34 comments

[ 3.5 ms ] story [ 73.1 ms ] thread
Oh dear. Seriously, 24-bit and 40-bit crypto of any variety?

Was it really so hard in the year 2013 to put at least a 128-bit AES key in the card?

With a sufficient directional panel antenna you could impersonate a car and query pocketed fobs in whole crowds of somewhat wealthy individuals. Aim the antenna and rig at the seating area of a trade show for middle/upper management types in the technology industry, for instance.

The obvious choice is to sort of skip the crypto entirely. The key fob can hold more than enough 128-bit random numbers to last the life of the car. Think about how much we can put on a little USB device these days. Cross off codes as they are used. This only requires a 1-way signal and a transmit button.

If the car can just ask for a code, without a button being pressed, then you have the problem of a foe tunneling the keyfob signal over a long-distance repeater link. Dealing with that requires timing measurements to measure the distance that the signal has traveled.

Exactly (the last part). There's a fundamental weakness here. Fixing the obvious weakness in the single sided authentication and weak crypto isn't enough to fundamentally solve it. Not sure there's _any_ way to fully make this secure. AFAIK, Model 3 doesn't have this feature & vulnerability.
Proposal for expensive cars that don't require a button press:

The key fob and car contain identical pre-shared random data. (could be gigabytes) Each transaction uses 4 tokens, 2 going in each direction, with each token being 128 bits.

Upon a button press, the key fob selects and destroys the next 1-time-use token it contains. It begins to transmit.

First the key fob sends a token. The car must respond with the correct token, which is checked by the key fob. Failure causes radio silence. After a few padding bits to allow for that checking, the car sends another token. The key fob XORs this one with the key fob's second token, which is then transmitted. The car takes note of the latency.

Each 100 ns delay (a single bit at 10 megabit/second) is worth about 30 meters at the speed of light. The car can use this to exclude key fobs that are excessively distant.

Now consider the repeater attack. The key fob is somehow mistakenly activated. The attacker forwards the signal over a microwave relay to the car, and does likewise for the signal going back to the key fob. Responses arrive late, causing rejection.

You don't much need crypto here. It's just XOR with a 1-time pad. Cheaper cars should just to that alone, with 1-way transmission. Expensive cars should do 2-way and measure the timing, but they don't need fancier crypto.

This is not a bad idea but I can think of two problems in real world execution:

a) Car companies won't want to hand out fobs that have any sort of writable memory, takes battery, and risks write memory wearout. Never seen a fob or smartcard that has memory which is written with every individual transaction. Having the fob do a computation on every transaction means it will need a lot more battery (in Wh per year) compared to a regular remote-unlock key fob for an ordinary passenger car.

b) High precision RF travel/distance timing, onboard computer system in the car capable of reliably determining to within 100ns timing interval, taking into account randomness in the real world environment such as reflections from nearby low-e class windows, metal structures, and such, may not be cheap or easy to implement.

I think the battery/memory/computation issues work out fine. Remember, the normal alternative is heavy-duty crypto like AES or a public-private key pair. This is just XOR.

Write memory wearout is not an issue. You can do this with write-once memory, so you don't even need flash. Manufacture the device with FF bytes, load keys into it by clearing bits, and then dispose of keys by clearing the rest of the bits. The same could apply to the car, or that could be different. Billions of keys could fit on a key fob.

Wearing out the car door hinges will happen long before wearing out the key fob storage.

Timing... well I don't know, but common ethernet chips have registers that tell the OS how long the cable is. Cars also ship with radar that has much tighter time measurement requirements.

> Never seen a fob or smartcard that has memory which is written with every individual transaction.

Actually every SIM card does this. At least when used by a phone to join a mobile network, a SIM writes some timestamp or counter to persistent internal memory. This caused a funny case of SIM cards with very limited lifetime for a German provider (I think it was Congstar), who had a problem in its network that caused frequent authentications of handsets, thereby having them chew through the write cycles of their SIM cards way faster than projected for normal use. The cards became "dead" afterwards.

If I remember correctly, all chip enabled payment cards also have a transaction counter that is updated on every successful transaction.

They could use MRAM memory for the first option. Low capacity MRAM is quite practical and it has very high endurance.
There is no reason why FIDO U2F wouldn't work here. Encryption was likely invented to guarantee vendor lock-in - you wouldn't want anyone buying a relatively cheap fob instead of your premium key.

Don't invent crypto.

There's no excuse in 2018 for using a 40-bit key. Hopefully Tesla gives its customers the upgraded fobs for free.
These cars were made ~5 years ago, but there's still no excuse for using a 40-bit key (which is transformed into a 24-bit response, lol) ~5 years ago.
There was really no excuse even in 2009, nevermind 2013, if you were doing some sort of proximity card public/private key crypto...
Actually, a very good excuse was provided precisely in 2009 - https://xkcd.com/538/
That doesn't really apply in this situation though, since the crypto can be defeated without taking a wrench to the owner's face.
I don't disagree with the premise of that cartoon, but it's more about the concept of putting full disk encryption on your laptop, crossing the border into Uzbekistan, and then refusing to give up the password.

By that logic, anything that is protected by crypto, if you threaten the owner with violence, it can be stolen from them. Which is just about everything on earth, if you're willing to apply sufficient violence.

