For anyone else who didn't know, I looked up what this is [1].
Essentially it boosts the search range for vehicles from a few feet to something more like 100 meters, when searching for wireless key devices. Then the car will unlock as if the device were very close.
The devices are very inexpensive and starting to see increased use.
Just to clarify, this is a vulnerability for cars with keyless entry. IE when you approach close enough to the car, it unlocks automatically if you have the key on your person, and you can start the car with the pushbutton without inserting a key. This attack makes the car consider "close enough" to be 100m instead of a few feet. If the key is inside your house a couple dozen meters away, the car unlocks automatically and you can drive it away.
Most smart key systems will let the car run indefinitely, or until it runs out of gas, etc, once the smart key is removed from range, provided you don't turn the car off.
This is done for obvious safety reasons. Imagine for example if a car just suddenly turned off while you were going over a major highway bridge with no shoulders, etc.
While I was driving a friends keyless car (he had the key) he stepped out to get something and the car flashed some lights to inform me I was driving without the key. It didn't turn off (thankfully). This is the correct behavior.
I once watched a friend's girlfriend throw his cell phone out of the car while on the freeway. Had this been his car keys I would hope that the car would not immediately power off (especially since I was in the car).
You don't even need to buy an amplifier. You can stick the key against your head and the water in your brain will amplify the signal. Bonus points for taking a plastic container of water for even further extension of the range!
That is if you want to amplify the signal. But if it's an adversary, they need to do a sort-of MITM to take the car's signal, amplify it, and then turn around and take the key's response and forward it to the car.
I don't think the problem is that people in possession of the vehicle's key can open it from too far away. The problem is that people who don't have possession of the key can open the car and drive off with it.
Couldn't it exchange a few messages with the key and precisely measure the time? I'm not sure if such precise measurement is possible, but given that light travels ~ 1 feet per second with 10Mhz clock you could theoretically test if it was more than 50 feet away (many approximations here, but I guess within an order of magnitude)
HDMI already does this for DRM (it won't cough up device keys if it thinks the TV is too far away), so it's possible to measure with the right precision.
That said, signals in twisted pairs propagate at about .6c whereas signals in air propagate at speeds very close to c, so this use case is a little more challenging.
You could attempt to time round-trip signal latency directly or via interference patterns, but it's a much shorter timescale. Light travels just shy of 1 billion feet per second, so we're talking differentiating in the 10s of nanoseconds, which requires nontrivial components.
I already posted this link in the epic nope thread that is a sibling to this one, but the paper linked from Wikipedia speaks of an experimental implementation with a return time of 1 ns:
There are papers going back to at least 2005 (this one, a top search result, is cited 390 times: http://www.cl.cam.ac.uk/~mgk25/sc2005-distance.pdf ), so it would not be all that surprising if there are some existing commercial implementations. The current rash of thefts seem to come down to the systems being completely naive to amplification attacks though.
Maybe the next escalation will be keys with GPS, which sends its encrypted position as part of the protocol. The car compares to its own GPS, or, in lieu of signal, it remembers its GPS stopping position. If the key has no signal, you have to insert it in the car.
The escalation just after that, of course, is GPS spoofing.
Wouldn't be the first time someone did this... For years trains arriving at London Victoria and a few other stations where the concourse was too well covered took 30+ seconds to open the doors because the driver had to override safety systems to unlock the doors after a new system was put in place that automated which doors to open based on GPS location (there's a lot of variation in how long the stations are, and some long distance trains will operate with up to 12 carriages even though they may stop at stations with space for possibly as little as 4 on the platform, and the platform may be on either side)
Wouldn't say they are in denial about the issue. Wish I had some better sources, but if I recall the automotive industry has always had issues with security regarding keys and ignitions. My 99 Prizm key would work for most all other Chevy Prizm cars. I know that this "cross keying" would work on quite a few different brands and models as well. Some ignitions can be "popped" and screwdrivers used to start the ignition. My point being that security of starting an automobile or accessing one has been plagues with problems. Break the window etc. Some manufacturers do require the key fob to be present while the motor is running in some cases the feul pump will shut off if the key is not present. It is highly likely that the Tesla demo is for opening the CAN exploitability issue to the convention. Attacks on the CAN remotely are much more serious.
