Comments

Steve Durbin November 28, 2023 3:42 PM

The article has an odd error – Tesla did not abandon phone keys for the Model 3, it’s the standard way most people access their cars. You get keycards which are used to pair phones and then as backups. Key fobs are available, but as a purchased extra.

Anon E. Moose November 28, 2023 4:30 PM

@Brad
LOL! yup

And the irony that they wouldn’t be looking at security when replacing a device with the primary function of security is not lost but observed, acknowledged and noted to mitigate against in the future.

Clark Gaylord November 28, 2023 4:49 PM

Oh I’m sure they are. Automobile manufacturers are well known for their well thought-out infosec practices. Maybe even more so than HVAC!

Clark Gaylord November 28, 2023 4:50 PM

Oh I’m sure they are. Automobile manufacturers are well known for their well thought-out infosec practices. Maybe even more so than HVAC!

Clive Robinson November 28, 2023 5:26 PM

@ Bruce, ALL,

Re : You know what wins every time…

“Let’s hope people are thinking about security.”

People rarely think about either security or privacy, until they have had theirs violated enough that it causes them life changing effects.

People who think about their security or privacy before that happens are called “paranoid” or similar.

Worse because they tend not to get violated, others tell them “there was nothing for you to worry about” or even less logical.

We are told this will be for our convenience… When in fact the opposite is true.

I don’t use plastic only cash. If I don’t have the money then I don’t buy things. The only exception is buying a house, where the monthly mortgage was less than rent so a no brainer (sadly in the UK the young are kept off the property ladder in various ways these days).

Just today a cashier looked surprised when I held out only a little more money than my groceries totaled. And I got asked why I do not use cards…

I told them that back when they were small and Tony Blair was PM, his deputy “Two Jags” commissioned an investigation into changing the way property tax was paid by people living in an area.

The “favoured” way was to look at what people were spending by tracking their credit card etc purchases and upward averaging across a small area. Then using this inflated figure tax people some fraction of it.

In certain parts of London you will find old aged pensioners on minimum state pension who have next to no disposable income. But because they purchased their house more than half a century ago when the place was not “fashionable” they are surrounded by the very wealthy, who spend tens of thousands on their plastic…

Might I remind people that Governments never let go of “bad ideas” thus at some point some idiot will push such nonsense through the parliamentary process and make it legislation. Just as Mad Maggie did with “Poll Tax” which did not end well at all.

The thing about using cash is you get a receipt. So you can prove the transaction if you need to fairly easily. However, unlike using plastic where the world and his fiscal dog knows the “When, Where and What” of your life at the push of a button, you can retain your privacy.

So if you have some harmless secret like a craving for “frosted jelly beans”, “Pulp Bodice Ripper Romance novels” or “pizza with banana topping” you might think others could look down on you for your weakness; paying by plastic puts it out there for ever, cash, well, as long as you use a brown paper bag, who cares.

Plastic might be “convenient” but it has a bad habit of following you around long after like the “smell of something you mistakenly trod in”. Oh and plastic is also designed quite deliberately to make you fiscally irresponsible to their convenience not yours.

So getting back to phones as keys they are “a convenience you need like a hole in your foot” and sooner rather than later, in what those pushing such “convenience” will have turned into “a target rich environment” those who fell for it will become “the low hanging fruit” that gets taken.

And who will be to blame then?

chris heinz November 28, 2023 7:55 PM

So many of the neat toys we were going to get in the future, I will never in my lifetime use because of security. Until we have computing systems designed with security on level 0, I can in no way bring myself to use the latest cool gear.

ResearcherZero November 28, 2023 9:04 PM

Probably be something proprietary, implemented with a licensing deal that ensures a third party is responsible for addressing any of the typical vulnerabilities that already exist.

