How 'Smart Keys' Have Fueled a New Wave of Car Thefts (theguardian.com) 177
"One London resident watched on CCTV as a thief walked up to his £40,000 car and drove away," reports the Observer. "Now manufacturers say they are being drawn in to a hi-tech 'arms race' with criminals."
[H]i-tech devices disguised as handheld games consoles are being traded online for thousands of pounds and are used by organised crime gangs to mimic the electronic key on an Ioniq 5, opening the doors and starting the engine. The device, known as an "emulator", works by intercepting a signal from the car, which is scanning for the presence of a legitimate key, and sending back a signal to gain access to the vehicle...
Hyundai says it is looking at measures to prevent the use of emulators "as a priority". But it is not the only carmaker whose vehicles appear to be vulnerable. An Observer investigation found that models by Toyota, Lexus and Kia have also been targeted... British motorists now face an increase in the number of thefts and rising insurance premiums... Car thefts are at their highest level for a decade in England and Wales, rising from 85,803 vehicles in the year to March 2012 to 130,270 in the year to March 2023 — an increase of more than 50%. Part of the reason, say experts, is the rise of keyless entry...
Kia did not respond to a request for comment. A spokesperson for Toyota, which owns Lexus, said: "Toyota and Lexus are continuously working on developing technical solutions to make vehicles more secure. Since introducing enhanced security hardware on the latest versions of a number of models, we have seen a significant drop-off in thefts. For older models we are currently developing solutions."
Another common attack requires entry to the vehicle first, according to the article, but then uses the vehicle's onboard diagnostic port to program "a new key linked to the vehicle..."
"Many owners of Ioniq 5s, which sell from around £42,000, now use steering locks to deter thieves."
Hyundai says it is looking at measures to prevent the use of emulators "as a priority". But it is not the only carmaker whose vehicles appear to be vulnerable. An Observer investigation found that models by Toyota, Lexus and Kia have also been targeted... British motorists now face an increase in the number of thefts and rising insurance premiums... Car thefts are at their highest level for a decade in England and Wales, rising from 85,803 vehicles in the year to March 2012 to 130,270 in the year to March 2023 — an increase of more than 50%. Part of the reason, say experts, is the rise of keyless entry...
Kia did not respond to a request for comment. A spokesperson for Toyota, which owns Lexus, said: "Toyota and Lexus are continuously working on developing technical solutions to make vehicles more secure. Since introducing enhanced security hardware on the latest versions of a number of models, we have seen a significant drop-off in thefts. For older models we are currently developing solutions."
Another common attack requires entry to the vehicle first, according to the article, but then uses the vehicle's onboard diagnostic port to program "a new key linked to the vehicle..."
"Many owners of Ioniq 5s, which sell from around £42,000, now use steering locks to deter thieves."
If you park outside.. (Score:2)
Pin to drive.
It's how I prevent relay attacks of this sort. You can open the door, but you can't drive away.
Re: If you park outside.. (Score:2)
How the FUCK is there not a public / private key exchange between can and key? This would cost like 2c in parts to implement and would be unbreakable.
Re: If you park outside.. (Score:3)
Public / private keys are not the answer to a relay problem (Iâ(TM)m not sure thatâ(TM)s what the article is about, but itâ(TM)s what the parent poster to your post described).
Time of flight calculations are.
But in any case, itâ(TM)s a solved problem, and some manufacturers are just cheap or ignorant.
Re: (Score:3)
Re: If you park outside.. (Score:3)
Apparently you havenâ(TM)t figured yet that /. is the only site on the internet that doesnâ(TM)t work. Whinging at posters is the wrong response, youâ(TM)re never going to find satisfaction that way.
Re: If you park outside.. (Score:3)
Isn't the main theme of this site targeting nerds? You know, the same kind of people who write RFCs in plain-text ASCII with fixed-width fonts. Sure, UTF8 is great and all, but even if that were supported, I still think that smart quotes are for other useless shit like fecebook. Think about it: Do smart quotes really make a big difference in your life? If smart quotes were gone tomorrow, would it really be a big setback in your life? No? Then keep it simple, stupid.
Re: (Score:2)
Public keys are half of the solution. The other half is to put the start button on the FOB. The bad guys may easily arrange proximity with the fob in your pocket or on your nightstand, but how will they get you to press the button?
A second button on the fob for the door locks. If they want to keep the convenience in-tact, that button enables the fob to transact for the doors for the next 5-10 minutes. Also enable for 10 minutes after the car was last running for easy trunk access.
