May3
High-tech thieves are becoming increasingly savvy when it comes to stealing automobiles equipped with keyless entry and ignition systems. While many computer-based security systems on automobiles require some type of key — mechanical or otherwise — to start the engine, so-called 'keyless' setups require only the presence of a key fob.
The expert gang suspected of stealing two of David Beckham's BMW X5 SUVs in the last six months did so by using software programs on a laptop to wirelessly break into the car's computer, open the doors, and start the engine.
"It's difficult to steal cars with complex security, but not impossible. There are weaknesses in any system," Tim Hart of the Auto Locksmith Association told the U.K.'s Auto Express magazine. "At key steps the car's software can halt progress for up to 20 minutes as part of its in-built protection," said Hart.
Because the decryption process can take a while — up to 20 minutes, according to Hart — the thieves usually wait to find the car in a secluded area where it will be left for a long period. That is believed to be what happened to Mr. Beckham — the crooks followed him to the mall where he was to have lunch, and went to work on his X5 after it was parked.
While automakers and locksmiths are supposed to be the only groups that know where and how security information is stored in a car, the information eventually falls into the wrong hands.
According to the Prague Post leaving such information on a laptop is what got Radko Sou�?ek caught for stealing several cars. "You could delete all the data from your laptop, but that's not good for you because the more data you have, the bigger your possibilities," he says. He says any car that relies on software to provide security can be circumvented by other software. "Every car has its weak spot," he says. Sou�?ek faces up to 12 years in prison.
The Leftlane Perspective: Many modern cars now rely on software entirely for security. Gone are the days where microchips supplemented mechanical locks as an additional security measure. In the case of true 'keyless' systems, software is the only thing between a thief and your car. As computers become more powerful, will stealing cars become even easier? Never mind future cars with better security — what about today's cars a few years down the road? With cars as inexpensive as the Toyota Camry offering entirely keyless systems, these concerns a relevant to all consumers.
I'll stick to my kill switch.
"what about today’s cars a few years down the road?"
That is what I was thinking. Seems like it will be like the early Camrys that you could use any key from any other Camry. We will see.
[…] Click here to view the article […]
who would want a keyless car anyway.i think all cars should still have keys to start them and unlock them.
The lesson to be learned from this article? Buy cheap cars. Like cory said in the previous message, "who would want a keyless car anyway?".
Kiltak
[Geeks Are Sexy] Tech. News
so…when will fingerprint starters be released on the market?
×’× ×‘×™×? פורצי×? ×œ×ž×›×•× ×™×•×ª יוקרה בעזרת מחשב × ×™×™×“
×ž×›×•× ×™×•×ª יוקרה מצוידות במערכת ×?שר מ×?פשרת ×œ×”× ×™×¢ ×?ת הרכב בלי ×œ×”×›× ×™×¡ ×?ת המפתח. מספיק שהמפתח ×™×”×™×” בקרבת הרכב בכדי שהרכב ×™×•× ×¢. ×’× ×‘×™ רכב הצליחו לפ…
[…] Przyznam siÄ™ szczerze, że nie wiem jak siÄ™ kradnie samochody. Wiem za to czym. Laptopem. Najnowsze modele, rzecz jasna, te z najwyższej półki. W ten wÅ‚aÅ›nie sposób w ciÄ…gu ostatnich szeÅ›ciu miesiÄ™cy podprowadzono Davidowi Beckhamowi dwa BMW X5 (sztuka kosztuje w Polsce nawet ponad 300 000 peelenów). ZÅ‚odzieje bezprzewodowo podÅ‚Ä…czyli siÄ™ do komputera pokÅ‚adowego, zÅ‚amali zabezpieczenia, otworzyli drzwi, odpalili silnik, wsiedli i odjechali. […]
pay no attention to line 10. This is just a secret message for terrorists using public posts for their instructions. Please citizen, go about your business.
How about lockout policies? I mean one would think that any automobile wireless key entry system would employ an encrypted key complemented with a lockout policy. The user always carries the unique key identifier, so theft of the ID device is still possible. But wouldn't lockout policies (similar to a corporate environment) be helpful?
Short and sweet:
2 unique Identifiers (1 for car + 1 for driver)
Lockout 2-3 authentication threshholds (in the event car ID is obtained)
Lockout duration (5-15 minutes)
Somwhat functional as to an ASYM encryption approach
Theoretical result:
Pay no attention to comment #13.
