Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Wireless Networking

New Bluetooth Hack Can Unlock All Kinds of Devices (arstechnica.com) 123

An anonymous reader quotes a report from Ars Technica: When you use your phone to unlock a Tesla, the device and the car use Bluetooth signals to measure their proximity to each other. Move close to the car with the phone in hand, and the door automatically unlocks. Move away, and it locks. This proximity authentication works on the assumption that the key stored on the phone can only be transmitted when the locked device is within Bluetooth range. Now, a researcher has devised a hack that allows him to unlock millions of Teslas -- and countless other devices -- even when the authenticating phone or key fob is hundreds of yards or miles away. The hack, which exploits weaknesses in the Bluetooth Low Energy standard adhered to by thousands of device makers, can be used to unlock doors, open and operate vehicles, and gain unauthorized access to a host of laptops and other security-sensitive devices.
[...]
[The] attack uses custom software and about $100 worth of equipment. [Sultan Qasim Khan, a principal security consultant and researcher at security firm NCC Group] has confirmed it works against the Tesla Model 3 and Model Y and Kevo smart locks marketed under the Kwikset and Weiser brand names. But he says virtually any BLE device that authenticates solely on proximity -- as opposed to also requiring user interaction, geolocation querying, or something else -- is vulnerable. "The problem is that BLE-based proximity authentication is used in places where it was never safe to do so," he explained. "BLE is a standard for devices to share data; it was never meant to be a standard for proximity authentication. However, various companies have adopted it to implement proximity authentication."

Because the threat isn't caused by a traditional bug or error in either the Bluetooth specification or an implementation of the standard, there's no CVE designation used to track vulnerabilities. Khan added: "In general, any product relying on BLE proximity authentication is vulnerable if it does not require user interaction on the phone or key fob to approve the unlock and does not implement secure ranging with time-of-flight measurement or comparison of the phone/key fob's GPS or cellular location relative to the location of the device being unlocked. GPS or cellular location comparison may also be insufficient to prevent short distance relay attacks (such as breaking into a home's front door or stealing a car from the driveway, when the owner's phone or key fob is inside the house)."
There's a few countermeasures one can take to mitigate this attack. "One mechanism is to check the location of the authenticating device to ensure that it is, in fact, physically close to the locked car or other device," reports Ars.

"Another countermeasure is to require the user to provide some form of input to the authenticating device before it's trusted." The phone's accelerometer could also be used to measure its movements.

The advisories published by NCC Group can be found here, here, and here.
This discussion has been archived. No new comments can be posted.

New Bluetooth Hack Can Unlock All Kinds of Devices

Comments Filter:
  • sorry (Score:5, Funny)

    by OrangeTide ( 124937 ) on Wednesday May 18, 2022 @10:33PM (#62547974) Homepage Journal

    As an engineer I'd just like to apologize to the world for letting everyone assume that we know what we're doing.

    • by Luckyo ( 1726890 )

      These kinds of "bluetooth as a key" attacks having been a thing for a long time. This is just another one on top of many others.

      One of the more common ones used for stealing cars for example is a BT repeater. You get one, and just walk across the neighborhood intercepting the BT signals. Find a house with a car that is known to have BT lock that opens a car and disables the immobilizer, get close to the house to find the key fob signal, amplify it to reach the vehicle and drive off to the nearest chop shop

      • by Kisai ( 213879 )

        Honestly, a lot of these kinds of weaknesses could simply fixed by requiring geofencing.

        Like if the phone isn't travelling with car, but was "unlocked and started" by the phone, then the car would cut the engine after it gets more than 100m from the phone.

        A keyfob however a bit harder to deal with, and ultimately cars should not use the low-tech ones. Either setup a proper WiFi+BT pairing mechanism with a phone or start issuing "smartphone" style keyfobs that are closer to an ipod nano.

        • Re:sorry (Score:5, Insightful)

          by Luckyo ( 1726890 ) on Thursday May 19, 2022 @12:33AM (#62548168)

          Problem there is that immobilizer randomly turning the car off in the middle of the drive because phone ran out of battery, or GPS lost accuracy or phone and car desynced... Is not just extremely dangerous. It's illegal in many nations because of just how dangerous disrupting driving in this manner is.