> Some ignitions can be "popped" and screwdrivers used to start the ignition
When I was a teenager, my family had a Fiat 500. Something had broken in the part of the ignition switch that you insert the key into, and so my Dad took it off until we could get it fixed, and we kept a screwdriver in the glove box to use to start the car.
There was virtually no car theft in our town (at least in the places we went), and people often left their car doors unlocked. Soon we got out of the habit of bringing our car keys with us. We weren't locking the doors, and we used the screwdriver to start the car, so why bother?
Well, I found out why we should have bothered a few weeks later when I was driving home. We lived a few miles outside of town, out in the sticks. I was a couple miles from home, taking a back road that had almost no traffic, and a tire blew out.
>My 99 Prizm key would work for most all other Chevy Prizm cars. I know that this "cross keying" would work on quite a few different brands and models as well.
Back in the later 80s my parents had a Toyota van. One day my mom accidentally started it with her house key. We then realized that pretty much anything that fit partway into the ignition started it. Many years later the key got lost and we kept a screw driver in the cup holder to start it. It was a little odd driving around without a key in the ignition.... always thought cops would get suspicious.
> My 99 Prizm key would work for most all other Chevy Prizm cars.
I accidentally stole a bike in college, because it was the same brand as mine, and had the same brand of lock. Got all the way back to my dorm before I realized that the reason the seat felt weird was that it wasn't mine. But my key worked!
I also used my apartment deadbolt key to let my girlfriend into her house when she accidentally got locked out. She was both horrified and grateful that it worked. (I expected that one to fail, but I figured why not try?)
I'm not sure what the trick is to finding locks that aren't vulnerable to this trick. I suspect it's "buy locks at least 50% more expensive than the cheapest option", but that's just a guess.
Most locks are only useful to deter those who apply a minimal level of effort to circumvent them. And that is good enough for a huge majority of cases.
It's hard to see how it could be fixed. Fundamentally, what is different about a local key fob, and a relay connected to a remote key fob? It seems fundamentally impossible to tell the difference.
The one thing that I could see working in theory would be detecting the roundtrip transmission time with a strict ceiling on it. No matter how good your relay is, it can't relay data faster than the speed of light, so you can enforce the fob being close by only listening to it if it responds fast enough.
The problem with this is that light moves pretty fast, and internal delays within the fob will dominate. If you want to put the range limit at, say, 30ft, that means your response time ceiling is a mere 60ns. Can you build a fob that responds anywhere close to that fast?
Edit: one other possibility is if the fob knows where it is. A GPS receiver on the fob, for example, would allow the fob and the car to securely confirm proximity (absent GPS spoofing). Getting a GPS receiver to run on a wireless fob's battery is left as an exercise for the reader.
The implied context here was "while keeping wireless keyfobs."
Yes, the problem becomes substantially easier if you require a direct physical connection, but that's not such an interesting problem.
Also, given that modern cars are vastly more difficult to steal, I object to your characterization of "traded too much security for convenience." If the current state is too insecure, then you must think that cars from 20+ years ago are absolutely appalling.
I think he was not saying a physical connection was necessary, only that a physical button on the key fob was necessary to start the car. Still wireless, it just requires interaction from the driver who must physically have the key fob.
Oh yes, that would obviously work, but of course you're changing the nature of the device. There are some easy ways to prevent relaying if you're open to that. It's more interesting to me to think about how you might solve the problem without changing anything from the user's perspective.
Ah yeah, I'd like that more as well because I really like driving without ever taking the keys out of my pocket :P I was mostly clarifying for the person you responded to.
Although from what I was seeing in the rest of the thread it seemed that preventing relaying may be more difficult than expected (as most methods relied on timing the signal response). I don't expect it to be impossible though.
