Police 'stumped' by car thefts using electronic skeleton key

Police in California have admitted they are baffled by a series of car thefts where robbers use a small hand-held electronic device to unlock supposedly secure car-locking systems. "This is bad in the sense we're stumped," Long Beach deputy police chief David Hendricks told NBC. "We are stumped and we don't know what this …

COMMENTS

This topic is closed for new posts.


  1. Frumious Bandersnatch

    Sonic Screwdriver

    Obviously...

    1. Babbit55

      Re: Sonic Screwdriver

      This is why you should dead lock the car!

      1. Richard 31
        Paris Hilton

        Re: Sonic Screwdriver

        Deadlocking won't work if you have a device that can transmit the correct Open Sesame command to the car.

        1. Anonymous Coward
          Anonymous Coward

          Re: Sonic Screwdriver

          Insecure? Easy to hack? Do they run Android Automotive by any chance?

          1. Fatman
            FAIL

            Re: Sonic Screwdriver

            Insecure? Easy to hack? Do they run Android Automotive WindblowZE for Automobiles by any chance?

            FTFY!

            WindblowZE for Automobiles: "Where do you want to crash today!!!"

        2. Babbit55

          Re: Sonic Screwdriver

          @Richard 31

          My comment was to the sonic screwdriver comment. If you watch Dr Who you know that the sonic screwdriver cannot open a "Deadlocked" lock

    2. Bod

      Re: Sonic Screwdriver

      Need to make the lock out of wood.

    3. BillG
      Holmes

      Re: Sonic Screwdriver

      I'm an insider and I can tell you exactly what they are doing.

      Remote entry keyfobs contain programmed secure microcontrollers that transmit a rolling code sequence to the car. To open the door you need to transmit the next code in the sequence. The system is programmed to take into account missed transmissions, etc.

      The thieves used a special keyfob device with a microcontroller programmed to detect and transmit rolling code sequences. It intercepts and stores the rolling code signal from the keyfob to the car, then the device calculates the next sequences of that rolling code so that later it can send that code to the car to unlock the door.

      Easy to do if you have inside knowledge of the highly confidential rolling code algorithm. By design this cannot be reverse-engineered - the microcontroller actually self-destructs.

      So this means the special device was built and programmed by someone with inside knowledge. This means it's someone from keyfob manufacturers TRW or Bosch. My guess is they are all using Bosch keyfobs.

      However, on some cars there is a way to reset the rolling code sequence and start over, no signal interception needed. This requires intense insider knowledge.

      Of course, the keyfob manufacturer can't admit that this was done by someone inside their firms, as this would affect their contracts with the car manufacturers which are worth tens of millions of dollars.

      There is no defense against this except to deactivate the car's wireless control.

      1. Dave 32
        Coat

        Re: Sonic Screwdriver

        There are companies that can analyze/reverse-engineer a surprising number of "secure" chips. Here's one, for example:

        http://www.flylogic.net/blog/

        And, while these guys are legit, there's probably dozens of illegit or university lab students who could/can/are doing the same thing.

        Dave

        P.S. Yeah, I've got some experience in the computer security field, too. Can't say what exactly, though. ;-)

        1. BillG
          Coat

          Re: Sonic Screwdriver

          There are companies that can analyze/reverse-engineer a surprising number of "secure" chips. Here's one, for example:

          These chips can't be reverse-engineered. They will self-destruct if you:

          - Clock them too fast

          - Clock them too slow

          - Expose them to light

          - Attempt to probe any inside trace

          - Expose them to extremes of heat and temperature

          The chips contain false circuits and bogus code routines. And that isn't the half of it!

          The gist of it is, it would be cheaper to buy a new car rather than attempt to reverse-engineer these chips.

          1. Anonymous Coward
            Anonymous Coward

            Re: Sonic Screwdriver @BillG

            I remember what BMW said about EWS4 first used in 2007 I think.

            BMW

            The electronic vehicle immobilizer 4 is an immobilizer system that prevents unauthorized engine start. It was used for the first time in the Car Access System 3 in the E92.

            The electronic vehicle immobilizer 4 uses a new, modern encryption system. A 128 bit long secret key is assigned to each vehicle and stored in the BMW database. This secret key is known only to BMW. The secret key is programmed and locked in the Car Access System 3 and in the digital engine management.

            Once entered in the control unit, the secret key can no longer be changed, deleted or read. This therefore means that each control unit is assigned to a specific vehicle.

            The electronic vehicle immobilizer 4 operates with bidirectional and redundant data transmission. The K-CAN (CAN protocol) and CAS-bus (K-bus protocol) are used for this purpose.

            Reprogrammers

            - Programming of key is going directly in the ignition lock! No need for additional programmers and preparations of keys!

            - Support of latest technologies from BMW:

            1) EWS4 Secret Key (new 128-bit synchronization with engine control unit). BMW documentation “says” that no one can read or write it, but we can do it through OBD-II socket! Surprise!

            2) SOPT (encryption of keys and synchronizations with engine control unit). Now the keys can be programmed even for encrypted CAS! And even with encrypted EWS4 Secret Key, and now it’s the first software that can do it!

      2. Stevie

        I'm an insider and I can tell you exactly what they are doing.

        And did you tell the police this?

        1. Anonymous Coward
          Anonymous Coward

          Re: I'm an insider and I can tell you exactly what they are doing.

          Don't waste your breath Stevie he's talking rubbish. There may well be a rolling code but it still has to be tied to the actual vehicle in some way otherwise a criminal gang could simply hire a BMW, take the fob apart and 'press' the button a few thousand times using a motorised switch, recording the radio code sequence generated each time. If it worked the way BillG claims you'd only have to replay one of the later sequences to open any other BMW.

          1. ecofeco Silver badge
            Holmes

            Re: I'm an insider and I can tell you exactly what they are doing.

            "Don't waste your breath Stevie he's talking rubbish."

            Did you miss the part where he said "..use a SPECIAL keyfob designed to.."?

            Rhetorical question, of course.

            1. Anonymous Coward
              Anonymous Coward

              Re: I'm an insider and I can tell you exactly what they are doing.

              @ecofeco

              BillG wrote: "special keyfob device ... [that] ... calculates the next sequences of that rolling code so that later it can send that code to the car to unlock the door."

              So the only SPECIAL bit is that it acts like a NORMAL keyfob being pressed lots of times. Do please think about what you are reading.

          2. BillG
            Alert

            Re: I'm an insider and I can tell you exactly what they are doing.

            There may well be a rolling code but it still has to be tied to the actual vehicle in some way

            Exactly. Each keyfob is "seeded" with a code unique to that car/keyfob pair. The seed is transmitted when you press the keyfob button so your car knows it's being addressed, while nearby cars know to ignore your keyfob's transmission.

            But the seed isn't transmitted in the clear or separately - it's encrypted as part of the entire transmission sequence. First decryption of the total transmission tells the car yes, it is being addressed. That triggers the second decryption which says open the door or boot, or turn on the lights, activate alarm, etc.
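The receiver-side behaviour described in BillG's posts above (a rolling code that tolerates missed transmissions and is tied to one car/keyfob pair), sketched as an added example that is not part of the thread and not any manufacturer's algorithm. HMAC-SHA-256 over a press counter stands in for the proprietary cipher, and `Fob`, `Receiver`, `WINDOW` and the key handling are hypothetical names and assumptions.

```python
import hashlib
import hmac
import secrets

WINDOW = 16  # assumed look-ahead: how many missed presses the receiver tolerates


def code_for(key: bytes, counter: int) -> bytes:
    """Rolling code for one press: truncated HMAC-SHA-256 over the counter."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class Fob:
    """Key fob holding a secret shared only with its paired car."""

    def __init__(self, fob_id: int, key: bytes):
        self.fob_id, self.key, self.counter = fob_id, key, 0

    def press(self):
        # Every press advances the counter, whether or not the car hears it.
        self.counter += 1
        return self.fob_id, code_for(self.key, self.counter)


class Receiver:
    """Car side: accepts only codes ahead of the last accepted counter."""

    def __init__(self):
        self.paired = {}  # fob_id -> (key, last accepted counter)

    def pair(self, fob_id: int, key: bytes):
        self.paired[fob_id] = (key, 0)

    def accept(self, fob_id: int, code: bytes) -> bool:
        if fob_id not in self.paired:
            return False
        key, last = self.paired[fob_id]
        # Search only forward, so an already-used code can never match again.
        for counter in range(last + 1, last + 1 + WINDOW):
            if hmac.compare_digest(code, code_for(key, counter)):
                self.paired[fob_id] = (key, counter)
                return True
        return False


def demo() -> dict:
    """Run constructed scenarios against one paired fob and report outcomes."""
    key = secrets.token_bytes(16)          # constructed per-pair secret
    fob, car = Fob(1, key), Receiver()
    car.pair(1, key)
    results = {}

    first = fob.press()
    results["normal press"] = car.accept(*first)
    results["same frame replayed"] = car.accept(*first)

    for _ in range(5):                     # presses made out of radio range
        fob.press()
    results["after 5 missed presses"] = car.accept(*fob.press())

    # Another fob of the same model and id, but with a different secret.
    other = Fob(1, secrets.token_bytes(16))
    results["fob with a different key"] = car.accept(*other.press())

    for _ in range(20):                    # more missed presses than WINDOW
        fob.press()
    results["beyond the window"] = car.accept(*fob.press())
    return results


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:28s} -> {'accepted' if accepted else 'rejected'}")
```

In this sketch the algorithm is public and the only secret is the per-pair key, so codes recorded from one fob say nothing about another car's sequence.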

            1. This post has been deleted by its author

      3. Anonymous Coward
        Anonymous Coward

        Re: Sonic Screwdriver

        Next time I take my car in to Honda (see above) they say they will reprogramme the key.

        Which sort of suggests that they are well aware of the issue.

      4. Anonymous Coward
        Anonymous Coward

        Re: Sonic Screwdriver

        The police are stupid when it comes to many things.

        In the UK they are recommending people's locks being changed to this new type. (£75 a lock or something like that).

        The person from the fire brigade who does stuff for a council that is to do with locks tested one and could get in within 10 seconds tried to tell the police what a waste of time it was and they basically ignored and kept hassling the council to pay for these new useless locks. I am sure there must be something corrupt about it. I think being a policeman attracts people who are just as bad as the criminals most of the time.

        1. Ken Hagan Gold badge

          Re: Sonic Screwdriver

          "I think being a policeman attracts people who are just as bad as the criminals most of the time."

          I think you've got that backwards. Being a criminal makes becoming a policeman attractive. Society just has to ensure that there are checks and balances within the police force to spot people who have joined in order to be bent.

        2. Otto is a bear.

          Re: Sonic Screwdriver - Police

          It's a command culture, a Police officer will swear yellow is green if told to by a senior officer, even if it flies in the face of common sense. Policy is policy, the police are not the only organisations that suffer from this blindness, and no policeman is an expert in everything.

      5. Brenda McViking
        FAIL

        Re: Sonic Screwdriver

        There is a defense - stop using security through obscurity. History has told us a thousand times over - It NEVER works. If US defense contractors have had half their secrets spilled with their security budgets, then I'm not going to be the least bit surprised if automotive manufacturers have leaks.

        And get the guys creating the "secure" systems talking to those who break them. The former don't think outside the box enough, and the latter are never taken seriously enough, or worse, they're criminalised. The entire industry needs a change of mindset- quite how automotive industries expect a proprietary secret such as a key fob switching algorithm to remain secret for the lifespan of your average car (15 years or so) would be laughable, was it not so serious.

      6. Otto is a bear.

        Re: Sonic Screwdriver - No surprise

        I live near an auto plant, and a friend bought their latest desirable top spec sports model. Within a week it was stolen from his drive. The police told him that, that make's the worst to have round here, the local car thieves knew how to steal them before they came off the production line.

        Bring back crook locks and garages with big bolts on the inside.

      7. Anonymous Coward
        Anonymous Coward

        Re: Sonic Screwdriver

        BillG,

        You don't need to be an insider to say any of what you said; that is all known.

      8. scud

        Re: Sonic Screwdriver

        Not necessarily insider. Bosch as many others was hacked. Just some china man from "recovered information bureau" probably made some extra money on top of his salary...

    4. Caff

      Re: Sonic Screwdriver

      might not be far off, someone could have recorded enough combinations to sell a fob/key that simply cycles through a rainbow codebook of codes quickly in the hope that one opens a nearby door. Miscreants simply watch the carpark for flashing lights and dive in.

  2. Gert Leboski
    FAIL

    Only a matter of time.

    Some things are best left to the old fashioned, manual way that involves physical contact.

    Physical access to properties and vehicles.

    In-person card purchases.

    Networking.

    Password storage in a well guarded, coded book, instead of password vaults on a computer.

    To name but a few.

    1. masterdebate
      Devil

      Re: Only a matter of time.

      "Physical access" involves tumblers and keys. Those haven't ever been secure. Leave aside the practice of key bumping, there are so many ways to circumvent physical locks.

      1. Ole Juul

        Re: Only a matter of time.

        "Physical access" involves tumblers and keys. Those haven't ever been secure. Leave aside the practice of key bumping, there are so many ways to circumvent physical locks.

        Tumblers are often relatively easy to deal with, but the older lever locks are not. Yes, the cheap skeleton door keys are a joke, but even a very old 5 lever lock can be difficult, and/or time consuming to open. Of course there's a phobia for using old technology so that's out, along with anything that doesn't have fashion value. The bottom line is that there is no cure for car thieves - except driving a junker.

        1. I like noodles
          Stop

          Re: Only a matter of time.

          You don't want foolproof security on your car, otherwise you just get creeper burglaries* instead which happens a fair bit now anyway, at least here in NI it does.

          I believe there's also been an increase in car-jackings over the years as car security has improved.

          ------------------------------------------------------------

          * If you don't know what a creeper burglary is:

          It's easier to break into your house than your car. So they break into the house and look for the keys. So if you hide your keys? On occasion, if they really want your car, they'll boil the kettle and then bring it upstairs. They'll wake you up, hold the kettle over your head, and demand your keys.

          I'd rather they took my car than poured a kettle of boiling water over my head.

          1. Roland6 Silver badge

            Re: Only a matter of time.

            >You don't want foolproof security on your car

            For your average car, you want good enough security, so that there is a good chance the car is still there when you get back to it, but also if it does go missing you want to know that it is unlikely to re-appear any time soon and so the insurance will pay out.

          2. Anonymous Coward
            Anonymous Coward

            Re: Only a matter of time.

            They'll wake you up, hold the kettle over your head, and demand your keys.

            Do you know how quickly some people can bolt right up out of bed and shove the creep along with a faceful of boiling water all over the back wall of the bedroom?

            I'm going to love it when that happens the first time, if it hasn't already. I hope it ends up on Youtube.

          3. The Vociferous Time Waster

            Re: Only a matter of time.

            Are you from South Africa?

            1. This post has been deleted by its author

          4. Maharg
            Unhappy

            Re: Only a matter of time.

            I always thought there were more car thefts in NI because PSNI landrovers can’t go round corners fast, or for that matter in straight lines fast, I assumed it had gone down now they use Astras and only pull out the landrovers in July.

            My dad tells a story of noticing a burning car during one of the usual spots of bother back in the 70s, and ringing my nan to confirm that yes, his car was no longer parked outside her house.

          5. Stevie

            I'd rather they took my car than poured a kettle of boiling water over my head.

            Anyone trying to carry a kettle of boiling water through our house in the dark is risking a broken leg *and* a self scalding.

            Besides, I challenge anyone to get the controls on that never-to-be-sufficiently-damned cooker right first time by moonlight, and the leaky kitchen faucet aerator will spray water all over them. Also: our kettle is like unto a bell. Filling it is not a silent process. God help the poor bastard if he wakes the wife before me.

            A thought occurs (ow!). Why not forestall this grisly scenario that troubles you so much by simply alarming your kettle in some way?

            Or replacing your real kettle with one with holes in it so the Headboiling Burglar of Olde Londone Towne ends up leaving in disgust (and possibly wet clothes)?

            Or hiding your real kettle and leaving another with a snake sleeping inside it (and holes in case the burglar susses that the snake isn't venomous)?

            Or hiding your real kettle and replacing it with one housing one of those disgusting plate-sized spiders, so the burglar will awaken you with his unmanly shrieks of terror? Add holes for backup fun.

            Or hiding your real kettle and replacing it with one with the insulating stuff removed from the handle so the burglar will burn his hand when he picks it up, again alerting you with his shrieks of agony (bonus scalding if he drops the kettle here)?

            Or hiding your real kettle and replacing it with one with a hole drilled in the bottom that you fill with a gallium plug so the burglar fills the kettle, boils it only to have the water flood all over the place?

            Or hiding your real kettle and replacing it with one fitted with an internal steel reed whistle (like the ones you can get to ram up your neighbour's car's exhaust pipe) so the whole house is alerted to a headboiling in progress?

            Or hiding your only kettle eg in the fridge and have one high-level kitchen cabinet rigged to drop noisy cans, small bells, whatever you have onto the person who opens it? Rig is simple on an Ikea-style cabinet. You remove the shelf and the little pin bracket thingy from each side. Drill through the cabinet so the pin thingy hole is a through-hole. Insert nail through hole from outside, replace shelf and load with light but resonant crap. Close door (reinforce latch with rare earth magnets for best effect). With door held closed, remove nail to drop shelf front and load door with crapolanch-in-waiting. Warn family.

            I came up with these in about a minute and they are all doable with stuff I can get easily.

            1. jake Silver badge

              Re: I'd rather they took my car than poured a kettle of boiling water over my head.

              So, Stevie, how are you going to guard the iron? The waffle-iron? The cast-iron skillet? The 8" chef's knife? The scissors? The screwdrivers? The wine/beer bottles? The hair curler? The knitting needle? The fireplace poker? Etc?

              I could have shot the one intruder we have had here at chez jake, but when I got down to the kitchen, where he was, instead I calmly put down my Kimber & picked up the phone & called the non-emergency police line. When they arrived, I called off the dogs & he was transported to the hospital to stop the bleeding (and bleating, I might add!), and then on to booking & jail time. Stupidity should hurt! ;-)

              Dogs are Gawd/ess's gift to humanity.

              1. Steve Mann

                Re: I'd rather they took my car than poured a kettle of boiling water over my head.

                "So, Stevie, how are you going to guard the iron? The waffle-iron? The cast-iron skillet? The 8" chef's knife? The scissors? The screwdrivers? The wine/beer bottles? The hair curler? The knitting needle? The fireplace poker? Etc?"

                The iron is in the basement o' crap, good luck finding it since none of us have seen it in months.

                Waffle iron broke and was tossed.

                The scissors are always AWOL but on the off chance the bloody kid put 'em back in the drawer she undoubtedly put 'em back open with the points sticking out. If my experience is anything to go by the screaming of the pig-stuck burglar will alert us.

                If he opens the cupboard with the hair care electronics in it he will precipitate a crapolanche the likes of which hasn't been seen since that mountain in Iceland blew up.

                The beer and wine is in the basement: see comments re: iron.

                No-one knits in this house.

                We don't have a fireplace.

                The etc? is a problem but I feel up to the task of defeating anyone with my own counter etc? etc?

                Which leaves the 8" kitchen knife. My only hope is that he will knock over the butcherblock because he will have a leaky snake-filled kettle in one hand. I always do when trying to get a cutting implement one-handed.

                In all fairness I feel you are being disingenuous. The specific fear here was the Headboiling Intruder and I have shown how to deal with him.

                In point of fact anyone entering the Steviemanse will be deafened by the alarm system, designed for maximum disorientation and annoyance. Unless they have the power to ghost through walls.

                Then I'm f*cked.

            2. JeffyPooh
              Pint

              Re: I'd rather they took my car than poured a kettle of boiling water over my head.

              Our household has some that are up until as late (early?) as 6 am, and others that wake up at about 5 am (roughly). Most of the time there's no gap. Odds are high that it would end very badly for any late night 'creepers', especially if they ran into Grandpa in the wee hours (raised in the jungles of Asia, wrestles carabao, juggles knives, etc.).

        2. LaeMing
          Thumb Up

          Re: Only a matter of time.

          My Aunt's junker was stolen once. She found it abandoned 50m up the road!

          1. Destroy All Monsters Silver badge

            Re: Only a matter of time.

            > My Aunt's junker was stolen once. She found it abandoned 50m up the road!

            I hope that was a written apology and a box of chocolates on the driver's seat!

        3. Rob Crawford

          Re: Only a matter of time.

          Wondering about which time warp you fell through regarding locks and cars, the shitty wafer locks are long gone.

          It isn't a lock problem it's a nature of cars problem, they have windows, doors made of folded sheet metal and often a fabric roof. 'Tumblers are easy to deal' what a glorious almost politician like generalisation with well lets see you deal with an Assa Flexcore with anything other than a power drill or breaking the door in question

          In the UK immobilizers have been compulsory for years (and most of Europe) unless you have something very old (or shit) nobody is stealing it unless they have the keys or something that attaches to the management port and even then it's only for entry (unless they have fucked up real bad)

          Even Ford started using the Tribbe system in the early 90s, yeah you can punch the lock out but the immobiliser stops the car from moving (as I suffered back in 95 but the car didn't move)

          If a car hasn't an alarm then they just spread the door, it's the work of seconds, but the car is still not going anywhere (if it has an immobiliser)

          Hence you end up with a house break in and potential torture (as described by another comment)

          A fair example of the tools available for car entry are shown here http://shop.multipick-service.com/?language=en and you will find that the electronic options are limited to particular mfgr / mode / and date of manufacture

        4. Maharg
          Thumb Up

          Re: Only a matter of time.

          Well I don’t know, I'm sure I remember hearing about the South African car alarms that included flame throwers, and then you have James Bond's BMW that electrocuted would-be thieves (Tomorrow Never Dies I think, the one where he drives it using his phone), funny how the real life instance of the protection is much more scary, stupid and ridiculous than the one they thought only James Bond could have

          1. Anonymous Coward
            Anonymous Coward

            Re: Only a matter of time.

            Ahhh the old "South Africans have flame throwers" chestnut.

            1. It was not linked to the alarm. It was a manual anti-hijack device.

            2. It was not a flame thrower. It was gas-driven and ignited a squirt of gas (not gasoline, but actual gas) to scare off the attacker.

            3. It was an experimental design that did not pass legal muster, so it certainly is not in use.

            1. Maharg
              Mushroom

              Re: SP

              Just had a quick Google

              1) Yep, manual anti-hijack device, not car alarm

              2) “The Blaster was a liquefied petroleum gas flamethrower installed along the sides of the vehicle under the doors.” - http://en.wikipedia.org/wiki/Blaster_(flamethrower)

              3) It was legal, but demand was low and the cost too high so it was discontinued.

              1. Anonymous Coward
                Anonymous Coward

                Re: SP

                And I guess the locals didn't look too much different after a blast or two....

            2. Anonymous Coward
              Anonymous Coward

              Re: certainly not in use

              Not caring if it's legal or not, a friend's spouse fits them to cars in his commercial garage. Yes, it is the manual kind that you use when you are being car jacked to light ignite the attacker.

      2. Lee D Silver badge

        Re: Only a matter of time.

        ""Physical access" involves tumblers and keys."

        No it doesn't. Think I2C single-wire protocols. They only work when actual electrical contact is made (i.e. with the car body or door handle or a metal panel somewhere), do not transmit anything over RF (beyond electrical noise), and yet can transmit data (and power) back and forth. Then that can be used to activate car central locking.

        Or, hell, even the old Ford keys (though hackable in their current form) use this. The key is a blank, really, and relies on the chip inside it to negotiate over the metal connection of the key to the ignition / door and unlock the central locking. The "key" itself does nothing but turn the lock, but there's no reason it needs to do that at all, once the communication is working (I think that was left in to make people think it was still a "secure" key... fact is that a dead key, even for the right car, is like poking a stick into the lock - no tumblers are going to move and nothing is going to open)

        This has been done. Implementations of it have been hacked. But the fact is that you COULDN'T open the door without touching the car, and you couldn't tell what the car was communicating with without somehow being in the path of that electrical connection (not down the street with a radio scanner).

        But people seem to want RF remote connections, despite the fact that they have to then touch the door to open it anyway.

        1. Nigel 11
          Thumb Up

          @Lee D Re: Only a matter of time.

          Wish I could upvote that a hundred times over. Why, why, WHY do people see any advantage in a wireless "key" rather than a contact "key"? Same as paying more for notebooks lacking a wired network socket, I guess.

          Driving a junker works well. Someone recently radio-unlocked my 12-year-old car - presumably the tech to break 12-year-old radio security is now available for less than the cost of a new key? Anyway, they couldn't find anything much worth stealing, neither car nor contents.

      3. Anonymous Coward
        Anonymous Coward

        Re: Only a matter of time.

        So why don't people have remotes for their homes to open the door? (with a key backup of course).

        What has happened is over time the car makers decided to forget trying to make a car more difficult to get into and focus on making the car impossible to start without the right key.

        There are two reasons why people want to get into your car, 1. Steal contents, 2. Steal car. Most people don't leave anything valuable in their car these days.

        So the immobiliser has been very useful in stopping cars from being stolen. It stopped hotwiring or mechanical lock picking/bypass as the way to steal cars. But all this has done is force the car thieves to change tactics, so they now look for more hi-tech solutions (or carjack).

        What seems to be the problem is there is obviously some dealership backdoors or tricks that are known about. Just like I remember hearing how you could bypass password security on laptops by connecting a few pins together on the parallel port (a reset procedure).