That is just what they want you to think!
[…] Leftlane has posted an article about car thieves stealing cars using laptops to open the doors and start the car. A lot of modern vehicles come with remote-driven keyless entry and the ability to start the engine remotely as well. […]
"While automakers and locksmiths are supposed to be the only groups that know where and how security information is stored in a car, the information eventually falls into the wrong hands."
The writer shows his ignorance of information security here. Security through obscurity has been proven to be useless. It IS possible to build cryptographically secure systems that are not defeatable even if the attacker knows how the system works.
The failure of the auto manufacturers to design their computer systems securely is horrible, but not really suprising. It did take them fifty years to include seatbelts…
Pay no attention to comment #14 as Israel is a terrorist state. Furthermore, people and organizations that use terror for financial, political, or various sundry reasons communicate in many languages and ciphers.
The Israelites are terrorists. Everyone just steriotypes the muslims as terrorists when that is like saying all Americans love George Bush and are fat, and drive huge gas guzzlers( ok maybe thats true for most). Israel routinely bombs Palestine. They are such idiots, even with Americas help they still lost the Gaza Strip.
The comments are nice. Policticks suck! get it…..ticks….suck…ahahahahahaha
Ooh, looks like we have some allah-heiling neo nazis here.
Point of order: it wasn't Hitler who came up with the idea of labeling Jews with identifying tags. Mohammed wrote that into the Koran. Hitler just thought it was a good idea.
Any religion based on a piece of racist trash like the Koran ought to be got rid of ASAP.
MOm! I can't read post #10
Now if they could just perfect the ability to wirelessly assume control of the a-hole's car that just cut you off in traffic so you force his car to make a right turn off the bridge…
I wish my car had wireless entry the day I fell on my keys.
Why am I not suprised? Now your car can be stolen in broad daylight and no one would know or care. Park next to the car, crack it, and get in it like you own it.
BTW, comment #1 is pretty stupid. A kill switch can be found by any decent theif in less than 30 seconds, or completely bypassed in the same amount of time.
There will always be a way to steal car. In big cities it's not uncommon for a car theif to just use a Flat bed truck. Easiest way to get around ANY security or alarm system.
FYI - I fear for LLN's bandwith usage for the month - looks like a good slashdotting is in effect: http://slashdot.org/articles/06/05/03/1928256.shtml
Good job keeping the site operational under the increased load!
Sometimes, i still trust cars with conventional keys. The more complex it is, everything tends to be even easier to be decoded.
I, for one, welcome our new keyless overlords.
Agree with 16. Its *pretty* stupid if they havent designed with hackers in mind.
Gumibears on fingerprint pads. Please. If you pay 100k for a vehicle Im pretty sure the recognition tech will be better then your $15 Micro$hit reader.
Eitherway, anything is breakable. The titanic sunk, file sharing still exists, and where there is a will there is a way.
When building this kind of a system, it's tough to make reasonable defaults. For example, how many times should it take before you pause the authentication engine? How long should it pause? 20 minutes doesn't seem long, but if you consider that someone with a powerful enough transmitter could send deliberately false authentication codes to try and make everyone's cars lock out in a crowded parking lot at the mall during Christmas rush. All of a sudden, 20 minutes seems reasonable in comparison to 1 hour.
Even more scary: imagine a criminal deliberately disabling the authentication system of a keyless entry car so he can physically assault his victem. Keyless entry using bluetooth or other wireless seems positively hare-brained.
My opinion? Don't use wireless authentication mechanisms for anything that needs to remain physically secure. On a network, you can make these kinds of tradeoffs, but not in your car..
"When building this kind of a system, it’s tough to make reasonable defaults. For example, how many times should it take before you pause the authentication engine? How long should it pause? 20 minutes doesn’t seem long, but if you consider that someone with a powerful enough transmitter could send deliberately false authentication codes to try and make everyone’s cars lock out in a crowded parking lot at the mall during Christmas rush. All of a sudden, 20 minutes seems reasonable in comparison to 1 hour."
If the system were cryptographically sound, there would be no need to have any pause, because there would be so many possible codes that it would take beyond the age of the universe to find the correct code.
retinal scans should do the trick
The first and most obvious answer is to make the range of the system very short, less than a foot. A thief standing next to the driver's door of an expensive car, laptop in hand, would be kind of obvious.
There are still reliable antitheft techniques.
