Stealing Cars with Laptops

Fascinating:

While automakers and locksmiths are supposed to be the only groups that know where and how security information is stored in a car, the information eventually falls into the wrong hands.

Slashdot thread.

Posted on May 5, 2006 at 6:50 AM • 39 Comments

Comments

csrsterMay 5, 2006 8:24 AM

"automakers and locksmiths are supposed to be the only groups that know where and how security information is stored in a car"

Security through obscurity strikes again?

BrianMay 5, 2006 8:48 AM

I'd love to know what kind of cryptography they are using for these locks. Is the problem a small key space that can be brute-forced in 20 minutes? Or some other weakness?

(And why on earth do large organizations presumably run by intelligent people still end up designing weak cryptographic systems? See also: WEP.)

Josh OMay 5, 2006 9:02 AM

Bruce, do you see that this Jim Dermitt guy is only posting so many times to increase the number of links to his blog from your site to improve his google search results? That's why all of his posts are barely on subject, and he holds a conversation with himself.

JungsonnMay 5, 2006 9:04 AM

Once more the proof that security is such a difficult topic. Organic vs Electronic security have both their flaws. a metal key or an electronic key, both can be breached using brute force.


AleMay 5, 2006 9:25 AM

@Jungsonn: "both can be breached using brute force".

In the case of crypto, it often pays much better to attack the protocol through some vulnerability that to attack the algorithm by brute force. I however agree completely with your opinion: no simple answers, no silver bullets.

JungsonnMay 5, 2006 9:38 AM

@Ale

I agree, the brute force idea was to set an example. And it depends, sometimes a brute force attack could be more sufficient. in case of a ordinary lock: brute force maybe far efficient. Normal locks can be opened quickly by hammering or weakening pins, to carefully tilt pins could take longer. But also with electronic locks (as in an earlier topic about locks) most "keycard" locks can be bruteforced with a simple power magnet. But these things deppent on the situation, and also on last resort :)

AGMay 5, 2006 9:49 AM

I don't understand why you would use a laptop to "hack" a car.
Seems like more trouble than it is worth.
Why not just take the keys?
How would a locksmith break into a BMW? I don't believe a locksmith has a laptop ready to "hack" the BMW.
My bet is there is some VERY SIMPLE unlock/reset software that is at ALL the BMW service centers and the crook has got a hold of it.
Otherwise, if someone lost the keys to their BMW you would have to junk the car.

TimMay 5, 2006 10:04 AM

@Jim Dermit: "If Google shut it down in 15 minutes, I wouldn't care one bit."

Whereas if you could just shut up for more than 15 minutes, the rest of us would breathe a sigh of relief...

GeekMay 5, 2006 10:19 AM

Well, hacking keyless entry system doesn't even need a laptop, just a plain old' palmpilot would do.

There was quite an old story on New Scientist about a group called Hack Canada who could open keyless entry systems in certain cars with a palm pilot equipped with an infra-red port.

another_bruceMay 5, 2006 11:37 AM

i don't have "the club", but if i were david beckham, after losing two cars, it's something i'd consider. low-tech and cheap works for me, and you can't disable "the club" with a laptop.

AnonymousMay 5, 2006 11:45 AM

Oooh - new product... GoogleMagic. One ad and trolls disappear.

AGMay 5, 2006 12:17 PM

I would think BMW would have an interest in making sure Beckham's car was not stolen just to avoid any negitive press.

DeebsterMay 5, 2006 12:27 PM

Jim won't be getting any google ranking because of the rel="nofollow" bit in the link.

On topic, I am also confused as to why the system is so insecure - why not just use a cryptographically proven challenge-response with attempt limiting?

David ConradMay 5, 2006 12:45 PM

I only just got my first car with remote keyless entry about a year and a half ago, and this is something I wondered about at the time. Does anyone know if it uses a challenge-response system? Is it susceptible to a replay attack?

The parts for the transmitter and the receiver must be generally available, so it seems like a moderately skilled tinkerer could mount a replay attack without too much trouble.

(I'm just talking about regular remote keyless entry, not even keyless start like in the Toyota Prius.)

Jim HyslopMay 5, 2006 1:10 PM

@David Conrad:

I've been wondering the same thing. My gut suspicion (and I could be wrong) is that the remote device is transmit-only, which would make it extremely easy to use the replay attack. The remote is extremely simple. The circuit board has eight components on it: a transistor (probably a power transistor for the transmitter), a coil, a crystal, a 24 pin IC, and four surface-mount resistors or capacitors.