Really old cars have very simple electronics. Even after computers started showing up in cars, they were pretty simple and didn't interact much with the security aspect of things. When you start a car like this, you're just making a connection between two wires to power up the electronics, and briefly making a connection between another two wires to run the starter motor. The only security in the whole system is provided by the fact that the connection is made by a switch that requires a key to turn it. If you don't have the right key, you can't turn the switch, and that means you can't connect the wires.
The trouble is that the wires must be fairly exposed to the occupants of the car, since the switch has to be accessible. That means you can just bypass the switch entirely by removing the appropriate covers and attacking the wires directly. This is "hotwiring."
Physical locks are also not all that difficult to defeat directly. You can pick an ignition switch much like you might pick any other lock.
Starting around the late 90s or so, car manufacturers started adding more robust security measures. These include things simple like locking the steering column when the ignition switch is off (thus preventing you from driving the car after hotwiring it), all the way up to authenticating the key with a relatively sophisticated protocol, and having the engine computer refuse to run the car unless it can sense a real key.
As a result of these changes, the list of most stolen car models is still topped by cars manufactured in the late 90s. Low-end Hondas from around 1998 are right at the top of the list, because they occupy a sweet spot of being relatively valuable and still fairly easy to steal. Modern cars are stolen literally orders of magnitude less frequently; about 100,000 older Hondas stolen per year in the US, whereas new cars are stolen at a rate of hundreds per model per year at worst. Also as a natural result of these changes, car theft is way down in the US. About 700,000 cars were stolen in the US in 2013, compared to almost 1.7 million in 1991. Pretty much the only way to steal a newer car is to either tow it away or steal the owner's keys. (A common scenario for car thefts is a burglary turned into auto theft when the burglars find car keys in the house.)
It's easy to get into many older cars. Slim jim past the window is the classic example (and I opened my 80s Toyota with a coathanger multiple times when I locked myself out), but many times the locks could be opened by keys to other cards from the same manufacturer as well, they just didn't seem to be that precise. And of course, smash the window as a last resort, that wouldn't set off an alarm in the past. Nowdays cars have recessed lock things in the door panels (or button-controlled-locks that can't be as easily manipulated with a coathanger, or even that don't work at all if the car was locked from outside) to help prevent this, and the interior of the doors has more protection built around the lock mechanism so you can't easily fish through there and hook onto the right lever.
Once inside an old car, starting it is usually just a matter of shorting the right pair of wires. Or using brute strength to turn the ignition cylinder even if they key isn't an exact match (or maybe with a screwdriver, as another poster mentioned doing in the past in this thread). Modern cars have chips in the keys so that it's not just a matter of closing a circuit, the key has to be coded to the car.
Or just tow the car somewhere and work on picking the lock later at your leisure. Overkill for a common car, but for something really nice it could be practical. Nowdays your more expensive cars have tilt and motion sensors that'll set off the alarm if you locked it, left it, and someone else comes up and tries to tow it. Possibly GPS tracking or similar as well, IIRC, on some fancy stuff.
The fob-in-pocket entry/pushbutton start stuff gives up some of those improvements given an exploit like this, but overall I'd say is still much more secure. You need specialized hardware (that's only useful for breaking into someone else's car) and it wouldn't work to, say, steal cars from an airport parking lot or somewhere else where they were left and the owner wasn't in range. Keeping your car in a garage at home seems to mitigate a lot of the easiest vectors for this attack.
To add to the comments about immobilisers, in a number of countries (UK and Germany, amongst others), from 1998 all new cars were required to have an engine immobiliser. Most manufacturers simply made them standard for all countries, so nearly all cars built since 1998 have had them fitted.
It's important to look at this in the context of overall auto theft trends. Auto theft has dropped by more than 50% over the past decade, driven mostly by the broad use of smart keys. (http://www.iii.org/issue-update/auto-theft). The lion's share of the thefts are of older cars (mentioned in the above cite) -- thefts of 2013 vehicles number in the hundreds.