          This is why immobilizers are usually shut off upon engine start until vehicle is turned off.

          Adding complexity to key fobs is frowned upon for similar reasons. More complex fobs = more points of failure. And every time someone is stuck in their car being unable to start it because their fob crashed is a lot of juicy headlines and utterly horrific PR for the manufacturer.

          • by DarkOx ( 621550 )

            Not to mention cost!

            Things happen to keys. They get dropped over the side the dock, they get misplaced, they get stolen part and parcel with the handbag that carried them. It can already run a $100 plus to replace a lost key fob. (a lot of that is just predatory pricing) but nobody consumer or manufacture really want to add to that; at least when the add is production cost not additional margin for the automaker..

            Phones are if anything at HIGHER risk for all the bad things that happen to keys. I would no

            • Lol, for my car, the proximity entry and start fob costs $360+ from dealerships and $280 online.

              It needs to come from the manufacturer and can't be changed from one car to another (they're locked to the VIN).

              They're already super expensive with exploitive prices.

          • A big point of failure in trying to drive your car somewhere is getting it stolen.

        • Re:sorry (Score:4, Insightful)

          by sjames ( 1099 ) on Thursday May 19, 2022 @01:20AM (#62548218) Homepage Journal

          Guy is late for work, he rushes to his car. Shuffles lunch, coffee, briefcase, suit jacket etc. Leaves his phone on the roof of the car. It slides off at some point of his trip to work and the immobilizer shuts the car down across the railroad tracks. OOPS.

          For that reason, cars do not shut down when you don't take the fob, your phone, or whatever access token you may have with you.

          • First, if the phone was left on the roof the driver should want the warning before they drive far away. Second the car can provide loud warnings and steering wheel vibrations before it stops, so that the train tracks situation never arises.

            • Exactly. It can gradually reduce maximum speed, too. Teslas already do this for some kinds of defects, you get warnings on the screen and the car gradually slows down, giving you plenty of time to find a safe spot to pull over.

            • by sjames ( 1099 )

              For any scenario you can invent, reality can invent another where doing nothing would be the least harmful option.

              Yes, warnings are good in case you are the legitimate owner and didn't mean to leave the fob behind, but notably, no car in production today does more than warn.

              Ultimately, even with strict geofencing, the bad guys maintain the relay attack long enough to drive the car onto a flatbed.

              • Yes it is possible to do highly targeted attacks, but that is possible without bluetooth too. Last I checked purely mechanical cars aren't invulnerable and are susceptible to various traps as well.

                • by djinn6 ( 1868030 )

                  The solution is a mechanical connection that can't be relayed, passing along challenges that can only be answered by a device with the cryptographic key.

                  I'm sure there's still ways around that, but you don't need an entry system that's impossible to hack. It just need to be harder for the thief than towing it away with a tow truck.

                • by sjames ( 1099 )

                  OR, they could just require pressing a button on the keyfob. Bad guys can easily relay your keyfob from your nightstand next to the window to your car in the driveway. It's much harder to get you to wake up and kindly push the button for them.

                  Even a simple timeout system where you have to have pressed a button on the fob in the last 5 minutes in order to unlock or start the car would be a big improvement.

                  • That would defeat the idea of not having to touch your smartwatch or fumble for a keyfob to have your car automatically unlock for you as you approach the door. I suppose tapping a smartwatch is not a big deal, but then not everyone likes to wear stuff on their wrist.

                    • by sjames ( 1099 )

                      And? Some things aren't done simply because it's a bad idea. For example, you could save a lot of inconvenience by disabling all locks and have push to start on the honor system. But that's a bad idea.

          • by sosume ( 680416 )

            Why not? Now you won't be able to lock the car at your destination or start it again. You can't drive back to search for your phone. Much better to stop immediately. My car actually requires the key to be present in the car when driving.

            • by sjames ( 1099 )

              Better to be unable to start the car or lock the doors in a parking lot at work rather than in the middle of the road.

          • It slides off at some point of his trip to work and the immobilizer shuts the car down across the railroad tracks. OOPS.

            15 seconds later, an out of control bus full of disabled child nun orphans with the bus driver slumped against the wheel slams into the immobilized car. Stopping the bus just short of the tracks and saving all the children from a highly cliché death.