Automakers could have come
Re: If you park outside.. (Score:2)
A tight latency requirement would do the job fine. That would involve all of a firmware update.
Re: If you park outside.. (Score:5, Informative)
You are not reading the problem, encryption is not a solution AT ALL to the current problem.
The current problem is that the communication between the vehicle and the fob is RF (of course). Car makers assumed that'd be secure because it's distance-limited (the fobs are really low power), but thieves are using radio relay devices. Asymmetric encryption between the fob and the vehicle still passes, it's just now instead of only working 10 feet away, it can be relayed basically any distance. Keep your fob by your house door? Thieves can stand outside the door and relay the signal to your vehicle. That's not a replay attack (that proper encryption prevents), it's not even a MITM (because the thieves don't learn any information).
The solution (as already stated) is to also check timing. Require the fob to be in a specific spot next to the vehicle transceiver when pairing and learn the minimum response time (this handles the possibility that a new fob might have a different speed processor and respond faster or slower). Then require all communication for that fob to be within that learned time plus N nanoseconds, where N is the number of feet away you want to allow the fob to work.
It makes the vehicle side cost slightly more (probably a few dollars), but the fob doesn't even have to change.
Re: (Score:2)
Re: (Score:2)
Re: If you park outside.. (Score:2)
You're not understanding the proposed solution. I'm not proposing the use of encryption, I'm proposing the use of authentication. It turns out after a little googling that Teslas do more or less exactly what I described.
Re: (Score:2)
Authentication is built on encryption. It can be symmetric (with a shared secret learned at pairing) or asymmetric (with sharing of public keys at pairing). But neither does a thing to protect against relay attacks.
Part of the vehicle side of the security is built on the assumption that the fob is range-limited (push-to-start is a proximity system requiring the fob to be "in range" as well as answer an authenticated challenge response), and relay attacks break that assumption. It's the same as if I take you
Re: If you park outside.. (Score:2)
Authentication doesnâ(TM)t give you the guarantee âoethis message was sent by X, and never relayed by anyoneâ. It gives you the guarantee âoeat some time, X sent this message.â If it gave you the former gaurentee, the entire internet would fall apart, because messages could never be routed through anyone else on their way to you.
Re: (Score:2)
The current problem is that the communication between the vehicle and the fob is RF (of course). Car makers assumed that'd be secure because it's distance-limited (the fobs are really low power), but thieves are using radio relay devices. Asymmetric encryption between the fob and the vehicle still passes, it's just now instead of only working 10 feet away, it can be relayed basically any distance. Keep your fob by your house door? Thieves can stand outside the door and relay the signal to your vehicle.
Thanks for explaining.
The solution (as already stated) is to also check timing. Require the fob to be in a specific spot next to the vehicle transceiver when pairing and learn the minimum response time (this handles the possibility that a new fob might have a different speed processor and respond faster or slower).
Some manufacturers seem to already do this. My cars seem to know when a fob is inside the car (so the doors don't lock). One of my cars unlocks when a fob comes within about six feet. I'm pretty sure that car also knows when a fob is in the driver or passenger seat so it can adjust the car settings. Honestly, this seems like black magic to me. I can't see how a $100 fob (this is a BMW so that's a quite reasonable price) and expensive car can figure this out to that precision.
The other
Re: (Score:2, Informative)
Sure, the problem isn't one of encryption *per se*. The problem is coming up with a secure cryptographic protocol to authenticate the key fob that is secure from replay and man-in-the-middle attacks. Designing a reliable and secure protocol certainly requires the services of a professional cryptographer, not amateurs like us trying to dream up schemes that would thwart *ourselves*.
It's not like this is some kind of novel problem that cryptographers have never faced before. It's automakers trying to solve a
Re: (Score:3)
What I'd like to see for a solution is perhaps the vehicle ignoring range until the unlock button is pressed... and pressing the unlock button is something that can't easily be done (assuming the key fob is using a decent two way security protocol), and from there, then consider range of the fob. Once the lock button on the fob is pressed, it doesn't matter where the fob is, the doors remain locked.
Alternatively, I'd always like to see the ability to just disable the constant-remote stuff, and have the fob
Re: (Score:3)
Re: (Score:3)
You are not reading the problem, encryption is not a solution AT ALL to the current problem.
