Gone in 60 seconds--the high-tech version

According to the article, BMWs may be susceptible...
http://news.com.com/Gone+in+60+seconds--the+high-tech+version/2100-7349_3-6069287.html
Let's say you just bought a Mercedes S550--a state-of-the-art, high-tech
vehicle with an antitheft keyless ignition system.
After you pull into a Starbucks to celebrate with a grande latte and a scone, a man in a T-shirt and jeans with a laptop sits next to you and starts up a friendly conversation: "Is that the S550? How do you like it so far?" Eager to share, you converse for a few minutes, then the man thanks you and is gone. A moment later, you look up to discover your new Mercedes is gone as well.
Now, decrypting one 40-bit code sequence can not only disengage the security system and unlock the doors, it can also start the car--making the hack tempting for thieves. The owner of the code is now the true owner of the car. And while high-end, high-tech auto thefts like this are more common in Europe today, they will soon start happening in America. The sad thing is that manufacturers of keyless devices don't seem to care.
Wireless or contactless devices in cars are not new. Remote keyless entry systems--those black fobs we all have dangling next to our car keys--have been around for years. While the owner is still a few feet away from a car, the fobs can disengage the auto alarm and unlock the doors; they can even activate the car's panic alarm in an emergency.
First introduced in the 1980s, modern remote keyless entry systems use a circuit board, a coded radio-frequency identification (RFID) technology chip, a battery and a small antenna. The last two are designed so that the fob can broadcast to a car while it's still several feet away.
The RFID chip in the key fob contains a select set of codes designed to work with a given car. These codes are rolling 40-bit strings: With each use, the code changes slightly, creating about 1 trillion possible combinations in total. When you push the unlock button, the keyfob sends a 40-bit code, along with an instruction to unlock the car doors. If the synced-up receiver gets the 40-bit code it is expecting, the vehicle performs the instruction. If not, the car does not respond. Unfortunately, the companies making RFID systems for cars don't think there's a problem.
A second antitheft use of RFID is for remote vehicle immobilizers. These tiny chips, embedded inside the plastic head of the ignition keys, are used with more than 150 million vehicles today. Improper use prevents the car's fuel pump from operating correctly. Unless the driver has the correct key chip installed, the car will run out of fuel a few blocks from the attempted theft. (That's why valet keys don't have the chips installed; valets need to drive the car only short distances.)
One estimate suggests that since their introduction in the late 1990s, vehicle immobilizers have resulted in a 90 percent decrease in auto thefts nationwide.
But can this system be defeated? Yes.
Keyless ignition systems allow you the convenience of starting your car with the touch of a button, without removing the chip from your pocket or purse or backpack. Like vehicle immobilizers, keyless ignition systems work only in the presence of the proper chip. Unlike remote keyless entry systems, they are passive, don't require a battery and have much shorter ranges (usually six feet or less). And instead of sending a signal, they rely on a signal being emitted from the car itself.
Given that the car is more or less broadcasting its code and looking for a response, it seems possible that a thief could try different codes and see what the responses are. Last fall, the authors of a study from Johns Hopkins University and the security company RSA carried out an experiment using a laptop equipped with a microreader. They were able to capture and decrypt the code sequence, then disengage the alarm and unlock and start a 2005 Ford Escape SUV without the key. They even provided an online video of their "car theft."
But if you think that such a hack might occur only in a pristine academic environment, with the right equipment, you're wrong.
Real-world examples
Meet Radko Soucek, a 32-year-old car thief from the Czech Republic. He's alleged to have stolen several expensive cars in and around Prague using a laptop and a reader. Soucek is not new to auto theft--he has been stealing cars since he was 11 years old. But he recently turned high-tech when he realized how easily it could be done.
Ironically, what led to his downfall was his own laptop, which held evidence of all his past encryption attempts. With a database of successful encryption strings already stored on his hard drive, he had the ability to crack cars he'd never seen before in a relatively short amount of time.
And Soucek isn't an isolated example. Recently, soccer player David Beckham had not one, but two, custom-designed antitheft-engineered BMW X5 SUVs stolen. The most recent theft occurred in Madrid, Spain. Police believe an auto theft gang using software instead of hardware pinched both of Beckham's BMWs.
How a keyless car gets stolen isn't exactly a state secret--much of the required knowledge is Basic Encryption 101. The authors of the Johns Hopkins/RSA study needed only to capture two challenge-and-response pairs from their intended target before cracking the encryption.
In an example from the paper, they wanted to see if they could swipe the passive code off the keyless ignition device itself. To do so, the authors simulated a car's ignition system (the RFID reader) on a laptop. By sitting close to someone with a keyless ignition device in his pocket, the authors were able to perform several scans in less than one second without the victim knowing. They then began decrypting the sampled challenge-response pairs. Using brute-force attack techniques, the researchers had the laptop try different combinations of symbols until they found combinations that matched. Once they had the matching codes, they could then predict the sequence and were soon able to gain entrance to the target car and start it.
In the case of Beckham, police think the criminals waited until he left his car, then proceeded to use a brute-force attack until the car was disarmed, unlocked and stolen.
Hear no evil, speak no evil The authors of the Johns Hopkins/RSA study suggest that the RFID industry move away from the relatively simple 40-bit encryption technology now in use and adopt a more established encryption standard, such as the 128-bit Advanced Encryption Standard (AES). The longer the encryption code, the harder it is to crack.
The authors concede that this change would require a higher power consumption and therefore might be harder to implement; and it wouldn't be backward-compatible with all the 40-bit ignition systems already available.
The authors also suggest that car owners wrap their keyless ignition fobs in tin foil when not in use to prevent active scanning attacks, and that automobile manufacturers place a protective cylinder around the ignition slot. This latter step would limit the RFID broadcast range and make it harder for someone outside the car to eavesdrop on the code sequence.
Unfortunately, the companies making RFID systems for cars don't think there's a problem. The 17th annual CardTechSecureTech conference took place this past week in San Francisco, and CNET News.com had an opportunity to talk with a handful of RFID vendors. None wanted to be quoted, nor would any talk about 128-bit AES encryption replacing the current 40-bit code anytime soon. Few were familiar with the Johns Hopkins/RSA study we cited, and even fewer knew about keyless ignition cars being stolen in Europe.
Even Consumer Reports acknowledges that keyless ignition systems might not be secure enough for prime time, yet the RFID industry adamantly continues to whistle its happy little tune. Until changes are made in the keyless systems, any car we buy will definitely have an ignition key that can't be copied by a laptop.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On Sun, 14 May 2006 14:23:44 -0400, bjn wrote:

