
Thread: Scientists crack security system of millions of cars

  1. #1
    Junior Member
    Join Date
    Feb 2006
    Posts
    36


    Good reading!
    http://www.sundayherald.com/news/her...ns_of_cars.php



    Scientists crack security system of millions of cars

    It's the worst nightmare of the remote-control age - German scientists claim to have cracked the code of the electronic blipper that locks and unlocks cars and garage doors.

    The team from Ruhr University says it is now relatively straightforward to clone the remote control devices that act as the electronic keys.

    The scientists say they have overcome the KeeLoq security system, which is made by US-based Microchip Technology and is used by Honda, Toyota, Volvo, Volkswagen and other manufacturers to transmit access codes using radio frequency identification technology.

    The revelation caused consternation among the car makers. Volvo said it took security extremely seriously, but preferred not to comment further until its technical teams were able to look at the scientists' claims to establish whether they could be substantiated. At Volkswagen, a spokeswoman would make no comment. Honda also said it would pass the information to its engineering teams, echoing the view: "We obviously take security very seriously."

    If the claims are correct, it could pose a major headache for the car companies, whose keyless entry systems are becoming increasingly more common in their high-end marques.

    The research team from Ruhr's Electrical Engineering and Information Sciences Department said the crack applies to all known car and building access control systems that rely on the KeeLoq cipher. It targeted and ultimately cracked its RFID as part of its research in embedded security. "The security hole allows illegitimate parties to access buildings and cars after remote eavesdropping from a distance of up to 100 meters," says professor Christof Paar, head of the communication security group at the department.

    Timo Kasper, a PhD student who worked on the research, blamed KeeLoq for keeping the cipher secret. He said: "If they had made it public they would have found out 20 years ago that it's insecure. Now it's a little bit too late, because it's already built into all the garages and cars."

    Because most access devices are publicly available, it's not too hard for attackers to get their hands on one to perform the analysis. The hack requires about £1500 worth of equipment and a fair amount of technical skill, but once the unique master key for a particular model is available, it works universally, Kasper said.

    Paar's team used various code-breaking technologies to develop several attack variables. The researchers said that the most devastating was the so-called side-channel attack on car keys (or building keys), which can be cloned from a distance of several 100 meters.

    Based on the research, an attacker can reveal the secret key for the remote control in under an hour, and the manufacturer key of the corresponding receivers in less than a day.

    "Eavesdropping on as little as two messages enables illegitimate parties to duplicate your key and to open your garage or unlock your car," says Paar. "With another malicious attack, a garage door or a car door can be remotely manipulated so that legitimate keys do not work any more. Thus, after the security of the building or car has been breached, the attacker can prevent you from future access."

    The scientists said the KeeLoq's security relies on poor key management, in which every key is derived from a master that's stored in the reading device. Moreover, it uses a proprietary algorithm that had already been shown to generate cryptographically-weak output.

    That algorithm was kept secret for most of the last 20 years but 18 months ago an entry on Wikipedia published it. The research team almost immediately spotted weaknesses.

    Microchip officials have been quiet on the revelations, relying instead on a prepared statement which said: "The paper requires detailed knowledge of the system implementation and a combination of data, specialised skills, equipment and access to various components of a system, which is seldom feasible.

    "These theoretical attacks are not unique to the Keeloq system and could be applied to virtually any security system."

    11:09pm Saturday 5th April 2008

  2. #2
    Member imported_anubis2k7's Avatar
    Join Date
    Jun 2006
    Posts
    115


    This reminds me of when bump-keying became public. I believe the Germans also discovered that as well. Let's hope that the car industry's response isn't as poor as it was from lock manufacturers.
    "Sure is for people with nothing on the line.....you and me? We just get on with it."

    -Garabaldi

  3. #3
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    The article on the Register said that someone posted the algorithm for the code on Wikipedia and they happened to read it there. So did they really 'crack' it?

    If I recall, the person that posted the algorithm had inside information to the technology, so they didn't even crack it. This isn't a case of poor security, it's more of a case of industrial espionage.

    After all, these things have been in place for over 20 years and no one had 'cracked' it until the algorithm was released.

    So for those 'full disclosure' people, exactly how has this release made us all safer? Now any jagoff can open my garage doors, or my car, it will cost the manufacturer millions if they can do anything about it.

    Gee, I really don't feel that safe from this particular case of 'full disclosure'.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  4. #4
    My life is this forum Barry's Avatar
    Join Date
    Jan 2010
    Posts
    3,817


    Quote Originally Posted by streaker69 View Post
    The article on the Register said that someone posted the algorithm for the code on Wikipedia and they happened to read it there. So did they really 'crack' it?

    If I recall, the person that posted the algorithm had inside information to the technology, so they didn't even crack it. This isn't a case of poor security, it's more of a case of industrial espionage.

    After all, these things have been in place for over 20 years and no one had 'cracked' it until the algorithm was released.

    So for those 'full disclosure' people, exactly how has this release made us all safer? Now any jagoff can open my garage doors, or my car, it will cost the manufacturer millions if they can do anything about it.

    Gee, I really don't feel that safe from this particular case of 'full disclosure'.
    Don't worry, it was on Wikipedia, it's probably wrong.

    Hey, speaking of opening cars, did anyone ever build that car door combination button pusher thingy?
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69

  5. #5
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533


    Quote Originally Posted by Barry View Post
    Hey, speaking of opening cars, did anyone ever build that car door combination button pusher thingy?
    I don't think it ever got past the conceptual stage. I was just thinking about that the other day.
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  6. #6
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509


    I wrote the program for the Basic Stamp 2, but got stalled on the mechanical side. There didn't seem to be a good arrangement that would cover multiple models/years. It could be built easily enough to cover just one model as a proof-of-concept though.
    Thorn
    Stop the TSA now! Boycott the airlines.

  7. #7
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote Originally Posted by Thorn View Post
    I wrote the program for the Basic Stamp 2, but got stalled on the mechanical side. There didn't seem to be a good arrangement that would cover multiple models/years. It could be built easily enough to cover just one model as a proof-of-concept though.
    I found some lighter weight solenoids than I had shown you when we talked about this last.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  8. #8
    Very good friend of the forum hhmatt's Avatar
    Join Date
    Jan 2010
    Posts
    660


    Quote Originally Posted by Barry View Post
    Don't worry, it was on Wikipedia, it's probably wrong.

    Hey, speaking of opening cars, did anyone ever build that car door combination button pusher thingy?
    Is this some concept to break the code on the keypads for cars? My friend had a Riviera that had one and I knew his code was really quite easy and there's no failed attempts lockout.

  9. #9
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533


    Quote Originally Posted by hhmatt81 View Post
    Is this some concept to break the code on the keypads for cars? My friend had a Riviera that had one and I knew his code was really quite easy and there's no failed attempts lockout.
    Specifically because there is no failed attempts lockout, you can simply configure a string of numbers that covers every possible combination. Since these buttons are 1/2, 3/4, 5/6, 7/8, 9/0, you can basically ignore the even numbers and concentrate on the odd.

    You'll see in the following link there are only 3,129 button presses to brute force every possible 5 digit combination. This would take about 20 minutes manually. The previous few posts regarded a discussion we had a while back about creating an automated "button presser" to quickly go through the 3,129 keys.

    http://everything2.com/index.pl?node_id=1520430
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";
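
The arithmetic behind the 3,129 figure in post #9, and what a failed-attempt lockout does to it, as an added example that is not part of the original thread. It assumes the keypad checks every run of five consecutive presses; `lockout_after` is a hypothetical mitigation parameter, not a feature of any particular vehicle.

```python
from itertools import product

BUTTONS = "13579"  # five physical buttons (1/2 ... 9/0), one symbol per button
CODE_LEN = 5

def de_bruijn(alphabet, n):
    """Cyclic de Bruijn sequence over `alphabet`: every length-n string occurs once."""
    k, a, seq = len(alphabet), [0] * (len(alphabet) * n), []
    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        db(t + 1, p)
        for j in range(a[t - p] + 1, k):
            a[t] = j
            db(t + 1, t)
    db(1, 1)
    return "".join(alphabet[i] for i in seq)

# Unroll the cycle so the last windows do not wrap: 5**5 + 4 presses.
CYCLE = de_bruijn(BUTTONS, CODE_LEN)
STREAM = CYCLE + CYCLE[:CODE_LEN - 1]

# Press count at which each code first completes a sliding window.
FIRST_HIT = {}
for end in range(CODE_LEN, len(STREAM) + 1):
    FIRST_HIT.setdefault(STREAM[end - CODE_LEN:end], end)

ALL_CODES = ["".join(c) for c in product(BUTTONS, repeat=CODE_LEN)]

def presses_to_open(secret, lockout_after=None):
    """Presses until `secret` matches, or None if the keypad locks first.
    lockout_after (hypothetical mitigation): wrong windows tolerated before lockout."""
    end = FIRST_HIT[secret]
    wrong_before = end - CODE_LEN  # each earlier window was a failed attempt
    if lockout_after is not None and wrong_before >= lockout_after:
        return None
    return end

def reachable_codes(lockout_after=None):
    """How many of the 3,125 codes the single stream can ever open."""
    return sum(presses_to_open(c, lockout_after) is not None for c in ALL_CODES)

if __name__ == "__main__":
    print(len(STREAM), reachable_codes(), reachable_codes(lockout_after=5))
```

Without a lockout the one stream reaches all 3,125 codes; with a lockout after five wrong windows it reaches only five of them before the keypad stops accepting input.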

  10. #10
    Senior Member imported_spankdidly's Avatar
    Join Date
    Feb 2006
    Posts
    1,031


    But a brick works so much better!
    I felt like bending the bars back, and ripping out the window frames and eating them. yes, eating them! Leaping, leaping, leaping! Colonics for everyone! All right! You dumb*sses. I'm a mental patient. I'm *supposed* to act out!