ChrisMay 5, 2006 2:02 PM

"It’s difficult to steal cars with complex security"

Someone forgot that the more complex the security, the more potential problems.

BrianMay 5, 2006 2:56 PM

@StupotUK

Is the attack the thieves are using different than the RFID analysis you linked to? That attack seemed to require eavesdropping on a transmitter from relatively close distances.

Either the thieves got pretty close to Beckham (did they ask for an autograph?) or they are using a different attack.

boy wonderMay 5, 2006 4:22 PM

Brute force is the way to go - a big enough crowbar opens ALL locks.

Automobile ignitions are a different matter - a lot of new ones can't be hot-wired because of electronics built right into the key-switch. So don't lose your last key.

RoyMay 6, 2006 5:02 AM

@AG: "My bet is there is some VERY SIMPLE unlock/reset software that is at ALL the BMW service centers"
That would be very unusaual - because of the danger of this software leaking out (which would lead to a "gold key" for evey XYZ) mostly the method to go is open with force (drilling th lock/?) and changing parts (lock, keys, control unit etc.)

@boy wonder:
"big enough crowbar opens ALL locks" - no, just make the lock strong enough that the crowbar gets too heavy to hold ;)

Seriously, it's usually not about keeping everyone out for all the time, but keeping an attacker with a ceratin toolset (screwdriver, crwobar, blow-torch, ...) busy for a certain amount of time.
Drastically said, with a good padlock, you can't stop a tank but perhaps the neighbour's kids with a screwdriver.

I assume the algorithms are kind of "home-brewn", the units used also don't have too much prcessing power.
Remember the Russians in 191?, they encrypted their tactical messages weak and knew it but assumed it would take a few weeks to crack them, the information would have rendered useless. Unfortuately, the Germans deciphered the messages within hours.
I guess we see something similar happen here. Nobody cares if the locks could be circumvented in a few months or so, but i someone brings this time down to 20 minutes, you have a problem.

Roy

StupotUKMay 7, 2006 7:12 AM

@Brian

Indeed this is exactly how the guys at RSA and MIT bruteforced the weak 40bit bespoke cipher made by TI for the car key. Read in detail old fellow, the communication with the car isn't an interception/replay attack, however the weak crypto/contactless is the meat and patatoes of the issue.

Also Ross Andersons lot have written a good paper (Jan 2005'ish), as did some Israel Uni student on practical proxying/intercetpion of contactless smart cards and rfid type devices for very low cost. Just search via google.


TTFN

BennyMay 8, 2006 4:57 PM

@ StupotUK:

Just a minor nitpick: it was Johns Hopkins University that worked with RSA to analyze TI's cipher, not MIT.

JasonMay 19, 2006 2:25 AM

I am a locksmith, i specialize in automotive.... you wont steal a car with a laptop.. and a CLUB is useless i can pick them in seconds.. and YES if you loose keys for a BMW... MERCEDES PORCH you nead to replace the pcm/ power train control module... the only transponder/ chiped keys cars i have ever managed to bypass are ford and honda.. anything else isent going to move... and ford/mazda is the same thing

The BoxJune 30, 2006 10:52 AM

Jason, your not to smart. Take the XLR for example you dont need a key to start it just a transponder in your pocket.

Laptops can and do aid in car theft. Much diagnostic equipment pulls the code out of the pcm in seconds.

PaulJuly 8, 2006 11:59 PM

Jason:
You are a locksmith, how can I get into my wifes 04 BMW X5 with out damaging it. I lost her key and she says that the spare and the valet key are inside the vehicle. Is there anyway a mechanicaly inclined guy like myself can get into the X5? Any info would help a great deal, I don't want to pay someone to come out and do it & rob me for something that I can do.
Thank You
Paul

thiefOctober 13, 2006 8:36 AM

Does anybody know what the software was called the Hack Canada team used, and where they are located....

I know a lil bit about stealing cars, Wasting your time on the door lock is useless, unless you have time to spare, but most of the time you dont. Before you hit a car do your homework, find out the exact model, order a new ignition from autoparts or whatever.

Buy a dent puller from a hardware store
get some gloves.....