            • by sjames ( 1099 )

              Car company still embroiled in a class action suit because their deliberate engineering decision resulted in the destruction of an expensive car and injuries to the driver.

    • Re:sorry (Score:5, Insightful)

      by anonymouscoward52236 ( 6163996 ) on Wednesday May 18, 2022 @11:20PM (#62548040)

      Why the hell would anyone write software that authenticates against a token that you're always spitting out everywhere? Who thought that was secure enough to use for a car or house lock? LOL....

      • by AmiMoJo ( 196126 )

        It would be fine if they just used accelerometers to determine if the phone is actually on the person's body.

        This kind of attack has been around for years. Thieves come along in the night, and the car is parked outside the owner's house. Thieves use a relay attack to unlock and start the car using the keyfob inside the house. If the keyfob bothered to check if it was in motion, i.e. on a person rather than just sitting on a table or hung up on a peg somewhere, that attack wouldn't work.

        Considering it's a ph

        • by sosume ( 680416 )

          How does the car determine that your phone has an actual accelerometer and not an emulator? How does it know it's an actual phone?

          • by AmiMoJo ( 196126 )

            Encrypted packets to prevent tampering with the packet. Shared secret between car and app.

          • It doesn't need to.

            Car's responsibility:
            Check proximity (spoofable) and wait for operate signal (allowing unlocking and driving)

            Phone/fob's responsibility:
            Check for proximity and motion
            Send operate signal if both are present.

        • That doesn't work. The actual phone still is on the person's body. Your relay stations aren't moving, but there's no way to know that.

          • by AmiMoJo ( 196126 )

            If the phone is on the person but still in range of a relay attack, they can probably see the car and the people trying to steal it.

            • by jabuzz ( 182671 )

              Bzzt fail. You are assuming the relay station is amplifying the signals and transmitting them again. The relay station could be two part and use the internet to relay the packets between the phone and the device to unlock. You get out the car someone follows you ate a distance and when you are sufficiently distant from the car it unlocks and your accomplice back at the car does whatever they are going to do.

              • by AmiMoJo ( 196126 )

                It's theoretically possible to use the internet to pass packets, but there are two major flaws that make it impractical.

                Firstly you have to know who the owner of the car is and where they are, and have a partner who can go there to help you perform the relay attack. Compared to just driving down a road looking for cars to steal, and using your laptop outside the victim's home in the dead of night.

                Secondly, these systems measure the latency and if it's too high they reject the packets. You will probably be r

                • and have a partner who can go there to help you perform the relay attack. Compared to just driving down a road looking for cars to steal, and using your laptop outside the victim's home in the dead of night.

                  I'm pretty sure you need a partner for the second one too, unless you are leaving your car at the victim's house.

            • Seems unlikely I'd notice someone steeling my car half a block down the street when I'm at home goofing off on my phone.

            • by Ost99 ( 101831 )

              I don't know what kind of distance your house is from the road and how many hours a day you spend staring at your driveway, but if someone walked of the sidewalk and got into my car and drove away I would not notice unless I was looking out the windows at the exact moment they drove away.

              In the small neighborhood where I live most cars are parked in a driveway a few meters from the road. Someone could probably drive away with 10 Teslas before anyone noticed anything, especially if done during the night. It'

      • by tlhIngan ( 30335 )

        Why the hell would anyone write software that authenticates against a token that you're always spitting out everywhere? Who thought that was secure enough to use for a car or house lock? LOL....

        Car locks are really weak. Practically all cars use what is in the end, a wafer lock, considered to be the lowest level of lock security there is. It's the kind of lock you find protecting such things as your desk drawer.

        It's also used by many people who assume it's cheap construction isn't a problem in more problema

        • by tlhIngan ( 30335 )

          If you want to see the attack in action, here's a video done by CBC Marketplace where they show the tools. I've taken the liberty of setting the timestamp to where it happens.

          Old school way of getting in, but using a professional programmer
          https://youtu.be/ARrlhlQiFzM?t... [youtu.be]

          A more recent "short" on getting in
          https://www.youtube.com/watch?... [youtube.com]

          A use of the relay attack which is getting a lot of attention, but the old school method still works better (lock picking, OBDII reprogramming, and driving away a brand ne

        • My last car had protection against this requiring 2 keys to program a third quickly, or a 2 hour time delay to program a key.

