New form of keyless car theft
April 9, 2023 2:15 PM Subscribe
Security parts need to be paired. Not doing so is negligent.
posted by Your Childhood Pet Rock at 2:50 PM on April 9, 2023 [4 favorites]
posted by Your Childhood Pet Rock at 2:50 PM on April 9, 2023 [4 favorites]
I don't know if this is really any worse than what we had in the past. In older cars, you'd break the window to get into the car, then pull the wires out of the ignition to start the car.
Now that last step is actually more complicated because you have to pull the CAN bus wires out and hook up a CAN bus device to start the car.
Maybe we should go back to needing a key that locks the steering wheel. Come to think of it, those locks could just be punched out.
There are always ways to increase security at the cost of convenience. Maybe have a CAN bus with beefed up security.
posted by eye of newt at 2:56 PM on April 9, 2023 [1 favorite]
Now that last step is actually more complicated because you have to pull the CAN bus wires out and hook up a CAN bus device to start the car.
Maybe we should go back to needing a key that locks the steering wheel. Come to think of it, those locks could just be punched out.
There are always ways to increase security at the cost of convenience. Maybe have a CAN bus with beefed up security.
posted by eye of newt at 2:56 PM on April 9, 2023 [1 favorite]
In older cars, you'd break the window to get into the car, then pull the wires out of the ignition to start the car.
You may have watched too many bad TV shows or movies.
But yeah, one would have expected better protection of the CAN bus.
posted by Artful Codger at 3:32 PM on April 9, 2023 [3 favorites]
You may have watched too many bad TV shows or movies.
But yeah, one would have expected better protection of the CAN bus.
posted by Artful Codger at 3:32 PM on April 9, 2023 [3 favorites]
This problem should be moot as anyone caught with a bluetooth speaker in public should be arrested in any case.
posted by maxwelton at 3:37 PM on April 9, 2023 [27 favorites]
posted by maxwelton at 3:37 PM on April 9, 2023 [27 favorites]
I mean, this is fixable with a software patch.. If you're gonna have a car as a computer (which I don't like, but is inevitable these days), .....you don't need to ultra-harden the car against violent wiring intrusion, just game some simple attacks & push out updates with alacrity.
posted by lalochezia at 3:38 PM on April 9, 2023 [2 favorites]
posted by lalochezia at 3:38 PM on April 9, 2023 [2 favorites]
> Maybe have a CAN bus with beefed up security
It's called a CAN bus not a CANT bus
posted by 7segment at 3:55 PM on April 9, 2023 [30 favorites]
It's called a CAN bus not a CANT bus
posted by 7segment at 3:55 PM on April 9, 2023 [30 favorites]
Around here, the big thing is still stealing catalytic converters. They can cut them out and be gone before anyone has time to notice. Cars do get stolen, but most of the local FB/Nextdoor complaints I see are about cat thefts.
The article claims this is specifically tied to stealing cars for export, for which thieves are going to be targeting a small number of specific models, so learning an invasive technique like this that requires knowing the right wires to hook into makes some sense.
posted by Dip Flash at 4:00 PM on April 9, 2023 [1 favorite]
The article claims this is specifically tied to stealing cars for export, for which thieves are going to be targeting a small number of specific models, so learning an invasive technique like this that requires knowing the right wires to hook into makes some sense.
posted by Dip Flash at 4:00 PM on April 9, 2023 [1 favorite]
Hopefully they’re learning their lesson. Catalytic converter thief fatally run over by vehicle he was under, authorities say
posted by Melismata at 4:13 PM on April 9, 2023 [1 favorite]
posted by Melismata at 4:13 PM on April 9, 2023 [1 favorite]
In older cars, you'd break the window to get into the car,
In my day, you'd use a coat hanger!
posted by aniola at 4:21 PM on April 9, 2023 [5 favorites]
In my day, you'd use a coat hanger!
posted by aniola at 4:21 PM on April 9, 2023 [5 favorites]
Hopefully they’re learning their lesson. Catalytic converter thief fatally run over by vehicle he was under, authorities say
This is sad. Aren't drivers supposed to check under the car for cats? Also catalytic converter thieves.
posted by aniola at 4:24 PM on April 9, 2023 [2 favorites]
This is sad. Aren't drivers supposed to check under the car for cats? Also catalytic converter thieves.
posted by aniola at 4:24 PM on April 9, 2023 [2 favorites]
Before locking columns most cars could be started/ran just by crossing the right wires. Ignitions were just fancy key switches. After locking columns you had to punch the lock but for many/most cars well into the 90s all you needed was a slide hammer. Drove quite a few cars that had a screwdriver for a "key".