http://news.com.com/Gone+in+60+seconds--the+high-tech+version/2100-7349_3-6069287.html Interesting article. I didn't know they used 40 bit encryption. That can be cracked on a laptop in about 2-10 minutes, depending on the number count.
The thing is that all wireless waveforms are insecure. That includes your wireless network and garage door opener. The most secure thing would be a 512-1024 bit cypher key along with 128 bit encryption over the waveform.
You are fighting processing time with encryption. All of it can be cracked. A laptop cannot crack 128 bit with an encrypted key while sitting at starbucks. The NSA linux cluster supercomputers can, but it takes a few days. If they just included a key exchange across the encrypted link, it would eliminate fly by night car theft. I don't know of any car company that does this, but I set up ip wireless networks that do this. RFID should never be used. Any device can light it up and read it, and it doesn't have a key exchange. It's a joke.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

Security is not a binary thing, it is a risk management thing. Nothing is ever completely secure, but somethings may be secure-enough for the task at hand.
Clearly, 40-bits for auto security is completely inadequate, you might as well leave the doors open and the car running (OK, so I exaggerate, but not by much).
My home wireless network uses WPA-2, with 256-AES encryption. That is plenty secure for my needs here at home.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

Since this is a BMW newsgroup..

And how did they get around the need for a physical KEY to turn the ignition on?
I think this article is somewhat poorly researched.
An X5 doesn't use a fob - it uses a chip in the key which talks to the EWS (driveaway protection system) via a small ring antenna that surrounds the key slot. While one might be able to use a laptop to send a signal to the EWS - it does one no good unless you can operate the starter and START the engine... which can't be done remotely by computer.
The article also ignores the basic anti-theft alarm built into all 5 series - which uses a different code-jumping chip to disarm... and unless it's disarmed - the car still will not start.
On newer BMWs - such as the new 3 series - they DO use a fob instead of a key - but to start the car - the fob must latched into a slot in the dash (it won't work in your pocket) and the brake must be pressed. The newer 5 series - uses the same key/EWS/alarm system as the X5 mentioned. The 7-series - fob must be physically in the dash for the car to start.
If they get that much WRONG - one has to question how accurate the rest of the article is..
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

My wife has a new 7 series. ('06) Doors unlock and car will start with the "key" or "fob" still in her pocketbook. It does not need to be physically in the dash for the car to start.
RCE
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
We bought a 3 series about a month ago. It does not have keyless entry option( I think its called comfort access) . On the way home from the dealer we were able to start the car with the key in our pocket. When we restarted the car the next time, we needed to have the fob in the key slot. Makes me think that BMW can activate/deactivate this.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

Motorsforum.com is a website by car enthusiasts for car enthusiasts. It is not affiliated with any of the car or spare part manufacturers or car dealers discussed here. All logos and trade names are the property of their respective owners.