Dan 8

http://www.autoexpress.co.uk/news/67...op_threat.html

Revolver

Yes it can and we know where you live!

j/k

Of course it can't. Don't give them ideas. Hymee might need another prototype car.

takahashi

I was just about to say....

xxup

So they can't get into the car without keys - so how do they connect to the car's computer with a cable???? Surely BMW are no so dumb as to place a port in the engine bay??

timbo

Wireless ?? !

xxup

The article clearly states that the thieves connect to the car's system by cable..

sco

No you can't do this with sCANalyser. No surprises there.

Hmm... I don't want to share what I understand about this stuff to assist anyone who might want to try it. Let me say I have a rough idea how it could be done but it would require much hard work. There could be ways to connect to the engine computer without accessing a diagnostic port. Again, not I'm prepared to share what I know on that for everyone's benefit. Each vehicle manufacturer has a different approach to security so something that works for one manufacturer may not for another. I also know of some manufacturers that vary the security even across models, so something that works for one model may not for another.

The fact of the matter is that any security system given enough time and resources can probably be broken. This applies to many things (secure credit card transactions, engine computers, internet banking, a combination lock etc). The aim is to make it difficult so it is impractical. Often complex security systems result in the simplest of workarounds anyway (like throwing a car onto a flat bed and getting a mate "on the inside" to get you new keys or replace the modules that relate to security). If someone wants your car they will get it. And there is always carjacking. Probably much less effort than this electronic skulduggery.

timbo

Hmmm this report says wireless, which makes sense

auzoom

"They then track a vehicle until they know it will be parked in a secluded area, because they need the time to connect their laptop to the car's computer via cable."

timbo

Andrew, check the link in my post where you'll find -- reporting the same theft of Beckham's X5(s):
As I said, it makes sense. They probably scan to catch the RF transmission from the fob to the car, then decrypt it, and replicate the next in the rolling key sequence

takahashi

Yeah all about the wireless ignition... so people steal car wirelessly now.

Make perfect logic...

sco

Both scenarios are entirely possible.. wired or wireless. In both cases compromising some form of security is required to allow the engine to start without the correct key.

Don't forget in the early days people were getting into cars by recording the signal from remote key fobs and replaying it. This compromise may be similar in that they are simulating what the proper transmitter is doing but different in that it isn't replaying a recorded signal.

auzoom

Sorry mate, wasnt saying you were wrong, was just in a hurry and trying to point out that they may have gotten "into" the car wirelessly (the old "record" the rf signal of the beeper trick), but they still need the diagnostic port to get the car going.

Andrew

kunz

Not necessarily. (sorry for the rather unstructured response, its 5am. I'm almost dead!)

Hmm while I'm not expert in this field, I have lots of 'playing around' experience with ECU tweaks, RFID chips (both passive and non-passive) @ uni and curiosity about 'security' in general so heres my 2c. (I happen to be a comp/biomed engineer so I used to get a lot of special 'priviledges' at uni .. :P)

I've read a couple of these articles and there seems to be a lot of inconsistencies in the way they've presented certain information. Its not as easy as they make it look like - eg. CrashOverRide(1337 hax0r dude) standing outside your car with his laptop, types some stuff and drives with your car half and hour later). These journalists have a passion to bloat about things they dont understand just to create hype.

In order for them to get into the car, they would have had to challenge-hack the reader (in this case, the car). Most newer cars have RFID tags in them which are transponders. 99% of the time, these are passive tags hence they do not have an onboard power supply and only work when a reader (in this case, the car itself) periodically sends a 'challenge' signal.

Currently the most common type of key in these transponders are 40bit. This includes most of the expensive cars currently in production. Although the key is 'secret' and is the first line of defence, thats not where the real security of the system is. Each car produced in the same model/batch will have the same algorithm, however the keys will all be unique.

Once you have the key, you need to work out the algorithm implemented for the system.

That can only be done via A LOT of challenge+responses and some clever reverse engineering - not difficult, but takes time and patience A simplified version of this would be a keygenerator (used to crack software licences).

Anyway, once you have this algorithm, you've got the holy grail for that car make and model. (That explains why its easier to steal the same car twice, rather than go for a different car).

Sniffing for the 'key' isnt as easy as it sounds (or used to be :P). Although they do make 48 and 128bit key RFID chips, they're not really that feasible for car manufactures atm so almost all of them use the standard 40bit chips. 40bit might not sound as 'swarve' as 128bit, but on todays computers, obtaining the correct 40bit key via brute-force on 10 P4 would take more than 2-3 days. So yeah, this is not something you're average hacker will bother doing =) (most thieves would be better off trying to tow the car away hehe).

Is there a way around the 10 days? Of course For around 500$ a pop, get some programmable gate arrays, some clever coding and you could crack the key in around 16 hours. The more of these gate arrays you get, the easier it is to crack the key. To obtain the key in around 30 minutes, i'm guessing you'd need around 20 of these.

To obtain the keys, you dont have to wait for the victim to do anything either. All you need, is get in close range with the victim, (or use an antenna) to act as a reader. Even if the transponder (key) is in the pocket of the victim, you can send the challenge signal around 5-10 times PER second. You only need a couple of minutes for enough data to go home and either 1) play with it to figure out the algorithm or 2) emulate the key and fool the car into thinking its a legit key.

The way it works isnt as simple as a hello-heres my key. What actually happens is the car(reader) sends out a 'statement' to the transponder. The transponder then encrypts the statement it receives using the pre-programmed 40bit key and the 'secret' algorithm and responds with a 24bit sentence which is then verified by the car to ensure the transponder is legit.

Once the key is obtained, all the attacker needs to do is emulate the function of the transponder ie, using the 40bit key, encrypt the statement sent by the car and return a 24bit response using another RFID transponder (which is programmable of course).

Once they're inside the car, they dont need to hook anything up to the OBD port. In fact, there is no other way to access the ECU other than the diagnostic port UNLESS you piggy back another ECU onto it. If the car can be remotely started using the transponder key, then the attacker wouldnt really have to do anything else to drive away with the car.

If the car doesnt have a wireless ignition system, then the attacker has two ways to get on with it. Most of the new cars will not allow you to start the car without the correct RFID key-auth in place (which is why you cant just go and get your car keys cut and start using them straight away). Again, the information does not travel through conduction via the metallic key - its the same challenge-auth in place during the initial door-opening phase. All the attacker has to do is use traditional hot-wire methods + place their RFID transponder close to where the key is inserted and ..vallah =)

kunz

If you havnt figured it out already, the cheapest save yourself from _rare_ and _extremely gifted_ thieves would be to wrap the transponder (i.e your car keys) in some sort of shielding when not in use

Dan 8

Are you suggesting we lead coat our keys or carry a lead pipe , great info thanks

timbo

Trunkmonkey

Next problem?!

kunz

LOL timbo, can you organise a group buy for trunkmonkeys? :D

/side note: Got my car back today :D wooo