Back when cars had vent windows the quickest way in was with a properly bent screwdriver. I've seen my father open a car faster than you could dig your keys out of your pocket.
posted by Mitheral at 4:30 PM on April 9, 2023 [7 favorites]
Back when cars had vent windows the quickest way in was with a properly bent screwdriver. I've seen my father open a car faster than you could dig your keys out of your pocket.
posted by Mitheral at 4:30 PM on April 9, 2023 [7 favorites]
“Back when cars had vent windows...”
I'd forgotten about those. I'm having a sense memory of the feel of the swivel-lock and the smell of the rubber weatherproofing.
I always thought that if I ever really was worried about a car being stolen, I'd just hardwire a hidden cut-off switch to the fuel pump that I could reach somewhere.
posted by Ivan Fyodorovich at 5:04 PM on April 9, 2023 [1 favorite]
I'd forgotten about those. I'm having a sense memory of the feel of the swivel-lock and the smell of the rubber weatherproofing.
I always thought that if I ever really was worried about a car being stolen, I'd just hardwire a hidden cut-off switch to the fuel pump that I could reach somewhere.
posted by Ivan Fyodorovich at 5:04 PM on April 9, 2023 [1 favorite]
The vent window was how I got into my 1973 VW Beetle whenever I inadvertently locked the keys in the car. Wiggle wiggle pop and it was open in less than 15 seconds. My security system was to pop the distributor cap and take the rotor with me.
posted by fimbulvetr at 5:46 PM on April 9, 2023 [6 favorites]
posted by fimbulvetr at 5:46 PM on April 9, 2023 [6 favorites]
Vent window era cars of course didn't have electric fuel pumps for the most part but a kill switch that grounded the coil was just as effective.
posted by Mitheral at 5:56 PM on April 9, 2023 [2 favorites]
posted by Mitheral at 5:56 PM on April 9, 2023 [2 favorites]
In my last vehicle, if you just open the unlocked door and looked in the visor, you would find the key. I had this setup for about4 years, parked it on the streets of NYC, in my driveway, at the local strip mall, etc. Not once was the vehicle touched. Plenty of people tossed their garbage in the bed, but no one thought to open the door.
I guess there was not much demand for a 6 year old Ford Ranger (the original Ranger not the new imposter).
posted by JohnnyGunn at 6:31 PM on April 9, 2023 [3 favorites]
I guess there was not much demand for a 6 year old Ford Ranger (the original Ranger not the new imposter).
posted by JohnnyGunn at 6:31 PM on April 9, 2023 [3 favorites]
This problem should be moot as anyone caught with a bluetooth speaker in public should be arrested in any case.
I strongly disagree with this on many levels, but also, I laughed.
posted by curious nu at 6:51 PM on April 9, 2023
I strongly disagree with this on many levels, but also, I laughed.
posted by curious nu at 6:51 PM on April 9, 2023
As with all of these anecdotes about theft I am always astounded by the shitty ratio of ingenuity to payoff. There’s an extraordinary amount of expertise and problem solving ability going on here, as well as planning in detail and human organisation in the service of… stealing cars. It’s perverse.
posted by Fiasco da Gama at 6:56 PM on April 9, 2023 [2 favorites]
posted by Fiasco da Gama at 6:56 PM on April 9, 2023 [2 favorites]
my security system for my 14 year old ford fairmont was that I drove a 14 year old ford fairmont
posted by logicpunk at 7:02 PM on April 9, 2023 [33 favorites]
posted by logicpunk at 7:02 PM on April 9, 2023 [33 favorites]
My 70's Ford truck didn't even need a key. You just turned over the ignition switch and away she went. I don't think I'd ever locked it once in its long and loyal lifetime. When it was new, this was rural and a good place to live. For the last decade, there's been some sketchy folks living here, but nobody ever messed with it. Don't know why. After all, it was a Custom 150. It still even had doors and bumpers!
posted by BlueHorse at 7:47 PM on April 9, 2023 [3 favorites]
posted by BlueHorse at 7:47 PM on April 9, 2023 [3 favorites]
Our Mazda 3 has a stick shift, so no-one under about 40 knows how to drive it.
posted by Artful Codger at 7:57 PM on April 9, 2023 [17 favorites]
posted by Artful Codger at 7:57 PM on April 9, 2023 [17 favorites]
My father in law had a dodgy farm car that he used to just pop the gear stick out when he left it.
posted by freethefeet at 8:18 PM on April 9, 2023 [2 favorites]
posted by freethefeet at 8:18 PM on April 9, 2023 [2 favorites]
I knew a dude who did 2 for GTA. He was the pm wrecker driver where I worked.