          My current car protects against this as it only works with OEM fobs that are ordered using your VIN provided when ordered (you'd need a disreputable dealer to get one of you didn't own the car and you still need an existing fob to get the car to recognize it).

    • We Know What We're Doing. Unfortunately.
      10 years ago, I was working at an automotive supplier, developing immobilizer and passive acess systems.
      My company knew exactly that every system out there is vunerable to relay attacks.
      Most OEMs were aware of it also, and did nothing, tried to justkeep the mouths shut, to avoid the problem getting in the wrong hands...
      That strategy only works for a time.

      Unfortunately, this relay attack is a physical limitation of the system architecture, and there was no alternative

    • A Canadian engineer, obviously.

  • Obvious question (Score:4, Insightful)

    by Valgrus Thunderaxe ( 8769977 ) on Wednesday May 18, 2022 @10:35PM (#62547980)
    Why go through all this high-tech nonsense when you can just break the window?
    • Is it really high tech to put some repeaters between the two devices? This is why keyless entry keyfobs go silent after sitting still for a few minutes (well, that and saving the battery a bit).
      • by Valgrus Thunderaxe ( 8769977 ) on Wednesday May 18, 2022 @10:44PM (#62548000)
        Is it really high tech to put some repeaters between the two devices?

        Compared to just breaking a window, yes.
        • Enjoy the car alarm and flashing headlights. Also enjoy the Tesla cameras recording your larceny in action.
          • This isn't about stealing the car, it's about "opening the door".

            I assume you haven't parked on the street in San Francisco or Philadelphia. Nobody cares about alarms or headlights. This happens 100's of times a day and nobody does anything about it or pays a lick of attention.
            • by cstacy ( 534252 )

              This isn't about stealing the car, it's about "opening the door".

              I assume you haven't parked on the street in San Francisco or Philadelphia. Nobody cares about alarms or headlights. This happens 100's of times a day and nobody does anything about it or pays a lick of attention.

              They might care more if they realized they were being videoed by the car. And it has called the cops.

              On the gripping hand, you're wearing a mask...

              • They're already being "caught" on a dozen cameras where the car is parked and they don't care and it's not a deterrent.
                • by dgatwood ( 11270 )

                  They're already being "caught" on a dozen cameras where the car is parked and they don't care and it's not a deterrent.

                  The only thing that would be a real deterrent would be if the car automatically enabled self-driving mode and followed them, transmitting GPS data to the police as it did so. Now that is a feature I'd pay for. Car broken into? Your car will hunt the thieves mercilessly. Call it bloodhound mode.

            • This isn't about stealing the car, it's about "opening the door".

              Which in 90% of the cases involving modern luxury cars is about stealing the car. Also just because you live in a shithole doesn't mean your example applies in the developed world.

              I can count on one finger the number of times I've heard a car alarm this year, but I don't have enough fingers to count the number of people who went out to investigate it, even if I discount myself.

          • If I can authenticate with the Tesla just using your BLE identifier, maybe I can get into the car and delete the cloud footage with that as well? Were they stupid with that too?

            • No need. Just take the USB drive that the recordings are on.

              There are some devices which present as a USB drive and upload the video, but few people have these and mostly the system works because thieves are too stupid or too lazy to remove the drive.

              • by micheas ( 231635 )

                No need. Just take the USB drive that the recordings are on.

                There are some devices which present as a USB drive and upload the video, but few people have these and mostly the system works because thieves are too stupid or too lazy to remove the drive.

                And the drive is in the glove compartment which requires the car to be unlocked to open the glove box. At least in later Teslas.

                But, can't the app on the phone and the car do a mutual TLS handshake over the Bluetooth connection using preshared keys? Furthermore, current iPhones and Android phones have a FIDO chip in them that could be used for super-strong authentication (think Yubikey or Titan key) This should be fixable for Tesla with a phone app and software update, at the expense of it taking a second

                • And the drive is in the glove compartment which requires the car to be unlocked to open the glove box. At least in later Teslas.

                  That's very true. But I doubt that it would be hard to force open the glove compartment.

                • Or if you're super worried about someone using this exploit to steal your Tesla, turn on "PIN-to-drive"

                  Hey look, MFA works again.