The current problem is that the communication between the vehicle and the fob is RF (of course). Car makers assumed that'd be secure because it's distance-limited (the fobs are really low power), but thieves are using radio relay devices. Asymmetric encryption between the fob and the vehicle still passes, it's just now instead of only working 10 feet away, it can be relayed basically any distance. Keep your fob by your house door? Thieves can stand outside the door and relay the signal to your vehicle. That's not a replay attack (that proper encryption prevents), it's not even a MITM (because the thieves don't learn any information).
The solution (as already stated) is to also check timing. Require the fob to be in a specific spot next to the vehicle transceiver when pairing and learn the minimum response time (this handles the possibility that a new fob might have a different speed processor and respond faster or slower). Then require all communication for that fob to be within that learned time plus N nanoseconds, where N is the number of feet away you want to allow the fob to work.
It makes the vehicle side cost slightly more (probably a few dollars), but the fob doesn't even have to change.
The problem with that is, car manufacturers will get "I'M STANDING RIGHT NEXT TO MY CAR... WHY WONT IT OPEN" from average people who have gotten used to just walking up to their car and opening the door (read: too lazy to push a button). This is a bigger issue to them and their profit than cars being stolen (that is the insurance company's problem).
Automotive security is laughable. Manufacturers will gladly release an insecure product until the point where they're forced not to by law. If various compani
Re: (Score:2)
Public / Private keys absolutely ARE a solution to this problem.
I can see the Reason TV segment now:
"...and in order to deter car thieves, manufacturers started protecting access to their vehicles with cryptographic keys. When the vehicle's FOB sent the right key, access to that vehicle and all it's features was unlocked. That seemed like a great idea, with the best of intentions. What could possibly go wrong?
It turns out that car manufacturers, in order to simplify their tracking and maintenance, installed the same keys on all their vehicles. All it took was one determ
Re: If you park outside.. (Score:2)
How would public/private keys prevent the man in the middle attack going on here?
Those prevent someone from pretending to be a host and sending a *different* message from the intended one; or from reading the contents of the message. Here, weâ(TM)re talking about pretending to be a host and send *the same* message. Usually we donâ(TM)t care if someone does that, because all we care about is the contents of the message. Here though, what we care about is the fact that the message was sent at all
Re: If you park outside.. (Score:3)
Public key cryptography also introduces a bunch of other headaches, like key exchange/revocation, root certs, etc. that are pretty tricky to get right for a product that does not connect to the Internet and is expected to be in use for up to two decades.
Re: (Score:2)
Not really. We're talking about a fob, not an actual user. The private key is embedded in the fob in a hardened chip, and never read out, kinda like how keys are kept in TPM modules. All that has to happen then is:
Fob: "Open doors please"
Car: "Sure, but first sign this datagram with the private key corresponding to one of the saved authorized public keys that I have on file."
Fob: "Here is the signed data."
Car: Nice. Proceed.
Re: If you park outside.. (Score:2)
"I lost my fob"
Re: (Score:2)
Wow look. You know how I said it can be done, and you said it can't be?
Well, it turns out how I said it should be done is *exactly* how it IS done by Telsas:
https://www.reddit.com/r/tesla... [reddit.com]
Re: (Score:2)
Car thief: Get into car using traditional keyless methods. Put car into learning mode and register new fob purchased from walmart, steal car.
Done.
Re: If you park outside.. (Score:2)
Fob: please unlock car.
Thieveâ(TM)s relay: please unlock car.
Car: okay, please sign this datagram.
Thieveâ(TM)s relay: okay please sign this datagram
Fob: okay, hereâ(TM)s the data I signed.
Thieveâ(TM)s relay: okay, hereâ(TM)s the data I signed.
Re: If you park outside.. (Score:3)
Car thefts were way down before push button start came out, (except for Hyundai/kia), it was to the point where thieves had to break into your house and steal the keys to get the car, then everyone started the push button start craze and it's a nightmare.
Programming Code (Score:2)
Re:Programming Code (Score:5, Informative)
Yes, it is irresponsible how car companies, Hyundai in particular, have deployed this technology without even rudimentary adversarial testing.
The solution isn't even that hard: The key fob just has to be designed so it doesn't send the same code each time.
There are several ways to do this:
1. Add a receiver so communication is two-way. The key fob sends a code. The car answers with a challenge. The key fob then hashes the challenge with a hidden code and sends it back. The vehicle then verifies the hash and unlocks.
2. Add a few bytes of memory. So, an internal code is incremented each time the button on the fob is pushed. This internal code is added to the hidden hash code, so a different code is transmitted each time. The car verifies the code, including a look-ahead in case the button was pushed without the car receiving it.