A slim Jim, spark plug and jacked Bic. He stole a running car from a valet.
I borrowed 2 cars as a youth. Deloren that some GM exec left keys right in the ignition, by the third joyride we were convinced he wanted it stolen so we just put the keys on the seat and my friends mom's AMC Pacer.
like back to the future of joyride selection.
The Car Thief
The first car stolen was in in France, 1896.
100 years later. the first time I drove my grandmother, she laid down the rules and said:
"In my day it was the horse, the Metzger (which barely held a charge) or you had to crank it and don't doubt me because I met Henry Ford when I was 15 and I drove that T home, 100 miles by myself in the dark. Her father knew Metzger and sold metzger's even had a charging company only to cash it all for a Ford dealership which leads me to my grandmother's first and only joyride. her father bought a Cadillac to resell and one Friday night grandma and her friends decided to take it out for a ride. the next afternoon my great-grandfather asked her to come around to the side of the barn we're wrote down a series of numbers for which my grandmother looked puzzled.
it was the odometer reading.
posted by clavdivs at 8:45 PM on April 9, 2023 [5 favorites]
A slim Jim, spark plug and jacked Bic. He stole a running car from a valet.
I borrowed 2 cars as a youth. Deloren that some GM exec left keys right in the ignition, by the third joyride we were convinced he wanted it stolen so we just put the keys on the seat and my friends mom's AMC Pacer.
like back to the future of joyride selection.
The Car Thief
The first car stolen was in in France, 1896.
100 years later. the first time I drove my grandmother, she laid down the rules and said:
"In my day it was the horse, the Metzger (which barely held a charge) or you had to crank it and don't doubt me because I met Henry Ford when I was 15 and I drove that T home, 100 miles by myself in the dark. Her father knew Metzger and sold metzger's even had a charging company only to cash it all for a Ford dealership which leads me to my grandmother's first and only joyride. her father bought a Cadillac to resell and one Friday night grandma and her friends decided to take it out for a ride. the next afternoon my great-grandfather asked her to come around to the side of the barn we're wrote down a series of numbers for which my grandmother looked puzzled.
it was the odometer reading.
posted by clavdivs at 8:45 PM on April 9, 2023 [5 favorites]
I always thought that if I ever really was worried about a car being stolen, I'd just hardwire a hidden cut-off switch to the fuel pump that I could reach somewhere.
Key relay or fuse from the fusebox in your pocket is a classic. Often accessed under the dash, doesn't even need you to dig in the engine bay.
posted by Dysk at 10:50 PM on April 9, 2023 [2 favorites]
Key relay or fuse from the fusebox in your pocket is a classic. Often accessed under the dash, doesn't even need you to dig in the engine bay.
posted by Dysk at 10:50 PM on April 9, 2023 [2 favorites]
Security parts need to be paired. Not doing so is negligent.
This is kinda asking for cars to become like Apple devices, where there is no real parts market because you can't swap out anything due to it not being paired correctly. I like a world where you can replace e.g. headlights by going to a junkyard, rather than needing the manufacturer to set some up with firmware special for your individual car.
posted by Dysk at 10:52 PM on April 9, 2023 [4 favorites]
This is kinda asking for cars to become like Apple devices, where there is no real parts market because you can't swap out anything due to it not being paired correctly. I like a world where you can replace e.g. headlights by going to a junkyard, rather than needing the manufacturer to set some up with firmware special for your individual car.
posted by Dysk at 10:52 PM on April 9, 2023 [4 favorites]
A family member had their car stolen recently. I thought maybe it was something high tech like this, cloning or amplifying the nfc signal, but no, it was just left unlocked and with the keys in it. I might have done that with my $2000 Subaru, but I couldn't really fathom it with a brand new expensive-ass monster child hauler. Thankfully it was recovered, with no help from the ridiculous amount of tracking tech installed on new cars that's only available if you pay the subscription before it gets stolen...
JohnnyGun - you'd be surprised! I wish you could get that size pickup still, and clean models are selling at ridiculous premiums because apparently lots of people agree.
Side note - I bluetooth speaker in public. On my bike. The amount of people it has kept from carelessly walking into the road in front of me is significant. Can't see anyone if they decide to pop out from between a few big SUVs.
posted by jellywerker at 4:08 AM on April 10, 2023 [1 favorite]
JohnnyGun - you'd be surprised! I wish you could get that size pickup still, and clean models are selling at ridiculous premiums because apparently lots of people agree.
