Skip to content

Stifling the truth about keyless ignition has only helped car thieves

November 3, 2015


Some good news for a start. Last Thursday, according to the Province newspaper, a Vancouver resident, Katya Pinkowski, had her one-year-old Tesla Model S85d electric car stolen from a downtown parkade. She was able to help police recover the car by tracking its movement online using the iPhone app that the Tesla company makes for Model S owners.

The Tesla app, which is available for both iOS and Android devices, gives owners of the Model S the ability to unlock and drive their cars using just their smartphone. They can also remotely check the status of their vehicle, stop and start charging, honk the horn, flash the lights and, to Katya Pinkowski’s delight, see the real time location of their car on a map.

It’s quite possible that an October 30 tweet from the @scanbc account about police using the iOS app Find My iPhone to track a stolen vehicle was actually referring to the Tesla iOS app being used to track Pinkowski’s Tesla Model S85d.

As the Province declares, this appears to be the first time that a Tesla has been stolen in Canada. It also marks the first use of the Tesla app to catch a thief — in Canada, at least.

Last year, in September of 2014, a woman in San Diego, Shahin Pirani, also used the Tesla app to locate her stolen Model S. As she directed police, a friend drove her to where her car was parked — less than a kilometre from where it had been stolen .

As police arrived, the thief drove off in the car and Pirani actually used the app on her iPhone to follow the 20-minute high-speed chase before police were able to use spike belts to stop the thief and recover the car.

Reports don’t explain how the thief was able to steal Pirani’s Model S but the Province reports that the thief who made off with Katya Pinkowski’s Model S used a duplicate electronic key fob which had been purchased earlier in the week and left in the car.

Police still say that most keyless car thefts are committed in this manner, using a stolen key fob.

I won’t dispute that most car thefts still begins the old fashioned way — with the theft of a key — electronic or otherwise. But keyless car theft is on the rise around the world, as is the hacking of key fobs.

What keyless car owners are clueless about can hurt them

While I don’t know the exact statistics for Vancouver or the rest of North America, I can say that keyless car theft has become something of an epidemic in parts of Europe and the UK.

Almost half of all motor vehicles stolen in London, England, in 2014 — 42 percent, or over 6000 — were nicked using electronic key spoofing say police in that country. In France, a stunning 74 percent of all car thefts are being attributed to the spoofing of electronic key fobs!

The rub is, that for the last two years at least, many people in Europe have known just how simple it is to hack key fob codes.

The thieves who have been hacking the key fobs have known it. The three European security researchers who uncovered the security flaw in the Megamos Crypto aoutomobile imobilizer, used in the keyless car systems used by Audi, Fiat, Honda, Porsche, Volvo and Volkswagen — they knew it in 2013 and they told the car manufacturers.

It would seem that only the police and the car owners themselves have been kept in the dark about how easy it is to steal cars by stealing the codes to key fobs.

That would be because Volkswagen sued the researchers in 2013, to keep them from publishing their paper Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser at the Usenix Security Symposium in Washington DC in August of 2013.

Volkswagen won the British High Court injunction preventing publication of the researcher’s findings, arguing before Justice Sir Colin Birss that the information could be used by criminal gangs.

The findings (and Volkwagen’s reaction to them) were both topics of serious discussion within the cryptographic community and enough details came out in 2013 that, the only real result of the gag order has been to leave the public and authorities largely in the dark while Volkswagen’s so-called “criminal gangs” have had a field day exploiting the flaw to steal cars for the last two years.

Your Twitter account has better security than a Bentley

Remote keyless entry systems and keyless ignition systems (typified by key fobs or so-called “smart keys”) are all implementations of a short-range radio communication technology dating back to the 1980s called Radio-frequency identification (RFID), originally created to facilitate the tracking of things, like boxes in a warehouse.

The security of keyless systems is provided by the very short-range nature of the communication between fob and car, as well as a challenge/response authentication process involving random numbers, weak 40-bit encryption and…nothing else, if I’m not mistaken.

Unfortunately, inexpensive and unobtrusive amplifiers exist so that would-be thieves can stand off several metres and intercept both sides of the conversation between your keyless devices and your vehicle. And the encryption? Pfft!

Someone can have your keyless codes in 60 seconds.

Putting aside any particular security hole, such as the Megamos Crypto algorithm, keyless systems are flawed to the core, with the The real problem being the obsolete 40-bit encryption that they all rely on.

It was common for software to use 40-bit encryption way back in the 1990s but 14 years ago, in 2001, the Advanced Encryption Standard (AES) made 128-bit encryption the everyday minimum standard, with heavy-duty 192- and 256-bit encryption for the really important stuff.

Keyless vehicle systems continue to use 40-bit encryption because that’s about all they’re designed to manage. 128-bit encryption is an order-of-magnitude more complex to handle than 40-bit and requires more powerful processors that use that much more electricity.

Not only is RFID technology old but it was never intended for the security applications that it’s being retrofitted for, such as swipe cards for door locks and contactless debit, credit and transit cards.

To my mind, RFID-based keyless locks and ignition systems offer vehicle owners about the same balance of convenience and security that bicycle owners can experience with a $19 cable lock, if you know what I mean.

Everyone (not just the automobile industry) should, ASAP, agree on new remote access systems, based entirely around contemporary standards and the best security practices of the present day.

Postscript: visualizing a big number and a big difference

In case anyone’s curious, a 40-bit number is a maximum five bytes long. With 8 bits to a byte, that’s a number 40-digits (or bits) long:

00001010 01101001 10011110 00011100 01010101

Compared to 40-bit encryption, 128-bit encryption offers 88 additional bits of key length. So, while a 40-bit key can have about a trillion possible combinations (1,097,728,000,000), a 128-bit key can have…several more:



Make a green square that is 55 squares on a side, in order to approximately represent all the possible combinations of a 128-bit key. Then make one of the squares white. All of the possible combinations of a 40-bit key roughly equals that one white square. Click the top image to enlarge it.

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: