Andy_Bangle Posted October 24, 2014 Report Share Posted October 24, 2014 BBC Watchdog are going to take another shot car manufactures about their crappy locks and immobilisers. The team investigate the major security weakness that leaves hundreds of thousands of popular cars (BMW, Audi, Range Rover etc), from around 30 different makes and models, vulnerable to theft. Is your vehicle safe? BMW - Open to car theft? Link to comment Share on other sites More sharing options...
Risky Posted October 24, 2014 Report Share Posted October 24, 2014 Well I'll be watching it. But alas it's too late for my poor old car. Link to comment Share on other sites More sharing options...
CarMad Posted October 25, 2014 Report Share Posted October 25, 2014 There is very little the car manufactures can do, its EU regs that making it difficult to come up with a solution that everyone can be happy with. Link to comment Share on other sites More sharing options...
Soulboy Posted October 26, 2014 Report Share Posted October 26, 2014 More gross stupidity from the EU. Link to comment Share on other sites More sharing options...
Tipex Posted October 26, 2014 Report Share Posted October 26, 2014 I don't see how it can be the EU's fault when it doesn't affect most manufacturers? It's poor understanding and implementation of those regs by certain manufacturers that is the issue, the only people to blame are those manufacturers. Link to comment Share on other sites More sharing options...
Mac Posted October 26, 2014 Report Share Posted October 26, 2014 As I'm sure you can imagine I've looked into this quite a bit - and in reality it does affect pretty much all modern cars. The issue comes down to the availability of manufacturer-aligned kit to do the decryption. Funnily enough, most of the free market kit is compatible with the more premium/German manufacturers, and less focussed on the Vauxhall's of this world. Technically, the way they've implemented the key encryption (I mean key from a cryptographic perspective) is utterly retarded. The key programming uses a form of public/private key (again, cryptographic key, not car key) encryption - which makes sense. The idea is you never have enough of the key to be able to break the encryption. Here's where it falls down though - the regulations for being able to recut a (physical) key means that *both* parts of the cryptographic route are available at the same connection point. Anyone who knows anything about cryptography will know how utterly daft that is, it breaks the whole point of it in some respect. There's not even third party key encryption (I.e. use another public/private combo) to gain access to the root. It's bizarre really - electronic encryption done properly will negate pretty much anyone getting past it, and yet they've been forced (with little fight from the look of it) to implement it in a way that actually makes physical security stronger! You can't do this type of attack on my car now, due to some of my own adjustments to it. You not only need access to the car, but you need a couple of other things to decrypt - in effect I've added 3 factor authentication to it. Possibly over-kill, but hey ho. 2 Link to comment Share on other sites More sharing options...
billy2shots Posted October 27, 2014 Report Share Posted October 27, 2014 (edited) I mean key from a cryptographic perspective) again, cryptographic Anyone who knows anything about cryptography Let's be realistic for a minute. If its enough to bring down Superman, what chance do car manufacturers have? Edited October 27, 2014 by billy2shots 7 Link to comment Share on other sites More sharing options...
Andy_Bangle Posted October 27, 2014 Author Report Share Posted October 27, 2014 BBC News: Keyless cars 'increasingly targeted by thieves using computers' Evening Standard: Insurers will not cover new Range Rovers in London - unless you have secure parking Link to comment Share on other sites More sharing options...
patently Posted October 27, 2014 Report Share Posted October 27, 2014 Note the quote from the SMMT: As part of the need for open access to technical information to enable a flourishing after-market, this equipment is available to independent technicians. Translation: there was a policy decision from on high to release the information, don't blame us. But hey - I'm sure all the EU officials involved have secure underground parking at their office so they're ok Link to comment Share on other sites More sharing options...
Ian_C Posted October 27, 2014 Report Share Posted October 27, 2014 You can't do this type of attack on my car now, due to some of my own adjustments to it. You not only need access to the car, but you need a couple of other things to decrypt - in effect I've added 3 factor authentication to it. Possibly over-kill, but hey ho. I don't think thats overkill - that's putting your computng know-how to good use Mac. Link to comment Share on other sites More sharing options...