Further, a Tesla has a GPS, sophisticated processor, and a 4G WAN. It would be easy enough to have the car report back to the owner if it's being driven without sensing the key, and give the owner the option to route a theft report and live location of the vehicle to police with one click. That's something I wished for in my revenge fantasies when my car was stolen a decade ago.
We could do more, sure -- but it's hard to argue that we are making cars less secure, or even that car security should be a major care-about for the buyer.
1. Use a modified form of triangulation. Have multiple transceivers in the car (At the front and back) and make the remote directional aware. Then have the remote and transceivers ask each other if the angles they are seeing are the same. The only way for the thieve to bypass this would be two remote amps set at almost 180 from each other.
2. stick an ultrasonic speaker in the key fob and have the car send it a random sequence to play back. For those worried about battery life use a wireless charging system.
Both of these assume that the transmission is encrypted and the thieves are just boosting the signal.
the attacker has two devices communicating by radio. Device A is near the keyfob, and device B is near the car. Each is a repeater for the other: Whatever the car sends is picked up by device B and repeated by device A. Then the keyfob's response is picked up by device A and repeated by device B.
This type of setup will defeat both of your proposals. Triangulation won't detect anything out of the ordinary, because device B can be right next to the car. And the ultrasonic challenge/response can be defeated just like a radio challenge/response, using microphones and speakers on the repeaters.
Ultrasound helps because the speed of sound in air is much lower than the speed of radio waves. This makes it massively easier to do distance measurements.
Rather than put an ultrasonic speaker in the fob, I'd put a microphone. The car would send an ultrasonic signal, and the fob would send a radio response indicating it heard it. The car could then calculate how far away the fob is.
Ultrasound also makes it massively easier to spoof distance measurements, because there's nothing that requires the attacker to use ultrasound for his own transmissions.
The speed of sound in air is about 1ms/foot, so if you're trying to measure proximity within 30ft, you're looking for a 60ms roundtrip delay, or 30ms for one-way. If the attacker has ultrasonic microphones and speakers connected with radio waves, that means he can spoof your fob from up to 9,000km away for roundtrip ultrasound, and 4,500km away for one-way, under ideal conditions.
The speed of light imposes difficult constraints in terms of how fast you have to respond, but at least the attacker can't outrun it (as far as anyone knows).
The description I saw of the amplifier attack said that the attacker put an amplifier near the car. This amplified the car's weak signal so it could reach the fob, which would then respond. The attacker does not have any equipment near the fob (and may not even know where it is).
If the car then did an ultrasonic distance check by emitting a coded ultrasonic signal that the fob had to receive, and then relay the code back to open the door, I don't see how the attacker would spoof that. Even if he has an ultrasonic microphone near the car, and an ultrasonic transmitter somewhere else, with a radio link to tell the transmitter what the send...how does he place the transmitter so that your fob will hear it?
If the attack is targeted against a specific individual, where the attacker knows both where the car is parked and where the individual is when away from the car, and the attacker can place equipment at both locations, then yes, I see that the attacker can get around ultrasonic distance measurement.
But for the most common case, where the attacker is at the car and has no idea where the owner is, it seems workable to me.
Right, I see, that makes sense and your idea would definitely help there. It wouldn't defeat a more targeted attack, but just defeating a simpler one could be worthwhile.
It took a few minutes for the 'relay' portion of what you just wrote to click.
So, in theory, if you wanted to steal a REALLY expensive keyless car you could have two devices connected over a mobile data connection that just relays communication with the keyfob. You put one device near the owner of the fob, so in his office, and you keep the other. Then you can just walk off with the car.
You can try to detect the amplified signal, and if you put an accurate timer in the fob you can make it take exactly 5000ns to process and then require a signal back within 5020ns.
Detecting the amplified signal won't work. There are these things known as directional antennas...
The timer idea is a good one, although a ns-accurate timer is starting to get a bit much for something to put into a key fob. Especially give it's run off of a watch battery (power requirements) and often exposed to heat / cold (thermal drift).