Side note - I bluetooth speaker in public. On my bike. The amount of people it has kept from carelessly walking into the road in front of me is significant. Can't see anyone if they decide to pop out from between a few big SUVs.
posted by jellywerker at 4:08 AM on April 10, 2023 [1 favorite]
With all these fancy new ways to steal cars, can we outlaw all the car alarms that don't prevent these methods and just serve as noise pollution? Greatly appreciated.
posted by Pitachu at 4:21 AM on April 10, 2023 [4 favorites]
posted by Pitachu at 4:21 AM on April 10, 2023 [4 favorites]
Can we nick it? Yes we CAN!
Fiasco de Gama 'There’s an extraordinary amount of expertise and problem solving ability going on here, as well as planning in detail and human organisation in the service of… stealing cars. It’s perverse.'
As long as private cars exist, people will steal them. The challenge of fooling the on board computer is always going to be of interest to problem solvers.
Considering that incarceration increases the chances of a person committing a crime, is it not possible that the prison system is producing future car thieves? People who were arrested and sentenced for some minor offense? People who are disenfranchised, and as a result of having a criminal record, have low chances of getting a job that stimulates their intellect, and are aware that the system that incarcerated them is a business unrelated to justice. They're also likely to have gained useful contacts while incarcerated, which would help them establish their new line of business.
posted by asok at 5:17 AM on April 10, 2023 [1 favorite]
Fiasco de Gama 'There’s an extraordinary amount of expertise and problem solving ability going on here, as well as planning in detail and human organisation in the service of… stealing cars. It’s perverse.'
As long as private cars exist, people will steal them. The challenge of fooling the on board computer is always going to be of interest to problem solvers.
Considering that incarceration increases the chances of a person committing a crime, is it not possible that the prison system is producing future car thieves? People who were arrested and sentenced for some minor offense? People who are disenfranchised, and as a result of having a criminal record, have low chances of getting a job that stimulates their intellect, and are aware that the system that incarcerated them is a business unrelated to justice. They're also likely to have gained useful contacts while incarcerated, which would help them establish their new line of business.
posted by asok at 5:17 AM on April 10, 2023 [1 favorite]
Key relay or fuse from the fusebox in your pocket is a classic. Often accessed under the dash, doesn't even need you to dig in the engine bay.
In college, a friend had a total shitbox of a car. I think the key was stuck in the lock or the lock was broken, so you just got in and turned the switch and it would start. So his anti-theft solution was to pull a fuse, like you suggest. But I guess he lost one of the fuses and was too cheap or lazy to replace it, so from then on it was a process of moving a fuse from one place in the fusebox over to activate the ignition, and then you had to put it back because otherwise you would have no lights. He drove it that way at least until graduation, when we lost touch.
Almost no one would willingly borrow his car twice, which I think was a major factor in him never fixing it.
posted by Dip Flash at 5:22 AM on April 10, 2023 [5 favorites]
In college, a friend had a total shitbox of a car. I think the key was stuck in the lock or the lock was broken, so you just got in and turned the switch and it would start. So his anti-theft solution was to pull a fuse, like you suggest. But I guess he lost one of the fuses and was too cheap or lazy to replace it, so from then on it was a process of moving a fuse from one place in the fusebox over to activate the ignition, and then you had to put it back because otherwise you would have no lights. He drove it that way at least until graduation, when we lost touch.
Almost no one would willingly borrow his car twice, which I think was a major factor in him never fixing it.
posted by Dip Flash at 5:22 AM on April 10, 2023 [5 favorites]
Some cars have headlights that are on the CANbus. Smart thieves are smashing car frontends and then pulling the light's cabling to directly access the bus. If you get into a fender bender or find your frontend damaged, get your car fixed pronto.
posted by tommasz at 8:03 AM on April 10, 2023 [2 favorites]
posted by tommasz at 8:03 AM on April 10, 2023 [2 favorites]
> Security parts need to be paired. Not doing so is negligent.
> This is kinda asking for cars to become like Apple devices, where there is no real parts market because you can't swap out anything due to it not being paired correctly.
> Just security parts, not headlights.
These three comments above are, in a nutshell, a summary of the past ten years of debate around repairability versus repurposeability in mobile phone technology.
In cars, they solve this with dealer systems, that can reprogram the crypto whatever inside your key and your ECU in order to re-key your car. They charge a token fee for their time and perform a series of steps that anyone could do using the right proprietary equipment. If they sold that equipment to anyone, then anyone could steal and re-key your car. If they don’t sell that equipment to anyone, then they’re an obstacle to repairability.
