34 comments

[ 74.9 ms ] story [ 1154 ms ] thread
(comment deleted)
> A consequence of this is that the original keyfob gets out of sync, and will no longer function.

I always wonder about this: what is the consequence of that? Can the user reset it, or does it have to be done by a retailer or something?

Depends on the implementation. Most times you just have to click it a few times in a row. The receiver then realizes it missed a few button presses and it re-syncs. I’m not sure what that window is though, at some point it might get so out of sync that the receiver ignores it and assumes it is a wrong fob.
Why are so many car manufacturers incapable of using cryptography properly?
Cool, I was planning to get a spare car key, not anymore!

Also, glad I have one before they would ban it. It’s a neat tool that I have everything I want there, instead of having 4 fobs, one garage remote, plenty of IR remotes, it’s AIO. Plus I don’t have to pay fees to replace my lost fobs

Kind of insane that this works... Surely whoever implemented this knew it was insecure? I honestly wouldn't have thought to check for this vulnerability because... who would do that??
cool, I needed a new car, thanks
What practical use does this have? From my reading if I capture an unlock signal, the car will not unlock for the owner, so they’ll press their remote a few times.

If I capture a lock signal, presumably I can instead prevent it from locking. The only real world malicious action I can see is being viable is to block the car lock, meaning the car is still in an unlocked state, open the boot (which I’m guessing can be done from the car dash anyway) then locking it afterwards?

I sometimes imagine how much of this could be avoided if the communication signals weren't (a) broadcast or (b) a imperceptible to humans.

If it an electrical contact in the door handle, it would be very difficult for anyone to monitor or inject other signals.

If the signals were audible sound, you'd know when someone was jamming it.

In practice, my number one use of a fob from a remote distance is locking, rather than unlocking, and those two operations don't have the equivalent security risk.

(comment deleted)
I guess this attack is against the keeloq protocol. There are no known total breakage of this kind AFAIK, against the cryptography implemented in the chip. This will be interesting to understand, I mean: what they are exactly doing here.
If the attack causes the original key to no longer work, imo the major threat vector is someone sitting in a parking lot, capturing key presses, performing the attack, and forcing the user to tow+re-program the key as a nuisance, rather than stealing the vehicle
Jokes on them, I lost my key fob years ago.
You can be sure that this attack has been well known to intelligence agencies for a while.
Why isn't a link to the repo/firmware the first link in the article?
This is why keyless "start button" functions on cars is a bad idea.

The old approach of keyfob to unlock the car and a real key for the ignition is safer.

Having multiple levels of security is good.

However, having worked in the car security industry many years ago, I discovered that car manufacturers actually like it when their customer's cars are stolen - Insurance payouts often result in another sale.

Tons of the rolling key systems on the market are based on KeyLoq, and keyloq is a fairly well designed system with a big lynch pin.

It has something called a 'manufacturer key', which needs to be available to any device that allows field pairing of remotes. If that manufacturer key is known, it only takes two samples from an authenticator to determine the sequence key.

Absent the manufacturer key, jamming+replay attacks work, but brute forcing a sequence key is generally prohibitively costly.

However, since any receiver that supports field programming needs the magic "manufacturer key", one could purchase such a unit, and may be able to extract said key.

This seems difficult when you can order a Ford fleet key off Amazon and get access to most Ford trucks and vans for about $15.
Am I the only one that just hates push to start in every way? Sure, I don't need to have the "insert key and crank" to be real, but physical key seems so superior.

Feels like getting rid of the light switches in your house in favor of "smart home" stuff.

So I guess it's back to locking the door manually before I close it, and being absolutely sure I don't leave the keys in the car.
Is there a cheap device you can make yourself or buy from India? Flipper zero is not easy if not impossible to buy.

For this project let's say

> For this new attack to work, all that is needed is a single button-press capture from the keyfob, without any jamming. Just from that single capture, it is able to emulate all the keyfob's functions, including lock, unlock, and unlock trunk.

If I don't press the buttons on my keyfob am I safe from this?

The only keyfob functionality I normally use is that when it is outside the car but within about a meter of the door handle the door can be locked or unlocked by pressing a button on the door handle.

(comment deleted)
For the past 20 or 30 years, my insurer made car theft insurance conditional on having an immobilizer device installed that requires code entry through a physical keyboard.

And there were a few years this seemed onerous, but most of the time, there were popular attack in use by car thieves that were prevented (or at least made much longer and more complicated) by this.

Why don't cars use public key crypto? Is it too expensive to run on a key?