Dylan's comment requires a timer in both the key fob and in the car. The key fob to delay transmission of the challenge response, the car to check if there isn't too much delay in the challenge / response pair.
You really need a timer in the key fob, as the processor in the key fob is often so slow (for battery / cost reasons) that an extra couple clock cycles somewhere would throw off the timing enough to make it fail.
Cool trick in that one, the Prover(i.e. the key fob) does the distance measuring part of the challenge response protocol using analog only components. This means its response time is <1 nano second.
So you can do it with only the car having a good timer.
Well for the example timing I gave you only need 1 part per thousand accuracy, and it's easy to get 10ppm or much better. It only needs to run during communication, anyway.
I can't edit anymore, but expanding on the GPS idea: I just realized that we pretty much all carry around a GPS-enabled "fob" these days. If you switched away from using a dedicated fob and instead authenticated against a person's phone, you could double-check proximity that way. It would only need a quick check before opening the car, so battery life shouldn't be affected too much.
If you put the car's public key on the fob, the fob can validate that it is talking directly to the car over a secure connection and then the car can validate the fob's secret.
Please elaborate as to how the fob or car would detect the MITM:
1. You place device A near car and device B near fob.
2. Device A relays all Rf transmissions in the target frequency range(s) to device B, which rebroadcasts, and vice versa.
Public-key encryption / authentication only ensures that no-one in the middle is reading or editing your connection. It does not prevent someone from relaying your communication. (And a good thing too, else the entire encrypted web wouldn't work.)
Well, there may be one way. But it's not user friendly at all.
When the driver presses lock/unlock on the fob, the car first sends a signed message with a session secret. The fob checks the signature, takes the secret and creates a _single use_ auth token and signs it with the private key stored on the fob. That signed auth token is then sent from the fob to the car to lock/unlock the car.
To check if there was a MITM you would have to pull the door handle to see if your keypress was successful. If it was successful, you don't need to worry if the key was grabbed by a MITM, they can't use it even if they tried. If it was unsuccessful for some reason (e.g. the MITM knew it was single use auth token so they didn't pass the token onto the car in hopes you might not be paying attention and will press the button a second time) then there should be a manual override outside and inside the car that clears the valid auth tokens and allows you to lock/unlock/start the vehicle without sending any RF transmissions. A slot that you insert the key would work.
Signatures do nothing to prevent blind relaying. Transmitting through an amplifying relay in this attack looks identical to transmitting through free space, aside from the received power level and propagation delay.
The amplifier relays that signed signal to the fob. The fob receives it and its unlock signal is relayed back to the car.
No matter what tricky message protocol you come up with, it won't matter. The car and the fob can't detect the difference between being next to each other, and being next to a set of relays rebroadcasting their signals. Not by reading and transmitting radio signals at least.
You can't think about this like internet security. Normal encryption doesn't care how long the network cord is. Opening your car door does. This attack lengthens the cord between client and server without touching the data on the cord so that you are genuinely logged in from an encryption standpoint, but from a world standpoint you are sitting at your office desk unable to see your car.
Have the key fob beep or buzz when it gets used, along with a panic button that the user could hit on the fob to force the car off and set off the alarm. To defeat against the attacker cuts off the amplifier just after getting the car started, have the car shut off if it loses contact with the key fob within the first 15 seconds.
Edit: just thought of another possibility -- use spread spectrum. An amplifier would have to be tuned to a specific frequency. With spread spectrum, the car and key fob switches frequencies every second based on a cryptographic function, therefore defeating the amplifier.
I think including a keyfob buzzer would be a hard sell. The whole purpose of these keyless entry systems is convenience and asking buyers to hover over their keyfob like a baby monitor is not convenient (nor cheap).
You're assuming omnidirectional amplification. It's easy enough to amplify without leaking more signal back to the source than, say, a metal-faced wall would.
- If the car was inductively powering the key, that might be harder/more dangerous to amplify.
