

Weak security in our daily lives - MikeCapone
http://everything2.com/index.pl?node_id=1520430&displaytype=printable&lastnode_id=1520430

======
32bitkid
When I started learning how to pick locks, I was shocked to find out how
simple most house and apartment locks are to pick. I went to a fellow picker
who had been in the scene way longer than I had. I asked "why don't more
criminals use lockpicks or hacks to bypass security?"

The reply has always stuck with me: "if one's objective is to steal something
of value, then picking or hacking a lock -- or a desire to be undetected -- is
outweighed by a necessity for speed."

If you are trying to break into a car to take something out of it -- or take
the car itself -- then a glass breaker or even a brick will turn your 20 to 30
minute hack into a 3 second breach. Besides, they will know someone was in
there when they realize everything is missing, whether you picked the lock or
not. So minimize risk, not detection.

------
kayoone
Interesting. I am a car nut but have never heard of this keypad thing under
the door handle of cars, so I went to Google it and found it to be mostly
(only) present on US models. I am from Europe and have never seen it here, but
maybe it never came to my attention.

Even with modern systems I think that there are a lot of security issues.
Keyless Entry Systems for example in theory allow you to drive off in a car
without having the key present (at least that's true for many VW models). You
can basically open, start and drive off if the owner is nearby. Does anyone
know how complex it is to crack those wireless key things?

~~~
mwill
Similarly, in Australia, I've only seen it once, and it was on a (from what I
was told) special edition F-150 won in a contest in the US, that was converted
to right hand drive.

Seems to be a security vulnerability all by itself, to me. I'm not sure I see
the appeal.

~~~
delinka
"I'm not sure I see the appeal."

'Convenience.' That is all. US'ians are notoriously lazy and require
convenience everywhere. Convenience overrides security and often convenience
overrides safety.

It's surprising how many devices and service businesses have been created to
allow people to continue to be lazy under the guise of "increasing
productivity" - 'You just keep sitting on your backside at your desk and we'll
run your errands!'

~~~
jtheory
It's worth noting that security/safety and convenience are almost always in
opposition.

There are probably cultural trends as to where different groups make the
trade-off (I've never dug into it), but the principle is the same everywhere.

You could put all of your money and attention into guarding your stuff, if you
so chose, and guarantee that the work required to defeat your security was far
greater than any potential benefit. Never take your car out of its concrete
bunker.

Or you can ignore security in favor of convenience -- always leave your car
key in the ignition, and thus never be locked out accidentally, never fumble
to find your keys in a large bag, never drop your keys in a snowbank....

But obviously most people try to fall just on the side of "safe enough that no
one will steal my car", depending on how high they perceive that risk.

For a car keypad entry -- if trying all of the possible combinations would
take 20 minutes, that's probably not any less secure than driving a slightly
older car with a fairly-easily pickable lock, and in return you will never
accidentally lock your keys in the car again.

I don't think I'd go for the keypad lock on a _new_ car, but I have locked my
keys in my car twice in my life, and it's really annoying.

One of those times there was a three-year-old in a carseat, inside the locked
car... fortunately it was the loaner, sitting in the parking lot at the
mechanic's (where my normal car was being repaired).

The first time it happened I was driving an old car, and I was at the grocery
store... so I went back in, bought a screwdriver & coathanger, and broke into
my own car in about a minute. In that security context, having a keypad would
have been convenient without adding anything to the security risk
whatsoever....

------
rachelbythebay
Ah yes, two digit answering machine code phreaking.

    
    
        001122334455667788990246813579258369147032949727651
        07182162805263064098753937431738420861950415485960
    

(No, I didn't remember that... but I bet some people did.)

------
Mahh
If you're interested in becoming afraid around your cars, some of my security
friends at the University of Washington have been busting up cars for
research: <http://www.autosec.org/faq.html>

This paper is particularly in depth and interesting:
<http://www.autosec.org/pubs/cars-usenixsec2011.pdf>

Of course, their exploits are a bit more complex and involve various side
channels and hardware vulnerabilities, while the keypad issue can be executed
by someone just typing in numbers with their fingers.

------
vinceguidry
Here's an unlock trick for Ford Rangers that saved me a bunch of money on
locksmiths: <http://www.youtube.com/watch?v=OzNb4YKBlRo>

The first time I did this it took me ten to fifteen minutes (now it takes 30
secs). I disagree with the argument that anyone fiddling with a lock for twenty
minutes is going to attract attention; I wasn't bothered and I was in a busy
urban parking lot with lots of passers-by.

Few seem to know about it; if anyone's used it to get in my truck in the 7
years I've owned it, I haven't noticed.

------
walls
It seems this could be automated to be done a lot faster than twenty minutes,
even just mechanically.

I'm somewhat curious if it would be possible to push a kind of needle/wire
through the buttons and automate key presses via electronic signals instead of
a physical push.

------
greenyoda
I'd guess that these results vary based on the make, model and year of the
car. It doesn't seem likely that all car companies get their keyless entry
systems from the same manufacturer.

~~~
delinka
I think it seems likely there are few manufacturers of these devices. That
aside, seems to me a simple firmware update could prevent this long string of
numbers from opening a door - as soon as a failed code is entered, require
re-entry from the beginning, forcing the would-be attacker to try every
combination.

------
Pitarou
Doesn't the car lock you out after too many failed attempts?

If they don't, these keyless entry pads have just set back car security by
about 15 years.

~~~
ktosiek
Sounds like it doesn't only let you try again, it actually only checks if the
last [password length] numbers match the password (that's why he can compress
it into one long number).

~~~
tempestn
Right, even removing that flaw would make it closer to two hours than 20
minutes (although half that to get in on average). Significantly less if you
leave finger smudges on the keys though.

That said, agreed with the above: anywhere someone fiddling with the lock for
20 minutes would go unnoticed, a brick would go unnoticed too. I highly doubt
a car has even been stolen through hacking the keypad lock in this manner.

~~~
delinka
"Significantly less if you leave finger smudges on the keys ..."

Those that I have seen have this plastic covering that allows some tactile
feedback (a small pop under the finger). And people are lazy and don't change
codes. So the plastic wears and even comes off, leaving the silicone exposed
on the numbers that are used. Well beyond smudges, and much shorter than this
20 minute code.
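
The check discussed in this sub-thread, as an added example that is not part of the original thread: a keypad that compares only the last N presses, next to one that clears its buffer after every attempt and locks out after repeated failures. The code, the key stream, the lockout threshold and the 5-key, 5-digit pad size are constructed assumptions, not details of any real vehicle.

```python
from collections import deque

class SlidingWindowKeypad:
    """Flawed check from the thread: unlock when the last N presses match."""
    def __init__(self, code):
        self.code, self.window = code, deque(maxlen=len(code))

    def press(self, key):
        self.window.append(key)
        return "".join(self.window) == self.code

class ResettingKeypad:
    """Fixed-length attempts, buffer cleared after each, lockout on failures."""
    def __init__(self, code, max_failures=5):
        self.code, self.max_failures = code, max_failures
        self.buffer, self.failures = [], 0

    def press(self, key):
        if self.failures >= self.max_failures:
            return False          # locked out (simplified: no timed release)
        self.buffer.append(key)
        if len(self.buffer) < len(self.code):
            return False          # attempt not complete yet
        attempt, self.buffer = "".join(self.buffer), []
        if attempt == self.code:
            self.failures = 0
            return True
        self.failures += 1
        return False

def presses_until_unlock(keypad, stream):
    """Number of key presses before the pad opens, or None if it never does."""
    for count, key in enumerate(stream, 1):
        if keypad.press(key):
            return count
    return None

def worst_case_presses(keys, length, sliding):
    """Presses needed to cover every code: overlapping vs. one attempt per code."""
    codes = keys ** length
    return codes + length - 1 if sliding else codes * length

CODE = "34512"         # constructed sample code
STREAM = "1234512345"  # constructed: the code straddles two 5-press attempts

if __name__ == "__main__":
    print(presses_until_unlock(SlidingWindowKeypad(CODE), STREAM))
    print(presses_until_unlock(ResettingKeypad(CODE), STREAM))
    print(worst_case_presses(5, 5, True), worst_case_presses(5, 5, False))
```

With the assumed 5-key, 5-digit pad, clearing the buffer alone raises the worst case by a factor equal to the code length, and the failure counter is what actually bounds the number of guesses.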

------
kbatten
I think master locks are a much more prevalent example of this.

~~~
mistercow
Which type of master lock? This technique surely wouldn't apply to the kind
with a dial, since those involve reversing direction. There are other
techniques that make those locks very weak, but I don't think this article is
relevant to them.

