Gone in 60 seconds--the high-tech version

By Robert Vamosi
News.com

http://news.com.com/Gone+in+60+seconds-the+high-tech+version/2100-7349_3-6069287.html

Story last modified Sat May 06 06:00:03 PDT 200



Let's say you just bought a Mercedes S550--a state-of-the-art, high-tech 
vehicle with an antitheft keyless ignition system.

After you pull into a Starbucks to celebrate with a grande latte and a 
scone, a man in a T-shirt and jeans with a laptop sits next to you and 
starts up a friendly conversation: "Is that the S550? How do you like it so 
far?" Eager to share, you converse for a few minutes, then the man thanks 
you and is gone. A moment later, you look up to discover your new Mercedes 
is gone as well.

Now, decrypting one 40-bit code sequence can not only disengage the 
security system and unlock the doors, it can also start the car--making the 
hack tempting for thieves. The owner of the code is now the true owner of 
the car. And while high-end, high-tech auto thefts like this are more 
common in Europe today, they will soon start happening in America. The sad 
thing is that manufacturers of keyless devices don't seem to care.

Wireless or contactless devices in cars are not new. Remote keyless entry 
systems--those black fobs we all have dangling next to our car keys--have 
been around for years. While the owner is still a few feet away from a car, 
the fobs can disengage the auto alarm and unlock the doors; they can even 
activate the car's panic alarm in an emergency.

First introduced in the 1980s, modern remote keyless entry systems use a 
circuit board, a coded radio-frequency identification (RFID) technology 
chip, a battery and a small antenna. The last two are designed so that the 
fob can broadcast to a car while it's still several feet away.

The RFID chip in the key fob contains a select set of codes designed to 
work with a given car. These codes are rolling 40-bit strings: With each 
use, the code changes slightly, creating about 1 trillion possible 
combinations in total. When you push the unlock button, the keyfob sends a 
40-bit code, along with an instruction to unlock the car doors. If the 
synced-up receiver gets the 40-bit code it is expecting, the vehicle 
performs the instruction. If not, the car does not respond.

A second antitheft use of RFID is for remote vehicle immobilizers. These 
tiny chips, embedded inside the plastic head of the ignition keys, are used 
with more than 150 million vehicles today. Improper use prevents the car's 
fuel pump from operating correctly. Unless the driver has the correct key 
chip installed, the car will run out of fuel a few blocks from the 
attempted theft. (That's why valet keys don't have the chips installed; 
valets need to drive the car only short distances.)

One estimate suggests that since their introduction in the late 1990s, 
vehicle immobilizers have resulted in a 90 percent decrease in auto thefts 
nationwide.

But can this system be defeated? Yes.

Keyless ignition systems allow you the convenience of starting your car 
with the touch of a button, without removing the chip from your pocket or 
purse or backpack. Like vehicle immobilizers, keyless ignition systems work 
only in the presence of the proper chip. Unlike remote keyless entry 
systems, they are passive, don't require a battery and have much shorter 
ranges (usually six feet or less). And instead of sending a signal, they 
rely on a signal being emitted from the car itself.

Given that the car is more or less broadcasting its code and looking for a 
response, it seems possible that a thief could try different codes and see 
what the responses are. Last fall, the authors of a study from Johns 
Hopkins University and the security company RSA carried out an experiment 
using a laptop equipped with a microreader. They were able to capture and 
decrypt the code sequence, then disengage the alarm and unlock and start a 
2005 Ford Escape SUV without the key. They even provided an online video of 
their "car theft."

But if you think that such a hack might occur only in a pristine academic 
environment, with the right equipment, you're wrong.


Real-world examples

Meet Radko Soucek, a 32-year-old car thief from the Czech Republic. He's 
alleged to have stolen several expensive cars in and around Prague using a 
laptop and a reader. Soucek is not new to auto theft--he has been stealing 
cars since he was 11 years old. But he recently turned high-tech when he 
realized how easily it could be done.

Ironically, what led to his downfall was his own laptop, which held 
evidence of all his past encryption attempts. With a database of successful 
encryption strings already stored on his hard drive, he had the ability to 
crack cars he'd never seen before in a relatively short amount of time.

And Soucek isn't an isolated example. Recently, soccer player David Beckham 
had not one, but two, antitheft-engineered BMW S5 SUVs stolen. The most 
recent theft occurred in Madrid, Spain. Police believe an auto theft gang 
using software instead of hardware pinched both of Beckham's BMWs.

How a keyless car gets stolen isn't exactly a state secret--much of the 
required knowledge is Basic Encryption 101. The authors of the Johns 
Hopkins/RSA study needed only to capture two challenge-and-response pairs 
from their intended target before cracking the encryption.

In an example from the paper, they wanted to see if they could swipe the 
passive code off the keyless ignition device itself. To do so, the authors 
simulated a car's ignition system (the RFID reader) on a laptop. By sitting 
close to someone with a keyless ignition device in his pocket, the authors 
were able to perform several scans in less than one second without the 
victim knowing. They then began decrypting the sampled challenge-response 
pairs. Using brute-force attack techniques, the researchers had the laptop 
try different combinations of symbols until they found combinations that 
matched. Once they had the matching codes, they could then predict the 
sequence and were soon able to gain entrance to the target car and start it.

In the case of Beckham, police think the criminals waited until he left his 
car, then proceeded to use a brute-force attack until the car was disarmed, 
unlocked and stolen.


Hear no evil, speak no evil

The authors of the Johns Hopkins/RSA study suggest that the RFID industry 
move away from the relatively simple 40-bit encryption technology now in 
use and adopt a more established encryption standard, such as the 128-bit 
Advanced Encryption Standard (AES). The longer the encryption code, the 
harder it is to crack.

The authors concede that this change would require a higher power 
consumption and therefore might be harder to implement; and it wouldn't be 
backward-compatible with all the 40-bit ignition systems already available.

The authors also suggest that car owners wrap their keyless ignition fobs 
in tin foil when not in use to prevent active scanning attacks, and that 
automobile manufacturers place a protective cylinder around the ignition 
slot. This latter step would limit the RFID broadcast range and make it 
harder for someone outside the car to eavesdrop on the code sequence.

Unfortunately, the companies making RFID systems for cars don't think 
there's a problem. The 17th annual CardTechSecureTech conference took place 
this past week in San Francisco, and CNET News.com had an opportunity to 
talk with a handful of RFID vendors. None wanted to be quoted, nor would 
any talk about 128-bit AES encryption replacing the current 40-bit code 
anytime soon. Few were familiar with the Johns Hopkins/RSA study we cited, 
and even fewer knew about keyless ignition cars being stolen in Europe.

Even Consumer Reports acknowledges that keyless ignition systems might not 
be secure enough for prime time, yet the RFID industry adamantly continues 
to whistle its happy little tune. Until changes are made in the keyless 
systems, any car we buy will definitely have an ignition key that can't be 
copied by a laptop.


================================
George Antunes, Political Science Dept
University of Houston; Houston, TX 77204
Voice: 713-743-3923  Fax: 713-743-3927
antunes at uh dot edu



Reply with a "Thank you" if you liked this post.
_____________________________

MEDIANEWS mailing list
medianews@twiar.org
To unsubscribe send an email to:
[EMAIL PROTECTED]

Reply via email to