back to article Police 'stumped' by car thefts using electronic skeleton key

Police in California have admitted they are baffled by a series of car thefts where robbers use a small hand-held electronic device to unlock supposedly secure car-locking systems. "This is bad in the sense we're stumped," Long Beach deputy police chief David Hendricks told NBC. "We are stumped and we don't know what this …

COMMENTS

This topic is closed for new posts.

Page:

  1. Frumious Bandersnatch Silver badge

    Sonic Screwdriver

    Obviously...

    1. Babbit55

      Re: Sonic Screwdriver

      This is why you should dead lock the car!

      1. Richard 31
        Paris Hilton

        Re: Sonic Screwdriver

        Deadlocking won't work if you have a device that can transmit the correct Open Sesame command to the car.

        1. Anonymous Coward
          Anonymous Coward

          Re: Sonic Screwdriver

          Insecure? Easy to hack? Do they run Android Automotive by any chance?

          1. Fatman Silver badge
            FAIL

            Re: Sonic Screwdriver

            Insecure? Easy to hack? Do they run Android Automotive WindblowZE for Automobiles by any chance?

            FTFY!

            WindblowZE for Automobiles: "Where do want to crash today!!!"

        2. Babbit55

          Re: Sonic Screwdriver

          @Richard 31

          My comment was to the sonic screwdriver comment. If you watch Dr Who you know that the sonic screwdriver cannot open a "Deadlocked" lock

    2. Bod

      Re: Sonic Screwdriver

      Need to make the lock out of wood.

    3. BillG Silver badge
      Holmes

      Re: Sonic Screwdriver

      I'm an insider and I can tell you exactly what they are doing.

      Remote entry keyfobs contain programmed secure microcontrollers that transmit a rolling code sequence to the car. To open the door you need to transmit the next code in the sequence. The system is programmed to take into account missed transmissions, etc.

      They thieves used a special keyfob device with a microcontroller programmed to detect and transmit rolling code sequences. It intercepts and stores the rolling code signal from the keyfob to the car, then the device calculates the next sequences of that rolling code so that later it can send that code to the car to unlock the door.

      Easy to do if you have inside knowledge of the highly confidential rolling code algorithm. By design this cannot be reverse-engineered - the microcontroller actually self-destructs.

      So this means the special device was built and programmed by someone with inside knowledge. This means it's someone from keyfob manufacturers TRW or Bosch. My guess is they are all using Bosch keyfobs.

      However, on some cars there is a way to reset the rolling code sequence and start over, no signal interception needed. This requires intense insider knowledge.

      Of course, the keyfob manufacturer can't admit that this was done by someone inside their firms, as this would affect their contracts with the car manufacturers which are worth tens of millions of dollars.

      There is no defense against this except to deactivate the cars wireless control.

      1. Dave 32
        Coat

        Re: Sonic Screwdriver

        There are companies that can analyze/reverse-engineer a surprising number of "secure" chips. Here's one, for example:

        http://www.flylogic.net/blog/

        And, while these guys are legit, there's probably dozens of illegit or university lab students who could/can/are doing the same thing.

        Dave

        P.S. Yeah, I've got some experience in the computer security field, too. Can't say what exactly, though. ;-)

        1. BillG Silver badge
          Coat

          Re: Sonic Screwdriver

          There are companies that can analyze/reverse-engineer a surprising number of "secure" chips. Here's one, for example:

          These chips can't be reverse-engineered. They will self-destruct if you:

          - Clock them too fast

          - Clock them too slow

          - Expose them to light

          - Attempt to probe any inside trace

          - Expose them to extremes of heat and temperature

          The chips contain false circuits and bogus code routines. And that isn't the half of it!

          The gist of it is, it would be cheaper to buy a new car rather than attempt to reverse-engineer these chips.

          1. Anonymous Coward
            Anonymous Coward

            Re: Sonic Screwdriver @BillG

            I remember what BMW said about EWS4 first used in 2007 I think.

