Car Remotes Hacked...



97K15004WD
April 10th, 2008, 03:48 AM
"Car Remotes Hacked

Some of the simplest things that we take for granted aren't as secure as we assume. But will this really help car thieves?
German scientists have cracked the KeeLoq system, which is the cryptography used in RFID-based remote devices, including car remotes from Volvo, Honda, Toyota and Volkswagen.

At first glance this seems like a catastrophe for owners of those cars (I own two Hondas myself). And make no mistake, if the report is true, it exposes great failings of both U.S.-based Microchip Technology, which designed the security system in those devices, and the automobile companies that implemented it and trusted Microchip Technology. They both have a problem. This isn't a new phenomenon, by the way. A similar crack happened a couple years ago.

And it's not just cars. Many remote openers for gates and garages are based on the same technology, which the article I cited says uses a 20-year-old insecure cipher."

==================================================

Here's the whole article:
http://www.eweek.com/c/a/Security/Car-Remotes-Hacked/?kc=EWKNLSTE041008FEA1

Holy shades of OBDIII Batman. Does this mean my OBDIII box can now be hacked too?!?

Garry
April 10th, 2008, 12:02 PM
Once again it was shown that Security by Obscurity (i.e., not open for public scrutiny) doesn't exist ...

dfe1
April 10th, 2008, 02:03 PM
Once again it was shown that Security by Obscurity (i.e., not open for public scrutiny) doesn't exist ...
Yeah, that's why I prefer "Security by Smith & Wesson".

redhardsupra
April 13th, 2008, 01:15 PM
since i do computer security professionally, i should probably chime in...
wireless security is a joke, wifi, rfid, bluetooth, even the digital cellphones are all hackable. granted, some of them take more effort (read: computing horsepower) than others (bluetooth is trivial, cell phones are not) but ultimately there is no such thing as a secure wireless connection.
this is why things like rfid in passports (especially now that passport production is apparently offshored!) is a horrid idea. we'd make document forgery actually easier, as the bad guys wouldn't even have to pickpocket our passports, just pass by us close enough to read off all the info. realid i think is based around the same technology, so it's equally stupid.

bluetooth is the worst offender, as the number of combinations that 'protect' the communication is a 10 digit (so only a 10^10 key space!) pin number. this is so low that it's best solved by bruteforce.

wifi isn't much better, i've cracked the 128bit WEP with about 10min of data gathering and then about a second (!) of actual cracking. WPA2 is much better, but still not perfect, but just by looking at the AP's around in my neighbourhood there's only 2 out of about 11 that use it. sadly enough i don't even use it as my wifi hardware is old and doesn't support it.

so with all this crap out there, i'm amazed that there haven't been better hacks. i heard of being able to lock/unlock doors in Lexus cars a few years ago, i dunno if they've protected it better since. but with the integration of entertainment/nav/ecu electronics, soon enough we'll be able to bluejack a car and turn off the engine, or better yet, put it in reverse at highway speeds. there will be deaths due directly to wireless hacking, i will bet anybody a good chunk of money.

there's enough jackasses out there, the other day i read a story about someone who put rapidly blinking pictures on an internet forum dedicated to support people with epilepsy. you can guess the outcome.

Cougar281
April 13th, 2008, 03:15 PM
or better yet, put it in reverse at highway speeds. there will be deaths due directly to wireless hacking, i will bet anybody a good chunk of money.

I HIGHLY doubt that one... There are PHYSICAL safeguards to prevent reverse engagement while traveling forward. I know the GM trucks with the Allison WILL NOT engage reverse while moving forward at highway speed (I've tried it), and IIRC, when mythbusters tried it with a Crown Vic, same thing, no reverse while moving forward with any significant velocity.

redhardsupra
April 13th, 2008, 03:20 PM
i dunno man, when microsoft made the computer for the 7 series bmw they had some serious problems in the beginning, car would shift to neutral (at speed!), the trunk would pop open (also at speed), etc...

