Can the Hymee/Sco sCANalyser do this trick?

#1 | Dan 8 (Thread Starter) | 05-03-2006, 10:25 PM
http://www.autoexpress.co.uk/news/67...op_threat.html
#2 | Revolver (Sydney, Australia) | 05-03-2006, 10:48 PM
Yes it can and we know where you live!

j/k

Of course it can't. Don't give them ideas. Hymee might need another prototype car.
#3 | takahashi (Melbourne, Australia) | 05-03-2006, 11:40 PM
Originally Posted by Revolver
Of course it can't. Don't give them ideas. Hymee might need another prototype car.
I was just about to say....
#4 | xxup (Brisbane, Australia) | 05-04-2006, 01:44 AM
So they can't get into the car without keys, so how do they connect to the car's computer with a cable? Surely BMW are not so dumb as to place a port in the engine bay?
#5 | timbo (Canberra, Australia) | 05-04-2006, 01:59 AM
Wireless?!
#6 | xxup (Brisbane, Australia) | 05-04-2006, 05:59 AM
Originally Posted by timbo
Wireless?!
The article clearly states that the thieves connect to the car's system by cable.
#7 | sco (Brisbane, Australia) | 05-04-2006, 06:39 AM
No, you can't do this with sCANalyser. No surprises there.

Hmm... I don't want to share what I understand about this stuff to assist anyone who might want to try it. Let me say I have a rough idea how it could be done, but it would require much hard work. There could be ways to connect to the engine computer without accessing a diagnostic port. Again, I'm not prepared to share what I know on that, for everyone's benefit. Each vehicle manufacturer has a different approach to security, so something that works for one manufacturer may not for another. I also know of some manufacturers that vary the security even across models, so something that works for one model may not for another.

The fact of the matter is that any security system given enough time and resources can probably be broken. This applies to many things (secure credit card transactions, engine computers, internet banking, a combination lock etc). The aim is to make it difficult so it is impractical. Often complex security systems result in the simplest of workarounds anyway (like throwing a car onto a flat bed and getting a mate "on the inside" to get you new keys or replace the modules that relate to security). If someone wants your car they will get it. And there is always carjacking. Probably much less effort than this electronic skulduggery.

Last edited by sco; 05-04-2006 at 06:41 AM.
#8 | timbo (Canberra, Australia) | 05-04-2006, 06:32 PM
Originally Posted by xxup
The article clearly states that the thieves connect to the car's system by cable.
Hmmm, this report says wireless, which makes sense.
#9 | auzoom (Melbourne, Australia) | 05-04-2006, 09:36 PM
"They then track a vehicle until they know it will be parked in a secluded area, because they need the time to connect their laptop to the car's computer via cable."
#10 | timbo (Canberra, Australia) | 05-04-2006, 10:47 PM
Andrew, check the link in my post, where you'll find (reporting the same theft of Beckham's X5(s)):
"The expert gang suspected of stealing two of David Beckham's BMW X5 SUVs in the last six months did so by using software programs on a laptop to wirelessly break into the car's computer, open the doors, and start the engine."
As I said, it makes sense. They probably scan to catch the RF transmission from the fob to the car, then decrypt it, and replicate the next in the rolling key sequence.
#11 | takahashi (Melbourne, Australia) | 05-05-2006, 05:42 AM
Yeah, all about the wireless ignition... so people steal cars wirelessly now.

Makes perfect logic...
#12 | sco (Brisbane, Australia) | 05-05-2006, 06:09 AM
Both scenarios are entirely possible, wired or wireless. In both cases, compromising some form of security is required to allow the engine to start without the correct key.

Don't forget in the early days people were getting into cars by recording the signal from remote key fobs and replaying it. This compromise may be similar in that they are simulating what the proper transmitter is doing but different in that it isn't replaying a recorded signal.
#13 | auzoom (Melbourne, Australia) | 05-05-2006, 08:57 AM
Originally Posted by timbo
Andrew, check the link in my post, where you'll find (reporting the same theft of Beckham's X5(s)):
As I said, it makes sense. They probably scan to catch the RF transmission from the fob to the car, then decrypt it, and replicate the next in the rolling key sequence.
Sorry mate, wasn't saying you were wrong, was just in a hurry and trying to point out that they may have gotten "into" the car wirelessly (the old "record the RF signal of the beeper" trick), but they still need the diagnostic port to get the car going.

Andrew
#14 | kunz (Sydney, Australia) | 05-05-2006, 03:03 PM
Originally Posted by auzoom
Sorry mate, wasn't saying you were wrong, was just in a hurry and trying to point out that they may have gotten "into" the car wirelessly (the old "record the RF signal of the beeper" trick), but they still need the diagnostic port to get the car going.
Andrew
Not necessarily. (Sorry for the rather unstructured response, it's 5am. I'm almost dead!)

Hmm, while I'm not an expert in this field, I have lots of 'playing around' experience with ECU tweaks, RFID chips (both passive and non-passive) @ uni and curiosity about 'security' in general, so here's my 2c. (I happen to be a comp/biomed engineer so I used to get a lot of special 'privileges' at uni .. :P)

I've read a couple of these articles and there seem to be a lot of inconsistencies in the way they've presented certain information. It's not as easy as they make it look (e.g. CrashOverRide (1337 hax0r dude) standing outside your car with his laptop, types some stuff and drives off with your car half an hour later). These journalists have a passion to bloat about things they don't understand just to create hype.

In order for them to get into the car, they would have had to challenge-hack the reader (in this case, the car). Most newer cars have RFID tags in them which are transponders. 99% of the time, these are passive tags, hence they do not have an onboard power supply and only work when a reader (in this case, the car itself) periodically sends a 'challenge' signal.

Currently the most common type of key in these transponders is 40-bit. This includes most of the expensive cars currently in production. Although the key is 'secret' and is the first line of defence, that's not where the real security of the system is. Each car produced in the same model/batch will have the same algorithm, however the keys will all be unique.

Once you have the key, you need to work out the algorithm implemented for the system.

That can only be done via A LOT of challenge+responses and some clever reverse engineering - not difficult, but it takes time and patience. A simplified version of this would be a key generator (used to crack software licences).

Anyway, once you have this algorithm, you've got the holy grail for that car make and model. (That explains why it's easier to steal the same car twice, rather than go for a different car.)

Sniffing for the 'key' isn't as easy as it sounds (or used to be :P). Although they do make 48- and 128-bit key RFID chips, they're not really that feasible for car manufacturers atm, so almost all of them use the standard 40-bit chips. 40-bit might not sound as 'suave' as 128-bit, but on today's computers, obtaining the correct 40-bit key via brute force on 10 P4s would take more than 2-3 days. So yeah, this is not something your average hacker will bother doing =) (most thieves would be better off trying to tow the car away hehe).

Is there a way around the 10 days? Of course. For around $500 a pop, get some programmable gate arrays, some clever coding and you could crack the key in around 16 hours. The more of these gate arrays you get, the easier it is to crack the key. To obtain the key in around 30 minutes, I'm guessing you'd need around 20 of these.

To obtain the keys, you don't have to wait for the victim to do anything either. All you need is to get in close range with the victim (or use an antenna) to act as a reader. Even if the transponder (key) is in the pocket of the victim, you can send the challenge signal around 5-10 times PER second. You only need a couple of minutes for enough data to go home and either 1) play with it to figure out the algorithm or 2) emulate the key and fool the car into thinking it's a legit key.

The way it works isn't as simple as a "hello, here's my key". What actually happens is the car (reader) sends out a 'statement' to the transponder. The transponder then encrypts the statement it receives using the pre-programmed 40-bit key and the 'secret' algorithm and responds with a 24-bit sentence, which is then verified by the car to ensure the transponder is legit.

Once the key is obtained, all the attacker needs to do is emulate the function of the transponder, i.e. using the 40-bit key, encrypt the statement sent by the car and return a 24-bit response using another RFID transponder (which is programmable, of course).

Once they're inside the car, they don't need to hook anything up to the OBD port. In fact, there is no other way to access the ECU other than the diagnostic port UNLESS you piggyback another ECU onto it. If the car can be remotely started using the transponder key, then the attacker wouldn't really have to do anything else to drive away with the car.

If the car doesn't have a wireless ignition system, then the attacker has two ways to get on with it. Most of the new cars will not allow you to start the car without the correct RFID key-auth in place (which is why you can't just go and get your car keys cut and start using them straight away). Again, the information does not travel through conduction via the metallic key - it's the same challenge-auth in place during the initial door-opening phase. All the attacker has to do is use traditional hot-wire methods + place their RFID transponder close to where the key is inserted and .. voilà =)

Last edited by kunz; 05-05-2006 at 03:13 PM.
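Added example (not part of kunz's post or sco's): a small model of the exchange the two posts describe. It plays out why the old record-and-replay trick from post #12 fails against a challenge-response tag, how a rogue reader harvests (challenge, response) pairs from a fob in someone's pocket, what an exhaustive key search over those pairs looks like, and how the full 40-bit search scales with parallel hardware as post #14 estimates. The transponder's real algorithm is not on this page, so a truncated SHA-256 is an assumed stand-in that only reproduces the shape (secret key + challenge in, 24-bit response out); the 40-bit challenge width, the demo key 0xBEEF, the fixed challenges, the 16-bit reduced search space and the keys-per-second figure are all constructed for the demo.

```python
"""Model of the car/transponder challenge-response discussed in the thread.

ASSUMPTION: the tag's real keyed algorithm is not published on this page, so a
truncated SHA-256 over (key || challenge) stands in for it. Key and response
widths follow post #14 (40-bit key, 24-bit response); the challenge width is assumed.
"""
import hashlib
import os
from typing import List, Optional, Tuple

KEY_BITS = 40        # key size post #14 says is common in car transponders
CHALLENGE_BYTES = 5  # assumed 40-bit challenge from the car
RESPONSE_BITS = 24   # response width stated in post #14

Pair = Tuple[int, int]  # (challenge, response)


def transponder_response(key: int, challenge: int) -> int:
    """What the tag in the fob computes: f(key, challenge) -> 24-bit response.

    Keys are always encoded as 40 bits so that a reduced-size search below
    still produces the same values as the genuine tag.
    """
    key_bytes = key.to_bytes(KEY_BITS // 8, "big")
    chal_bytes = challenge.to_bytes(CHALLENGE_BYTES, "big")
    digest = hashlib.sha256(key_bytes + chal_bytes).digest()
    return int.from_bytes(digest[: RESPONSE_BITS // 8], "big")


class CarReader:
    """Car-side reader: holds the key, issues a fresh challenge, checks the reply."""

    def __init__(self, key: int) -> None:
        self._key = key

    def new_challenge(self) -> int:
        return int.from_bytes(os.urandom(CHALLENGE_BYTES), "big")

    def verify(self, challenge: int, response: int) -> bool:
        return response == transponder_response(self._key, challenge)


def replay_attack(car: CarReader, recorded: Pair, fresh_challenge: int) -> bool:
    """The old 'record the fob and play it back' trick (post #12).

    Works against a fixed code; here the car's challenge has changed, so the
    recorded response is the wrong answer and the car rejects it.
    """
    _, old_response = recorded
    return car.verify(fresh_challenge, old_response)


def harvest_pairs(tag_key: int, challenges: List[int]) -> List[Pair]:
    """Rogue reader near the victim's pocket: sends its own challenges and logs
    (challenge, response). Modelled by querying the genuine tag function."""
    return [(c, transponder_response(tag_key, c)) for c in challenges]


def brute_force_key(pairs: List[Pair], search_bits: int) -> Optional[int]:
    """Exhaustive search over 2**search_bits candidate keys.

    The first captured pair filters candidates; the remaining pairs reject the
    ~2**(search_bits-24) keys expected to match one 24-bit response by chance.
    search_bits is reduced for the demo; the full 40-bit search is what the
    CPU/FPGA estimates in post #14 are about.
    """
    first_c, first_r = pairs[0]
    for candidate in range(1 << search_bits):
        if transponder_response(candidate, first_c) != first_r:
            continue
        if all(transponder_response(candidate, c) == r for c, r in pairs[1:]):
            return candidate
    return None


def emulate_tag(car: CarReader, recovered_key: int, challenge: int) -> bool:
    """A programmable transponder loaded with the recovered key answers any challenge."""
    return car.verify(challenge, transponder_response(recovered_key, challenge))


def search_time_seconds(key_bits: int, keys_per_second: float, workers: int = 1) -> float:
    """Worst-case time to try every key with `workers` units searching in parallel."""
    return (1 << key_bits) / (keys_per_second * workers)


if __name__ == "__main__":
    key = 0xBEEF  # constructed demo key, inside the reduced 16-bit search space
    car = CarReader(key)
    c1 = car.new_challenge()
    r1 = transponder_response(key, c1)
    print("genuine tag accepted :", car.verify(c1, r1))
    print("replay accepted      :", replay_attack(car, (c1, r1), car.new_challenge()))
    pairs = harvest_pairs(key, [0x0102030405, 0x0A0B0C0D0E, 0x1122334455])
    found = brute_force_key(pairs, search_bits=16)
    print("recovered key        :", hex(found) if found is not None else None)
    if found is not None:
        print("emulated tag accepted:", emulate_tag(car, found, car.new_challenge()))
    # Constructed rate: 10 workers at 1e6 keys/s each against the full 40-bit space.
    print("full 40-bit search   : %.1f hours" % (search_time_seconds(40, 1e6, 10) / 3600))
```

Two captured pairs are the minimum worth keeping: with a 24-bit response, one pair leaves about 2**16 false candidates in a 40-bit space, and each extra pair cuts that by another factor of 2**24. The `search_time_seconds` helper makes the post's scaling argument explicit: doubling the number of search units halves the worst case, which is why the FPGA count rather than the clock speed is the lever.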
#15 | kunz (Sydney, Australia) | 05-05-2006, 03:18 PM
If you haven't figured it out already, the cheapest way to save yourself from _rare_ and _extremely gifted_ thieves would be to wrap the transponder (i.e. your car keys) in some sort of shielding when not in use.
#16 | Dan 8 (Thread Starter) | 05-05-2006, 05:46 PM
Are you suggesting we lead-coat our keys or carry a lead pipe? Great info, thanks.
#17 | timbo (Canberra, Australia) | 05-05-2006, 08:33 PM
Trunkmonkey

Next problem?!
#18 | kunz (Sydney, Australia) | 05-05-2006, 10:42 PM
LOL timbo, can you organise a group buy for trunkmonkeys? :D

/side note: Got my car back today :D wooo