PCAPing your way in with a USB “coat-hanger” capture rig will be essential for when the battery in the fob is flat, or because your dog/child locked themselves in while sucking on the fob. Or the old fashioned way, when tools and custom FW are not available.

andyinsdca November 28, 2023 9:25 PM

Do these phone-keys require internet access to work (either in the car or on the phone?) If they do, what happens when the power or cell service goes out? I can imagine that’d really suck in an emergency, like wildfire evacuation.

JonKnowsNothing November 28, 2023 9:36 PM

@Chris, All

re: not using cool things until…

Recently I needed to do some banking that required I actually TALK to a real human being. I managed to get a RL Human (I think they were RL but it might be HAIL) to review what I needed to do.

I got the following instructions:

  • We do not do this over the phone (good)
  • We do not have anyone in a branch that can do this (oh?)
  • We cannot set an appointment for a RL Banker to do it, because we no longer have RL Bankers (yikes!)
  • Your only option is to do this through our App… (expletive deleted)

Yeppers, I was definitely not cool after that exchange….

ResearcherZero November 28, 2023 9:36 PM

There was no internet anyway, and you had forgotten to download the necessary packages in case of a situation like this. However you did remember to put the dongle in your backpack.

Of course you locked your backpack and laptop in the car. So you used a rock. But there were no rocks! You were off road, four wheel driving in the dunes at the time. You had to use your head (not your elbow). It’s not like you are a complete fool.

JonKnowsNothing November 28, 2023 9:51 PM

@andyinsdca, All

re: what happens when the power or cell service goes out?

If it’s power based, generally there is a battery backup.

Pays to get the battery in the car key fob checked when you have a service. If the battery dies in the key fob, the remote start doesn’t work. If there is just a bit of power left, there is a sweet-spot on the steering column where you can place the fob that might let you start the car. If not… you have to punt.

If it’s got some sort of sync, authentication on a cloud server somewhere and your battery dies or you are out of the service area or the internet goes down or the service provider closes up shop; you are SOL.

iirc (badly)

Some folks had an automatic garage door service and the provider shut down the server, the garage doors stopped working.

  • folks couldn’t get out
  • folks couldn’t get in
  • folks who had the garage door open had it stuck open

Then there was the internet pet food dispenser company that had a server glitch, and the kitties and dogs didn’t get their atomic clock timed chow and water.

  • I have never known a dog, cat, horse or cow that doesn’t know what time food shows up. They don’t need atomic clock accuracy to let you know: FEED ME SEYMOUR!

SocraticGadfly November 28, 2023 10:35 PM

No way I want a vehicle without a key. Plus, given all the data a modern car computer collects, if your smartphone is your key, who’s to say your car computer data can’t be stolen via your phone?

ResearcherZero November 29, 2023 1:17 AM

@JonKnowsNothing

You can just about set your watch to them. Cows can also serve as a lovely alarm clock, and I’m fairly sure they know a few foul words or two.

Clive Robinson November 29, 2023 4:12 AM

@ Bruce, ALL,

The question @Andyinsdca asks is,

“[W]hat happens when the power or cell service goes out?”

But he limited himself to infrastructure outside of the vehicle…

As a friend recently found out after having knee surgery and not being able to drive, things happen in the vehicle and the battery gets discharged…

Which results in,

1, The doors unlocking.
2, The battery being destroyed.
3, The vehicle is useless even if you replace the battery with a new fully charged one.

The first is due to “Safety”.

The second is due to “Design choices” that over-discharge the battery, which is why in new cars the battery is seen as a “consumable”.

The third is again due to “Design choices”: there is a whole load of “data” stored in “volatile memory” that gets erased/lost when the battery voltage falls. So you have to,

1, Pay for it to be towed to your nearest “Manufacturer’s agent”.
2, Pay their “service charge”.
3, Pay their “lot parking charge”.
4, Pay their over inflated labour.
5, Pay their over inflated battery price.