            BMW

            The electronic vehicle immobilizer 4 is an immobilizersystem that prevents unauthorized

            engine start. It was used for the first time in the Car Access System 3 in the E92.

            The electronic vehicle immobilizer 4 uses a new, modern encryption system. A 128 bit

            long secret key is assigned to each vehicle and stored in the BMW database. This secret

            key is kno wn onlyto BMW. The secret key is programmed and locked in the Car Access

            System 3 and in the digital engine management.

            Once entered in the control unit, the secret key can no longer be changed, deleted or

            read. This therefore means that each control unit is assigned to a specific vehicle.

            The electronic vehicle immobilizer 4 operates with bidirectional and redundant data

            tr ansmission. The K-C AN (CAN prot ocol) and C AS-bus (K-bus protocol) are used for this

            purpose.

            Reprogrammers

            - Programming of key is going directly in the ignition lock! No need for

            additional programmers and preparations of keys!

            - Support of latest technologies from BMW:

            1) EWS4 Secret Key (new 128-bit synchronization with engine control unit).

            BMW documentation “says” that noone can read or write it, but we can do it

            through OBD-II socket! Surprise!

            2) SOPT (encryption of keys and synchronizations with engine control unit).

            Now the keys can be programmed even for encrypted CAS! And even with

            encrypted EWS4 Secret Key, and now it’s the first software that can do it!

      2. Stevie Silver badge

        I'm an insider and I can tell you exactly what they are doing.

        And did you tell the police this?

        1. Anonymous Coward
          Anonymous Coward

          Re: I'm an insider and I can tell you exactly what they are doing.

          Don't waste your breath Stevie he's talking rubbish. There may well be a rolling code but it still has to be tied to the actual vehicle in some way otherwise a criminal gang could simple hire a BMW, take the fob apart and 'press' the button a few thousand times using a motorised switch, recording the radio code sequence generated each time. If it worked the way BillG claims you'd only have to replay one of the later sequences to open any other BMW.

          1. ecofeco Silver badge
            Holmes

            Re: I'm an insider and I can tell you exactly what they are doing.

            "Don't waste your breath Stevie he's talking rubbish."

            Did you miss the part where he said "..use a SPECIAL keyfob designed to.."?

            Rhetorical question, of course.

            1. Anonymous Coward
              Anonymous Coward

              Re: I'm an insider and I can tell you exactly what they are doing.

              @ecofeco

              BillG wrote: "special keyfob device ... [that] ... calculates the next sequences of that rolling code so that later it can send that code to the car to unlock the door."

              So the only SPECIAL bit is that it acts like a NORMAL keyfob being pressed lots of times. Do please think about what you are reading.

          2. BillG Silver badge
            Alert

            Re: I'm an insider and I can tell you exactly what they are doing.

            There may well be a rolling code but it still has to be tied to the actual vehicle in some way

            Exactly. Each keyfob is "seeded" with a code unique to that car/keyfob pair. The seed is transmitted when you press the keyfob button so your car knows it's being addressed, while nearby cars know to ignore your keyfob's transmission.

            But the seed isn't transmitted in the clear or separately - it's encrypted as part of the the entire transmission sequence. First decryption of the total transmission tells the car yes, it is being addressed. That triggers the second decryption which says open the door or boot, or turn on the lights, activate alarm, etc.

            1. This post has been deleted by its author

      3. Anonymous Coward
        Anonymous Coward

        Re: Sonic Screwdriver

        Next time I take my car in to Honda (see above) they say they will reprogramme the key.

        Which sort of suggests that they are well aware of the issue.

      4. Anonymous Coward
        Anonymous Coward

        Re: Sonic Screwdriver

        The police are stupid when it comes to many things.

        In the UK they are recommending peoples locks being changed to this new type. (£75 a lock or something like that).

        The person from the fire brigage who does stuff for a council that is to do with locks tested one and could get in within 10 seconds tried to tell the police what a waste of time it was and they basically ignored and kept hassling the council to pay for these new useless locks. I am sure there must be something corrupt about it. I think being a policeman attracts people who are just as bad as the criminals most of the time.