If designed in, either solution costs less than $1, but will be much more expensive to add to current cars and key fobs.
Re: (Score:2)
Come on, you know that the car manufacturers can't reach the incredible sofistication of the NES CIC lockout chip
Re: (Score:2)
Even the standards for that already exist. HOTP (RFC 4226) would serve nicely. Or TOTP for higher reliability and better multi-key support. But these people could obviously not even be bothered to do some minimal research. They probably designed their approach in 5 minutes at the water-cooler.
Re:Programming Code (Score:5, Funny)
But it happened at the WATER COOLER! That means it's the BEST SOLUTION because it was done face to face in an office setting!
Re: (Score:2)
Indeed. That fundamentally superior approach MUST obviously yield the BEST results EVER!
Re:Programming Code (Score:5, Informative)
Yes, it is irresponsible how car companies, Hyundai in particular, have deployed this technology without even rudimentary adversarial testing.
The solution isn't even that hard: The key fob just has to be designed so it doesn't send the same code each time.
There are several ways to do this:
1. Add a receiver so communication is two-way. The key fob sends a code. The car answers with a challenge. The key fob then hashes the challenge with a hidden code and sends it back. The vehicle then verifies the hash and unlocks.
2. Add a few bytes of memory. So, an internal code is incremented each time the button on the fob is pushed. This internal code is added to the hidden hash code, so a different code is transmitted each time. The car verifies the code, including a look-ahead in case the button was pushed without the car receiving it.
If designed in, either solution costs less than $1, but will be much more expensive to add to current cars and key fobs.
You clearly haven't stopped and looked at how the attacks work. For the first level attack, which has been around for years, they carry an amplifier which magnifies the signals in both directions.
The communication is two way, the car does talk to the real remote, it's just sitting on the kitchen bench instead of being in the vicinity of the car. Both of your suggestions won't work to address this attack, it doesn't matter how complex you make the encryption, hashes etc. none of it is going to help. The fix has to be hardware based, either timing or using a non-RF communication method such as electromagnetic coupling.
The limit to the amplifier attack is that you can't travel very far with the car. You can rummage through the car easily but it will lose signal and stop as you drive down the road.
The newer attack uses an emulator to mimic the original key to allow them to drive away.
The attacked vehicles use a hardware chip that implements the TI DST80 cipher, this is an implementation of the widely used Feistel cipher and it includes a key rotation system similar to the one you proposed. There is an issue with the implementation that allows side channel attacks, however the true implementation issue is that the car companies didn't use the full key range when programming the chips. The emulators almost certainly use a lookup table which monitors the amplified signal for a few rounds to determine which encryption key is in use for the car in question, this allows very rapid cloning of the key.
The fix for this is just for the car companies to properly generate an encryption key using the full range of bits, that will make the space too large for a lookup table and prevent the attack. Car companies have almost certainly done this, and the reprogramming recall is probably the dealers reprograming the car and fobs to use a new key that sits on the full range.
Of course this just addresses the existing attacks, new ones could be developed. Possibly the attack drops a device in the bushes near the house that relays the radio signal across the mobile phone network to a device the attacker carries in the car. Sadly the nature of RF makes the possibilities almost endless, car companies will just be attempting to make the difficulty of the attack high enough to make it no longer profitable for the thieves. Much like immobilizer equipped vehicles are stealable but the effort makes it typically not worthwhile.
Re: (Score:3)
Hardly an unsolved problem, if this was done competently.
Re: Programming Code (Score:3)
After all that you suggested something that is not a solution. They laid out clearly they are already employing a strategy that can work equivalent to your solution, but the problem is the authenticator is always on and always ready and willing to answer any challenge.
The fundamental problem is that they verbatim retransmit packets between the car and the authorized key fob. The emulator problem is due to picking a stupidly small key space, for some reason. The emulator portion can and in some cars is bei
Re: (Score:2)
-Time the challenge response to such right tolerances that the fob must be physically within 2 meters, and relay equipment has no hope of getting the answer in time.
In the US, we use yards instead of meters so that won't work here.
Re:Programming Code (Score:5, Interesting)
You clearly haven't stopped and looked at how the attacks work. For the first level attack, which has been around for years, they carry an amplifier which magnifies the signals in both directions.
I have been personally involved in R&D to address exactly this relay attack more than 20 years ago. Car industry has been aware of that problem for all that time, but ultimately decided not to give a shit. Yes, you can avoid the relay attack very effectively by measuring signal runtime between car and key: no relay can possibly beat light speed.