- The car or house could send a false key signal, which would also be amplified, and refuse to open when receiving it. (New attack: lock rich people out of their car with 17$ of equipment!)
- If your house/public-buildings/phone+gps could track the key, they could tell the car to disable the system.
- Sending the signal with audio or visible light? Something that doesn't pass through walls.
- Use a pedometer to deactive the key when it's at rest.
- Use a really long key (like... 2 metres long) with transmitters at each end, use crypto and frequency hopping, and use multiple receivers on the car to triangulate both ends. If both transmissions are coming from the same spot, it's an amplifier.
The root of the problem isn't encryption or communication but rather than the key fob's location is data in the clear and easily tampered with. That data is the signal strength and/or triangulation of the fob's signal.
The fob has no knowledge of it's own location, so the car must figure it out on it's own, allowing the attack to occur. If you gave the key fob some way of calculating it's position relative to the car, you may be able to transmit that to the car over the existing communication channel and have the car verify it.
The question then becomes: how can one give the tiny computer in a key fob independent access to it's location relative to a car? An inertial navigation system[1] would probably be cheapest and most power-efficient. Though they suffer from inertial drift, that could be mitigated by periodic re-calibration while the car is driving and then parks (and the occasional non-keyless entry). The key fob then only transmits a signal when it detects that it's close enough, and the problem is "solved".
Now you just need to replace the batteries on your keys every few weeks...
Perhaps moving to a shorter distance transmission method would work. You could use NFC and then touch the fob against a portion of the door, placing the key in a cup holder (or something similar in the center console) with NFC support when you want to start the engine? It's not the exact same functionality, but is close.
But if we are going over a very short distance like NFC does then their amplifier is going to have to be close to the key. If my NFC key only works when it is within two inches of the door lock, your amplifier is going to have to be within two inches of my pocket to pickup the signal to amplify it.
Well... they might have a better antenna or just a bigger amplifier than your car does. And if they can just walk past you to unlock your car, that's still pretty unnerving.
Against this attack? Yes. Against a trivial modification of this attack? No.
(Trivial modification: you have two transceivers. Each transceiver encodes and encrypts everything in the frequency range, and sends it to the other one, which decrypts it and rebroadcasts it.)
Think of the original attack as being the equivalent of placing a megaphone up against the guy whispering, and this attack as being the equivalent of placing a cell phone up against the guy whispering and another cell phone that's connected to the first one up against the guy waiting to hear something.
Not to mention that triangulation has... problems. You really don't want your car to not open because there was a stray reflection off of something nearby.
This is more of a question . Is it not possible to "listen" for your reflected (there will be some always right?) search pings, and conclude that there is some amplifier attack happening if the signal is much stronger than usual. Even if there is no signal reflected usually, wouldn't this amplifier be more or less omnidirectional (they don't know where your key is right now). If so, a stronger than expected "reflected" ping can still be recognized. What am I missing?
You can relatively easily set up an amplifier with a directional antenna. Also, that will easily false positive - there are a lot of things that reflect RF in weird ways.
A lot of things will reflect RF in weird ways, and that is precisely what I was counting on. Surely an amplifier that changes the detection range from 1 feet to 100 feet will be emitting much much higher energy than what is usually experienced under normal operation. I guess, the antenna does not have to be omnidirectional as long as the attacker can search around the direction the key is likely to be.
It should be able to triangulate the response and normalize for signal strength at a known distance with standard hardware. Of course on could still make an amp to do full emulation but it would become at least more expensive.
Can someone explain how this works? Naively, I'd expect that this is just a signal amplifier, which boosts the signal from the key fob to a level where the car will accept it as close enough (via inverse square law computations and a known transmit power). But the key fob would have to transmit far enough to reach the amplification point, no? If I have my keys in my pocket in my house, how is the key fob going to be putting out enough juice to reach more than a couple of feet, let alone through walls?
Attacker at the car while car owner waits for the elevator
Also, the radio jamming attack described on page 10 is so simple but isn't something I've considered before. Basically you just jam the right frequency before the victim presses the 'lock' button and you now have access to their car (if they didn't notice).
