[HN Gopher] Hackers Can Clone Millions of Toyota, Hyundai, and K...
       ___________________________________________________________________
        
       Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys
        
       Author : elorant
       Score  : 71 points
       Date   : 2020-03-06 17:09 UTC (1 day ago)
        
 (HTM) web link (www.wired.com)
 (TXT) w3m dump (www.wired.com)
        
       | jaclaz wrote:
       | Garcia is a professor at the UNI of Birmingham; he already made a
       | paper on a similar topic that in 2012 was blocked by a court:
       | 
       | https://www.theguardian.com/technology/2013/jul/26/scientist...
        
       | amluto wrote:
       | IMO this is what class action lawsuits are for.
        
       | cosmodisk wrote:
       | Ceo's BMW X5 was stolen last year. He watched the CCTV later
       | on. The guy came to the car with a laptop and drove away after a
       | minute or so. Police found the car dumped somewhere on a road, as
       | the car ran out of fuel and apparently it had some security
       | feature that prevented the thieves from refuelling it.
        
         | ryanlol wrote:
         | Sounds like you're describing a range extender attack on the
         | keyless start. Almost (I don't know any that aren't) all cars
         | with the feature are vulnerable to this.
        
           | ohmaigad wrote:
           | Latest BMW, Audi, VW and Ford (or at least some models from
           | these manufacturers) key fobs stop transmitting after X
           | amount of time (based on motion).
        
       | maxerickson wrote:
       | Can they do Honda, please?
        
       | aluminussoma wrote:
       | My reaction: Great! Reproducing these keys costs hundreds of
       | dollars and a trip to the dealer. Maybe it can finally be
       | affordable again.
       | 
       | I'm less concerned about someone stealing my car. The local
       | police department takes it seriously, no less because stolen cars
       | are used to commit other crimes.
        
         | gambiting wrote:
         | Wait, what are you advocating? Return to keys without an
         | immobiliser??? You do realise that that's the feature that has
         | single-handedly destroyed car theft that was so rampant by the
         | 90s? That is what made cars so difficult to steal, but also
         | what makes keys cost what they do and require an approved
         | dealer to code the keys. Return to the old keys where you only
         | had the key and nothing else would be......crazy, really.
        
           | Dylan16807 wrote:
           | Yeah, if they're overcharging then it would probably be
           | better to go after that directly. It doesn't need to cost
           | more than $20.
        
       | notlukesky wrote:
       | The essential problem is that static credentials are transmitted
       | and can be copied. If they used a randomly generated code to
       | unlock the cars (needs to be generated offline) then that would
       | solve this issue.
       | 
       | There are plenty of offline hardware based solutions already on
       | the market especially for unlocking computers with MFA. It needs
       | to be offline generation for computers for NIST DFARS 800-171
       | compliance.
        
         | _iyig wrote:
         | >The essential problem is that static credentials are
         | transmitted and can be copied. If they used a randomly
         | generated code to unlock the cars (needs to be generated
         | offline) then that would solve this issue.
         | 
         | Not necessarily. Relay attacks are very hard to defeat,
         | regardless of your crypto scheme:
         | 
         | https://www.wired.com/2017/04/just-pair-11-radio-gadgets-can...
        
         | forkexec wrote:
         | It should be a construction approximately: first DHE and then
         | the car challenging the fob to MAC a unique message.
         | Exponential backoff after every failed attempt for that token
         | (fob).
        
           | nym375 wrote:
           | Exponential backoff could DoS someone from opening their own
           | car.
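The construction forkexec sketches (car challenges the fob, fob MACs the challenge, exponential backoff per token) and the lockout concern nym375 raises, as an added Python model that is not from the thread or from any car maker's code. The DHE key-agreement step is left out; the fob id, the per-fob secret and the "start|" message layout are constructed assumptions.

```python
import hashlib
import hmac
import os


class Car:
    """Immobilizer side of a challenge-response start protocol (hypothetical model).

    The car never accepts a credential it did not challenge: every start attempt
    gets a fresh random nonce and the fob must MAC it with the shared secret.
    Failed attempts for a fob id trigger exponential backoff on that id.
    """

    MAX_LOCKOUT = 3600  # seconds; cap on the backoff

    def __init__(self, fob_keys):
        self.fob_keys = dict(fob_keys)  # fob_id -> shared secret (constructed)
        self.pending = {}               # fob_id -> nonce awaiting a response
        self.failures = {}              # fob_id -> consecutive failures
        self.locked_until = {}          # fob_id -> time before which attempts are refused

    def challenge(self, fob_id, now):
        """Issue a fresh nonce, or None if the fob id is still in backoff."""
        if now < self.locked_until.get(fob_id, 0):
            return None
        nonce = os.urandom(16)
        self.pending[fob_id] = nonce
        return nonce

    def verify(self, fob_id, response, now):
        """Check the fob's MAC over the outstanding nonce and count failures."""
        nonce = self.pending.pop(fob_id, None)
        key = self.fob_keys.get(fob_id)
        if nonce is None or key is None or now < self.locked_until.get(fob_id, 0):
            return False
        expected = hmac.new(key, b"start|" + fob_id + b"|" + nonce, hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            self.failures[fob_id] = 0
            return True
        n = self.failures.get(fob_id, 0) + 1
        self.failures[fob_id] = n
        self.locked_until[fob_id] = now + min(2 ** n, self.MAX_LOCKOUT)
        return False


class Fob:
    def __init__(self, fob_id, key):
        self.fob_id, self.key = fob_id, key

    def respond(self, nonce):
        return hmac.new(self.key, b"start|" + self.fob_id + b"|" + nonce, hashlib.sha256).digest()


FOB_ID = b"fob-0001"       # constructed identifier
SECRET = os.urandom(32)    # per-fob secret provisioned at manufacture (constructed)


def replay_is_useless():
    """A response recorded from a genuine start does not open a later session."""
    car, fob = Car({FOB_ID: SECRET}), Fob(FOB_ID, SECRET)
    nonce = car.challenge(FOB_ID, now=0)
    recorded = fob.respond(nonce)
    genuine_ok = car.verify(FOB_ID, recorded, now=0)
    car.challenge(FOB_ID, now=1)              # new session, new nonce
    replay_ok = car.verify(FOB_ID, recorded, now=1)
    return genuine_ok, replay_ok


def backoff_locks_out_owner():
    """Junk responses tagged with the victim's fob id push the backoff up until
    the real fob is refused as well: the denial-of-service nym375 points out."""
    car = Car({FOB_ID: SECRET})
    t = 0
    for _ in range(3):                        # retry the moment the backoff expires
        car.challenge(FOB_ID, now=t)
        car.verify(FOB_ID, b"\x00" * 32, now=t)
        t = car.locked_until[FOB_ID]
    lockout = car.locked_until[FOB_ID]        # 2 + 4 + 8 seconds of backoff: 14
    owner_refused = car.challenge(FOB_ID, now=lockout - 1) is None
    return lockout, owner_refused
```

The backoff is keyed on the fob id, which is sent in the clear, so anyone in radio range can drive it up; a deployable design would cap the lockout low, key it on something the attacker cannot choose, or keep the mechanical key as the fallback path.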
        
       | Russtopia wrote:
       | Great! The dealership charges inordinately for a new key so I
       | would love to be able to do it myself.
        
         | 1123581321 wrote:
         | I am married to someone who has lost her keys several times so
         | far. Upgrading from a car with a $50 fob to one with a $200 fob
         | was not fun.
        
           | webninja wrote:
           | https://www.thetileapp.com/en-us/store/tiles/pro
           | 
           | If she loses her keys just once it pays for itself many times
           | over.
        
             | 1123581321 wrote:
             | Yeah, that would have been a good call. Though as noted
             | below, we don't always know generally where they were lost.
             | I'll take a look at the peer-to-peer discovery.
        
             | code_duck wrote:
             | I assume this person must be losing their keys in public or
             | somewhere unknown. Otherwise their house must have quite
             | the bonanza of keys waiting for them.
        
               | jjeaff wrote:
               | Those types of systems like tile work in public as well,
               | they use a network of other users that will inevitably
               | walk by the lost item.
        
               | code_duck wrote:
               | I see, that's interesting and good to know. I thought it
               | was something that only worked in local range.
        
           | gambiting wrote:
           | Key insurance is a thing if this is a legitimate issue for
           | you.
        
             | 1123581321 wrote:
             | I didn't know about this. Any idea how typical premiums
             | run? I may have to start the quote process to find that
             | out.
        
               | gambiting wrote:
               | I had mine on a 3 year policy for about £100; it would
               | cover up to 3 replacements in that time. Made sense as
               | the key was about £400, but I never ended up using it.
        
       | neuralRiot wrote:
       | Call me old but what is so great about the smart key? Not having
       | to pull it out of your pocket? I know this is an old rant already
       | but cars have reached the crappyfication curve: when something
       | cannot improve its main purpose anymore it starts adding unneeded
       | features to be able to push a "new" product.
        
         | slovette wrote:
         | I disagree, when you've got 4 kids and both arms full of
         | groceries, when the doors open automatically or even unlock on
         | their own it's a godsend. I'd even say it's probably saved some
         | lives as the kids race to get in and out of the parking lot
         | instead of waiting on me to shuffle around for the keys,
         | dropping bags in the process, and then chasing each other
         | around in blind traffic.
        
           | Krasnol wrote:
           | How much of an inconvenience would it be if your car gets
           | stolen having 4 kids and both arms full of groceries in
           | contrast to placing the bags on the floor for a second?
           | 
           | I have this smart key thingy too and I keep it in one of
           | those RFID pouches. Since I don't have to use the key to
           | start the engine, I feel the whole thing became more of a
           | problem than it was before. You at least always knew where
           | the key is and where to put it. Now it sometimes slides down
           | the seat, or is in my jacket that I wanted to leave in the
           | car or the engine/electric is not on/off because pushing the
           | button does several things. It became an inconvenience and
           | the few times I really used the automatic open feature after
           | deliberately taking the key out of the pouch to profit
           | from it are negligible.
        
           | frandroid wrote:
           | > when you've got 4 arms arms full of groceries
           | 
           | Damnit, speaking of unwanted features...
        
           | Dylan16807 wrote:
           | Isn't the solution to that situation a shopping cart?
        
         | ronnier wrote:
         | Today it's mostly smart keys. Tomorrow it will all be driven
         | from your phone. I can't wait until I never have to carry a key
         | again. This is a stepping stone.
        
         | tialaramex wrote:
         | The keys this article is talking about aren't (necessarily)
         | keys you don't have to "Pull out of your pocket". What's
         | "smart" about them is that the car's immobilizer technology
         | talks to them before agreeing to let the vehicle be driven.
         | 
         | Hence the article says thieves would be able to "hot wire" a
         | car after using this attack. You can't (if manufacturers did
         | their job properly) "hot wire" modern cars like you see in the
         | movies; the computer overseeing things doesn't let it be driven
         | anywhere just because somebody jammed a screwdriver in a hole
         | and taped some wires together.
         | 
         | Keyless entry and keyless ignition are entirely _different_
         | technologies that have a different problem (relay attacks)
         | which has been covered a long time ago and has numerous quite
         | different solutions from this.
         | 
         | _This_ article is about the all-too-common situation where
         | somebody cut too many corners and left themselves open to a
         | pretty easy cryptographic vulnerability. (Some) Car
         | manufacturers did a crap job of making the  "smart" key that
         | disables the immobilizer actually secure, and bad guys can use
         | that to clone such a key and drive off in your car. If they
         | didn't also copy the mechanical shape of the key (which would
         | be more effort) they can smash the lock just as they would have
         | in the 1980s to steal a car. Some of them might even remember
         | stealing cars in the 1980s and not need to learn a new
         | technique.
        
         | aetherspawn wrote:
         | The smart key is literally the best feature in the second hand
         | Lexus I picked up a few years ago.
         | 
         | I no longer have to pry the key out of my jeans, or go looking
         | for it in all my bags when I'm travelling.
        
         | smcnally wrote:
         | I'm with you and not a good representative of the target market
         | for keyless fobs. slovette and aetherspawn give good use cases
         | for some benefits. I still ask how much of a real-world problem
         | to be solved was sticking a physical key into a steering
         | column? What were the stated goals for developing NFC ignition
         | fobs in re drivers, manufacturers, and the automotive
         | industry?(1)
         | 
         | Apart from inevitable consequences like from this article, are
         | benefits outweighing other intended, unintended, and inevitable
         | consequences like these for most people?
         | 
         | - Forgetting car keys more often per new learned behaviors
         | - Fob batteries dying
         | - Replacing lost / broken fobs is more costly in time, money,
         |   and hassle
         | - Leaving fobs in the car more often
         | 
         | (1) Understood keyless entry / alarm / remote starting are
         | clear benefits
        
         | intopieces wrote:
         | Not having the key scratch your smartphone, for one. For
         | another, it just reduces the steps to get you from point A to
         | point B. All these little things add up.
        
           | Dylan16807 wrote:
           | Keys shouldn't be hard enough to scratch phone glass.
        
       | blankobj wrote:
       | I live in the city and it's extremely common for cars to be
       | broken into and/or stolen because of key fobs. It's a common
       | topic on our FB neighborhood group. We store our keys in a
       | Faraday box by the front door now, instead of leaving them out.
       | Not surprised the attack vectors keep growing here.
        
       | unnouinceput wrote:
       | Quote: "By contrast, the cloning attack the Birmingham and KU
       | Leuven researchers developed requires that a thief scan a target
       | key fob with an RFID reader from just an inch or two away."
       | 
       | Story time: Back in 2005/2006 when I worked for Siemens
       | Automotive on Immobilizer feature (was involved in Mazda and Ford
       | projects) I got my hands on the highly secret crypto source...and
       | much to my surprise I've seen they implemented a Vigenere style
       | of cipher. I was astounded by this. Having some crypto background
       | as pet projects on previous years I knew this class of ciphers
       | are at least 1.5 centuries obsolete and they are taught only
       | from historical perspective. Therefore I prepared and called a
       | panel of higher-ups (managers, group leaders and even including
       | the hardware department chief) showing to them that the source
       | code implementation is very dangerous and that for a criminal
       | group to mass steal cars would be very easy. Including telling
       | them exactly what the article is talking about - put an RF
       | recorder under the door handle (how many car owners will check
       | there?), record sessions of radio communications between key fob
       | and the car, analyze that, extract the crypto key and steal the
       | car with a duplicate no more than a week after. Their
       | reply? : "standard in industry call that we also allow mechanical
       | keys to open doors/start the car, so a criminal group can do them
       | as well much easier", and that was the end of that meeting.
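As an added illustration of why a Vigenère-style (repeating-key) cipher is unfit for this job, here is a Python model in the byte-oriented XOR form of the cipher. It is not the Siemens code and not anything from the thread; the key, the protocol header and the session contents are constructed toy values. The point is the one the story turns on: a recorded session whose opening bytes are predictable gives away the whole key.

```python
def vigenere_xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the byte-oriented form of a Vigenere cipher.
    Encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(known_plaintext: bytes, ciphertext: bytes, max_period: int = 32):
    """Recover the repeating key from one known plaintext/ciphertext pair.

    XORing plaintext with ciphertext exposes the keystream directly; the key is
    the shortest period with which that keystream repeats. The known prefix must
    cover at least two key periods so the period is confirmed by repetition
    rather than assumed from a single copy.
    """
    n = min(len(known_plaintext), len(ciphertext))
    stream = vigenere_xor(known_plaintext[:n], ciphertext[:n])
    for period in range(1, max_period + 1):
        if 2 * period > n:
            return None  # not enough known plaintext to confirm this period
        candidate = stream[:period]
        if all(stream[i] == candidate[i % period] for i in range(n)):
            return candidate
    return None


# Constructed toy sessions: a fixed protocol header (predictable to any
# observer) followed by session data. The 8-byte key is a constructed value.
KEY = bytes.fromhex("4a6f1b2ce8d90f31")
HEADER = b"IMMO/1.0 FOB=0001 "          # 18 bytes, more than two key periods
SESSION_1 = HEADER + b"CHAL=9f3a RESP=77c1"
SESSION_2 = HEADER + b"CHAL=0c44 RESP=e2b9"


def recover_key_from_known_header():
    """Recover the key from session 1's predictable header, then read session 2."""
    c1 = vigenere_xor(SESSION_1, KEY)
    c2 = vigenere_xor(SESSION_2, KEY)
    recovered = recover_key(HEADER, c1)
    if recovered is None:
        return None, None
    return recovered, vigenere_xor(c2, recovered)
```

Two recorded sessions are already more than the cipher can survive here; a modern block cipher or MAC does not leak its key under known plaintext at all, which is the property the immobilizer actually needs.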
        
         | tialaramex wrote:
         | Are you sure you aren't misremembering?
         | 
         | DST40
         | https://en.wikipedia.org/wiki/Digital_signature_transponder
         | used in Fords of that period is a Feistel cipher not a Vigenere
         | cipher. Now, I wouldn't choose a Feistel cipher for this
         | problem today but it certainly is not 1.5 centuries obsolete,
         | this type of encryption wasn't even invented until the mid 20th
         | century and a very famous example would be DES.
        
         | optimiz3 wrote:
         | Hopefully that's in writing somewhere for when the lawsuits
         | happen. Financial consequences tend to motivate large companies
         | to change their ways.
        
           | unnouinceput wrote:
           | It's not. Was an internal meeting and around 2008 Siemens
           | also sold its entire Automotive division. Also they are the
           | original inventors of Immobilizer feature back in late 80's,
           | and their code "stood" the test of time. You have no idea how
           | much opposition you get to touch even a line of code in
           | Automotive industry when codebase is a decade old, not to
           | mention an entire feature. So I am not surprised this is now
           | all over the place in all auto-makers.
        
       | robomartin wrote:
       | One related and another unrelated thought...
       | 
       | First: Auto manufacturers ought to get together and agree on one
       | common key + entry system standard. It can be a combination of
       | physical key and remote key if necessary.
       | 
       | The problem: If you have multiple vehicles (and many families do)
       | you end up with a keychain full of horrendously large and
       | unnecessarily inconvenient keys, key-fobs, whatever. Some
       | manufacturers seem intent on making the largest and most
       | inconvenient boxes they can possibly imagine. This is entirely
       | unnecessary. In this day and age one ought to be able to have a
       | universal programmable entry system that gets programmed for your
       | vehicles and that's that. One device to rule them all.
       | 
       | Second: Auto manufacturers ought to get together and agree on
       | placing the fuel tank port on the same side.
       | 
       | The problem: Today you have cars and trucks with fuel tank refill
       | ports on the left and the right. It can be an absolute nightmare
       | to go to a gas station where most of the cars have ports on the
       | left and you show up with one on the right. This is one of the
       | reasons for which I hated driving our BMW. Going to the gas
       | station was always a game of chicken with cars entering in the
       | other direction.
        
         | maxerickson wrote:
         | Phone as fob is more or less here. Probably watches too.
        
         | close04 wrote:
         | > fuel tank port on the same side
         | 
         | I want to believe this is to be able to spread the use around
         | both sides of the pump without pulling the pump hose
         | over/around the car. In some gas stations there's no easy way
         | to turn the car around the pump.
        
         | garaetjjte wrote:
         | >was always a game of chicken with cars entering in the other
         | direction
         | 
         | Uh, other direction? Almost always there are hoses on both
         | sides of the pillar. Is it some regional thing?
        
           | Dylan16807 wrote:
           | There are hoses on both sides of the line of pillars, but at
           | the same time cars can approach the line from either end. No
           | matter what side your port is on, you can use any spot.
        
         | modeless wrote:
         | Phone as key is the future. I was skeptical at first given the
         | general unreliability of Bluetooth but Tesla managed to do it.
         | It's been flawless for me. Key card as backup makes perfect
         | sense although I believe upcoming NFC standards will make even
         | this unnecessary with the ability to have the phone act as a
         | passive NFC tag even when the battery is dead.
         | 
         | The key fob is still available if you want it. Tesla even
         | allows adding and removing keys at home. It's an underrated
         | part of the Model 3. Phone key could have been a disaster but
         | they nailed it.
        
       | zenlot wrote:
       | And those who steal cars can clone pretty much any car keys. No
       | sensation here.
        
         | Scoundreller wrote:
         | ... except you don't need physical or visual access to clone an
         | electronic key, just proximity.
         | 
         | Which is straightforward when you want to steal a particular
         | vehicle because you know where it is and can easily follow its
         | patterns.
        
           | zyztem wrote:
           | And folks with access to Mentor (Advanced Orion) likely can
           | clone keys from the other side of the planet.
        
       | PopeDotNinja wrote:
       | The LockPickingLawyer has done a few recent videos on RFID locks
       | and how one can bypass them. They were pretty interesting to me:
       | 
       | "[1052] Defeating a RFID System With The ESPKey" =>
       | https://youtu.be/0SEHUqkbIjU
       | 
       | "[1056] This Black Box Reads RFID Cards in Your Pocket" =>
       | https://youtu.be/dTObKtHzroM
        
         | tialaramex wrote:
         | The lesson in 1052 sort of misses the point. LPL (his videos
         | are a lot of fun by the way and I recommend them to anyone who
         | is curious about lock picking) says:
         | 
         | > So, if you are installing an access control system like this
         | it is really important to use one that only transmits encrypted
         | data
         | 
         | This would defeat the ESPKey demonstrated, but of course that
         | product exists precisely because it's all you need for common
         | systems today. If "encrypted data" was common the ESPKey's
         | successor would probably be a product that sits next to the
         | reader and gets its own copy of the raw RFID signal. Not as
         | convenient, and less fun for doing cool demos, but still plenty
         | effective enough for crooks.
         | 
         | What you actually need to do to defeat this is a bit more
         | expensive. You need the token (keyfob, card, etcetera) to be
         | smart enough to use the tiny surge of power to do local
         | computation, and then produce one-time-only access codes. That
         | would actually fix the problem, because to get the current code
         | a bad guy needs to steal the token and that's an ordinary
         | physical security consideration that humans are used to dealing
         | with. This way an ESPKey gets the one-time code you just used,
         | but neither replaying it nor copying it to a card to try later
         | will do anything useful.
         | 
         | Unfortunately this smarter token would be significantly more
         | expensive. We saw with EMV cards (payment cards) that the smart
         | and secure option (DDA with changing cryptograms) is expensive
         | enough that providers would often rather take a risk and give
         | you an insecure cheaper alternative which looks identical,
         | especially if they believe regulators, courts etc. won't
         | realise they took the cheap option and so the risk actually
         | lands on their customers not on them.
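The two token designs tialaramex contrasts, as an added Python model that is not from the thread, the videos, or any access-control vendor: a static badge that only ever emits a fixed identifier, next to a token that uses its moment of power to compute a one-time code. The code is counter-based and carried in one direction only, since the readers in question never send a challenge; the token id, the secret and the 8-byte tag length are constructed assumptions.

```python
import hashlib
import hmac
import struct


class StaticBadge:
    """Classic proximity badge: it only ever emits a fixed identifier."""
    def __init__(self, badge_id: int):
        self.badge_id = badge_id

    def present(self):
        return self.badge_id


class StaticReader:
    def __init__(self, allowed):
        self.allowed = set(allowed)

    def accept(self, badge_id):
        return badge_id in self.allowed


class OtpToken:
    """Token that computes a fresh code per presentation (hypothetical).
    No challenge from the reader is needed, so it suits listen-only readers."""
    def __init__(self, token_id: int, secret: bytes):
        self.token_id, self.secret, self.counter = token_id, secret, 0

    def present(self):
        self.counter += 1
        msg = struct.pack(">IQ", self.token_id, self.counter)
        tag = hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]
        return self.token_id, self.counter, tag


class OtpReader:
    """Accepts a code only if its counter is new, within a look-ahead window
    (presentations the reader never saw are tolerated), and its tag verifies.
    A counter already seen is rejected, so a sniffed code cannot be replayed."""
    WINDOW = 10

    def __init__(self, secrets):
        self.secrets = dict(secrets)                 # token_id -> secret
        self.last_seen = {tid: 0 for tid in secrets}

    def accept(self, token_id, counter, tag):
        secret = self.secrets.get(token_id)
        if secret is None:
            return False
        last = self.last_seen[token_id]
        if not (last < counter <= last + self.WINDOW):
            return False
        msg = struct.pack(">IQ", token_id, counter)
        expected = hmac.new(secret, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, tag):
            return False
        self.last_seen[token_id] = counter
        return True


def compare_replay_resistance():
    """Run the same sniff-and-replay scenario against both designs."""
    # Static badge: whatever an in-line sniffer records can be re-sent forever.
    badge, door = StaticBadge(0x1234), StaticReader({0x1234})
    sniffed = badge.present()
    static_replay_ok = door.accept(sniffed)

    # One-time code: the sniffed triple opens the door once, then never again.
    secret = bytes(range(32))                         # constructed token secret
    token, door2 = OtpToken(7, secret), OtpReader({7: secret})
    sniffed = token.present()
    first_ok = door2.accept(*sniffed)
    replay_ok = door2.accept(*sniffed)
    forged_ok = door2.accept(7, sniffed[1] + 1, b"\x00" * 8)   # no secret, no tag
    for _ in range(3):                                # presentations the reader never saw
        token.present()
    resync_ok = door2.accept(*token.present())        # still inside the window
    return {
        "static_replay_ok": static_replay_ok,
        "otp_first_ok": first_ok,
        "otp_replay_ok": replay_ok,
        "otp_forged_ok": forged_ok,
        "otp_resync_ok": resync_ok,
    }
```

With the one-time design the only way to get a code the reader will still accept is to hold the token itself, which is the ordinary physical-security problem tialaramex describes; the look-ahead window is the usual trade-off between tolerating missed presentations and bounding what a stolen, later-recovered token can do.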
        
       ___________________________________________________________________
       (page generated 2020-03-07 23:00 UTC)