My friend found that all in all the bill presented was something like 10% of the new purchase price or close to 30% of the “second hand book value” even though the vehicle was still in warranty…

And people wonder why I’m happy I’m not allowed to drive for medical reasons…

Canis familiaris November 29, 2023 5:44 AM

@JonKnowsNothing

I have had a similar problem, so far unsolved, as I don’t have the relevant app. I might be able to solve it by sending a physical letter, which is a marked difference to the ‘instant solution’ in the app.

The lack of physical bank branches is also becoming an issue, as I have no places nearby where I can withdraw cash from my account without paying a fee.

The pressure to move to ‘smartphones’ and NFC/chipped cards is strong.

It is also noticeable that a lot of public transport has moved to app-based ticketing, to the extent that it is no longer possible to board a bus and buy a ticket.

An acquaintance of mine was in Berlin recently, and not only was required to use the local public transport app, but found that it required registration of a payment method, and the registration process allowed only foreign cards of a particular type (I can’t remember if it was debit cards only, or credit cards only). A tourist without a ‘smartphone’ and the right type of card would have a severe problem.

I am mildly surprised that European governments allow Apple and Alphabet to have so much control over the surveillance of their populations, and have given them the ability to turn off many, if not most of, the ‘conveniences’ of modern life.

wiredog November 29, 2023 5:58 AM

When I went to the Audi dealer online to set up a service appointment the web portal informed me that the password could be no more than 10 characters long…. So I’m sure the car manufacturers are paying close attention to security.

Clive Robinson November 29, 2023 7:13 AM

@ ResearcherZero,

Something triggered the blog “naughty word filter” or similar… So in parts,

Part 1.

“Cows can also serve as a lovely alarm clock, and I’m fairly sure they know a few foul words or two.”

They or you?

I have bad thoughts and words[0] about those who wake me when I’m not ready to be.

Because mostly I really do have “Pleasant Dreams”[1]. Secondly I now have a medical condition that if you wake me at the wrong point in my sleep cycle I can become quite unwell for several hours[2].

[0] Having worked with the likes of Norwegians in the North Sea oil industry, and equivalent with Australians, I have quite a line of such words and phrases, the least of which is the rather graphic “Rumpentoot”, that when you say it right you can really put feeling behind. As for when “words are not enough” Aussies have a series of quite poetic aphorisms 😉

[1] I guess the pleasant dreams are “pay back” for having a mind that is always thinking hinky… It spends nearly all day calculating “defects” in other people’s designs, products, and systems, looking for ways safety, privacy, or security can be oh so easily violated and working out how to plug the gaps effectively. Oddly, as friends have noted, for what should be such an unhappy view on life, I’m basically a happy and cheerful person. So I guess the hinky thinking must involve “the thrill of the chase” or some such.

Clive Robinson November 29, 2023 7:15 AM

@ ResearcherZero,

Part 2,

[2] My heart is very sensitive to certain quite natural chemicals[3]. Adrenalin in local anesthetics used by dentists etc causes bad heart palpitations and thus breathlessness, which when younger I thought was a panic attack caused by fear of the drill. Not so; a friend who is a cardiologist told me to tell the dentist to use the adrenalin free injections… And so no real issue other than having to use more local. Apparently it’s an “evolutionary survival trait” and meant I could get to and up the tree faster than other monkeys who then became lunch. In my case it allowed me to react very quickly and in some cases appear super human, like get out of a vehicle, run to and flip a family car over and rip the door out of the frame and get injured and unconscious people out and carry them to safety before others had realised the danger. The problem is the old “If it burns hot, the faster it burns out”, hence I now have VF that is heavily medicated and an implant to keep the medicated heart from beating so slowly I pass out… There is now a sleep to wake transition phase that is best not interrupted.

Clive Robinson November 29, 2023 7:21 AM

@ ResearcherZero,

Part 3,

[3] I once spent four days in hospital because of it… As some here know I drink still soft drinks like diluted tomato concentrate, slices of lemon in hot water or tea, and avoid hot chocolate, coffee, etc that have the likes of caffeine.

