Car Hacking, Again

December 24, 2010

In recent years, auto manufacturers have introduced a new security technology, sometimes called an immobiliser, in an attempt to reduce the incidence of car theft.  The immobiliser, which is typically present in the key fob, sends an encrypted wireless signal to the car’s electronic engine control when the driver attempts to start the engine.  If the encrypted code is correct, the engine starts; otherwise, the engine is locked down.

These systems have apparently achieved some success in reducing theft.  Auto thefts in Germany had been steadily declining for sixteen years, but that trend has now been broken, according to an article at New Scientist:

AFTER a 16-year decline, car theft in Germany rose in 2009, according to figures released recently by the German Insurance Association. One “white hat” hacker, who probes security systems to flag up flaws that can then be patched, thinks he knows why. Karsten Nohl of Security Research Labs in Berlin, Germany, has identified vulnerabilities in the engine immobilisers used to protect modern cars from theft.

There appears to be an underlying problem with the encryption used in these systems, a problem that will not come as a surprise to anyone who has worked in the area.

…  the proprietary encryption keys used to transmit data between the key fob, receiver and engine are so poorly implemented on some cars that they are readily cracked, Nohl told the Embedded Security in Cars conference, in Bremen, Germany, last month.

As I’ve said before, the history of proprietary security systems and encryption algorithms is fairly dismal.  Getting this stuff right is hard, and the best way we know to get a method without serious flaws is to employ a technique that is published, so that a variety of people with the requisite expertise can check it.

It appears that, in addition to using questionable proprietary methods, some vendors also used key lengths of 40 or 48 bits.   Using the relatively new Advanced Encryption Standard [AES] with 128-bit keys is now considered a minimum requirement for security.  One manufacturer did something even dumber: the Vehicle Identification Number [VIN] was used as the cryptographic key.   The VIN is generally displayed on a dashboard label, visible through the windshield, so it is hardly a closely guarded secret.
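The two provisioning mistakes described above, short keys and a key taken from the VIN, can be rejected before a key is ever stored. The sketch below is an added example, not code from the original post or from any vendor. It assumes a challenge-response exchange between car and fob and uses HMAC-SHA-256, a published primitive in the Python standard library, in place of AES. `validate_key`, `fob_response`, `EngineControl` and `SAMPLE_VIN` are hypothetical names.

```python
import hashlib
import hmac
import secrets

MIN_KEY_BITS = 128            # minimum key length the post cites
SAMPLE_VIN = "TESTVIN0123456789"  # constructed 17-character placeholder, not a real VIN


def validate_key(key: bytes, vin: str) -> None:
    """Refuse to provision a key that is too short or derived from the VIN."""
    if len(key) * 8 < MIN_KEY_BITS:
        raise ValueError(f"key is {len(key) * 8} bits, need {MIN_KEY_BITS}")
    vin_bytes = vin.encode("ascii")
    # A 17-character VIN is 136 bits of ASCII, so it passes a length-only
    # check; compare against it (whole, truncated or padded) explicitly.
    if key in vin_bytes or vin_bytes in key:
        raise ValueError("key is derived from the VIN, which is public")


def fob_response(key: bytes, nonce: bytes) -> bytes:
    """Key fob side: authenticate the car's nonce with the shared key."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class EngineControl:
    """Car side: issues a fresh nonce per start attempt and checks the reply."""

    def __init__(self, key: bytes, vin: str):
        validate_key(key, vin)
        self._key = key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        nonce, self._pending = self._pending, None  # single use: no replay
        if nonce is None:
            return False
        expected = fob_response(self._key, nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare
```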

I’ve written before about the potential threat from hacking a car’s electronic controls.  It is somewhat disheartening to find that even the car’s security system is, well, not very secure.