Cougar281
April 13th, 2008, 03:26 PM
Dropping to neutral and goofy stuff like the trunk popping open I can see (If my truck tries to shift to 6th when I have the 4th gen controller hooked up {I have an 04 LLY/5speed}, it'll drop to neutral, for example), but not shifting to reverse while driving down the highway unless something is SERIOUSLY wrong with the transmission to begin with. The mechanical portion of the shifter controls the basic flow of fluid in the valve body, so in order to even attempt reverse, you'd need to move the lever, and then as I said before, there are other mechanical safeguards to prevent reverse engagement at speed. The other major thing I have a hard time believing that a hacker could do is shut the engine down. I know in the GM vehicles, it is NOT possible to kill the engine via onstar (there are physical ign power feeds, not data feeds, to the major modules like ECM and TCM that control the powerup/start/run/shutdown), so I HIGHLY doubt a hacker could do it remotely. Maybe other mfgs do it differently, but I'd hope they'd have a similar safeguard to prevent such things.

N0DIH
April 15th, 2008, 02:55 AM
No, there aren't power feeds, there is this thing called bus commands.... If there is a bus command that can be sent, OnStar can send it. I'll leave it at that.


...I know in the GM vehicles, it is NOT possible to kill the engine via onstar (there are physical ign power feeds, not data feeds, to the major modules like ECM and TCM that control the powerup/start/run/shutdown), so I HIGHLY doubt a hacker could do it remotely. Maybe other mfgs do it differently, but I'd hope they'd have a similar safeguard to prevent such things.

Cougar281
April 15th, 2008, 03:17 AM
No, there aren't power feeds, there is this thing called bus commands.... If there is a bus command that can be sent, OnStar can send it. I'll leave it at that.

Yes there are ign and +12 power feeds to the ECM, TCM and IPC (In the GMT800's at least), as well as class 2. If you can program it on the bench without a BCM, it has ign power feeds. Devices such as the radio, amp, CDX, etc that only have +12 and Class2 feeds DO use bus commands to power on and will not power on without a BCM.

N0DIH
April 15th, 2008, 03:33 AM
I meant power feeds through the TCU. OS can't "cut" power per se....

Basically if OnStar commands the TCU (Telematics Control Unit) to shut off engine, it will do so. Trust me, you don't have all the Class2 or CAN/GMLAN commands.... There are tons of them.... lots and lots.....

General rule I have heard, OnStar won't, but I am sure if the police told them to, they can. They can do lots.

Cougar281
April 15th, 2008, 03:44 AM
Tinfoil hat time, I guess. :shock:

Mr. P.
April 15th, 2008, 07:11 AM
Tinfoil hat time, I guess. :shock:

:laugh: Computers scare me. :throw: LOL

Mr. P. :)

Wasted Income
April 16th, 2008, 12:11 PM
I meant power feeds through the TCU. OS can't "cut" power per se....

Basically if OnStar commands the TCU (Telematics Control Unit) to shut off engine, it will do so. Trust me, you don't have all the Class2 or CAN/GMLAN commands.... There are tons of them.... lots and lots.....

General rule I have heard, OnStar won't, but I am sure if the police told them to, they can. They can do lots.

Not if you pull the onstar fuse.....lol :cucumber:

TAQuickness
April 16th, 2008, 12:34 PM
I thought manual trans was always the way to go until I got out of my M6 bird and test drove an M5 Dodge Ram with no reverse lock out :D

Even if I couldn't send a wireless command to shut down an engine, I still think it would be cool to pull up on Bill and 0 the VE table :D

redhardsupra
April 16th, 2008, 02:11 PM
i'd love to be able to tune from a car next to the car i'm tuning, less noise, no shaking, no gas smell...

N0DIH
April 16th, 2008, 05:00 PM
Good point!! As someone here found out the hard way, just because you don't see the OnStar mirror doesn't mean an OnStar module isn't in the car....

And with no antenna don't even think that it can't make a call still, Analog 3w is pretty robust compared to digital when it comes to that.... But now that Analog CAN be shut off (not 100% if Verizon did do it for the sake of the OnStar customers with the Gen 1, 2, 3, 4 and 5 units) might be much less of an issue...

And if anyone has an OnStar TCU, Gen 4, aka, the black box one, please, let me know, I would like to get a few of them..... (I worked on the hardware design for a lot of them, Gen 2-6.x....) :secret: And for you ham radio guys out there, PM and I will tell you why....


Not if you pull the onstar fuse.....lol :cucumber:

ScarabEpic22
April 17th, 2008, 12:06 PM
Let's just say the OnStar box in my 02 is sitting in my garage...Let GM try and control the JBL amp I put in its place, muahahaha!!! And it's a complete stealth install, no one knows it's there. D