Well I was at an event and they only had “Devil’s Brew” coffee. After just three cups I became very ill and got myself to hospital where I passed out in the corridor. It was witnessed by a doctor who could not find a pulse… So a “crash team” was called. By the time I came to, they thought I also had a neck injury from the witnesses’ description of what they had seen… Getting steadily sicker I had no idea if they were right or wrong. Anyway there I was in an emergency neck brace being wheeled into Accident and Emergency when the cardiac monitor kicked off and we got diverted to Resuscitation where my condition worsened. For those that have not been “poisoned”, the body responds like very very bad motion sickness with the severity escalating from disorientation through nausea, evacuation of the stomach, bowels, bladder, and various internal physiological changes to do with blood pressure etc… On top of which my heart was dancing and skipping like a hip-hop break dancer on something that might not be legal[4]… Nobody knew what was wrong with me and my brain had kind of shut down in not mental but real metabolic shock.

Clive Robinson November 29, 2023 7:27 AM

@ ResearcherZero,

Part 4,

[4] A little over a decade ago the MSM Press published stories about legal highs in Hip Hop, one of which really was “Bath Salts” openly on sale on most high streets.

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3550219/

Other stuff legally on sale in high streets in the cooking section is the chemical sold as a seasoning that will literally stop your heart…

iAPX November 29, 2023 7:27 AM

Cars with contactless keys and/or smartphone keys could never be more secure than cars with physical keys…
And that’s because they still have physical locks, at least one on the driver door and another one hidden in the steering column.

Whether you have physical keys or not doesn’t matter; your car has and will have physical locks that are as unsafe as ever.

Digital car keys just expand the attack surface without solving anything related to security.

Clive Robinson November 29, 2023 7:34 AM

@ ResearcherZero,

Part 5,

So “product safety” is a curious thing and the resulting “Warning Labels” are also used as legal loopholes for nudge, nudge, wink, wink type sales, as has been seen with “beauty aids” and recently “slimming aids”,

https://www.diabetes.co.uk/news/2023/nov/man-arrested-on-suspicion-of-selling-unauthorised-semaglutide.html

Clive Robinson November 29, 2023 7:35 AM

@ ResearcherZero,

Part 6,

Oh and back to “bath scents”, those essential oils easily purchased almost any place, if put in a relaxing bath or ingested… Some such as wormwood and clary sage can have effects that have put people in long-term care. Hence the “seducer’s drink” –absinthe– once being made illegal.

Uthor November 29, 2023 10:05 AM

@Clive Robinson:

Guess I got lucky! My BMW sat at my work parking lot for about a month when I was in the hospital and it started up and drove home okay. The car goes into “sleep” mode as the battery wears down. I learned it does this during COVID lockdowns. It disables a bunch of things (like unlocking the doors by touching the door handle) at first, then goes into really “dumb” mode when it gets really low. Had to unlock the doors with the key and nothing turned on when I got in, but the engine started when I pressed the start button.

My GM car November 29, 2023 10:52 AM

Don’t know about other manufacturers, but many GM vehicles have been remote startable and unlockable via the phone app for years.

Subscription to OnStar is required, however; it’s the OnStar app that provides these features.

Clive Robinson November 29, 2023 3:19 PM

@ Uthor, ALL,

Re : Good design v. Bad design.

“Guess I got lucky! My BMW sat at my work parking lot for about a month when I was in the hospital and it started up and drove home okay. “

Lucky or better software design?

I’m guessing the latter. But as a consumer,

How do you know?

It’s a point that is going to become more and more important as we move from complex mechanics you can take apart and look at with an experienced eye to software so complex and interwoven it becomes, as it were,

“A Gordian Knot to a sightless man.”

All of our consumer protection law is predicated on the buyer in,

“Buyer Beware”

Being able at least to have some ability to spot a con.