Own a 15-year old Toyota, and park it between a Mercedes CLS 500 and a Lincoln Navigator. Works every time.
[…] Dave Beckham is pissed. People keep stealing his cars with laptop computers. […]
[…] […]
Cars a lot cheeper than a Camry also offer keyless entry.
By the way, what about our nowadays alarm systems?
Are they really secure? I don't trust, but I use. . .
Comment #32 makes sense, but what if the system isn't totally wireless?
I mean, it works wireless, but if brutal force attack is detected it stops working and the user have to join the portable device in the door and/or the engine's power system.
And about the distance, well. . . A great thief could use a external wireless anten. Just drop it in the sand. . . Or maybe even use a splited system. He puts a small recever/transmitter device near the door. . .
One thing I was thinking today is how our lifes changed with mobile phones and PDAs. . . By the way, do we care about our information in it? If someone steals it, can I recover the information? Can I forbidden he/she to read it? Absolutely not.
So I think the information we use in these systems would be better hosted in servers, instead of mobile devices. And a quick way to avoid the thief getting your info would be necessary. For example, what about a 4 numbers code you submit to a website or by telephone to block the device's access to your virtual data storage system?
Keyless entry is fairly common these days (getting moreso). Hopefully keyless theft will not!
Even as technology security gets better, the technology to thwart it stays one step ahead.
Poor Technology?
As a computer scientist, I find it difficult to understand why any laptop can foil the encryption (or unencrypted byte sequence for that matter) in under 20 minutes. Properly encrypted, long byte sequences should take considerable time (years if encrypted) to crack.
You're right, it would still be reasonable to include measures against a brute force attack. But if the system uses strong cryptography, a delay of mere seconds after an incorrect try would be enough to make brute forcing nearly impossible.
There's no reason physical contact should be required though. Think about SSL, the system that protects your data when you submit it to a secure web site. There's no way an attacker can read the data without compromising your computer or the remote server, and there's no way to impersonate the web server to trick you. The same protocols would work for authenticating to your vehicle, if the manufacturers were not too lazy and stupid to use it.
Well,
the thing is. . .
I think these wireless systems (at least the weaks ones) work in a one-way and without variation. Am I right?
If so, the encryption wouldn't work. Once it'd no matter to the theif.
A solution I'd consider would envolve a two-ways dialog. I mean, not only the car receives the data, but also the mobile device receives and works on it.
For example:
To open the door:
1st. mobile tells the car that the user wants to open the door and the time (maybe with an obscure offset) is xyz (sync would be made necessary) in an encrypted way
2st. car sends to the mobile device the time set on it and checks if it matter (and if anything strange happens the mobile device could tell it's owner that someone is trying to open the door if it isn't that away from it)
3st. mobile device check the data against a token in it and finally tell the car to open it if the data transmiter pass.
4st. car checks the data and, if ok, tell the mobile device that it's going to open the door, waits for a tiny time to get the response (in a way like TCP of the TCP/IP), if the mobile says ok, it opens. If it doesn't, it doesn't open.
Both the car and the remote device could have a log of its activites and could check one against the other if necessary. . .
[…] [Via LeftLaneNews] […]
Lots of good points above.
The "One-Time Pad" is the only true, 100% uncrackable (when used correctly), encryption cypher. It was developed many years ago (1917) and was even used to a large extent in WWII. If this method of encryption was used, we would only have to be concerned about those rogue tow-truck operators.
One-Time Pad Info
[…] LeftLaneNews has an interesting article on using laptops to defeat security on modern vehicles. […]
SSL-tunnels AND public / private key encryption, anyone ?
[…] InteresantÃsimo artÃculo que nos explican (en inglés) una de las posibles maneras que pudieron utilizar los ladrones del BMW X5 de Beckham. […]
So, who's in to make a movie out of this ?
One of the interesting comments from the article reads, "While automakers and locksmiths are supposed to be the only groups that know where and how security information is stored in a car, the information eventually falls into the wrong hands". This is called security-through-obscurity, and should be a warning sign to anyone that something is not secure at all (as opposed to simply having weak security). There are many very secure systems whose entire inner-workings are fully disclosed to the public. It is that disclosure that helps such systems start out strong and stay strong with respect to security.
Hey champ I discussed that over 12 hours ago
All the computer professionals who want to work for GM's automotive division, raise your hand!