Yes, it would have cost some extra money to build this into a car key, and in the end their calculation was: people won't care. So here we are: some folks make a rabble about increased car theft, but it's a small minority which won't affect sales.
The attacked vehicles use a hardware chip that implements the TI DST80 cipher, this is an implementation of the widely used Feistel cipher and it includes a key rotation system similar to the one you proposed.
Devious me uses an evil piece of software, which emulates the SSH protocol 100%. *Evil grin* will this give me access to all servers in this world?
There is an issue with the implementation that allows side channel attacks, however the true implementation issue is that the car companies didn't use the full key range when programming the chips.
Ah, here we go! I can't perform my evil SSH hack, because server operators don't restrict themselves to 3 character passwords and 16 bit private keys.
I had this discussion with a car key maker some 20 years ago: "We use 128 but keys, they're uncrackable!" - "How do you generate the initial random numbers?" - "We use a 16 bit timer from the micro controller" - "But then you have 16 bit keys ... ?" - "No, we take this 16 bit number and run it through an 128 bit hash, so we have 128 bits" - "No, you have 16 bits of real randomness" - "We checked the 128 bit hashes and they're nicely spread out, so we're good"
I kid you not, they really thought they had a good solution here, and I am quite sure these systems shipped as is for more than one large reputable car maker. Looking at that I am not surprised one bit, that car keys are as easy to crack as they are, and given how long this has been going on: don't expect change soon. You do realize, that car makers don't exactly frown, if their cars disappear and are replaced by new ones ....
Generating a large key from a small key (Score:5, Interesting)
There's a certain class of Sega arcade games that have the code in ROMs encrypted using an 8KiB (yes, 8192 byte) key. The key is stored in battery-backed RAM inside the CPU, with anti-tamper measures that will erase it if you try to exfiltrate it.
That would be virtually impossible to crack. However, they generated the keys with a linear pseudo-random number generator with a 24-bit seed. If that isn't bad enough by itself, they usually used the build date in YYMMDD binary coded decimal as the seed.
Since you know that the first few instructions at the reset vector are going to disable interrupts and start initialising hardware, you can just try decrypting the first 16 bytes of ROM code with every possible 24-bit seed, and print candidates that give plausible sequences of instructions. Then you look for candidates that look like dates around the right time and try them first.
What should have been almost unbreakable security became trivially cracked due to flawed key generation.
Re: (Score:2)
The limit to the amplifier attack is that you can't travel very far with the car. You can rummage through the car easily but it will lose signal and stop as you drive down the road.
That's not the case with most cars, at least not in Europe. They won't stop because that would be dangerous, if say the battery in the fob died during a trip and the car decided to come to a halt on the motorway, or on train tracks.
One other mitigation you didn't mention is to put an accelerometer in the fob. If it hasn't moved for a minute, disable it. That will prevent thefts that take place at night with the key inside the house.
Re: (Score:2)
Re: (Score:2)
My car starts honking and flashing very quickly if the fob isn't in the vehicle. It will still drive but it's going to get a LOT of attention.
Re: (Score:2)
The communication is two way, the car does talk to the real remote, it's just sitting on the kitchen bench instead of being in the vicinity of the car.
Why would the key respond, or even be listening, if the button isn't depressed?
Re: Programming Code (Score:2)
Because they market the ability to leave the key fob in your pocket at all times. So the fob is constantly ready and willing to answer challenges. Most car models in the last decade are "no button press needed".
Re: (Score:2)
Sometimes security through better hardware is the way to go. There's no software-based attack that will be effective if the key fob isn't powered on.
The counter to any relay attack is to put accelerometers in the fob. When it stops moving for a few minutes, it powers down. When the owner picks it up, it wakes up.
Re: (Score:2)
Though even that would be limited. For example, I am walking around inside and it's in my pocket. The accelerometer *still* drives it to stay on. It would mitigate, by handling the "it's in a drawer" or "it's on my purse on the counter" scenarios, but folks don't always do that.
An answer would be expiring the challenge within 15ns, in which case relay attacks can't overcome the speed of light. This might have to be 15ns over a very tight deterministic fixed interval, but ultimately there would need to be n
Re: (Score:2)
I love how you proclaim to be an expert with a solution, and yet your solution and your understanding of the problem would be shown as irrelevant with a rudimentary Google search.