Andy_Bangle Posted October 27, 2014 Author Report Share Posted October 27, 2014 interesting as shows the scale of the problem for Land Rover. 294 Evoques and Sports stolen in first 6 months of the year, next car is the BMW X5 with 63 stolen. I'd like to know full figures for all cars though. http://www.autoexpress.co.uk/land-rover/range-rover/89183/range-rover-owners-refused-insurance-due-to-theft-risk Link to comment Share on other sites More sharing options...
max_b Posted October 27, 2014 Report Share Posted October 27, 2014 Rife and common across the Midlands unfortunately. Started with BMWs (all models including mainly M's), then onto Audi's (mainly RS and S) and taking things like Focus's (albeit RS models) and Fiesta's on pretty much a daily basis now. RRs are the flavour down south as easy access to the ports, the cars are driven straight out of the UK Link to comment Share on other sites More sharing options...
CarMad Posted October 27, 2014 Report Share Posted October 27, 2014 See thats why I went for the Ugly duckling, I mean who would want a 5 Series GT! Mind you in saying that I have thought about securing the ODB port with another solution but not sure I really want to add a third party solution to it to be honest. Link to comment Share on other sites More sharing options...
eldavo69 Posted October 28, 2014 Report Share Posted October 28, 2014 I believe the best solution involves one of the data pins being connected to a chunky 12V live. Just remember to tell the dealers before you fry their gear instead of the would-be thieves. 1 Link to comment Share on other sites More sharing options...
patently Posted October 28, 2014 Report Share Posted October 28, 2014 As I'm sure you can imagine I've looked into this quite a bit - and in reality it does affect pretty much all modern cars. The issue comes down to the availability of manufacturer-aligned kit to do the decryption. Funnily enough, most of the free market kit is compatible with the more premium/German manufacturers, and less focussed on the Vauxhall's of this world. Technically, the way they've implemented the key encryption (I mean key from a cryptographic perspective) is utterly retarded. The key programming uses a form of public/private key (again, cryptographic key, not car key) encryption - which makes sense. The idea is you never have enough of the key to be able to break the encryption. Here's where it falls down though - the regulations for being able to recut a (physical) key means that *both* parts of the cryptographic route are available at the same connection point. Anyone who knows anything about cryptography will know how utterly daft that is, it breaks the whole point of it in some respect. There's not even third party key encryption (I.e. use another public/private combo) to gain access to the root. It's bizarre really - electronic encryption done properly will negate pretty much anyone getting past it, and yet they've been forced (with little fight from the look of it) to implement it in a way that actually makes physical security stronger! You can't do this type of attack on my car now, due to some of my own adjustments to it. You not only need access to the car, but you need a couple of other things to decrypt - in effect I've added 3 factor authentication to it. Possibly over-kill, but hey ho. I've been thinking about this. What we need is a second private key - something that cannot be copied on the spot and which the owner can keep somewhere safe, only taking it out when he or she wants to access the car. It needs to be simple and inexpensive, obviously, but it would be useful if it could be copied when needed, but perhaps in a way that took a while and made quite a bit of noise so that it would alert the owner if done on the driveway. Something like a piece of metal, maybe, that was an intricate shape and had to be fitted into a correspondingly-shaped slot in the car before the car would start? 1 Link to comment Share on other sites More sharing options...
Tipex Posted October 28, 2014 Report Share Posted October 28, 2014 Lol, Fiat, Alfa (and others) always used to supply a red master key which you needed to do anything to the immobiliser or to make new keys etc, the theory was that you put the red key away somewhere safe until you need it, and use the normal black key day to day. The problem with that, is that if you place the responsibility in the hands of the owner, it all goes wrong when they inevitably lose the key, the result of that being that if you lose the normal key, and can't find the red one, not only do you need a complete replacement lock set, you also need to replace the ECU and Immobiliser, which is quite expensive. Having said that, if you are not a complete f*ckwit, it's quite a good solution to the problem, just don't ever buy a second hand car that doesn't have the red key! Link to comment Share on other sites More sharing options...
patently Posted October 28, 2014 Report Share Posted October 28, 2014 The problem with that, is that if you place the responsibility in the hands of the owner Not really a problem, so long as it's made clear to them Owner takes care of key, all is fine. Owner is an idiot, has to pay to correct consequences of idiocy, all is still fine. Owner is sensible and takes care of car and key but car gets nicked anyway because distant Eurocrats decide that life should be made easy for criminals purely to pursue their vision of how things should be without asking owners in advance and without really thinking through the consequences but safe in the knowledge that owners cannot turn round and vote them out for their stupidity, all is very definitely not ok. 1 Link to comment Share on other sites More sharing options...
