Car immobilizers cracked due to crappy proprietary crypto

Karsten Nohl of Security Research Labs, a white-hat hacker, believes that a recent spike in car theft is due to a break in the car immobilizer security systems; thieves are able to re-mobilize the immobilized vehicles. My question is: how long until someone builds a TV-B-Gone for car engines that lets you stop cars with the click of a button?
Juels says that these cracks were possible because the proprietary algorithms that the firms use to encode the cryptographic keys shared between the immobiliser and receiver, and receiver and engine do not match the security offered by openly published versions such as the Advanced Encryption Standard (AES) adopted by the US government to encrypt classified information. Furthermore, in both cases the encryption key was way too short, says Nohl. Most cars still use either a 40 or 48-bit key, but the 128-bit AES - which would take too long to crack for car thieves to bother trying - is now considered by security professionals to be a minimum standard. It is used by only a handful of car-makers...

What's more, one manufacturer was even found to use the vehicle ID number as the supposedly secret key for this internal network. The VIN, a unique serial number used to identify individual vehicles, is usually printed on the car. "It doesn't get any weaker than that," Nohl says.

Criminals find the key to car immobilisers (via Schneier)

(Image: Invalidka - Soviet car for disabled people, a Creative Commons Attribution (2.0) image from dittaeva's photostream)


  1. You should read some of this study on the security of the modern vehicle.

    “Even at speeds of up to 40 MPH on the runway, the attack packets had their intended effect, whether it was honking the horn, killing the engine, preventing the car from restarting, or blasting the heat. Most dramatic were the effects of DeviceControl packets to the Electronic Brake Control Module (EBCM) — the full effect of which we had previously not been able to observe. In particular, we were able to release the brakes and actually prevent our driver from braking; no amount of pressure on the brake pedal was able to activate the brakes. Even though we expected this effect, reversed it quickly, and had a safety mechanism in place, it was still a frightening experience for our driver. With another packet, we were able to instantaneously lock the brakes unevenly; this could have been dangerous at higher speeds.”

  2. “Usually” printed on the car? By law, the VIN must be visibly affixed to the car; that’s the entire point of a vehicle identification number.

  3. There are a lot of cyclists that would pony up good money for a Car-B-gone device. Is there a kickstarter page for this yet?

  4. Which manufacturers? The encryption key isn’t something I’ve seen advertised. Any recommendations on finding out what my car has and the cars I might be interested in buying?

  5. Well they can stop cars with the click of a button- it’s how Bait Cars work to catch thieves. They usually use it to kill the engine of course- applying brakes to a driver who’s not expecting it is a very bad plan. Now to stop ANY car- that’s different but I’m sure law enforcement would like such a thing.

  6. I read an article on car thieves a few years back – they actually flashed their own firmware on to the car computer. No amount of crypto will help if you have physical access to the hardware!

  7. “What’s more, one manufacturer was even found…”

    DAARG!! I see this more and more these days- sentences beginning with ‘What’s more,…’ and it’s really starting to drive me crazy. In this case those two words could have been omitted and it would have read just fine. If you absolutely have to use something, I’d think ‘Furthermore’ would be the primary choice.

  8. I’ve always regarded old-timers’ criticisms of EFI with scorn; just cause my car depends on electronics doesn’t make it any less reliable… EFI > carbies by miles.

    But here I think we’ve reached the point where I feel inclined to knock back new tech. I’m thinking if I ever own such a car, I’ll be disabling the radio receiver element of the circuit…

  9. how long until someone builds a TV-B-Gone for car engines that lets you stop cars with the click of a button?

    Last weekend there was some asshole who parked in my space all weekend. By the end of last night I decided the only course of action was to fry the car’s electrics with an EMP.

    Today’s task was to search for a solution online.

  10. It’s sad, but they really don’t care about true encryption. They want something that mechanics, dealers, repo men, etc. can hack or figure out at a moment’s notice, thus the reason for the VIN number being used. It would be nice to know which cars are vulnerable to this and make plans to never buy them.

  11. Must… crush… my… cynicism. The only thing that kept running through my mind towards the end of the article was,

    News Headline, ‘Assange dies in car crash’

