All your cars are belong to us

BBC Watchdog report mentioned above
starts about 17m 30s
http://www.youtube.com/watch?feature=player_detailpage&v=dKr3nXC-tB8
 
I got a promo call from o2 today, trying to sell me the o2 Car Connection. A GSM-enabled dongle plugged directly into the OBD-II port? What could possibly go wrong?
 
I wonder when we've reached the time when a car using a physical key and a physical lock can be considered safer than the cars with "smart" keys. At some point the number of car thieves actually being able to "work" a lock will be smaller than those using computers.
 
Maybe someone can give us a good translation of the important bits:

[*]link[*]

It's a bad article full of implications and speculations, so I will not bother. They've been to a security expo in Poland and half the article is spent going "not all of the people here at the Expo seem like registered professionals from the security business" *wink* *wink*. Then they are speculating about a Lebanese company not showing one of their products that claims to open any car locked with a smart-key at the expo.

No new information in there.
 
Additionally, some of the actual tech-level facts are plain wrong. They go on about keyless entry systems being particularly weak (plausible) because the key is constantly sending signals (bullshit). The relay tech they talk about might work, but not in the way they describe it.
 
An in-depth analysis of the BMW hack reveals some quite shocking details:
At least the messages sent to a vehicle are checked with regard to which car they are addressed to. This check is done with a VIN (Vehicle Identification Number) included in the message. If the VIN does not match the car in question, it will not execute the command it is sent. This is no hurdle to a potential attacker, though, since the Combox is very helpful in this regard: If it does not receive a valid VIN, it actually sends back an error message that contains the correct VIN in order to identify the sender of the message.
 
The designers and engineers need to go to a social hacks 101 class so bad.
 
Regular keys aren't any better at keeping out thieves, I'm afraid.

Depending on which type of mechanism it is, it can at least take longer - assuming they don't just break the glass. :p
 
Regular keys aren't any better at keeping out thieves, I'm afraid.
At least it takes an effort every time you steal a car that way, and not just once for making an electronic master key opening and starting practically every car of a particular brand like with (some) current keyless entry systems (what a fitting term).

I'm certainly not able to program a secure electronic entry system myself, but I'm pretty sure the mistakes I'd make would at least be more sophisticated...
 
A key difference :drums: is that picking a lock or breaking the glass at least appears suspicious. Unlocking a car remotely as if it were unlocked from the keyfob doesn't even have a chance of raising suspicion.

- - - Updated - - -

I'm certainly not able to program a secure electronic entry system myself, but I'm pretty sure the mistakes I'd make would at least be more sophisticated...

A start would be to open algorithms up for peer review, and to use unique keys/certificates - doing things the way regular old encryption on the web would do.
That might require more sophisticated hardware though, and potentially a need to charge your keyfob instead of swapping the batteries at a service to support that hardware. Combined with induction charging at home and in the car though that could be worked around.

Hell, go install an sshd on the car, store public keys of your keyfobs on there, and have your keys run ssh with a private key in each fob. Want to run any commands, such as unlocking? Log in first. If it's good enough to be exposed to the web, it's good enough to be exposed to a supermarket car park.
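Added example, not part of any post in this thread: a car-side sketch of the "log in first" idea above, which also returns one uniform reply on failure instead of the VIN-bearing error message described in the BMW analysis quoted earlier. It assumes a per-fob symmetric key with HMAC-SHA256 from the Python standard library as a stand-in for the ssh key pairs the post suggests; `CarLock`, `sign` and the sample VIN are hypothetical names and constructed values.

```python
import hashlib
import hmac
import secrets


def sign(key, vin, nonce, command):
    # Fixed-length nonce first, NUL between VIN and command: unambiguous framing.
    msg = nonce + vin.encode() + b"\x00" + command.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class CarLock:
    """Car-side verifier: authenticate the fob first, then run the command."""

    def __init__(self, vin, fob_keys):
        self.vin = vin                  # an identifier, not a secret
        self.fob_keys = dict(fob_keys)  # fob_id -> unique per-fob key
        self.pending = set()            # nonces issued and not yet used
        self.locked = True

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def handle(self, fob_id, vin, nonce, command, tag):
        # A nonce is consumed on first use, valid or not, so a recorded
        # response cannot be replayed later.
        fresh = nonce in self.pending
        self.pending.discard(nonce)
        key = self.fob_keys.get(fob_id, b"\x00" * 32)
        expected = sign(key, self.vin, nonce, command)
        ok = (fresh and fob_id in self.fob_keys and vin == self.vin
              and command in ("lock", "unlock")
              and hmac.compare_digest(expected, tag))
        if not ok:
            return "DENIED"  # same reply for every failure; the VIN is never echoed
        self.locked = (command == "lock")
        return "OK"


if __name__ == "__main__":
    key = secrets.token_bytes(32)                        # constructed sample key
    car = CarLock("TESTVIN0000000001", {"fob-1": key})   # constructed sample VIN
    n = car.challenge()
    tag = sign(key, car.vin, n, "unlock")
    print(car.handle("fob-1", car.vin, n, "unlock", tag))  # first use
    print(car.handle("fob-1", car.vin, n, "unlock", tag))  # replay of the same message
```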
 
I would like to see the insurance companies raise hell over this. Like suing BMW (and other carmakers, where applicable) for installing sub-standard security in their cars, leaving them to be stolen much too easily. Or refusing to insure cars with remote unlocking systems that don't use open, proven-to-be-secure (as per state-of-the-art) technology.
Won't happen, of course.
 
I would like to see the insurance companies raise hell over this. Like suing BMW (and other carmakers, where applicable) for installing sub-standard security in their cars, leaving them to be stolen much too easily. Or refusing to insure cars with remote unlocking systems that don't use open, proven-to-be-secure (as per state-of-the-art) technology.
Won't happen, of course.

You're right, they won't sue. At least over here, what's about to happen is that the insurance rates for theft and comprehensive on such vehicles will skyrocket as a result of this. When the customers complain, they will be told why and this will put pressure on the sales of BMWs etc., so hopefully the manufacturers in question will then be compelled to fix the problem.
 
Something must be done!

Ban cars. (Would be a UK Politician's classic fix. ...)

Too much cheap beer is being bought in supermarkets - enforce price controls.

Supermarkets must charge for bags - for the environment. ...

Etc, etc. ...
 
You're right, they won't sue. At least over here, what's about to happen is that the insurance rates for theft and comprehensive on such vehicles will skyrocket as a result of this.
I also don't have a problem with that less radical solution. As long as the car makers are forced to put some security worth calling it that on their cars.
 