Soulboy Posted October 28, 2014 Report Share Posted October 28, 2014 Not really a problem, so long as it's made clear to them Owner takes care of key, all is fine. Owner is an idiot, has to pay to correct consequences of idiocy, all is still fine. Owner is sensible and takes care of car and key but car gets nicked anyway because distant Eurocrats decide that life should be made easy for criminals purely to pursue their vision of how things should be without asking owners in advance and without really thinking through the consequences but safe in the knowledge that owners cannot turn round and vote them out for their stupidity, all is very definitely not ok. Well said. My thoughts exactly 1 Link to comment Share on other sites More sharing options...
Tipex Posted October 28, 2014 Report Share Posted October 28, 2014 (edited) Well there we are then, Fiat group had the answer 15 years ago, let's all go and buy 15 year old Punto's! Just make sure it's got the red key! Edited October 28, 2014 by Tipex 1 Link to comment Share on other sites More sharing options...
M8CKN Posted October 28, 2014 Report Share Posted October 28, 2014 They're all in scrap yards 1 Link to comment Share on other sites More sharing options...
Ian_C Posted October 28, 2014 Report Share Posted October 28, 2014 Do I recall reading on the BMWs you can only have four keys assigned to one car? For example, the car comes with two keys, you *could* have the dealer supply and code two further keys, so no more further keys can be assigned? Link to comment Share on other sites More sharing options...
patently Posted October 28, 2014 Report Share Posted October 28, 2014 Cunning plan. You could paint one red, too. 2 Link to comment Share on other sites More sharing options...
Scotty Posted October 28, 2014 Report Share Posted October 28, 2014 Four sounds reasonable as long as it's 'at anyone time' and you can remove lost/stolen ones etc. That's normally how they do it isn't it? Link to comment Share on other sites More sharing options...
Tipex Posted October 28, 2014 Report Share Posted October 28, 2014 Could they not just wipe the four keys from the memory and programme a new one with these machines? Link to comment Share on other sites More sharing options...
Soulboy Posted October 29, 2014 Report Share Posted October 29, 2014 (edited) As I'm sure you can imagine I've looked into this quite a bit - and in reality it does affect pretty much all modern cars. The issue comes down to the availability of manufacturer-aligned kit to do the decryption. Funnily enough, most of the free market kit is compatible with the more premium/German manufacturers, and less focussed on the Vauxhall's of this world. Technically, the way they've implemented the key encryption (I mean key from a cryptographic perspective) is utterly retarded. The key programming uses a form of public/private key (again, cryptographic key, not car key) encryption - which makes sense. The idea is you never have enough of the key to be able to break the encryption. Here's where it falls down though - the regulations for being able to recut a (physical) key means that *both* parts of the cryptographic route are available at the same connection point. Anyone who knows anything about cryptography will know how utterly daft that is, it breaks the whole point of it in some respect. There's not even third party key encryption (I.e. use another public/private combo) to gain access to the root. It's bizarre really - electronic encryption done properly will negate pretty much anyone getting past it, and yet they've been forced (with little fight from the look of it) to implement it in a way that actually makes physical security stronger! You can't do this type of attack on my car now, due to some of my own adjustments to it. You not only need access to the car, but you need a couple of other things to decrypt - in effect I've added 3 factor authentication to it. Possibly over-kill, but hey ho. Can I use that on another forum Mac? There is a long thread about keyless security with a lot of bull5hit being spouted on AudiSport- and this is the answer to a lot of it. As its security related, I dont want to post it without asking first. No problem if the answer is 'no'. Edited October 29, 2014 by Soulboy Link to comment Share on other sites More sharing options...
Recommended Posts
Please sign in to comment
You will be able to leave a comment after signing in
Sign In Now