War Texting Lets Hackers Unlock Car Doors Via SMS
alphadogg writes "Software that lets drivers unlock car doors and even start their vehicles using a mobile phone could let car thieves do the very same things, according to computer security researchers at iSec Partners. Don Bailey and fellow iSec researcher Mathew Solnik say they've figured out the protocols that some of these software makers use to remote control the cars, and they've produced a video showing how they can unlock a car and turn the engine on via a laptop. According to Bailey, it took them about two hours to figure out how to intercept wireless messages between the car and the network and then recreate them from his laptop. Bailey will discuss the research at next week's Black Hat conference in Las Vegas, but he isn't going to name the products they've hacked — they've looked at two so far — or provide full technical details of their work until the software makers can patch them."
Pathetic (Score:5, Insightful)
I can understand small keychain devices being breakable but with all the power you’ve got available in a cell phone to not be able to come up with a secure challenge/response system seems ridiculous.
Re: (Score:2)
Indeed, how hard would it be to have a one time pad setup? Most banks will give you a secureID fob for $5, similar techniques would make this kind of thing almost impossible. It's just pure laziness in my opinion.
Re: (Score:2)
Most banks will give you a secureID fob for $5
Not here in Canada! :(
Seriously.. anyone knows a bank in Canada (that services NS) that does this chime in! Paypal does it.. WoW does it.. why the hell won't the banks here do it!
RBC will do it if you are a corporate customer.. which is even more baffling. "We have it implemented... just not for you".
Re: (Score:2)
Honestly it is even easier than that since you can use a challenge response mechanism that the car always asks a slightly different question so that the previous answer is worthless. It's effectively an automated version of the same concept that the secureIDs provide by verifying that a valid private key is held by the device requesting authentication.
Re: (Score:2)
With some alarm systems having two-way remotes, it would be nice if more car makers just went with a cryptographically sound setup. It isn't that hard -- pairing could be done via some type of NFC communication, and the communication could be three way -- remote sends a request for a challenge ID, car sends a nonce, remote sends the command the user wants and the nonce, both signed with the remote's key. Of course the downside of this method is having to have a remote with the CPU power to deal with RSA,
Re: (Score:2)
Of course the downside of this method is having to have a remote with the CPU power to deal with RSA, especially larger keys, because the compute power to sign/decode goes up by the cube of the keylength (which means a 2048 bit key takes eight times as long to do stuff than a 1024 bit key.)
This is why it was excusable for keychain devices running off watch batteries to lack such measures. Any cell phone however could easily handle this.
Re: (Score:3)
What is ironic is that if one looks at cell phone CPUs, anything since the old TI OMAP chips almost certainly have special instructions to deal with the needs of array shifting (for AES), or for exponentiation (for RSA).
Maybe the CPU in the car might be different, but common sense says that dropping a low power ARM chip in to handle this would be the best thing for car makers.
In these days where security is actually being tried by blackhats constantly, it is inexcusable to not take reasonable measures.
Re: (Score:2)
But how many car thieves steal cars in "clever" ways? Would such measures actually reduce the theft rates and decrease the average cost (factoring risk * impact of theft etc)? Think more expensive locks, more expensive calls to locksmiths when they can't break into their own cars coz they lost or forgot the "keys" ;).
So far thieves use bricks, and/or they just tow the entire car away (or put in a truck). Or hijack the car (either directly confronting you, or by crashing into your car so that you get out).
Th
Re: (Score:2)
Very true. A thief can always chuck a brick through a car window and get in. However, a lot of European cars have deadlocking mechanisms where a thief is going to have to try to scramble in and out through the broken window... while the inside alarm is blasting at 120+ dB.
However, the thing with car remotes is that a method of compromise merely means a thief just hits the remote, locks pop open, and all items in the vehicle are theirs.
Another thing is that if there is zero signs of forced entry, insurance
Re: (Score:2)
For valuable cars, no, the thief cannot just throw a brick through a window. Even on some American cars costing around $40k, there is a security module locked to the PCM which must be engaged before the engine will be started. You have to change the PCM and the security module (which is attached to the column which may actually have to be dropped to replace it) before you can drive such a car away, if you can't simply defeat the locking system. Luckily for thieves, there is a thriving Chinese market in
Re: (Score:1)
Re: (Score:1)
That's all well and good, but... (Score:1)
Re: (Score:2, Funny)
Your mom.
Re: (Score:1)
Pay toilets...but keep your stance narrow my friend.
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
That's exactly what you want people using a public washroom doing. Losing focus on the task at hand because of what's going on around them.
Stealing a car? There's an app for that! (Score:2)
only took 2 hrs (Score:1)
Re: (Score:1)
and my brick takes a second.
I'd love to see you start the engine with your brick
Re: (Score:2)
Other than wasting some fuel, what good does starting the engine do?
Re: (Score:1)
Re: (Score:2)
Nowhere did they say they could drive the car, just start the engine. My car has a remote start key fob. You can start the engine with it. Theoretically, someone else could also start the engine if they have the correct code. However, if you don't have the physical key in the ignition, as soon as you touch any control, including the brake pedal, the engine shuts off. It does no good to start the engine if you can't actually use it to move the vehicle.
Re: (Score:2)
Re: (Score:1)
YES. And the electronic ignition system won't leave idle.
Re: (Score:2)
Depends on the system. With Nissans the answer is no. The FOB doesn't need to be present; that way you can use the valet key. However, it will then only restart with the valet key unless you walk out and walk back into range.
Re: (Score:2)
that's OK, I didn't really want my car stolen anyway...
Re: (Score:1)
Nowhere did they say they could drive the car, just start the engine. My car has a remote start key fob. You can start the engine with it. Theoretically, someone else could also start the engine if they have the correct code. However, if you don't have the physical key in the ignition, as soon as you touch any control, including the brake pedal, the engine shuts off. It does no good to start the engine if you can't actually use it to move the vehicle.
That would take some getting used to. I always hit the brake before I turn the key. Habit, I guess.
Re: (Score:2)
Yeah, me too. I manage to kill the engine just about every time I use the remote start.
Re: (Score:2)
Re: (Score:1)
How? (Score:2)
How would a manufacturer force people to upgrade the unlock mechanism in the cars?
Re: (Score:2)
Send a Recall Notice, you make an appointment, you go back to the dealer and they update the Firmware.
Re: (Score:3)
They won't send such a notice unless they're told to by a court (or the lawsuit vs. recall formula).
Re: (Score:3)
How would a manufacturer force people to upgrade the unlock mechanism in the cars?
"If you don't upgrade your car will be a lot easier to steal."?
Re: (Score:1)
The real fix....
Insurance won't cover out of date security measures.
Re: (Score:1)
And how exactly would they know? They aren't going to waste the money in sending an agent out to actually check the car. (which is the only way to be 100% sure.)
Re: (Score:2)
And how exactly would they know? They aren't going to waste the money in sending an agent out to actually check the car. (which is the only way to be 100% sure.)
They send an agent out for every significant claim; in particular vehicles are "totaled" by an agent. If the vehicle still turns on they could find out with a simple scan tool. I believe these people are called "claims adjusters" ... ah yes, and in some places, "loss adjusters". That's a particularly more honest name for them because that's what the insurance company sees when it pays: a loss. And that's what they see you as the minute you actually need the services for which you've been paying.
Re: (Score:1)
This is completely different than the issue of anti-theft devices. It's hard to verify the software *after* the car has been stolen.
Once the insurance company has agreed to cover the car and is taking your money, they cannot show up at an accident and retroactively cancel your coverage. (esp. for something that has nothing to do with an accident -- i.e. an outdated anti-theft system.) Now, if they can prove your car was stolen because of the anti-theft junk, then they may refuse your claim.
Not surprised (Score:1)
Is there anybody that saw this "feature" and didn't immediately assume it was implemented in a really stupid and easily hackable way?
Re: (Score:2)
No, I saw the commercial with the two guys calling the guy's wife on the plane and asking for her to unlock the car with OnStar from her iPhone. I immediately thought that my wife does not have an iPhone, or a smartphone of any kind. And that I would not be able to do it until they wrote an app for my Droid.
I was passed a story on something like this a month ago, and was reminded of the kids in the 90s using Palm Pilots to copy and replay infrared signals from people's remotes to steal cars.
So the real assump
How long before someone bricks an expensive car (Score:3, Funny)
Re: (Score:1)
Substantially less time, now that you've published the idea. It's all your fault!! I can't believe you gave away the secret!! The password is Swordfish!!
Re:How long before someone bricks an expensive car (Score:5, Interesting)
Or someone bricks your car on the highway while you're driving it because you cut them off.
Re:How long before someone bricks an expensive car (Score:5, Funny)
This. I want this. Must shutdown asshole drivers.
Re: (Score:2)
ssh <<license number>>
login: admin
password:
shutdown -h now
Re: (Score:3)
Or someone bricks your car on the highway while you're driving it because you cut them off.
Is that necessarily a bad thing?
Re: (Score:1)
I probably wouldn't want to brick any cars who JUST cut me off...
It would be much safer to brick cars that YOU just cut off...
Re: (Score:2)
Re: (Score:2)
I think you and some other commenters misunderstand my point. Bricking is not a "feature" of hardware, it's a bug that is exploited by an attacker. Of course the hardware engineers designing this tech aren't going to include a "click here to brick your car!" button.
Have you ever heard of the CAN bus? CAN stands for "Controller Area Network". It's how all the MCUs in a car talk to each other. For instance, the door lock's MCU communicates with other MCUs in the car using the CAN bus.
A malicious attacker
Re: (Score:1)
Re: (Score:2)
Or someone bricks your car on the highway while you're driving it because you cut them off.
You mean with a real brick?
Re: (Score:2)
You need to be stationary for that to properly work. Sure you'd do a bit of damage, perhaps startle the driver, but you don't have the force of a car moving at 60mph+ helping you out. You really want to be standing on the side of the road and throwing the brick into the oncoming traffic.
And I'm totally not speaking from experience. No, not at all.
Re: (Score:2)
That's the beauty of it, they don't even realise anything's wrong until hours later! You're then lost among the thousands of people who've been close enough to the car to do it.
Re: (Score:2)
add this to northstar - where remotely they can turn the engine on and off - then it gets interesting.
Re: (Score:1)
Can I just auto brick the drivers that tailgate me. Bricking the car that just cut me off seems like a bad idea. Smart4two (or whatever ya call those tiny things) think that 6 feet is enough distance when I'm doing 75 down hill between the 3.5 ton me/vehicle and a semi in front of me, I disagree with their assumption.
Re: (Score:2)
That really is a tempting idea.
New 2011+ Chevy owners beware... (Score:1)
Chevy's (GM) OnStar system provides an app for Android/iPhone that lets you start your car halfway around the world if you have their premium service....
I'm sure Chevy will release a TSB out to all their dealerships once they have a patch...
Predicted by Star Trek (Score:2)
Re: (Score:1)
Re: (Score:2)
I recall they did something similar in an episode of Enterprise when T'Pol and Archer needed to steal a car. Unfortunately, I think the car was like a '70s Challenger or something that would never have had automatic locks, much less iPhone control.
Re: (Score:2)
Feature bloat vs. the KISS principle... (Score:1)
While unlocking my car with a txt msg is nifty and cool, I don't see the point. If I want to unlock the car, presumably I want to drive it. For that I'm going to need a key anyway, so...??
Sure, you can imagine a weird scenario where this would be useful... you locked your keys in the car, etc... but every time they add a new convenience (electric locks, electric windows) that's another failure point to deal with. Is it even possible to buy a new car without electric windows these days?
It's bad enough when t
Re: (Score:2)
If I want to unlock the car, presumably I want to drive it. For that I'm going to need a key anyway, so...??
My car doesn't have a key, just a button to press. (Volkswagen, not a Ferrari or something else fancy). It just has a fob that needs to be in range for the "start" button to be enabled. This would be more convenient if my cell phone could be the fob, but only if it can't be hacked like this.
Re: (Score:2)
Interesting, I've heard about these, but haven't used one yet. Still, one could argue that the "fob" is a key of sorts. In any case, you still need to "be there" to drive the car, and if a thief can open the door with a cell phone, he could probably drive away as well.
I wouldn't mind having a keypad/PIN-code system to use the car, but I'd want it to have at least an 8-digit password, and definitely NOT be accessible by wireless.
Re: (Score:3)
Speaking of KISS, it's hard to understand what the need for the new press a button thing on cars was supposed to be. (Fulfill a nonexistent need?)
Were there people crying out they were unable to start their cars with keys?
And the dead simple and foolproof way of turning the engine off if you need to? Now it's hold for 3 seconds to turn off?
High tech twist on ancient KISS (Score:2)
Long ago on cars you didn't have to fumble with keys, you cranked the car.
Then came self-starters. You turned a key to enable the ignition system, then pushed a starter button. Key-as-starter-button came much later.
This goes back to the old time, simply push the starter button. Only now the key is high-tech wireless and you don't even have to insert or turn it, just have it in your pocket.
Re: (Score:2)
Speaking of KISS, it's hard to understand what the need for the new press a button thing on cars was supposed to be. (Fulfill a nonexistent need?)
The advantage isn't so much in being able to start the car, but to unlock the doors without even having to touch your key (which is useful if your hands are full, especially in bad weather). That feature was then extended to starting without the key in the ignition (the "no turn" interlock on the ignition switch is disabled by the proximity of the key). This then led to the completely useless push-button start.
The reason push-button start is useless is that you still need the other features of the ignitio
Re: (Score:1)
The steering lock is a solenoid -- or at the most basic, turning off the power steering. The ACC position is a matter of pushing the start button without touching the brake.
My VW (traditional key) has no "ACC". If you want the radio on with the car off, simply turn it on. (it'll run for about an hour and shutoff again.) The windows / sunroof won't work without the key in the run position -- or you can use the open/close trick with the key in the door lock.
Re: (Score:2)
>The advantage isn't so much in being able to start the car, but to unlock the doors without even having to touch your key
Yeah, the thing that keeps popping into my head is car jackings:
A guy's waiting somewhere in the 5-acre Walmart parking lot. When you get near your car, he opens the door and hustles you inside, too. He can open the door because the car so helpfully just unlocked everything when you walked by.
Scenario #2: You've got your laptop (or something else) on the passenger seat. You so much as
Re: (Score:2)
Scenario #2: You've got your laptop (or something else) on the passenger seat. You so much as walk near your car, and the guy opens the door and grabs your stuff and runs.
All the cars I have seen with proximity keys allow you to config what happens when you get close (nothing, unlock driver, unlock all), so this shouldn't be a problem with the correct config.
The worse problem is the relay of the signal. If you know a car has no option other than a proximity key, you simply have your confederate follow the driver into the mall, and the two-way radios you each have will extend the distance of the key signal. Then, you climb in the car and drive away to the chop shop.
Re: (Score:2)
The start buttons are just cool. That's all the reason you need.
Re: (Score:1)
I've thought about the same thing with my hybrid. Everything about the car is computer controlled... steering is electric assist (without that motor, you aren't driving), brakes are electronic (mechanical if you push them all the way to the floor), accelerator 100% electronic, transmission 100% electronic... it's one rogue program away from driving itself around the neighborhood. (and with the parking sensors, it can avoid people.) Killing the car requires getting in the trunk and pulling the big orange p
Re: (Score:2)
It's like this: would you trust driving a car on software you wrote yourself?
Yeah, ok, so the guys who write embedded are a different breed of programmer, never make mistakes, etc.
The problem is, we're losing all concept of fail-safe.
And with the new push for touch-screen games on windows (!), and in-dash either entertainment or navigation plus the inevitable iPhone and Android integration, we're setting ourselves up for car viruses. The funny thing, most people will just shrug and say you should've updated
Re: (Score:1)
That used to be true. Today, on average, they're just as horrible and short sighted as everyone else -- fast and cheap are the rule. (and I started out in that world... writing assembly. but in those days, every byte and every cycle mattered, because you had very little of either.) Even NASA and medical systems are starting to show fault.
Re: (Score:2)
nah it's just like your computer, there is a hidden switch in the trunk
Re: (Score:2)
yea that fob is just a signal being broadcast to anyone with a 434MHz receiver and usually ends up being less secure than that wheel lock thing that came on your free airline rewards bag.
good night!
Re: (Score:2)
I've seen a commercial for this and the way they presented it was as a means of letting a teenager use the car, but requiring them to request permission to unlock and start it.
Re: (Score:2)
"Is it even possible to buy a new car without electric windows these days"
yea look at kia, they have better gas mileage more airbags, more horse power, and can cost as little as 10 grand brand new, but for that price you not only give up power windows and locks but also power steering, AC and sometimes a radio
Re: (Score:1)
Is it even possible to buy a new car without electric windows these days?
My brand new GMC Sierra pickup has manual windows, manual door locks and no cruise control. If you look around, you can find things without easily enough.
Re: (Score:2)
Bad assumption. You still need a physical 'key' to drive the car (the key may be a chip on your keyring in your pocket, but it still needs to be there).
Re: (Score:2)
Would have to be a rather old car, modern emission systems don't put out enough carbon monoxide to kill you.
Re:somewhere cold (Score:2)
Not at the moment, but I grew up in Iowa, so I know all about cold winters. But I never thought it was that big a deal to run out and fire up the engine. Chances are you're going to have to scrape the windows anyway, so that's plenty of time to get the heater working. It might not be "toasty" in such a short time, but it'll be a lot better than being outside.
For that matter, what if it's so cold that your car doesn't start on the first try? Does it retry on its own, or do you have to send it another text ms
Car & Hacker insurance? (Score:1)
Re: (Score:2)
No, it means when your anti-theft device is compromised via a hack and your car is stolen, the insurance company will not believe you and will tell you that you are trying to defraud the insurance company by faking a theft - since the anti-theft device is, by their analysis, "unbreakable". There is already precedent for this.
--jeffk++
Re: (Score:1)
That anti-theft devices do nothing to stop someone from pulling your car onto a low-boy and hauling it away. (Repo men do this every day.)
Re: (Score:2)
If an insurance company can't correctly assess risks on their internal books, then they're out of business. But they can still do whatever they want to try and weasel out of things.
Old news. (Score:1)
I remember in the early unencrypted days of this a client of mine looking particularly smug when he showed me how he could start his car with his remote keychain back when starting cars without being in them was all the rage. He waxed poetic about how bleeding edge he was, and while I let him have his epeen hard-on, I pointed my pda out the window and turned off his engine, promptly wiping the smug off his face.
Replay attack? (Score:3)
From TFA:
Without knowing the details, this sounds a lot like a replay attack. Or possibly a version of one of the attacks used against ATMs, back when ATMs were new and relatively unguarded. You could tap into an ATM line and basically send commands like, "eject five $20 bills" over and over again, without too much trouble.
I have a 2010 Camaro SS, which has the older version of the OnStar firmware that is not compatible with their mobile app. Now I'm relatively happy about that. One less attack vector to worry about.
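The replay concern in the comment above, set beside the nonce-based challenge/response proposed earlier in the thread, as an added example (not code from any commenter, the researchers, or a vendor). It uses HMAC-SHA256 over a shared pairing key as a stand-in for the RSA signature one commenter mentions; the class names, key and command strings are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; in the thread's design it would be set up at pairing.
PAIRING_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def tag(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (prefixes avoid ambiguous joins)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


class Remote:
    """Hypothetical phone/fob side holding the pairing key."""

    def __init__(self, key: bytes):
        self.key = key

    def static_message(self, command: bytes):
        return command, tag(self.key, command)

    def respond(self, command: bytes, nonce: bytes):
        return command, nonce, tag(self.key, command, nonce)


class StaticCar:
    """Weak design: an authenticated command stays valid forever."""

    def __init__(self, key: bytes):
        self.key = key

    def handle(self, command: bytes, mac: bytes) -> bool:
        return hmac.compare_digest(mac, tag(self.key, command))


class ChallengeCar:
    """Design from the thread: the car issues a fresh nonce per request."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None  # the single outstanding challenge, if any

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def handle(self, command: bytes, nonce: bytes, mac: bytes) -> bool:
        expected, self.pending = self.pending, None  # one use, pass or fail
        if expected is None or not hmac.compare_digest(nonce, expected):
            return False
        return hmac.compare_digest(mac, tag(self.key, command, nonce))


def demo() -> dict:
    remote, results = Remote(PAIRING_KEY), {}

    weak = StaticCar(PAIRING_KEY)
    captured = remote.static_message(b"UNLOCK")      # what a listener records
    results["static_first"] = weak.handle(*captured)
    results["static_replay"] = weak.handle(*captured)  # same bytes, accepted

    car = ChallengeCar(PAIRING_KEY)
    captured = remote.respond(b"UNLOCK", car.challenge())
    results["cr_first"] = car.handle(*captured)
    results["cr_replay_no_challenge"] = car.handle(*captured)
    car.challenge()                                   # car issues a new nonce
    results["cr_replay_new_challenge"] = car.handle(*captured)

    # The command is bound to the MAC, so it cannot be swapped in transit.
    _, nonce, mac = remote.respond(b"UNLOCK", car.challenge())
    results["cr_command_swapped"] = car.handle(b"START", nonce, mac)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:26} accepted={accepted}")
```
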
Re: (Score:1)
From TFA:
So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!
Re: (Score:2)
I have a 2010 Camaro SS, which has the older version of the OnStar firmware that is not compatible with their mobile app. Now I'm relatively happy about that. One less attack vector to worry about.
Yeah isn't it great? Actually, I've got a little older model, it looks and runs like the same car from The Flintstones, and doesn't have any of those fancy electro-gizmos like an "engine". Just good ol' feet power my baby, so if they want to come along and steal it, they're welcome to!
Well, it looks like (Score:2)
downloading a car is now possible!
I don't understand. (Score:2)
This article seems too technical. Can someone summarize using a car analogy?
Copyright Infringement and Cars (Score:2)
So, whenever there's a debate on Slashdot about "piracy" or copyright infringement, SOMEONE always makes the tired analogy about "stealing your car", and then someone else always corrects them about COPYING your car, leaving your original car behind.
Well now the pirates *can* steal your car!
And when the technology improves, there will be an app to COPY your car! And when anyone can COPY a car, what dinosaur business model will the car manufacturers be forced into? Suing their own customers like the RIAA?
Wha
Anti theft device (Score:2)
My car has an anti theft device that is nearly foolproof. It's a knob on the dashboard labeled 'Choke'. If you don't know what to do with it (and most people with no business on my lawn don't) that car isn't going anywhere. Heck, kids these days are stopped cold attempting to carjack a stickshift.
Only two hours? (Score:2)
In other news ... (Score:2)
... is an excessively constricted form of the problem. A less-wrong form would be :
No, seriously ; if you can do anything, then the bad guys can do it too. The only hope of preventing the bad guys from doing it is to make it more ex
3 Guesses (Score:1)