble with keys, you cranked the car.

          Then came self-starters. You turned a key to enable the ignition system, then pushed a starter button. Key-as-starter-button came much later.

          This goes back to the old time, simply push the starter button. Only now the key is high-tech wireless and you don't even have to insert or turn it, just have it in your pocket.

        • Speaking of KISS, it's hard to understand what the need for the new press a button thing on cars was supposed to be. (Fulfill a nonexistent need?)

          The advantage isn't so much in being able to start the car, but to unlock the doors without even having to touch your key (which is useful if your hands are full, especially in bad weather). That feature was then extended to starting without the key in the ignition (the "no turn" interlock on the ignition switch is disabled by the proximity of the key). This then led to the completely useless push-button start.

          The reason push-button start is useless is that you still need the other features of the ignitio

          • by Cramer ( 69040 )

            The steering lock is a solenoid -- or at the most basic, turning off the power steering. The ACC position is a matter of pushing the start button without touching the brake.

            My VW (traditional key) has no "ACC". If you want the radio on with the car off, simply turn it on. (it'll run for about an hour and shutoff again.) The windows / sunroof won't work without the key in the run position -- or you can use the open/close trick with the key in the door lock.

          • >The advantage isn't so much in being able to start the car, but to unlock the doors without even having to touch your key

            Yeah, the thing that keeps popping into my head is car jackings:

            A guy's waiting somewhere in the 5-acre Walmart parking lot. When you get near your car, he opens the door and hustles you inside, too. He can open the door because the car so helpfully just unlocked everything when you walked by.

            Scenario #2: You've got your laptop (or something else) on the passenger seat. You so much as

            • Scenario #2: You've got your laptop (or something else) on the passenger seat. You so much as walk near your car, and the guy opens the door and grabs your stuff and runs.

              All the cars I have seen with proximity keys allow you to config what happens when you get close (nothing, unlock driver, unlock all), so this shouldn't be a problem with the correct config.

              The worse problem is the relay of the signal. If you know a car has no option other than a proximity key, you simply have your confederate follow the driver into the mall, and the two-way radios you each have will extend the distance of the key signal. Then, you climb in the car and drive away to the chop shop.

        • The start buttons are just cool. That's all the reason you need.

        • by Cramer ( 69040 )

          I've thought about the same thing with my hybrid. Everything about the car is computer controlled... steering is electric assist (without that motor, you aren't driving), brakes are electronic (mechanical if you push them all the way to the floor), accelerator 100% electronic, transmission 100% electronic... it's one rogue program away from driving itself around the neighborhood. (and with the parking sensors, it can avoid people.) Killing the car requires getting in the trunk and pulling the big orange p

          • It's like this: would you trust driving a car on software you wrote yourself?

            Yeah, ok, so the guys who write embedded are a different breed of programmer, never make mistakes, etc.

            The problem is, we're losing all concept of fail-safe.

            And with the new push for touch-screen games on windows (!), and in-dash either entertainment or navigation plus the inevitable iPhone and Android integration, we're setting ourselves up for car viruses. The funny thing, most people will just shrug and say you should've updated

            • by Cramer ( 69040 )

              the guys who write embedded are a different breed of programmer...

              That used to be true. Today, on average, they're just as horrible and short sighted as everyone else -- fast and cheap are the rule. (and I started out in that world... writing assembly. but in those days, every byte and every cycle mattered, because you had very little of either.) Even NASA and medical systems are starting to show fault.

        • by Osgeld ( 1900440 )

          nah its just like your computer, there is a hidden switch in the trunk

      • by Osgeld ( 1900440 )

        yea that fob is just a signal being broadcast to anyone with a 434MHz receiver and usually ends up being less secure than that wheel lock thing that came on your free airline rewards bag.

        good night!

    • I've seen a commercial for this and the way they presented it was as a means of letting a teenager to use the car, but requiring them to request permission to unlock and start it.

    • by Osgeld ( 1900440 )

      "Is it even possible to buy a new car without electric windows these days"

      yea look at kia, they have better gas mileage more airbags, more horse power, and can cost as little as 10 grand brand new, but for that price you not only give up power windows and locks but also power steering, AC and sometimes a radio

    • by vonart ( 1033056 )

      Is it even possible to buy a new car without electric windows these days?