        1. Ken Hagan Gold badge

          Re: Sonic Screwdriver

          "I think being a policeman attracts people who are just as bad as the criminals most of the time."

          I think you've got that backwards. Being a criminal makes becoming a policeman attractive. Society just has to ensure that there are checks and balances within the police force to spot people who have joined in order to be bent.

        2. Otto is a bear.

          Re: Sonic Screwdriver - Police

          It's a command culture, a Police officer will swear yellow is green it told to by a senior officer, even if it flies in the face of common sense. Policy is policy, the police are not the only organisations that suffer from this blindness, and no policeman is an expert in everything.

      5. Brenda McViking
        FAIL

        Re: Sonic Screwdriver

        There is a defense - stop using security through obscurity. History has told us a thousand times over - It NEVER works. If US defense contractors have had half their secrets spilled with their security budgets, then I'm not going to be the least bit surprised if automotive manufacturers have leaks.

        And get the guys creating the "secure" systems talking to those who break them. The former don't think outside the box enough, and the latter are never taken seriously enough, or worse, they're criminalised. The entire industry needs a change of mindset- quite how automotive industries expect a proprietary secret such as a key fob switching algorithm to remain secret for the lifespan of your average car (15 years or so) would be laughable, was it not so serious.

      6. Otto is a bear.

        Re: Sonic Screwdriver - No surprise

        I live near an auto plant, and a friend bought their latest desirable top spec sports model. Within a week it was stolen from his drive. The police told him that, that make's the worst to have round here, the local car thieves knew how to steal them before they came off the production line.

        Bring back crook locks and garages with big bolts on the inside.

      7. Anonymous Coward
        Anonymous Coward

        Re: Sonic Screwdriver

        BillG,

        You don't need to be an insider to say any of what you said; that is all known.

      8. scud

        Re: Sonic Screwdriver

        Not necessarily insider. Bosh as many others was hacked. Just some china man from "recovered information bureau" probably made some extra money on top of his salary...

    4. Caff

      Re: Sonic Screwdriver

      might not be far off, someone could have recorded enough combinations to sell a fob/key that simply cycles through a rainbow codebook of codes quickly in the hope that one opens a nearby door. Miscreants simply watch the carpark for flashing lights and dive in.

  2. Gert Leboski
    FAIL

    Only a matter of time.

    Some things are best left to the old fashioned, manual way that involves physical contact.

    Physical access to properties and vehicles.

    In-person card purchases.

    Networking.

    Password storage in a well guarded, coded book, instead of password vaults on a computer.

    To name but a few.

    1. masterdebate
      Devil

      Re: Only a matter of time.

      "Physical access" involves tumblers and keys. Those haven't ever been secure. Leave aside the practice of key bumping, there are so many ways to circumvent physical locks.

      1. Ole Juul Silver badge

        Re: Only a matter of time.

        "Physical access" involves tumblers and keys. Those haven't ever been secure. Leave aside the practice of key bumping, there are so many ways to circumvent physical locks.

        Tumblers are often relatively easy to deal with, but the older lever locks are not. Yes, the cheap skeleton door keys are a joke, but even a very old 5 lever lock can be difficult, and/or time consuming to open. Of course there's a phobia for using old technology so that's out, along with anything that doesn't have fashion value. The bottom line is that there is no cure for car thieves - except driving a junker.

        1. I like noodles
          Stop

          Re: Only a matter of time.

          You don't want foolproof security on your car, otherwise you just get creeper burglaries* instead which happens a fair bit now anyway, at least here in NI it does.

          I believe there's also been an increase in car-jackings over the years as car security has improved.

          ------------------------------------------------------------

          * If you don't know what a creeper burglary is:

          It's easier to break into your house than your car. So they break into the house and look for the keys. So if you hide your keys? On occasion, if they really want your car, they'll boil the kettle and then bring it upstairs. They'll wake you up, hold the kettle over your head, and demand your keys.

