So much for car security...
www.theregister.co.uk/2007/08/24/car_cypher_crack/
"Cryptographic researchers have identified a practical attack against the KeeLoq car anti-theft cypher. KeeLoq serves as the cryptographic underpinning of several car anti-theft mechanisms distributed by Microchip Technology.
The technology is used in a wide variety of car remote controls from manufacturers including Chrysler, Daewoo, Fiat, General Motors, Honda, Jaguar, Toyota, Volvo, and Volkswagen.
Each device has a unique key that has up to 18 billion billion combinations, though in practice a much lower key space is used. Nonetheless, the hardware-dedicated block cypher used in KeeLoq was thought to be secure.
But a team of security researchers from Belgium and Israel has developed a technique to identify the key in less than a day. The technique requires close proximity to an intended mark's key for about an hour, during which time the key is "probed". Data from this operation is then analysed for clues that allow the researchers to identify the unique key associated with a device."
So watch out for iffy types with laptops while you're in the barbers
Subject line changed to reflect the talking point - PU
|
>The technique requires close proximity to an intended mark's key for about an hour
So you have to stand next to me for an hour with a laptop in your hands. Thats covert and not at all sus!
------------------------------
< Ex RF, Ex TVM >
|
Or a PDA, or perhaps even a Smartphone (all it needs is the right sensor).
In fact this potentially makes such cars the easiest things in the world to steal. Second-hand, blocked Smartphone (worthless), hide in a bush near a car for an hour, come back, upload the details to a PC and you're away. Immobiliser defeated (as the "key" is returning the right information), car is driven away, stripped for parts and never seen again.
|
No you have to be really near the key. Not the car but me with my key. For an hour. I might notice.
Its really just hypothetical. Effort like this is only required for high net worth cars. And then its easier to break into your house and steal the key. Or bash you over the head, or stick a gun in your face.
------------------------------
< Ex RF, Ex TVM >
|
|
Try sitting in a bush (and there are plenty) outside my house for an hour and retain the seat of your pants.....
|
I want nothing to do with your bush PU.
------------------------------
< Ex RF, Ex TVM >
|
The thing is though, do you need to be all that near the key?
I can lock and unlock my Primera from my living room. The range of that key is unlikely to be remarkable.
All you need is to be close enough to get a signal -- and I'm sure it wouldn't be too difficult to probe for responses from keys.
And you don't need to be around when a key is being interrogated -- just the smartphone/PDA whatever. On a quiet cul-de-sac late at night I'm sure it wouldn't be too hard to hide one away somewhere and come back for it after an hour without being caught. Yes you'd doubtless lose kit occasionally if it's discovered by some other scrote, but that's par for the course and with smartphones being available s/h for £20-30, theoretically all the pieces are there to make a clean getaway without having to worry too much about being caught.
|
> The thing is though, do you need to be all that near the key?
Yes it looks like you do. They are using the imobilisor code so need to act like the reciever round the key lock
------------------------------
< Ex RF, Ex TVM >
|
|
|
|
|
It would be quite easy to follow someone in to say a swimming pool, watch them put their keys in the locker, you put PDA in next locker and leave it, come back over an hour later and it's done. Assuming the signal can pass through the locker walls - probably not, but they'll think of better ways of doing the same thing if there's enough money in it.
|
The other possibility of course is shady repair garage staff, valet parking operators and so on, who have hundreds of car keys and associated reg numbers go through their hands every day, grabbing this information and selling it on to organised rackets.
The problem with something like this is that once word gets out, it's only a matter of time before the technique is refined and simplified. The consequences are worrying because the racket in nearly-new cars being stolen to order is quite widespread.
|
The other possibility of course is shady repair garage staff
..wouldn't it be easier for them to just note the VIN and order a new key?
|
> ..wouldn't it be easier for them to just note the VIN and order a new key?
Traceable?
|
|
|
|
>>The thing is though, do you need to be all that near the key?
>>I can lock and unlock my Primera from my living room. The range of that key is unlikely to
>>be remarkable.
>>All you need is to be close enough to get a signal -- and I'm sure it wouldn't be too difficult to
>>probe for responses from keys.
I think that there may be a bit of confusion here. The article is about cracking the code of the immobiliser chip in the key - the one that tells the ECU that the right key has been inserted in the ignition and allows the car to run.
The system that remotely unlocks your doors is a different system altogether and all that does is tells the central locking to open and disables the alarm system etc. This system is different in that it works over a relative long range and the keyfob transmits a signal when you press the button.
The chip in the key doesn't so much transmit a signal but is more of a transponder and has to be very close to the ignition barrel in order to function. When I say very close, what I mean is that if the key is any further away from where it would be when it is inserted into the igniton, generally they are too far away and don't work.
So for these 'boffins' to be able to read the chip in your key, then basically they would require to be within a couple of inches of the key, not within feet for that hour that they need.
|
|
|
|
|
Surely two codes are needed though - code to open the doors via remote control (which this seems to target) and the separate code in the key transponder which the ECU looks for. I can't work this out. This system is said to 'need time in proximity to the key'. Odd, as the key doesn't emit any unlock signal unless the button is pressed, and it's probably a rolling code anyway. It would be more productive to target the car, where the locks opening would indicate sucess. With the right aerial it might be able to interrogate the transponder chip at a distance, (it's easy enough close up, obviously, as locksmiths now 'clone' keys) but then you've still got to open the doors......
JS
|
Look it really is a non event. This threat has been in theory for years. It takes an hour to suck all the codes out of your key and all day cpu power to crack the algorythm.
------------------------------
< Ex RF, Ex TVM >
|
Why would these three groups all set this as their target for the experiment?
I am wih AE on this, probably not an issue for 99% of us that don't drive Ferraris etc. I think my Altea will be safe for a while longer.
--
2007 Seat Altea XL 2.0 TDI (140) Stylance
2005 Skoda Fabia vrS
|
|
|
|