              • Recent Teslas have a USB connection in the locked glove compartment.

    • Breaking windows is not a discreet way to steal a vehicle. Getting ordinary access raises no eyebrows and triggers no alarms. Once inside other measures may be used to either start the vehicle or release the parking brake for swift loading on tow truck or rollback.

      $100,000 vehicles are quite common today and worth the effort to steal especially when they can be sold intact overseas.

      • Re:Obvious answer (Score:5, Informative)

        by whoever57 ( 658626 ) on Thursday May 19, 2022 @12:38AM (#62548182) Journal

        $100,000 vehicles are quite common today and worth the effort to steal especially when they can be sold intact overseas.

        Teslas are not a common target for thieves: I think that getting a Tesla to run completely independent of the Tesla network, and hence out of reach of a remote shutdown and tracking would be very difficult.

        • by sosume ( 680416 )

          The car is worth more as parts

        • by AmiMoJo ( 196126 )

          It's easy to get a Tesla to run outside of the network, people do it all the time for salvaged ones. Tesla requires you to pay them to inspect the car before they will allow it onto their network again, and many people don't want the expense when they can just drive the car as-is with the current software and no supercharger access.

          Tesla doesn't have a complete remove kill-switch because it would be both illegal and a major safety risk if it was ever accidentally triggered.

          • It's easy to get a Tesla to run outside of the network, people do it all the time for salvaged ones.

            They have the keys for those salvaged Teslas. Perhaps it is possible to hack the firmware to add a key, I don't know, but it's another level of difficulty.

            Since the car will have no connectivity, the giant screen that would normally show a map is going to be an annoyance.

            Simply put, even if thieves can get a stolen Tesla back on the road, its value will be much less without the connectivity, making it a less

      • Wait, you mean when a car alarm goes off, people pay attention to it where you live? Where I live, when a car alarm goes off, people just get annoyed. In fact, the same thing happens when the fire alarm in a store goes off. "ANNOYING! Some kind of test!" (Instead of "oh crap, run for your lives!")

    • by cstacy ( 534252 )

      Why go through all this high-tech nonsense when you can just break the window?

      Because you can't start the car without the electronic key present? Hot-wiring the ignition won't do anything: the car's computer will not be impressed. You need the code, baby!

      However, as we all know, You Can't Stop The Signal. Hence the relay / amplification attack.

    • by AmiMoJo ( 196126 )

      Because breaking the window doesn't allow you to start the car and drive it away.

      What would you rather do, break the window which attracts attention and only allows you to take whatever the owner left inside the car, or calmly and non-suspiciously open the car, start it and steal the whole thing worth tens of thousands of Euros/Dollars?

    • by stooo ( 2202012 )

      Breaking the window opens the car with an alarm bell, but cannot drive away.

    • Why go through all this high-tech nonsense when you can just break the window?

      Because it's not the 70s and breaking a window will set off a car alarm, unlocking it in a high tech way allows you to discretely steal it.

  • by oblom ( 105 ) on Wednesday May 18, 2022 @10:37PM (#62547986) Homepage

    Can they finally get my phone to pair with my car without me wasting 10 minutes on a side of a highway?

    • If you really need to listen to those Limp Bizkit albums that badly, just plug your phone into your car's USB port - the way God intended.

    • Then you'd have two problems and I don't just mean your taste in music. Thanks, I'll be here all week. Tip your wait staff
      • I thought I was seemingly the only person that has this problem with unreliable BT pairing with the car's head unit.

        It seems to work for everyone else but me. I would estimate it works properly 80% of time, whereas it seemingly works for everyone else 100% of the time -- "I have no problems, ever. You must be doing something wrong, etc".
        • by cstacy ( 534252 ) on Thursday May 19, 2022 @12:13AM (#62548134)

          I thought I was seemingly the only person that has this problem with unreliable BT pairing with the car's head unit.

          It seems to work for everyone else but me. I would estimate it works properly 80% of time, whereas it seemingly works for everyone else 100% of the time -- "I have no problems, ever. You must be doing something wrong, etc".

          You're holding it wrong, of course.

        • by dgatwood ( 11270 )

          I thought I was seemingly the only person that has this problem with unreliable BT pairing with the car's head unit.