          I'd rather they took my car than poured a kettle of boiling water over my head.

          1. Roland6 Silver badge

            Re: Only a matter of time.

            >You don't want foolproof security on your car

            For your average car, you want good enough security, so that there is a good chance the car is still there when you get back to it, but also if it does go missing you want to know that it is unlikely to re-appear any time soon and so the insurance will pay out.

          2. Anonymous Coward
            Anonymous Coward

            Re: Only a matter of time.

            They'll wake you up, hold the kettle over your head, and demand your keys.

            Do you know how quickly some people can bolt right up out of bed and shove the creep along with a faceful of boiling water all over the back wall of the bedroom?

            I'm going to love it when that happens the first time, if it hasn't already. I hope it ends up on Youtube.

          3. The Vociferous Time Waster

            Re: Only a matter of time.

            Are you from South Africa?

            1. This post has been deleted by its author

          4. Maharg
            Unhappy

            Re: Only a matter of time.

            I always thought there were more car thefts in NI because PSNI landrovers can’t go round corners fast, or for that matter in straight lines fast, I assumed it had gone down now they use Astra’s and only pull out the landrovers in July.

            My dad tells a story of noticing a burning car during one of the usual spots of bother back in the 70s, and ringing my nan to confirm that yes, his car was no longer parked outside her house.

          5. Stevie Silver badge

            I'd rather they took my car than poured a kettle of boiling water over my head.

            Anyone trying to carry a kettle of boiling water through our house in the dark is risking a broken leg *and* a self scalding.

            Besides, I challenge anyone to get the controls on that never-to-be-sufficiently-damned cooker right first time by moonlight, and the leaky kitchen faucet aerator will spray water all over them. Also: our kettle is like unto a bell. Filling it is not a silent process. God help the poor bastard if he wakes the wife before me.

            A thought occurs (ow!). Why not forestall this grisly scenario that troubles you so much by simply alarming your kettle in some way?

            Or replacing your real kettle with one with holes in it so the Headboiling Burglar of Olde Londone Towne ends up leaving in disgust (and possibly wet clothes)?

            Or hiding your real kettle and leaving another with a snake sleeping inside it (and holes in case the burglar susses that the snake isn't venomous)?

            Or hiding your real kettle and replacing it with one housing one of those disgusting plate-sized spiders, so the burglar will awaken you with his unmanly shrieks of terror? Add holes for backup fun.

            Or hiding your real kettle and replacing it with one with the insulating stuff removed from the handle so the burglar will burn his hand when he picks it up, again alerting you with his shrieks of agony (bonus scalding if he drops the kettle here)?

            Or hiding your real kettle and replacing it with one with a hole drilled in the bottom that you fill with a gallium plug so the burglar fills the kettle, boils it only to have the water flood all over the place?

            Or hiding your real kettle and replacing it with one fitted with an internal steel reed whistle (like the ones you can get to ram up your neighbour's car's exhaust pipe) so the whole house is alerted to a headboiling in progress?

            Or hiding your only kettle eg in the fridge and have one high-level kitchen cabinet rigged to drop noisy cans, small bells, whatever you have onto the person who opens it? Rig is simple on an Ikea-style cabinet. You remove the shelf and the little pin bracket thingy from each side. Drill through the cabinet so the pin thingy hole is a through-hole. Insert nail through hole from outside, replace shelf and load with light but resonant crap. close door (reinforce latch with rare earth magnets for best effect). with door held closed, remove nail to drop shelf front and load door with crapolanch-in-waiting. Warn family.

            I came up with these in about a minute and they are all doable with stuff I can get easily.

            1. jake Silver badge

              Re: I'd rather they took my car than poured a kettle of boiling water over my head.

              So, Stevie, how are you going to guard the iron? The waffle-iron? The cast-iron skillet? The 8" chef's knife? The scissors? The screwdrivers? The wine/beer bottles? The hair curler? The knitting needle? The fireplace poker? Etc?

