'Open sesame'... Subaru key fobs vulnerable, says engineer

A Dutch electronics engineer reckons Japanese auto-maker Subaru isn't acting on a key-fob cloning vulnerability he discovered. Tom Wimmenhove claims to have discovered that Subaru's electronic keys don't use a random number. The “rolling code” instead merely increments codes. Wimmenhove says he's built a cloning device ( …

  1. Anonymous Coward

    This won't be addressed

    Cost of replacement vs. low risk makes it unlikely to be addressed:

    - Subaru are nice cars, but hardly on the hotlist of most stolen cars

    - it takes effort to do this for a low return value

    - you need to be close enough to catch the signal when transmitted to have the initial count

    - they're older cars: it could get interesting if that's still the case with new cars.

    I can't see Subaru pay too much attention to this.

    1. Voland's right hand Silver badge

      Re: This won't be addressed

      It was from the days before it was offloaded to Toyota. In addition to everything, it now uses a different ECU and different transmitters - the Toyota ones. So, the "current" Subaru does not have the relationship with the manufacturers of the parts used in the old ECU and keyfobs to start off with.

      1. Deej

        Re: This won't be addressed

        Er.. I'm not sure Subaru has been "offloaded". Sure, they've done a couple of joint ventures with Toyota (like the BRZ/GT86), but they're still very much independent and a brand in their own right.

        However, you are right that they could well use different ECUs and transmitters, just as the technology has naturally evolved over time.

    2. Tim99 Silver badge

      Re: This won't be addressed

      "Subaru are nice cars, but hardly on the hotlist of most stolen cars"

      "Jack the Lad" likes older Impreza WRX/STI to joyride with his mates.

      1. Anonymous Coward

        Re: This won't be addressed

        The term "Clitoris"* vehicle, when describing the Impreza is the most accurtate after market name ever given to a vehicle.

        *Only C**** have them.

        1. Anonymous Coward

          Re: This won't be addressed

          So, you were overtaken by one and without its wing you would not even have had time to identify it?

        2. rsole

          Re: This won't be addressed

          Do you even know what "accurtate" means?

      2. JamesPond

        Re: This won't be addressed

        A mate of mine had his Subaru RB320 stolen by thieves that broke into his house, took the keys and used the car for a post office robbery. Police rammed it several times, came back with every panel but the roof damaged, all 4 alloys bent! Very nice fast car but if you ever watch police car chase programs, the thieves are usually driving a Subaru WRX or Mitsubishi Evo, although maybe now Audi RS3's seem to be preferred.

    3. Adam 1

      Re: This won't be addressed

      But a decade before these models the Rex would have been close to the most stolen vehicle on sale. It's a bit hard to judge on popularity amongst car thieves because cars are broken into for different reasons (joy ride/use in a crime/rebirthing/theft of contents/stereo etc)

      The first two are much harder now due to immobilisers. The third is harder because of datadot. The fifth is less of an issue in modern cars, especially those where the stock head unit supports Bluetooth and Android Auto/Apple CarPlay (there isn't much of a second hand back of the truck market for stock head units). Smash and grab is still an issue but frankly a secure rolling code isn't going to help you avoid that.

    4. Anonymous Coward

      Re: This won't be addressed

      "- Subaru are nice cars, but hardly on the hotlist of most stolen cars"

      They weren't on the hotlist until someone publicised a vulnerability that allowed key-fob cloning using cheap off the shelf hardware. I wonder whether the third party central locking kits you can get have similar vulnerabilities, or whether there will be a sudden burst of people fitting them to old Subarus.

    5. Alan Brown Silver badge

      Re: This won't be addressed

      "Cost of replacement vs. low risk makes it unlikely to be addressed:"

      The insurance industry has recently noted an uptick in car thefts without keys and aren't happy that it's due to poor security in car immobilisers and remote unlocking systems finally being exploited by cheap tech like RasPis

      In a parallel vein, sales of things like "The Club" are on the rise again.

    6. Aodhhan

      Re: This won't be addressed

      Stop and think about it for just 5 minutes, instead of throwing in a comment which isn't even worth 2 cents.

      Follow Subaru cars pulling into mall parking lots, movie lots or anywhere else around Christmas time with this vulnerability, and you'll gather up enough merchandise to make back your $25 easily.

      Plenty of people drive older cars, and just because he published older car models, doesn't mean it doesn't work with newer models.

      If you can't think like a criminal, then you're not going to do well in information security.

    7. Robert Carnegie Silver badge

      Re: This won't be addressed

      It's fairly easy to attach a small package of electronics to a car to do mischief on its own. Spider-Man would do it using his special spider web that lasts for an hour. Indeed he's been using electronic "spider-tracers" on people as well as vehicles for decades - the device makes his secret spider-sense buzz.

      Oddly though he tends to ride on the outside of buses, trains, and private motor vehicles to get around, when he isn't swinging on web-lines around town like an urban Tarzan with lianas.

  2. Anonymous Coward

    Re. Rolling codes

    I am in the process of implementing this on i10, seems that my problems with random failure of the keyfob might be attempts to get into the car by a third party as well as radar interference.

    It's feasible to use optical buffers (ie rapidly spinning GITD disk) and simple blue / IR LEDs with SMD diode pickup to store codes avoiding the need for a more expensive setup.

    Also the advantage here is that even if someone finds the device you can claim it's just a regular laptop HDD in a caddy as the RF circuitry and antenna can be disguised as part of the cable.

    1. Flocke Kroes Silver badge

      Re: Home made CD-RW

      For £6 you can get an 8GB μSDHC card that will store the boot code needed to access your improvised optical storage device. If you delete the rest of the improvised storage device and just keep the μSDHC card to store codes then you have saved space, money, made the device more robust and drastically cut the power requirements.

      People gave up trying to develop a competitive RW optical disk years ago.

  3. This post has been deleted by its author

  4. Anonymous Coward

    All your Subaru

    are belong to us.

  5. Anonymous Coward

    Weakest link...

    This hack seems a lot more complicated than the traditional brick or hammer approach. I always wondered if you’re smart enough to do this kind of thing, you can probably get a job that pays better than breaking and entering...

    1. Maventi

      Re: Weakest link...

      Possibly - but if done right this has some very sneaky potential.

      It won't really speed up someone stealing the car outright (and that would be obvious anyway) but if you say left a wallet (or valuable item) in the car and a thief was able to unlock the car, steal the item and then lock the car afterwards, a lot of folks wouldn't even immediately notice and would likely have a hard time trying to remember where they actually last left with said wallet or item.

      Certainly a locked car with no trace of tampering would not be high on the initial suspect list, and by the time the victim takes any decisive action, the thief has already had plenty of time to spend up large on their credit card or fob off stolen item. It's likely the car would remain completely unsuspected even well after the fact.

      1. Pascal Monett Silver badge

        Re: "a locked car with no trace of tampering"

        Would also not figure very high on the list of important things to investigate from a Police Dept. point of view.

        Not to mention that every single insurance company would point to absence of break-in and leave you up the creek without a paddle.

        So not good in any sense of the word.

    2. Anonymous Coward

      Re: Weakest link...

      "if you’re smart enough to do this kind of thing, you can probably get a job that pays better than breaking and entering..."

      Like making the devices to sell to others?

      1. StephenTompsett

        Re: Weakest link...

        Some criminals appear to be willing to expend an awful amount of effort for very small return.

        Some will do almost anything to avoid 'working'!

        1. MJI Silver badge

          Re: Weakest link...

          I don't get this. They put in days of work at well under minimum wage to make money.

          They would be better off fruit picking or something else of that type.

  6. Zog_but_not_the_first
    Thumb Up

    Country Joe...

    and the Scoobie?????

    Top marks for arcane references.

    1. Zippy's Sausage Factory
      Thumb Up

      Re: Country Joe...

      "You know you're never gonna stop the war if we can't hear you" or words to that effect? :)

    2. ArchieTheAlbatross
      Thumb Up

      Re: Country Joe...

      Best reference of the week so far, old guys rule!

      (The only people who drive Subarus round here are farmers, who never lock them anyway).

    3. Captain Badmouth
      Thumb Up

      Re: Country Joe...

      Country Joe... and the Scoobie?????

      and the phish, shirley?

      Upvote for the arcane reference reference.

      1. Antron Argaiv Silver badge

        Re: Country Joe...

        Gimme an F....

  7. David Roberts

    Cheap components?

    I was sceptical about building the whole thing for $25 so I had a quick search.

    Damn, but there is some cheap kit around.

    Now wondering if a DVB-T stick would work with my Android tablet.

    1. Jason Bloomberg Silver badge

      Re: Cheap components?

      I was wondering why he needed a DVB-T stick to handle 433MHz signals when a suitable receiver can be bought on eBay for around a dollar with free shipping.

      1. Anonymous Coward

        Re: Cheap components?

        Because it can handle a very wide range of frequencies.

      2. Alan Brown Silver badge

        Re: Cheap components?

        "I was wondering why he needed a DVB-T stick to handle 433MHz "

        Because purchasing one draws less attention than buying a 433MHz module when the rozzers start poking into purchase histories.

  8. John Smith 19 Gold badge
    Coat

    The Raspberry Pi

    Is there no end to what it can do in the hands of the clueful?

  9. 0laf
    FAIL

    Remember how VAG fixed the Megamos vulnerability that affected millions of cars from Skodas and Audis to Bugattis?

    Nope me either

  10. bitmap animal

    This will only open the doors

    I'm almost certain that they also have a separate immobiliser 'chip' in the physical key. This technique will open the doors which means you can steal whatever is in the car and will also disable the alarm making it easier to tow but still won't let you drive it away.

    1. VaalDonkie

      Re: This will only open the doors

      You will be surprised to learn how many Subaru models do not have an immobiliser

      1. wyatt

        Re: This will only open the doors

        My mondeo has decided to implement its own immobiliser. Fecking thing is a witch to start at the moment.

        1. inmypjs Silver badge

          Re: This will only open the doors

          " Fecking thing is a witch to start "

          Mate had a beat up Mondeo parked outside his house. Early hours of the morning Police knock on the door saying neighbours had reported someone trying to steal his car.

          Car was still there, it had been broken into. Police asked if anything was missing. Mate replied the ignition key. Police say 'what'.

          Mate explains ignition lock is dicky and it takes ages fiddling around to get the key in it so he leaves the key in the lock. Thief must have thought my mate an idiot then pulled out the key and triggered the car's immobiliser :)

        2. Solmyr ibn Wali Barad

          Re: Fecking thing is a witch to start

          Once upon a time there was a rusty Lada standing by the street. It had a note on it: "If you can start it, the pint's on me". Yet nobody seemed to accept the challenge.

          1. MyffyW Silver badge

            Re: Fecking thing is a witch to start

            My friend Dom had a Vauxhall Ashtray which he parked unlocked around the city back when car theft was the North East's chief youth training scheme. He'd flip the bonnet and remove the HT lead. Never had a problem. That said, the car was a total shit tip.

        3. nijam Silver badge

          Re: This will only open the doors

          > My mondeo has decided to implement its own immobiliser

          It's built in to the Ford badge.

      2. inmypjs Silver badge

        Re: This will only open the doors

        "You will be surprised to learn how many Subaru models do not have an immobiliser"

        Mine does although you wouldn't know it is there. Won't start without the car coded chip in the key being close to the steering column.

    2. Alan Brown Silver badge

      Re: This will only open the doors

      "I'm almost certain that they also have a separate immobiliser 'chip' in the physical key."

      Yup, but if you have access to the interior of the car then you also have access to the OBD2 port and you can teach it that the key transponder you just taped to the pickup ring is legitimate.

      Professional outfits will just disable the alarm and lift the car, but the real problem will be when cheap kits start circulating allowing 20-30 recidivist sociopaths to raise mayhem by stealing any scooby they want.

      FWIW: the most stolen cars are not the high performance ones. Those attract too much attention. Hardened car thieves steal boring econoboxes that no one looks twice at.

  11. iron Silver badge

    A vulnerability found in an old model also works on other models created years before the vulnerability was found? Well colour me shocked. Surely Subaru should have fixed it before he found it.

    Is it necessary to be a complete dick to be a security researcher or does it just help?

  12. Velv
    Boffin

    Maybe I missed something here...

    You can unlock the vehicle right? OK, so you can get at any possessions stored in the boot, glove box etc.

    But this doesn't bypass the immobiliser? You still need the correct key in the ignition to start the thing?

  13. Anonymous Coward

    This is not new....

    ...this was an issue on plenty of older makes of cars.

    Heck many 12 year old cars you can easily brute force the locks.

    How many owners are going to pay for a service to pay for the fix, even if there is one?

  14. EnviableOne

    Subaru is owned by:

    - Toyota Motor (16.48%)

    - The Master Trust Bank of Japan (5.40%)

    - Japan Trustee Services Bank (4.38%)

    - Mizuho Bank, Ltd. (2.05%)

    - Suzuki Motor Corporation (1.75%)

    - Sompo Japan Nipponkoa Insurance Inc. (1.55%)

    - FHI's Client Stock Ownership (1.40%)

    - Toyota Marine & Nichido Fire Insurance Co., Ltd. (1.32%)

    And on the Nikkei 225

  15. ChrisC Silver badge

    Can the fob *really* be "bricked"...

    ...or is it merely rendered temporarily useless until the owner recodes it to the car using the procedure documented in the user manual?

  16. DrM
    WTF?

    WTF?

    The “rolling code” instead merely increments codes.

    Ah -- yes, that is how rolling codes work, the whole idea behind them. They roll, they don't hop.

    You think a randomly selected code can work with a one-way data link? If you can use a random number for the next key, why not just use the random number? What do you need a rolling code for??

    Rolling code hacking is nothing new. https://en.wikipedia.org/wiki/Rolling_code#Vulnerabilities

    1. druck Silver badge
      Facepalm

      Re: WTF?

      Rolling codes are normally encrypted or hashed in some way these days, so an observer doesn't just see 1,2,3 being sent over the air.

  17. Alan Brown Silver badge

    bricking attacks

    "the attacker can brick the owner's key fob with an integer overrun"

    Only temporarily. Reintroducing the key to the car using the standard pairing sequence will fix that (it can happen in 2 key households with virtually any car if there are more than ~50 lock/unlocks from one fob before the other is used.)
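An added example, not from the article, the commenters or Subaru's actual design, modelling what druck and Alan Brown describe above: a rolling code as a keyed hash over a sync counter (so the air interface never shows 1, 2, 3), a receiver that accepts only the next few counter values and rejects replays, re-pairing with two consecutive presses once the fob has run ahead, and modular counter arithmetic so an overrun wraps rather than leaving the fob unusable. The 16-bit counter, 16-code window, two-press re-pairing and HMAC-SHA256 are assumptions of this model.

```python
import hashlib
import hmac
from dataclasses import dataclass

COUNTER_MOD = 1 << 16   # constructed: 16-bit sync counter that wraps instead of overrunning
WINDOW = 16             # constructed: the car accepts the next 16 counter values

def rolling_code(key: bytes, counter: int) -> bytes:
    # Keyed hash of the counter: the air interface carries opaque codes, not 1, 2, 3.
    return hmac.new(key, (counter % COUNTER_MOD).to_bytes(2, "big"), hashlib.sha256).digest()[:4]

@dataclass
class Fob:
    key: bytes
    counter: int = 0
    def press(self) -> bytes:
        self.counter = (self.counter + 1) % COUNTER_MOD   # modular: no brick at 0xFFFF
        return rolling_code(self.key, self.counter)

@dataclass
class Car:
    key: bytes
    last_counter: int = 0
    def _match(self, code: bytes, lo: int, hi: int) -> "int | None":
        # Counter in last+lo .. last+hi (mod 2^16) whose code equals `code`, else None.
        for step in range(lo, hi + 1):
            c = (self.last_counter + step) % COUNTER_MOD
            if hmac.compare_digest(rolling_code(self.key, c), code):
                return c
        return None
    def receive(self, code: bytes) -> str:
        # Replays (step <= 0) and codes beyond the window are rejected; a hit advances the counter.
        c = self._match(code, 1, WINDOW)
        if c is not None:
            self.last_counter = c
        return "reject" if c is None else "unlock"
    def resync(self, first: bytes, second: bytes) -> bool:
        # Re-pairing: two consecutive presses from anywhere in counter space restore sync.
        c1 = self._match(first, 1, COUNTER_MOD - 1)
        if c1 is None or not hmac.compare_digest(rolling_code(self.key, c1 + 1), second):
            return False
        self.last_counter = (c1 + 1) % COUNTER_MOD
        return True

def demo() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed shared secret
    fob, car = Fob(key), Car(key)
    code = fob.press()
    out = {"first": car.receive(code), "replay": car.receive(code)}
    fob.counter += WINDOW + 4                         # presses the car never heard
    out["far"] = car.receive(fob.press())             # out of window: needs re-pairing
    out["resync"] = car.resync(fob.press(), fob.press())
    out["after"] = car.receive(fob.press())
    out["wrap"] = Car(key, COUNTER_MOD - 2).receive(Fob(key, COUNTER_MOD - 1).press())
    return out
```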
