
Police admit they're 'stumped' by mystery car thefts - thedoctor
http://www.today.com/news/police-admit-theyre-stumped-mystery-car-thefts-6C10169993
======
mindcrime
What's the big mystery here? There have been published articles on the ease of
hacking car remotes (and even the onboard electronics) going back at least a
couple of years. For example:

[http://content.usatoday.com/communities/driveon/post/2011/01...](http://content.usatoday.com/communities/driveon/post/2011/01/car-theives-can-eaisly-hack-remote-keyless-systems-swiss-research-discovers/1#.Ua9oK-lMY7w)

[http://www.schneier.com/blog/archives/2012/07/hacking_bmws_r...](http://www.schneier.com/blog/archives/2012/07/hacking_bmws_re.html)

[http://reviews.cnet.com/8301-13746_7-20085131-48/remote-unlo...](http://reviews.cnet.com/8301-13746_7-20085131-48/remote-unlock-and-start-for-cars-hacked/)

[http://news.consumerreports.org/cars/2011/03/researchers-car...](http://news.consumerreports.org/cars/2011/03/researchers-cars-electronics-can-be-hacked-remotely.html)

Here's a video (with no commentary, unfortunately) that shows someone who has
apparently decoded the signals from a car remote and is using the remote and
an Arduino to toggle some LEDs:

<http://www.youtube.com/watch?v=doELL4g4cS0>

I have little doubt that there are hackers out there who can easily build a
device to remotely unlock / start cars that use keyless entry. In fact, I'd be
far more surprised if there weren't.

Edit: to elaborate... when I say "What's the big mystery" I'm referring to a
notion, which I interpreted from the article (rightly or wrongly), that people
are totally unaware that this kind of thing is even conceptually possible. I
don't claim to know the exact exploit or mechanism being used here! Just
pointing out that this general class of attacks isn't something totally
foreign and unknown.

~~~
Glyptodon
If they were using key reprogramming/hacking there's no reason to 'always use'
the passenger side front door as claimed in the video. So I don't think it's
clear that these thieves are using any of those techniques.

I imagine it might be stupider, like maybe there's a way to induce the unlock
button or motor to trigger via induction or something. Though I'm pretty
poorly informed about that kind of thing scientifically and am likely
completely wrong.

~~~
michael_h
I would assume that they use the passenger side front door because that is
where the storage compartment is located.

~~~
adammil
They use the passenger side door because it's the one facing the sidewalk.

------
mindcrime
I was intrigued by their mention of this "Jim Stickley" who was cited as a top
security expert. I had never heard of him before, so did a quick search to
find out a little more about him. He seems to be a pretty legit and well known
security guy[1], but it surprises me that he said:

 _This is really frustrating because clearly they've figured out something
that looks really simple and whatever it is they're doing, it takes just
seconds to do," Stickley said. "And you look and you go, 'That should not be
possible._

Considering, again, that there has been published research on this topic, and
a presentation at Black Hat, revealing that (at least some) cars are
vulnerable.

Honestly, I feel like the reporter on this article should have done a bit more
background research and interviewed a few more people. Not that it changes the
fundamental issue (don't leave valuables in your car, etc.) but it would have
been a stronger article with some more context, IMO.

[1]: <http://en.wikipedia.org/wiki/Jim_Stickley>

~~~
droopybuns
I agree with your skepticism but I disagree with your analysis of Stickley.
This looks like the typical security clown out there writing his own wikipedia
entry. His article's main point seems to be that he found a buffer overflow.
There, he's a security expert.

What security professional worth his salt says "that should not be possible"?
The entire security profession is about identifying assumptions and then
challenging them. He sounds more like a software developer cashing in on the
"s" word because he found a buffer overrun than a security professional
assessing an attack.

~~~
mindcrime
You're right, actually. I was trying to be charitable though, and I didn't
feel like I had time to do a serious deep dive into this background and
credentials. Nor am I necessarily qualified to pass any serious judgement on
his knowledge.

A quote from somebody like Bruce Schneier, or tptacek, would have been a lot
better.

------
outworlder
The advice given in the article sounds ridiculous to my (Brazilian) ears.

\- "Don't leave valuables in the car". Really? I'd have to deal with smashed
windows every single day if I left anything that could possibly be of value
sitting overnight (or for a few minutes in some places). Perhaps even an empty
shoe box. And that's with tinted windows so dark they are not even supposed to
be street legal.

\- "Keep your car registration in the wallet". Identity theft with a car
registration should not be possible here, as it doesn't contain ID numbers,
nor photographs and is no proof of identity (you have to display the driver's
licence - which is proof of identity - and the car's documents on demand if
requested by authorities). Still, it is a ridiculously bad idea to leave it
sitting in a car overnight. If the car is stolen, the crooks would have a much
easier time evading minor police checkpoints.

I guess some places have such a low crime rate that people just forget basic
security precautions?

~~~
javert
That stuff really isn't necessary in much of the US (many non-urban areas...
though not all). I don't even always lock my car doors in some places. To
someone who's not used to it, it's probably amazing how benevolent people and
society really can be.

~~~
jeffasinger
I lived in a town where if someone was running into a store for only a few
minutes, they would probably just leave the car unlocked, with the keys in it,
and the engine running.

~~~
stcredzero
In many jurisdictions, if the car was stolen and used in a crime, you could be
charged for negligence.

~~~
gojomo
Which jurisdictions? (Do you have a reference?) I don't think US law works
this way, for example, and would be curious to know where it does.

~~~
stcredzero
It varies from jurisdiction to jurisdiction. You can indeed be financially
liable for leaving your keys in the ignition, if the car is taken and a crime
is committed.

[http://blog.lawinfo.com/2011/06/22/if-you-leave-your-keys-in...](http://blog.lawinfo.com/2011/06/22/if-you-leave-your-keys-in-the-ignition-are-you-liable-for-a-thief%E2%80%99s-damages/)

------
kweks
Probably the attack from two years ago:
[http://www.technologyreview.com/news/422298/car-theft-by-ant...](http://www.technologyreview.com/news/422298/car-theft-by-antenna/)

Essentially, with the newer keyless entry cars, it's the _car_ that
transmits the signal to the fob (so you can't get stranded with a flat
battery).

The protocol itself is secure, but open to a MITM attack. The exploit works
essentially like a WiFi booster. Perp #1 places himself near the car,
receiving the car's transmission. This is relayed to perp #2, who is near the
owner (and the key). The key communicates with the car (via the relay) - the
door opens, the car starts, and off you go.
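
The relay kweks describes, as an added example in Python (not from the linked article or any comment here): the car challenges, the fob answers with a MAC over the challenge, and a two-person relay forwards both legs without ever touching the key. The car accepts because nothing ties the answer to distance. The key bytes, the delay figures and the microsecond round-trip bound are constructed for illustration; a real distance bound needs nanosecond-class timing, not application-level clocks.

```python
import hashlib
import hmac
import os

# Constructed shared secret; a real fob/car pair would have one burned in at the factory.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def fob_respond(key, challenge):
    """Fob side: prove possession of the key with a MAC over the car's challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def car_unlock(key, channel, max_rtt_us=None):
    """Car side. `channel(challenge)` models the radio link and returns
    (response, round_trip_microseconds). With max_rtt_us=None the car checks
    only the MAC, which is the situation kweks describes; with a bound it also
    refuses answers that took too long to arrive (a crude distance bound)."""
    challenge = os.urandom(16)
    response, rtt_us = channel(challenge)
    expected = fob_respond(key, challenge)
    if not hmac.compare_digest(response, expected):
        return False
    if max_rtt_us is not None and rtt_us > max_rtt_us:
        return False
    return True


def direct_channel(fob_key, fob_delay_us=2.0):
    """Fob next to the car: only the fob's own processing delay (a constructed figure)."""
    return lambda challenge: (fob_respond(fob_key, challenge), fob_delay_us)


def relay_channel(fob_key, relay_delay_us=50.0):
    """Perp #1 stands at the car and forwards the challenge to perp #2, who is
    next to the owner's fob; the fob's answer comes back the same way. The relay
    never learns the key and changes no bits, it just adds latency."""
    direct = direct_channel(fob_key)

    def channel(challenge):
        response, rtt_us = direct(challenge)
        return response, rtt_us + relay_delay_us

    return channel


def demo():
    """Outcome of each case; run the file as a script to print them."""
    wrong_key = bytes(16)  # an attacker with no key at all, for comparison
    return {
        "fob at car": car_unlock(KEY, direct_channel(KEY)),
        "relayed, no RTT bound": car_unlock(KEY, relay_channel(KEY)),
        "relayed, 10us RTT bound": car_unlock(KEY, relay_channel(KEY), max_rtt_us=10.0),
        "fob at car, 10us RTT bound": car_unlock(KEY, direct_channel(KEY), max_rtt_us=10.0),
        "forged without key": car_unlock(KEY, direct_channel(wrong_key)),
    }


if __name__ == "__main__":
    for case, unlocked in demo().items():
        print(f"{case:28s} -> {'unlocked' if unlocked else 'refused'}")
```

The forged case shows the crypto itself holds up; only the relayed case without a round-trip bound gets in, which is why the fix for this class of attack is distance bounding or a fob that sleeps when motionless, not a stronger MAC.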

------
gvb
Sounds a lot like the Chamberlain garage door gaping security hole:
[http://en.wikipedia.org/wiki/The_Chamberlain_Group,_Inc._v._...](http://en.wikipedia.org/wiki/The_Chamberlain_Group,_Inc._v._Skylink_Technologies,_Inc).

The level of security of a car door is presumably a lot higher than that of a
garage door, but the technology of using a rolling code is the same and the
need to be able to (re)synchronize remote keys/fobs is also there. With the
cars I own, there is a procedure in the operator's manual on how to resync
your keys. Nominally, it requires physical access - an already unlocked car.

Ref: <http://www.programmingkey.com/>

My first guess is that the bad guys figured out a timing attack that confuses
the lock software if the "right" sequence of codes are sent with the "right"
timing.

My alternate guess is that the bad guys figured out a way to mimic the resync
mechanism without requiring physical access.

~~~
cheald
If they'd figured out how to invoke resync, the owners' keyfobs would stop
working, which would be a dead giveaway.

~~~
gvb
The "(re)sync" mechanism allows you to add new keys without disturbing the
existing keys.

~~~
cheald
Source? I've never encountered that. Every time I've ever reprogrammed a
wireless entry remote, I've had to reprogram all of them at the same time.
Garage door openers can store multiple keys, but I've never run into a car
that will.

For example, from my Grand Prix's owner's manual:

> Each remote keyless entry transmitter is coded to prevent another
> transmitter from unlocking your vehicle. If a transmitter is lost or stolen,
> a replacement can be purchased through your GM dealer. Remember to bring any
> additional transmitters with you when you go to your dealer. When the dealer
> matches the replacement transmitter to your vehicle, any remaining
> transmitters must also be matched. Once your dealer has coded the new
> transmitter, the lost transmitter cannot unlock your vehicle. The vehicle
> can have a maximum of four transmitters matched to it.

And from the shop manual:

> Once the keyless entry receiver enters the programming/diagnostic mode, the
> programming of the first transmitter erases all previous transmitter
> programming information. You must then program all of the transmitters.

------
DanBlake
I never understood why keyfobs work in a UDP style, when communication between
the remote and car would be infinitely better.

For instance, instead of just sending "12345" and having the doors open since
the code was expected, What about if the remote said "hey car, whats your
random number" - the car then transmits back "54321" at which point the
transmitter sends a hashed reply sha512(54321 + unique-random-id-set-per-car)
which the car receives then verifies matches expected output.

The takeaway being that both the car and the remote know what "unique-random-
id-set-per-car" is, but nobody else does. It should be randomly set at the
factory so each car and the remotes have a unique id.

My only thoughts as to why its not like this is that the logic required to do
that type of operation might not be possible without a higher wattage
'processor' in the keyfob which would eat through batteries. I'm totally out of
the know in that area though.

Also, unrelated- but the passenger door thing is likely just coincidence
because they want to get in the glove box. But, there is another thing that
could explain it. On my last car (Mercedes) when I wanted to reprogram a new
keyfob to work with the car, I had to do a long process of certain actions to
make it work. It was like "press on brake, release brake, press on brake for 3
seconds then release, open driver's window, open passenger door, close driver's
window, press open button on keyfob" So the car CPU is definitely aware and
can take actions specific to which door is being opened, so its possible its
related.

~~~
WiseWeasel
Wouldn't you then be able to determine the fob ID by recording multiple car
"random number" requests and fob responses?

~~~
lucb1e
I think that's part of how Mifare (NFC) was cracked; the entropy of the card's
random number generator was very low. When implemented correctly it's a safe
method though.
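
DanBlake's challenge-response scheme, WiseWeasel's recording question and lucb1e's low-entropy point, as one added Python example (not code from any commenter): the fob answers sha512(nonce || secret) exactly as proposed, a passive attacker records nonce/response pairs, and an active attacker replays them. With fresh 128-bit nonces the recordings are useless; with a 4-bit "RNG" the table fills after sixteen sessions and replay succeeds. The last case shows the other way recordings bite: a secret short enough to brute-force offline. The secret values and the tiny LCG are constructed stand-ins.

```python
import hashlib
import hmac
import itertools
import os


def fob_response(secret, nonce):
    """DanBlake's reply: sha512(nonce || per-car secret). Both sides know `secret`."""
    return hashlib.sha512(nonce + secret).digest()


class Car:
    """Issues a nonce, then accepts exactly one response to it."""

    def __init__(self, secret, nonce_source):
        self.secret = secret
        self.nonce_source = nonce_source  # callable returning bytes
        self.pending = None

    def challenge(self):
        self.pending = self.nonce_source()
        return self.pending

    def verify(self, response):
        if self.pending is None:
            return False
        expected = fob_response(self.secret, self.pending)
        self.pending = None  # a nonce is good for one answer only
        return hmac.compare_digest(response, expected)


def strong_nonce():
    return os.urandom(16)


def weak_nonce_source(bits=4):
    """Constructed stand-in for a bad RNG: a tiny LCG, so only 2**bits nonces ever appear."""
    state = [0]

    def next_nonce():
        state[0] = (state[0] * 5 + 3) % (1 << bits)
        return state[0].to_bytes(2, "big")

    return next_nonce


def legit_unlock(car, secret):
    """The real fob answering the car's challenge."""
    return car.verify(fob_response(secret, car.challenge()))


def eavesdrop(car, secret, sessions):
    """Passive attacker (WiseWeasel's question): record (nonce, response) pairs
    from legitimate unlocks. Only hash outputs are captured, never the secret."""
    table = {}
    for _ in range(sessions):
        nonce = car.challenge()
        response = fob_response(secret, nonce)
        car.verify(response)
        table[nonce] = response
    return table


def replay(car, table, attempts=20):
    """Active attacker without the secret: ask for a challenge, answer from the table."""
    for _ in range(attempts):
        nonce = car.challenge()
        if nonce in table and car.verify(table[nonce]):
            return True
        car.verify(b"")  # clear the unanswered challenge and try again
    return False


def brute_force_secret(nonce, response, secret_len):
    """Offline attack on one recorded exchange: try every secret of `secret_len` bytes."""
    for candidate in itertools.product(range(256), repeat=secret_len):
        secret = bytes(candidate)
        if fob_response(secret, nonce) == response:
            return secret
    return None


def demo():
    secret = os.urandom(16)
    strong = Car(secret, strong_nonce)
    weak = Car(secret, weak_nonce_source(4))
    tiny_secret = b"\x13\x37"  # constructed: a 16-bit secret, 65536 candidates
    nonce = strong_nonce()
    return {
        "legit fob": legit_unlock(strong, secret),
        "replay vs 128-bit nonce": replay(strong, eavesdrop(strong, secret, 16)),
        "replay vs 4-bit nonce": replay(weak, eavesdrop(weak, secret, 16)),
        "brute force 16-bit secret":
            brute_force_secret(nonce, fob_response(tiny_secret, nonce), 2) == tiny_secret,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26s} -> {result}")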

------
Dnguyen
I wonder if they found an exploit for Bluetooth. Newer cars have this feature
so the owner doesn't have to use the key. If the Bluetooth service has access
to the On Board Diagnostic (OBD), it can get to a lot of the car's info and
commands, such as unlock door. I remember working on AutoPC back in the day
and we tapped into the OBD and provided a feature to send a message to the car
to unlock the doors. Similar to OnStar nowadays.

~~~
klinquist
I don't think this is done via bluetooth - I believe the remote/app unlocking
is all done via cellular.

------
clavalle
>Both the transmitter and the receiver use the same pseudo-random number
generator. When the transmitter sends a 40-bit code, it uses the pseudo-random
number generator to pick a new code, which it stores in memory. On the other
end, when the receiver receives a valid code, it uses the same pseudo-random
number generator to pick a new one. In this way, the transmitter and the
receiver are synchronized. The receiver only opens the door if it receives the
code it expects.

So, if you figure out how these are salted (VIN?) and what pseudo-random
generator it uses, you can recreate the signal.

~~~
darkarmani
I'm betting these generators have large sources of entropy, right? You have to
move your mouse around a bunch before you lock your doors.
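
The rolling-code scheme clavalle quotes, and the sync window gvb's comment turns on, as an added Python example (not from either comment): transmitter and receiver share a pseudo-random state, the receiver accepts any of the next few codes so presses made out of range don't break the pair, a used code can never be replayed, and too many missed presses leave the pair desynchronised, which is where a resync procedure comes in. The final case is clavalle's point: with a generator whose output is its state, one sniffed code lets an attacker compute the next one. The 40-bit LCG, its constants and the seed are constructed for illustration; a real system derives codes from a counter under a per-car key rather than exposing generator state.

```python
MASK40 = (1 << 40) - 1


def next_code(state):
    """Shared pseudo-random step: a constructed 40-bit LCG (full period, since the
    multiplier is 1 mod 4 and the increment is odd). The emitted code IS the new
    state, which is exactly the weakness clavalle points at."""
    state = (state * 0x5DEECE66D + 0xB) & MASK40
    return state, state


class Transmitter:
    def __init__(self, seed):
        self.state = seed

    def press(self):
        self.state, code = next_code(self.state)
        return code


class Receiver:
    def __init__(self, seed, window=16):
        self.state = seed
        self.window = window

    def receive(self, code):
        """Accept `code` if it is one of the next `window` codes (presses made out of
        range are tolerated), then move past it so it can never be accepted again."""
        state = self.state
        for _ in range(self.window):
            state, expected = next_code(state)
            if expected == code:
                self.state = state
                return True
        return False  # outside the window: the pair is now desynchronised


def predict_next(captured_code):
    """Attacker who knows the generator: one sniffed code is the state, so the next
    code follows directly. With a keyed generator this step would need the key."""
    return next_code(captured_code)[1]


def demo():
    seed = 0x1234567890  # constructed; a real seed would be per-car
    out = {}
    tx, rx = Transmitter(seed), Receiver(seed)
    code = tx.press()
    out["first press"] = rx.receive(code)
    out["replay of used code"] = rx.receive(code)
    for _ in range(5):
        tx.press()  # pressed in a pocket, out of range of the car
    out["press after 5 missed"] = rx.receive(tx.press())
    for _ in range(40):
        tx.press()  # more than the window: needs the owner's-manual resync
    out["press after 40 missed"] = rx.receive(tx.press())

    tx, rx = Transmitter(seed), Receiver(seed)
    sniffed = tx.press()  # owner presses, attacker records it
    out["attacker predicted code"] = rx.receive(predict_next(sniffed))
    return out


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:24s} -> {'accepted' if accepted else 'rejected'}")
```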

------
astral303
RSA Security and Johns Hopkins have been able to crack an RFID keyfob in 15
minutes [0] back in 2005. Rumor had it that later on it was something like 30
seconds to crack a Ford key. 40-bit RFID keyspace--combine that with 2013-era
technology and this is absolutely no surprise.

<http://www.jhu.edu/news/home05/jan05/rfid.html>

------
RyanBrantley
How about the possibility that the thieves have simply purchased replacement
remotes from eBay (or similar), and programmed them when they had access to a
compatible vehicle? Maybe the thieves work at a car wash, valet or have
organized a larger network of goons (think credit card skimming).

Programming a replacement remote is a simple procedure, requiring only a few
moments in the vehicle with the key present... like when parking a car. Paired
with an easily accessible address (registration?), you have a crime ready to
take place.

This would confirm why multiple vehicles in the same driveway were targeted.
Families use the same service providers. It could also make sense of why the
"device" occasionally did not work. Maybe they got the remotes / addresses
mixed up, the programming did not take or their mule is selling them
unprogrammed remotes.

I think this is more logical of a solution considering the facts. Any
thoughts?

------
jmspring
Recent rental car in Italy - get the keys, head to parking lot, and search out
car based on license plate on keys. Writing is dodgy, could mistake an 8 for a
9. Find car, electronic control unlocks it, yet key will not start car.

Head back to desk, slam keys down (person behind desk had previously shown a
serious attitude to renters), get startled look and say "car doesn't work".
After a bit of shock due to slammed keys and firm voice person says "colleague
should be there" (he wasn't), pointed out "nope", responded with "oh, in 5
minutes".

Wander back out to car, electronic lock locks/unlocks car, but still doesn't
start. "Colleague" shows up. Points out diff between 8 and 9. I mention "uh,
car unlocked". He shrugged. Turns out the car was in a completely
different/not visible (for the company) part of the parking lot. Both
electronic locks and key worked in that vehicle.

Having an electronic system for duplicate cars (1 off in license plates) seems
like a bad idea.

------
jordan_clark
They didn't release all of the details. We would need to know which makes and
models and years this does/does not work on. In the videos they only showed
Honda products (Acura) (The MDX was a 2000-2006 model) but does not work on GM
or Ford. So this is most likely manufacturer specific.

------
_jackwink
Seems like this might be relevant. <http://www.autosec.org/pubs/cars-usenixsec2011.pdf>

------
Fuxy
Why is this so baffling and shocking? I think we all knew this was possible
before anybody actually did it. It's not like they're using proper crypto. It's
the equivalent of a bad house lock: give me some good lock picks and 60 seconds
and I'm in, so why is this so surprising?

~~~
dclowd9901
From what they describe, it sounds like the locking systems use a system that
works like a VPN key (this was actually surprising to me). Those seem pretty
tough to crack, so why would this be any different?

~~~
PeterisP
Even if you use practically unbreakable encryption keys, there are a million
things that you can fail in the whole cryptosystem and any one of them will
make you vulnerable.

How are keys generated? What is the source of randomness? How are keys reset
if needed? What are the manufacturer/service/guvmint backdoors in the keys?
etc.

~~~
Fuxy
I think you're on to something with the backdoor. Backdoors have to be extra
secure because if you hack that you have access to all of them. Hell they
shouldn't even exist it's like asking to be exploited.

------
runamok
I read a recent 2600 article that said it's fairly easy to procure (from
overseas) a jammer to prevent the lock signal from reaching the car. It would
not open the doors but instead stop them from locking so the would-be thief
would later manually open the unlocked doors.

------
progrock
How about the manufacturers providing a back door? Their own code.

What happens in the event that you lose your fob?

~~~
astral303
If you lose your fob, the workaround is re-programming via the OBDII or other
diagnostic ports. Yes, that has a backdoor. But typically there is no remote
backdoor.

------
axus
Is there a way to disable remote access to the doors? Other than driving an
old car :)

~~~
wmeredith
You should be able to pull the fuse for the door locks; the mechanical lock
buttons and key will continue to work. To find out which fuse, just Google
"[car make] [model] [year] fuse diagram" and look for door lock actuators or
similar.

~~~
untothebreach
Also, most (if not all) car user manuals come with a diagram of the fuse box.

~~~
ewbuoi
Some even have a diagram of the fuse box _in_ the fuse box.

------
zw123456
You can Google the phrase "car learning keyless remote control" and see tons
of sites selling these for "legit" purposes as replacement remotes. I am sure
not all of them work on all cars but I am sure the thieves simply figured out
which ones work on which cars and just target those. And I agree, this is
nothing new, a story about it pops up on the news every so often and then it
seems like each time the Police are baffled. Maybe there needs to be a web
site for the police that provides them with such information. If there isn't
one already, there is an app opportunity for someone perhaps.

~~~
Zarathust
All of the remotes I've seen require physical access to an unlocked car to
initiate the re-synchronization procedure between the new remote and the car.
This involves complex things like starting the car 5-10 times and pressing
buttons on the remote at the same time.

------
NameNickHN
> and should be hackproof

I always chuckle when I read something like this because if something has been
made by men it can be cracked by men. It's simple as that.

------
nakedrobot2
Um, maybe this?

<https://www.google.com/search?q=car+key+duplicator+alibaba>

:-)

------
keithjia
Assuming the car remote is using some kind of asymmetric encryption algo,
doesn't this simply mean either A) somebody leaked the private key from the
manu? B) encryption was done with low enough bits so that it is brute-force
breakable

They could have just asked any CS prof or student for the possibilities...

------
nodata
Anyone know how much compute time is needed to crack a new BMW or Audi remote?

~~~
TheCapn
Seconds I believe.

I have no source but I recall seeing a story where people were able to fake a
BMW remote by plugging directly into the OBDII port on the cars and running a
quick program on an attached arduino. As for remote access I'm sure it's
equally plausible to crack if you know the right steps to take.

~~~
gambiting
But that was a clear mistake in the OBD port programming on new BMW, which was
fixed by the manufacturer. Not something that can be easily done on any car.

~~~
nodata
So how long would it take to remotely crack or brute force or otherwise gain
access to a brand new BMW? I'm interested in the cost on AWS compute or GPU
compute.

------
saddino
Get ready for two-factor authentication coming to a car near you.

------
joars
Wow, I really disliked the way that news report was presented. I think it was
because the narrator ended each sentence as if it was the last sentence in the
story.

------
kbar13
TIL today.com's site looks really nice

------
youngerdryas
Ghost Dog was doing this back in 2005.