(Toyota, maybe, but it's in the South)
I leave my 1991 Vauxhall unlocked and still nobody has stolen it. Please somebody help mme get rid of it!
[…] Gone in 20 Minutes: using laptops to steal cars (from /.) - High-tech thieves are becoming increasingly savvy when it comes to stealing automobiles equipped with keyless entry and ignition systems. While many computer-based security systems on automobiles require some type of key — mechanical or otherwise — to start the engine, so-called ‘keyless’ setups require only the presence of a key fob to start the engine. Wow… Makes me think twice before deciding to make my security all based on software. […]
[…] May 5, 2006, 9:08 am Very ineteresting Posted by russell under News , Off Topic Gone in 20 Minutes: using laptops to stealcars […]
We need to go back to standard keys . In the old days it only took 60 seconds. Now with these new fangled gadgets I have to bring my lunch.
"so…when will fingerprint starters be released on the market?"
Hmmm - already done. Some high-end Mercedes use fingerprints-based locks. And, about 2 years ago, the owner of one (in Malasia) lost both his car AND a finger to four machete-wielding car-jackers. Who needs Gummi Bears?
The best security to go with keyless enrty is to get a Trunk Monkey!
Your Paranoia Shidoshi Knew This Would Happen
Keyless entry, OnStar, and so on and so forth. You saw convenience, and I saw it coming….
I have a keyless car and it's great for when you in a hurry. from a distance I can unlock the doors and start the car. I think if the thiefs get the same frequency as the transmitter then who cares what computers can do to cars?
If someone wants to steal a car they will. They will find a way, no matter what security you have.
[…] *door bell rings* - Ah, finally! What took you so long?! - I came by bike.. - ?!??!??@@#{???? - yeah, my car got hacked […]
Pay no attention to comment to comments 45 and 51. These are just secret messages for terrorists using public posts for their instructions. Please citizen, go about your business.
[…] Gone in 20 Minutes: using laptops to steal cars The expert gang suspected of stealing two of David Beckham’s BMW X5 SUVs in the last six months did so by using software programs on a laptop to wirelessly break into the car’s computer, open the doors, and start the engine. […]
[…] Take a look out for anyone using their laptops in carparks. It appears that car-theives have evolved. They can break into your car using laptops. Don't ask me how they did that. Beats me too. […]
[…] Não é que eu tenha muita pena dele. Não tenho. Mas de qualquer maneira fica a nota: O sr. David Beckham devia pensar em comprar carros menos vistosos e tecnológicamente avançados. Segundo consta, nos últimos 6 meses já lhe roubaram 2 BMW's X5. A tecnologia é verdadeiramente impressionante. Segundo a LeftLane News é coisa para um laptop e 20 minutos de espera. Tal como eles dizem, nem precisamos de pensar nos carros do futuro com as tecnologias do futuro. Basta pensar num carro do presente (um X5 de 2006 por exemplo) daqui a dois ou três anos… […]
SEI QUE COM A GLOBALISAÇÃO E O ALMENTO DA CAPACIDADE DE IMAGINAÇÃO ESTAMOS EVOLUINDO TECNOLOGICAMENTE E AO MESMO TEMPO SOFRENDO AS CONCEQUENCIAS DE TAL EXITO, QUE DEIXAR BEM CLARO QUE COM TANTA TECNOLOGIA E RIQUESAS PRA POUCOS SER� O MEIO DE VIDA PARA OS MARGINAIS TAMBEM, ESTAREM SE ESPECIALIZANDO ALMENTANDO ASSIM A MARGINALIDADE OS GRANDES EMPRESARIOS ESTÃO ESQUECENDO QUE, INVESTIR EM TECNOLOGIA E NÃO INVESTIR EM MENOS GRIMES NÃO É UM BOM NEGÓCIO. OBRIGADO
well a steering wheel that you can remove is the best thing you can get so they dont steal it.
[…] Gone with your car in 20 minutes […]
ã‚ーレスエントリã?¯20分ã?§é–‹ã??ï¼?
Stealing cars: have laptop, will travel(Register)元ãƒ?ã‚¿ã?¯ã?“ã?£ã?¡ãƒŽãƒ¼ãƒˆãƒ‘ソコンをæŒ?ã?£ã?Ÿçªƒç›—犯ã?Œã€?ã‚ーレスエントリã?®è»Šã?®é?µã‚’é–‹ã?‘ã‚‹ã?®ã?«ã?‹ã?‹ã‚‹æ™‚é–“ã?¯20分ã? ã?¨ã?®ã?“ã?¨ã€‚ã?—ã?‹ã‚‚直接触る必è¦?ã‚‚ã?ª…
ready?