Cars are also built on a venerable old tech called CAN, that apparently has a design flaw for security uses as described here. It’s not necessarily uncorrectable, as the author notes, but preventing it at a design level requires rethinking how immobilizers use the same open CAN system as the headlights. I’ve seen it said that Toyota is now using encrypted CAN in certain 2022+ models, so clearly they’re aware of the defect and responding to it, but their cheaper, easier solution may well be to pair everything on the CAN system using a proprietary dealer tool. So, if they’re smart, they’ll pair the headlight control module, but not the physical lens and bulb-like elements, because there’s a line too far and having to go to a dealer to swap a crushed corner light would likely cross it.
So Toyota takes one step closer to Apple’s world, and now more modules in the car have to be re-paired by a proprietary dealer tool. This is, as commented above, an obviously necessary step against theft. It also prevents home hacking on the CAN network, which is now locked out from meddling by pesky thieves and vehicle owners and third-party repair shops who haven’t paid $7500/year for a software license from Toyota.
I appreciate the anti-theft protections in my mobile phone and car, and I understand that they are compromised in various ways. But I wish I had a magic technical solution for how to let owners repurpose their objects, letting owners repair their objects, in ways that require interacting with the magical cryptographic security seals on their device, that does not easily allow thieves to do the same.
I don’t have a simple, effective answer for this. I dont really have an answer at all. How many of us still have the tiny metal plank that came on a keyless-entry car’s keyring from the dealer, that has the reprogramming code for new keys? How many of us could find it in less than a week of searching if we needed to repair our vehicle? Could we issue that same little metal plank for our phones, so that we’re able to get our screen repaired by a third-party — but couldn’t they then just sell the plank code on the black market to thieves and include our home address?
The recent news clamor about Apple laptops going to landfills is another variant of this problem: Apple won’t accept mail-in recycling of locked laptops from end-users, and requires a photo ID and signature in person to accept hardware for recycling at their stores. The owners of those laptops don’t have any way to break the lock without showing their purchase receipt to Apple, and any tool provided to them that could do so would immediately enable theft and resale of stolen laptops.
I think that we need stricter controls around security rekeying for devices; that rekeying services are offered at a fixed rate, that a “transfer of ownership” process exist to ensure that during a legitimate sale power of rekeying is authorized to the buyer; and, critically, that recycling/disposal of locked objects is paid for by the manufacturer if a security lock is not lifted after a one month waiting period.
I’m not certain that this will solve everything, but it would solve a lot. I’m not certain it’s the right solutions. Maybe we should buy devices with the option of a one-time unlock fob, that is enough to enable repair when present during the security processes — but only works on our specific device, and has a fingerprint sensor in it so that someone else can’t steal it and use it in our phone, and if lost has to be replaced by a manufacturer rekeying process? How would that process be secured? Who would be authorized to perform it?
Every solution I have ever come up with ends up circling back to the same problem: How does the owner of an object prove that they have the right to bypass security on an object, and what degree of financial and time inconvenience is acceptable to place in their way for anti-theft purposes?
Car repair is going to become a little more Apple-like, and that’ll make car theft a little more difficult, and that’ll make car repair a little more expensive, and that’ll make car owners a little more inconvenienced, and car manufacturers will hold a little more power over the fate of your car. It’s a good compromise for today, but I wish more debate would focus on why the compromise has to be made, and whether it should be, and to what degree this compromise is necessary, from both the owner’s rights perspective and the owner’s security perspective.
Should purchase of a device with security seals require either a signed attestation from the owner that they accept the security seals and acknowledge the limitations they carry, or a signed refusal of those seals from the owner that acknowledges the risk of theft they carry? Would that be enough guidance for buyers to make reasonable risk-reward tradeoff decisions about their purchases? Would manufacturers be permitted to deny functionality that requires security seals to protect the integrity of regulated systems, such as emissions controls — or their own systems, such as gaming consoles do for multiplayer gaming?
This is the kind of discussion I keep hoping to see people having about security seals, and maybe it’s occurring in fragments here and there, but the news media hasn’t grasped the full implications and focuses instead on “you can’t repair your own car anymore”, and the “repairability” movement doesn’t seem to care at all about anti-theft or regulatory protections, and there just isn’t any discussion happening at all. This article almost goes there. It’s the best I’ve seen yet from the technical crowd. I remain hopeful.
posted by Callisto Prime at 8:24 AM on April 10, 2023 [10 favorites]
> This is kinda asking for cars to become like Apple devices, where there is no real parts market because you can't swap out anything due to it not being paired correctly.