              I could have shot the one intruder we have had here at chez jake, but when I got down to the kitchen, where he was, instead I calmly put down my Kimber & picked up the phone & called the non-emergency police line. When they arrived, I called off the dogs & he was transported to the hospital to stop the bleeding (and bleating, I might add!), and then on to booking & jail time. Stupidity should hurt! ;-)

              Dogs are Gawd/ess's gift to humanity.

              1. Steve Mann

                Re: I'd rather they took my car than poured a kettle of boiling water over my head.

                "So, Stevie, how are you going to guard the iron? The waffle-iron? The cast-iron skillet? The 8" chef's knife? The scissors? The screwdrivers? The wine/beer bottles? The hair curler? The knitting needle? The fireplace poker? Etc?"

                The iron is in the basement o' crap, good luck finding it since none of us have seen it in months.

                Waffle iron broke and was tossed.

                The scissors are always AWOL but on the off chance the bloody kid put 'em back in the drawer she undoubtedly put 'em back open with the points sticking out. If my experience is anything to go by the screaming of the pig-stuck burglar will alert us.

                If he opens the cupboard with the hair care electronics in it he will precipitate a crapolanche the likes of which hasn't been seen since that mountain in Iceland blew up.

                The beer and wine is in the basement: see comments re: iron.

                No-one knits in this house.

                We don't have a fireplace.

                The etc? is a problem but I feel up to the task of defeating anyone with my own counter etc? etc?

                Which leaves the 8" kitchen knife. My only hope is that he will knock over the butcherblock because he will have a leaky snake-filled kettle in one hand. I always do when trying to get a cutting implement one-handed.

                In all fairness I feel you are being disingenuous. The specific fear here was the Headboiling Intruder and I have shown how to deal with him.

                In point of fact anyone entering the Steviemanse will be deafened by the alarm system, designed for maximum disorientation and annoyance. Unless they have the power to ghost through walls.

                Then I'm f*cked.

            2. JeffyPooh Silver badge
              Pint

              Re: I'd rather they took my car than poured a kettle of boiling water over my head.

              Our household has some that are up until as late (early?) as 6 am, and others that wake up at about 5 am (roughly). Most of the time there's no gap. Odds are high that it would end very badly for any late night 'creepers', especially if they ran into Grandpa in the wee hours (raised in the jungles of Asia, wrestles carabao, juggles knives, etc.).

        2. LaeMing Silver badge
          Thumb Up

          Re: Only a matter of time.

          My Aunt's junker was stolen once. She found it abandoned 50m up the road!

          1. Destroy All Monsters Silver badge

            Re: Only a matter of time.

            > My Aunt's junker was stolen once. She found it abandoned 50m up the road!

            I hope that was a written apology and a box of chocolates on the driver's seat!

        3. Rob Crawford

          Re: Only a matter of time.

          Wondering about which time warp you fell through regarding locks and cars, the shitty wafer locks are long gone.

          It isn't a lock problem it's a nature of cars problem, they have windows, doors made of folded sheet metal and often a fabric roof. 'Tumblers are easy to deal' what a glorious almost politician like generalisation with well lets see you deal with an Assa Flexcore with anything other than a power drill or breaking the door in question

          In the UK immobilizers have been compulsory for years (and most of Europe) unless you have something very old (or shit) nobody is stealing it unless they have the keys or something that attaches to the management port and even then it's only for entry (unless they have fucked up real bad)

          Even Ford started using the Tribbe system in the early 90s, yeah you can punch the lock out but the immobiliser takes stops the car from moving (as I suffered back in 95 but the car didn't move)

          If a car hasn't an alarm then they just spread the door, it's the work of seconds, but the car is still not going anywhere (if it has an immobiliser)

          Hence you end up with a house break in and potential torture (as described by another comment)

          A fair example of the tools available for car entry are shown here http://shop.multipick-service.com/?language=en and you will find that the electronic options are limited to particular mfgr / mode / and date of manufacture

        4. Maharg
          Thumb Up

          Re: Only a matter of time.

