Keeping Your Car Safe from Electronic Thieves

  • The article is unfortunately something that's been happening in Europe for some time. It's just now that the tooling and toys are starting to become prevalent in the US. Europe has the "advantage" of being able to simply drive a car to its ultimate destination in Africa or Russia, and getting cars out of England doesn't require much more effort.

    "How much worse could it be in Europe?"

    Last month, Range Rovers in posh areas of London were being stolen so often that police were instructed to pull over any Range Rover in the vicinity to confirm it was being driven by its owner, the paper reported—which seems to be an extraordinary measure.

    It’s problematic enough that Scotland Yard has published bulletins on it, and has a website about the kinds of thefts and how to prevent them: http://content.met.police.uk/Site/keylessvehicletheft

    For those a bit more interested in the topic, The Sunday Times did a neat overview: http://www.driving.co.uk/car-clinic/six-ways-thieves-can-bre...

  • For those of you not in the loop, these "keyless" systems let you walk up to your car and open your door without getting your key out of your pocket. There is a proximity sensor under the door handle (similar to the proximity sensor on your smartphone). When the proximity sensor is triggered, it searches for a nearby key fob and then instantly unlocks. You can also usually start the car (with a push-button start) without getting out the key. And you can lock the doors (from outside the car) by pressing a button on or near the door handle with the fob in proximity. Basically, you never have to get your keys out for any reason.

    Anyway, fortunately, I can never find street parking near my apartment for my Prius anyway. But I'm still going to find a small faraday cage I can leave by my bed to put my keys in before I go to sleep...

  • I'm not quite satisfied with the explanation in the article -- maybe someone with radio signal experience can help me out?

    Assuming that the unlock is accomplished over 2-way communication (car calls to key, key responds), I can understand how an amplifier could boost the car signal to a key that was far away, but how does it boost the key's response to accomplish the second half of the process?

  • A different type of problem with electronic keys, mainly for motorcyclists, is if you have the key lying nearby in, say, a garage, hop on and ride off (there are some bikes with keyless start), you just stranded yourself wherever you end up shutting the ignition off.

    Harder to do with a car unless you forgot your keys and someone playing a joke on you had an amplifier near your car.

  • This is a case when I'd literally like an SSH2 key for my car. With time-proven code, perfect forward security, proof against replay attacks, and so on.

    Could be a small but lucrative business!

  • Does the freezer really act like a Faraday cage?

    Quick Google search suggests it isn't really effective:

    http://mentalfloss.com/article/51597/does-refrigerator-make-...

  • Fixing this issue would probably only happen in newer models of vehicles... the keys for existing cars don't often change, and I'm not sure a recall would ever be issued for something like this.

    Here's another article from four years back; the tactic is likely older than that: https://news.ycombinator.com/item?id=2079289

  • I am not a hardware dev but I think this attack could be defeated by having the car measure the amount of time the key takes to respond to the call outs. If it takes more time than it should for the signal to travel a few feet, then it shouldn't unlock. If they embraced this method then existing cars could be protected with a software update instead of new hardware.

  • So only cars that "self unlock" are affected right?

    If you have remote but no self-unlock it should be okay, for now.

    Toyota has a way to turn on and off certain features from the lock system by reprogramming using a pattern of opening and closing the driver door and inserting/removing the key. Same way you add/remove fobs.

    So it might be possible to turn off self-unlock. You'd have to find the dealer manual though.

    added, or google it: http://thepoch.com/2013/automatic-door-locking-and-unlocking...

    http://www.toyota.com/t3Portal/document/om/OM33856U/pdf/sec_...

  • Oh if only they had read Wikipedia...

    https://en.wikipedia.org/wiki/Distance-bounding_protocol

    Apparently a solution was available in 2010.
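
The timing check suggested in the comments above (reject a key that takes too long to answer) is what a distance-bounding protocol formalises. The following is an added example, not code from the thread or from any manufacturer: a Python simulation in the style of Hancke and Kuhn's protocol, showing a relayed fob that answers every challenge correctly yet is rejected on round-trip time. The shared key, the 2 m radius, the 2 ns fob turnaround and the simulated clock are assumptions; a real verifier needs timing hardware with nanosecond resolution.

```python
import hashlib
import hmac
import secrets

C = 299_792_458.0   # speed of light in m/s
MAX_DIST_M = 2.0    # assumed unlock radius (constructed value)
PROC_NS = 2.0       # assumed fixed fob turnaround per bit, in ns (constructed value)
ROUNDS = 32         # number of timed single-bit challenges

def registers(key, nonce_car, nonce_fob):
    """Derive the two response registers from the shared key and both nonces."""
    digest = hmac.new(key, nonce_car + nonce_fob, hashlib.sha256).digest()
    bits = [(byte >> i) & 1 for byte in digest for i in range(8)]
    return bits[:ROUNDS], bits[ROUNDS:2 * ROUNDS]

class Fob:
    """Key fob holding the shared secret; answers each bit with a table lookup."""
    def __init__(self, key):
        self.key = key

    def start(self, nonce_car):
        self.nonce = secrets.token_bytes(16)
        self.r0, self.r1 = registers(self.key, nonce_car, self.nonce)
        return self.nonce

    def respond(self, i, challenge_bit):
        return self.r1[i] if challenge_bit else self.r0[i]

def rtt_ns(distance_m, relay_ns=0.0):
    """Simulated round trip: propagation both ways, fob turnaround, relay latency."""
    return 2 * distance_m / C * 1e9 + PROC_NS + relay_ns

def car_unlock(key, fob, distance_m, relay_ns=0.0):
    """Car side: every response bit must be correct AND arrive within the time limit."""
    nonce_car = secrets.token_bytes(16)
    r0, r1 = registers(key, nonce_car, fob.start(nonce_car))
    limit_ns = 2 * MAX_DIST_M / C * 1e9 + PROC_NS
    for i in range(ROUNDS):
        c = secrets.randbits(1)
        answer = fob.respond(i, c)            # a relay forwards this unchanged
        elapsed = rtt_ns(distance_m, relay_ns)
        if answer != (r1[i] if c else r0[i]):
            return "reject: wrong response"
        if elapsed > limit_ns:
            return "reject: too slow"
    return "unlock"

if __name__ == "__main__":
    k = secrets.token_bytes(16)
    print(car_unlock(k, Fob(k), 1.0))     # fob in the owner's pocket
    print(car_unlock(k, Fob(k), 50.0))    # fob indoors, signal relayed
```

Even a relay with zero added latency fails at 50 m, because propagation delay alone exceeds the limit; the cryptographic answers are never the problem.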

  • Free version: https://archive.today/WyCdu

    This is why I despair at all these new keyless cars. I would pay money to have a normal key over one of those, because it's more secure.

    Also, one huge reason I would never want a keyless car: I can't check if it's locked before I walk off; I just have to trust that it will lock once I'm far enough away and before someone else jumps into it and drives off.

  • Convenience and radio waves will be the death of us all. Why do car companies not have expert security and RF guys on staff? This is so predictable.

  • I always check my car doors are locked before walking away, even though I have a more conventional remote central locking system. For the last few years in South Africa, crooks have been using things like garage door openers to block the signals of remotes. Once the driver walks away from the car they steal its contents.

  • And this is why I'll get myself a VW T4 again once I have the cash. Unlike T5, easily repairable by yourself and not much electronic bullshit that is vulnerable to hacking or just general wear (I'm looking at you, Renault).

    Only thing I'm gonna add is a Raspberry Pi for general monitoring, webcam and a 3G uplink with GPS.

  • Cocktail shaker would be a good alternative to a freezer.

    http://thelede.blogs.nytimes.com/2013/06/25/why-snowdens-vis...

  • The one about the BMWs was a flaw where you could access the Obc port and get the car to program itself a new key. In the 1 series there is an alarm dead spot where the Obc port is. So the thieves would cut the glass, insert a cable, program a blank key and then open the door and drive away.

  • I find it very funny that for such expensive cars there are no security considerations.

    I hope to god those contactless credit cards can't be just cloned with a long range RFID reader or else this is gonna be a very funny few years.

  • I wonder how many combinations they use. For old school keys there was always a small chance the key would work in a different car. Would be a pain if you shared a combo with a nearby neighbor.

  • There’s one place already selling “military spec” faraday cages for this exact purpose: http://www.carkeycage.com

  • I remember someone around 2001 describing vulnerabilities in keyless entry to me. It sounded technically feasible, but I was surprised that I never read about it or heard about it happening to anyone. I guess I wasn't reading Jalopnik, but you'd think that this would have gotten more attention earlier.

    Who knows, maybe I'm just not paying attention.

  • Ok so this allows them to unlock the car, maybe start it, though the article doesn't really get into that, but then what? After they drive beyond the range of the amplified key transceiver?

  • So this is basically a MITM attack. When is TLS coming to car keys?

  • I can see the high frequency signal being boosted, but how is the low frequency response from the key being boosted back to the car, as it can usually only go a few inches?

  • I know people who have rewired some fundamental part of the car like the fuel pump or something like that. There is a combination of the car buttons that must be pressed to start the car; if not, you may start it but the engine will stop after some minutes. It must be done by someone that knows electronics, but doesn't seem that difficult to implement (although probably expensive), and it's very hard to detect and avoid by thieves if done properly.

  • This opens a new era in the car-sharing business!

  • You need key party mode where you can have the key populate itself with (old) callbacks of other cars, and the key urn can be a triangulating honeypot and general alert to when your model has new vulns (locksmith key mode choice timeout attack...) out. Or yes, a reed switch with alternate magnetic circuits to latch onto. Or the cocktail shakers that are good Faraday cages.

  • I wonder if the Apple Pay system is vulnerable to a similar attack?