Car immobilizers cracked due to crappy proprietary crypto


19 Responses to “Car immobilizers cracked due to crappy proprietary crypto”

  1. AirPillo says:

    and the password was “password”, right?

  2. Dom says:

    You should read some of this study on the security of the modern vehicle.

    http://www.autosec.org/pubs/cars-oakland2010.pdf

    “Even at speeds of up to 40 MPH on the runway, the attack packets had their intended effect, whether it was honking the horn, killing the engine, preventing the car from restarting, or blasting the heat. Most dramatic were the effects of DeviceControl packets to the Electronic Brake Control Module (EBCM) — the full effect of which we had previously not been able to observe. In particular, we were able to release the brakes and actually prevent our driver from braking; no amount of pressure on the brake pedal was able to activate the brakes. Even though we expected this effect, reversed it quickly, and had a safety mechanism in place, it was still a frightening experience for our driver. With another packet, we were able to instantaneously lock the brakes unevenly; this could have been dangerous at higher speeds.”

  3. AGC says:

    Off topic but what model of car is that in the picture?

  4. Baldhead says:

    Well they can stop cars with the click of a button- it’s how Bait Cars work to catch thieves. They usually use it to kill the engine of course- applying brakes to a driver who’s not expecting it is a very bad plan. Now to stop ANY car- that’s different but I’m sure law enforcement would like such a thing.

  5. Niklas says:

    … and how long until Gizmodo uses it at a car show?

  6. Anonymous says:

    I read an article on car thieves a few years back – they actually flashed their own firmware on to the car computer. No amount of crypto will help if you have physical access to the hardware!

  7. Michael says:

    “Usually” printed on the car? By law, the VIN must be visibly affixed to the car; that’s the entire point of a vehicle identification number.

  8. mercator says:

    There are a lot of cyclists that would pony up good money for a Car-B-gone device. Is there a kickstarter page for this yet?

  9. quail says:

    It’s sad, but they really don’t care about true encryption. They want something that mechanics, dealers, repo men, etc. can hack or figure out at a moment’s notice, thus the reason for the VIN number being used. It would be nice to know which cars are vulnerable to this and make plans to never buy them.

  10. chris says:

    The first thing you should be taught in any cryptography class:
    http://en.wikipedia.org/wiki/Kerckhoffs's_Principle

    Quit using proprietary crypto systems.

  11. Anonymous says:

    Maybe the car manufacturers should have read this first….. http://www.schneier.com/crypto-gram-9902.html

  12. Nadreck says:

    Oh, so that’s how the car-immobilising Bat Beam worked.

  13. teapot says:

    how long until someone builds a TV-B-Gone for car engines that lets you stop cars with the click of a button?

    Last weekend there was some asshole who parked in my space all weekend. By the end of last night I decided the only course of action was to fry the car’s electrics with an EMP.

    Today’s task was to search for a solution online.

  14. Anonymous says:

    “What’s more, one manufacturer was even found…”

    DAARG!! I see this more and more these days- sentences beginning with ‘What’s more,…’ and it’s really starting to drive me crazy. In this case those two words could have been omitted and it would have read just fine. If you absolutely have to use something, I’d think ‘Furthermore’ would be the primary choice.

  15. Kimmo says:

    I’ve always regarded old-timers’ criticisms of EFI with scorn; just cause my car depends on electronics doesn’t make it any less reliable… EFI > carbies by miles.

    But here I think we’ve reached the point where I feel inclined to knock back new tech. I’m thinking if I ever own such a car, I’ll be disabling the radio receiver element of the circuit…

  16. jadeonly says:

    Which manufacturers? The encryption key isn’t something I’ve seen advertised, any recommendations on finding out what my car has and the cars I might be interested in buying?

  17. Anonymous says:

    Must… crush… my… cynicism. The only thing that kept running through my mind towards the end of the article was,

    News Headline, ‘Assange dies in car crash’

    sigh.
