
All CANBUS packages that are useful to drive a car should be encrypted using a public/private key that is in the owner key. Decryption chips are cheap and fast.



Maintenance is a big key management problem though: if only the owner has it, there will be problems when people inevitably lose it. If there are shared keys for service departments or databases, thieves will get access to them.

Things like time-limited on-demand keys can limit those problems but now you can’t get your car serviced when Toyota’s servers go down and they need to commit to not breaking API compatibility for multiple decades.


GP said the key is in the car key. You already give the car key to a mechanic, I don't see how this would make maintenance any harder.


Think about what happens when people lose their keys, which will reliably happen.


In the old days, most or all car companies had the ability to look up the bitting code to cut a replacement key (the mechanical kind) from the car's VIN. There's no reason they can't do the same with an encryption key.

Of course they'd need to do a good job securing that database since inappropriate access to it would make stealing cars very easy.


There is a very good reason that isn't possible/analogous to traditional rekeying.

Mechanical keys are not secure. They can be reproduced with basic skills. That's why there used to be a giant key cutting industry where much of the business was car keys (Thanks, GM.)

The whole idea of CA PKI and all modern TPM architecture on devices is that they CAN'T be reproduced or replaced in context without massive effort that would make the intended use moot; i.e. replacing the TPM and associated on both the key and car. This would require some bureaucratic pointless process to prove your identity, and it would be very expensive and frustrating, and completely at the manufacturer's will.

Further, if the car CPU could allow this, it would be >.0001 second before thieves use the same exact tools that the manufacturers use. This is basically what's happening now with current NFC/Radio Keyfobs. Basic access to existing cpu through canbus makes NFC/Radio moot.


> If I left a million dollars out on my front porch, and someone stole it, that would not be my fault in any sort of way

Pretty much all of human history to this point says that this is a practical impossibility. If there is such a database/secret, it will get out.


Just make it so the key has to match cryptography with a device that is wedged deep within the vehicle in a hard to access way.

The dealer can spend the two hours necessary to replace the encryption module, but thieves would have to also spend that same two hours.


Most modern keys already have cryptographic rfid transponders which must be in place to turn off the Immobilizer system.

Unfortunately, Immo can be trivially disabled/bypassed/reprogrammed on many cars using the canbus or OBD2 interface.

Also trivially editable in many ICUs is the mileage, airbag (crash) history, etc.

The main vector is that this data typically exists alongside performance parameters and user data like registered keys and fobs, so is accessible either by catching the ecu in bootup/program mode, by buffer overrun attacks, or often just by asking nicely.

This is basically doable by anyone who can do chip tuning or ECU remaps. It’s technical, but not that technical. Many ECUs require JTAG access inside the ECU housing or even desoldering the serial flash chip, but many do not.

I just bought a whole setup for this from AliExpress for about 100 dollars and it’s worked well for me so far, just a specialised JTAG adapter with some cables really.

Pretty sure if you wrote drivers for chip tuning software to use a buspirate it would work just as well if not better.


The manufacturer should maintain a root cert that can be used. If that root cert is compromised then they should have a way of rotating keys if the vehicle and physical keys are present. Breaches then constitute what amounts to a software recall, putting the onus on the manufacturer to report them or be held liable for thefts. The recall notice puts the liability on the driver to have their vehicle updated (for free) in a timely fashion.


To do that, we'd probably need to accept one of these as a consequence:

1. all cars must be internet connected so they can pull CRLs

2. dealers and locksmiths are no longer able to replace keys, you will have to ship the car back to the manufacturer if you lose your keys.

Because there's no secure way to hand out the root cert to the thousands of organizations authorized to replace keys today.


The situation doesn’t need to be as strict as #2: you could have a way for a registered service shop to get a per-device rekey by shifting some liability to them. Making it per device prevents bulk usage and an active communication with the manufacturer would mean the cops could ask the owners of a shady auto shop some questions when 80% of the stolen cars in the area are being rekeyed at a place the owners have never been to. I lost a car key once and the locksmith who showed up checked my driver's license against the title database because he could have been penalized for unlocking a vehicle without doing so - we could make the same model work electronically because while car thieves are anonymous, legitimate repair shops have a business presence and reputation to preserve. Even someone amoral isn’t going to look the other way for something which will cost them their primary revenue stream.


I don't think that the dealer equipment being used to steal cars today is coming from dealers where management is knowingly engaging in car theft. It is other people who are misusing those tools. There are many hundreds of thousands of people who work at dealerships, and many do not care about their employer's reputation. Also, many dealerships are broken into.


Yes, which is why I suggested a combination of measures to change that. An active per-device transaction would make it clear when a dealer’s access is being misused, and if it affects their business viability it would turn out that they could do a better job of controlling access. Hundreds of thousands of people work at banks, too, and many of them do not care about their employers but thefts from customer accounts are rare because the companies are incentivized to set appropriate safeguards. There’s no reason why car repairs couldn’t be the same other than that it costs more than what they’ve been doing, and there aren’t strong enough incentives for them to take on those costs.


What would that look like in reality? Expecting dealerships to have the same physical security, procedures, and security vetting of a bank? There's already a shortage of workers in these roles, now we want the guys busting their knuckles on vehicle repairs to have a good credit score and good background check and perform elaborate opening and closing procedures with a buddy system? Storing tools in a vault?

I really don't see how any of this is merited or reasonable, especially when the vast majority of the cars being stolen in my neighborhood are either stolen with the keys or with a tow truck.


Require resets to be initiated and authorized by the F&I department, whose security and KYC processes should already be substantially similar to those of other institutions that regularly approve $50,000+ loans.


My prediction:

1. As a result, we'll see costs like losing the keys to a rental car go from a $250-500 fee to a $2500-5000 fee, due to the additional costs to process and the additional loss of use.

2. Criminal rings that steal high value cars will go from often using tow trucks, to exclusively using tow trucks.

3. The number of cars stolen via stolen keys will remain unchanged.

Yes, the key itself will be more secure, but I'm not really sure it will actually improve anything. More security is not better if the costs do not create real-world results.


Your second point is leaving out a lot: there’s no way adding a requirement that you have heavy equipment and a skilled operator isn’t going to reduce the number of thefts, and those trucks are in more limited supply and easier to track than a small tablet. They’re also way less stealthy so there’s a lot more time to get caught.

The third point may be true for classic theft but would not be true for the growing category of thefts caused by abusing wireless keys. If you can’t easily get a new key, the resell value for that car is going down dramatically.


Commercial tow trucks are not hard to get in many places, but it is also not required to tow a car. There are many consumer oriented solutions for towing a car. Tow dollies are about $40 to rent in my city. Or if you're a thief, trailers aren't hard to steal either.

> If you can’t easily get a new key, the resell value for that car is going down dramatically.

Most of the vehicles that are stolen for resale are high value and sent overseas to parts of the world where the labor is cheap enough to do something like entirely rip out all of the security components. I don't really think that these criminals will stuff a G-wagon in a shipping container for $100,000 but they won't do it for $80k or $90k.


> Commercial tow trucks are not hard to get in many places, but it is also not required to tow a car. There are many consumer oriented solutions for towing a car. Tow dollies are about $40 to rent in my city. Or if you're a thief, trailers aren't hard to steal either.

Again, it’s possible but do you really think there isn’t even one thief who lacks easy access to a tow truck or will be caught firing up noisy equipment at 3am but not if they fumble around in their pocket while walking up to a car? Not a single teenager looking to joyride won’t give up if it’s harder than the Kia video they saw on Tik Tok?

Similarly, yes, people will still steal vehicles and ship them overseas but the more work they do the lower the resale market and value will be, and that will make it less tempting since you’d only be able to sell to people who are content never getting service from the manufacturer. Even if we assume that there are countries with skilled technicians and effectively no law enforcement, only something like 10-15% of stolen vehicles are shipped according to U.S. officials so even if you wrote those off entirely you would have plenty of room to improve by reducing the majority of thefts which never leave the country.


There are different categories of criminal here who are willing and able to do different things to different types of cars.

> Again, it’s possible but do you really think there isn’t even one thief who lacks easy access to a tow truck or will be caught firing up noisy equipment at 3am but not if they fumble around in their pocket while walking up to a car?

Canbus attacks, OBDII reprogrammers, and similar are typically pretty intrusive, they require cutting into fender liners, removing lamps, busting a window, or otherwise gaining physical access to the bus. They also require specialized tooling and expertise that are harder to get than the tools which physically move vehicles.

The one that might be an exception, and that some savvy street criminal might be able to get their hands on, is a tool to do a relay attack, which is usually good enough to steal belongings from a car, but generally not capable of stealing the car.

> Not a single teenager looking to joyride won’t give up if it’s harder than the Kia video they saw on Tik Tok?

Definitely not. Vehicles with immobilizers are essentially never stolen by joyriders unless they have also stolen the keys.

> Even if we assume that there are countries with skilled technicians and effectively no law enforcement, only something like 10-15% of stolen vehicles are shipped according to U.S. officials

Yes, and almost all of the other ones either just lack immobilizers, or the thief also stole the keys.

e.g. https://archive.is/kxXn3


Simply requiring the dealers to take seriously ownership validation and track which workers used the reset system (no shared logins, etc.) would do most of it.


The same problem exists for car keys.

The answer is, when a person "inevitably lose[s] it", they need to pay to get their electronics refit.


The result of that may be that losing a key is financially devastating enough that it totals many vehicles. And/or if the odometer and other local storage is affected, that may cause permanent title issues for the car.

The number of people who lose their keys vastly dwarfs the number of people who are having their car stolen with a flipper zero.


Perhaps, or perhaps not.

It has to be hard enough it can't be done in the street (without getting attention), but maybe it could be easy enough to do in a garage.

But even if it is expensive, the result would be that either people will take more care, or they'll lose their car.

Maybe it's not a bad thing that people who can't manage a key are less likely to be on the roads - or that it's more likely they lose access to their car than it ends up in the hands of criminals. A car can be a dangerous thing, even an inexpensive one.


Yes, but this wouldn't prevent dangerous street criminals from stealing cars. Many of them steal the keys with the car. They go down to the gas station, and wait for an old lady with a nice car to pull up to the pump, and when she hops out they hop in.

The criminals doing more skilled attacks typically aren't joyriding or using it to commit other crimes, they're typically doing it for financial gain: they want the car, its contents, or its parts.

Ultimately the overlap between the violent street criminals and those skilled at attacking digital security systems is not much.

> But even if it is expensive, the result would be that either people will take more care, or they'll lose their car.

The entire reason keys were explicitly designed with the functionality to program new ones is because that's not considered by most to be an acceptable solution.


That kind of expands the scope of this conversation to mugging/carjacking, which also comes with a higher penalty, and probably higher priority to the police.

And, it involves interacting with someone, who presumably can call the police afterwards, and activate any lojack / immobilisation device before it can be removed. Presumably the appeal of stealing a parked car is that it may be a while before it has been discovered and reported stolen.

Also, doing such a thing in a gas station where there are likely cameras and even other people / attendants makes it seem pretty risky to me. Are these dudes just hanging around the pumps in masks? What country is this?

> not considered by most to be an acceptable solution

Things change, but also, it's as much up to the government and/or insurance corps what's acceptable.


The only reasonable way to evaluate risk is as a whole. Real world attackers pick whichever realm is easiest to exploit, they aren't going to waste their time doing something difficult when there are easier ways to accomplish their goal.

> who presumably can call the police afterwards, and activate any lojack / immobilisation device before it can be removed.

Yes, people who carjack usually aren't looking for a nice daily driver to hang on to for the next 3 years. Usually they want to joyride, or use the car for some other crime, in the immediate term.

> Also, doing such a thing in a gas station where there are likely cameras and even other people / attendants makes it seem pretty risky to me. Are these dudes just hanging around the pumps in masks?

Stealing a car, and being in possession of a stolen car, is pretty risky already. I think someone who does this type of crime is probably not very risk averse. Wearing masks is a pretty common way to thwart cameras when committing a crime in many places, I don't think this potential security issue is specific to certain countries. I think what you might be hinting at is that fewer people want to do carjackings in different places, but the same applies to canbus exploits. Nor do I think anyone really needs to "hang out" to find a car at a gas station. Many have cars filling up at them regularly throughout business hours.

> Presumably the appeal of stealing a parked car is that it may be a while before it has been discovered and reported stolen.

Yes, and while there are some instances of this happening electronically, I don't think closing those avenues will change anything, because towing cars is neither difficult nor suspicious in many places. Again, security is only as good as the weakest link. Nearly all criminals cut locks, even ones that are very easily picked.


> people who carjack usually..

No idea, but my point stands on how they achieve this in the first place..

> towing cars is neither difficult nor suspicious in many places

because it's not a recognised method of theft. Also, buying a registered tow truck to commit a car theft doesn't sound easy to me.


Buying a tow truck is no different than buying a truck just about anywhere. Or one can simply buy a regular truck and bolt on a towing attachment to make their own tow truck.

e.g. https://liftandtow.com/

One can also purchase, rent, or steal a trailer and attach it to a vehicle. There are several types of trailer which can haul a car, which are all widely available to the public.


0 people are getting their car stolen with a flipper zero.


A traditional car key can be trivially duplicated at any hardware store. That's the difference. You can make as many spares as you want for a couple bucks a pop. No dependencies. No network.


Do any cars have "traditional keys" anymore? My 15 year old Corolla has an embedded RFID tag in the key, and can only be duplicated at a Toyota dealership.


Assume that for anything new enough to have keyless entry, the answer is no.

The big switchover was in '96 when OBDII/CAN bus became mandatory. At that point it became pretty cheap to do things electronically, often cheaper than mechanically, so lots of things started switching over around then.


Not fully true. Just as it's not true with non-car keys. Some blanks are heavily protected. Now these days with the dissemination of cheap cnc mills, maybe that's a bit more trivial, but you are paying a lot more for a cnc mill than you pay for an old key grinder.

Same issue we have now with ghost guns honestly. CNC mills are powerful tools, with the right software you can essentially just place the properly sized chunk of metal in the box and hit go.


That's why I said traditional key. They're just metal with a few parts cut to a specific profile. It's once you start mucking around with immobilizers and other encrypted things that need the factory tools... Those can cost tens of thousands, and usually require continuous internet access back to the home office.


Why can't electronic keys be duplicated / backed-up?


Because they only have the public key. You need the private key which NO ONE gets, not even the dealer. They send the required info in (which includes the serial / "key") for the new key to the home office. You can't just copy the key, even electronically, as it will have a different hard-wired "seed".


This is like the initiative to get people to wear body armor to cut down on muggings.


How is it?


My Ducati bike had immobilizers that would prevent the bike being started without the key or the per-bike code card. When it was stolen, the thieves tried all manner of things to start it, including drilling through the ignition keyhole. I managed to get it all fixed and the bike still ran. Without the immobilizer, someone else would be riding my bike.

That's no different from this proposal. You just give them the keys, or the key card (or red key) if you've lost the keys.


Some of the tools used to steal cars are the legitimate tools used to repair cars. Key programmers aren't cheap, but at under $5k for decent ones, they aren't crazy expensive either. It pays for itself in one job.

You could make these tools more difficult to obtain, but that won't stop the crime.

Immobilizers and requiring a PIN to start the car are cheap, effective ways of preventing car theft without negatively impacting our ability to repair vehicles. It would behoove government agencies to include a list of anti-theft techniques on the window sticker and it would behoove insurance companies to be very upfront with the anti-theft features they think vehicles need.


Right now many of the components of your iphone are paired to the phone through signing. It's a huge fucking pain in the ass, and it makes the whole 'right to repair' a huge can of worms.


I work in CA/PKI, particularly IoT device registration/security via TPM keys.

I cannot imagine a scenario after years working with our own infra and clients where a car manufacturer would restrict access to the vehicle with a private key decryption on the FOB tpm, (that can't be exported or copied.)

Lost/broke fob? 4000 pound paperweight, to no one's benefit. Insurance nightmare that would also be violating right to repair in many states (which is a different issue).

There SHOULD be a standard like every person has some device or process that is also a CA, who can then generate and dictate what keypairs can access a device, car etc. But we are very very very far away from that.


It's an enormous amount of implementation effort aimed at tampering which, to some approximation, never happens. And as another poster has said elsewhere, partitioning the communications would be cheap.

That they are using the OEM software indicates that there is some authentication going on with the ECU to start the engine anyway. I bet they didn't truly plan for key rotation.


Allow me to offer a different opinion. There is little sense in applying logical security when physical security is lacking. CANBUS should not be accessible by taking apart headlights. Communication buses must be protected from physical access, i.e., trip the alarm system or disable the car upon unauthorized access. There can be no logical security without physical security.


It would be very hard to make CANBUS inaccessible from headlights, since that's what controls it. However, the headlight shouldn't be able to tell the rest of the system that the key is in the car.


Logical compartmentalization like you suggest is a fine approach, but even better is to not allow physical access. Unless the car is in maintenance mode at the shop, the chassis should be sealed tight. Maybe the manufacturer decided to favor headlight maintainability over theft prevention, or was simply oblivious.


From what I've been seeing with Toyota and their ECU Security Key, it hasn't been cracked yet but it's close to being cracked and extracted from a running car and the private key extracted (so things that look at CAN bus messages can work again, like comma.ai)


CANbus protocol makes this hard. Payloads are limited to 64 bits, to start with. But the payload for each message could be encrypted, even though secure key exchange would be difficult.

Even so, it would be possible, I think.


It's so hard that (almost) every European manufacturer figured it out.

There is also FlexRay. There is nothing interesting you can do with CANbus on new mercs. Even unencrypted CANbus messages go through gateways that (could) prevent headlights from reporting key presence.

There is a reason that some cars don't have reasonable attack vectors (excluding parachuting the driver out of the car) and some can be started with a screwdriver (or a slightly more involved way with CANbus). It's not complexity, it's cost.
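As an added illustration (not from any commenter, manufacturer or standard) of the two points above, that authentication can fit inside classic CAN's 64-bit payload, and that a node on an exposed bus segment should then be unable to claim the key is present: the frame layout, tag length, key and arbitration IDs are constructed for this example, and the shared key is assumed to be pre-provisioned in both ECUs, since key distribution is the part the thread calls hard.

```python
"""Authenticated CAN frame in an 8-byte payload (constructed illustration).

Layout: 4 bytes data | 2 bytes low bits of a freshness counter | 2-byte
truncated HMAC-SHA256 tag over (arbitration ID, full counter, data).
"""
import hashlib
import hmac
import struct

CAN_DLC = 8      # classic CAN: at most 8 data bytes (64 bits) per frame
DATA_LEN = 4
CTR_LEN = 2      # only the low 16 bits of a 32-bit counter go on the wire
MAC_LEN = 2      # 16-bit tag is for illustration; real schemes use longer tags
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key


def _tag(key: bytes, can_id: int, counter: int, data: bytes) -> bytes:
    msg = struct.pack(">II", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class Sender:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def build(self, can_id: int, data: bytes) -> bytes:
        assert len(data) == DATA_LEN
        self.counter += 1                      # never reuse a counter value
        tag = _tag(self.key, can_id, self.counter, data)
        return data + struct.pack(">H", self.counter & 0xFFFF) + tag


class Receiver:
    def __init__(self, key: bytes):
        self.key, self.last = key, 0           # last accepted full counter

    def accept(self, can_id: int, frame: bytes) -> bool:
        if len(frame) != CAN_DLC:
            return False
        data = frame[:DATA_LEN]
        (low,) = struct.unpack(">H", frame[DATA_LEN:DATA_LEN + CTR_LEN])
        tag = frame[DATA_LEN + CTR_LEN:]
        # Rebuild the full counter from the receiver's own high bits. A low
        # part that does not move forward is treated as the next wrap, so a
        # replayed or stale frame gets a counter whose tag cannot match.
        cand = (self.last & 0xFFFF0000) | low
        if cand <= self.last:
            cand += 0x10000
        if not hmac.compare_digest(tag, _tag(self.key, can_id, cand, data)):
            return False                       # forged, tampered or replayed
        self.last = cand
        return True


def demo() -> dict:
    """Run the scheme against a replay, a flipped bit and an ID swap."""
    tx, rx = Sender(KEY), Receiver(KEY)
    key_present = 0x1A0                        # constructed arbitration ID
    f1 = tx.build(key_present, b"\x01\x00\x00\x00")
    flipped = bytearray(f1)
    flipped[0] ^= 0x01
    return {
        "first": rx.accept(key_present, f1),
        "replay": rx.accept(key_present, f1),
        "tampered": rx.accept(key_present, bytes(flipped)),
        "other_id": rx.accept(0x1A1, f1),
        "second": rx.accept(key_present, tx.build(key_present, b"\x01\x00\x00\x00")),
    }
```

A receiver that misses more than 65535 consecutive frames loses counter sync and would need a resynchronisation step, which this example leaves out.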


Absolutely. Margins on cars are surprisingly thin at the manufacturer level.



