By on August 23, 2007

Microchip Technologies (MT) is in full damage/spin control mode, as Israeli and Belgian boffins say they've cracked the "Keeloq" anti-theft key code. The code is the foundation of the company's remote control system. MT's plippers lock and unlock the doors and immobilize and de-immobilize models built by Fiat, General Motors, Toyota, Volvo, Honda, Volkswagen, Jaguar, Daewoo and Chrysler. Microchip's website calls the code "a highly secure algorithm." The hackers call it lunchmeat. The Jerusalem Post says all the geeks have to do is wirelessly access your key for about an hour, run their computer program and hey presto! They can identify your code from a billion billion possibilities, unlock your car and motor away. Or can they? "Our attack was checked in depth in program simulations," claimed researchers Sebastian Indestig, Eli Beham, Or Dunkelman, Barrett Fernil and Natan Keller. These guys would do well to remember the Ancient Art of War admonition: the algorithm is not the territory.


9 Comments on “Millions at Risk as Boffins Break Doorlock Code. Or not....”


  • Luther

    Only the Chrysler Sebring will be safe from theft.

  • nonce

    This has played out thousands (probably tens of thousands) of times in the software world.

    The person who breaks the software thinks they’ve done it supergood and their discovery will change everything.

    The company who made the product thinks that the hackers have overstated their position.

    It’s usually somewhere in between. Although “needing wireless access to your key for an hour” sounds like a relatively high design bar for the company to have used, so it wouldn’t surprise me if they did that.

  • Robert Schwartz

    “all the geeks have to do is wirelessly access your key for about an hour”

    Or they can haul your car away on a flat-bed in about 10 minutes.

  • dimitris

    I think that the primary technical reason most keyless entry (and garage door opener and other wireless) security systems have sucked is that there is not enough battery capacity in the fob to run a processor beefy enough to implement a real crypto protocol. A “real” fob might have you replace batteries at least once a year, and it might have to be bigger.

    However the fundamental reason car ignition/immobilizer security sucks is convenience: the need to replace lost keys/fobs quickly and inexpensively.

    My Thinkpad laptop has a security feature which, if enabled, lets me lock the machine at a fairly low (BIOS) level. There are warnings that if I forget the password, I’ll be looking at an expensive motherboard replacement. Something similar would be the only way to provide some decent security for cars: losing your keys must result in a $1000 parts-and-labor ECU replacement job, otherwise it’s easy/cheap enough for the thieves to bypass or scam their way through the procedure. Who wants to guess the odds of that ever happening?

    Then there is the issue of the owner becoming the weakest link. Uhh, you can have my car, thanks.

    When I finally buy a new car, I’ll try hard to avoid keyless entry systems. Even though they amount to no more than security-through-obscurity, the insurance companies consider them unbreakable and effectively won’t cover the cost of a stolen car. Fun.

  • Redbarchetta

    Robert has the most valid point: anyone who steals cars for a living and wants your car doesn’t need your keyfob info to steal it. If the key coding really made that much of a difference we would have seen a HUGE drop in car thefts over the last 10 years, and that is not the case. False security.

  • CSJohnston

    Um, if it takes someone an hour of wireless access to break a key or keyfob code, doesn’t that mean my key code or keyfob has to be broadcasting to let the hacker determine its coding for the entire hour? Do our keys and fobs continuously broadcast?

  • Hippo

    “My Thinkpad laptop has a security feature which, if enabled, lets me lock the machine at a fairly low (BIOS) level. There are warnings that if I forget the password, I’ll be looking at an expensive motherboard replacement.”

    LOL. How long does it take to remove a cover? Google it, there is nothing to bypassing/resetting this.

  • Nopanegain

    CSJohnston: The keyfobs mentioned in this story only broadcast when you press the button (the keys do not broadcast). In the early days of car alarms, there were “Code Grabbers” that could potentially steal the frequency of your remote control. But the conditions had to be just right to have it work. So someone would have to steal your keyfob for AN HOUR to learn the algorithm of your keyfob to potentially code up a new set of keys. Fugeddeboudit- the cost and time involved for the average thief would be prohibitive. Some geeks out there are brilliant to crack a code, but to no avail with no practical application.

  • nonce

    “Even though they amount to no more than security-through-obscurity, the insurance companies consider them unbreakable and effectively won’t cover the cost of a stolen car. Fun.”

    That sounds backwards. First, wouldn’t the insurance lower my rates for a security system they consider unbreakable?

    Second, why does it matter how my car is stolen? If someone puts it on a flatbed, or mugs me and takes my keys, the insurance company is supposed to cover that. What circumstances would have the car company determining that they must’ve broken the unbreakable system and declining to pay?

    “If the key coding really made that much of a difference we would have seen a HUGE drop in car thefts over the last 10 years, and that is not the case. False security.”

    http://www.nytimes.com/2005/06/28/opinion/28kristof.html?ex=1277611200&en=54885fd31890c085&ei=5090&partner=rssuserland&emc=rss

    Kristof cites a source that claims that auto theft is indeed lower now. I’m not sure if it’s “dramatically” lower. Anyone have the actual numbers?