> Just security parts, not headlights.
These three comments above are, in a nutshell, a summary of the past ten years of debate around repairability versus repurposeability in mobile phone technology.
In cars, they solve this with dealer systems, that can reprogram the crypto whatever inside your key and your ECU in order to re-key your car. They charge a token fee for their time and perform a series of steps that anyone could do using the right proprietary equipment. If they sold that equipment to anyone, then anyone could steal and re-key your car. If they don’t sell that equipment to anyone, then they’re an obstacle to repairability.
Cars are also built on a venerable old tech called CAN, that apparently has a design flaw for security uses as described here. It’s not necessarily uncorrectable, as the author notes, but preventing it at a design level requires rethinking how immobilizers use the same open CAN system as the headlights. I’ve seen it said that Toyota is now using encrypted CAN in certain 2022+ models, so clearly they’re aware of the defect and responding to it, but their cheaper, easier solution may well be to pair everything on the CAN system using a proprietary dealer tool. So, if they’re smart, they’ll pair the headlight control module, but not the physical lens and bulb-like elements, because there’s a line too far and having to go to a dealer to swap a crushed corner light would likely cross it.
So Toyota takes one step closer to Apple’s world, and now more modules in the car have to be re-paired by a proprietary dealer tool. This is, as commented above, an obviously necessary step against theft. It also prevents home hacking on the CAN network, which is now locked out from meddling by pesky thieves and vehicle owners and third-party repair shops who haven’t paid $7500/year for a software license from Toyota.
I appreciate the anti-theft protections in my mobile phone and car, and I understand that they are compromised in various ways. But I wish I had a magic technical solution for how to let owners repurpose their objects, letting owners repair their objects, in ways that require interacting with the magical cryptographic security seals on their device, that does not easily allow thieves to do the same.
I don’t have a simple, effective answer for this. I dont really have an answer at all. How many of us still have the tiny metal plank that came on a keyless-entry car’s keyring from the dealer, that has the reprogramming code for new keys? How many of us could find it in less than a week of searching if we needed to repair our vehicle? Could we issue that same little metal plank for our phones, so that we’re able to get our screen repaired by a third-party — but couldn’t they then just sell the plank code on the black market to thieves and include our home address?
The recent news clamor about Apple laptops going to landfills is another variant of this problem: Apple won’t accept mail-in recycling of locked laptops from end-users, and requires a photo ID and signature in person to accept hardware for recycling at their stores. The owners of those laptops don’t have any way to break the lock without showing their purchase receipt to Apple, and any tool provided to them that could do so would immediately enable theft and resale of stolen laptops.
I think that we need stricter controls around security rekeying for devices; that rekeying services are offered at a fixed rate, that a “transfer of ownership” process exist to ensure that during a legitimate sale power of rekeying is authorized to the buyer; and, critically, that recycling/disposal of locked objects is paid for by the manufacturer if a security lock is not lifted after a one month waiting period.
I’m not certain that this will solve everything, but it would solve a lot. I’m not certain it’s the right solutions. Maybe we should buy devices with the option of a one-time unlock fob, that is enough to enable repair when present during the security processes — but only works on our specific device, and has a fingerprint sensor in it so that someone else can’t steal it and use it in our phone, and if lost has to be replaced by a manufacturer rekeying process? How would that process be secured? Who would be authorized to perform it?
Every solution I have ever come up with ends up circling back to the same problem: How does the owner of an object prove that they have the right to bypass security on an object, and what degree of financial and time inconvenience is acceptable to place in their way for anti-theft purposes?
Car repair is going to become a little more Apple-like, and that’ll make car theft a little more difficult, and that’ll make car repair a little more expensive, and that’ll make car owners a little more inconvenienced, and car manufacturers will hold a little more power over the fate of your car. It’s a good compromise for today, but I wish more debate would focus on why the compromise has to be made, and whether it should be, and to what degree this compromise is necessary, from both the owner’s rights perspective and the owner’s security perspective.
Should purchase of a device with security seals require either a signed attestation from the owner that they accept the security seals and acknowledge the limitations they carry, or a signed refusal of those seals from the owner that acknowledges the risk of theft they carry? Would that be enough guidance for buyers to make reasonable risk-reward tradeoff decisions about their purchases? Would manufacturers be permitted to deny functionality that requires security seals to protect the integrity of regulated systems, such as emissions controls — or their own systems, such as gaming consoles do for multiplayer gaming?
