EmbeddedRelated.com

Remote keyless entry systems with rolling code: are transmitters really clonable?

Started by pozz December 11, 2015
Waldek Hebisch <hebisch@math.uni.wroc.pl> writes:
> And keys seem to have fancy functions that require processor (and
> probably also two way communication)
I don't know of any keys/fobs with two way communication. It would simplify some things but make others more complicated. I worked on one a long time ago but it was never produced. It was not intended for cars and that might have made it harder.
On 16/12/15 06:58, Waldek Hebisch wrote:
> Nobody <nobody@nowhere.invalid> wrote:
>> On Sat, 12 Dec 2015 22:53:37 +0000, Waldek Hebisch wrote:
>>
>>> To avoid replay attacks you need two way communication
>>
>> Not necessarily; you can use timestamps.
>
> Yes, that also works.
>
>>> - you need more complicated device (probably processor)
>>> instead of simple hardware used for existing systems
>>
>> This is the real issue.
>>
>> Strong ciphers (or hashes, or pseudo-random number generators) need
>> significantly more silicon than a weak pseudo-random number generator
>> (e.g. LFSR). Accurate timekeeping needs a crystal rather than an RC
>> oscillator, and backup power to avoid needing to re-synchronise if you
>> change the transmitter battery or the vehicle has the battery disconnected
>> during servicing.
>>
>> Whereas wireless fobs seem to aim for the complexity of a 74-series chip.
>>
>> And that's the ones used for protecting cars.
>
> Well, IMO there is no excuse for bad security of car keys. Replacement
> keys seem to cost well beyond $50 and decent processor costs 30 cents.
> And keys seem to have fancy functions that require processor (and
> probably also two way communication)
Most modern keys have two systems - a remote door lock and a separate RFID chip to arm the ignition. The RFID is two-way - the car pings and the chip responds.
Paul Rubin <no.email@nospam.invalid> wrote:
> Waldek Hebisch <hebisch@math.uni.wroc.pl> writes:
>> And keys seem to have fancy functions that require processor (and
>> probably also two way communication)
>
> I don't know of any keys/fobs with two way communication. It would
> simplify some things but make others more complicated. I worked on one
> a long time ago but it was never produced. It was not intended for
> cars and that might have made it harder.
Dealer was able to read from the key mileage of my car. How could this happen without two way communication? -- Waldek Hebisch
Waldek Hebisch <hebisch@antispam.uni.wroc.pl> writes:
> Dealer was able to read from the key mileage of my car. How could
> this happen without two way communication?
Very interesting. I had not heard of that before. Thanks.
On 15.12.2015 at 15:21, Anders.Montonen@kapsi.spam.stop.fi.invalid wrote:

> I don't remember where I heard this attack described, but:
> - When the user clicks the fob, an attacker records the transmission
> while also blocking reception by the car.
That's going to be very hard to do in practice. Usually there is just not enough spatial separation between the user and the car in that moment, and not enough time to set things up, because most people will walk only very few steps before they press their lock button. You would have seconds at most to move quite a bit of tech smack into the line-of-sight between the two. And receiving the very same signal coming from the right that you're trying to keep from reaching its intended receiver that's only a meter or two behind you requires some pretty finely tuned EM field manipulation. As in: antennas, and weird ones, too.
> - When the car doesn't react, the user clicks the fob again. The
> attacker also records the second signal.
So now you're suspiciously standing there smack between the guy and his car, having basically jumped into that spot, just as his key failed, and you're wielding some rather conspicuous gear. Not a good way to avoid being found out.
> - The attacker now replays the first signal, activating the lock. He
> still has the second signal with the next code in the sequence banked,
> and can use it to unlock the car.
If the user knows their car well, they may even notice the delay caused by this.
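The exchange above, seen from the car's side: an added example (not code from any poster; the fob's keyed encryption is replaced by an HMAC stand-in, and KEY, WINDOW, CLOCK_TOLERANCE and the slot values are constructed assumptions). It shows why a forward resync window leaves the banked second code valid even after the first one was forwarded, and how binding each code to a coarse timestamp, as Nobody suggested upthread, makes the delayed replay fail.

```python
import hmac
import hashlib

KEY = b"constructed-demo-key"  # constructed stand-in, not a real fob secret
WINDOW = 16                    # forward window: how far ahead the car resyncs
CLOCK_TOLERANCE = 2            # time slots (say 10 s each) a code stays valid


def rolling_code(counter: int, time_slot: int = 0) -> bytes:
    """Stand-in for the fob's keyed cipher: MAC over counter (and slot)."""
    msg = counter.to_bytes(4, "big") + time_slot.to_bytes(4, "big")
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:4]


class Receiver:
    """Car-side verifier. use_clock=True models the timestamp variant."""

    def __init__(self, use_clock: bool = False):
        self.counter = 0          # highest counter accepted so far
        self.use_clock = use_clock

    def accept(self, code: bytes, now: int = 0) -> bool:
        slots = range(now - CLOCK_TOLERANCE, now + 1) if self.use_clock else [0]
        for c in range(self.counter + 1, self.counter + 1 + WINDOW):
            for s in slots:
                if hmac.compare_digest(rolling_code(c, s), code):
                    self.counter = c  # c and everything below is now dead
                    return True
        return False


def simulate(use_clock: bool) -> dict:
    """Protocol view of the thread's scenario: presses 1 and 2 never reach
    the car directly; press 1 is forwarded, press 2 is kept for later."""
    car = Receiver(use_clock)
    slot = 100 if use_clock else 0            # fob only sends a slot if it has a clock
    press1 = rolling_code(1, slot)            # user presses at slot 100
    press2 = rolling_code(2, slot)            # presses again, same slot
    forwarded = car.accept(press1, now=100)   # forwarded press 1: car locks
    later = car.accept(press2, now=160)       # banked press 2, replayed a minute later
    repeat = car.accept(press1, now=160)      # plain replay of an already used code
    return {"forwarded": forwarded, "banked_later": later, "repeat": repeat}
```

Without a clock the banked code is accepted because counter 2 still sits inside the forward window; with slot-bound codes the receiver only tries recent slots, so the same replay is rejected, at the cost of the crystal and backup power discussed upthread.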
On 15.12.2015 at 21:25, Paul Rubin wrote:
> Waldek Hebisch <hebisch@math.uni.wroc.pl> writes:
>> And keys seem to have fancy functions that require processor (and
>> probably also two way communication)
>
> I don't know of any keys/fobs with two way communication.
Never heard of keyless entry and start systems, where you only need to have the key with you, but no need to take it out and press any buttons, then? Those do use two-way comms. They don't radio quite as far as your usual remote lock fob, though. And yes, the theft protection system is RFID, i.e. two-way, too.
Hans-Bernhard Bröker <HBBroeker@t-online.de> writes:
> Never heard of keyless entry and start systems, where you only need to
> have the key with you, but no need to take it out and press any
> buttons, then?
I guess I've heard of those but never seen one up close, so ok.
> And yes, the theft protection system is RFID, i.e. two-way, too.
I've seen keys with RFID but I don't think of that as similar to a remote.
On 15.12.2015 at 23:40, Paul Rubin wrote:
> Waldek Hebisch <hebisch@antispam.uni.wroc.pl> writes:
>> Dealer was able to read from the key mileage of my car. How could
>> this happen without two way communication?
>
> Very interesting. I had not heard of that before. Thanks.
BMW has been doing that for about a decade now, I think.
Hans-Bernhard Bröker <HBBroeker@t-online.de> wrote:
> On 15.12.2015 at 15:21, Anders.Montonen@kapsi.spam.stop.fi.invalid wrote:
>
>> I don't remember where I heard this attack described, but:
>> - When the user clicks the fob, an attacker records the transmission
>> while also blocking reception by the car.
> That's going to be very hard to do in practice. Usually there is just
> not enough spatial separation between the user and the car in that
> moment, and not enough time to set things up, because most people will
> walk only very few steps before they press their lock button.
You either plant the device in a parking spot, and wait and see who pulls up, or plant the device on the car in a targeted attack. -a
On 16/12/15 11:16, Hans-Bernhard Bröker wrote:
> On 15.12.2015 at 15:21, Anders.Montonen@kapsi.spam.stop.fi.invalid wrote:
>> I don't remember where I heard this attack described, but:
>> - When the user clicks the fob, an attacker records the transmission
>> while also blocking reception by the car.
> That's going to be very hard to do in practice.
I agree. You have to transmit enough power to stop the car hearing the fob, while still hearing it yourself. Unless you have two devices, your own transmit power will swamp your own receiver more than it swamps the car's one. Sure, it's been demonstrated at DEFCON, but that doesn't mean it would be easy to put into practice.