I think people like you were the ones who designed these security systems in the first place.
Re: Programming Code (Score:2)
Yeh, your solution doesnâ(TM)t work, because thatâ(TM)s not how the thieves are breaking in. When the key fob is in your house, theyâ(TM)re picking up the RF signal your car sends and retransmitting it in the direction of the house. Theyâ(TM)re then using a more sensitive radio than the car to pick up the fobâ(TM)s response, and retransmitting it to the car.
Re: (Score:2)
Indeed. And qualification requirements and liability. The half-assing has gone far too long and it is doing too much damage. The very reason for electrical codes, plumbing codes, etc. is that not doing it right is "cheap" in short term, but is a lot more expensive in the end than doing it right from the start.
Re: Programming Code (Score:3)
Re: (Score:2)
Re: (Score:2)
Except i can copy your key with a phtograph from any smart phone. Phiscial keys have dozens of easy ways to bypass them. That is why car thefts have dropped like a rock when fobs came on the scene. the fobs prevent easy theft when done correctly.
As for no one caring about correct implenmentation insurance companies care. And are charging higher rates to owners of bad cars because of it that lowers their resale, lowers their overall sales and takes 15 years to dig out of.
Re: (Score:2)
You'd be surprised how much security is present in a simple key. Once had trouble starting my 1995 volkswagen polo. Garage told me to wipe the key clean. Apparently it transmits a digital code as well when you start the car. If it is nog recognized, the car starts and then stalls the engine.
Our anc
Re: (Score:2)
What's the cost of your special key vs just doing security properly on a wireless fob which is also preferred by most buyers?
Re: (Score:2)
i can copy your key with a phtograph from any smart phone.
Yes, but you can't copy the immo code that way, which is why key+immo is pretty good security as long as the immo is in the pcm, and the pcm is hard to get to. Like on an A8 where it's under the hood in a plastic box. Then you have to raise the hood to swap the PCM in order to swap the immo out. Supposedly though the immo system on our Sprinter (which has an external security module) can be bypassed with a piece of wire to jump a relay, from inside the vehicle. Whoops!
Re: (Score:2)
Re: (Score:2)
https://www.youtube.com/@lockp... [youtube.com]
Of course, he never did any cars!
The dude seems legit at first glance.
I seem to remember that at some point car manufacturers put a device that would insure the "key" was still in place after you started the car so you had to come up with a setup that would make that device think it's still there after you picked the lock.
Re: (Score:2)
Lol, and that device connects to a physical switch you can turn with a screwdriver.
Re: (Score:2)
It's long past time that companies can be allowed to just dump new tech out there without sufficient testing to ensure it is safe, reliable and does what it is intended to do without any unexpected side effects. The same way we regulate drugs.
At the risk of going off topic, nothing is absolutely safe. There are always tradeoffs between time-to-market, safety, cost, and functionality. I can make a perfectly secure car but it'll be powered off, encased in lead, and launched towards Alpha Centuri at near the speed of light.
Given the glacial pace new drugs get released, I'm pretty sure we don't want to regulate car keys the same way we regulate drugs. Do you really want it to take 10 years to update the OTA protocols between a car and a fob? Do you
I was totally fine just having a remote (Score:4)
Re:I was totally fine just having a remote (Score:5, Insightful)
I was totally fine just having a physical key to unlock my vehicle. Stick the key in the door, turn it, and boom you're unlocked. Get in the car, stick the key into the ignition, turn it, and drive away...
Re: (Score:3)
But what if I want to use my car when I'm not physically present?!
Oh, wait...
(Someone will be along in a moment to justify restoring the previously near-totally-solved problem of vehicle theft because they want to remotely turn on a seat warmer on a cold morning or something.)
Re: (Score:3)
I was totally fine just having a physical key to unlock my vehicle. Stick the key in the door, turn it, and boom you're unlocked. Get in the car, stick the key into the ignition, turn it, and drive away...
Me too. In fact I'm fine with both my 2001 Honda Civic EX and 2002 Honda CR-V EX having physical keys for the doors and ignition. I never carry the door fobs and, in the 20+ years, have rarely used them except maybe if I have to run out from the house to the car in heavy rain. Given the increasing propensity for only key-less entry/ignition in new cars, I'd pay extra to get physical keys installed for the doors and ignition instead in any new car I may eventually get, but that will probably never be an op
Re: (Score:2)
It's no use to you so it's no use to anyone.
I was able to talk to other people just fine on my rotary phone. I don't know why we needed all those buttons that made it easier to call the wrong person.
