

3129 numbers that unlock keyless entry cars (2004) - AndyBaker
http://everything2.com/index.pl?node_id=1520430&displaytype=printable

======
dale386
I give it a week before someone creates a lego mindstorm / arduino device with
suction cups that performs the entire sequence in much less than 20min.

------
michaelt
Some electric door locks (like the Codoor CD3500 [1] used at a place I used to
work) are designed so after a certain number of digits without a valid code
(16 for the codoor), they require the correct code to be entered twice in
succession in order to unlock.

This is transparent to the user - it's just as if you hit a wrong button - but
prevents using codes like this.

I don't know if this is common to all keyless entry systems, but you'd hope it
would be!

Of course you can still enter every code, just it would take 80,000
button presses on a 10-digit lock.

[1] http://www.assar.ee/cgi-bin/document.cgi?doc=356
see page 12 'access blocking'

------
brokenbeatnik
Neat analysis. Do keyless entry cars not have some kind of "too many presses"
sensor that would slow this process down or render it impossible by making you
start over? I don't know, I'm just asking.

~~~
logfromblammo
Given the huge security holes already known to be present in the median auto
electronics system, my guess is "absolutely not".

There may be some additional consideration for luxury-branded models, but for
the standard models, the consideration is primarily whether it works for the
auto-buyer every time, not how this could be used as an attack vector.

~~~
bradleyland
That’s awfully cynical. It also happens to be completely wrong. I extracted
the following from a horrible Answers.com FAQ that was spread over 75 slides
(barf):

"If the wrong code has been entered 7 times (35 consecutive button presses),
the keypad will go into an anti-scan mode. This mode disables the keypad for
one minute and the keypad lamp will flash. The anti-scan feature will turn off
after one minute of keypad inactivity."

The Ford Explorer is hardly a “luxury-branded model”, and I’d venture that
Ford uses this same system on all their models, across brands.

~~~
logfromblammo
Except that 35 consecutive button presses is actually the wrong code entered
31 times. That security feature only adds 101 minutes (and about 400 button
presses) to the cracking process.

I think I am correct to be cynical.

And why would you subject yourself to answers.com just for that?

~~~
bradleyland
Do you think this is an honest assessment?

"That security feature only adds 101 minutes (and about 400 button presses) to
the cracking process."

_Only_ adds 101 minutes? I'm incredulous.

The claimed attack time is 20 minutes. By your assertion, this security
feature increases the required attack time by a factor of 5. Were this a
virtual system, that is trivial, but this attack requires physical presence,
or at least the presence of a device.

I think your cynicism is unjustified, as the extra time makes this an
undesirable attack vector in light of the alternatives. Anyone willing to
spend 100+ minutes at a car door is just going to use a slim jim or move on to
an easier target instead.

~~~
logfromblammo
In contrast, requiring that each unlock attempt be a separate sequence of five
button presses with a ten-second timeout between attempts would make the brute
force attack take 15625 button presses with 520 minutes of waiting for
timeouts.

The security feature is a useless patch on a fundamentally flawed foundation.
It is less effective than fixing the underlying problem, which is that a well
crafted attack can rule out one code per additional button press.

Making odd and even numbers discrete buttons increases the attack difficulty
by a factor of 32. These things are not difficult or unpredictable. Literally
anyone with a calculator and 15 minutes to think about security could come up
with ways to improve the system superior to the BS band-aid they came up with.

If someone is attempting this, they will have barely-detectable near-instant
access to your vehicle's interior from that moment forward. This isn't just
about using a slim jim to grab your valuables. That someone could also smash
your window with a rock. What happens when someone wants to photograph your
auto registration while you are in your office, and visit your home address at
a later time? Perhaps you use the same 5-digit code for something else? The
attack space for that something else is now just 32 attempts.

Thinking about security threats requires predicting criminal motives. Cracking
the keyless entry system is not a simple robbery tactic. The person doing it
is after more than the contents of your vehicle at that instant.
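Worked example, added here and not code from the thread or the linked article: a Python script that builds the 3129-press sequence the title and dale386's comment refer to (a de Bruijn sequence B(5,5) plus the first four symbols again) and runs the cost models argued over in the comments above: no countermeasure, the "7 wrong codes / 35 presses then one minute locked" anti-scan behaviour as logfromblammo models it (the keypad matches every sliding window of five presses, the lockout clears its buffer, and the attacker resumes the sequence), and the separate-attempt-with-timeout design from logfromblammo's later comment. It also builds the 10-button variant to show the factor-of-32 claim. Everything about keypad internals here is an assumption for the sake of the model, not a fact from the page: that matching is on a sliding window, that a lockout clears the buffer, the odd/even button pairing, and the 0.4 s per press used for the time estimate.

```python
"""Brute-forcing a paired-digit car keypad: de Bruijn sequence and lockout cost.

Added illustration for the thread; not code from the linked article.
Assumptions (not from the page): sliding-window matching, a lockout that
clears the keypad buffer, odd/even button pairing, 0.4 s per press.
"""
from itertools import product

# Assumed button layout: five buttons, each covering an odd/even digit pair.
KEYPAD = ("1/2", "3/4", "5/6", "7/8", "9/0")


def de_bruijn(k, n):
    """Cyclic de Bruijn sequence B(k, n) over symbols 0..k-1, length k**n.

    Lyndon-word (FKM) construction: every length-n word over k symbols
    appears exactly once when the sequence is read cyclically.
    """
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return seq


def attack_sequence(k, n):
    """Linear press sequence hitting every n-digit code: k**n + n - 1 presses.

    For five buttons and five digits that is 5**5 + 4 = 3129 presses.
    """
    cyc = de_bruijn(k, n)
    return cyc + cyc[:n - 1]


def covers_all_codes(seq, k, n):
    """True if every one of the k**n codes occurs as n consecutive presses."""
    windows = {tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)}
    return windows == set(product(range(k), repeat=n))


def simulate_sliding_attack(seq, n, presses_before_lockout=None, lockout_seconds=60):
    """Feed `seq` to a keypad that checks every sliding window of n presses.

    If presses_before_lockout is set, the keypad locks for lockout_seconds after
    that many consecutive presses and clears its buffer (assumed behaviour).
    Resuming then costs n-1 extra presses to re-prime the window.
    """
    if presses_before_lockout is not None and presses_before_lockout < n:
        # A lockout shorter than one code would make no progress at all.
        raise ValueError("lockout threshold must allow at least one full code")
    presses = lockouts = since_lockout = 0
    buffer, tested, i = [], set(), 0
    while i < len(seq):
        if presses_before_lockout is not None and since_lockout >= presses_before_lockout:
            lockouts += 1
            since_lockout = 0
            buffer = []
            i = max(0, i - (n - 1))  # resend the last n-1 symbols after the lockout
        buffer = (buffer + [seq[i]])[-n:]
        presses += 1
        since_lockout += 1
        if len(buffer) == n:
            tested.add(tuple(buffer))
        i += 1
    return {"presses": presses, "lockouts": lockouts,
            "wait_seconds": lockouts * lockout_seconds, "codes_tested": len(tested)}


def separate_attempt_cost(k, n, timeout_seconds):
    """Cost when each code must be its own n-press entry with a timeout between attempts."""
    attempts = k ** n
    return {"presses": attempts * n, "wait_seconds": attempts * timeout_seconds,
            "codes_tested": attempts}


def minutes(result, seconds_per_press=0.4):
    """Wall-clock estimate; 0.4 s per press is an assumption, not a measured figure."""
    return (result["presses"] * seconds_per_press + result["wait_seconds"]) / 60


if __name__ == "__main__":
    seq = attack_sequence(5, 5)
    print("presses:", len(seq), "first ten:", " ".join(KEYPAD[s] for s in seq[:10]))
    print("no countermeasure:", simulate_sliding_attack(seq, 5))
    print("35-press anti-scan:", simulate_sliding_attack(seq, 5, 35, 60))
    print("separate attempts, 10 s timeout:", separate_attempt_cost(5, 5, 10))
    for label, r in (("plain", simulate_sliding_attack(seq, 5)),
                     ("anti-scan", simulate_sliding_attack(seq, 5, 35, 60)),
                     ("separate", separate_attempt_cost(5, 5, 10))):
        print(f"{label}: about {minutes(r):.0f} minutes")
    print("10 discrete buttons:", len(attack_sequence(10, 5)), "presses")
```

Under these assumptions the anti-scan model costs 100 one-minute lockouts and 400 extra presses on top of 3129, while the separate-attempt design costs 15625 presses and 31250 seconds of timeouts; the script is the quickest way to check how much any proposed threshold or timeout actually changes before arguing about whether it is a band-aid.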

~~~
bradleyland
I initially posted to refute this claim:

> Given the huge security holes already known to be present in the median auto
> electronics system, my guess is "absolutely not".

Which is provably false. There is a system to slow down attackers, and it
results in a 5x increase in attack time. The rest is tangential to the point.

Yes, it could be better, but you're trivializing what isn't trivial. A 100
minute increase is not trivial. Yes, it'd be even better if it took hours.
It'd be even better if it took years. If you're concerned about the security
of your vehicle, why have this system at all? It's a trade-off in convenience
for security, which many people can afford. All of these are tangents, but
they do not qualify a response of "absolutely not" in response to the original
inquiry.

Nothing else you've said is wrong, but it seems like you're grasping at other
points in order to justify your cynicism, which was proven unfounded. I won't
be baited into an argument that the safeguards could be improved.

