Wednesday, September 12, 2007

Security Exploit for your Car

Car security
I have talked a bit about cars and technology here before, particularly security. I think this is an issue which deserves some attention, but I will post about it here rather than forward an e-mail to everyone I know telling them to forward it in turn; that has its own security risks, which I will explain in a later post. This article explains how I discovered a security hole in the keyless-entry remote for some cars, and how to avoid it. This is on a slightly older car, but the exploit can be gleaned from a simple reading of the owner's manual without any special technical knowledge or equipment, just a sneaky mind like mine and one's own keyless-entry remote. Your mileage may vary, as they say. You should read your own owner's manual with an eye toward something similar. More on that later.

Security attempts
Over time, car manufacturers have taken on the issue of keyless-entry security. Early transmitters simply sent a fixed digital sequence to the receiver in the car, matched to that receiver. The problem with this was that a criminal could sit in a parking lot, record the sequence with a receiver of his own, and play it back to open the doors. This replay attack required special equipment, and so was a specialized type of threat, but a real one nonetheless. To correct for it, manufacturers moved to rolling codes: the transmitter and the receiver share a secret and a counter, and every press sends a fresh code derived from the next counter value, so a recorded code is useless once the car has seen it. Note that the communication is still one-way. The remote transmits and never hears back from the car, and that detail is what makes the rest of this post possible.

The exploit
In the particular case of my car, a Chrysler Sebring, this fix for a relatively rare problem created a much more common and exploitable one. The transmitter is matched to the car at the factory, but because the remote transmits blindly, the receiver can only tolerate the remote's counter running ahead of its own by a fixed window. According to the owner's manual, if the keyless-entry remote is pressed "more than 250 times" when not within range of the car, the pairing is lost. I suspect they really mean more than 255 times (a window of 256 counter values, one byte's worth, would give exactly that), but that's a nit. Anyway, since there is a way the customer can lose the pairing, there has to be a way to resync. The way to resync, on my car, is simply this: lock the doors (using the door-lock switch on the door, of course, because your remote doesn't work), then press the buttons on the remote in a particular way (which I will skip here to maintain a little security through obscurity). The remote resyncs and can then be used to unlock the door again.

If you haven't figured out the exploit by now, it is simply this: if the owner of the car has locked the doors with the door-lock switch, any schmoe with the same model of remote can press the appropriate sequence on his own remote and get into the car. In security terms, the resync procedure is an enrollment mode that anyone can enter, and the only thing gating it is how the doors happened to be locked. The key will still not fit, so they can't steal your car, but they can steal all your CDs and sunglasses. Up until I realized this, I locked my door this way all the time, because it's easier to flip the lever on the door than to fiddle around with the remote. Luckily, I discovered this not by being victimized but because I had a remote that didn't work even after replacing the batteries, and it said on the remote "consult the owner's manual." I tried it on my dad's car, which is the same model but a newer year, and sure enough it works.
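The three mechanisms described above (the replay attack on fixed-code remotes, the counter window that desyncs after too many out-of-range presses, and a resync procedure that any same-model remote can run once the doors were locked from the switch) as one added Python model. This is my own illustration, not code from this post or from any manufacturer: the message format, the 256-value window, the derivation of each remote's key from a shared manufacturer secret, and the names Fob, Car, WINDOW, still_works_after and stranger_gets_in are all assumptions. It also models the "key must be in the ignition" variant mentioned later under Other cars.

```python
# Toy model of rolling-code keyless entry: replay, counter desync, and an
# unauthenticated resync ("learn") mode. Constructed illustration; the message
# format, window size and key derivation are assumptions, not any real protocol.
import hashlib
import hmac

WINDOW = 256  # assumed: how far ahead of the last seen counter the car will accept
# Assumed: every remote of one model derives its key from a shared manufacturer
# secret and its serial number, so the car can enroll any remote of that model.
MANUFACTURER_KEY = b"constructed-manufacturer-secret"


def code_for(serial: str, counter: int) -> str:
    """Rolling code: a MAC over (serial, counter) under the remote's derived key."""
    key = hmac.new(MANUFACTURER_KEY, serial.encode(), hashlib.sha256).digest()
    return hmac.new(key, f"{serial}:{counter}".encode(), hashlib.sha256).hexdigest()[:16]


class Fob:
    def __init__(self, serial: str):
        self.serial, self.counter = serial, 0

    def press(self):
        """One-way transmitter: the counter advances whether or not the car hears it."""
        self.counter += 1
        return (self.serial, self.counter, code_for(self.serial, self.counter))


class Car:
    def __init__(self, learn_needs_key_in_ignition: bool):
        self.paired = {}  # serial -> last counter accepted
        self.learn_mode = False
        self.learn_needs_key = learn_needs_key_in_ignition

    @staticmethod
    def _valid(msg) -> bool:
        serial, counter, code = msg
        return hmac.compare_digest(code, code_for(serial, counter))

    def accept(self, msg) -> bool:
        """Normal lock/unlock: paired serial, valid code, counter inside the window."""
        serial, counter, _ = msg
        if serial not in self.paired or not self._valid(msg):
            return False
        last = self.paired[serial]
        if not (last < counter <= last + WINDOW):
            return False  # counter <= last is a replay; beyond the window is desynced
        self.paired[serial] = counter
        return True

    def lock_with_door_switch(self, key_in_ignition: bool = False):
        # Assumed model of the post's procedure: locking from the door switch is
        # the first step of the resync sequence, so it arms learn mode unless the
        # design also demands the key in the ignition.
        if not self.learn_needs_key or key_in_ignition:
            self.learn_mode = True

    def enroll(self, msg) -> bool:
        """The resync button sequence: in learn mode the car pairs with ANY remote
        of the same model, since it can derive that remote's key from its serial."""
        if self.learn_mode and self._valid(msg):
            self.paired[msg[0]] = msg[1]
            self.learn_mode = False
            return True
        return False


def replay_is_rejected() -> bool:
    """A recorded unlock works once and is refused when played back."""
    car, owner = Car(False), Fob("owner-remote")
    car.paired[owner.serial] = 0  # factory pairing
    captured = owner.press()
    return car.accept(captured) and not car.accept(captured)


def still_works_after(blind_presses: int) -> bool:
    """Does the remote still open the car after N presses the car never heard?"""
    car, owner = Car(False), Fob("owner-remote")
    car.paired[owner.serial] = 0  # factory pairing
    for _ in range(blind_presses):
        owner.press()
    return car.accept(owner.press())


def stranger_gets_in(locked_with_remote: bool, learn_needs_key: bool) -> bool:
    """Owner locks the car; a stranger with a same-model remote runs the resync
    sequence and then presses unlock. True means the exploit worked."""
    car, owner, stranger = Car(learn_needs_key), Fob("owner-remote"), Fob("stranger")
    car.paired[owner.serial] = 0  # factory pairing
    if locked_with_remote:
        car.accept(owner.press())  # locked from the remote: learn mode is never armed
    else:
        car.lock_with_door_switch()
    car.enroll(stranger.press())  # the button sequence from the manual
    return car.accept(stranger.press())  # unlock


if __name__ == "__main__":
    print("replay rejected:", replay_is_rejected())
    print("works after 255 / 256 blind presses:", still_works_after(255), still_works_after(256))
    print("door switch, no key needed:", stranger_gets_in(False, False))
    print("door switch, key in ignition required:", stranger_gets_in(False, True))
    print("locked with the remote:", stranger_gets_in(True, False))
```

Run it as a script and the three failure modes line up with the post: the replayed code is refused, the remote survives 255 blind presses but not 256 (the one-byte window behind the "more than 250 times" nit), and the stranger gets in only when the owner locked from the door switch on a car whose learn mode does not demand the key in the ignition. The point to take from the model is that accept() is strongly authenticated while enroll() is not; in a safe design, entering learn mode must require something only the owner holds.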

Keeping out interlopers
The solution is simple, of course: always lock your doors with the keyless remote, so the car is never put into the state the resync procedure starts from. As a bonus, it is much harder to lock your keys in the car when the remote has to be in your hand to lock it.

Other cars
Your car may differ in the way it resets the keyless entry. For example, some require that the key be in the ignition to initiate the sequence. In that case you are safe from this particular exploit, because resyncing is tied to possession of the key rather than to a state anyone in the parking lot can see, but there may be other holes depending on your car. Read your owner's manual, and if you find another exploit for your car, post it below.
