The main difference from the Tesla hack is that you don't keep your MacBook outside the house at night. And thieves don't need to unlock it to steal it, they just take it and leave.
Not fun getting into a car that's been in the sun most of the day when the temperature is 40°C
What’s happened is that the accessibility of the technology to undertake e.g. replay or relay attacks has increased, so that’s now become a more casual theft vector. It’s a cat and mouse game.
Not all of them. Some have really really good security.
And security regulation for car security is coming worldwide in 2021, thanks to the "terrorist threat".
"In response to those attacks, Tesla started rolling out [...] If an owner activates the “PIN to Drive” function [...] anyone entering the car will have to know your PIN in order to be able to drive away."
And why wouldn't the car (all vulnerable cars) deactivate when, one minute later (or X meters), it doesn't detect the key in the car? I.e. do a second poll of the key.
This has been a solved problem for some time in luxury/expensive vehicles. Vehicle tracking systems detect if the car is moved without the tracking card in it and silently inform their control centre of the fact, along with vehicle’s location. Control centre then calls owner and verifies if it’s them. Doing it this way has the advantage that if the driver is being threatened (carjacking for example), it doesn’t put them at further risk.
Probably a safety vs security concern. They don't want your car to suddenly die on you in the middle of the highway if your keyfob battery dies.
And yes, I do have an unfortunate personal experience to support this theory :-)
Keys are sometimes set down in the vehicle before starting. A time based rule (motion within last x) won't help because sitting in a non-running car is something that happens often enough that keys not working would be a problem.
Also, someone could steal your car while you have your keys in your pocket inside your house, or walking around a store.
This was a relay attack. Not a re_p_lay attack.
It's just amplifying the signal from the outside car to the inside keys & vice versa.
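The relay/replay distinction drawn in the comment above, as an added example that is not part of the original thread: a fresh challenge defeats a replayed response, but a relayed response is computed by the genuine key and verifies unless the car also bounds the round-trip time. The HMAC protocol, the key, the 2 m range and all timing figures are constructed assumptions for this simplified model, not any vendor's actual design.

```python
import hashlib
import hmac
import os

KEY = b"constructed-shared-secret"  # constructed sample key (assumption)
C_M_PER_NS = 0.2998                 # speed of light in metres per nanosecond
FOB_PROCESSING_NS = 1000.0          # assumed fixed fob turnaround time

def fob_response(challenge: bytes) -> bytes:
    """Key fob side: authenticate the car's fresh challenge."""
    return hmac.new(KEY, challenge, hashlib.sha256).digest()

def rtt_ns(distance_m: float, relay_delay_ns: float = 0.0) -> float:
    """Modelled round-trip time for a fob at distance_m from the car."""
    return FOB_PROCESSING_NS + 2 * distance_m / C_M_PER_NS + relay_delay_ns

class Car:
    def __init__(self, max_range_m: float = 2.0):
        # Longest round trip a fob within max_range_m could produce.
        self.max_rtt_ns = rtt_ns(max_range_m)
        self.challenge = b""

    def new_challenge(self) -> bytes:
        self.challenge = os.urandom(16)  # fresh nonce per unlock attempt
        return self.challenge

    def verify(self, response: bytes, measured_rtt_ns: float,
               check_timing: bool) -> bool:
        expected = hmac.new(KEY, self.challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False  # wrong or stale response: replay fails here
        # Only a timing bound separates a nearby fob from a relayed one.
        return not (check_timing and measured_rtt_ns > self.max_rtt_ns)

def run_scenarios() -> dict:
    car, out = Car(), {}
    c = car.new_challenge()
    captured = fob_response(c)
    out["legit"] = car.verify(captured, rtt_ns(1.0), True)
    car.new_challenge()  # the next attempt uses a new nonce
    out["replay"] = car.verify(captured, rtt_ns(1.0), True)
    c = car.new_challenge()
    relayed = fob_response(c)            # the genuine fob answers, 30 m away
    t = rtt_ns(30.0, relay_delay_ns=500.0)
    out["relay_no_timing"] = car.verify(relayed, t, False)
    out["relay_with_timing"] = car.verify(relayed, t, True)
    return out

if __name__ == "__main__":
    print(run_scenarios())
```

In real hardware the fob's processing time varies by far more than the few nanoseconds of flight time, which is why this check needs purpose-built ranging rather than a software timer.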
Should Yale be responsible for all the stuff stolen from a house after someone picks the lock? I don't think so.
If a lock manufacturer markets a lock to be secure, giving it an 8 out of 10 rating, but that lock could be decoded without any tools in a very short period of time, then I believe that the manufacturer should bear some responsibility.
But then again Master Lock still exists lol... Take the 174SSD for example. Master Lock lists it for $38, so not a bargain basement lock. They say it’s “best for”: Residential Gates & Fences, Sheds, Workshops, Garages, Storage Lockers, Tool Chests, Tool Boxes. The packaging boasts about its security, and yet it can be quickly decoded without tools.
Now I’m sure the people on this site are aware of the quality of Master Lock, but is your avg Joe walking into the hardware store? IMO there is a point where, if your performance can’t back up your marketing, you become liable.
But in Tesla’s case I don’t think they market the security of their keyless entry/start. I would say they are aware of the security risks of the tech, which is why they released an OTA update that enables the need of a passcode to start the car. The question for me then becomes: if Tesla were aware of this risk and added a protection against it, but didn’t advise customers enough of the risks of keyless entry/start and the protections against it, could they have at least a little liability? OTA cuts both ways: yes, it allows for easy updating in the field, but it also provides a direct communication point with your customer to be able to advise them of "such new information".
EDIT: Cleared up some spelling (fucking auto correct). But I would also like to make it clear that I wouldn't expect a lock manufacturer to always be responsible for the items the lock is "protecting". For example: you put a high security lock on your front door to protect your home. A burglar cases your joint and, instead of picking the lock, which will take too much time, they break a window and enter your home through that instead. The lock did its job, so I couldn't hold the manufacturer responsible at all.
My gripe is when weak locks, or locks with known defects, are being sold to the general public as "secure". If a car manufacturer said their car was safe in a crash, giving themselves a high safety score, but it was found out that "safe" meant that it was only deemed safe under lab conditions where the impact was at exactly 55mph, but in the real world a defect meant it was hit and miss whether the airbags would actually deploy in the event of a collision, people would be up in arms about it, lawsuits filed, recalls issued, etc.
I don't expect any lock to be 100% secure (nor any car 100% safe in a collision), but when the marketing team for a manufacturer takes it on themselves to talk up the security then I don't think it's wrong to expect that manufacturer to be held to account when their claims don't hold up.
Tesla released an update in 2017 giving users the ability to disable keyless entry. That paired with OTA I wonder if it would be wise of them to push an advisory to all cars with keyless entry still enabled advising the customer of the risk of keyless entry and asking the customer if they would like to disable it? If you have made it explicitly clear that keyless gives a convenience bump at the sacrifice of security but the customer still decides to leave keyless enabled that is a choice the customer willingly made.
Just thinking out loud.
Just one instance of not having to push a button could be a convenience.
Not that I disagree that I much prefer having keyless entry disabled on my car. Just giving a situation where I could see keyless as being more convenient because I’m an argumentative little shit ;-)
Maybe could still be defeated with a very long range RFID reader? I don’t know how long range they get.
Several countries in the EU have automatic only drivers licenses, but hardly anybody gets them since being forbidden from driving a manual car is a pretty significant limitation.
And that's ignoring that it could just be sold for parts.
If you don't want to be banned, you're welcome to email email@example.com and give us reason to believe that you'll follow the rules in the future.
Insurance companies try to fight that by forcing the installation of a "safe" around the computer
E.g. See Tuomas Aura's most excellent paper: