This is a most excellent place for technology news and articles.
It’s so difficult to use a regular key though.
I’ve had to cancel journeys before because I get in the car and I just cannot work out how to turn it on 😞
I finally did but...gawd turning a key is so much work!
We need a turnkey solution for this, stat!
You have to use your hands? That's like a baby's toy!
They struck gold in the most horrible way possible: People dependent on their cars + their car keeps getting stolen = infinite money printing machine
Convenience is usually at odds with security.
That said, keyless access is amazing. Not having to dig out the car key is just so comfortable.
My favorite keyless car: 
I wish one of them went from my home to my place of employment or my places of entertainment, much less at a time that’s reasonable
The bus trip home from the nearest transit route can take up to half an hour for me due to how often it comes and its path. The drive from the transit stop is 3 minutes.
Not that it matters, I still wouldn't be able to get to the nearest grocery store on the bus, inexplicably none of them go there. These systems need work.
I have a key fob faraday cage/pouch keychain to prevent people from being able to dupe my key fob's signal.
Seems like keyfobs need an on/off switch for signal broadcasting.
Honestly this is a great idea. You could likely even make one yourself with a couple wires, a switch and a piece of tape.
Aren't all cars within the past decades using rolling keys?
This article does not do a good job of explaining what the attack vectors are.
Damn wtf. I think I learned of this and forgot
Among other things, this is why I wanted a house with a garage. I just keep my car in the garage.
I'm very much in the minority in my neighborhood though. Everyone seems to use their garage for other things then park in the driveway or on the street. It annoys me to no end.
These are different attack vectors.
The classic one was listening to a key, then impersonating it later.
Rolling keys fixed that.
For keyless, the usual attack is working as a relay.
Victim is 30m from their car, too far for keyless.
Attacker stands between the car and the victim with a transceiver that links the car and the key together, despite the distance, and opens it.
If you have an older renault with a keyless card, press the lock button two times and it will disable the keylless system until you start the car. It hink this should be the standart.
The newer hyundai and kia dont have a good immo, they can be started by breaking the ignition lock and turning the start key, also if you can catch the unloxking signal you can reuse it. Normaly you wouldnt be able to start a car without an immo chip, that is tied to the car. Normaly you woulnd be able to unlock the car because the remote and the car keeps changing the unlock code, but to make these cars cheeper for America market they removed these futures.
Okay but did the stockholders profit? Yes? Goddamn right they did.
are they talking about smart phone app to unlock cars or the keyless entry that has been around since the 90s?
Both, honestly. But the real problem in this case is the keys that can open and start a car with their mere presence. A relay attack makes bypassing them trivial, and when a large number of people leave their keys at the front door, it’s not difficult to give it a shot.
It didn't need to be warned anyway. it knew. they always only ever lie.
I mean sure.. but using a key to enter isnt really any safer? Like lock picks and jimmys and air bags have been defeating physical locks for even longer? Hell, a brick through a window gets you in faster than anything.
These keyless ignition cars should never have been legal and the manufacturers should be on the hook for recalling and fixing them.
I’ve been saying that since they were first released.
That flipper zero (not disguising a car theft tool as a game device btw) can be used to attack said cars is irrelevant, because you could trivially order the parts to make your own.
I hate that the insurance lobby is winning out on security by obscurity via lobbying governments and putting out scary statements, instead of hiking the rates for Kia’s and other trivial to steal cars. The insurers are having their cake and eating it too by wanting to charge money but lacking the wherewithal to actually charge rates commensurate with risk.
It's not just a car theft tool, its not really even intended for that. It's just a neat little multi tool and it isn't even close to the first or only device capable of repeating recorded codes. A hammer can be used to break into a car really easily and nobody's ever called those "car theft tools disguised as hand-tools"
"THAT WASN'T MY QUESTION!!! WILL THEY MAKE ITS MONEY???"
Seems to be specifically about these you unlock from your phone and then press a button to start
A device disguised as a games console - known as an “emulator” - is being exploited by thieves to steal vehicles within 20 seconds by mimicking the electronic key.
Don't they use rolling codes? So I suppose this emulator is some malware you install on your phone
Could be the Flipper Zero that Canada just banned, due to it's use in car thefts.
The flipper zero can't get around rolling codes, unless it's a very specific situation. Car thiefs aren't using them.