Re: (Score:3)
Except well, they sucked.
The locks used are the lowest quality lock you can get on the market. They are wafer locks - which are generally considered to be very weak locks - useful only for the locks in say, your desk drawer. Yes, your car and your desk drawer use the same quality of lock.
Your house, using p
Re: (Score:2)
When you have multiple kids to handle, just being able to push a button is actually quite nice.
Re: (Score:3)
I actually prefer the middle road. My car can be remotely locked and unlocked (which is great when it's raining, for example) but requires the physical key in the ignition to start.
Re: (Score:2)
My car has a spot to put the key fob as a last resort if the wireless breaks. You could just as easily have an optional car setting to require the key fob be in place.
Re: (Score:2)
I was totally fine just having a physical key to unlock my vehicle. Stick the key in the door, turn it, and boom you're unlocked. Get in the car, stick the key into the ignition, turn it, and drive away...
In colder climates a frozen lock could easily give you five or even ten minutes of frustration. Remember door lock de-icers? They came in a range of types, and with remotes the need for them thankfully disappeared. I'm quite happy to have left physical keys behind.
Re: (Score:3)
I can unlock my car remotely as mentioned a little higher up. Doesn't help when the DOOR HANDLE has frozen, or the door itself has frozen tight to the doorframe.
Re: (Score:2)
I can unlock my car remotely as mentioned a little higher up. Doesn't help when the DOOR HANDLE has frozen, or the door itself has frozen tight to the doorframe.
Yeah, even in the old days I had many more issues with frozen handles and doors than I ever had with frozen keyholes (although I do remember that happening once or twice too).
Re: (Score:2)
Car Manufacturers making excuses (Score:2)
Re:Car Manufacturers making excuses (Score:4, Interesting)
The rot sits deeper: Obviously, these keys could have been made reasonably secure. But that costs money and you need actual experts in that field. They probably just asked their own EEs do design "something" that then could be sold as "smart". Essentially the time-honored combination of greed, arrogance and incompetence at work.
Need physical barrier to theft (Score:2)
At this point if you have to leave a car outside for any reason, it seems like you would be smart to physical disable the ability of the car to function.
Maybe that means pulling out all the spark plug connections just enough so they look in place but do nothing.
Maybe it means taking the battery inside with you (heavy but what thief is going to randomly carry a battery with them)? Also a downside is probably some modern cars would go insane being without power more than a few minutes.
Or maybe it means booti
Re: Need physical barrier to theft (Score:2)
Iâ(TM)ve got insurance. Thatâ(TM)s good enough defense for me; thereâ(TM)s a facelift model of my car coming out this year, so I wouldnâ(TM)t mind if mine was stolen.
Then again, Audis have slightly better tech than Hyundais do, so I may just be out of luck!
Re: (Score:2)
IÃ(TM)ve got insurance. ThatÃ(TM)s good enough defense for me
That philosophy only makes sense if your time has no value.
Re: (Score:2)
Re: (Score:2)
Maybe a cutoff rocker/toggle switch under the dash between the Start button and control circuit.
Re: Need physical barrier to theft (Score:2)
I assume if you pull a fuse, you can get the same functionality.
Re: (Score:2)
Yes, but consider your own convenience. Do you really want to have to open an electrical box, possibly under the hood, to start your car every time, then remember to remove it when you're done, or just flip a switch hidden somewhere?
If the thief has to go looking for your hidden switch, they're likely to just abandon your vehicle and try the one two doors down.
Re: (Score:2)
Why bother? If the car is smart enough to have wireless entry it's smart enough to have GPS and an active internet connection to tell people where it is at all times. At this point modern high tech cars are more honeypots for law enforcement agencies than a risk.
Of course that would require the Met to actually do something.
Re: (Score:2)
Of course that would require the Met to actually do something.
I have to laugh, as this was my exact thought while reading your first paragraph.
The use of repeaters and other such fun things indicates that these are sophisticated car thieves. They probably steal a couple cars a day. IE busting one ring could reduce car theft for the nation noticeably. But they can't be arsed to do so.
Re: (Score:2)
My last car had a steering wheel lock mechanism where a bolt dropped into place in the steering column and stayed there until the proper physical key was used to turn on the car.
And then it turns out that mechanism fails after about 35k miles leaving countless owners with an unwarranted $1200 fix. After revisions A-D, they finally gave up and the revision E cars didn't have the security bolt.
