All your cars are belong to us

DanRoM

https://aachen.ccc.de/keyless-gone/

Anyone speaking German find anything more in the articles?
Basically they used a relay attack - bridging the gap between car and key with special radio equipment (which isn't difficult to make) and relaying the signals between car and key over a distance. This allows a two-person team to steal a car: The driver stays by the car with one end of the radio bridge, the other follows the car owner with the second end. Car opens, thief enters, radio relay simulates the key being inside the car, thief drives away to safehouse.

The article mentions that they cracked every car they tried with the exception of Audis, but suspect this is only due to using the wrong radio frequency on their proof of concept.

Summary: Nothing new. "Keyless Go" systems are insecure because the principle they work on has a very obvious flaw. I don't know if and how that can be fixed by adding appropriate encryption, and the article doesn't focus on that.

My personal opinion: It's long overdue that insurance companies hit cars with "Keyless Go" features with higher premiums so people stop buying them until the carmakers close the gaping security hole.
 

jack_christie

DanRoM said:
Summary: Nothing new. "Keyless Go" systems are insecure because the principle they work on has a very obvious flaw. I don't know if and how that can be fixed by adding appropriate encryption, and the article doesn't focus on that.

My personal opinion: It's long overdue that insurance companies hit cars with "Keyless Go" features with higher premiums so people stop buying them until the carmakers close the gaping security hole.
Thanks.
 

chaos386

DanRoM said:
Basically they used a relay attack - bridging the gap between car and key with special radio equipment (which isn't difficult to make) and relaying the signals between car and key over a distance. This allows a two-person team to steal a car: The driver stays by the car with one end of the radio bridge, the other follows the car owner with the second end. Car opens, thief enters, radio relay simulates the key being inside the car, thief drives away to safehouse.

The article mentions that they cracked every car they tried with the exception of Audis, but suspect this is only due to using the wrong radio frequency on their proof of concept.

Summary: Nothing new. "Keyless Go" systems are insecure because the principle they work on has a very obvious flaw. I don't know if and how that can be fixed by adding appropriate encryption, and the article doesn't focus on that.

My personal opinion: It's long overdue that insurance companies hit cars with "Keyless Go" features with higher premiums so people stop buying them until the carmakers close the gaping security hole.
If they could design the fobs to have extremely precise response times (doesn't have to be fast, just reliable, like 50 ms +/- 0.1 µs), they could use that to calculate its real distance from the car, thus foiling any relay attacks.
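
Added example, not part of any post in this thread: a sketch of the car-side check that the response-time idea in the post above implies, showing how the fob's timing tolerance sets the shortest relay the car can be sure to catch. The names (FobTiming, accept, simulated_rtt), the 2 m unlock range and all round-trip values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

C = 299_792_458.0  # speed of light in m/s; radio in air is close to this


@dataclass(frozen=True)
class FobTiming:
    reply_delay_s: float  # nominal fixed delay before the fob answers
    jitter_s: float       # worst-case deviation from that delay (+/-)


def max_distance_m(rtt_s: float, fob: FobTiming) -> float:
    """Largest one-way distance consistent with a measured round trip.

    The car has to assume the fob answered as early as its tolerance allows,
    so everything beyond (delay - jitter) is counted as time of flight.
    """
    flight_s = rtt_s - (fob.reply_delay_s - fob.jitter_s)
    return max(0.0, flight_s) * C / 2


def min_safe_limit_m(fob: FobTiming, unlock_range_m: float) -> float:
    """Smallest limit that never rejects a genuine fob inside unlock range.

    A genuine fob can answer up to 2 * jitter later than the earliest reply,
    which is indistinguishable from jitter * C extra metres of distance.
    """
    return unlock_range_m + fob.jitter_s * C


def accept(rtt_s: float, fob: FobTiming, unlock_range_m: float) -> bool:
    """Unlock only if the worst-case distance stays under the safe limit."""
    return max_distance_m(rtt_s, fob) <= min_safe_limit_m(fob, unlock_range_m)


def simulated_rtt(distance_m, fob, delay_error_s=0.0, relay_delay_s=0.0):
    """Constructed measurement: fob delay plus flight time plus relay latency."""
    return fob.reply_delay_s + delay_error_s + 2 * distance_m / C + relay_delay_s


if __name__ == "__main__":
    loose = FobTiming(reply_delay_s=50e-3, jitter_s=0.1e-6)  # figures from the post
    tight = FobTiming(reply_delay_s=50e-3, jitter_s=1e-9)    # assumed tighter fob
    for name, fob in (("0.1 us", loose), ("1 ns", tight)):
        relayed = simulated_rtt(20.0, fob, delay_error_s=-fob.jitter_s)
        print(name, "limit %.2f m" % min_safe_limit_m(fob, 2.0),
              "20 m relay accepted:", accept(relayed, fob, 2.0))
```

With the 0.1 µs tolerance the car cannot tell a fob in the driver's pocket from one roughly 30 m away, so only relays adding more effective distance than that are reliably rejected; a nanosecond-scale tolerance brings the limit down to a few metres.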
 

jack_christie


Interrobang

I read part of that yesterday. This is going to hurt JD in the long run.
I think putting software this restrictive into farming equipment in the first place is the thing that will hurt a company like JD in the long run ...
 

prizrak


JCE

So after all of this why the fuck do people want all this damn technology in their cars? Been screaming about this for at least 10 years but I'm really concerned people are too dumb and impressed with all the shiny stuff to see what's happening to them. LOL :)
 

GRtak

Unpatched Exploit Lets You Clone Key Fobs and Open Subaru Cars


Tom Wimmenhove, a Dutch electronics designer, has discovered a flaw in the key fob system used by several Subaru models, a vulnerability the vendor has not patched and could be abused to hijack cars.

The issue is that key fobs for some Subaru cars use sequential codes for locking and unlocking the vehicle, and other operations.

"Currently, I'm using a Raspberry Pi B+ ($25), a Wi-Fi dongle ($2) and a TV dongle ($8), but the Raspberry Pi B+ and WiFi dongle could both be replaced with a single Raspberry Pi Zero W ($10), which has WiFi on board," Wimmenhove told Bleeping.

"Then you need a 433MHz antenna ($1) and an MCX to SMA convertor ($1) to stick the antenna onto the dongle," he added. "Finally, you need something to power the thing. I'm assuming most people have some kind of Lithium-Ion power bank laying around. If not, they don't cost much either."

Several Subaru models affected

Wimmenhove tested the rig on his own 2009 Subaru Forester, but says the exploit should also work on the following models:
2006 Subaru Baja
2005 - 2010 Subaru Forester
2004 - 2011 Subaru Impreza
2005 - 2010 Subaru Legacy
2005 - 2010 Subaru Outback


Subaru is aware but has not patched the issue

The researcher also said he reached out to Subaru about his findings.

"I did [reach out]. I told them about the vulnerability and shared my code with them," Wimmenhove told Bleeping. "They referred me to their 'partnership' page and asked me to fill in a questionnaire. It didn't seem like they really cared and I haven't heard back from them."

Subaru did not respond to three requests for comment from Bleeping Computer made over 36 hours before publication.

The code needed to run Wimmenhove's attack rig, along with instructions, are now on GitHub. Bleeping Computer is not sharing the link in this article.
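
Added example, not part of the quoted article or of anyone's post: a simplified receiver model contrasting a code that is merely sequential with one that carries a keyed MAC over the counter. This is not Subaru's actual frame format, which the article does not describe; the class names, the 16-step acceptance window, the 8-byte tag and the key are all constructed assumptions.

```python
import hashlib
import hmac

WINDOW = 16  # assumed: how far ahead of the last counter a receiver accepts


class SequentialReceiver:
    """Weak model: the transmitted code is just the next number in line."""

    def __init__(self, last_code: int):
        self.last_code = last_code

    def accept(self, code: int) -> bool:
        if self.last_code < code <= self.last_code + WINDOW:
            self.last_code = code
            return True
        return False


def fob_frame(key: bytes, counter: int):
    """Hardened fob: counter plus a truncated HMAC under a per-fob secret."""
    tag = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]
    return counter, tag


class MacReceiver:
    def __init__(self, key: bytes, last_counter: int):
        self.key, self.last_counter = key, last_counter

    def accept(self, counter: int, tag: bytes) -> bool:
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False  # replayed, or too far ahead of the fob
        _, expected = fob_frame(self.key, counter)
        if not hmac.compare_digest(tag, expected):
            return False  # right counter, but sender does not hold the key
        self.last_counter = counter
        return True


def demo():
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    observed = 1000                                           # constructed value
    seq = SequentialReceiver(last_code=observed)
    predicted_ok = seq.accept(observed + 1)   # next code follows from one sample
    mac = MacReceiver(key, last_counter=observed)
    forged_ok = mac.accept(observed + 1, bytes(8))  # counter known, key unknown
    genuine_ok = mac.accept(*fob_frame(key, observed + 1))
    replay_ok = mac.accept(*fob_frame(key, observed + 1))  # same frame again
    return predicted_ok, forged_ok, genuine_ok, replay_ok
```

Neither design addresses the relay attack discussed earlier in the thread, since a relay forwards genuine frames from the real fob.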

 

D-Fence

Now that is quite clever. Only works once though, once they shut the car off, it will not be able to start again......as the key is physically not present to clone again. However, since all these cars will be parted out anyways, I guess it doesn't matter........
 

bone

"bangle for president"
D-Fence said:
Now that is quite clever. Only works once though, once they shut the car off, it will not be able to start again......as the key is physically not present to clone again. However, since all these cars will be parted out anyways, I guess it doesn't matter........
during the relaying, they can't store the key's fingerprint?
so the car thinks the key is present?
 

Blind_Io

"Be The Match" Registered
"In this shocking footage" - shows a slide show of photos
"Store your keys in a metal tin" - why? So thieves don't have to use the signal jammer? How would storing the keys in a metal box prevent someone from using a duplicate key?
That music gave me ear-cancer.
 

bone

"bangle for president"
Blind_Io;n3546978 said:
"Store your keys in a metal tin" - why? So thieves don't have to use the signal jammer? How would storing the keys in a metal box prevent someone from using a duplicate key?
it wouldn't stop them from lifting your car on a flatbed and taking off either
 