This is the kind of discussion I keep hoping to see people having about security seals, and maybe it’s occurring in fragments here and there, but the news media hasn’t grasped the full implications and focuses instead on “you can’t repair your own car anymore”, and the “repairability” movement doesn’t seem to care at all about anti-theft or regulatory protections, and there just isn’t any discussion happening at all. This article almost goes there. It’s the best I’ve seen yet from the technical crowd. I remain hopeful.
posted by Callisto Prime at 8:24 AM on April 10, 2023 [10 favorites]
In cars, they solve this with dealer systems, that can reprogram the crypto whatever inside your key and your ECU in order to re-key your car. They charge a token fee for their time and perform a series of steps that anyone could do using the right proprietary equipment.
That token fee was C$500 three years ago when we lost the key to my daughter's 12 year old Toyota.
But at least it was available. What happens if say Tesla goes the way of SAAB and gets out of the car business? More generally is GM still going to be programming keys for 30-40 year old cars?
posted by Mitheral at 9:15 AM on April 10, 2023 [4 favorites]
That token fee was C$500 three years ago when we lost the key to my daughter's 12 year old Toyota.
But at least it was available. What happens if say Tesla goes the way of SAAB and gets out of the car business? More generally is GM still going to be programming keys for 30-40 year old cars?
posted by Mitheral at 9:15 AM on April 10, 2023 [4 favorites]
This is kinda asking for cars to become like Apple devices, where there is no real parts market because you can't swap out anything due to it not being paired correctly.
With one of those products, would-be thieves know that stealing them gets them something basically worthless, thereby reducing thefts by something along the lines of 80% compared to before the "pairing" started happen.
posted by Back At It Again At Krispy Kreme at 11:23 AM on April 10, 2023 [1 favorite]
With one of those products, would-be thieves know that stealing them gets them something basically worthless, thereby reducing thefts by something along the lines of 80% compared to before the "pairing" started happen.
posted by Back At It Again At Krispy Kreme at 11:23 AM on April 10, 2023 [1 favorite]
> What happens if say Tesla goes the way of SAAB and gets out of the car business? More generally is GM still going to be programming keys for 30-40 year old cars?
I don’t know. I wish I knew. Certainly there’s no regulation requiring it beyond ten years. There’s no “you’re required to divulge your proprietary software if you are no longer able to process unlocks” ruling. Nor is there any precedence from software licensing, either, where your “forever” license can be revoked without recourse by shutting down a webserver. It’s all completely unregulated and unconsidered, and that sucks. I’m sorry I don’t have better news, but I’m glad to see your question being asked.
posted by Callisto Prime at 11:49 AM on April 10, 2023
I don’t know. I wish I knew. Certainly there’s no regulation requiring it beyond ten years. There’s no “you’re required to divulge your proprietary software if you are no longer able to process unlocks” ruling. Nor is there any precedence from software licensing, either, where your “forever” license can be revoked without recourse by shutting down a webserver. It’s all completely unregulated and unconsidered, and that sucks. I’m sorry I don’t have better news, but I’m glad to see your question being asked.
posted by Callisto Prime at 11:49 AM on April 10, 2023
Why would the answer be different than the support of any other part on car or any other product? Sometimes the parts are unavailable, or extremely expensive, and you have to buy a new one. At least in car, the newer ones are legitimately generally far better. And if the desire is big enough, some 3D printing hacker will figure a way around it.
posted by The_Vegetables at 12:01 PM on April 10, 2023
posted by The_Vegetables at 12:01 PM on April 10, 2023
One quite obvious way to improve security is not to have headlights and smart key in the same CAN channel but to have a separate channel just for the smart key. But you can't do that with a software patch. You need a separate pair of physical wires. Once the attacker has physical access, it's quite hard to maintain security in any system.
posted by ikalliom at 1:09 PM on April 10, 2023 [1 favorite]
posted by ikalliom at 1:09 PM on April 10, 2023 [1 favorite]
The difference is anyone can supply a brake rotor or taillight assembly and for something harder there is a used market. If the jackass who runs Tesla decides to not program keys for 11 year old Teslas for the lulz and because the keys are cryptographically signed all those cars are going to become lawn ornaments. No one can supply a key new or used.
posted by Mitheral at 1:28 PM on April 10, 2023 [4 favorites]
posted by Mitheral at 1:28 PM on April 10, 2023 [4 favorites]
You crazy kids and your keyless this and that! Part of the reason I still drive my 2007 minivan is that I don’t want a car with a giant screen or a weird button to start it. I’m still kinda suspicious about power windows. I guess I’ll be assimilated soon ….
posted by caviar2d2 at 3:49 PM on April 10, 2023 [1 favorite]
posted by caviar2d2 at 3:49 PM on April 10, 2023 [1 favorite]
In older cars, you'd break the window to get into the car, then pull the wires out of the ignition to start the car.