Wow, I am legitimately shocked that the fob is capable of transmitting that far. I'd have thought that the "is the key in close proximity to the car" transmitters would be intentionally range-limited.
Being able to keep your keys in your pocket/purse/etc when entering and driving a car I find to be a pretty big upside. Especially in areas where it can be cold enough to freeze the key mechanism on your car door.
The drawback is if you left your keys on the bench in the garage next to your car. You get in, push the button to start, then drive off. Now you can't get back home. At least with the physical key you are guaranteed to have it with you.
The other thing -- do the key fobs have an on/off switch? If not, you wouldn't be able to have a spare "hidden" under your car somewhere (yes this is insecure anyway, but it works for most people).
People bring this up as an objection all the time, and I think it always comes from people who have never actually had a car with this feature. First, as mentioned earlier, every car I've had with pushbutton start will not let you start the car unless the key is INSIDE the car. Second, if you try to drive off with the key NOT in the car, they've all made an alert sound and shown a message on the display that the key isn't in the car. It's certainly possible to intentionally drive off without the key, but I don't think it's possible to do so accidentally (or if you're so inattentive that it is possible, you probably shouldn't be driving in the first place).
Pop out the battery. You don't need the battery to use the hidden spare if you lose your key: there's a physical key hidden inside the fob to unlock the door, then a slot on the dash to stick the whole fob into to start the car. It's there so you can't be stuck unable to start your car when the fob's battery dies.
I actually got curious and have a friend hold my key outside the car while I try to start the engine, and I couldn't. The car correctly detects that the key is not inside with me.
Also, the dashboard will always tell you if you are inside the car but key is not detected. So even if it miscalculates where the fob is and let you start the engine, that key-not-present light will be on as you drive off.
I suppose in very cold places, there are issues I haven't thought of. Honestly though, I think it's more about how novel and shiny it feels. It makes (made?) the car feel a little futuristic in most cases. A sort of signal a potential buyer that this is the next generation of car..
I think the trade off makes it not worthwhile. If it's optional, I prefer a normal key.
OTOH, There are lots of other cool gadgets that I'd like to see. A car that remembers everyone's seat position and mirrors, that's progress. Manual transmission, normal key, smart seat. That's my niche.
I have a Town and Country and the key never really leaves my pocket. I can touch the door handle on the driver's or passenger's side and unlock all the doors. I thought of it as a novelty at first, then in real life I realized how handy it is. Maybe it's just because I have kids and my hands are usually full but I use it all the time. Also it is nice to just push one button on the door handle to lock all the doors.
Another benefit that I know BMW has (and probably others too?) is that I can press-and-hold the unlock button as I approach the car and the windows roll down. Keep holding, and the sunroof opens. In the summer, it's a nice way to cool off the scorching-hot sun-baked interior before getting in.
This isn't an attack against cars that you have to press a button on the remote to unlock the car. It's an attack on the cars/remotes that are just near each other and unlock/start.
The simple solution: Just go back to pressing a button to unlock and putting the key in the ignition.
If the manufacturer really wants to keep the feature, then they could switch to those keys that flip out like Fiat has and just turn off the near-unlock functionality on the remote when the key is folded in.
Keyless entry and start decrease the amount of time you are vulnerable.
This may not be a problem in California, but it is in some parts of the world. Imagine the shadiest neighborhoods you know. Now, imagine that all of the neighborhoods are like that.
Being able to quickly get in and start the engine is convenient, but also important. The last thing you want to do is to fumble with keys. Or drop them while doing it. It is a plot device in some movies, but also real life.
The problem is that many keyless entry systems - and most wireless 'pushbutton' alarm keys haven't actually picked up gadgety improvements. Instead of a digital system and crypto keys, you have extremely rudimentary, frequency-based systems that are trivial to hack.
Keyless handling is really, really lovely. For a week I drove an e-key system that you just get in and hit start. Even though I only made a couple trips a day, it dramatically increased my satisfaction and happiness.
