A team of German scientists say they have cracked the encryption of a device widely used in keyless entry systems that electronically secure cars, garages and office buildings. The finding by the scientists from Ruhr University in Bochum, Germany, means it is now relatively straightforward to clone the remote control devices …
Can't be that bad
It's been in use for 20 years, and is *very* widely used with easy access to all the components, and yet they've only just got around to cracking it. And even then it isn't trivial. And it needed help from a Wiki entry. (Who posted that by the way - a rival supplier?)
For cars it'll still be easier to just steal the keys, as this will get you around all the security systems not just the KeeLoq part. (Immobiliser transponder is usually a different system to the remote locking transmitter, so wouldn't be touched by this)
As for building security, if your only security relies on a chip card then you aren't trying hard enough.
I'm sure people will use this for bad things, but I'm not sure the threat is particularly severe - at least for now.
Makes me glad...
...my car is not worth stealing.
How far is a meter? All of my meters are significantly different in size. The only one I could use for measuring distance is my metremeter and that is just over a metre long.
ok, so for around "$3,000" in equipment (what's that in real money? probably down to £50 by now?) you can have an attack that lets you sit around some types of vehicle, wait for someone to open their car, then do some analysis of the data, and then next time they leave their car there you can come back and get in, sounds like a good investment
however personally i would go for the even smarter investment, around £5 can get you a hammer, which can gain you instant access to any type of vehicle, no waiting around, no wondering if that vehicle is vulnerable to your snooping or not, you just walk up to the car, use your vehicle entry device, and get instant access - as an added bonus the hammer can also be used as a weapon if the vehicles owner should catch you in the act - and that's not all, buy now and your hammer comes complete with the ability to control construction equipment such as "the nail", this is a limited time offer so buy now to avoid being disappointed
you know where the smart money is...
Good old mechanical vehicle/garage locks have been "cracked" since the beginning of locksmithing. That does not mean that all cars get pinched.
Locking a vehicle or building just sets a barrier to entry: effort/risk/cost vs payback. When you lock a car you just make it a bit harder to steal and the crim will hopefully steal some other car or not bother that night.
Cracking Keeloq just changes the payback curve. Buying a few $K of fancy kit plus doing fancy sums is still beyond what the average thief is prepared to do.
Here in San Francisco, that's how meter is spelled . . . or is it spelt?
Have you ever tried to break a car window with a hammer? - it's harder than you might think, and attracts far more attention than you might want.
I prefer an automatic centre punch...
I thought a spark plug was the preferred tool for busting into cars.
Garage door = entry to houses.
Most people with an automatic garage door also have a door from the garage into the house. And 99% of people will leave that unlocked, since no one can open the garage door anyway, right?
It wouldn't be hard to imagine an organised burglary group implementing this. It'd make getting in easier and less obvious to neighbours. If the owner is out, then they'd even be able to park a ute in the garage and load up undetected.
Of course an alarm system foils that, but there'd be tonnes of suburban houses that have remote garage doors and no alarm.
As for the spelling of the base metric distance unit... metres is the correct spelling, and US spelling is pointless if the US residents refuse to use them.
Customers the big loosers here
Now microchip will be able to sell its customers equipment to replace what it has installed over the last 20 years.
Only the customers loose.
One time pads now practical
With flash being so cheap, one time pads are now practical (shared key sequences of random numbers).
You could generate a true random sequence of keys, burn them into both car and key, and use that.
8 bytes per key, say you open the door 1000 times a year, an 8Mb flash would last 1000 years before reusing the sequence.
Don't these guys know the basics?
Kerckhoffs' principle, presented in 1883.
If this system depends on the algorithm being a secret, it's improperly designed.
Re: One time pads now practical
"...before reusing the sequence"
Just to nit-pick, isn't the idea of a one-time pad that it is used only once?
Well, anyone who owns a Prius must be fairly miffed...
...since Toyota dispensed with keys entirely, and the car just uses the proximity of a remote unit to authorise entry and enable starting of the car. Anyone with an appropriately-programmed remote could, in theory, just walk up to the car, open the door, get in, press the Start button and drive away. Easy as that.
Wonder how many more Prius models we'll see on eBay in the next 12 months? Still, I'm glad this vulnerability came out now. I want to buy a new VW Golf next year, and I'd prefer one that can't be opened so easily...
Personally, I'm not at much risk. Not because my old Rover has an alternative means of entry - I'm just as stiffed as anyone else whose protection has been cracked. It's just that my car is probably worth less than £200 - and it has its steering wheel on the wrong side, so anyone trying to steal it must be very, very desperate. :)
You wouldn't use this to steal just ONE car...
You'd arrive early and park near a large lawyers/bankers/rich bastards' office and clone about twenty keys as people arrive in the morning. The next day, a bunch of people with caps pulled low for the cameras calmly walk in and drive off with a lot of very expensive cars.
Too much work for your average herbert, but a reasonable return on your investment if you choose the right target.
Surely you mean "french yard" ... after all you insist on using "english pint" (for something that isn't!)
re: One time pads now practical
Actually, I thought that was how they worked. I remember reading an article about the technology: they had an overlap so you could press the key button a few times without getting out of sync with the car even if you were out of range; if you pressed it 50 times or so, it would stop working.
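An added sketch (not from the article or any commenter, and not KeeLoq itself) of the scheme this sub-thread describes: a pre-shared random sequence of 8-byte codes, with the receiver accepting any of the next few unused entries so that out-of-range presses do not desynchronise the fob. The names `Fob`, `Receiver` and `make_pad`, the 200-entry pad and the look-ahead of 50 are assumptions chosen for illustration.

```python
import hmac
import secrets

CODE_BYTES = 8   # "8 bytes per key", as in the comment
WINDOW = 50      # assumed look-ahead, from the "50 times or so" recollection

def make_pad(n_codes):
    """Shared random sequence burned into both fob and car."""
    return [secrets.token_bytes(CODE_BYTES) for _ in range(n_codes)]

class Fob:
    def __init__(self, pad):
        self.pad, self.index = pad, 0

    def press(self):
        """Emit the next unused code; every press consumes one entry."""
        if self.index >= len(self.pad):
            raise RuntimeError("pad exhausted; entries are never reused")
        code = self.pad[self.index]
        self.index += 1
        return code

class Receiver:
    def __init__(self, pad, window=WINDOW):
        self.pad, self.window = pad, window
        self.next_index = 0  # first entry not yet accepted or skipped

    def accept(self, code):
        """True if code is one of the next `window` unused entries."""
        end = min(self.next_index + self.window, len(self.pad))
        for i in range(self.next_index, end):
            if hmac.compare_digest(self.pad[i], code):
                self.next_index = i + 1  # used and skipped entries are burned
                return True
        return False  # replayed, unknown, or too far ahead

def demo():
    pad = make_pad(200)  # constructed sample pad
    fob, car = Fob(pad), Receiver(pad)
    first = fob.press()
    results = {"normal": car.accept(first), "replay": car.accept(first)}
    for _ in range(10):  # presses made out of range of the car
        fob.press()
    results["after_10_missed"] = car.accept(fob.press())
    for _ in range(WINDOW):  # too many out-of-range presses
        fob.press()
    results["after_50_missed"] = car.accept(fob.press())
    return results

if __name__ == "__main__":
    print(demo())
```

A captured code is useless once the receiver has moved past it, but any code recorded while the car was out of range stays valid until the receiver advances beyond that entry.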
Several correspondents argue that this is not that useful or easily used security hole, e.g. Mike points out this is "an attack that lets you sit around some types of vehicle, wait for someone to open their car, then do some analysis of the data, and then next time they leave their car there you can come back and get in". Doesn't the article say that once you crack it you can do it for any *model*?
So you while away a few hours in a Tesco car park after which you can open *any* Ford Focus/Honda Accord/generic Toyota... sounds alright to me.
Is that a good looking female sheep, about a metre long?
So $300, or €80 to break into a lot of cars without damage or being too suspicious. Sounds like a good investment if you're that way inclined. Especially as the price will fall if it's worked on a bit more.
My car's a Fiat so the remote never works anyway............
"I'm not sure the threat is particularly severe"
Well no, but the words "master keys", "posted on Interwebs" and "within 1 week" come to mind.
Let's have some redistribution of income here...
Serves them right for being so greedy
When I were a lad your car key was made of one slim piece of metal and if you lost it you had another one cut for 2/6d. Now it's a chunky lump of plastic and a new one costs 200 quid. You're over a barrel too if you want to get back into your motor. I hope someone does flog off cheap replacements that you can reprogram yourself.
What colour, oh sorry, color shirt have you got on, did you buy that aluminium, sorry again aluminum foil I asked for :p
@Keith T - while we're being picky....
The customers lose! They don't loose.
Loose = opposite of tight.
Lose = opposite of find.
Why would you cycle to the next key if there was no response from the car at all? That just causes problems.
re: One time pads now practical
Cars come with two keys, so would they have separate sequences, or try and sync up somehow? I guess they'd go for separate. It would mean if you lost a key, the stealership would just need to reprogram the car's part for a new key - or more likely open up some module and replace the corresponding chip/board for the new one - pretty expensive, but then people shouldn't lose keys!
@Oliver, AC and Dan
Keyless entry in the Prius is not an option on the UK models.
@AC(@Dan) - Septics have a smaller pint than us hardy Brits. So when one of them brags to you he drank 5 pints of beer in one night, he actually means only 4 pints of shandy.
@Dan - It's spelled 'metre' since it's based on the Greek 'metron'. Ask 100%-accurate Wikipedia if you don't believe me. A meter is what I use to counter-argue my extortionate gas-bill. That's that gaseous form of gas, and not the liquid-form you favour over there...
@AC (American language pedant)
Aluminium is actually pronounced aluminum; the boffins (a phrase popular with El Reg) some time ago decided that the name didn't look right on the periodic table next to Plutonium, Caesium, Francium, and other elements. They decided to add the extra "i" to make it look pretty.
$3000 dollars worth of equipment?
...or if you buy them from China, about $150, or some other ridiculously small price.
Also in your cart : GPS/mobile jammer. For innocent purposes only.
@Oliver and Mr Cheese
I believe the latest model Micras use this sort of keyless entry, although I think it applies to starting the car, not sure about opening the door though.
So does cracking the encryption on a DVD: <click-click>
My car fob only reaches about 10 feet, so I'll keep an eye out for hackers with laptops leaning on my motor's bonnet.
"I believe the latest model Micras use this sort of keyless entry, although I think it applies to starting the car, not sure about opening the door though."
Renault have been using card keys for a while, and I dare bet you'll find a fair few Laguna owners who aren't that keen on the idea (let's just say that the keycard system had a few, erm, issues when it first came out)
Makes me glad I'm running a 10yo Clio - even if someone was taken with an urge to nick it, and had the keys, they'd more than likely give up before the immobiliser decided to disarm itself :-)
@Ash - aluminium
that article you link to states the following:
"Davy proposed the name aluminum for the metal and later agreed to change it to aluminum. Shortly thereafter, the name aluminum was adopted to conform with the "ium" ending of most elements, and this spelling is now in use elsewhere in the world"
which makes no sense at all - they've spelt it wrong there somewhere, but which one?
and anyway - the point is not the pronunciation of the end of the word, it's the beginning bit that the sceptics have trouble with. it's not aloo-minum, it's al-u-min-um(ium whichever)
<<My car fob only reaches about 10 feet, so I'll keep an eye out for hackers with laptops leaning on my motor's bonnet.>>
But, I bet your motor doesn't use a Yagi/high-gain/Pringles antenna to pick up the signal....
....we really need a "bleeding obvious" icon....
Can anybody think of a reason why my alarm refuses to set near the police station?! Not that I think anybody would steal my 10 year old brick.
By your "Pringles" etc. comment you appear to assume that the keyfob is transmitting in the 2.4 GHz. Not every consumer electronics uses the same 2.4 GHz band. My keyfob, like most, isn't 2.4 GHz. It is, like many, in the 300-something MHz band. Makes your high gain antenna pretty unwieldy. Your Pringles can WiFi antenna would have to be replaced with a garbage can size keyfob-compatible antenna.
So, beware hackers loitering on the sidewalk and aiming tripod-mounted garbage cans in your direction while fiddling with their laptop.
I once hardwired a cordless doorbell transmitter to a 12v battery on my bicycle years ago, so if the bike was nicked (small town) I could find it again with the doorbell. Side effect unexpectedly was that it jammed car door opener buttons within 10-20 metres of the bike. Perhaps there is something similar at the cop shop?
@JeffyPooh - Good Point!
Actually, good point, I didn't think of that.
<<So, beware hackers loitering on the sidewalk and aiming tripod-mounted garbage cans in your direction while fiddling with their laptop.>>
So, I'd need to equip myself with an RFID-enabled, (recycled) tinfoil-lined Wheelie bin, and wear a donkey jacket and some wellies to appear in "Mufti".
'Course, I'd need to choose the 'correct' day of the week^H^H^H^H fortnightly collection day for me to get away with it, but, hell your 10-year old Lada's maybe worth it! (if all I can afford is a donkey jacket). Er, did they have radio in them thar days?
</Joke!> Have a good weekend! -Andy
(Mine's the jacket in the wheelie bin. Yep, the one that smells a bit. Ta Muchly.)
must've watched "Gone in 60 Seconds" too many times. The "new" version and the original.
Social engineering cracks thru fancy encoded key security for cars as well as passwords for PC's.
As for the hammer guys, there's an even easier (lazier) way to get thru even the most advanced auto security, deployed by west coast and east coast "gangstas" for years: the carjacking. Let the owner disable the security system then threaten to kill them if they don't get out of the car. Modern variations by "undocumented" gangs on the West Coast includes shooting them even after they get out of the car just to prove brutality.
At least in the states
A $50 pistol will get you most auto's. Unless the owner is stooopid.
Thanks for the explanation.
I was worried here, trying to deduce what the customers had loosed upon us all.
I, for one, was ready to greet our new customer overlords, but now I see there's no need.
Also, didn't Burt Reynolds appear in a pair of films about the metre?
Shooting people after they get out wouldn't be terribly bright, as people would realize pretty soon that they're just as well off clobbering the throttle as obeying the carjacker.
Gangstas may be mean, but they're not dumb.
In other news... Jimmy entry with Wikipedia? A touch of class, Reg. Well-played.
@AC - One Time Pad
If you use a one-time-pad more than once, it isn't a one-time pad.
Yep - I have similar problem with my >10 year old motor. Under certain circumstances, when parked in particular locations, the "lock" button refuses to work. Move ten metres (or is that meters.. hehe!), and it works fine. Personally, I suspect that it is Wi Fi networks interfering with my key / receiver.
As regards the original article / exploit: I imagine this will be very useful to organised criminals trying to gain access to large properties / expensive cars, but not much use to anybody else. Anything that requires the villain to hang around with a few kilos of electronic equipment just in order to clone the key is going to be worthless to the average car thief or burglar: they can just break a window. I imagine that the manufacturers of high end home security systems and executive motors are already using security far more sophisticated than this, so this makes this discovery a non-problem.
Nice to see boffins are still doing their jobs well but personally, I'm still more worried about some scally smashing my window for my radio, than some techie sitting in the bushes with a laptop.
There is a strong suspicion that the new Police Tetra radio system can upset car door locks and fancy ignition systems if set up carelessly.
There is probably a Tetra base station at your Police Station.
I don't think I would want a car that unlocked/locked depending on the proximity of a keyfob. I suspect I would soon have a flat battery and worn out locking mechanism, as it is parked just outside the window!
People don't use these kinds of locks because they don't want their car stolen. They use them because they think they're cool. To prevent theft of your car, you pull a spark plug wire when you leave it. If you're really serious, pull the fuel line too. That worked in the old days and I'm sure it works even better nowadays when everybody is a nerd and nobody is a mechanic.
But what will be particularly annoying...
...will be to come back to an emptied car, then have the insurance company monkey tell you that in the absence of any signs of forced entry, it can only be that you forgot to lock it, so it's not their problem.
Lots of car jackings result in the owner being shot even after they have surrendered the vehicle - a simple search will return hundreds of news entries for the U.S. alone.
Criminals don't have to be bright, victims just have to be stupid(er). This pansified country that is the U.S. has turned self-defense into a crime too, so the peasants are afraid to defend themselves.
South Africa is even worse, they don't even count the car jackings that result in murder anymore because it is so common - they even have a thriving industry built around preventing car jacking: http://transportation.frost.com/prod/servlet/market-insight-top.pag?docid=JSAA-5NCK62&ctxixpLink=FcmCtx25&ctxixpLabel=FcmCtx26.
Touch the tip of your key to your head when you press the button. Your melon acts as an antenna and increases the range significantly.
Enter Mexico City.
From midnight to 5am, it is perfectly legal to run red-lights. Why, you may ask? Because standard procedure is that if you see some strange dude coming to your car at a stoplight, you just floor it and take off, no matter what color the stoplight's on.
Carjackings over here very often involve violence, gunshots, or "express kidnappings" consisting in said carjackers taking you for a nice city tour, withdrawing cash from your credit and debit bankcards. Oh, and occasionally you'll get shot even if you do comply.
Dead vulture after getting mugged in the Buenos Aires neighborhood.