back to article Police 'stumped' by car thefts using electronic skeleton key

Police in California have admitted they are baffled by a series of car thefts where robbers use a small hand-held electronic device to unlock supposedly secure car-locking systems. "This is bad in the sense we're stumped," Long Beach deputy police chief David Hendricks told NBC. "We are stumped and we don't know what this …

COMMENTS

This topic is closed for new posts.

Bronze badge

Sonic Screwdriver

Obviously...

52
0

Re: Sonic Screwdriver

This is why you should dead lock the car!

2
0
Paris Hilton

Re: Sonic Screwdriver

Deadlocking won't work if you have a device that can transmit the correct Open Sesame command to the car.

2
1
Bod

Re: Sonic Screwdriver

Need to make the lock out of wood.

3
0
Bronze badge
Holmes

Re: Sonic Screwdriver

I'm an insider and I can tell you exactly what they are doing.

Remote entry keyfobs contain programmed secure microcontrollers that transmit a rolling code sequence to the car. To open the door you need to transmit the next code in the sequence. The system is programmed to take into account missed transmissions, etc.

The thieves used a special keyfob device with a microcontroller programmed to detect and transmit rolling code sequences. It intercepts and stores the rolling code signal from the keyfob to the car, then the device calculates the next sequences of that rolling code so that later it can send that code to the car to unlock the door.

Easy to do if you have inside knowledge of the highly confidential rolling code algorithm. By design this cannot be reverse-engineered - the microcontroller actually self-destructs.

So this means the special device was built and programmed by someone with inside knowledge. This means it's someone from keyfob manufacturers TRW or Bosch. My guess is they are all using Bosch keyfobs.

However, on some cars there is a way to reset the rolling code sequence and start over, no signal interception needed. This requires intense insider knowledge.

Of course, the keyfob manufacturer can't admit that this was done by someone inside their firms, as this would affect their contracts with the car manufacturers which are worth tens of millions of dollars.

There is no defense against this except to deactivate the car's wireless control.

9
4
Coat

Re: Sonic Screwdriver

There are companies that can analyze/reverse-engineer a surprising number of "secure" chips. Here's one, for example:

http://www.flylogic.net/blog/

And, while these guys are legit, there's probably dozens of illegit or university lab students who could/can/are doing the same thing.

Dave

P.S. Yeah, I've got some experience in the computer security field, too. Can't say what exactly, though. ;-)

2
0
Silver badge

I'm an insider and I can tell you exactly what they are doing.

And did you tell the police this?

0
1
Anonymous Coward

Re: I'm an insider and I can tell you exactly what they are doing.

Don't waste your breath Stevie he's talking rubbish. There may well be a rolling code but it still has to be tied to the actual vehicle in some way otherwise a criminal gang could simply hire a BMW, take the fob apart and 'press' the button a few thousand times using a motorised switch, recording the radio code sequence generated each time. If it worked the way BillG claims you'd only have to replay one of the later sequences to open any other BMW.

1
3
Silver badge
Holmes

Re: I'm an insider and I can tell you exactly what they are doing.

"Don't waste your breath Stevie he's talking rubbish."

Did you miss the part where he said "..use a SPECIAL keyfob designed to.."?

Rhetorical question, of course.

1
1
Anonymous Coward

Re: Sonic Screwdriver

Insecure? Easy to hack? Do they run Android Automotive by any chance?

3
4
Bronze badge
Coat

Re: Sonic Screwdriver

There are companies that can analyze/reverse-engineer a surprising number of "secure" chips. Here's one, for example:

These chips can't be reverse-engineered. They will self-destruct if you:

- Clock them too fast

- Clock them too slow

- Expose them to light

- Attempt to probe any inside trace

- Expose them to extremes of heat and temperature

The chips contain false circuits and bogus code routines. And that isn't the half of it!

The gist of it is, it would be cheaper to buy a new car rather than attempt to reverse-engineer these chips.

2
2
Bronze badge
Alert

Re: I'm an insider and I can tell you exactly what they are doing.

There may well be a rolling code but it still has to be tied to the actual vehicle in some way

Exactly. Each keyfob is "seeded" with a code unique to that car/keyfob pair. The seed is transmitted when you press the keyfob button so your car knows it's being addressed, while nearby cars know to ignore your keyfob's transmission.

But the seed isn't transmitted in the clear or separately - it's encrypted as part of the entire transmission sequence. First decryption of the total transmission tells the car yes, it is being addressed. That triggers the second decryption which says open the door or boot, or turn on the lights, activate alarm, etc.

0
1
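The rolling-code behaviour described in the comments above (a per-fob secret, a code that advances on every press, tolerance for missed presses), seen from the receiver's side as an added example that is not part of the thread and not any manufacturer's scheme. It substitutes HMAC-SHA256 for the proprietary cipher and sends the fob id and counter in clear rather than encrypted; the window size, frame layout and keys are assumptions.

```python
import hashlib
import hmac
import struct

WINDOW = 16      # assumed look-ahead for presses the car never heard
TAG_LEN = 8      # assumed truncated MAC length in bytes
HEADER = ">IIB"  # assumed frame header: fob id, counter, command (9 bytes)
CMD_UNLOCK, CMD_LOCK = 1, 2


def _tag(key: bytes, fob_id: int, counter: int, command: int) -> bytes:
    """MAC over the whole header, keyed with the per-fob secret."""
    msg = struct.pack(HEADER, fob_id, counter, command)
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class Fob:
    def __init__(self, fob_id: int, key: bytes):
        self.fob_id, self.key, self.counter = fob_id, key, 0

    def press(self, command: int) -> bytes:
        self.counter += 1  # the code "rolls" on every press, heard or not
        header = struct.pack(HEADER, self.fob_id, self.counter, command)
        return header + _tag(self.key, self.fob_id, self.counter, command)


class Receiver:
    def __init__(self):
        self.paired = {}  # fob_id -> [key, last accepted counter]

    def pair(self, fob: Fob) -> None:
        self.paired[fob.fob_id] = [fob.key, fob.counter]

    def handle(self, frame: bytes) -> str:
        if len(frame) != 9 + TAG_LEN:
            return "malformed"
        fob_id, counter, command = struct.unpack(HEADER, frame[:9])
        entry = self.paired.get(fob_id)
        if entry is None:
            return "not-addressed"   # some other car's fob
        key, last = entry
        expected = _tag(key, fob_id, counter, command)
        if not hmac.compare_digest(frame[9:], expected):
            return "bad-tag"         # sender does not hold this fob's key
        if counter <= last:
            return "replay"          # a recorded frame sent again
        if counter > last + WINDOW:
            return "out-of-window"   # too far ahead, needs resync
        entry[1] = counter
        return "accept"


def demo() -> list:
    """Run constructed frames through one receiver and collect verdicts."""
    fob_a = Fob(0xA1, b"constructed-key-A")  # constructed sample keys
    fob_b = Fob(0xB2, b"constructed-key-B")
    car = Receiver()
    car.pair(fob_a)
    first = fob_a.press(CMD_UNLOCK)
    results = [car.handle(first), car.handle(first)]
    for _ in range(3):                       # presses made out of range
        fob_a.press(CMD_LOCK)
    results.append(car.handle(fob_a.press(CMD_UNLOCK)))
    results.append(car.handle(fob_b.press(CMD_UNLOCK)))
    # Frame claiming to be fob A but tagged with fob B's key.
    forged = struct.pack(HEADER, 0xA1, 6, CMD_UNLOCK) + _tag(
        fob_b.key, 0xA1, 6, CMD_UNLOCK)
    results.append(car.handle(forged))
    return results


if __name__ == "__main__":
    print(demo())
```

The verdicts show the two properties the thread argues about: codes recorded from one fob are useless against a car paired with a different key, and a frame the car has already accepted is rejected when sent again.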
Anonymous Coward

Re: Sonic Screwdriver

Next time I take my car in to Honda (see above) they say they will reprogramme the key.

Which sort of suggests that they are well aware of the issue.

0
0
Bronze badge
FAIL

Re: Sonic Screwdriver

Insecure? Easy to hack? Do they run Android Automotive WindblowZE for Automobiles by any chance?

FTFY!

WindblowZE for Automobiles: "Where do want to crash today!!!"

1
0

Re: Sonic Screwdriver

might not be far off, someone could have recorded enough combinations to sell a fob/key that simply cycles through a rainbow codebook of codes quickly in the hope that one opens a nearby door. Miscreants simply watch the carpark for flashing lights and dive in.

1
1
Anonymous Coward

Re: Sonic Screwdriver

The police are stupid when it comes to many things.

In the UK they are recommending people's locks being changed to this new type. (£75 a lock or something like that).

The person from the fire brigade who does stuff for a council that is to do with locks tested one and could get in within 10 seconds tried to tell the police what a waste of time it was and they basically ignored and kept hassling the council to pay for these new useless locks. I am sure there must be something corrupt about it. I think being a policeman attracts people who are just as bad as the criminals most of the time.

2
1
FAIL

Re: Sonic Screwdriver

There is a defense - stop using security through obscurity. History has told us a thousand times over - It NEVER works. If US defense contractors have had half their secrets spilled with their security budgets, then I'm not going to be the least bit surprised if automotive manufacturers have leaks.

And get the guys creating the "secure" systems talking to those who break them. The former don't think outside the box enough, and the latter are never taken seriously enough, or worse, they're criminalised. The entire industry needs a change of mindset- quite how automotive industries expect a proprietary secret such as a key fob switching algorithm to remain secret for the lifespan of your average car (15 years or so) would be laughable, was it not so serious.

8
0
Bronze badge

Re: Sonic Screwdriver - No surprise

I live near an auto plant, and a friend bought their latest desirable top spec sports model. Within a week it was stolen from his drive. The police told him that, that make's the worst to have round here, the local car thieves knew how to steal them before they came off the production line.

Bring back crook locks and garages with big bolts on the inside.

1
0
Gold badge

Re: Sonic Screwdriver

"I think being a policeman attracts people who are just as bad as the criminals most of the time."

I think you've got that backwards. Being a criminal makes becoming a policeman attractive. Society just has to ensure that there are checks and balances within the police force to spot people who have joined in order to be bent.

0
0
Bronze badge

Re: Sonic Screwdriver - Police

It's a command culture, a Police officer will swear yellow is green if told to by a senior officer, even if it flies in the face of common sense. Policy is policy, the police are not the only organisations that suffer from this blindness, and no policeman is an expert in everything.

1
0
Anonymous Coward

Re: Sonic Screwdriver

BillG,

You don't need to be an insider to say any of what you said; that is all known.

2
0
Anonymous Coward

Re: Sonic Screwdriver @BillG

I remember what BMW said about EWS4 first used in 2007 I think.

BMW

The electronic vehicle immobilizer 4 is an immobilizer system that prevents unauthorized engine start. It was used for the first time in the Car Access System 3 in the E92.

The electronic vehicle immobilizer 4 uses a new, modern encryption system. A 128 bit long secret key is assigned to each vehicle and stored in the BMW database. This secret key is known only to BMW. The secret key is programmed and locked in the Car Access System 3 and in the digital engine management.

Once entered in the control unit, the secret key can no longer be changed, deleted or read. This therefore means that each control unit is assigned to a specific vehicle.

The electronic vehicle immobilizer 4 operates with bidirectional and redundant data transmission. The K-CAN (CAN protocol) and CAS-bus (K-bus protocol) are used for this purpose.

Reprogrammers

- Programming of key is going directly in the ignition lock! No need for additional programmers and preparations of keys!

- Support of latest technologies from BMW:

1) EWS4 Secret Key (new 128-bit synchronization with engine control unit). BMW documentation “says” that no one can read or write it, but we can do it through OBD-II socket! Surprise!

2) SOPT (encryption of keys and synchronizations with engine control unit). Now the keys can be programmed even for encrypted CAS! And even with encrypted EWS4 Secret Key, and now it’s the first software that can do it!

0
0

This post has been deleted by its author

Re: Sonic Screwdriver

Not necessarily insider. Bosch as many others was hacked. Just some china man from "recovered information bureau" probably made some extra money on top of his salary...

0
0

Re: Sonic Screwdriver

@Richard 31

My comment was to the sonic screwdriver comment. If you watch Dr Who you know that the sonic screwdriver cannot open a "Deadlocked" lock

0
0
Anonymous Coward

Re: I'm an insider and I can tell you exactly what they are doing.

@ecofeco

BillG wrote: "special keyfob device ... [that] ... calculates the next sequences of that rolling code so that later it can send that code to the car to unlock the door."

So the only SPECIAL bit is that it acts like a NORMAL keyfob being pressed lots of times. Do please think about what you are reading.

0
0
FAIL

Only a matter of time.

Some things are best left to the old fashioned, manual way that involves physical contact.

Physical access to properties and vehicles.

In-person card purchases.

Networking.

Password storage in a well guarded, coded book, instead of password vaults on a computer.

To name but a few.

7
1
Devil

Re: Only a matter of time.

"Physical access" involves tumblers and keys. Those haven't ever been secure. Leave aside the practice of key bumping, there are so many ways to circumvent physical locks.

9
1
Silver badge

Re: Only a matter of time.

"Physical access" involves tumblers and keys. Those haven't ever been secure. Leave aside the practice of key bumping, there are so many ways to circumvent physical locks.

Tumblers are often relatively easy to deal with, but the older lever locks are not. Yes, the cheap skeleton door keys are a joke, but even a very old 5 lever lock can be difficult, and/or time consuming to open. Of course there's a phobia for using old technology so that's out, along with anything that doesn't have fashion value. The bottom line is that there is no cure for car thieves - except driving a junker.

11
0
Stop

Re: Only a matter of time.

You don't want foolproof security on your car, otherwise you just get creeper burglaries* instead which happens a fair bit now anyway, at least here in NI it does.

I believe there's also been an increase in car-jackings over the years as car security has improved.

------------------------------------------------------------

* If you don't know what a creeper burglary is:

It's easier to break into your house than your car. So they break into the house and look for the keys. So if you hide your keys? On occasion, if they really want your car, they'll boil the kettle and then bring it upstairs. They'll wake you up, hold the kettle over your head, and demand your keys.

I'd rather they took my car than poured a kettle of boiling water over my head.

6
0
Silver badge
Thumb Up

Re: Only a matter of time.

My Aunt's junker was stolen once. She found it abandoned 50m up the road!

1
0
Silver badge

Re: Only a matter of time.

""Physical access" involves tumblers and keys."

No it doesn't. Think I2C single-wire protocols. They only work when actual electrical contact is made (i.e. with the car body or door handle or a metal panel somewhere), do not transmit anything over RF (beyond electrical noise), and yet can transmit data (and power) back and forth. Then that can be used to activate car central locking.

Or, hell, even the old Ford keys (though hackable in their current form) use this. The key is a blank, really, and relies on the chip inside it to negotiate over the metal connection of the key to the ignition / door and unlock the central locking. The "key" itself does nothing but turn the lock, but there's no reason it needs to do that at all, once the communication is working (I think that was left in to make people think it was still a "secure" key... fact is that a dead key, even for the right car, is like poking a stick into the lock - no tumblers are going to move and nothing is going to open)

This has been done. Implementations of it have been hacked. But the fact is that you COULDN'T open the door without touching the car, and you couldn't tell what the car was communicating with without somehow being in the path of that electrical connection (not down the street with a radio scanner).

But people seem to want RF remote connections, despite the fact that they have to then touch the door to open it anyway.

6
0
Bronze badge

Re: Only a matter of time.

>You don't want foolproof security on your car

For your average car, you want good enough security, so that there is a good chance the car is still there when you get back to it, but also if it does go missing you want to know that it is unlikely to re-appear any time soon and so the insurance will pay out.

0
0
Anonymous Coward

Re: Only a matter of time.

They'll wake you up, hold the kettle over your head, and demand your keys.

Do you know how quickly some people can bolt right up out of bed and shove the creep along with a faceful of boiling water all over the back wall of the bedroom?

I'm going to love it when that happens the first time, if it hasn't already. I hope it ends up on Youtube.

2
3

Re: Only a matter of time.

Are you from South Africa?

6
0
Anonymous Coward

Re: Only a matter of time.

So why don't people have remotes for their homes to open the door? (with a key backup of course).

What has happened is over time the car makers decided to forget trying to make a car more difficult to get into and focus on making the car impossible to start without the right key.

There are two reasons why people want to get into your car, 1. Steal contents, 2. Steal car. Most people don't leave anything valuable in their car these days.

So the immobiliser has been very useful in stopping cars from being stolen. It stopped hotwiring or mechanical lock picking/bypass as the way to steal cars. But all this has done is force the car thieves to change tactics, so they now look for more hi-tech solutions (or carjack).

What seems to be the problem is there is obviously some dealership backdoors or tricks that are known about. Just like I remember hearing how you could bypass password security on laptops by connecting a few pins together on the parallel port (a reset procedure).

0
0

Re: Only a matter of time.

I have a remote to open my front door

http://www.yale.co.uk/en/yale/couk/ProductsDB/?groupId=4292&productId=59002

0
0

Re: Only a matter of time.

Wondering about which time warp you fell through regarding locks and cars, the shitty wafer locks are long gone.

It isn't a lock problem it's a nature of cars problem, they have windows, doors made of folded sheet metal and often a fabric roof. 'Tumblers are easy to deal' what a glorious almost politician like generalisation with well lets see you deal with an Assa Flexcore with anything other than a power drill or breaking the door in question

In the UK immobilizers have been compulsory for years (and most of Europe) unless you have something very old (or shit) nobody is stealing it unless they have the keys or something that attaches to the management port and even then it's only for entry (unless they have fucked up real bad)

Even Ford started using the Tribbe system in the early 90s, yeah you can punch the lock out but the immobiliser stops the car from moving (as I suffered back in 95 but the car didn't move)

If a car hasn't an alarm then they just spread the door, it's the work of seconds, but the car is still not going anywhere (if it has an immobiliser)

Hence you end up with a house break in and potential torture (as described by another comment)

A fair example of the tools available for car entry are shown here http://shop.multipick-service.com/?language=en and you will find that the electronic options are limited to particular mfgr / mode / and date of manufacture

0
3
Bronze badge
Thumb Up

Re: Only a matter of time.

Well I don’t know, I'm sure I remember hearing about the South African car alarms that included flame throwers, and then you have James Bond's BMW that electrocuted would-be thieves (Tomorrow Never Dies I think, the one where he drives it using his phone), funny how the real life instance of the protection is much more scary, stupid and ridiculous than the one they thought only James Bond could have

1
0
Bronze badge
Unhappy

Re: Only a matter of time.

I always thought there were more car thefts in NI because PSNI landrovers can’t go round corners fast, or for that matter in straight lines fast, I assumed it had gone down now they use Astra’s and only pull out the landrovers in July.

My dad tells a story of noticing a burning car during one of the usual spots of bother back in the 70s, and ringing my nan to confirm that yes, his car was no longer parked outside her house.

0
0

This post has been deleted by its author

Anonymous Coward

Re: Only a matter of time.

Ahhh the old "South Africans have flame throwers" chestnut.

1. It was not linked to the alarm. It was a manual anti-hijack device.

2. It was not a flame thrower. It was gas-driven and ignited a squirt of gas (not gasoline, but actual gas) to scare off the attacker.

3. It was an experimental design that did not pass legal muster, so it certainly is not in use.

0
0
Bronze badge
Mushroom

Re: SP

Just had a quick Google

1) Yep, manual anti-hijack device, not car alarm

2) “The Blaster was a liquefied petroleum gas flamethrower installed along the sides of the vehicle under the doors.” - http://en.wikipedia.org/wiki/Blaster_(flamethrower)

3) It was legal, but demand was low and the cost too high so it was discontinued.

0
0
Silver badge
Thumb Up

@Lee D Re: Only a matter of time.

Wish I could upvote that a hundred times over. Why, why, WHY do people see any advantage in a wireless "key" rather than a contact "key"? Same as paying more for notebooks lacking a wired network socket, I guess.

Driving a junker works well. Someone recently radio-unlocked my 12-year-old car - presumably the tech to break 12-year-old radio security is now available for less than the cost of a new key? Anyway, they couldn't find anything much worth stealing, neither car nor contents.

0
0
Silver badge
Pint

@masterdebate

Those haven't ever been secure.

Apart from the issue of different available locks (as mentioned by others) there is another aspect to consider. Making a mold from a car lock will be a lot more suspicious than simply trying to pick up electronic signals using a "blackbox".

Or: "Uhm, I lost my keys and the assurance doesn't cover it, so I'm trying to make a duplicate key?"

vs.: "Yeah, coverage is a biatch these days; I can hardly get any signal here, that's why I'm standing so close to your car sir.".

0
0
Anonymous Coward

Multi layered security

Like good IT security, cars should have multiple systems. Some of the South African anti car jacking systems are very handy. Also include a tracker. The more systems you have the less likely they'll bother. Remember loss of a car is still a hassle even if you are insured.

0
0
Silver badge

I'd rather they took my car than poured a kettle of boiling water over my head.

Anyone trying to carry a kettle of boiling water through our house in the dark is risking a broken leg *and* a self scalding.

Besides, I challenge anyone to get the controls on that never-to-be-sufficiently-damned cooker right first time by moonlight, and the leaky kitchen faucet aerator will spray water all over them. Also: our kettle is like unto a bell. Filling it is not a silent process. God help the poor bastard if he wakes the wife before me.

A thought occurs (ow!). Why not forestall this grisly scenario that troubles you so much by simply alarming your kettle in some way?

Or replacing your real kettle with one with holes in it so the Headboiling Burglar of Olde Londone Towne ends up leaving in disgust (and possibly wet clothes)?

Or hiding your real kettle and leaving another with a snake sleeping inside it (and holes in case the burglar susses that the snake isn't venomous)?

Or hiding your real kettle and replacing it with one housing one of those disgusting plate-sized spiders, so the burglar will awaken you with his unmanly shrieks of terror? Add holes for backup fun.

Or hiding your real kettle and replacing it with one with the insulating stuff removed from the handle so the burglar will burn his hand when he picks it up, again alerting you with his shrieks of agony (bonus scalding if he drops the kettle here)?

Or hiding your real kettle and replacing it with one with a hole drilled in the bottom that you fill with a gallium plug so the burglar fills the kettle, boils it only to have the water flood all over the place?

Or hiding your real kettle and replacing it with one fitted with an internal steel reed whistle (like the ones you can get to ram up your neighbour's car's exhaust pipe) so the whole house is alerted to a headboiling in progress?

Or hiding your only kettle eg in the fridge and have one high-level kitchen cabinet rigged to drop noisy cans, small bells, whatever you have onto the person who opens it? Rig is simple on an Ikea-style cabinet. You remove the shelf and the little pin bracket thingy from each side. Drill through the cabinet so the pin thingy hole is a through-hole. Insert nail through hole from outside, replace shelf and load with light but resonant crap. close door (reinforce latch with rare earth magnets for best effect). with door held closed, remove nail to drop shelf front and load door with crapolanch-in-waiting. Warn family.

I came up with these in about a minute and they are all doable with stuff I can get easily.

7
1
Anonymous Coward

Re: SP

And I guess the locals didn't look too much different after a blast or two....

0
0
Silver badge

Re: I'd rather they took my car than poured a kettle of boiling water over my head.

So, Stevie, how are you going to guard the iron? The waffle-iron? The cast-iron skillet? The 8" chef's knife? The scissors? The screwdrivers? The wine/beer bottles? The hair curler? The knitting needle? The fireplace poker? Etc?

I could have shot the one intruder we have had here at chez jake, but when I got down to the kitchen, where he was, instead I calmly put down my Kimber & picked up the phone & called the non-emergency police line. When they arrived, I called off the dogs & he was transported to the hospital to stop the bleeding (and bleating, I might add!), and then on to booking & jail time. Stupidity should hurt! ;-)

Dogs are Gawd/ess's gift to humanity.

0
1
Silver badge

Re: Only a matter of time.

> My Aunt's junker was stolen once. She found it abandoned 50m up the road!

I hope that was a written apology and a box of chocolates on the driver's seat!

0
0