      My brand new GMC Sierra pickup has manual windows, manual door locks and no cruise control. If you look around, you can find things without easily enough.

  • When I bought my last car in 2008 the insurance company guy asked me if it had anti-theft devices in the car. I said yes, it has a microchip in the key. So he says I get a discount because of it. Great news in my mind a discount. But now does this mean I go to buy my next car will I not get a discount because I will have to buy Car Hacker insurance? Or will I have to LoJack it too.
    • No, it means when your anti-theft device is compromised via a hack and your car is stolen, the insurance company will not believe you and will tell you that you are trying to defraud the insurance company by faking a theft - since the anti-theft device is, by their analysis, "unbreakable". There is already precedent for this.

      --jeffk++

      • by Cramer ( 69040 )

        That anti-theft devices do nothing to stop someone from pulling your car onto a low-boy and hauling it away. (Repo men do this every day.)

      • If an insurance company can't correctly assess risks on their internal books, then they're out of business. But they can still do whatever they want to try and weasel out of things.

  • by Anonymous Coward

    I remember in the early unencrypted days of this a client of mine looking particularly smug when he showed me how he could start his car with his remote keychain back when starting cars without being in them was all the rage. He waxed poetic about how bleeding edge he was, and while I let him have his epeen hard-on, I pointed my pda out the window and turned off his engine, promptly wiping the smug off his face.

  • by Lord Grey ( 463613 ) on Thursday July 28, 2011 @01:43PM (#36911760)

    From TFA:

    With these mobile car apps, the phone connects to a server that then sends secret numerical keys to the car in order to authenticate itself, but the iSec researchers figured out ways to get around this by looking at the messages sent between the server and the car over the mobile network, Bailey said in an interview. "We reverse-engineer the protocol and then we build our own tools to use that protocol to contact that system," he said.

    Without knowing the details, this sounds a lot like a replay attack. Or possibly a version of one of the attacks used against ATMs, back when ATMs were new and relatively unguarded. You could tap into an ATM line and basically send commands like, "eject five $20 bills" over and over again, without too much trouble.

    I have a 2010 Camaro SS, which has the older version of the OnStar firmware that is not compatible with their mobile app. Now I'm relatively happy about that. One less attack vector to worry about.

    • by gv250 ( 897841 )

      From TFA:

      With these mobile car apps, the phone connects to a server that then sends secret numerical keys to the car in order to authenticate itself,

      So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

    • I have a 2010 Camaro SS, which has the older version of the OnStar firmware that is not compatible with their mobile app. Now I'm relatively happy about that. One less attack vector to worry about.

      Yeah isn't it great? Actually, I've got a little older model, it looks and runs like the same car from The Flintstones, and doesn't have any of those fancy electro-gizmos like an "engine". Just good ol' feet power my baby, so they they want to come along and steal it, they're welcome to!

  • downloading a car is now possible!

  • This article seems too technical. Can someone summarize using a car analogy?

  • So, whenever there's a debate on Slashdot about "piracy" or copyright infringement, SOMEONE always makes the tired analogy about "stealing your car", and then someone else always corrects them about COPYING your car, leaving your original car behind.

    Well now the pirates *can* steal your car!

    And when the technology improves, there will be an app to COPY your car! And when anyone can COPY a car, what dinosaur business model will the car manufacturers be forced into? Suing their own customers like the RIAA?

    Wha

  • My car has an anti theft device that is nearly foolproof. It's a knob on the dashboard labeled 'Choke'. If you don't know what to do with it (and most people with no business on my lawn don't) that car isn't going anywhere. Heck, kids these days are stopped cold attempting to carjack a stickshift.

  • It only took them two hours to figure out how to open the car with a laptop? And that's more frightening than the old fashioned way that takes 2 seconds with a brick?
  • Software that lets drivers unlock car doors and even start their vehicles using a mobile phone could let car thieves do the very same things,

    ... is an excessively constricted form of the problem. A less-wrong form would be :

    [Anything] that lets [anyone] [do anything] and even [anything else] using [anything] could let [anything] thieves do the very same things,

    No, seriously ; if you can do anything, then the bad guys can do it too. The only hope of preventing the bad guys from doing it is to make it more ex

  • My selection bias suggests the two targets identified will be General Motors, Ford, or Chrysler. I wouldn't rule out Mazda or Toyota either.