          Nope. Not just you. Basically, the car starts looking for paired BT devices to connect to for a very short period of time after it powers up, and if it doesn't find your phone in that narrow window, it never will unless you manually tell it to connect. Add to that the fact that the iOS Bluetooth stack requires periodic reboots because it gets so broken that it won't connect to anything, plus the fact that Tesla's Bluetooth stack *also* occasionally gets wedged to the point where it won't connect to anyth

          • Android phones+model 3 here.

            It work fine when I'm getting in the car.
            It doesn't work fine when my wife and I get in the car. It's a BT connection lottery. Then the mirrors and seats adjust to the settings of whoever's phone connects first, regardless of who it driving.

            When you have a phone call going through the car, you park and leave the car, the car will hold onto that call for dear life, so you have to turn off the bluetooth on your phone to be able to take the phone call back into the house with you.

            No

            • Is there any car that does what I think would be the sensible thing - pop up on the car display:

              I see more than one phone nearby:
              * John Doe's phone
              * Jane Doe's phone ...
              Who is driving?

        • I thought I was seemingly the only person that has this problem with unreliable BT pairing with the car's head unit.

          It seems to work for everyone else but me. I would estimate it works properly 80% of time, whereas it seemingly works for everyone else 100% of the time -- "I have no problems, ever. You must be doing something wrong, etc".

          Unfortunately this will probably not get enough points for you to see my response, but on the very small chance you might actually see it, I don't understand why you don't just blame the head unit for this and replace it. The standard head unit in many cars is crap. GM makes some of the very worst or at least a few years ago they did. My GM car is 7 years old and its head unit was crap. GM wanted to get people to pay for OnStar, which runs through their standard head units, so they crippled the int

          • I see your post because I'm logged in, and duly noted.

            While it's possible to replace the head unit (I've investigated this possibility), it's a big complex hassle and not like replacing a radio in the '90s. If I decide to keep this vehicle for a few more years I might do this, but not now.
    • Further evidence to the rule that convenience will trump security every time. Manufacturers need to dedicate more resources to making their products BOTH convenient AND secure. How about triggering statutory recalls (no courts necessary) if serious security vulnerabilities are exposed?
  • That work issued RFID security card that you like to leave on the dashboard of your car can be replicated right through the windshield while you're inside the restaurant for team lunch, and your "rolling code" garage door is easily cracked from 100yds away by software defined radio on a laptop and a pringles can antenna. Your name and email address is on hundreds of ID theft data dumps posted to "dark web" message boards every year, right along with your actual social security number (hey, thanks Equifax!).

    • Yea, I'm going to use the wired ethernet unlock feature only from now on!

      • Yea, I'm going to use the wired ethernet unlock feature only from now on!

        That's what I do, while I wait for the IEEE to come up with a wireless protocol for ethernet.

  • Always known (Score:5, Informative)

    by FeelGood314 ( 2516288 ) on Wednesday May 18, 2022 @11:31PM (#62548058)
    The feasibility of just adding a stronger repeater has always been know. The same attack works on all your proximity cards and even the credit card in your wallet. A point of sale device can only read your credit card from 3cm but with something that won't cook the user it can be done at 10-15m. Also a round trip challenge message isn't feasible. The speed of light is just to fast compared to the symbol rate. Assuming predictable jitter in the software and a well known back off between receiving the challenge and sending the response and ignoring the hardware interrupt time you still can't measure the round trip better than the length of a single BLE symbol. 1 million symbols per second means at best you can measure down to 300m.
  • Relay attack (Score:4, Insightful)

    by bradley13 ( 1118935 ) on Thursday May 19, 2022 @01:54AM (#62548232) Homepage

    Relay attacks are not "new". The only thing special about this one is that they have two parties communicating over a large distance.

    This is really just another case of incompetent or under-supervised engineers not thinking about security. Relay and replay attacks are old hat - the *first* question any EE should ask themselves, when designing an access system, is how to avoid these very well known vulnerabilities.

    For software types, this is the same level of idiocy as creating a fancy new website that is vulnerable to SQL injection. Anyone who does that is either incompetent, or a graduate of some code-camp that never taught the basics.

    • Anyone who does that is either incompetent, or a graduate of some code-camp that never taught the basics.

      Isn't "actively evil" also a possibility?