I would not have predicted this response for such a trivial thing - what's a few seconds more on top of a 20 minute or 2 hour drive? But it made a big difference to me, and I'm guessing many other people enjoy it as well. The downside of paying for a spare isn't very visible, and when it is, it's just a short acute pain, and is washed away in the daily nicety of "keyless" entry.
GP and your comment - Exactly the thought process I go through every time I see something about Tesla. "Look Elon, you already got me, there's really no point in continuing to rub it in over and over again!"
The automotive industry certainly has some interesting times ahead with regard to security. Audi's proposed plan for allowing deliveries to be placed in the boot of a locked car [0] certainly seems like it could be ripe for exploitation.
How seriously are car manufacturers going to take security though? Is it going to be like the numerous router manufacturers that don't seem bothered? Perhaps some kind of regulatory body will need to intervene to make automotive manufacturers take security seriously.
Currently many deliveries are just left on people's doorstep, and people "Pre-Sign" for expensive things so they don't risk missing the delivery (Apple offers this option). I fail to see why someone would go through the effort of trying to get into a trunk when you can easily target the non-Audi owners with packages out in the open?
In the US USPS/UPS/Fedex usually will usually just leave it on the porch/in front of the door. If it's a package that you need to sign for you can print out a "Pre-Sign" form that you leave on the door and they will just leave the package.
I worked at a process automation firm in the early 00's that had micro-controller software written in ASM and C that was in sore need of standardization; we referenced MISRA C [0] in researching a sound way to improve that code. After all, those instruments were headed for nuclear refineries and submarines.
Per EETimes [1]: MISRA C is a subset of the C language. In particular, it is based on the ISO/IEC 9899:1990 C standard, which is identical to the ANSI X3.159-1989 standard, often called C ’89. Thus every MISRA C program is a valid C program. The MISRA C subset is defined by 141 rules that constrain the C language. Correspondingly, MISRA C++ is a subset of the ISO/IEC 14882:2003 C++ standard. MISRA C++ is based on 228 rules, many of which are refinements of the MISRA C rules to deal with the additional realities of C++.
I did a quick search for Tesla programming jobs and they do command a familiarity with MISRA C, so somewhere it is being used by Tesla in their firmware. That standard is supposed to ensure security and reliability in firmware programming for critical devices, such as motor vehicles. I wonder if this knowledge expands upon this challenge and other avenues for hacking Tesla, and also I wonder if MISRA C practices extend to outlying modules in the vehicle...
I too thought the same thing and got really excited (not that I own a Tesla or have any chance of owning one any time soon). Tesla just gives me hope for the future of automobiles.
Obligatory: HACKERS CAN TURN YOUR CAR INTO A BOMB [0]
But on a more serious note this is pretty cool to see not only Tesla but GM and BMW reaching out to these groups. We saw an article or two here on HN not to long about about, IIRC, car makers trying to use DMCA to prevent people from modifying the software in their cars [1] (I know there was another article about tractors as well [2]). I'd be interested to know Tesla/GM/BMW's stance on that issue. They are opening up to hackers to find issues but that doesn't mean they are on board with making it easy for people to modify software in their cars.
So do I have to tie both hands behind my back to find a problem before Tesla will acknowledge their error or award a bounty?
What if there is an intractable design flaw that is costly to fix? Will it get swept under the rug as they get litigious with those who attempt to expose it?
The assumption usually is if the bounty is less than the expected reward from exploiting a system, then you're really not doing anything other than a PR stunt.
I don't see a mention of a bounty. I do see a mention of them keeping track of those trying to exploit their system at Defcon. Not sure of what the supposed benefit to those that attempt to break their system is.
It's interesting reading this about a car maker, when I work for a home device maker and fight tooth and nail to open up API control of home security/thermostats.
People find a way in either way, whether you want them to or not.
We can only hope this becomes a more widely adopted practice. Vehicle computer security, especially when it relates to self driving Autos, needs way more attention to operational security than it has been given.