I got them to pay for it twice and ate the $1200 once then dumped the car.
"Smart" is the new "dumb".... (Score:5, Insightful)
It seems to be rare for anything "smart" to be actually done halfway competent these days.
Re: (Score:2)
Exactly. KISS (Keep it simple) is and will remain the key overriding principle for all secure, reliable and safe engineering. Apparently keeping it simple is too difficult for most people though. "Smart" is only a good idea if it has significant advantages over the conventional solution and reaches at the very least the same levels of security and safety.
Give Me A Dumb Key (Score:2)
Re: (Score:2)
How about that? With the antitheft device/chip in the key. Those seemed to work quite well. Oh but then you wouldn't be able to push button. So sad.
No mod points, but this is the solution. I have an old vehicle and I have no desire ever to buy new again. The last new car I bought was in 1998 and the transmission failed after 270000 miles (~40000km).
Since then, I buy used, my latest one, the local gas station rebuilt the engine and I got it for less than 10% of the price of a new car. If it lasts 10 years (had it for 5), I make out great. So far no major issues.
And yes, it has the type of key you describe plus it has a manual transmission, so I doub
The Club is back! (Score:3)
The Club [amazon.com] is back, baby, just like it's 1985 again!
The more things change... (Score:2)
...the more they stay the same.
Get the Club!
https://www.youtube.com/watch?... [youtube.com]
The only smart part is the replacement cost. (Score:2)
My guess is that at least half the reason car manufacturers deliver super "smart" keys is so that they can force you to pay their excessive fees to get replacement or reprogramming. Having the keys actually work for the task is probably secondary or tertiary on their priority list.
Let's just get it working. (Score:5, Insightful)
Happy with my d.a. start (Score:2)
I wonder how much it would cost to retrofit a phys (Score:2)
And then retrofit a physical key into the ignition circuit of the vehicle? Most of the car thieves are too young to have ever needed to pick a lock or hotwire a car so you could create a situation of security through obsolescence.
Re: (Score:2)
Or maybe newer cars shouldn't use ranged wireless technology at all. Would it be the worst thing in the world to have to press an electronic key against a contact plate? That would be a hell of a lot more difficult to intercept and still be more convenient than a mechanical lock that can be damaged by water and ice exposure over time. Put a little cubby hole in the dash to dump the key in for driving.
smart vs small vs cheap (Score:2)
The trouble with smart keys for my car:
1. Too big to fit in my pocket.
2. Costs $300 to replace.
My other car has a dumb key. No one has tried to steal it in the past 17 years, even though it is one of the most popular models among the stealing set.
Instead of smart keys, we need smart legislators who will put car thieves in prison and keep them there.
Faraday pouch (Score:3)
I started using a Faraday pouch in my pocket long ago because I knew this day was coming. This security vulnerability was demonstrated years ago but it never got attention of the media until these devices became available on the dark web and cars actually started disappearing off the streets. The insurance industry has since finally woken up and so will be your insurance rate.
I bought a Faraday pouch and trimmed it down so it fits neatly in my pocket where i drop my keyfob into it and have a chain connecting to my other keys. Its easy to extract and put back in the pouch when not in use. The only time it is actually exposed and its signal able to be intercepted is when I am driving. They would have to follow me around until I park someplace, or intercept the signal there using a yagi antenna setup, and then steal the car. They would have to be very dedicated to stealing my specific car to pull it off, and this would not be worth it with so many other cars on the road just like mine that are more much more vulnerable.
The Faraday pouch is cheap enough, you just need to remember that your door is not opening for you by grabbing the handle until you fish out your keyfob. It makes it more of a pain to open the trunk when carrying groceries but that is the price of convenience. Walking out into a parking lot with no car to be found is a lot less convenient. A pouch is a good investment.
Re: (Score:2)
Because key locks are a mysterious, arcane artifact.
That is certainly one aspect. The other may be "They want HOW MUCH for a pen-test???" and then the semi-idiot in charge of the keys would have to report they are after all not that cheap and easy to make. Hence that test (or any other type of competent security evaluation) does not happen. With predictable results.
Re: (Score:2)
Security doesn't even factor into i. It's not even an after-thought.
Yeah, except for the whole implementing encryption thing with rotating key signals, standard use of unbalanced Feistel ciphers in all the cars being discussed.
What next? You're going to claim the inventor of the SHA-1 hash and every software which used it over the years was an idiot who didn't think about security even as an afterthought simply because that one is broken too? Could you be any more clueless?