    • This is really just another case of incompetent or under-supervised engineers not thinking about security. Relay and replay attacks are old hat - the *first* question any EE should ask themselves, when designing an access system, is how to avoid these very well known vulnerabilities.

      Security isn't a binary concept. The question you should be asking is how much engineering effort and complexity do you bake into a solution vs the risk of someone breaching your non-existent security.

      In other news my front room has a giant window. Absolutely not secure. A brick very quickly makes a hole easily large enough to steal my entire king size bed if someone wanted to. But is it preferential to replace that window with a 1" steel plate? Probably not. If a zombie apocalypse started my answer may be

      • Sure, the windows of your house could be smashed. However, two unlike your windows, this system is precisely and *only* an access control system. It has no other purpose. Hence, there really is no excuse for making basic security errors.

        • It has no other purpose.

          False. It has secondary purposes like (identical to my windows) to be easy to use. It has a tertiary purpose to be limited in cost and use existing technology already present in the car and key.

          There's no such thing as "only an access control system". Well there is but it's rarely useful beyond some insanely basic and limiting function.

    • Re:Relay attack (Score:5, Informative)

      by Orgasmatron ( 8103 ) on Thursday May 19, 2022 @06:48AM (#62548590)

      The most famous case of a relay attack involved defeating a radar with IFF back in the late 1970s or early 1980s.

      Think of a military radar as a giant radio station, constantly transmitting in the high hundreds of megahertz range. Instead of using a free running sine wave, the signal is modulated - the radar set is beaming a stream of bits out into space. Friendly aircraft recognize the bit stream and calculate a response, which they transmit back. When the radar station sees the reflection of the bits it sent out, it knows something is out there. If it also sees the response signal, it knows that thing is friendly.and the people running that radar don't send missiles or other jets to shoot it down.

      The attack involved two Israeli jets which waited for an enemy aircraft (friendly to the radar station that needed to be defeated) to start a flight that was likely to keep it in the sky and outside the view of the radar for long enough to complete the mission.

      Israeli jet A shadows the enemy aircraft. Jet B flies towards the target. Jet B re-transmits the radar bitstream to Jet A, which fires it at the enemy aircraft. The enemy aircraft's IFF module recognizes the bitstream as friendly, so it calculates the correct response and sends it back out. Jet A picks up the response code, transmits it back to Jet B, which then fools the radar station on the ground.

      Next thing you know, something on the ground blows up, without an enemy aircraft in the sky. In an era before extensive data logging, the radar station might not provide much data at all about friendly aircraft that it sees. So maybe the trick is used sparingly for the next decade or two, until radar systems in the 1990s start using phased transmitters to send a unique bit stream to each individual target.

      Once all of the old radar systems are retired, you can finally declassify your trick, and 10 or 15 years after declassification, you can shake your head when you read about someone using the now 40 year old track, essentially unmodified, to steal cars.

  • by TheMiddleRoad ( 1153113 ) on Thursday May 19, 2022 @01:57AM (#62548236)

    Now that this hack is out, and until it's dealt with, I'll just turn the keycode security on. Then they can't drive off.

    • Now that this hack is out, and until it's dealt with, I'll just turn the keycode security on. Then they can't drive off.

      But they could get in the car and steal my breve latte.

  • I architected a form of wireless unlocking technology using BLE. This technology required the user to press a button as part of the authorization process. This certainly wasn't the only security feature in the technology meant to prevent this attack and other attacks, but the specifics are unimportant to the crux of this attack. Anyway, this is how the technology was tested and initially built. The button was designed specifically to prevent this relay attack. Unfortunately, the client decided to remove th

  • So the older version of the August Lock I have does use bluetooth, but you have to actively press the bottom on your phone or watch. It does offer a proximity locking and unlocking. However it is done not with low energy bluetooth but instead by using the GPS in your phone and/or watch. You have to manually create a geo fence using the app. If you enter the geo fence and have your bluetooth turned on it will unlock and if you exit it it will lock. You can also set it to auto lock after a set period time. Th
  • This is why OpenBSD removed Bluetooth support in 2014.
    It has been known to be insecure for quite a while.
    Suck it up buttercup.

There's no sense in being precise when you don't even know what you're talking about. -- John von Neumann

Working...