this post was submitted on 26 Feb 2024
494 points (96.4% liked)

Technology

59594 readers
2945 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Experts ​alerted motor trade to security risks of ‘smart key’ systems which have now fuelled highest level of car thefts for a decade.

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 67 points 9 months ago (2 children)

It’s so difficult to use a regular key though.

I’ve had to cancel journeys before because I get in the car and I just cannot work out how to turn it on 😞

[–] agent_flounder 31 points 9 months ago (1 children)

I finally did but...gawd turning a key is so much work!

[–] [email protected] 11 points 9 months ago

We need a turnkey solution for this, stat!

[–] [email protected] 5 points 9 months ago

You have to use your hands? That's like a baby's toy!

[–] [email protected] 56 points 9 months ago (13 children)

They struck gold in the most horrible way possible: People dependent on their cars + their car keeps getting stolen = infinite money printing machine

load more comments (13 replies)
[–] [email protected] 29 points 9 months ago (1 children)

Convenience is usually at odds with security.

That said, keyless access is amazing. Not having to dig out the car key is just so comfortable.

[–] [email protected] 22 points 9 months ago (2 children)
[–] captainlezbian 24 points 9 months ago (1 children)

I wish one of them went from my home to my place of employment or my places of entertainment, much less at a time that’s reasonable

[–] [email protected] 17 points 9 months ago* (last edited 9 months ago)

The bus trip home from the nearest transit route can take up to half an hour for me due to how often it comes and its path. The drive from the transit stop is 3 minutes.

Not that it matters, I still wouldn't be able to get to the nearest grocery store on the bus, inexplicably none of them go there. These systems need work.

load more comments (1 replies)
[–] [email protected] 20 points 9 months ago (3 children)

Aren't all cars within the past decades using rolling keys?

[–] atrielienz 33 points 9 months ago (2 children)

This article does not do a good job of explaining what the attack vectors are.

[–] atrielienz 7 points 9 months ago (6 children)
[–] [email protected] 6 points 9 months ago

Damn wtf. I think I learned of this and forgot

load more comments (5 replies)
[–] Alexstarfire 6 points 9 months ago (12 children)

Among other things, this is why I wanted a house with a garage. I just keep my car in the garage.

I'm very much in the minority in my neighborhood though. Everyone seems to use their garage for other things then park in the driveway or on the street. It annoys me to no end.

load more comments (12 replies)
[–] [email protected] 10 points 9 months ago

These are different attack vectors.
The classic one was listening to a key, then impersonating it later.
Rolling keys fixed that.

For keyless, the usual attack is working as a relay.
Victim is 30m from their car, too far for keyless.
Attacker stands between the car and the victim with a transceiver that links the car and the key together, despite the distance, and opens it.

load more comments (1 replies)
[–] [email protected] 20 points 9 months ago (1 children)

I have a key fob faraday cage/pouch keychain to prevent people from being able to dupe my key fob's signal.

[–] Alexstarfire 18 points 9 months ago (1 children)

Seems like keyfobs need an on/off switch for signal broadcasting.

[–] [email protected] 10 points 9 months ago

Honestly this is a great idea. You could likely even make one yourself with a couple wires, a switch and a piece of tape.

[–] Tautvydaxx 16 points 9 months ago* (last edited 9 months ago) (2 children)

If you have an older renault with a keyless card, press the lock button two times and it will disable the keylless system until you start the car. It hink this should be the standart.

The newer hyundai and kia dont have a good immo, they can be started by breaking the ignition lock and turning the start key, also if you can catch the unloxking signal you can reuse it. Normaly you wouldnt be able to start a car without an immo chip, that is tied to the car. Normaly you woulnd be able to unlock the car because the remote and the car keeps changing the unlock code, but to make these cars cheeper for America market they removed these futures.

load more comments (2 replies)
[–] unreasonabro 14 points 9 months ago (1 children)

It didn't need to be warned anyway. it knew. they always only ever lie.

[–] UPGRAYEDD 7 points 9 months ago (3 children)

I mean sure.. but using a key to enter isnt really any safer? Like lock picks and jimmys and air bags have been defeating physical locks for even longer? Hell, a brick through a window gets you in faster than anything.

load more comments (3 replies)
[–] [email protected] 14 points 9 months ago

Okay but did the stockholders profit? Yes? Goddamn right they did.

[–] joel_feila 14 points 9 months ago (1 children)

are they talking about smart phone app to unlock cars or the keyless entry that has been around since the 90s?

[–] [email protected] 17 points 9 months ago* (last edited 9 months ago) (3 children)

Both, honestly. But the real problem in this case is the keys that can open and start a car with their mere presence. A relay attack makes bypassing them trivial, and when a large number of people leave their keys at the front door, it’s not difficult to give it a shot.

load more comments (3 replies)
[–] [email protected] 12 points 9 months ago* (last edited 9 months ago) (2 children)

These keyless ignition cars should never have been legal and the manufacturers should be on the hook for recalling and fixing them.

I’ve been saying that since they were first released.

That flipper zero (not disguising a car theft tool as a game device btw) can be used to attack said cars is irrelevant, because you could trivially order the parts to make your own.

I hate that the insurance lobby is winning out on security by obscurity via lobbying governments and putting out scary statements, instead of hiking the rates for Kia’s and other trivial to steal cars. The insurers are having their cake and eating it too by wanting to charge money but lacking the wherewithal to actually charge rates commensurate with risk.

