If you have a Stellantis product, make sure to get the key lockdown flash done. If not, thieves can just program a new key to your car and drive off with it in under a minute (my car was stolen twice this way). Initially the flash was only available for Challengers and Chargers, which made Trackhawks and TRXs even more of a target.
https://media.stellantisnorthamerica.com/newsrelease.do?id=2...
Previous discussion: https://news.ycombinator.com/item?id=35452963
I’d say this rates as “midrange” in terms of car theft difficulty. Some cars (very new American and nearly all European cars) use some form of cryptography to authenticate that immobilizer messages came from a module which possesses an immobilizer secret, so simple message injection won’t work like this.
Others (older cars, famous US market Kias) have no immobilizer at all and not even this level of sophistication is necessary.
All Canadian cars have had immobilizers for decades and our car-theft-to-shipping-container-going-overseas rates are through the roof.
An initial problem has been amplification/relay attacks from wireless key systems.
Totally keyless entry is just the next iteration of attacks.
Yeah almost all Euro cars have had strong cryptography immobilizers since the mid to late 90s. It’s pretty shocking how secure those early systems are - to this day car enthusiasts cannot find any weaknesses or bypasses other than flashing the ECU firmware to remove the immobilizer code. A lot of people would rather not have that feature anymore on a 25 year old beater where replacement keys might cost as much as the whole car is worth.
> It’s pretty shocking how secure those early systems are
I generally don't think this is true; most early immobilizer systems were DST80 or Hitag2 based and are broken both cryptographically and practically.
The reason enthusiasts re-flash ECUs is that it's easy, permanent, and works across a whole model line of cars, compared to reverse engineering immobilizer cryptography which is difficult, transient and requires re-work for each individual car.
Even modern systems are generally broken in private; you can find "emergency start" and "all keys lost" products for most newer cars, even European ones using AES. However, they're usually much more complex to use than the fake JBL speaker in the parent article's attack - most revolve around extracting key material from a control module using a software exploit. Common approaches include leveraging a leftover development artifact of some kind which allows sensitive key material to be exfiltrated from RAM, or locating a state-confusion or memory safety exploit against a CAN message handler.
But, at the end of the day, most modern cars are attacked using simple bent-pipe range-extension/relay attacks, so there's less investment in cryptographic attacks or compromising the actual system anyway.
Do you have a good source where I could learn more about rolling codes & cryptography immobilizers? The wiki for it just brushes over it.
https://en.wikipedia.org/wiki/Immobiliser
Here's some basics about older systems:
https://www.researchgate.net/publication/346706377_Dismantli...
https://www.researchgate.net/publication/235916472_Gone_in_3...
https://blog.cryptographyengineering.com/2011/09/24/where-th...
Newer systems use AES, which is at least less cryptographically unsound than the LFSR-based systems like Hitag2.
Microchip present an interesting theoretical approach to AES-based immobilizer authentication here:
https://ww1.microchip.com/downloads/en/DeviceDoc/article_ope...
Note that these all focus on the key-authentication side. The inter-module communication ranges from completely insecure (like in the parent article - the key module says "OK, the key is auth'd!" and then just blasts an unauthenticated CAN message) to some variant of the key authentication strategy. For example, newer VW immobilizers use an AES-based nonce+MAC strategy similar to the theoretical Microchip one for both key communication _and_ module-to-module communication on the CAN bus.
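The two module-to-module designs described above, side by side, as an added sketch that is not code from the article or from any manufacturer's implementation: a legacy engine module that releases the immobilizer on a bare unlock frame, and a challenge-response module in the spirit of the nonce+MAC scheme, which rejects both a forged response and a replayed genuine one. The CAN IDs and the shared secret are made up, and HMAC-SHA256 truncated to 8 bytes stands in for AES-CMAC so the example runs with only the Python standard library.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed values: a shared module secret and three arbitrary CAN IDs.
MODULE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
ID_UNLOCK = 0x2A0      # legacy: "key is authenticated, release the immobilizer"
ID_CHALLENGE = 0x2A1   # engine module -> key module: 8-byte nonce
ID_RESPONSE = 0x2A2    # key module -> engine module: 8-byte MAC over the nonce


@dataclass(frozen=True)
class Frame:
    """A classic CAN frame: 11-bit identifier plus at most 8 data bytes."""
    can_id: int
    data: bytes

    def __post_init__(self):
        if not 0 <= self.can_id <= 0x7FF or len(self.data) > 8:
            raise ValueError("not a valid classic CAN frame")


def mac8(key: bytes, nonce: bytes) -> bytes:
    # HMAC-SHA256 stands in for AES-CMAC; truncated to 8 bytes to fit one frame.
    return hmac.new(key, b"immo-unlock" + nonce, hashlib.sha256).digest()[:8]


class LegacyEngineModule:
    """Trusts any unlock frame on the bus: the behaviour CAN injection abuses."""

    def __init__(self):
        self.released = False

    def handle(self, frame: Frame) -> bool:
        if frame.can_id == ID_UNLOCK and frame.data == b"\x01":
            self.released = True
        return self.released


class AuthEngineModule:
    """Releases only on a correct MAC over a fresh nonce it chose itself."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None
        self.released = False

    def challenge(self) -> Frame:
        self.pending = os.urandom(8)
        return Frame(ID_CHALLENGE, self.pending)

    def handle(self, frame: Frame) -> bool:
        if frame.can_id != ID_RESPONSE or self.pending is None:
            return self.released
        expected = mac8(self.key, self.pending)
        self.pending = None  # single use: a replayed response can never match again
        if hmac.compare_digest(expected, frame.data):
            self.released = True
        return self.released


class KeyModule:
    """The key/immobilizer module holding the same shared secret."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: Frame) -> Frame:
        return Frame(ID_RESPONSE, mac8(self.key, challenge.data))


def legacy_scenario() -> bool:
    """One injected frame, no secret needed, releases the legacy module."""
    return LegacyEngineModule().handle(Frame(ID_UNLOCK, b"\x01"))


def authenticated_scenario() -> dict:
    """Genuine handshake succeeds; a forged and a replayed response both fail."""
    key_fob = KeyModule(MODULE_KEY)

    genuine = AuthEngineModule(MODULE_KEY)
    captured = key_fob.respond(genuine.challenge())  # visible to anyone on the bus
    genuine_ok = genuine.handle(captured)

    forged = AuthEngineModule(MODULE_KEY)
    forged.challenge()
    forged_ok = forged.handle(Frame(ID_RESPONSE, b"\x01" * 8))  # no secret, guessed MAC

    replay = AuthEngineModule(MODULE_KEY)
    replay.challenge()  # new nonce, so the captured MAC is stale
    replay_ok = replay.handle(captured)

    return {"genuine": genuine_ok, "forged": forged_ok, "replayed": replay_ok}
```

Note that a real design also has to bind the response to the direction and purpose of the message, which the fixed "immo-unlock" label approximates, and to handle the nonce running out of freshness if the module reboots mid-handshake.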
If you can even get them. On some older cars with this technology, replacement keys are simply not available any longer. I agree it would be really nice to be able to (legally) disable the security for cars that are pretty much fully depreciated.
The low-tech solution is to remove the electronics from the key and glue them near the ignition switch, but it needs to be done before you lose the last working original key.
Often it also means shucking the chip from all remaining keys too so your fixed chip doesn’t interfere with the mobile chips.
I think you could also create a DoS attack in a parking lot by trashing the spectrum.
Yeah that works if the key uses simple RFID but not with other keys that must be physically inserted to activate (e.g. Mercedes-Benz keys from ~2000s era).
The positive thing about those keys is that you don’t have to worry about the mechanical part of the key wearing out.
That’s an issue for 20 year old mechanical key + immobilizer chipped keys. It’s not that you lost the key, it’s just finally in need of replacement. Of course, you could shuck the key from the old one and place it in the new one.
Protip everyone with any mechanical keys: take a picture of your keys!!!!!
And not just the key can wear out, so can the lock cylinder. I had a car where that was the problem. I removed the guts of the cylinder so that any key (or even a screwdriver) would turn it. Still needed the RFID nearby to actually start the car so it didn't seem like a big risk.
Lots of manufacturers are going to encrypted CAN to prevent these sorts of injection attacks. Of course it also makes life far more difficult for third party part suppliers. :/
(2023)
Some more discussion then: https://news.ycombinator.com/item?id=35452963
> lights are smart, and include things like motors to level the headlights (so when the car is loaded with heavy luggage, the lights are turned to compensate), steering headlights to illuminate the corners, to automatically detect if the lights have failed, to turn on pumps to spray water on the lights, and so on.
There is no way all that crap can be worth the reliability cost or even the weight...
Anecdotally, a manufacturer of car headlights told an acquaintance, a few years ago, that some cars would be written off solely if headlights were damaged due to increasing cost. I wouldn't be surprised if this was becoming true, today?
Another ass move is manufacturers forming their company logo into more plastic, so you can’t just replace with an aftermarket part for a repair in many insurance-repair situations.
https://www.eastgatefordpartscanada.ca/oem-parts/ford-signal...
Headlight-leveling mechanisms have been around forever, and anyone who has been blinded by an oncoming, loaded pickup truck knows why. Headlights that either mechanically or electronically (as found in some motorcycles) point into a turn are a potentially massive safety increase.
A headlight-leveling servo can last the lifetime of the vehicle. Not everything is a Chrysler.
> A headlight-leveling servo can last the lifetime of the vehicle. Not everything is a Chrysler.
Everything can last the life of the vehicle. If you have 10,000 parts, each of which can last the life of the vehicle, there is epsilon chance that all of them will last the life of the vehicle.
If at any point in time t all the parts of the car have lasted so far, that point t is not yet the end of the life of the vehicle. The end of life occurs when a certain subset of the parts have failed, such that it's not economic to replace or repair those parts (except for a retro fanatic who does that because they love that car, which may even be valuable as a collector's item).
It's worth mentioning that a gasoline car made with perpetual, indestructible parts will be end-of-lifed when the infrastructure disappears: it cannot be gassed up anywhere. We can regard gasoline as a part that's always requiring periodic replacement. If that's not available, the car is toast.
I am routinely blinded by the LED headlights on modern cars. They are too white, too bright, and too small (forming a pinpoint bright light which creates terrible glare). They also don't seem to be aimed at the road but straight ahead. You can tell at a glance which cars are older and still have halogen bulb headlights because they are a bit yellow in color and don't create nearly as much glare. I don't know how these newer headlight systems were permitted. They are probably great for the driver but not for any oncoming traffic.
John Oliver claimed that they ran out of time one season but were going to do an episode on those headlights. I'm still sad they didn't get to it, or at least just dump their source material, because I also think it's become terrible.
They also don't seem to be aimed at the road but straight ahead.
In my opinion, DOT standards allow too much light above the cutoff. It's great for illuminating overhead signs, but with modern HID and LED systems it's just too much.
There is still the problem of vehicles approaching each other while cresting a small hill. You'll always be under each other's beam cutoff.
Your best hope is adaptive headlights that simply don't illuminate areas where oncoming road users are. Jump up 1:14 in this video:
https://m.youtube.com/watch?v=CBUYm5AghVI
It's not worth it. It's also why cars are absurdly expensive these days, not due to part cost, but due to testing and reliability costs.
And of course, everything is a new hack entry.
It's CAN Injection. Controller Area Network.
https://en.wikipedia.org/wiki/CAN_bus
> ECUs are connected together [...] doesn’t hear from another ECU it needs to talk to [...] there is an ECU that controls the lights
This is very unusual terminology. Most vehicles have exactly 1 ECU (occasionally 2, and addresses are allocated for ~4 depending on the gateway) which controls exclusively the engine parameters. The BCM, the HVAC, the ABS, the MIB, etc. are all other modules (nodes on the network) which go by names other than ECU. For example, TCU for the transmission.
Any module can throw a DTC, but only a DTC from the ECU will illuminate the MIL (check engine light).
They just believe that ECU = Electronic Control Unit rather than ECU = Engine Control Unit. Both are accepted terminology in different parts of the industry, although I'd have just used the word "module" instead.
I'd never heard of the former, but it seems that's the case! Thanks.
It's not wildly obscure. For instance Wikipedia currently uses it:
https://en.wikipedia.org/wiki/Electronic_control_unit
Note that I'm not arguing Wikipedia using it means it is "correct" or whatever, just that it demonstrates it being at least somewhat commonplace.
Interesting, though Wikipedia also uses it the way I do:
https://en.wikipedia.org/wiki/Engine_control_unit
I admittedly haven't finished reading the whole write up - I am surprised that neither you nor Ian suspected that the "vandals" were on to something a bit more worth the risk, being in Security and tech in general. Just saying - I'm not in either field but once I see those wires, I'm already thinking.. then a second time and I'm hiding my vehicle, somehow, ASAP.
Good read so far, thank you.
It occurs to me that the power locks in my car are broken, and only the driver's one works properly. So, I'm three quarters of the way to an attack mitigation!
My 1995 Miata doesn't even care/know whether the seatbelts are fastened or not, ha ha.
I am surprised that neither you nor Ian suspected that the "vandals" were on to something a bit more
Hindsight is 20/20. Have you ever run across meth heads? They do completely random nonsense and they'll do it time and again. A local meth head's activities are indistinguishable from those of a thief using techniques you've never heard of.
> ...and because noise from an (airport) radar sweep is never going to look like a proper CAN frame, there is no spurious wake-up.
Next up on HN: "Expensive cars being stolen with cheap microwave ovens"
I recently saw a YouTube video[1] of a company trying to get analog circuits to market because they claimed that a great deal of modern electronics are using basically "polling" logic to test analog inputs for activation thresholds. They claimed that by pushing the logic further upstream along the analog path they could significantly reduce the power draw of those systems by removing the busy-wait loops.
1: https://www.youtube.com/watch?v=6AgkTdQXFTY (Analog computing will take over 30 billion devices by 2040. Wtf does that mean? | Hard Reset)
(2023)
Also it really needs capitalization of the first word. CAN is an acronym. Otherwise the title is quite funny.
Back when cars had hardly any anti-theft mechanism, we'd put hidden toggle switch(es) that'd cut off the fuel pump and other stuff. In the 90s we'd get fancier and use (in addition to hidden toggle switch(es)) stuff like custom made transponder thingies: we'd have a female port installed on the dashboard and the corresponding male "jack" on our keychain. These took a few hours to install and would shut some wires at different points.
They were "dumb" in a way (it was obvious looking at the dashboard that a car had such a system installed) but not easy to remove: you had to follow the wiring for a long time to find where the various cut-off points were installed.
Funnily enough after 30 years or so many of these transponders (?) start failing and it's a very common cause of youngtimer cars being stuck on the side of the road. While a dumb hidden toggle switch shall pretty much work forever (but is easier to neutralize as you only need to find the switch).
A toggle switch is literally less than $5 and trivially installed.
For added fun you can also add stuff directly on the fuses: they're easier to find but there are more advanced kits (for example you plug it on an important fuse and then you've got a remote on your keychain to "unlock" the mechanism).
I mean: yup, you can look into cryptography and install this and that software countermeasure.
Or, you know, you can install (or have installed) a $5 toggle switch.
P.S: this made me think... I'll probably install a fake toggle switch, obvious to be found, linked to the highest non legal alarm I can find on alibaba. So if anyone tries to steal the car, he'll toggle the switch and trigger the alarm. That's dumb as heck and yet may work just fine.
I'm thinking of my old Landcruiser, which was secured by some fiddly choke-and-throttle work. And my VW van with its "security through obscurity" linkage.
The act of using them includes a signal to the rest of the world that they're in use (sorry, neighbors) and there's an unavoidable delay between signaling that intention and actually being able to use the equipment. Once in motion they require intimate knowledge of the machinery to remain in that state.
I'm wondering about "security through removing automation" at this point. E.g. what services am I relying on that could be reduced to manual commands when I need them?
Were these aftermarket products? It sounds like they only worked because they were bespoke. If Toyota started putting these switches on all cars it would simply become common knowledge among thieves right?
Yes, and they weren't all a bed of roses. Aftermarket car alarms, disablers, remote start systems, etc. were pretty notorious for causing minor to fairly serious issues of their own. Also maybe because a lot of the installers were not very good at their jobs.
I am reminded of the war rig's kill switch in Mad Max: Fury Road.
There's also the question of how the incentives are aligned. At a time when the chief competition for new cars is older cars that are still perfectly functional, I'm sure manufacturers love the idea of being "forced" to include a deliberate single point of failure. One that will probably survive the warranty period, but that will instantly render the car beyond economical repair, by design, when it does fail.
"Please don't throw us into that briar patch," you can hear them begging the regulators.
Not really: old cars having value means someone who wants a new car can trade in their old one. If cars only lasted three years, the rich would be buying $30000 cars and many would be skipping the heater and electric start to lower prices.