[HN Gopher] Various Honda vehicles send the same, unencrypted RF...
___________________________________________________________________
Various Honda vehicles send the same, unencrypted RF signal for
each door-open
Author : belter
Score : 261 points
Date : 2022-03-25 17:10 UTC (5 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| jeffbee wrote:
| Not going to get all worked up over this because I remember that
| I owned a 1985 Mazda and the key for it would open and start
| every 1979-1985 Mazda in town. Objectively we've come a long way.
| asdff wrote:
| It seems like there is a lot of security in just physical stuff.
| A car that needs you to use a key to unlock the door vs a signal
| that can be intercepted. A scrap of unimportant looking paper
| containing passwords vs a compromised password manager. It makes
| the attack surface so much smaller since, unless you are some
| VIP, chances are no one is going to ever root around your home
| for internet account passwords on scraps of paper. Software used
| by thousands of people presents an attractive target given the
| work vs reward ratio is so much more favorable, and imo it's not a
| matter of if, but when, these systems do end up compromised.
|
| Maybe security in the future starts looking less like obfuscated
| software solutions, and more like simple analog solutions that
| ultimately require an operator on location, and are therefore too
| expensive to carry out to the scale that electronic crime has
| taken place in the past few decades.
| GekkePrutser wrote:
| This is a joke...
|
| For a 2005 vehicle this would be understandable. For 2016-2020
| model years absolutely not.
| pluc wrote:
| Civics too, which (used to be?) one of the top cars sold in
| North America (or at least in Canada)
| 1024core wrote:
| Can you monitor the frequency 433.215MHz via GnuRadio and a standard
| RTL SDR DVB USB device?
| runjake wrote:
| Yes. You can even listen to the warble of the codes. And those
| of my, well your, neighbors.
|
| I did my own research (albeit not as far as this person) a
| couple years back and the 2018 CR-V is also vulnerable.
| mytdi wrote:
| Maybe it's similar to the TPMS (tire pressure monitoring
| system) as talked about here:
| https://news.ycombinator.com/item?id=30619612
| ctoth wrote:
| What you're looking for is RTL433[0].
|
| [0]: https://github.com/merbanan/rtl_433
| prova_modena wrote:
| Yes you should be able to, or with slightly more friendly
| software like gQRX or SDRSharp. It also looks like you can
| receive and decode the key signals using rtl_433[0] with option
| -R 64. Although it's a bit confusing looking at the source for
| the honda key rtl_433 decoder, as the author states it does not
| decrypt the rolling code.[1] According to the CVE there is no
| rolling code.
|
| [0] https://github.com/merbanan/rtl_433
|
| [1]
| https://github.com/merbanan/rtl_433/blob/master/src/devices/...
| sequoia wrote:
| Headline is confusing: the _vehicles_ are not sending signals,
| key fobs are sending signals (on click) and those signals do not
| change, so if someone records & plays back your "door unlock"
| signal they can unlock your door.
|
| The way this was written, I thought cars were sending signals to
| one another somehow.
|
| Furthermore, the "vehicles sending the same signal" refers not to
| a single signal shared between vehicles. It means vehicle X
| consistently relies on "the same" (unchanging) signal X, vehicle
| Y consistently relies on "the same" (unchanging) signal Y etc. As
| written, it sounds like every single honda of the same year &
| make uses _one, shared signal_ which is not what is meant, unless
| I'm mistaken.
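The difference between an unchanging signal and a changing one, seen from the receiver's side, as an added example that is not part of the thread and not any vehicle's firmware. The frame layout, HMAC-SHA256 tag, key, fob ID and window size are assumptions made for illustration; all sample values are constructed.

```python
import hashlib
import hmac
import struct

HEADER = ">IIB"                       # fob id, counter, command (assumed layout)
HEADER_LEN = struct.calcsize(HEADER)  # 9 bytes
TAG_LEN = 8                           # truncated HMAC-SHA256 tag (assumption)
WINDOW = 16                           # counters accepted ahead of the last one
UNLOCK = 0x01


class StaticReceiver:
    """The behaviour described in the thread: one unchanging frame per command."""

    def __init__(self, unlock_frame):
        self._unlock = unlock_frame

    def accept(self, frame):
        return hmac.compare_digest(frame, self._unlock)


def build_frame(key, fob_id, counter, command):
    header = struct.pack(HEADER, fob_id, counter, command)
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


class RollingFob:
    def __init__(self, key, fob_id):
        self.key, self.fob_id, self.counter = key, fob_id, 0

    def press(self, command):
        self.counter += 1  # every press consumes a counter value, heard or not
        return build_frame(self.key, self.fob_id, self.counter, command)


class RollingReceiver:
    def __init__(self, key, fob_id):
        self.key, self.fob_id, self.last = key, fob_id, 0

    def accept(self, frame):
        if len(frame) != HEADER_LEN + TAG_LEN:
            return False
        header, tag = frame[:HEADER_LEN], frame[HEADER_LEN:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or modified frame
        fob_id, counter, _command = struct.unpack(HEADER, header)
        if fob_id != self.fob_id:
            return False
        if not (self.last < counter <= self.last + WINDOW):
            return False  # already seen (replay) or too far ahead (needs re-sync)
        self.last = counter
        return True


def demo():
    results = {}

    # Static scheme: the frame the receiver saw once is valid forever.
    static_frame = bytes.fromhex("a5a5a5a501")  # constructed sample frame
    static_rx = StaticReceiver(static_frame)
    results["static_first"] = static_rx.accept(static_frame)
    results["static_replay"] = static_rx.accept(static_frame)

    # Rolling scheme: same recording, presented a second time.
    key = b"constructed-demo-key-not-real!!"  # constructed key
    fob = RollingFob(key, 0x1234)
    rx = RollingReceiver(key, 0x1234)
    first = fob.press(UNLOCK)
    results["rolling_first"] = rx.accept(first)
    results["rolling_replay"] = rx.accept(first)

    # A few presses out of range still leave the fob inside the window.
    for _ in range(3):
        fob.press(UNLOCK)
    results["rolling_after_missed"] = rx.accept(fob.press(UNLOCK))

    # Changing the command byte of a genuine frame breaks the tag.
    tampered = bytearray(fob.press(UNLOCK))
    tampered[HEADER_LEN - 1] ^= 0x03
    results["rolling_tampered"] = rx.accept(bytes(tampered))

    # Many presses out of range push the fob past the window.
    for _ in range(20):
        fob.press(UNLOCK)
    results["rolling_out_of_window"] = rx.accept(fob.press(UNLOCK))
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:24} {'accepted' if accepted else 'rejected'}")
```

The counter check only rejects frames the receiver has already accepted; it does nothing against the relay attacks discussed further down the thread, where the live fob is made to answer from a distance.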
| [deleted]
| [deleted]
| rovr138 wrote:
| I thought the same, but upon reading, I agree with your
| interpretation.
| Bud wrote:
| Pretty bad for a system as crucial as this to be this bad in
| 2020. Honda ought to know better.
| liveoneggs wrote:
| 1990s Hondas all used the same keys. You could, literally, steal
| a car by accident using your own key.
| marricks wrote:
| Any source for this? That's completely wild.
| liveoneggs wrote:
| aside from my high school parking lot google for terms like
| "honda civic same key" :)
|
| https://honda-tech.com/forums/honda-civic-del-sol-1992-2000-...
|
| https://honda-tech.com/forums/honda-civic-del-sol-1992-2000-...
|
| https://honda-tech.com/forums/honda-civic-del-sol-1992-2000-...
|
| I guess the real answer is that any key/lock that isn't
| 1-year-new is worn down enough to fit any other honda.
|
| I'm not sure they take security that seriously.
| marricks wrote:
| Ahh, I searched 1990s Honda same key and it was too broad.
|
| That is hilarious
| colechristensen wrote:
| Likewise for a huge range of years and models, all Ford
| commercial vehicles had the same key.
| johnvaluk wrote:
| Did you lock your keys in your trunk and need your key to
| unlock the trunk release? No problem, just pull off the casing
| with your hand and poke the mechanism with a stick. Let's face
| it, car security is generally a game of rock, crowbar,
| towtruck.
| walrus01 wrote:
| see also, from just 4 hours ago:
|
| "Have a car with a push-to-start ignition? Here's how it could
| end up stolen and overseas"
|
| https://www.cbc.ca/news/canada/marketplace-car-thefts-1.6396...
| matthewdgreen wrote:
| 2017 and 2018 vehicles. That's pretty surprisingly recent!
|
| I understand that, in general, door locks aren't considered to be
| very high-security in vehicles: doors can be opened in other
| ways. But remote start is a very big deal. Article doesn't
| mention whether the car prevents people from driving away after
| it's been started. I would have loved to see a portion of the
| video where they tried to shift into D and move the car.
| neoecos wrote:
| Remote start just turns on the car but you're not able to
| drive. Driving requires the key to be near; that's the PKE
| system referenced in the article.
| krnlpnc wrote:
| Typically as soon as you touch the brake pedal (which is
| required to shift from park in an automatic) the engine will
| cut if the key is not present.
| PaulHoule wrote:
| Once you get the door open you can usually plug a programmer
| into the OBD-2 port under the steering wheel and pair a new key
| fob, then drive away.
|
| Back in the day it was pretty easy to get the door open like
| this
|
| https://www.wikihow.com/Use-a-Slim-Jim
| hereforphone wrote:
| Don't all or nearly all modern vehicles use OBD-3?
| core-utility wrote:
| My 2017 and 2018 vehicles have OBD-II
| bri3d wrote:
| There is no such thing as OBD-3 currently.
|
| All cars sold in the US since 2008 use ISO 15765-4 OBD over
| CAN for emissions diagnosis, and almost all use ISO 14229
| UDS for manufacturer/dealership diagnosis.
| PaulHoule wrote:
| https://straighttalkautomotive.com/articles/have-you-heard-o...
|
| The intent of OBD-III is to use some kind of wireless
| mechanism to notify the state that your check engine
| light is on. In California, for instance, you have to
| pass a smog check every six months, so people driving
| four months with a failed emission control system are
| contributing a lot of emissions.
|
| It's been hung up forever because of privacy concerns,
| fears about rent seeking (being forced to buy a cell
| phone plan for your car), etc.
|
| These sort of applications
|
| https://www.nhtsa.gov/technology-innovation/vehicle-vehicle-...
|
| are also hung up indefinitely because the cell phone
| industry is pushing "secure" solutions that involve
| cellular infrastructure but not promising to invest
| enough in their network to cover all the places you might
| want them. That and the rent seeking, privacy, etc.
| gabrielsroka wrote:
| > In California, for instance, you have to pass a smog
| check every six months
|
| I live in California and you only have to do it every
| other year [0]. My car is almost 30 years old, not super
| well maintained, and it's never failed.
|
| [0]
| https://www.bar.ca.gov/Consumer/Smog_Check_Program/FAQ
| lotsofpulp wrote:
| If your car has a check engine light on, you can also
| unplug the battery overnight, connect it in the morning,
| drive 40 to 70 miles in a mix of city and highway
| conditions, and take it immediately to the inspection
| station before the check engine light comes on.
|
| There is usually a window between when the car will
| report there is not enough data to pass the emissions
| test, and when the car reports a failure of the emissions
| test. Maybe try unplugging the battery every night for a
| week and you can get a good idea of when you can get it
| inspected and passed.
| elygre wrote:
| Or just fix your car.
| sokoloff wrote:
| That's what most people do for a repeatable issue, but
| there are "gremlin cases" where a car in otherwise good
| repair will somewhat randomly set a MIL code.
|
| Wife's 2005 CR-V will around once per year set P0325
| (knock sensor, bank 1). I've replaced the knock sensor
| [twice], rang out the wiring, and checked/cleaned all the
| connectors. It's a 17.5 year old car with ~225K miles on
| it that sets a code once a year. It's not going to get
| any more fixed than it already is.
| lotsofpulp wrote:
| Catalytic converters are an expensive fix. It might not
| be worth it to fix the car.
|
| Alternative option is to sell the car to someone in a
| state that does not require emissions testing.
|
| Also, if someone steals your catalytic converter, and
| there is not much damage, it is possible to "straight
| pipe" it for cheap and just not put in a catalytic
| converter. Although, I would assume inspection stations
| have cameras or mirrors where they can see the bottom of
| the car, so this might only be worth it in states that do
| not do inspections.
| kube-system wrote:
| Not sure which particular protocol(s), but OBD-II was
| generally required for all cars from 1996 up in the US
| for emissions testing purposes.
| bri3d wrote:
| Prior to 2008, OBD-II had several allowed wire protocols
| - SAE J1850 PWM (Ford), SAE J1850 VPW (GM), ISO 14230
| KWP2000 (most other vendors), or ISO 15765 (OBD over
| CAN). In 2008, the US requirement switched to exclusively
| ISO 15765 OBD over CAN.
| macintux wrote:
| I've been researching OBD-2 port physical locks, since I
| drive doorless most of the summer. Not much available.
| qbasic_forever wrote:
| Does the hood or hood latch lock? If so just disconnect the
| battery negative after parking. Anyone that plugs anything
| into the OBD-2 while you're gone is going to get an
| unresponsive system. I doubt they're going to take the time
| to troubleshoot, pry open the hood and reconnect the
| battery, etc.
| macintux wrote:
| Hood doesn't lock, and the dual battery setup (for ESS)
| is much too failure-prone on my Jeep.
| post-it wrote:
| Having to unlock and crack your hood every time you park
| takes away some of the coolness and convenience of a
| doorless Wrangler.
| Zircom wrote:
| Could rig up a switch somewhere inside the car near the
| driver's seat pretty easily. I had an old motorcycle with
| some kind of electrical issue that would drain the
| battery if I left it off for more than a day at a time.
|
| But instead of spending days and weeks chasing it down, I
| spent maybe $30 on a battery cover with a little hidden
| flip switch. It was originally designed for turning on
| (illegal in my state) under lights, but I modified it
| slightly and had the switch connected to the ground
| terminal instead, so whenever I got off the bike I'd flip
| the switch and boom, problem solved, no more dead bike.
| qbasic_forever wrote:
| As a Jeep owner (an older one), get used to chasing
| electrical gremlins now and just put a battery kill
| switch on it. :)
| Scoundreller wrote:
| Just rewire the pins and build your own jig that reverses
| it (or undo rewiring as needed).
|
| Might be able to short the right data pins from behind to
| ground and rip that out as needed. Or a hidden switch that
| does that.
| macintux wrote:
| I'm reluctant to mess with the wiring on a brand new
| vehicle; a lock would make me much happier.
| javajosh wrote:
| Also reversing pins would be something that is very easy
| to forget - you end up shooting yourself in the foot!
| vgeek wrote:
| https://autocyb.com/shop/ is this the leading contender?
| macintux wrote:
| I don't think I'd come across that one. It probably would
| be, but the website sends me to some 3rd party spam site
| every time I click a link.
| qbasic_forever wrote:
| I would be shocked if OBD-2 is used for any key programming.
| They're almost certainly using a CAN bus (modern cars have
| both, OBD-2 strictly for legacy emissions testing and
| multiple CAN buses for everything else). Not that a CAN bus
| is any less accessible or more secure, but in almost all
| cases to do anything non-trivial over CAN like key
| programming requires the $20k dealer computer system (which
| is specific to every manufacturer and sometimes even model of
| car) or some serious reverse engineering chops and weeks of
| time to figure it out.
| mox1 wrote:
| I believe he meant the physical OBD-2 port.
|
| As an analogy: One can access a computer's PCI bus over the
| Thunderbolt / USB-C connector, given the correct situation.
| bri3d wrote:
| The OBD port exposes a diagnostic interface on most cars,
| either K-Line or CAN.
|
| And indeed, many cars in the early 2000s supported key
| enrollment without cryptographic material using diagnostic
| tools, so it was only a matter of sniffing a dealership
| tool.
|
| More modern cars from most manufacturers require
| cryptographic material from a central server to enroll
| keys. These systems are still often broken (look up XHorse
| for a popular product in this space) but generally require
| more in-depth physical access or complex software exploits
| to bypass the signing process or extract private key
| material from hardware.
| qbasic_forever wrote:
| My '05 Holden has multiple buses and I imagine every car
| of that era and beyond is the same. One is OBD-2 and
| accessible under the steering wheel. It _only_ has the
| mandated emissions equipment info connected to it, like
| oxygen sensor readings and such.
|
| It has an entirely separate and different physical
| connector for a CAN bus, one in the engine bay and
| another under the driver seat IIRC. This one has all the
| goodies--locks, entertainment system, full engine
| diagnostics and sensors, etc. I actually have the full
| factory service manual for the car and key programming is
| only possible with GM's tech 2 computer system connected
| to the CAN bus, not OBD-2.
| bri3d wrote:
| This split-connectors model is actually quite uncommon.
| Many newer cars have either a single CAN bus, a "Gateway"
| module which bridges Diagnostic CAN accessible through
| the OBD port to the various CAN buses used inside of the
| car, or Ethernet / DoIP exposed over "unused" pins on the
| OBD connector.
|
| For example, on modern VW AG cars, key programming is
| performed over the OBD connector, using specific UDS
| readLocalIdentifier and writeLocalIdentifier requests,
| but the data involved in the Immobilizer is both signed
| and encrypted using secret keys on a VW server (called
| FAZIT) over a subscription system called GeKo. The dealer
| diagnostic tool essentially sets up a tunnel over UDS
| between the Immobilizer software module in a control unit
| and the FAZIT server.
| myself248 wrote:
| I'm in the industry and most cars 2008-2017 or thereabouts
| have multiple CAN buses exposed on the OBD2 port. One
| (powertrain CAN) on the regulated 6/14 pins which is
| guaranteed to answer the emissions messages but probably
| exposes other stuff too, and then others (body CAN,
| infotainment CAN, etc) on other pairs of pins.
|
| Post-2018-ish, they tend to have a gateway module, and
| accessing anything interesting requires you to get into the
| wiring "behind" the gateway where all the internal buses
| are. But that's also trivial, in most cars it takes about
| 20 seconds once your wrist knows the way.
|
| > requires the $20k dealer computer system
|
| Or knowing the messages it sends. It's only $20k because it
| can be.
|
| > or some serious reverse engineering chops and weeks of
| time to figure it out.
|
| Which someone then packages into a $500 car-stealer they
| sell on aliexpress and then all the criminals have to do is
| buy that thing and push a button.
| colechristensen wrote:
| I was in the situation of trying to "steal" my own car after
| a cat knocked the keys in the trash without me noticing.
|
| I could get in the car, but it was not possible with the
| security system enabled without a currently working chipped
| key to program a new one without the dealership to do some I
| think cryptographic pairing of a new key to the car.
|
| I could start the car and it would after one second shut
| itself off after buying a replacement key and tried many
| things with many scan tools before giving up and getting
| towed to the dealer.
|
| There might be some sort of cracked tools out there but I was
| not able to find them, or get a straight answer if the very
| expensive software packages out there could actually solve
| the situation.
| thenewwazoo wrote:
| Do you have a citation for this? In my experience, pairing a
| new key requires either providing a cryptographically signed
| certificate or having an existing paired key within range
| before a new key can be added.
| CoastalCoder wrote:
| > Do you have a citation for this?
|
| I don't think it was limited to Chevies.
| RavingGoat wrote:
| Come for the car vulnerabilities and stay for the Chevy
| Citation jokes.
| thought_alarm wrote:
| Cars with key fobs are easily stolen and shipped overseas
| by programming a new key fob.
|
| https://www.cbc.ca/news/canada/marketplace-car-thefts-1.6396...
| serf wrote:
| there isn't much citation needed; it's common practice at
| many dealerships for certain eras of cars.
|
| the 90s era hondas up to about 2001 use various key-turn-
| rituals to enroll/program keys into the immobilizer, the
| later ones use the Honda HDS system which is just a
| specialty Toshiba/Panasonic ToughBook with an obd dongle
| and special software.[0]
|
| I've enrolled keys myself for my 04 BMW with bootleg 'BMW
| MODIC' and 'BMW Rheingold' software packs pirated from The
| Pirate Bay.
|
| You don't need existing keys for either system.
|
| The trick (used to be) at the time that BMW keys were
| difficult to cut, and the key cutters were well controlled.
| This isn't the case any more, and in reality if a key was
| the deterrent you could always just program an immobilizer
| chip from another key, tape the key/chip to the column, and
| then use a pry bar and screwdriver to break the key tumbler
| and turn the switch without a key. This is neither rare nor
| hard to do -- and it used to be the de facto way to steal
| pre-immobilizer Hondas (breaking the column/tumbler, that
| is).
|
| It was common enough that an in-joke at the Honda
| dealership I worked at was that a flathead screwdriver
| could be referred to as a 'lazy CRX key', a majority of
| those era cars encountered were so worn that a flat head
| would turn most of their tumblers by the time I got to work
| on them.
|
| [0] : I was a Honda tech from 07ish to 09ish
| olyjohn wrote:
| I used the key from my 84 Accord to get into my 98
| Integra when I locked the keys in it. Similarly, my 89
| Accord would unlock using pretty much any other Honda
| key. One day, I locked myself out of my 81 Accord... but
| it uses the short, old school style Honda keys, so I
| didn't have another car to take keys from to try... so I
| called a locksmith. He comes out and goes "Oh I haven't
| done one of these in a while..." pulls a blank key out of
| his toolbox, sticks it in the door tumbler, and opens it
| right up.
|
| So now I have an 80 and an 81 Accord... and I have also
| interchanged keys between them. The 80 doesn't open as
| easily, as I think it's less worn out. But there's
| practically no security on these old Hondas.
| bri3d wrote:
| There was a limited time window in the early 2000s where many
| cars used only obfuscated access or a cryptographically
| insecure PIN code for key enrollment, but most modern cars
| use an attempt at cryptographic security with a centralized
| server.
|
| If you want to see what's possible with modern cars, keywords
| like "VVDI" or "Abrites" and "All Keys Lost" will show you
| what aftermarket tools are capable of. Generally speaking,
| the capabilities in these tools are roughly equivalent to
| those the most sophisticated criminals have, as they're
| usually just stealing the techniques from one another in a
| big circle.
|
| The level of security varies heavily from manufacturer to
| manufacturer.
|
| For example, most modern VW cars require using an ECU exploit
| (which depending on the specific ECU, almost always requires
| physically removing the control unit and sometimes requires
| opening it) to extract encryption key data (CS/MAC) or
| physical extraction of the instrument cluster EEPROM.
|
| However other manufacturers like Toyota seem to be more
| vulnerable to other exploits (I only research VW for the most
| part, so I frankly have no idea what's going on here),
| including a bizarre process which seems to require
| disassembling the steering column and unplugging a connector.
| neuralRiot wrote:
| Car thieves don't go out to program new keys on the cars
| they want to steal, they just lift them with a tow truck.
| Quick, easy and nobody suspects anything.
| petre wrote:
| Unless the victim has a GPS tracker installed on the
| vehicle.
| bri3d wrote:
| I agree that diagnostic-port reprogramming at the point
| of theft is uncommon (although absolutely not unheard
| of).
|
| I'm not sure what the effect of that observation is,
| though - key and immobilizer security is extremely
| important still, because cars which are stolen by any
| mechanism (tow, stolen key, transponder relay, etc) then
| need to be resold or broken down for parts. Especially in
| Europe where control module security is generally both
| more robust and more insurance regulated, many parts on a
| stolen vehicle are increasingly not valuable unless the
| immobilizer / key enrollment system can be bypassed.
| PaulHoule wrote:
| I look at the enrollment problem on Zigbee networks and
| similar things and it's hard for me to resist the
| conclusion that the most practical architecture is to have
| a private key in the hub and a private key in the device
| and have these authenticate against a central server and
| have the central server give them both a shared key -- as
| much as people hate the central control, lack of
| interoperability, etc.
| Teever wrote:
| I think people hate mandated central control. Designing a
| system that is opt-in, and otherwise degrades gracefully
| to a reasonable state of functionality will win a lot of
| fans.
|
| Automobile companies won't do that however, they'll serve
| you subscription spyware/adware laden services and you'll
| have no choice.
| makeworld wrote:
| README says 2016-2020 vehicles affected. Where are you getting
| 2017 and 2018 only?
| xwdv wrote:
| Remote start can be used for homicide by starting a vehicle
| parked in a garage and letting the carbon monoxide flood the
| house and kill all occupants.
| Spooky23 wrote:
| My cars have a remote start timer where the car shuts down
| after a period of time. That would be a crazy crime... hide
| in the bushes for an hour or two continuously restarting the
| car every 10 minutes.
| ilikepi wrote:
| We have a 2019 Honda Pilot. The remote start will work for
| two 10-minute cycles, but then it will not work again until
| you start it via the primary ignition switch inside the
| vehicle. Other manufacturers may differ on this behavior
| however.
| jrockway wrote:
| Step 0.5, break in and disable all the CO detectors.
| BHSPitMonkey wrote:
| This assumes the target's attached garage is part of the
| conditioned space making up the rest of the home (i.e. that
| there's no air sealing around the door between the house and
| garage, but the garage door itself is perfectly sealed). That
| would be a pretty spectacularly bad house design.
| nanochad wrote:
| punnerud wrote:
| Is there any fuse or something the owner can take out to use the
| key in manual mode until there is a fix?
| jeffbee wrote:
| There are fuses for each door lock actuator. You can open the
| car with the physical key inside the key fob in this case. You
| always need the keyfob to start the car because the immobilizer
| requires its presence.
| dheera wrote:
| Not a direct answer but something that might mitigate. I have
| these motion-activated alarms on my bike, moped, and in my
| backpack, and activate the alarms when I'm not within view of
| them.
|
| https://www.amazon.com/gp/product/B0734QN8KR/
|
| I imagine you could probably ziptie one (or maybe a few, though
| you'd have to carry a few remotes) onto an inconspicuous
| location on the car. It would be a good deterrent for car
| thieves and possibly also towing companies.
|
| I actually want to work on a modification of this device where
| it shoots out fart spray in addition to the loud alarm.
| jmrm wrote:
| I know people who use hidden or magnetic switches to be able
| to start the car because they have a relatively expensive and
| easy to steal car.
| walrus01 wrote:
| people also do this on a DIY approach with old cars that are
| easy to steal (like a 2002 subaru or something) by wiring an
| ignition kill switch into the ignition fuse, and hiding it
| somewhere not obvious...
| willcipriano wrote:
| Adam Carolla famously did this but with the fuel pump, the
| thieves would get a few feet up the road before the fuel in
| the line would run out.
| m463 wrote:
| The trick would be to make sure the fuel pump doesn't
| lose power in a critical situation.
| 0xbadcafebee wrote:
| Having lived in big cities half my life, I leave my car's doors
| unlocked, and keep a waterproof seat cover on.
|
| Remote start is troubling though.
| LAC-Tech wrote:
| It's kind of depressing how much we tolerate this state of
| affairs.
| tokamak-teapot wrote:
| I used to leave my windows open on sunny days, to stop the car
| getting too hot or anyone breaking in to look for stuff to
| steal.
|
| When I did this at my office car park, well-meaning people
| would call security and ask them to help the person with open
| windows by warning them they were open. Or if they knew it was
| my car they'd seek me out to warn me that my windows were down.
|
| The reason they gave was always that they were worried someone
| would steal stuff from the car. There was nothing in it to
| steal.
|
| Eventually I got sick of wasting other people's time for them
| and left my windows closed.
|
| So many of them complained that their cars were hot, and/or had
| them broken into by people looking to steal things.
|
| I think the only real solution would be for me to buy a car
| that lets me take the roof off. If your car is roofless, no-one
| comes to warn you.
| vuln wrote:
| I've owned a few convertibles and I always left the doors
| unlocked and/or the top down. I'd rather someone steal the
| $100 radio than cut through the top or break a window. I did
| always keep the glovebox locked but that only contained my
| registration and proof of insurance. I have had a radio
| stolen once but it was just the faceplate. Not sure what
| they're going to do with that.
| dharmab wrote:
| It is very common for Miata owners to leave the doors
| unlocked if they need to put the roof up because the roof is
| more valuable than the interior. (Since it is a common
| track/race car, every interior piece has an aftermarket
| replacement.)
| vmception wrote:
| As a courtesy to people looking for wheels?
|
| Or is this a reverse psychology thing where people are supposed
| to think it's already been checked by others
| function_seven wrote:
| One rationale I've seen is, "If my car is likely to be broken
| into, I'd rather not have to replace the window."
|
| For example, "they stole my $20 from my center console, but
| broke a $200 window to get to it."
|
| I also wonder if potential thieves think a car with open
| windows is a bait car or something. Probably not often enough
| in its own right to justify leaving things open?
| vuln wrote:
| I commented earlier that I left the top down or doors
| unlocked on my convertibles. A window or a cut top is far
| more expensive to replace than my $100 aftermarket radio.
| I've actually had a radio faceplate stolen once.
| rurp wrote:
| I'm guessing the unlocked doors are so thieves don't break the
| windows to get in. But what is the waterproof seat cover for?
| asdff wrote:
| People can set up shop in your car:
|
| https://old.reddit.com/r/LosAngeles/comments/dc6s78/came_bac...
| [deleted]
| vuln wrote:
| Probably in case someone doesn't shut the door or perhaps a
| person sitting in the driver's seat while rummaging.
| 0xbadcafebee wrote:
| Homeless pee.
| atdrummond wrote:
| This makes me think of another vulnerability with these door/key
| systems, this time actually acted upon by bad (yet creative!)
| actors: the creative relay system thieves used to nick Tom
| Cruise's BMW X7M -
| https://www.autoevolution.com/news/tom-cruises-bmw-x7-was-st...
| exabrial wrote:
| > Utilize a Faraday Pouch for the key fob.
|
| Sorry to ask a dumb question, but how does this help?
| rmetzler wrote:
| I think this only helps against relay attacks. To use the key
| to open the door the owner probably has to take the fob out of
| the pouch and then replay attacks might be possible.
| exabrial wrote:
| I still don't understand I guess how the pouch mitigates
| anything
| chiph wrote:
| I'm assuming it attenuates the signal so that someone
| parked nearby has a more difficult time capturing the code.
| Downside is you can't use your remote start from inside the
| house anymore - you'll have to be very close before the
| remote will work (which raises the question of what good is
| having a remote if you're close enough to just use the
| physical key). But with the faraday pouch, at least the car
| won't have been stolen.
|
| For the MITM attacks on the modern proximity car keys, drop
| your fob into a metal tin (like the Danish Butter Cookie
| ones) when you walk in the house to block the signal.
|
| https://www.schneier.com/blog/archives/2017/11/man-in-the-mi...
| jcrawfordor wrote:
| Relay attacks seem to be in use in the wild by
| sophisticated car thieves, although I'm not sure how
| commonly. Given general trends, it's probably more common
| in Europe than in the US. More to your question though, the
| issue is that proximity key systems rely on the limited
| radio transmission range. If a thief uses something like an
| SDR to "amplify" or repeat the transmissions, they can get
| the car to think the key is much closer than it is... and
| potentially unlock the car in your driveway by "using" your
| key fob inside your house. A faraday pouch makes this very
| difficult by significantly attenuating the signal from the
| key fob.
| devin wrote:
| I have a Flipper Zero and so far cannot reproduce on my 2017
| model.
| vuln wrote:
| I'm still waiting on mine. I suppose that's what I get for
| ordering the black one instead of white.
| alexk307 wrote:
| How do you like your Flipper? Seems like a great tool
| devin wrote:
| I'm a fan. It has great battery life, has more heft than I
| expected.
|
| The second day I had it we went to my mother-in-law's new
| apartment building. Her call button wasn't working to let
| people into the building, so I asked if I could try to copy
| her FOB since we needed to get some things from our car and
| boom, it worked just like that.
|
| Also had some fun mucking around with raw NFC and emulating
| them. Took a bit of tinkering, but it was pretty cool to see
| it work.
|
| The #sub-ghz channel on Flipper Zero's discord blew up a
| little bit today with this news. So far though, the couple of us
| with affected model years according to this CVE have been
| unable to reproduce. FCC ID matches. The precise frequency
| was added to a modified firmware, and we are using FSK
| modulation, but still no luck.
| arajesh wrote:
| rdtwo wrote:
| If a newer car gets stolen it's just an inconvenience because
| it's likely insured.
| rurp wrote:
| Oh great, so all you have to worry about is:
|
| - the deductible cost
|
| - the risk of the insurance company not paying, or low-balling
| the payout
|
| - loss of all personal items in the vehicle
|
| - time and monetary cost of temporary transportation
|
| - future insurance premium increases
|
| - having to buy a new car
|
| We must have dealt with different insurance companies if your
| expectation is that it will be a quick, satisfactory, process.
| ska wrote:
| Also, if you don't have replacement cost coverage you're
| either eating depreciation to buy new again, or hoping you
| can find a used one in the right cost/quality window.
| p1mrx wrote:
| Even if that's true, new cars tend to become old cars.
| kube-system wrote:
| This doesn't enable anyone to steal the car, unless they also
| have a tow truck.
|
| It would let someone steal the contents of the vehicle, which
| may not be insured, and I suspect it would be difficult to
| collect on without signs of entry to the vehicle.
| rdtwo wrote:
| If they steal the contents by opening the door you should be
| grateful that your windows are intact and you just lost some
| stuff
| kube-system wrote:
| If I had comprehensive insurance and coverage for contents,
| I would rather the window be broken. It would make the
| claims process easier.
| ComputerGuru wrote:
| Eh, I've been there but decided to pay out of pocket
| because the deductible is there (and generally it's
| smarter to have a higher deductible unless you really
| can't afford it) and then you risk your premiums going
| up.
| sleepdreamy wrote:
| If I'm not mistaken, unlocking the doors is half the exploit.
| The vehicle can also be started which... means you just drive
| it away. This is very dangerous and crazy if true. 300 Bucks
| for tools is nothing -
| kube-system wrote:
| Modern vehicles factory-equipped with remote starters
| prohibit the car from being shifted into drive when the
| remote starter function is used via the long-range remote.
| (so random people walking down the street can't hop in and
| steal it) Hondas are no exception to this. There is another
| radio exchange that happens inside of the car with the key
| before you are able to shift into drive. This example
| doesn't demonstrate that being broken.
| danso wrote:
| > _Vehicles Affected: 2016-2020 Honda Civic(LX, EX, EX-L,
| Touring, Si, Type R)_
|
| I own a Honda model just prior to this date range -- but I assume
| it's not necessarily the case that pre-2016 Honda vehicles used a
| more secure system? It may just be that they aren't specifically
| vulnerable to the exact same RF signal type as 2016-2020
| vehicles?
| jeffbee wrote:
| How can this not affect the Insight that is based on the 10th-
| generation Civic?
|
| At least I always naturally follow the advice in the article: I
| use the passive entry system and I can't recall ever pressing
| the buttons on the fob.
| dharmab wrote:
| Owner and modder of a nearly-classic Honda here. Yes, the older
| models have the same vulnerability. Please forgive the awful
| pun based on the author's mistranslated Japanese and focus on
| the technical part:
| https://github.com/HackingIntoYourHeart/Unoriginal-Rice-Patt...
|
| (Honda does not mean "Original Rice Patty." It literally means
| "Original (as in older) Rice Paddy", but you wouldn't translate
| Henry Ford's surname as "Shallow River Crossing.")
|
| Honda enthusiasts commonly store their cars in private garages,
| install hidden killswitches and avoid keeping items in their
| cars.
| post_break wrote:
| TPMS is something you can sniff as well which I think is much
| more of an issue.
| boardwaalk wrote:
| Wait, reading or spoofing tire pressure is more of an issue
| than opening doors and starting the engine?
| montjoy wrote:
| Potentially. You could put a dangerously high or low amount
| of air in the tire and then tell the car, "this is fine".
| ctoth wrote:
| More disturbing to me is that most TPMS transmissions have
| a unique ID associated with them making it trivial to track
| a given vehicle. Many vehicles only transmit pressure when
| prompted, but I have definitely noticed those which
| constantly transmit. Usually Toyota.
| ComputerGuru wrote:
| Isn't the range extremely close?
| mywittyname wrote:
| That's how Toyota's proximity unlock feature works.
| sennight wrote:
| I'd say so, from the perspective of utility and persistence.
| 4 (maybe 5 including spare) uniquely serialized radio beacons
| make a good target for dragnet surveillance with zero risk to
| abusers.
|
| I'm also more wary of scam extended warranties than I am of
| kidnap and ransom, even though one is obviously far more
| unpleasant than the other.
| ctoth wrote:
| Unrelated but does anyone know of a good and available
| replacement for the HackRF One? The LimeSDR Mini looks good but
| is impossible to source because of the chip shortage. HackRF is
| getting a little long in the tooth these days.
| belter wrote:
| "Hackers remotely start, unlock Honda Civics with $300 tech":
| https://www.theregister.com/2022/03/25/honda_civic_hack/
|
| CVE-2019-20626: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2062...
|
| CVE-2022-27254: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2725...
| throw0101a wrote:
| There's an industry standard (?) for Digital Keys:
|
| * https://carconnectivity.org
|
| * https://carconnectivity.org/digital-key/
|
| Perhaps moving to that will help with security since everyone
| won't have to re-invent the wheel. (Of course implementation bugs
| are still possible.)
| zcmack wrote:
| at least my dystopian future toyota keyfob subscription could be
| patched to fix this...
| pards wrote:
| Or reducing/eliminating the $800 keyfob replacement cost on my
| 2018 Rav4. It's the worst case of vendor lock-in and customer
| fleecing.
| jjoonathan wrote:
| The subscription will be a lot more than $800 by the time
| it's done with you.
| devin wrote:
| I wrote another comment saying I couldn't reproduce but since
| this is on the front page, I do have a lot of questions for the
| authors of this CVE. Under their "prevention" section they say
| manufacturers should use rolling codes. This implies these FOBs
| don't use them, but per my previous understanding, they do.
|
| Perhaps there is more to the setup of this CVE than they're
| talking about. Is it possible they're doing a rolljam attack +
| replay?
|
| The CVE is really scant on details, so while I believe they did
| manage to get this to work, they don't really say how.
|
| If rolling codes are implemented, it should be pretty simple with
| the right gear to prove it.
| colechristensen wrote:
| Since there are various values attached to getting a CVE
| published, they just aren't always of the highest quality. Lots
| of "vulnerabilities" which are actually impossible to exploit
| or irrelevant in other ways in a real attack scenario, other
| low quality or misrepresented issues like we might be seeing
| here.
| emerongi wrote:
| Definitely hard to believe a 2020 Honda is not using rolling
| codes.
| olyjohn wrote:
| Pretty sure that even my garage door opener used rolling
| codes back in 1995...
___________________________________________________________________
(page generated 2022-03-25 23:00 UTC)