
car alarms: expiring code, not just hopping/rolling code


MonDie


Has anyone else looked into car alarms with expiring code? I want a car alarm that augments its rolling code with code expiration. It might not be an expensive feature—it seems less like an added feature and more like a security update to the code.

 

Thieves can intercept and replicate the signal from your remote key, so your keyfob communicates with the "brain" of the alarm system through a special dialogue called "rolling code" or "code hopping". Rolling code systems expire each used code and generate a new code for the next access attempt. Unfortunately rolling code is no longer enough, and expiring code is the change that will close the hole exposed by Kamkar's "RollJam".

 

WIRED; This Hacker's Tiny Device Unlocks Cars and Opens Garages (Andy Greenberg)

https://www.wired.com/2015/08/hackers-tiny-device-unlocks-cars-opens-garages/

To circumvent that security measure, RollJam uses an uncannily devious technique: The first time the victim presses their key fob, RollJam “jams” the signal with a pair of cheap radios that send out noise on the two common frequencies used by cars and garage door openers. At the same time, the hacking device listens with a third radio—one that’s more finely tuned to pick up the fob’s signal than the actual intended receiver—and records the user’s wireless code.

When that first signal is jammed and fails to unlock the door, the user naturally tries pressing the button again. On that second press, the RollJam is programmed to again jam the signal and record that second code, but also to simultaneously broadcast its first code. That replayed first code unlocks the door, and the user immediately forgets about the failed key press. But the RollJam has secretly stored away a second, still-usable code. “You think everything worked on the second time, and you drive home,” says Kamkar. “But I now have a second code, and I can use that to unlock your car.”

If the RollJam is attached to the car or hidden near a garage, it can repeat its jamming and interception indefinitely no matter how many times the car or garage door’s owner presses the key fob, replaying one code and storing away the next one in the sequence for the attacker.

 

[...]

 

Kamkar also says that Cadillac may be correct that its newest vehicles aren’t subject to the attack. The latest version of Keeloq’s chips, which the company calls Dual Keeloq, use a system of codes that expire over short time periods and foil his attack.

 

 

Arstechnica; Meet RollJam, the $30 device that jimmies car and garage doors (Dan Goodin)

https://arstechnica.com/security/2015/08/meet-rolljam-the-30-device-that-jimmies-car-and-garage-doors/

The reason many electronic locks are vulnerable to RollJam is that the rolling codes are invalidated only after it or a subsequent rolling code is received. Devices like the RSA SecurID, by contrast, cause validation codes to expire after a specific amount of time.

"Rolling codes should be valid only for limited period of time," Kamkar told Ars. "Code should be associated with a period of time."

At the moment, RollJam is about the size of a wallet, but with additional work it could be the size of a car key.

 

 

Edmunds; How to Protect your Car from Keyless-Entry Hacking (Patrick J. Kiger)

https://www.edmunds.com/car-news/technology/how-to-protect-your-car-from-keyless-entry-hacking.html

Vandelac has security cameras mounted around her home, but when she watched the video from around 2 a.m., she was puzzled.

"It was a group of four men who came down the driveway at the same time," she recalls. "Each went to a different side of the vehicles. Then one man took something out of his pocket — it looked to be about the size of a cell phone — and aimed it at the cars. Then, instantly, the lights went on and all four doors opened."

Vandelac is sure that both vehicles were locked. Nevertheless, the thieves apparently were able to open the vehicles' keyless-entry systems as readily as if they'd been using the smart keys that she says were inside her home.

The still-unsolved theft is just one of numerous reports over the past year, in locales ranging from Sausalito, California, and Yukon, Oklahoma, to Saginaw County, Michigan. Criminals are gaining entry to parked cars, apparently by tricking their keyless-entry systems into unlocking the doors.

None of the perpetrators have been caught, and the gadgetry they are using remains mysterious. But some electronic security experts believe that the criminals may be exploiting the convenience of keyless-entry systems, which are designed to detect and authenticate the smart key inside a car owner's pocket as he or she pulls on the door handle.

 

Edited by MonDie
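The jam-capture-replay sequence quoted above, and the "codes should be associated with a period of time" fix Kamkar describes to Ars, as an added simulation (not code from the thread or from any KeeLoq product). Everything here is an assumption for illustration: the code is a truncated HMAC over a 32-bit press counter, the receiver accepts a counter at most 16 ahead of the last one it saw, and the "expiring" variant additionally binds each code to a coarse time slot that both fob and car derive from their own clocks. The first function shows why naive replay already fails against rolling code; the second shows why RollJam still wins, and how a time slot narrows its window.

```python
import hashlib
import hmac

SHARED_KEY = b"\x00" * 16   # constructed per-fob secret, provisioned into both fob and car
WINDOW = 16                 # receiver resynchronises if the counter is at most 16 ahead


def make_code(key, counter, slot):
    """A rolling code here is a 32-bit MAC over the transmit counter; a time-slotted
    (expiring) code also binds the current time slot. Assumed construction."""
    msg = counter.to_bytes(4, "big") + slot.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


class Fob:
    def __init__(self, key):
        self.key = key
        self.counter = 0

    def press(self, slot=0):
        self.counter += 1
        return (self.counter, slot, make_code(self.key, self.counter, slot))


class Receiver:
    def __init__(self, key, expiring=False):
        self.key = key
        self.last = 0              # highest counter accepted so far
        self.expiring = expiring

    def accept(self, code, now_slot=0):
        counter, slot, tag = code
        if not hmac.compare_digest(tag, make_code(self.key, counter, slot)):
            return False           # wrong key, or tampered code
        if self.expiring and slot != now_slot:
            return False           # code carries a stale time slot: expired
        if not (self.last < counter <= self.last + WINDOW):
            return False           # already used (replay) or too far ahead
        self.last = counter
        return True


def plain_replay(fob, car):
    """Naive replay of a code the car has already consumed: rolling code stops this."""
    code = fob.press()
    return car.accept(code), car.accept(code)


def rolljam(fob, car, slots=(0, 0, 0)):
    """Jam-capture-replay as Kamkar describes it. slots[0] and slots[1] are the time
    slots of the owner's two presses; slots[2] is when the thief comes back."""
    c1 = fob.press(slots[0])                  # press 1: jammed, car never sees it, thief records c1
    c2 = fob.press(slots[1])                  # press 2: jammed again, thief records c2 ...
    owner_got_in = car.accept(c1, slots[1])   # ... and replays c1, so the owner gets in
    thief_got_in = car.accept(c2, slots[2])   # later the thief replays the still-unused c2
    return owner_got_in, thief_got_in


if __name__ == "__main__":
    print(plain_replay(Fob(SHARED_KEY), Receiver(SHARED_KEY)))                        # (True, False)
    print(rolljam(Fob(SHARED_KEY), Receiver(SHARED_KEY)))                             # (True, True)
    print(rolljam(Fob(SHARED_KEY), Receiver(SHARED_KEY, expiring=True), (0, 0, 5)))   # (True, False)
    print(rolljam(Fob(SHARED_KEY), Receiver(SHARED_KEY, expiring=True), (0, 0, 0)))   # (True, True)
```

The last call is the caveat a practitioner should keep in mind: a time slot only shrinks the thief's window to the length of one slot. A RollJam left attached to the car, replaying each press and banking the next one continuously, is still inside that window, and a real design also has to tolerate clock drift between fob and car, which widens the slot further.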

I don't understand rolling code authentication systems let alone those with expiring codes. Nevertheless, I think it should hinder attacks in instances where the device "is attached to the car or hidden near a garage." The tell is that you have to push the button twice before gaining access. If the RollJam device is hidden, however, then this is only true on the first instance, and thereafter it can seamlessly mimic normal functioning, simultaneously jamming your signal and broadcasting its stored signal. Expiring the code that was stored by the RollJam device would require the RollJam device to perform this first step again.

 

In retrospect, I'm finding the Edmunds quote misleading. In my opinion, your keyless entry system should not be seen as a weakness, but rather the car alarm should be seen as augmenting the traditional lock. Entry by key can be exploited too, with other, lower-tech methods: lock picking, key duplication, jimmying through the weather-stripping. I have picked padlocks, but you will gradually scratch up the keyway if you are unskilled. I've never tried to pick a car lock, for jimmying has always been the easier option. Both of these methods are useful for owners who have lost the key. On the other hand, a thief will probably prefer to borrow your key long enough to create a duplicate. Apparently it doesn't require much time or special equipment, and afterward the thief will have convenient, inconspicuous access. This is why you should have a car alarm too, in my opinion.


RFID immobilizers add a layer of computerized security to the task of key duplication, but they have their own weaknesses and they prevent the thief from starting the car.

https://arstechnica.com/security/2015/08/researchers-reveal-electronic-car-lock-hack-after-2-year-injunction-by-volkswagen/

Edited by MonDie

Can't the signal between the lock device and the receiver just be encrypted?

 

 

 

No, they just put a device near your car to record the signal and generate that signal when you are gone. It is irrelevant whether the signal is encrypted or not.


Can't the signal between the lock device and the receiver just be encrypted?

 

The keyword is "just". Encryption might be useful in a more complex system. As far as I can tell it is a one-way connection, going from the remote key to a computer control unit ("brain") that generates predictable codes in a sequence. I could fathom a two-way connection to a brain that is always generating new codes randomly. The brain would broadcast the code in encrypted form, and the remote key would have the key to decrypt it. I think this is essentially what happens in systems like HTTPS that utilize Secure Socket Layer (SSL) encryption. At the outset an encryption key is exchanged between server and client, and that key is used for ongoing, encrypted communication. Thus an eavesdropper will only have the key if they were eavesdropping from the very start.

[sic]

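The two-way design sketched in the post above (the brain sends a fresh random value, and only the real key can answer it) is challenge-response authentication. The following is an added example of that exchange with both sides' messages, not code from the thread: it uses a keyed MAC rather than the "encrypt a random code" wording of the post, but the security property is the same. The shared key and the `b"unlock"` label are constructed for the example.

```python
import hashlib
import hmac
import os

KEY = b"\x01" * 16   # constructed secret shared by car and key


class CarBrain:
    """Car side: issues a fresh random challenge per unlock attempt and
    accepts exactly one answer to it."""

    def __init__(self, key):
        self.key = key
        self.pending = None

    def challenge(self):
        self.pending = os.urandom(16)      # random nonce, never reused
        return self.pending

    def verify(self, response):
        if self.pending is None:
            return False
        nonce, self.pending = self.pending, None          # consume the challenge
        expected = hmac.new(self.key, nonce + b"unlock", hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class RemoteKey:
    """Key side: proves knowledge of the shared key without ever transmitting it."""

    def __init__(self, key):
        self.key = key

    def answer(self, nonce):
        return hmac.new(self.key, nonce + b"unlock", hashlib.sha256).digest()


def legitimate_unlock(car, key):
    return car.verify(key.answer(car.challenge()))


def record_and_replay(car, key):
    """A thief records the key's answer during one legitimate unlock and
    later feeds it back to the car, which is now waiting on a new challenge."""
    recorded = key.answer(car.challenge())
    first = car.verify(recorded)
    car.challenge()                    # next attempt: new nonce, old answer is worthless
    return first, car.verify(recorded)


if __name__ == "__main__":
    car, key = CarBrain(KEY), RemoteKey(KEY)
    print(legitimate_unlock(car, key))          # True
    print(record_and_replay(car, key))          # (True, False)
```

What this does not solve is the Edmunds scenario later in the thread: if the real key is within range (or its signal is relayed from inside the house), it will happily answer any challenge the car sends, so challenge-response defeats recording and replay but not a live relay.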

 

The keyword is "just". Encryption might be useful in a more complex system. As far as I can tell it is a one-way connection, going from the remote key to a computer control unit ("brain") that generates predictable codes in a sequence. I could fathom a two-way connection to a brain that is always generating new codes randomly. The brain would broadcast the code in encrypted form, and the remote key would have the key to decrypt it. I think this is essentially what happens in systems like HTTPS that utilize Secure Socket Layer (SSL) encryption. At the outset an encryption key is exchanged between server and client, and that key is used for ongoing, encrypted communication. Thus an eavesdropper will only have the key if they were eavesdropping from the very start.

[sic]

Right


Could the thief decrypt the intercepted code given enough time and enough computing power? This is the case for a hacker decrypting computer files or systems, but is this the case because the hacker already vaguely knows what decrypted code should look like? In the scenario above we are using a randomly generated key to encrypt ... another randomly generated key.


Alas, encryption has been used for immobilizers and weaknesses were discovered.

 

Arstechnica; Researchers reveal electronic car lock hack after 2-year injunction by Volkswagen (Sean Gallagher)

https://arstechnica.com/security/2015/08/researchers-reveal-electronic-car-lock-hack-after-2-year-injunction-by-volkswagen/

By eavesdropping on the radio exchange between the Megamos Crypto system and the key only twice, the researchers were able to dramatically reduce the size of the pool of potential matches to the system's 96-bit secret key. Because the system allowed unlimited attempts to authenticate, Verdult, Garcia, and Ege were able to recover the secret key within "3 x 2^16" (196,607) tries with "negligible computational complexity." It all took less than 30 minutes. Some car manufacturers used weaker keys, and the researchers were able to recover the secret key in just a few minutes with a laptop computer.

The reality is that you would need at a minimum

 

a. A manufacturer identifier

b. A unique car id which should probably be in ipv6 or similar

c. A unique changing password with encryption

 

and it would all have to fit into the very small form-factor of a car key.


The reality is that you would need at a minimum

 

a. A manufacturer identifier

b. A unique car id which should probably be in ipv6 or similar

c. A unique changing password with encryption

 

and it would all have to fit into the very small form-factor of a car key.

 

Make it optional. A woman who keeps the key in her purse might opt for the larger, encrypted version.

Regardless, I'm concerned that the thieves might pick up on the manufacturer's signature, allowing the thieves to shrink the pool of possible encryption keys by testing them against the manufacturer's signature. The manufacturer ID should be a brief snippet of code relative to the encryption key, or otherwise it should be a dynamic signature.

Edited by MonDie

Regardless, I'm concerned that the thieves might pick up on the manufacturer's signature, allowing the thieves to shrink the pool of possible encryption keys by testing them against the manufacturer's signature. The manufacturer ID should be a brief snippet of code relative to the encryption key, or otherwise it should be a dynamic signature.

 

 

The manufacturer ID and car ID are to ensure that your key fob won't open the car next to yours, not to stop the thieves from accessing your car; that would be a number of unique changing passwords set by yourself. Say when I open my car with one password, then it will switch to the next password.


 

 

The manufacturer ID and car ID are to ensure that your key fob won't open the car next to yours, not to stop the thieves from accessing your car; that would be a number of unique changing passwords set by yourself. Say when I open my car with one password, then it will switch to the next password.

 

And it might create a weakness. Step 1: Intercept the transmission of the encrypted code. Step 2: Determine where the manufacturer ID is in the decrypted code. Step 3: Use your relatively powerful laptop to test possible encryption keys by inspecting the output for the manufacturer ID.

 

:doh:

 

I take it the manufacturer ID would not be encrypted.

Edited by MonDie

And it might create a weakness. Step 1: Intercept the transmission of the encrypted code. Step 2: Determine where the manufacturer ID is in the decrypted code. Step 3: Use your relatively powerful laptop to test possible encryption keys by inspecting the output for the manufacturer ID.

 

 

Encryption is kinda irrelevant; a password is a password, encrypted or not. The idea is the thief doesn't know all the passwords you are using.

 

You would have

Manufacturer ID.Car ID number. Password . function(open/close)

 

then a list of possible passwords

a

b

c

d

e

 

and iterate through them each time you open or close the car. The thief should never know what the next password is going to be.


Can't the signal between the lock device and the receiver just be encrypted?

Maybe I should have left HTTPS and SSL out of this since I never really understood asymmetric key systems.

 

Aaaaannnyway we have more reading material.

 

TB003 An Introduction to Keeloq Code Hopping (Kobus Marneweck, Microchip Technology Inc)

http://ww1.microchip.com/downloads/en/AppNotes/91002a.pdf

 

It turns out that KeeLoq (the original that was later succeeded by Dual KeeLoq) is actually an encryption cipher that was sold to Microchip Technology Inc. Yes, KeeLoq systems are encrypted, and they were considered secure at first. KeeLoq locks and unlocks with a relatively long, 66-bit code consisting of a "34-bit fixed portion" and a "32-bit encrypted portion", and KeeLoq uses a 64-bit encryption key that encrypts "information regarding transmitter identity and synchronization." The Keeloq system became less secure in 2007, when somebody leaked proprietary information about its functioning.

 

Researchers Crack KeeLoq code for Car Keys (Kim Zetter)

https://www.wired.com/2007/08/researchers-cra

 

 

The KeeLoq technology, which is licensed by Microchip Technology to car makers and other entities, has long been considered to be pretty secure. Each KeeLoq key or key fob uses a unique value, out of billions and billions of possibilities, to unlock a car.

 

But after proprietary information about KeeLoq was leaked to a Russian hacking web site (pdf) last year, the five researchers, from the University of Leuven as well as the Hebrew University and the Technion in Israel, began examining the system for vulnerabilities. Within three to five days Dunkelman says they developed their first basic attack, then spent months refining their technique.

The attack involves probing a digital key wirelessly by sending 65,000 challenge/response queries to it. Once the researchers collect 65,000 responses – which takes about an hour – they use software they designed to decipher that key’s unique code. The deciphering currently takes about a day using a dedicated computer. But once they’ve cracked one key, they know 36 bits of the 64 bits they need to know. Those 36 bits are identical for every car model a manufacturer makes (different car models will vary only slightly).

 

 

In fact, it looks like most transmitters, not just KeeLoq's, were using encryption already.

 

"There is one master key from which is derived the key for each car a company makes," says Orr Dunkelman, a researcher from the University of Leuven in Belgium who worked on the project with four colleagues.

 

 

 

 

Can other people unlock my car door with their remote? (Patrick E George, HowStuffWorks)

http://electronics.howstuffworks.com/gadgets/automotive/unlock-car-door-remote1.htm

 

Before this rolling code system was developed, thieves were able to use electronic devices called "code grabbers" to lock onto your keyfob's unique signal. With rolling codes, the signal is unique every time, rendering a code grabber device useless [source: Lake].

In addition, the code is stored inside the car, not within the keyfob. A thief would need to break into the car to access the code, which defeats the purpose of getting it in the first place.

The numbers generated when the code hops is random. However, in theory, an astute hacker dead-set on stealing your car could find a way to anticipate the next code in the sequence. For this reason, the codes are encrypted as well, making each electronic keyfob have billions of possible codes.

 

Edited by MonDie
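The post above describes the KeeLoq transmission as a 66-bit code with a 34-bit fixed portion and a 32-bit portion encrypted under a 64-bit key. As an added example (not code from the thread, the TB003 note, or Microchip), here is the published KeeLoq block cipher (the 0x3A5C742E non-linear function, 528 rounds) together with an encoder and decoder for such a frame. The field layout inside each portion is my reading of the HCS-series convention and is an assumption: fixed portion = 2 status bits, 4 function bits, 28-bit serial; hopping portion = 4 function bits, 12 discrimination bits (the low 10 bits of the serial plus 2 overflow bits, here zero), 16-bit sync counter. Bit order on the air is not modelled, and no official test vector is used, only an encrypt/decrypt round trip.

```python
NLF = 0x3A5C742E          # KeeLoq non-linear function, indexed by five state bits
ROUNDS = 528
MASK32 = 0xFFFFFFFF
MASK64 = (1 << 64) - 1


def _bit(x, n):
    return (x >> n) & 1


def _nlf(x, a, b, c, d, e):
    idx = (_bit(x, a) | _bit(x, b) << 1 | _bit(x, c) << 2
           | _bit(x, d) << 3 | _bit(x, e) << 4)
    return _bit(NLF, idx)


def keeloq_encrypt(block, key):
    """Shift register with a key bit and the NLF fed back into the top bit."""
    x, key = block & MASK32, key & MASK64
    for r in range(ROUNDS):
        fb = _bit(x, 0) ^ _bit(x, 16) ^ _bit(key, r & 63) ^ _nlf(x, 1, 9, 20, 26, 31)
        x = (x >> 1) | (fb << 31)
    return x


def keeloq_decrypt(block, key):
    """Runs the rounds backwards; key bits are consumed from index 15 downwards."""
    x, key = block & MASK32, key & MASK64
    for r in range(ROUNDS):
        fb = _bit(x, 31) ^ _bit(x, 15) ^ _bit(key, (15 - r) & 63) ^ _nlf(x, 0, 8, 19, 25, 30)
        x = ((x << 1) & MASK32) | fb
    return x


def build_frame(serial, func, counter, key, status=0):
    """66-bit frame as an integer: 34-bit fixed portion above the 32-bit hopping code."""
    disc = serial & 0x3FF                       # assumed: discrimination = low 10 bits of serial
    hop_plain = (func << 28) | (disc << 16) | (counter & 0xFFFF)
    hop = keeloq_encrypt(hop_plain, key)
    fixed = (status << 32) | (func << 28) | (serial & 0x0FFFFFFF)
    return (fixed << 32) | hop


def parse_frame(frame, key):
    """Split the frame and decrypt the hopping code with the receiver's copy of the key."""
    hop, fixed = frame & MASK32, frame >> 32
    plain = keeloq_decrypt(hop, key)
    return {
        "serial": fixed & 0x0FFFFFFF,
        "func": (fixed >> 28) & 0xF,
        "status": (fixed >> 32) & 0x3,
        "counter": plain & 0xFFFF,
        "disc": (plain >> 16) & 0x3FF,
        "hop_func": (plain >> 28) & 0xF,
    }


def receiver_check(frame, key, last_counter, window=16):
    """What the 'brain' does per press: decrypt, sanity-check the plaintext, then
    enforce the counter window. Returns (accepted, new_last_counter)."""
    f = parse_frame(frame, key)
    if f["disc"] != (f["serial"] & 0x3FF) or f["hop_func"] != f["func"]:
        return False, last_counter      # wrong key or corrupted frame decrypts to garbage
    if not (last_counter < f["counter"] <= last_counter + window):
        return False, last_counter      # replay (already used) or too far out of sync
    return True, f["counter"]


if __name__ == "__main__":
    K = 0x0123456789ABCDEF                       # constructed 64-bit device key
    fr1 = build_frame(0x0ABCDEF, 0x2, 0x0010, K)
    fr2 = build_frame(0x0ABCDEF, 0x2, 0x0011, K)
    print(hex(fr1 >> 32) == hex(fr2 >> 32))      # True: fixed portion identical every press
    print((fr1 & MASK32) != (fr2 & MASK32))      # True: encrypted portion changes every press
    ok, last = receiver_check(fr1, K, 0)
    print(ok, receiver_check(fr1, K, last)[0])   # True False: a replayed frame is refused
```

The discrimination check is what lets the receiver reject garbage quickly; the 28-bit serial in the fixed portion is sent in the clear, which is why the 2007 result quoted above matters so much: once the manufacturer-wide bits of the key are known, the serial is most of what is left to derive an individual fob's key.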

My key has a data connection with the car when it's on the dashboard (it logs error codes). It would be an added security measure if it used that connection to also pass newly created codes. Obviously if you just unlock and then lock your car without using the key to drive you'd have to rely on the old method, but that would reduce the opportunities for interception.


It would be interesting to see if it was possible to make a smartphone app to unlock the car. Phones already have a lot of the tech needed in them and it would be one less thing to carry.

Would a quick method of dual authentication when using your phone be feasible?

Edited by StringJunky

Would a quick method of dual authentication when using your phone be feasible?

 

 

Absolutely. What I can imagine is that you could have a small circuit added to your phone which would have an antenna operating on the same frequencies as the car key. It can function similarly to the existing car keys, which are really very simple: they have a battery which is connected to a ROM chip or small microcontroller and switches; when the key is pressed, the ROM chip sends the signal to the antenna, which opens or closes your car. If you had a phone with the circuit it should be possible to replace your existing key with it by recording the signal your key already sends.

 

Edited by fiveworlds