Yet how many purchased on what we now know as rigged test results of fuel economy? Of the software detecting the vehicle was on a rolling road test bed and changing how the engine management software worked…

If software can be made to cheat tests by very experienced testers, what hope for the common man putting down a year’s income for a new car?

Good engineering is about designing out corner cases that would harm you in near exceptional circumstances.

As those with “Auto Pilot” are finding out, an 18 wheeler jumping a crossing is a near exceptional circumstance that has happened, and the vehicle drove under it and had its top ripped off; as for the driver, he might have been in two minds about it if it were not for his head being in the roof and the rest of his body several feet away in the body of the car…

https://www.carscoops.com/2023/11/reasonable-evidence-that-tesla-musk-knew-about-autopilot-defect-judge-finds/

As they say “food for thought”.

toni b November 29, 2023 6:54 PM

@ SocraticGadfly,

No way I want a vehicle without a key.

I find the headline odd, because haven’t people already had “digital car keys” for decades? Relay attacks made the news in 2015, and weren’t new then. (Be sure to wrap your fob in tinfoil and not leave it too close to the edge of your home.) My parents have a car—not new or fancy—with this feature: there are no physical locks visible, and they press a keyfob button to lock or unlock the doors.

So, what happens if the fob stops working? They found that out in a dark parking lot one night. The cause was a dead battery, but could’ve just as well been interference or something. Press the button, nothing happens. A cellphone web search revealed that the keyfob contains a tiny key, which would fit into a hitherto-unknown lock: the car’s one physical lock, hidden under a plastic cover on the driver’s door-handle. So, take apart the fob, kneel beside the door in the dark, do some unseen manipulation… and then of course the alarm sounds. The fob was actually still able to start the engine (which turned off the alarm), perhaps via RF power. After a short trip, one person stayed in the running car while the other bought an overpriced battery at a late-night drug store.

Yay, technology. Nobody was really clamoring for this feature—or, anyway, so aesthetically bothered by keyholes so as to reject the obvious compromise of having those and optional radio-unlocking. But it’s a trend one can hardly escape, like difficult-to-remove cellphone batteries. That said, I think everyone who parked in huge lots (as at Disney theme parks or regional malls) in the 1980s and 1990s heard stories like “I unlocked the door, got in, and the engine wouldn’t start. Then I realized it wasn’t my car.” So obviously the manufacturers were half-assing the door locks, but somehow not the engine locks which took the same keys.

Antonio December 7, 2023 11:46 AM

Hi Bruce,

The effort to secure digital keys has been significant for car makers and their suppliers, especially now that the UN R155 (via ISO/SAE 21434) is mandatory in many countries.

So there are many people thinking about security on the topic, and the specifications for digital keys are available to everyone… despite that, weaknesses in the design or in the implementations will always exist.

https://carconnectivity.org/digital-key/

Best
Antonio

Steve December 15, 2023 11:06 AM

I think for this to work, they would have to do a mechanical retrofit on my rather dated Toyota.

That being said, I once owned a Mazda I bought used from a large dealer. It had a rotary engine that was always being blamed for various maladies. One constant problem I had was with the battery running down. If I let it sit idle for a weekend (i.e. I come home from work on Friday, park it, and then don’t use the car again until I need it to drive to work on Monday), on Monday morning it often only had enough reserve to turn the motor over 1-2 times, then I had to get jumper cables and start from another family member’s car. If I let the car sit for a whole week, it would need time on the charger before it would start.

Troubleshooting the problem, I used my trusty VOM, and measured current drain from the battery with everything ‘off’. There was a 1.5 mA drain. Seems hardly enough to matter. But what solved the problem was to buy an aftermarket knife switch that connects inline at the battery terminal, and when I park the car in-between uses, I’d just switch it off, and the battery stayed charged. My best guess was that the drain was for the auto-winder in the mechanical dash clock.