[…] VÃa: Leftanenews Filed under: Informática, Got life?, Futbol, Cars | Tags: Cars, Futbol, Got life?, Informática. […]
Well, I make no claims to being a security expert, but if this gets more and more popular, a scenario where an attacker is trying to hack the key must become easier with a caryard full of vehicles with these keyless sytems.
I know the numbers are spectacularly large on guessing a decent-length key, but if there are say 50 cars within range which respond to the same format of RF or whatever wireless system is used, each key attempted would have a chance on all of them simultaneously, yeah? So still 20mins between attacks, but it increases your odds somewhat, surely.
Further, what if an attacker wandered into a car-park somewhere likely to have expensive vehicles parked in it regularly (preferably the same vehicles), and installed a recording device that logged signals from nearby vehicles/keys? Simply rebroadcast…
Attention to comment 19, perhaps Israel lost the Gaza Strip because of the Yanks help, look at Vietnam…
[…] High tech thieves are targeting keyless entry cars. Becoming more prominent is the option to enter your car and start it without a key. We rely on the quality of the software and the strength of encryption. But what happens as your car ages and over time strong encyption becomes weak encryption? I can see a day where a thief simply walks past older cars in a mall parking lot to have doors pop open or engines start. Or perhaps I sit down in the drivers seat to see a message on the dash "Important security update available! Download now?" I'll ponder my watch knowing I'm already late but a security update means a vunerability in my security system has been found and the thieves know it. BUT! If I update and restart my car, it might not work. I am powerless but to turn on my best Shatner, clench my fists, look to the ceiling, and as the camera pans out scream "Gaaaaattees!" (hear Shatner) […]
posts 10 and 11 are definitely for terrorists to post secret messages. man it would suck to live in america and not be able to post messages in spanish or english. and not know how to even drive a car.
[…] read more | digg story posted by crzyland at 2:28 pm […]
Hi, try also: Nice site ac milan bayern and add more info.
[…] [Via LeftLaneNews] […]
How about "Quantum cryptographic protocols" ??
[…] http://www.leftlanenews.com/Â You can leave a response, or trackback from your own site. RSS 2.0 […]
Number 6: when will finger print scanners …..Useful ones — never.
Take a look at Microsoft's unit. Software and drivers NOT Microsoft. Thing is called a "password manager" and terms and conditions deny it is a security device. The software is crzy and will ruin your computer. You want something like this is your car? Why not invite the whole Windows operating system into your car? Nightmares.
I want buy this key
hiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiihhiiiiiiiiiiiiiiiiiiiiiiiiiii
[…] Leftlanenews has more here. […]
asdsad
hola
hola
[…] A look at how thieves are using laptops to steal the most expensive luxury cars. Many of these cars have completely keyless ignitions and door locks, meaning it can all be done wirelessly. Thieves often follow a car until it gets left in a quiet area, and they can steal it in about 20 minutes. Scary stuff.read more | digg story […]
[…] "High-tech thieves are becoming increasingly savvy when it comes to stealing automobiles equipped with keyless entry and ignition systems." […]
[…] Commission of crimes - this is the one part of Crime.net that's gotten mainstream press coverage so far. Phishing, hacking into computers for credit card numbers, and so on. Data thefts at major retailers such as BJ's Wholesale Club and Lowe's indicate that there is probably more of this going on than has been reported in the media. And smart criminals may target smaller retailers that can't afford the security resources of large corporations. Although not strictly a network based attack, computers have also been used to steal cars and other items as reported here and here. […]
[…] read more >> […]
[…] read more >> […]
[…] Leftlane reports that all is not well in the world of high-tech gadgetary in cars. It looks like thieves are using laptops to crack the wireless code that controls the keyless entry systems for cars. […]
[…] Check out this post from /. "Thieves are using laptops/notebooks to steal the most expensive luxury cars. Many of these cars have completely keyless ignitions and door locks, meaning it can all be done wirelessly. Thieves often follow a car until it gets left in a quiet area, and they can steal it in about 20 minutes…" […]
dhvlgllz
dhvlgllz
fahchifn
fahchifn
Keyless car.. I have one of those.. And it is not amuzing at all, It is a real pain if you ask me!