You don't even need pull wires out of the ignition for 2010-2021 Hyundais and Kias, which lack an engine immobilizer: Hyundai, Kia pushing updates so you can’t just steal their cars with USB cables. That's not a USB key loaded with special software; it's literally the USB cable.
I wouldn't dream of having a computer that doesn't get regular security updates, but the majority of cars are never going to get a single one after it rolls out from the factory.
Pwn2Own, a hacking contest, now includes cars as targets for hacking, just like Windows or Mac. Pwn2Own Hackers Breach a Tesla (Twice), Earn $350K and a Model 3
posted by meowzilla at 3:59 PM on April 10, 2023 [3 favorites]
You don't even need pull wires out of the ignition for 2010-2021 Hyundais and Kias, which lack an engine immobilizer: Hyundai, Kia pushing updates so you can’t just steal their cars with USB cables. That's not a USB key loaded with special software; it's literally the USB cable.
I wouldn't dream of having a computer that doesn't get regular security updates, but the majority of cars are never going to get a single one after it rolls out from the factory.
Pwn2Own, a hacking contest, now includes cars as targets for hacking, just like Windows or Mac. Pwn2Own Hackers Breach a Tesla (Twice), Earn $350K and a Model 3
posted by meowzilla at 3:59 PM on April 10, 2023 [3 favorites]
Modern cars are horrifying to me. Why does the headlight need to be networked in the first place?
posted by vibratory manner of working at 12:20 PM on April 11, 2023
posted by vibratory manner of working at 12:20 PM on April 11, 2023
Why does the headlight need to be networked in the first place?
Smart multi-part LED headlights. They are designed to do things like active lights to help with cornering, automatically adjust the beam to not blind oncoming traffic, automatic high beam dipping, that sort of thing. I have a 2023 model car, and at night you can see the headlight beams go through a little dance when you start up the car as they do a self-test and adjustment. They are kinda neat and provide much better visibility at night than old-fashioned lights, but they also scare the heck out of me as to what it will cost if they need fixing. I also wonder about parts availability years from now since they don't just have standard lightbulbs to change.
The new car is much, much nicer to drive than my old car which is the same model but 20 years old. But I don't believe I will get 20 years out of it like the old one. Way too many electronics, sensors, and computers to fail.
posted by fimbulvetr at 1:39 PM on April 11, 2023
Smart multi-part LED headlights. They are designed to do things like active lights to help with cornering, automatically adjust the beam to not blind oncoming traffic, automatic high beam dipping, that sort of thing. I have a 2023 model car, and at night you can see the headlight beams go through a little dance when you start up the car as they do a self-test and adjustment. They are kinda neat and provide much better visibility at night than old-fashioned lights, but they also scare the heck out of me as to what it will cost if they need fixing. I also wonder about parts availability years from now since they don't just have standard lightbulbs to change.
The new car is much, much nicer to drive than my old car which is the same model but 20 years old. But I don't believe I will get 20 years out of it like the old one. Way too many electronics, sensors, and computers to fail.
posted by fimbulvetr at 1:39 PM on April 11, 2023
The difference is anyone can supply a brake rotor or taillight assembly and for something harder there is a used market.
There is no difference. Someone can easily hack Telsa's keys, if they chose to do so....If it's profitable, Rock Auto will do it.
posted by The_Vegetables at 1:42 PM on April 11, 2023
There is no difference. Someone can easily hack Telsa's keys, if they chose to do so....If it's profitable, Rock Auto will do it.
posted by The_Vegetables at 1:42 PM on April 11, 2023
For a while I had this car security problem solved. I'd just take my tow truck and hook it to an expensive car with high tech security so they couldn't move my truck unless they moved the fancy, unstealable car first. This worked great for a while until I forgot to unhook the fancy car from the back of my truck and didn't notice until I was already home. Embarrassing.
posted by stet at 4:00 PM on April 11, 2023
posted by stet at 4:00 PM on April 11, 2023
Someone can easily hack Telsa's keys, if they chose to do so...
How?
posted by labberdasher at 11:31 PM on April 12, 2023 [1 favorite]
How?
posted by labberdasher at 11:31 PM on April 12, 2023 [1 favorite]
« Older Birds, drawn. | and if we looked out the window it would be all... Newer »
This thread has been archived and is closed to new comments
posted by slogger at 2:18 PM on April 9, 2023 [5 favorites]