The OP's quote leaves out the "It is being targeted at Hyundai and Kia models." part. From what I can find those brands are (were?) susceptible to rollback where sending an old code reactivates codes that came after it
https://www.reddit.com/r/flipperzero/comments/z2fq6h/broken_rolling_code_system_old_sent_signal/
Don’t they use rolling codes? So I suppose this emulator is some malware you install on your phone
I would hope that they would use rolling codes, but I would also not be all that surprised if they did not. Car manufacturers have cheaped out for less.
The emulator part seems like it's confusing a few different things together. Although I'm a little suspect of that, since someone holding up a games console to a car or house is suspicious anyway.
It could also be described as an emulator (emulating the key), and the crossover with game emulators might be causing some confusion?
A dedicated device might make sense there, if it has better antennas, or better capabilities than would be available with a basic phone, in addition to being less technical than having to install an app and fiddle about with all of that.
Literally nothing is secure.
Nothing wireless is secure, especially when dealing with end user electronics.
The only possible exception is WiFi and commercial wifi services like 4G/5G... In the case of WiFi, it really depends on the configuration. A local ISP was, by default, programming their combination router modems for WEP security for years after it was known to be insecure, and for years after tools to obtain the security key for WEP were commonly available. However, WPA2 and now WPA3 is used by corporations to secure their wireless traffic, and those technologies have been made available to the public on almost all consumer WiFi products made in the last few years, though, some may need to be updated to show the option for it. As far as I know, as of now, WPA3 has no known vulnerabilities that will allow a hacker to penetrate into the subject network. The weakest part of the system is people using poor passwords for their wifi, which can be easily guessed, which is not a fault of the technology itself.
IMO, the best, most shining example of well implemented security is PKI, which is used in HTTPS/TLS. A high security asymmetric key is used to generate a short-term use symmetrical key to secure the communication. It becomes basically pointless to try to break the encryption at that point.
But this isn't the issue in the OP. The problem is: where does everyone keep their keys? If you said "at the front door" you'd be right. In most cases, keys are at, or very near the front door. Where are most people's driveways? At the front of their house, next to the front door. There's usually enough distance to keep the fob from being detected by the car and unlocking it for anyone who walks up, but with a small amount of tech, attackers can pull the signal through your front door and relay it to the car. The process is actually kind of trivial. This is known very aptly as a relay attack. One attacker with a high gain antenna loop, places that loop on or near your front door, while their partner has another device which is relaying the signals from the high gain antenna to the car. This makes the car think the key fob is nearby, and it unlocks the doors, and the vehicle can be started.
Once started, the vehicle will not automatically power off if the fob goes out of range, since that would create an unpredictable safety hazard. At this point the attackers only job is to get the vehicle somewhere that they can work on it for an unlimited amount of time, and program new fobs for it (which can be done with diagnostic tools).
The best way to prevent this is simply not to keep your keys in range of your front door, nullifying the attack. Otherwise, buy an RF blocking key box to put them in at the front door. Something that automatically closes would be beneficial here; something with a Faraday style mesh, or lead (embedded in the walls of the box) would be best IMO. Keep any spare keys in a similar lock box elsewhere in the home.
My family has our keys, at least 10 feet away from the door for storage, in our kitchen. It's a short walk from the door down a tiled hallway, which makes for easy cleanup if someone walks over to get their keys from that location with muddy/wet boots or something.
Relay attacks are very common and easy to execute with a high degree of success. To their credit, manufacturers have done their diligence in implementing anti-replay attacks (where an attacker well record the signal to unlock/start a vehicle, then replay it later for access), but the relay issue is harder to account for. From the perspective of the car, or simply looks like you started the car, dropped your fob on the ground and drove away. This is a legitimate scenario, and one that is entirely plausible for an end user to create unintentionally.
Y'all ready for the same article to come out about various smart home devices?
Already has a few dozen times. All the more reason to self-host. Corporations can't be trusted to secure your data.
...and keyful ones aren't?
To be fair, I think we ignore the security of physical locks. Atleast one must get physical access to the lock in order to pick it.
Or even password books. Atleast someone has to get physical access to said book, which requires knowing it exists in the first place.
Does that make them better? No, not imo, but it is an aspect of these things that often gets overlooked
Atleast one must get physical access to the lock in order to pick it.
It's a fair point, but if we're taking about cars, I'd say physical access is a given. Keyless vehicles haven't quite enabled remote car thefts just yet
This is lockpickinglawyer and today I'm going to show you picking 100 locks in 100 seconds
