[HN Gopher] Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys
___________________________________________________________________
Author : elorant Score : 71 points Date : 2020-03-06 17:09 UTC (1 day ago)
| jaclaz wrote: | Garcia is a professor at the UNI of Birmingham; he already wrote a | paper on a similar topic that in 2012 was blocked by a court: | | https://www.theguardian.com/technology/2013/jul/26/scientist...
| amluto wrote: | IMO this is what class action lawsuits are for.
| cosmodisk wrote: | CEO's BMW X5 was stolen last year. He watched the CCTV later | on. The guy came to the car with a laptop and drove away after a | minute or so. Police found the car dumped somewhere on a road, as | the car ran out of fuel and apparently it had some security | feature that prevented the thieves from refilling it.
| ryanlol wrote: | Sounds like you're describing a range extender attack on the | keyless start. Almost (I don't know any that aren't) all cars | with the feature are vulnerable to this.
| ohmaigad wrote: | Latest BMW, Audi, VW and Ford (or at least some models from | these manufacturers) key fobs stop transmitting after X | amount of time (based on motion).
| maxerickson wrote: | Can they do Honda, please?
| aluminussoma wrote: | My reaction: Great! Reproducing these keys costs hundreds of | dollars and a trip to the dealer. Maybe it can finally be | affordable again. | | I'm less concerned about someone stealing my car. The local | police department takes it seriously, no less because stolen cars | are used to commit other crimes.
| gambiting wrote: | Wait, what are you advocating? Return to keys without an | immobiliser??? You do realise that that's the feature that has | single-handedly destroyed car theft that was so rampant by the | 90s?
That is what made cars so difficult to steal, but also | what makes keys cost what they do and require an approved | dealer to code the keys. Return to the old keys where you only | had the key and nothing else would be... crazy, really.
| Dylan16807 wrote: | Yeah, if they're overcharging then it would probably be | better to go after that directly. It doesn't need to cost | more than $20.
| notlukesky wrote: | The essential problem is that static credentials are transmitted | and can be copied. If they used a randomly generated code to | unlock the cars (needs to be generated offline) then that would | solve this issue. | | There are plenty of offline hardware-based solutions already on | the market, especially for unlocking computers with MFA. It needs | to be offline generation for computers for NIST DFARS 800-171 | compliance.
| _iyig wrote: | >The essential problem is that static credentials are | transmitted and can be copied. If they used a randomly | generated code to unlock the cars (needs to be generated | offline) then that would solve this issue. | | Not necessarily. Relay attacks are very hard to defeat, | regardless of your crypto scheme: | | https://www.wired.com/2017/04/just-pair-11-radio-gadgets-can...
| forkexec wrote: | It should be a construction approximately: first DHE and then | the car challenging the fob to MAC a unique message. | Exponential backoff after every failed attempt for that token | (fob).
| nym375 wrote: | Exponential backoff could DoS someone from opening their own | car.
| Russtopia wrote: | Great! The dealership charges inordinately for a new key, so I | would love to be able to do it myself.
| 1123581321 wrote: | I am married to someone who has lost her keys several times so | far. Upgrading from a car with a $50 fob to one with a $200 fob | was not fun.
| webninja wrote: | https://www.thetileapp.com/en-us/store/tiles/pro | | If she loses her keys just once it pays for itself many times | over.
| 1123581321 wrote: | Yeah, that would have been a good call. Though as noted | below, we don't always know generally where they were lost. | I'll take a look at the peer-to-peer discovery.
| code_duck wrote: | I assume this person must be losing their keys in public or | somewhere unknown. Otherwise their house must have quite | the bonanza of keys waiting for them.
| jjeaff wrote: | Those types of systems like Tile work in public as well; | they use a network of other users that will inevitably | walk by the lost item.
| code_duck wrote: | I see, that's interesting and good to know. I thought it | was something that only worked in local range.
| gambiting wrote: | Key insurance is a thing if this is a legitimate issue for | you.
| 1123581321 wrote: | I didn't know about this. Any idea how typical premiums | run? I may have to start the quote process to find that | out.
| gambiting wrote: | I had mine on a 3 year policy for about £100; it would | cover up to 3 replacements in that time. Made sense as | the key was about £400, but I never ended up using it.
| neuralRiot wrote: | Call me old, but what is so great about the smart key? Not having | to pull it out of your pocket? I know this is an old rant already, | but cars have reached the crappyfication curve: when something | cannot improve its main purpose anymore it starts adding unneeded | features to be able to push a "new" product.
| slovette wrote: | I disagree. When you've got 4 kids and both arms full of | groceries, when the doors open automatically or even unlock on | their own it's a godsend. I'd even say it's probably saved some | lives as the kids race to get in and out of the parking lot | instead of waiting on me to shuffle around for the keys, | dropping bags in the process, and then chasing each other | around in blind traffic.
| Krasnol wrote: | How much of an inconvenience would it be if your car gets | stolen having 4 kids and both arms full of groceries, in | contrast to placing the bags on the floor for a second? | | I have this smart key thingy too and I keep it in one of | those RFID pouches. Since I don't have to use the key to | start the engine, I feel the whole thing became more of a | problem than it was before. You at least always knew where | the key is and where to put it. Now it sometimes slides down | the seat, or is in my jacket that I wanted to leave in the | car, or the engine/electric is not on/off because pushing the | button does several things. It became an inconvenience, and | the few times I really used the automatic open feature after | deliberately taking the key out of the pouch to profit | from it are negligible.
| frandroid wrote: | > when you've got 4 arms arms full of groceries | | Damnit, speaking of unwanted features...
| Dylan16807 wrote: | Isn't the solution to that situation a shopping cart?
| ronnier wrote: | Today it's mostly smart keys. Tomorrow it will all be driven | from your phone. I can't wait until I never have to carry a key | again. This is a stepping stone.
| tialaramex wrote: | The keys this article is talking about aren't (necessarily) | keys you don't have to "pull out of your pocket". What's | "smart" about them is that the car's immobilizer technology | talks to them before agreeing to let the vehicle be driven. | | Hence the article says thieves would be able to "hot wire" a | car after using this attack. You can't (if manufacturers did | their job properly) "hot wire" modern cars like you see in the | movies; the computer overseeing things doesn't let it be driven | anywhere just because somebody jammed a screwdriver in a hole | and taped some wires together.
| | Keyless entry and keyless ignition are entirely _different_ | technologies that have a different problem (relay attacks) | which was covered a long time ago and has numerous quite | different solutions from this. | | _This_ article is about the all-too-common situation where | somebody cut too many corners and left themselves open to a | pretty easy cryptographic vulnerability. (Some) Car | manufacturers did a crap job of making the "smart" key that | disables the immobilizer actually secure, and bad guys can use | that to clone such a key and drive off in your car. If they | didn't also copy the mechanical shape of the key (which would | be more effort) they can smash the lock just as they would have | in the 1980s to steal a car. Some of them might even remember | stealing cars in the 1980s and not need to learn a new | technique.
| aetherspawn wrote: | The smart key is literally the best feature in the second-hand | Lexus I picked up a few years ago. | | I no longer have to pry the key out of my jeans, or go looking | for it in all my bags when I'm travelling.
| smcnally wrote: | I'm with you and not a good representative of the target market | for keyless fobs. slovette and aetherspawn give good use cases | for some benefits. I still ask how much of a real-world problem | to be solved was sticking a physical key into a steering | column? What were the stated goals for developing NFC ignition | fobs in re drivers, manufacturers, and the automotive | industry?(1) | | Apart from inevitable consequences like from this article, are | benefits outweighing other intended, unintended, and inevitable | consequences like these for most people?
| - Forgetting car keys more often per new learned behaviors
| - Fob batteries dying
| - Replacing lost / broken fobs is more costly in time, money, and hassle
| - Leaving fobs in the car more often
| | (1) Understood keyless entry / alarm / remote starting are | clear benefits
| intopieces wrote: | Not having the key scratch your smartphone, for one. For | another, it just reduces the steps to get you from point A to | point B. All these little things add up.
| Dylan16807 wrote: | Keys shouldn't be hard enough to scratch phone glass.
| blankobj wrote: | I live in the city and it's extremely common for cars to be | broken into and/or stolen because of key fobs. It's a common | topic on our FB neighborhood group. We store our keys in a | Faraday box by the front door now, instead of leaving them out. | Not surprised the attack vectors keep growing here.
| unnouinceput wrote: | Quote: "By contrast, the cloning attack the Birmingham and KU | Leuven researchers developed requires that a thief scan a target | key fob with an RFID reader from just an inch or two away." | | Story time: Back in 2005/2006 when I worked for Siemens | Automotive on the Immobilizer feature (I was involved in Mazda and Ford | projects) I got my hands on the highly secret crypto source... and | much to my surprise I saw they had implemented a Vigenere style | of cipher. I was astounded by this. Having some crypto background | from pet projects in previous years, I knew this class of ciphers | is at least 1.5 centuries obsolete and they are taught only | from a historical perspective. Therefore I prepared and called a | panel of higher-ups (managers, group leaders and even including | the hardware department chief), showing to them that the source | code implementation is very dangerous and that for a criminal | group to mass steal cars would be very easy.
Including telling | them exactly what the article is talking about: put an RF | recorder under the door handle (how many car owners will check | there?), record sessions of radio communications between key fob | and the car, analyze that, extract the crypto key and steal the | car with a duplicate no more than a week after. Their | reply? "Standard in industry call that we also allow mechanical | keys to open doors/start the car, so a criminal group can do them | as well much easier", and that was the end of that meeting.
| tialaramex wrote: | Are you sure you aren't misremembering? | | DST40 | https://en.wikipedia.org/wiki/Digital_signature_transponder | used in Fords of that period is a Feistel cipher, not a Vigenere | cipher. Now, I wouldn't choose a Feistel cipher for this | problem today, but it certainly is not 1.5 centuries obsolete; | this type of encryption wasn't even invented until the mid 20th | century, and a very famous example would be DES.
| optimiz3 wrote: | Hopefully that's in writing somewhere for when the lawsuits | happen. Financial consequences tend to motivate large companies | to change their ways.
| unnouinceput wrote: | It's not. It was an internal meeting, and around 2008 Siemens | also sold its entire Automotive division. Also they are the | original inventors of the Immobilizer feature back in the late 80's, | and their code "stood" the test of time. You have no idea how | much opposition you get to touch even a line of code in the | Automotive industry when the codebase is a decade old, not to | mention an entire feature. So I am not surprised this is now | all over the place in all auto-makers.
| robomartin wrote: | One related and another unrelated thought... | | First: Auto manufacturers ought to get together and agree on one | common key + entry system standard. It can be a combination of | physical key and remote key if necessary.
| | The problem: If you have multiple vehicles (and many families do) | you end up with a keychain full of horrendously large and | unnecessarily inconvenient keys, key fobs, whatever. Some | manufacturers seem intent on making the largest and most | inconvenient boxes they can possibly imagine. This is entirely | unnecessary. In this day and age one ought to be able to have a | universal programmable entry system that gets programmed for your | vehicles and that's that. One device to rule them all. | | Second: Auto manufacturers ought to get together and agree on | placing the fuel tank port on the same side. | | The problem: Today you have cars and trucks with fuel tank refill | ports on the left and the right. It can be an absolute nightmare | to go to a gas station where most of the cars have ports on the | left and you show up with one on the right. This is one of the | reasons for which I hated driving our BMW. Going to the gas | station was always a game of chicken with cars entering in the | other direction.
| maxerickson wrote: | Phone as fob is more or less here. Probably watches too.
| close04 wrote: | > fuel tank port on the same side | | I want to believe this is to be able to spread the use around | both sides of the pump without pulling the pump hose | over/around the car. In some gas stations there's no easy way | to turn the car around the pump.
| garaetjjte wrote: | >was always a game of chicken with cars entering in the other | direction | | Uh, other direction? Almost always there are hoses on both | sides of the pillar. Is it some regional thing?
| Dylan16807 wrote: | There are hoses on both sides of the line of pillars, but at | the same time cars can approach the line from either end. No | matter what side your port is on, you can use any spot.
| modeless wrote: | Phone as key is the future. I was skeptical at first given the | general unreliability of Bluetooth, but Tesla managed to do it. | It's been flawless for me.
Key card as backup makes perfect | sense, although I believe upcoming NFC standards will make even | this unnecessary with the ability to have the phone act as a | passive NFC tag even when the battery is dead. | | The key fob is still available if you want it. Tesla even | allows adding and removing keys at home. It's an underrated | part of the Model 3. Phone key could have been a disaster, but | they nailed it.
| zenlot wrote: | And those who steal cars can clone pretty much any car keys. No | sensation here.
| Scoundreller wrote: | ... except you don't need physical or visual access to clone an | electronic key, just proximity. | | Which is straightforward when you want to steal a particular | vehicle, because you know where it is and can easily follow its | patterns.
| zyztem wrote: | And folks with access to Mentor (Advanced Orion) likely can | clone keys from the other side of the planet.
| PopeDotNinja wrote: | The LockPickingLawyer has done a few recent videos on RFID locks | and how one can bypass them. They were pretty interesting to me: | | "[1052] Defeating a RFID System With The ESPKey" => | https://youtu.be/0SEHUqkbIjU | | "[1056] This Black Box Reads RFID Cards in Your Pocket" => | https://youtu.be/dTObKtHzroM
| tialaramex wrote: | The lesson in 1052 sort of misses the point. LPL (his videos | are a lot of fun, by the way, and I recommend them to anyone who | is curious about lock picking) says: | | > So, if you are installing an access control system like this | it is really important to use one that only transmits encrypted | data | | This would defeat the ESPKey demonstrated, but of course that | product exists precisely because it's all you need for common | systems today. If "encrypted data" was common, the ESPKey's | successor would probably be a product that sits next to the | reader and gets its own copy of the raw RFID signal. Not as | convenient, and less fun for doing cool demos, but still plenty | effective enough for crooks.
| | What you actually need to do to defeat this is a bit more | expensive. You need the token (keyfob, card, etcetera) to be | smart enough to use the tiny surge of power to do local | computation, and then produce one-time-only access codes. That | would actually fix the problem, because to get the current code | a bad guy needs to steal the token and that's an ordinary | physical security consideration that humans are used to dealing | with. This way an ESPKey gets the one-time code you just used, | but neither replaying it nor copying it to a card to try later | will do anything useful. | | Unfortunately this smarter token would be significantly more | expensive. We saw with EMV cards (payment cards) that the smart | and secure option (DDA with changing cryptograms) is expensive | enough that providers would often rather take a risk and give | you an insecure cheaper alternative which looks identical, | especially if they believe regulators, courts etc. won't | realise they took the cheap option and so the risk actually | lands on their customers not on them.
___________________________________________________________________
(page generated 2020-03-07 23:00 UTC)
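A worked version of the challenge-response idea from forkexec's and tialaramex's comments above (a fresh challenge the fob must MAC, so a recorded session is worthless to replay, plus a backoff that is capped to limit the lockout nym375 raises), written here as an added example that is not part of this thread. It assumes a key shared between fob and immobiliser at pairing time in place of the DHE step, HMAC-SHA256 as the MAC, and a simulated clock; the class and function names are my own.

```python
import hashlib
import hmac
import secrets

# Constructed pairing secret: provisioned into fob and immobiliser when the key
# is coded, never sent over the air (in forkexec's sketch it would come from DHE).
PAIRING_KEY = secrets.token_bytes(32)
UNLOCK_LABEL = b"immobiliser-unlock:"   # domain separation for the MAC input

def static_car_accepts(stored: bytes, received: bytes) -> bool:
    """Static credential: the fob always sends the same bytes, so one recording
    of a genuine transmission can be replayed forever."""
    return hmac.compare_digest(stored, received)

def fob_respond(key: bytes, challenge: bytes) -> bytes:
    """Fob side: MAC the car's fresh challenge under the pairing key."""
    return hmac.new(key, UNLOCK_LABEL + challenge, hashlib.sha256).digest()

class ChallengeResponseCar:
    """Immobiliser side: fresh random challenge per attempt, accepted once only,
    plus a capped backoff so failures slow an attacker without locking the
    owner out indefinitely (the DoS concern raised in the thread)."""

    def __init__(self, key: bytes, max_backoff_s: int = 60):
        self._key, self._pending, self._failures = key, None, 0
        self.locked_until, self._max_backoff_s = 0, max_backoff_s  # simulated seconds

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response: bytes, now: int = 0) -> bool:
        if now < self.locked_until or self._pending is None:
            return False
        expected = fob_respond(self._key, self._pending)
        self._pending = None                    # never accept the same challenge twice
        if hmac.compare_digest(expected, response):
            self._failures = 0
            return True
        self._failures += 1
        self.locked_until = now + min(2 ** self._failures, self._max_backoff_s)
        return False

def run_scenarios() -> dict:
    """An eavesdropper records one genuine unlock, then tries to reuse it."""
    car = ChallengeResponseCar(PAIRING_KEY)
    recorded = fob_respond(PAIRING_KEY, car.challenge())   # sniffed genuine reply
    genuine_ok = car.verify(recorded)                      # owner's unlock succeeds
    replay_ok = car.verify(recorded)                       # no challenge outstanding
    car.challenge()
    later_ok = car.verify(recorded)                        # stale MAC vs. a new nonce
    return {"static_replay": static_car_accepts(PAIRING_KEY, bytes(PAIRING_KEY)),
            "genuine": genuine_ok, "replay": replay_ok, "later": later_ok}
```

The static scheme accepts the recorded bytes indefinitely, while the challenge-response car accepts the genuine reply once and rejects the same bytes against any later challenge.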