          Well I don’t know, I sure I remember hearing about the South African car alarms that included flame throwers, and then you have James Bonds BMW that electrocuted would be thieves (Tomorrow never Dies I think, the one where he drives it using his phone), funny how the real life instance of the protection is much more scary, stupid and ridiculous then the one they thought only James Bond could have

          1. Anonymous Coward
            Anonymous Coward

            Re: Only a matter of time.

            Ahhh the old "South Africans have flame throwers" chestnut.

            1. It was not linked to the alarm. It was a manual anti-hijack device.

            2. It was not a flame thrower. It was gas-driven and ignited a squirt of gas (not gasoline, but actual gas) to scare off the attacker.

            3. It was an experimental design that did not pass legal muster, so it certainly is not in use.

            1. Maharg
              Mushroom

              Re: SP

              Just had a quick Google

              1) Yep, manual anti-highjack device, not car alarm

              2) “The Blaster was a liquefied petroleum gas flamethrower installed along the sides of the vehicle under the doors.” - http://en.wikipedia.org/wiki/Blaster_(flamethrower)

              3) It was legal, but demand was low and the cost to high so it was discontinued.

              1. Anonymous Coward
                Anonymous Coward

                Re: SP

                And I guess the locals didn't look too much different after a blast or two....

            2. Anonymous Coward
              Anonymous Coward

              Re: certainly not in use

              Not caring if it's legal or not, a friend's spouse fits them to cars in his commercial garage. Yes, it is the manual kind that you use when you are being car jacked to light ignite the attacker.

      2. Lee D Silver badge

        Re: Only a matter of time.

        ""Physical access" involves tumblers and keys."

        No it doesn't. Think I2C single-wire protocols. They only work when actual electrical contact is made (i.e. with the car body or door handle or a metal panel somewhere), do not transmit anything over RF (beyond electrical noise), and yet can transmit data (and power) back and forth. Then that can be use to activate car central locking.

        Or, hell, even the old Ford keys (though hackable in their current form) use this. The key is a blank, really, and relies on the chip inside it to negotiate over the metal connection of the key to the ignition / door and unlock the central locking. The "key" itself does nothing but turn the lock, but there's no reason it needs to do that at all, once the communication is working (I think that was left in to make people think it was still a "secure" key... fact is that a dead key, even for the right car, is like poking a stick into the lock - no tumblers are going to move and nothing is going to open)

        This has been done. Implementations of it have been hacked. But the fact is that you COULDN'T open the door without touching the car, and you couldn't tell what the car was communicating with without somehow being in the path of that electrical connection (not down the street with a radio scanner).

        But people seem to want RF remote connections, despite the fact that they have to then touch the door to open it anyway.

        1. Nigel 11
          Thumb Up

          @Lee D Re: Only a matter of time.

          Wish I could upvote that a hundred times over. Why, why, WHY do people see any advantage in a wireless "key" rather than a contact "key"? Same as paying more for notebooks lacking a wired network socket, I guess.

          Driving a junker works well. Someone recently radio-unlocked my 12-year-old car - presumably the tech to break 12-year-old radio security is now available for less than the cost of a new key? Anyway, they couldn't find anything much worth stealing, neither car nor contents.

      3. Anonymous Coward
        Anonymous Coward

        Re: Only a matter of time.

        So why don't people have remotes for their homes to open the door? (with a key backup of course).

        What has happened is over time the car makers decided to forget trying to make a car more difficult to get into and focus on making the car impossible to start without the right key.

        There are two reasons why people want to get into your car, 1. Steal contents, 2. Steal car. Most people don't leave anything valuable in their car these days.

        So the immobiliser has been very useful in stopping cars from being stolen. It stopped hotwiring or mechanical lock picking/bypass as the way to steal cars. But all this has done is force the car thieves to change tactics, so they now look for more hi-tech solutions (or carjack).

        What seems to be the problem is there is obviously some dealership backdoors or tricks that are known about. Just like I remember hearing how you could bypass password security on laptops by connecting a few pins together on the parallel port (a reset procedure).

Page:

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019