Breaking a Car's Cipher
An anonymous reader alerts us to research out of Belgium and Israel that claims a practical attack on the KeeLoq auto anti-theft cipher. Here are slides from a talk (PDF) at CRYPTO 2007. From the researchers' site: "KeeLoq is a cipher used in several car anti-theft mechanisms distributed by Microchip Technology Inc. It may protect your car if you own a Chrysler, Daewoo, Fiat, General Motors, Honda, Toyota, Volvo, Volkswagen, or a Jaguar. The cipher is included in the remote control device that opens and locks your car and that controls the anti-theft mechanisms. The 64-bit key block cipher was widely believed to be secure. In recent research, a method to identify the key in less than a day was found. The attack requires access for about 1 hour to the remote control (for example, while it is stored in your pocket). The attacker then runs the implemented software, finds the secret cryptographic key, and drives away in your car after copying the key." Update: 07/23 15:27 GMT by KD: One of the researchers, Sebastiaan Indesteege, pointed out that the link to the paper was incorrect; their paper has not yet been released to the public. I also managed to misattribute his nationality. He is Belgian, not Dutch. My apologies.
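The cipher the summary quotes, as an added example: this is not code from the researchers, from Microchip, or from the linked slides, just a plain Python implementation of the publicly documented KeeLoq algorithm (32-bit block, 64-bit key, 528 shift-register rounds, feedback drawn from the 32-entry non-linear table 0x3A5C742E). The demo key and plaintext are constructed values, not anything read from a real remote. `known_plaintext_pairs` only models the raw material an attacker collects while holding the remote for that hour; the key-recovery step itself is in the unreleased paper and is not reproduced here.

```python
# Added example: straight implementation of the public KeeLoq block cipher.
# Not the researchers' or Microchip's code; assumes the standard published
# description (NLF table 0x3A5C742E, 528 rounds, key bit r mod 64 per round).

NLF = 0x3A5C742E       # 32 single-bit entries indexed by five state bits
ROUNDS = 528
MASK32 = 0xFFFFFFFF


def _bit(value: int, n: int) -> int:
    """Return bit n of value."""
    return (value >> n) & 1


def _nlf(x: int, a: int, b: int, c: int, d: int, e: int) -> int:
    """NLF lookup on five state bits; bit a is the low index bit, e the high one."""
    idx = (_bit(x, a) | (_bit(x, b) << 1) | (_bit(x, c) << 2)
           | (_bit(x, d) << 3) | (_bit(x, e) << 4))
    return _bit(NLF, idx)


def keeloq_encrypt(block: int, key: int) -> int:
    """Encrypt one 32-bit block under a 64-bit key."""
    x = block & MASK32
    for r in range(ROUNDS):
        # feedback = NLF(x31, x26, x20, x9, x1) ^ x16 ^ x0 ^ key bit (r mod 64)
        fb = (_nlf(x, 1, 9, 20, 26, 31) ^ _bit(x, 16) ^ _bit(x, 0)
              ^ _bit(key, r % 64))
        x = (x >> 1) | (fb << 31)          # shift right, new bit enters at the top
    return x


def keeloq_decrypt(block: int, key: int) -> int:
    """Invert keeloq_encrypt by undoing the rounds with the key bits in reverse order."""
    x = block & MASK32
    for r in range(ROUNDS):
        # the last encryption round used key bit 527 mod 64 == 15, so walk down from 15
        fb = (_nlf(x, 0, 8, 19, 25, 30) ^ _bit(x, 31) ^ _bit(x, 15)
              ^ _bit(key, (15 - r) % 64))
        x = ((x << 1) | fb) & MASK32       # shift left, recovered bit re-enters at the bottom
    return x


def known_plaintext_pairs(key: int, count: int) -> list:
    """(plaintext, ciphertext) pairs of the kind an attacker collects from a borrowed remote."""
    return [(p, keeloq_encrypt(p, key)) for p in range(count)]


if __name__ == "__main__":
    demo_key = 0x0123456789ABCDEF    # constructed demo key, not a real device key
    pt = 0xDEADBEEF                  # constructed plaintext
    ct = keeloq_encrypt(pt, demo_key)
    assert keeloq_decrypt(ct, demo_key) == pt
    print(f"plaintext {pt:08x} -> ciphertext {ct:08x}")
```

The round structure is the point worth noticing: each round mixes in exactly one key bit and the feedback is a single table lookup, which is what makes the cipher cheap enough for a fob and also what gives cryptanalysts so little to chew through per round.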
Wrong paper (Score:3, Informative)
So? (Score:4, Insightful)
Re: (Score:2)
Re:So? (Score:4, Funny)
Step 2. Yeah, if they used 3DES or Blowfish at the time, this wouldn't be an issue.
Step 3. See Step 1.
Re: (Score:2)
Re: (Score:3, Funny)
Re: (Score:2)
I don't think these guys [wikipedia.org] have ever trapped anyone.
Re: (Score:2)
If anything, that's probably less secure [wikipedia.org].
Re: (Score:2)
Re: (Score:3, Funny)
Nobody'd steal it though. Heck, even I check under/behind the seat before I get in; I'm always worried that some kind of animal will have started living in there and I might get bit.
Re: (Score:3, Interesting)
Re: (Score:3, Informative)
If you are buying a fancy car to show off your wealth or whatever, when perfectly good alternatives exist, you deserve to be robbed.
If you can't afford to have your expensive car stolen, then can you really afford that expensive car?"
Not everyone buys an expensive car to show off....many people just like perf
Re: (Score:2)
If you are buying a fancy car to show off your wealth or whatever, when perfectly good alternatives exist, you deserve to be robbed.
If you think it's only fancy expensive cars that have remote keyless entry, you're misinformed. The rental Malibu I was stuck with had it, and if that's a fancy car then I'm a tossed salad. I'm not sure why you think the victims of car theft should be blamed for the crime, but I don't agree. The criminals are at fault, regardless of the victim's motivation for buying that particular vehicle. Why do people only deserve their property rights when they buy things you approve of, anyway?
Re: (Score:3, Insightful)
And another reason your argument is stupid: Just because I have money to buy nice things doesn't mean I should have them stolen. Nor should I expect it.
You own a house. Lots of people don't own a house. You should be robbed/broken into just because you have a house?
Re: (Score:2)
Most professional car theft rings are stealing the cars to strip them for parts that are then resold to mechanics who use the parts to repair other vehicles. That "business model" is why the most often stolen cars are often the most common (Toyota Camry, Honda Accord, etc).
Re:So? (Score:5, Funny)
Sorry, we can only communicate through analogies to either automobiles or door locks. Discussion of actual automotive door locks is therefore impossible, and referring to Belgium as "the Netherlands" will have to be the site's sole contribution.
Re: (Score:3, Funny)
Re:So? (Score:5, Funny)
A Beowulf cluster of keys (bound by a token ring) would make it difficult to interrogate any specific key.
Re: (Score:2, Insightful)
Re: (Score:2)
Re:So? (Score:5, Interesting)
Nope..I first found this on my first corvette...a '97 C5. It had a setting through the dash display, where you could set the car to sense when you came near enough with the keys, and it would automatically unlock. You could set it to unlock either both doors, or just drivers side.
I played with it awhile, but, I found that the hook I kept my keys on near the front door...were too close to where the car was parked...and would at times unlock the car in the driveway. I turned it off after that.
Re:So? (Score:5, Funny)
Re: (Score:3, Insightful)
Re:So? (Score:5, Funny)
Re: (Score:3, Informative)
Re: (Score:2, Funny)
Re:So? (Score:4, Funny)
Re: (Score:2)
ATM Machine
SCUBA Gear (The 'A' stands for "Apparatus")
PIN number
VIN number
etc.
Re: (Score:2)
And, for some odd reason, the schools called me and my friend before him when they had computer problems.
Re: (Score:2)
Is that what you tell yourself so you can sleep at night?
Re: (Score:2)
It sounds strange that it's possible to read something from the key while not pressing any of the buttons on it. If it constantly sends out stuff, shouldn't the batteries go away directly then? Or did I miss something?
Re:So? (Score:4, Informative)
Yep. Passive RFID chips require so little energy that the reader can power them with the current the antenna produces when hit by the EM waves from the reader. Usually this means that you have to hold the chip (card, key, etc) very close to the receiver (against it, the key in the lock, etc).
However, that proximity is only necessary if you use the standard reader. There's nothing stopping someone from getting a standard reader and jacking up the power enough to activate and read the chips from a much greater distance.
Unless you get a tin-foil wallet. And tin-foil pockets. Etc.
Re: (Score:2)
Re: (Score:3, Funny)
--
Im in ur pockets, jackin ur keez
Re:So? CNC... (Score:5, Interesting)
These days, many high-end car keys are CNC cut (my mini's key has huuuuuge tooling marks from a spindle-out-of-square), which will actually cause a bit of trouble. This isn't something you could easily do a putty-transfer on, nor does the group of people who spend a lot of time breaking cyphers typically overlap with the group of people who have and can work with CNC equipment.
In the end, I think flatbedding the car is the way to go. All the big chop shops are doing this now. If you're small-time, carjack. Alternately, get a real job.
Re: (Score:3, Interesting)
Re: (Score:2)
Re: (Score:3, Informative)
Lock picking is NOT that complicated. Basically, just apply a rotation to the cylinder, while pushing each pin up until you find the one that binds. (Locks are not perfect, one pin will usually bind before the others.) Push that pin up until the shearline is at the right point, and the cylinder will rotate slightly, keeping that pin in place. Repeat to find the next pin that binds.
Now, there are some types of locks that make it harder to do this. (Through various means I won't
Re: (Score:2)
Anyway, correct me if I'm wrong, but doesn't the Mini key communicate with the car's computer system when it's inserted?
I know when I take my car in for its 10k checkups, they just drop the key in this little scanner and pull the mileage off. Could be RF, too, for all I know. I guess one check would be to take my spare key around the car, but not use it to start/unlock the doors and then take it to the dealer and trick em.
Re: (Score:2)
It consists of an RF transmitter to open the doors, etc, and a passive RFID chip that had to be read by the steering column before the car will start. If you look at the other products on the FCC site by Valeo, you'll see various steering column readers and door lock receivers. The transmitter is actually fairly complex - it uses rolling codes to help prevent theft by replaying/predicting codes.
No. (Re:So?) (Score:2)
So next time you let a car thief put his hands into your pocket, make sure it's only for 50 minutes.
Is it just me, or are a lot of exploits like this? A thief can gain access to ANYTHING in your house once they are INSIDE! OMFG!
Re: (Score:2)
Missed that bit of the summary, did you? Sounds like they can do it all remotely... maybe someone who has RTFA could shed some light on this area.
Re:So? (Score:5, Funny)
Basically, these electronic-chips-encrypted-stuff-on-the-car-key aren't meant to make it any harder for a car thief to get your car. It's just there to manage to increase the penalty for car theft.
Car theft isn't that much of a crime nowadays. However, breaking the cipher will net you a DMCA violation and such things will carry the death penalty pretty soon.
Re: (Score:2)
The important thing here is that the person you *think* was guarding your key *could not* have stolen your car.
In fact, you have no way of knowing how your car was stolen.
In an interesting variant, thieves also hire cars, dup the keys, then just drive 'em away after rental return...
So yes, it's important that they can crack the crypto, so can duplicate...
Re: (Score:3, Funny)
Re: (Score:3, Interesting)
http://www.lojack.com/where/lojack-coverage-areas.cfm [lojack.com]
If it can't get a signal it can't send, since it rides traditional communications services.
http://www.lojack.com/lojack-faqs/index.cfm [lojack.com]
They can remove the transponders rather quickly if they are experienced car thieves.
I had a 2004 Dodge Ram that was stolen for the gear in the bed of the truck since it was a capped truck with a security system it was easier for them to take the whole tru
Lojack anecdotes (Score:2, Interesting)
Re: (Score:2)
Re: (Score:2)
Original comment (by Rob_Ogilvie): If a car thief has access to your keys for an hour, aren't you going to lose your car anyway?
My reply (AC 20329975): Valet, car wash, there are many places that you may leave your keys unattended for enough time for this to occur. And after you've been to the same valet or car wash a few times, it's not hard for an employee/thief to figure out where you live (and where your car sits overnight).
What
Re: (Score:2)
Obligatory (Score:5, Funny)
KITT: Michael, someone's trying to hack into my operating system! Help me Michael!
Re: (Score:2)
Allow or deny?
they Still can't simply drive away with your car (Score:2)
Re: (Score:2, Interesting)
Re: (Score:2)
I believe the Prius does that....I seem to remember a friend of mine showing me this 'feature'.
Not really (Score:5, Insightful)
I just purchased a new car that doesn't have a mechanical ignition system. There's a place to attach the key (doesn't have metal teeth or anything), and a big "Start/Stop" button. The steering wheel lock is also electronic, and is controlled by the electronic signal from the key. I have no idea if my car uses KeeLoq--- I sure hope not.
Mechanical locks are on their way out, largely because they're ineffective against even moderately sophisticated criminals. That's the whole reason Immobilizer systems were rolled out in the first place. This attack effectively strips the immobilizer out of the car and rolls the security back to pre-Immobilizer levels. You only need to look at theft rates among models with and without immobilizers to see what impact that has.
Finally, for those who say that 1-hr access to the key is unreasonable: remember that the attack here is _key copying_, not theft. The immobilizer systems are designed to prevent copying, so that your valet or repair person can't make a copy of your key and steal it later. This attack takes a lot longer than other attacks which are out there (example [wikipedia.org]), but it's still not out of the question.
The basic lesson of all these attacks is that manufacturers need to use strong cryptography rather than custom, homebrewed ciphers. Hopefully with fabrication prices dropping, this will be the last generation of truly ridiculous authentication systems.
Re:New Prius (Score:2)
I like my Prius also. I have an older one that still uses a chip in the key. When you hack my remote, you also have to hack my key. The Prius does not have a 12 volt starter at all. The throttle is fly by wire. The EV transmission is a computer controlled motor/generator set. Unless you can convince the computer to operate, there is absolutely no way to drive it off with nothing but the data from t
Still better than just a key (Score:2)
I assumed he'd just take the original and copy it, like most box stores. Not this guy. He said no thanks, went out to my car, and without my keys he made a working key in about 5 minutes.
I wouldn't have believed it possible unless I saw it with my own eyes. He filed a blank key until it worked, feeling the lock. I thin
Re: (Score:2)
My strategy is to buy cars in the 6-8 year old range that are maintained. Continue to do routine maintenance, but as soon as the car has big problems, it gets scrapped or sold cheap. When my wife and I shared a car, I budgeted $220, which covered gas, maintenance and buying another car. With two I thin
Re: (Score:3, Informative)
Then I do the absolute minimal servicing on it, and insure it third party only (the minimum legal level of insurance) and drive it around until it either stops working, or becomes unroadworthy... Then it gets scrapped.
Of course, I am also a member of a breakdown organization!
A side effect of driving a junk car is that no one will want to steal it. One of the cars I had didn't even lock, and ye
Re: (Score:2)
My wife and I each have a car. Mine uses this KeeLoq chip, and a couple other security devices, and hers does not. We both have a perfect driving record. My car cost almost double hers when new, and my car is only a year old, while hers is four years old. Yet due to the anti-theft devices, insurance for her car costs more than double what it costs for mine.
It is annoying t
Re: (Score:2)
They tend to be very cheap nowadays, because:
They guzzle gas, people don't want gas guzzlers anymore
They were posh cars for rich people, rich people will buy new cars not drive old ones
Thus, there are plenty of old cars from the likes of rolls royce, jaguar, mercedes etc available very cheaply, and most of them have sizeable engines and lots of goodies to play with.
Re: (Score:2)
If you use the words "Jaguar" or "Mercedes" in the same sentence as "cheap" you obviously haven't owned one for very long...
When I transitioned from old "cheap" cars to fancy-ish new cars was the first time I had six consecutive months of the maintenance costs on my Eldorado (Which I bought for $2500) being higher than the pa
Re: (Score:2)
Re:Old reliability data (Score:5, Informative)
That has turned out to be FUD now that they are getting lots of miles. The battery pack is easier to change than a typical transmission and now costs less. In addition it has been proven more reliable. (Google search Prius Battery Failures). The little 12 volt battery is a much higher failure rate item needing a 3-5 year replacement cycle just like their conventional counterparts.
In the trade-off of mechanical parts for electronic, most mechanical high-failure items on the Prius have been eliminated.
Here is a short list..
No belts, not even for a water pump or AC.
No Hydraulics hoses or lines except the brakes.
No leaky AC rubber hoses or shaft seals.
No clutches, pressure plates, bands, or hydraulics of any kind in the transmission
Here is how the improvements work.
The AC is a sealed electric unit like a home refrigerator. The compressor is body mounted, eliminating leaky shaft seals, belts, clutch, and hoses.
The transmission has 7 moving parts. None of them is any kind of friction, shift, or hydraulic part. It's built like and as reliable as a differential. The battery pack is composed of 7.2 volt modules. A module failure does not equal a battery pack replacement.
The Power steering is a linear electric motor for assist. This eliminates the power steering pump, hoses, and power steering fluid issues.
The power brakes use a compressor so it is a trade off for the vacuum module for a compressor.
The cooling system is powered by electric pumps. It traded belt driven problems for electric pump problems. I haven't seen reliability reports on these pumps yet, which is a good thing.
Even the starter motor with its brushes, solenoid, Bendix gear and other failure items has been eliminated. The brushless AC Motor/Generator set in the transmission starts the engine.
I studied all these issues before I bought a Prius. TCO is an important number to me.
For me personally, Here are some of my stats.
I have 120,000 on my Prius. At 20,000 and 80,000 miles I changed tires (the originals don't wear well). At 70,000 miles I had to change the 12 volt battery in late 2005 so it lasted almost 4 years.
At the last tire change, I had the brakes checked. I have 80% remaining. Other than give it gas and regular oil changes, it has required zero repairs except a rock chip in the windshield.
Most other cars I drove with over 100,000 miles were getting into needing starters, alternators, brakes, belts, power steering, Air Conditioner, and transmission service.
Re:they Still can't simply drive away with your ca (Score:2)
oh brudder (Score:2, Funny)
Another reason to carry around an RFID jammer.
Quick, someone create Faraday pants, or should I line my pockets with tinfoil?
So... (Score:2)
Hotwire it.
How easy is that? I think they'd just carjack someone before going through the trouble.
Re:So... (Score:5, Interesting)
The mythical Honda override exists: It's a series of presses and pulls of the emergency brake. Each car, it seems, has a unique override code, which correlates to the VIN. [wired.com]
Re: (Score:2)
The ONLY key? What do you do when that little battery runs out and you are stuck in the middle of nowhere? Sounds like a really bad idea.
I have a 2006 Honda Civic. It came with a key.
Re: (Score:2)
The battery will typically last a couple of years, and gets changed by the garage when you service it, which presumably you do more often than every couple of years, so you should never notice it going flat.
Even so, the manufacturer keeps a record of the codes allocated to each car and can produce you more keys easily enough.
As for copying these proximity systems, all you need is somewhere that people are likely to be in one place for more than an hour (restau
learn to read, you insensitive clod (Score:5, Informative)
In other news: The Canadian president George W. Bush invaded Iran because of the 9/11 attack on the World Trade Center of Chicago.
Re: (Score:2)
In other news: The Canadian president George W. Bush invaded Iran because of the 9/11 attack on the World Trade Center of Chicago.
Why did you post anonymously? This is a variation on a classic Slashdot +5 funny!
I'm American; There is no way I'd mod this down.
YMMV though, I've seen some weird mod's over the years. Like the American political system, I think there are problems with the Slashdot mod system, but it's better than anything else I've seen. And I really believe that the only way to fix it is to get people to understand that the reason for modding at all is to establish how interesting, relevant, or readable a comment is, ra
Re: (Score:2)
The part that starts with weird non-English words, and ends with somewhere (probably somewhere smallish) in Northwestern Europe.
Like it or not, most Americans parse it exactly that way. "Belgium? Nah, I prefer the regular kind of waffles, thanks."
/ self-debasing, here, not trolling
Summary (Score:3, Interesting)
Break one key device, break them all.
Daewoo? more like Daew00t. (Score:3, Funny)
That's okay. If you own a Daewoo, you could hand the key to a thief and they still wouldn't steal it. Nothing to see here, move along.
Symmetric Key Exchange (Score:4, Interesting)
When someone patents that device, just point to this post as prior art. If it's patent free, anyone can use it, and there's no excuse for not securing cars (and homes, and bikes, and
You're welcome.
Re: (Score:3, Insightful)
Re: (Score:3, Interesting)
Re: (Score:2)
For another, descriptions of the inventions, even in fiction, are indeed deemed enough "prior art" to challenge an application's required "novelty". So no, their patent isn't valid if I publish the idea before they "invent" it.
Broken Cipher, you say (Score:3, Funny)
I'm headed to the annual "Vegan food and wifi jamboree" at the co-op where I expect to "win" a new Prius.
Of course I have to bring my laptop. Don't worry, just because I'm sitting at the table next to you doesn't mean I'm using my machine to crack the crypto on your key while we enjoy our roasted yams. I'm just writing my tract about municipal wifi and organic gardening.
Oh, yeah? You own a Prius? In red? I always liked red. Man, you have the only red one here...
Beware the unbreakable anti-theft system (Score:2)
1. What happens if someone genuinely loses their keys? There needs to be some way for the manufacturer to sort them out.
2. Car theft won't stop overnight. But it will cause more things like carjackings (rather more violent and distressing) and key theft.
3. In any major city, there are enough tow trucks that nobody will bat an eyelid if they see a car being lifted onto the back of one. It's brazen, but by the time it dawns on the driver that their
daggum furriners (Score:2)
This is news WHY? (Score:2)
Breaking a Car's... (Score:2)
It's not that hard... (Score:3, Insightful)
If the manufacturers ACTUALLY gave a crap about security they could easily enough make the system secure. Instead they're more interested in patentable special sauce and NIH.
The thing is, cryptography is at the same time very easy or very hard. It's very easy to utilize one of several freely available strong systems in order to be secure. It's very easy to invent a system from scratch that YOU don't know how to crack. It's very hard to invent your own system that nobody else will know how to crack. It's very easy to introduce a serious flaw when re-implementing someone else's crypto. If you haven't devoted your professional career to cryptography, the best bet is to utilize someone else's.
For example, Blowfish is completely free of encumbrance and has several fully public domain implementations available in C. RSA is (now) equally free. It is well understood, has years of successful use behind it and years of analysis demonstrating that it would cost WAY more to crack the key than any car is worth (not to mention that it would take longer than the typical lifetime of a car). There are plenty of years old CPUs out there that have more than enough "oomph" to handle RSA and are well suited to embedded use. They might cost a dollar more, but this sort of system is not used in "bargain basement" cars.
They spend the extra cash on fine leather seats and steering wheel covers but use Yugo quality locks to protect it?
Master key (Score:2)
Re: (Score:2)
Re:Belgium not The Netherlands (Score:5, Funny)
It's the Netherlands, not Holland.
Re: (Score:2)
Re:Belgium not The Netherlands (Score:5, Funny)
It is however an understandable mistake to make, as most Dutch know very well, you can't expect Belgians to figure these things out.
But then again, it's not like linking to a
Re: (Score:2, Insightful)
Re: (Score:2)
merely construct a repeater, and hide it near your target car owner. Walk up to the car with the other end of the repeater, and blam, free entry into the car.
Re: (Score:2)
What happens if I park my car in the carport and lock it and then, some time later, walk by it on the way to the mailbox with keys in my pocket? The neighbor kid sees the locks pop open and helps himself to my CDs, GPS, etc.
Re: (Score:2)
honestly, I dont even know where mine is.
Re: (Score:2)
Older ones, yeah. They're just pseudo-random generators, with the seed in sync with the car. The car accepts the next 15 numbers in the pseudo-random sequence, and when a valid number is used, it locks/unlocks and re-syncs the pseudo-random generator seed. My car manual comes with instructions on how to manually re-sync car and key if it stops working (for example, a kid clicks the key more than 15 times when the key is away from the car).
Note, however, that having past numbers reveals nothing about the
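The window-and-resync behaviour the comment above describes, as an added example that is not part of the page and is not taken from any manufacturer's firmware. HMAC-SHA256 over a counter stands in for the fob's keyed code generator (a real system uses a cipher, but the synchronisation logic is the same); the 15-code window follows the comment, while the wider two-consecutive-codes resync window (`RESYNC_LIMIT`) and the key bytes are assumptions made for the demo. The point it shows is why a captured code is useless once the car has seen it, and why a fob clicked too many times away from the car needs two presses to recover.

```python
# Added example: a minimal rolling-code receiver. Not vendor code; the keyed
# function (HMAC) and the resync window size are stand-ins chosen for the demo.
import hashlib
import hmac

WINDOW = 15            # codes accepted ahead of the last synced counter (per the comment)
RESYNC_LIMIT = 4096    # assumed wider window; needs two consecutive codes to resync


def hop_code(key: bytes, counter: int) -> bytes:
    """Keyed, random-looking code for one counter value (HMAC stands in for the cipher)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Transmitter:
    """The fob: bumps its counter on every press and emits the code for it."""

    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.counter = counter

    def press(self) -> bytes:
        self.counter += 1
        return hop_code(self.key, self.counter)


class Receiver:
    """The car: remembers the last accepted counter and only ever moves it forward."""

    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.counter = counter
        self.pending = None   # first counter of a possible resync pair

    def accept(self, code: bytes) -> bool:
        # Normal case: the code must match one of the next WINDOW counters.
        for c in range(self.counter + 1, self.counter + WINDOW + 1):
            if hmac.compare_digest(hop_code(self.key, c), code):
                self.counter = c          # re-sync on success; every older code is now dead
                self.pending = None
                return True
        # Fob clicked too often away from the car: accept only two consecutive
        # counters from the wider window, then re-sync to the second one.
        for c in range(self.counter + WINDOW + 1, self.counter + RESYNC_LIMIT):
            if hmac.compare_digest(hop_code(self.key, c), code):
                if self.pending == c - 1:
                    self.counter = c
                    self.pending = None
                    return True
                self.pending = c
                return False
        # Replayed, stale or foreign code.
        self.pending = None
        return False


def demo() -> dict:
    """Walk through the replay, out-of-window and resync cases; returns each verdict."""
    key = b"constructed demo key, not a real fob key"
    tx, rx = Transmitter(key), Receiver(key)
    results = {}
    first = tx.press()
    results["fresh"] = rx.accept(first)                # accepted, car now at counter 1
    results["replay"] = rx.accept(first)               # rejected: counter 1 already consumed
    for _ in range(WINDOW):                            # 15 presses out of range of the car
        tx.press()
    results["too_far"] = rx.accept(tx.press())         # counter 17 is outside 2..16: held as pending
    results["resync"] = rx.accept(tx.press())          # counter 18 follows 17: accepted and synced
    results["after_resync"] = rx.accept(tx.press())    # counter 19 is back inside the window
    results["wrong_key"] = rx.accept(hop_code(b"other key", rx.counter + 1))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:13s} {'accepted' if ok else 'rejected'}")
```

Note what the receiver does not do: it never accepts a counter at or below the last one it saw, so the codes an eavesdropper records are worthless by the time the owner has used the fob once more. That is the property the cipher attack in the story defeats, because with the key the attacker no longer needs captured codes at all.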
Re: (Score:2)
Re: (Score:2, Funny)
Re: (Score:2)
set a device that could steal many keys underneath the box they store keys in...
you also do not need to be in physical control of the key. Merely near it.
Re: (Score:2)