I was referring mostly to the concept of "A crypto nerd's imagination".

Seriously, it is unlikely someone would put the money and R&D effort required to replicate the researcher's solution with the goal of stealing these camera systems on the wheels that can be disabled remotely.

So I'd rather advocate for Tesla to continue using inexpensive and secure enough solution to unlock doors. And focus their efforts on making the thing actually safer, like not accelerating into and colliding with concrete barriers.

I can totally see people stealing Teslas, if you bring $100 worth of jamming equipment with you, it won't be disabled remotely. The cellular frequencies that a Tesla uses for M2M connections back to the mothership are not rocket science to jam.

At least not before it's driven into a warehouse somewhere and cut apart to be cannibalized for repair parts, then parts shipped overseas.

Repair parts for what? Who will purchase these?
All the people who have been waiting for months+ for a body shop to find Tesla-approved replacement parts, presumably.
Presumably, the same wholesalers/auto parts trading places I've seen in third-world countries with suspiciously sourced grey market Toyota Land Cruiser/Lexus repair parts.

Or people who want $20,000 worth of 100kWh 18650 battery conveniently packaged with connectors and cooling system.

Fair enough, I think I mentally substituted "Model 3" for some reason. I wonder if these fobs were designed 20+ years ago when the US crypto export control situation was a bit goofier.
No amount of perfect encryption will protect against a relay attack.
You should use a key exchange protocol like Diffie Hellman
Doesn't help one iota. The relay attack uses a two way amplifier to effectively increase the reach of the frob. This way the evildoers can steal the car while you are sleeping.

As tropo suggests above, it would have to measure the distance (signal propagation), but I suspect that would drive the cost of the frob up significantly.

EDIT: to be clear, this isn't the attack discussed in the article, but a more serious problem that is already in use today.

Sorry, I mistook your point.

The critical issue for rf keys is the lack of a button to lock/unlock the door.

This is even worse than a relay attack, since AFAIK those require being near the fob and there are other mitigations (even simple things like timing how long it takes to get a response). This attack essentially lets you clone key fobs permanently, not just start a car while the owner is on the other side of a parking lot. And the encryption would work a heckuva lot better if the attacker had to precalculate every challenge and response with, for example 256 bit AES keys instead of 40 bit keys with 24 bit responses.
Yikes!

  0xFFFFFFFFFF :: 1,099,511,627,776
A 5 character password protects these vehicles.
Not just Model S:

"We have only been able to verify our attack on a Tesla Model S in practice. However, Tesla did not design this system themselves but purchased it from Pektron. ... Pektron also designed keyless entry solutions for manufacturers such as McLaren, Karma and Triumph. ... This leads us to believe that the attack described here also affects the other manufacturers."

It seems odd to make that claim about other companies without actually checking. It could be true, but it also wouldn't surprise me at all if Tesla were cutting corners here in a way that McLaren doesn't for the really obvious reason that they're selling £185k cars, not £70k cars.
Most keyless systems are insecure in several other ways to a surprising degree for this decade.

Even in more recent years, most of them seemingly do not implement

(1) Time of flight checks, e.g. that a radio relay isn't being used to get to the keyfob many more meters away in the house using a relay/amplifier. This is a commonly exploited theft method currently. The Apple watch implements this to unlock your MacBook Pro(!) This has also been shown to be a viable attack method on many contactless payment terminals.

(2) Replay protection - another possible common attack is to receive the rolling code from transmitter, jam it so the car can't hear it and wait for the remote to transmit a second one. Then you jam that also, store that code, but then re-transmit the first code and the car unlocks and now you have a second code to use to unlock the car later. It's possible to both receive and jam the code by using a very precise tuned receiver, and jam in the surrounding the frequencies which in most cases the actual receiver (e.g. car) won't have filtered out. This works particularly well on most garage doors.

(3) Let alone having some kind of recoverable/brute forcible ID scheme, which as we can see here, is also true. I'm sure these aren't the only ones.

It's kindof silly really. I'd be curious to know if any manufacturers have been fixing this in the last couple of years.

> Time of flight checks, e.g. that a radio relay isn't being used to get to the keyfob many more meters away in the house using a relay/amplifier.

That one's surprising. What's to stop someone following you into a supermarket after you've parked your Porsche, standing next to you with a relay device transmitting via the cell network, and someone else in the car park with the equivalent receiver/relay?

A couple of relevant tweets from one of the authors on twitter:

"Tesla responded to this by upgrading key fobs’ encryption in June and adding an optional PIN to cars last month. If your Model S is older than June, you can get a new key fob, turn on a PIN, or disable passive (no-click) unlocking" https://twitter.com/a_greenberg/status/1039202487822106624

"Just one more thing. Everybody is making fun of Tesla for using a 40-bit key (and rightly so). But Tesla at least had a mechanism we could report to and fixed the problem once informed. @McLarenAuto, @KarmaAutomotive, and @UKTriumph use the same system and ignored us." https://twitter.com/TomerAshur/status/1039245324441792513

I thought software was supposed to be Tesla's killer advantage. It seems like they are doing a lot of amateur hour stuff on their vehicles.
(comment deleted)