Security Watch: Gone in 60 seconds--the high-tech version - CNET reviews by dmv at 11:54 am EDT, May 9, 2006
Let's say you just bought a Mercedes S550, a state-of-the-art, high-tech vehicle with an antitheft keyless ignition system. After pulling into a Starbucks to celebrate with a grande latte and a scone while checking your messages on a BlackBerry, a man in a T-shirt and jeans with a laptop sits next to you and starts up a friendly conversation: "Is that the S550? How do you like it so far?" Eager to share, you converse for a few minutes, then the man thanks you and is gone. A moment later you look up to discover your new Mercedes is gone as well. Now, decrypting one 40-bit code sequence can not only disengage the security system and unlock the doors, it can also start the car--making the hack tempting for thieves. The owner of the code is now the true owner of the car. And while high-end, high-tech auto thefts like this are more common in Europe today, they will soon start happening in America. The sad thing is that manufacturers of keyless devices don't seem to care.
As the F-Secure blog put it -- you wouldn't dream of securing $100K of information with a 40-bit encryption system, right? And my first thought -- as in general with electronic locks -- is that as Matt Blaze has shown, analog keys are far worse. Look at your car key, or your house key -- how many real bits of information are encoded? But the electronic start and everything else... it feels too clean. The advantageous property of analog cracking is that in public, it requires the criminal to act in some way that is different from a legitimate user. The scenario presented was that I sit near the car or key holder for a couple of minutes -- no sign of entry -- and then to steal the car I just walk up to it, laptop in bag, like I had pressed the remote in my pocket, car starts and off we go. Also, traditional lock-picking also requires the criminal to possess a skill that requires practice. With these electronic systems, people will download the right script... Script-kiddie car thieves?
RE: Security Watch: Gone in 60 seconds--the high-tech version - CNET reviews by Lost at 2:03 pm EDT, May 9, 2006
dmv wrote: Let's say you just bought a Mercedes S550, a state-of-the-art, high-tech vehicle with an antitheft keyless ignition system. After pulling into a Starbucks to celebrate with a grande latte and a scone while checking your messages on a BlackBerry, a man in a T-shirt and jeans with a laptop sits next to you and starts up a friendly conversation: "Is that the S550? How do you like it so far?" Eager to share, you converse for a few minutes, then the man thanks you and is gone. A moment later you look up to discover your new Mercedes is gone as well. Now, decrypting one 40-bit code sequence can not only disengage the security system and unlock the doors, it can also start the car--making the hack tempting for thieves. The owner of the code is now the true owner of the car. And while high-end, high-tech auto thefts like this are more common in Europe today, they will soon start happening in America. The sad thing is that manufacturers of keyless devices don't seem to care.
As the F-Secure blog put it -- you wouldn't dream of securing $100K of information with a 40-bit encryption system, right? And my first thought -- as in general with electronic locks -- is that as Matt Blaze has shown, analog keys are far worse. Look at your car key, or your house key -- how many real bits of information are encoded? But the electronic start and everything else... it feels too clean. The advantageous property of analog cracking is that in public, it requires the criminal to act in some way that is different from a legitimate user. The scenario presented was that I sit near the car or key holder for a couple of minutes -- no sign of entry -- and then to steal the car I just walk up to it, laptop in bag, like I had pressed the remote in my pocket, car starts and off we go. Also, traditional lock-picking also requires the criminal to possess a skill that requires practice. With these electronic systems, people will download the right script... Script-kiddie car thieves?
Matt Blaze's paper did not apply to automotive door locks, where master keys wouldn't have been made (would they?). And while it's true that not much information is encoded in a mechanical key, in something like a double-sided automotive lock it is prohibitively difficult to actually pick the lock. Especially considering a slim jim or a rock will have the same effect for much, much less effort. I find it hard to understand how Mercedes could make such a serious fuck up. Then again, I'll probably never have to personally worry about it as the owner of a Mercedes :)