To anyone with any background at all in computer security, this is such a "duh" moment. If Sony et al can't secure their massively important corporate infrastructure, what are the odds your car's wireless computers are secure in any way? They aren't, they knew it, and you knew it. Sorry.
It'll be interesting to watch the fallout from these obviously-present vulnerabilities. I see three possible outcomes, in decreasing order of likelihood: status quo, where they just "fix" the bugs as they hit the news; some sort of massive push towards real computer security, in this and other industries; or a massive reduction in features to avoid the flaws.
This is really just another symptom of the current state of computer security, best described as "a joke." My guess is in 50 years we'll have decent computer security. There's nothing that precludes it in theory. But it's going to be an ugly, ugly couple of decades while we pay off the wave of computer-security-debt that we have been riding.
Yeah, that's kind of a weird comparison. You can't really tailgate someone through a car door to gain physical access, or social engineer your way to the car's server closet, or spam the car's employees with phishing e-mails.
It was a general point about the state of computer security. In 2015, if you're connecting a computer to the internet, you're vulnerable. If your computer has non-trivial wireless functionality (in this case, keyless entry), you're vulnerable. The only question is whether someone cares enough to hack you, in particular.
"I see three possible outcomes, in decreasing order of likelihood: status quo, where they just "fix" the bugs as they hit the news; some sort of massive push towards real computer security, in this and other industries; or a massive reduction in features to avoid the flaws."
Only one of those three is the correct answer, and it is the third one.
Your car does not need a wireless network - since you have a newer, nicer one in your pocket every 18 months.
Neither does your refrigerator nor your smoke detector.
These are self-inflicted problems and they're easy to solve - just remove the gratuitous complexity.
The article isn't about people remotely taking over cars or disabling cars. It's that the anti-theft system has a flaw. That's not nothing, but it doesn't put anyone's safety at risk.
In particular, it's not necessarily worse than the status quo ante. Cars had mechanical locks, which were pickable. A "slim jim" could unlock many cars. Once you were in the door, you could hotwire the ignition. So to be able to defeat a computerized anti-theft system... no gain from the computerization, but is there any loss from it?
Most people do not have a background in security so this is anything but a 'duh' moment for them. The more news like this that makes it to the mainstream media, the more hopeful I am that regular folks will learn the state of security today.
I have a Passat from late 2013 -- it cannot be remotely started but doors are keyless. Twice in the last 16 months, somebody rummaged through it overnight, without breaking anything. We religiously close the car every night, especially after the first occurrence, but still it happened again. After it happened to my next-door neighbor's 2013 Golf as well, I reported it to VW and they never even bothered getting back to me.
I'm not surprised in the slightest, I think this sort of news will keep popping up all over the place and manufacturers will keep trying hard to suppress it. We know it will never end: good crypto is hard and inconvenient, so it's unlikely that car manufacturers will ever implement it properly. Bad guys get all the info they need, eventually, so it's just a matter of time before any digital lock is broken.
Your anecdote doesn't share anything in common with the article. One of two things is likely - your car wasn't actually locked those nights, or the thieves used a signal amplifier to make the car think your keys inside the house were next to your car.
Neither of those things is VW's fault - if you don't like the wireless automatic door unlocking because the signal can be boosted maliciously, then you should disable it. Otherwise live with the consequences.
No, my anecdote is more about a data point (well, three actually) indicating we don't really know how many ways there are to break into these cars, and that manufacturers are playing dumb, hence me not being surprised at the news that another one was found.
If really the problem was relatively trivial, VW should have warned me on how to avoid it, and they didn't. It can't be a simple amplifier: it's not just proximity, you actually have to press a button on the dongle to open a door, so whatever they were doing, it wasn't just repeating an existing signal; and as I said, I can tell you that making sure the car is locked has become a nightly ritual.
It doesn't share much in common with the article, but I believe this immediately because the same thing happened three times over the last two years to different people on my street. All with new and rather nice Audi models. Opened without any damage, the dashboard completely rampaged (nav, radio, airbags etc. removed).
I won't be surprised if there's another, even more serious vulnerability in Volkswagen locks. The security researcher who found it probably sold it to the bad guys, totally understandable after reading how Volkswagen handles security reports.
The second thing - that thieves can use a radio signal amplifier to open your car - is definitely VW's fault. Even if they did not design that system, they chose a supplier for it. A fresh graduate engineer could have reviewed that design and seen that flaw. But would a fresh graduate manager listen to his report ?
I saw a report a while back that if you put your car keys in the freezer or something, it blocks enough of the signal from your keys that someone can't use this signal repeater to unlock your car; it's supposed to act (somewhat) like a Faraday cage.
I know it sounds stupid but I remember seeing it on HackerNews a while back. I'm not sure if it was debunked or not.
The "new" (actually 2 years old) thing is the UK courts granting injunctions preventing the publication of security research from a well known UK university. WTF.
> The research team first took its findings to the manufacturer of the affected chip in February 2012 and then to Volkswagen in May 2013. The car-maker filed a lawsuit to block the publication of the paper - arguing that its vehicles would be placed at risk of theft - and was awarded an injunction in the U.K.'s High Court.
But then they don't detail the legal situation that led to the two years of litigation and the eventual release, so I don't know who to be mad at..
People are usually bad at understanding counter-intuitive notions such as the fact that making security flaws public actually makes consumers more secure, not less.
Now, after lengthy negotiations, the paper is finally in the public domain - with just one sentence redacted.
"This single sentence contains an explicit description of a component of the calculations on the chip," Verdult said, adding that by removing the sentence it was much more difficult to recreate the attack.
So the immobilizer does not immobilize as much as expected/hoped. While that sure isn't something the manufacturer should be proud of, it is hardly a really critical problem, nowhere close to "stop driving until resolved". Immobilizers may have lowered car theft before, but never fully stopped it. The incentive situation for thieves has shifted a bit, that's all, a gradual change, not a 180 degree bit flip.
The bigger mistake than sourcing imperfect components is the attempted cover-up and I am positively surprised that this is even reflected in the headline. (at least theoretically: the first glance takeaway message for this story will always be "security hole in car!", no matter how much the author tries to put the cover-up in focus)
So has VW taken advantage of the time given to them by the courts to release fixed transponders in new vehicles and slowly replace the current defective ones as part of a routine service?
Otherwise they've just delayed the information getting out which seems pointless?
"There's no quick fix for the problem - the RFID chips in the keys and transponders inside the cars must be replaced, incurring significant labor costs."
What a nightmare. Car manufacturers have to design more resilient systems.
Based on the difficulty of securing hardware systems after deployment, they will surely be trying to put more and more features on the software side.
If so, they will also have to think about a quick way to deploy security fixes remotely. One way could be working with connectivity solutions for Embedded Systems (e.g. SigFox).
Well, the advantage of VW is that the car itself is pretty secure.
All messages on the CANBUS are securely signed, there are multiple rings of security where data can always pass only in one direction, etc.
The only thing this exploit enables is that if you already have the car, managed to break the steering wheel lock, managed to replicate the magnetic signature of the key, and managed to start the motor, that you can circumvent the immobilizer that comes after that.
This is a pretty minor flaw compared to the "full control via radio" that competitors had.
Is this a specific feature of VW's implementation of CAN? CAN in general (at least not in 2007 when I last worked in the industry) is not secured. The only real security once you had access to the CAN bus were the separate rings (although several modules bridged). You probably couldn't start the car and keep it started unless you figured out the variant of crypto handshake used between whatever did ignition/skim/rke and the engine (sometimes public key, sometimes symmetric, often with some sketchy cipher implemented by modules that would offer full memory access via debug protocols if you asked the right way). If you had access to the spec for messages for the machines, access to the CAN bus can do some very cool/scary things.
Depending on how the car manufacturer spec'd the engine<->skim handshake, you might get as lucky as to just be able to isolate the offending skim/rke unit and MITM/replay its messages. If the rke and skim units are separate, there's an outside chance that the beacon that is sent after remote-start that lets the engine know not to turn off doesn't contain a secret key itself and can be replayed. In any event, I'd assume that physical access to the vehicle means that a kit could be deployed in minutes to steal the vehicle without any fuss.
As noted in the conversation about the Jeep hacking thread,
This is an example of "better" security by not making the security system reprogrammable (it's read-only). But it does incur this huge cost when you find a problem with it.
I'm sure the time to fix is also made more problematic by the need to fab new chips.
> If so, they will also have to think about a quick way to deploy security fixes remotely. One way could be working with connectivity solutions for Embedded Systems (e.g. SigFox).
Something tells me giving the car's immobilization system a routable IP address is not the best way to "fix security"
I almost want my next car to have a physical key, but a digital one. Back after mechanical keys but before wireless entry/start, there was a short period where you had to plug the entire keyfob into the dash to start the car... I want that back.
Mechanical keys have the "photograph" problem (i.e. a single photograph can be used to reproduce them). Wireless start has the wireless hacking problem (i.e. if you broadcast, that can be intercepted/manipulated/etc). Digital keys have neither of these, and can utilise real challenge/response protocols since the keyfob can be powered by the car while authenticating.
I will say I don't know if wireless entry will ever be secure. Too many technical problems to overcome, soon we'll be reproducing the military's channel hopping.
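As an added illustration (not code from the thread or from any manufacturer) of the "real challenge/response protocol" a car-powered digital key could run, and of why the replayable start beacon described earlier in the thread is the weaker design: the engine unit issues a fresh random challenge per start attempt, the key answers with an HMAC over it using a shared secret, and the car accepts the answer only for the most recent challenge. The message layout, key length and the `immo-v1` domain-separation label are assumptions for illustration; the static-beacon scheme is included only to show what the challenge/response design removes.

```python
"""Toy immobilizer handshake (added example; all protocol details are assumed)."""
import hashlib
import hmac
import secrets

CHALLENGE_LEN = 16  # assumption: 128-bit random challenge per start attempt
TAG_LEN = 16        # assumption: response truncated to 128 bits


def _tag(secret: bytes, challenge: bytes) -> bytes:
    # Domain-separated HMAC so the key cannot be tricked into signing
    # data meant for some other protocol using the same secret.
    return hmac.new(secret, b"immo-v1" + challenge, hashlib.sha256).digest()[:TAG_LEN]


class DigitalKey:
    """The key side: holds a secret shared with the car, answers challenges."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return _tag(self._secret, challenge)


class EngineUnit:
    """The car side: one fresh challenge per attempt, single-use verification."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(CHALLENGE_LEN)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = _tag(self._secret, self._pending)
        self._pending = None  # consume the challenge: a later replay has nothing to match
        return hmac.compare_digest(expected, response)


def legitimate_start(car: EngineUnit, key: DigitalKey) -> bool:
    """Normal start: the genuine key answers the car's current challenge."""
    return car.verify(key.respond(car.challenge()))


def replay_attempt(car: EngineUnit, key: DigitalKey) -> bool:
    """Record one genuine exchange, then present the recorded answer on the
    next start attempt. Returns the car's decision for the replayed answer."""
    recorded = key.respond(car.challenge())
    assert car.verify(recorded)  # the original exchange succeeds
    car.challenge()              # next attempt: new challenge, so the old tag is stale
    return car.verify(recorded)


def wrong_key_attempt(car: EngineUnit, other_key: DigitalKey) -> bool:
    """A key with a different secret cannot produce a valid response."""
    return car.verify(other_key.respond(car.challenge()))


# Contrast: a static "keep running" beacon with no challenge binding is
# accepted whenever it is repeated, which is exactly the replay weakness
# the thread worries about.
STATIC_BEACON = b"constructed-static-beacon"  # constructed sample value


def static_beacon_accepts_replay() -> bool:
    recorded = STATIC_BEACON                     # captured once
    return hmac.compare_digest(recorded, STATIC_BEACON)  # accepted again later


if __name__ == "__main__":
    secret = secrets.token_bytes(32)
    print("legitimate:", legitimate_start(EngineUnit(secret), DigitalKey(secret)))
    print("replay:", replay_attempt(EngineUnit(secret), DigitalKey(secret)))
    print("wrong key:", wrong_key_attempt(EngineUnit(secret), DigitalKey(secrets.token_bytes(32))))
    print("static beacon replay accepted:", static_beacon_accepts_replay())
```

The design choice worth noting is that the challenge is consumed on verification regardless of the outcome, so an attacker who records a valid answer gains nothing on the next attempt; the static beacon has no such binding, which is why a recorded copy keeps working.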
The mechanical keys used in VWs today cannot be reproduced by photographing them. They have non-standard cut-ins on both sides and also activate magnetic bolts inside the lock.
If I read this correctly, the vulnerable vehicles are not really left in a worse state because of this defect. If they did not have cryptographic electronic start, they'd simply be vulnerable to old-fashioned hotwiring. I could be wrong, as I haven't been in a recent model, but I assume there is still a physical steering column lock that needs to be disabled, no?
No. The whole point of keyless entry is that you don't need to physically handle a key to enter and start the car. Its presence in your pocket is sufficient to enable the Start button to work. Or, as this article demonstrates, the car's belief that the key is in your pocket is sufficient.
But anyone waiting to spend 30 minutes with an electronic crack is also smart enough to use liquid nitrogen to crack this too.
The difference is that a keyless hack can look natural since there is no physical force for entry or ignition. A funnel and chisel would raise some eyebrows.
This attack is against the RFID immobilizer for the engine, which means an attacker would have to break into the car, break the steering wheel lock and break the physical ignition lock prior to starting the car.
If the article is accurate, avoiding use of the key fob should make it more difficult for the attack to be carried out (which admittedly isn't very useful).
As far as my limited understanding goes, using the key fob for remote central locking does not expose any risk; instead it's the immobiliser part. So manually opening your door with the physical key provides no extra safety. It's when the key is present near the ignition barrel that the immobiliser kicks in, and that's where this vulnerability exists.
http://www.networkworld.com/article/2909589/microsoft-subnet...
http://www.theguardian.com/technology/2013/jul/30/car-hackin...
They got an injunction so that's a pretty public way to go about trying to do a "cover-up".
"Cover up" sounds accurate to me.
Right, what could possibly go wrong?
The full paper here: https://www.usenix.org/sites/default/files/sec15_supplement.... has a lot better detail.