If door is locked just smash the window at 3 in the morning, get into car if alarm goes off pop hood and disconnect battery, the alarm may have a remote battery hidden some where in the car, usually hidden in the trunk

Use the dent puller to remove old ignition and hook the wires p to the new one and bam ur gone


This only works on cars that don't have keychipped and new technononlgies built in, there must be a way to bypass chips in new cars using both bruteforce, and new methods, who knows...

not locksmithOctober 18, 2006 12:41 AM

Jason -

As a locksmith, you should know about layered security. A club lock is merely one layer, and it is a visual deterrence at best, I agree - but often a valuable one, as a thief will likely just choose one of the many cars WITHOUT the club lock.

Why you find it relevant to mention that you can pick the Club lock in seconds (no big achievement)? Any car theif is going to remove the thing by brute force alone.

Car theft, and burglary in general does not involve lockpicking - moreoften it involves a brick through a window, or kicking/forcing a door open, in slightly more sophisticated cases, maybe drilling or pulling cylinders.

As a locksmith, I would presume you are fully aware of all of this(?). So why does it matter that you can pick a Club lock in moments? So can I. I cannot see theives going to the lengths of learning to pick even these simple locks, when other quicker, more reliable (but destructive) means are open to them.

The crime statistics only add weight to my assertions - burglaries and car thefts are in general perpetrated by people who only know one means - force.

I also suggest you update your training.
The gear needed to set yourself up is very expensive, but you can certainly service a lot more than Ford and Honda chipped ignitions if you have decent kit.

And more on topic - given the kit is available for locksmiths, it can only be a matter of time before such technology falls into the hands of (more) criminals.

It is sickening how many times one has to read this statement, but : Security through obscurity just doesn't work.

I am NOT a locksmith.

KevinDecember 13, 2006 6:07 PM

Does anyone have any expert knowledge if it is possible to steal a car without showing any visible signs in the ignition. Example is it possible to use a "close" key obtained from the serial number of the car?

artJanuary 16, 2007 8:52 PM

brute force does not always work. the new vw audi bmw porche etc. locks are clutch operated. to much force and they just spin. even if they didn't they each have a rolling code transponder system. so even if you did read the chip the next time the owner starts the car the info you have is outdated, as in it changes on each start and at some other time in the run cycle. also the chips on most cars only have a range of about 5cm and are directional. you cannot use the john hopkins tools in a covert manner.

S-15February 5, 2007 10:24 PM

Speaking of stealing cars, not that I have any experience in doing so, I keep quite a selection of keys available. This makes unlocking various vehicles quite easy especially on chevrolet' s. The old gmc' s and chevy' s (from late 70's to mid 90's) are by far the easiest to start. After you get into the vehicle, grab the plastic ring on the base of the steering column and push HARD towards the dash. **POP!** There are two metal rods and some wires. One rod controls the headlights and the other, the ignition. Simply push the ignition rod down firmly to start the vehicle. This applies to camaro' s, s-10' s, corvette' s, and all vehicles with that type steering column. Oh, simply align the snaps and pull the ring back into place to cover your work.

A little off topic I know, but, is there a way to modify a stock ford key-fob to open most ford keyless entry out today?

S-15February 5, 2007 10:27 PM

Speaking of stealing cars, not that I have any experience in doing so, I keep quite a selection of keys available. This makes unlocking various vehicles quite easy especially on chevrolet' s. The old gmc' s and chevy' s (from late 70's to mid 90's) are by far the easiest to start. After you get into the vehicle, grab the plastic ring on the base of the steering column and push HARD towards the dash. **POP!** There are two metal rods and some wires. One rod controls the headlights and the other, the ignition. Simply push the ignition rod down firmly to start the vehicle. This applies to camaro' s, s-10' s, corvette' s, and all vehicles with that type steering column. Oh, simply align the snaps and pull the ring back into place to cover your work.

A little off topic I know, but, is there a way to modify a stock ford key-fob to open most ford keyless entry out today?

grayson.May 26, 2008 12:59 AM

S-15...

NOT SO SIMPLE CAMAROS... VETTES from the mid 80's and UP GM used VATTS and then letter PASS lock 2


if you dont have a few resister packs made up and in your pocket your pretty much fudged...

there are 15 combos of resistance and if you dont get it right on the 3rd keyed on your BCM will lock out for anywhere from 10 mins to 3 hours .. cutting off all fuel systems

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..