[–] [email protected] 11 points 9 months ago (2 children)

It's not just a car theft tool, its not really even intended for that. It's just a neat little multi tool and it isn't even close to the first or only device capable of repeating recorded codes. A hammer can be used to break into a car really easily and nobody's ever called those "car theft tools disguised as hand-tools"

load more comments (2 replies)
load more comments (1 replies)
[–] Snapz 12 points 9 months ago

"THAT WASN'T MY QUESTION!!! WILL THEY MAKE ITS MONEY???"

[–] [email protected] 11 points 9 months ago* (last edited 9 months ago) (4 children)

Seems to be specifically about these you unlock from your phone and then press a button to start

A device disguised as a games console - known as an “emulator” - is being exploited by thieves to steal vehicles within 20 seconds by mimicking the electronic key.

Don't they use rolling codes? So I suppose this emulator is some malware you install on your phone

[–] baronvonj 6 points 9 months ago (2 children)
[–] kurwa 26 points 9 months ago (2 children)

The flipper zero can't get around rolling codes, unless it's a very specific situation. Car thiefs aren't using them.

[–] baronvonj 13 points 9 months ago (1 children)

The OP's quote leaves out the "It is being targeted at Hyundai and Kia models." part. From what I can find those brands are (were?) susceptible to rollback where sending an old code reactivates codes that came after it

https://www.reddit.com/r/flipperzero/comments/z2fq6h/broken_rolling_code_system_old_sent_signal/

load more comments (1 replies)
load more comments (1 replies)
load more comments (1 replies)
[–] T156 5 points 9 months ago (1 children)

Don’t they use rolling codes? So I suppose this emulator is some malware you install on your phone

I would hope that they would use rolling codes, but I would also not be all that surprised if they did not. Car manufacturers have cheaped out for less.

The emulator part seems like it's confusing a few different things together. Although I'm a little suspect of that, since someone holding up a games console to a car or house is suspicious anyway.

It could also be described as an emulator (emulating the key), and the crossover with game emulators might be causing some confusion?

A dedicated device might make sense there, if it has better antennas, or better capabilities than would be available with a basic phone, in addition to being less technical than having to install an app and fiddle about with all of that.

load more comments (1 replies)
load more comments (2 replies)
[–] Mango 11 points 9 months ago (1 children)

Literally nothing is secure.

[–] [email protected] 14 points 9 months ago (5 children)

Nothing wireless is secure, especially when dealing with end user electronics.

The only possible exception is WiFi and commercial wifi services like 4G/5G... In the case of WiFi, it really depends on the configuration. A local ISP was, by default, programming their combination router modems for WEP security for years after it was known to be insecure, and for years after tools to obtain the security key for WEP were commonly available. However, WPA2 and now WPA3 is used by corporations to secure their wireless traffic, and those technologies have been made available to the public on almost all consumer WiFi products made in the last few years, though, some may need to be updated to show the option for it. As far as I know, as of now, WPA3 has no known vulnerabilities that will allow a hacker to penetrate into the subject network. The weakest part of the system is people using poor passwords for their wifi, which can be easily guessed, which is not a fault of the technology itself.

IMO, the best, most shining example of well implemented security is PKI, which is used in HTTPS/TLS. A high security asymmetric key is used to generate a short-term use symmetrical key to secure the communication. It becomes basically pointless to try to break the encryption at that point.

But this isn't the issue in the OP. The problem is: where does everyone keep their keys? If you said "at the front door" you'd be right. In most cases, keys are at, or very near the front door. Where are most people's driveways? At the front of their house, next to the front door. There's usually enough distance to keep the fob from being detected by the car and unlocking it for anyone who walks up, but with a small amount of tech, attackers can pull the signal through your front door and relay it to the car. The process is actually kind of trivial. This is known very aptly as a relay attack. One attacker with a high gain antenna loop, places that loop on or near your front door, while their partner has another device which is relaying the signals from the high gain antenna to the car. This makes the car think the key fob is nearby, and it unlocks the doors, and the vehicle can be started.

Once started, the vehicle will not automatically power off if the fob goes out of range, since that would create an unpredictable safety hazard. At this point the attackers only job is to get the vehicle somewhere that they can work on it for an unlimited amount of time, and program new fobs for it (which can be done with diagnostic tools).

The best way to prevent this is simply not to keep your keys in range of your front door, nullifying the attack. Otherwise, buy an RF blocking key box to put them in at the front door. Something that automatically closes would be beneficial here; something with a Faraday style mesh, or lead (embedded in the walls of the box) would be best IMO. Keep any spare keys in a similar lock box elsewhere in the home.

My family has our keys, at least 10 feet away from the door for storage, in our kitchen. It's a short walk from the door down a tiled hallway, which makes for easy cleanup if someone walks over to get their keys from that location with muddy/wet boots or something.

Relay attacks are very common and easy to execute with a high degree of success. To their credit, manufacturers have done their diligence in implementing anti-replay attacks (where an attacker well record the signal to unlock/start a vehicle, then replay it later for access), but the relay issue is harder to account for. From the perspective of the car, or simply looks like you started the car, dropped your fob on the ground and drove away. This is a legitimate scenario, and one that is entirely plausible for an end user to create unintentionally.

load more comments (5 replies)
[–] [email protected] 10 points 9 months ago (1 children)

Y'all ready for the same article to come out about various smart home devices?

load more comments
view more: next ›