IS - 2nd Gen (2006-2013) Discussion about the 2006+ model IS models

was thinking while driving today

Old 06-20-07, 03:32 PM
  #1  
foe84
Rookie
Thread Starter
 
 
Join Date: Jul 2006
Location: nj
Posts: 75

For some reason, I was thinking about how car thieves hot wire cars to be able to drive them. I guess I looked at the push start and that's what popped into my head. Anyway, the IS works with the sensor in the key; if not, it just gives the "no key detected." So, what if it was hot wired? Would it not start? I mean, would the system be spazzing out?

I know it's weird, but I kind of want an answer so I stop thinking about whether it would happen, seeing how I would never try it on my car (plus, I have no clue about wires).
Old 06-20-07, 03:35 PM
  #2  
PhilipMSPT
Cycle Savant
Join Date: Jul 2005
Location: In rehab...
Posts: 21,527

Theoretically, the car will not start.

Even if it's hot wired, the engine is still electronically immobilized via computer program. You would have to hack the program itself...
Old 06-20-07, 04:19 PM
  #3  
llamaboiz
Lexus Fanatic
 
 
Join Date: May 2007
Location: Windward, Oahu
Posts: 11,030

Haha, hot wired... you don't need to 'hot wire' a normal car, just shove a screwdriver in the key slot and turn; it works. I like the push button/fob because the screwdriver won't work.
Old 06-20-07, 04:52 PM
  #4  
ben_r_
Lexus Champion
 
 
Join Date: Apr 2007
Location: Sacramento, CA
Posts: 3,121

LOL, well you could try and shove the screwdriver behind the button!!!
Old 06-20-07, 10:06 PM
  #5  
cc16ue
Pit Crew
Join Date: Sep 2002
Location: ca
Posts: 185

"Hot wiring" is touching two wires together to get the car to start, which is EXACTLY what a button does when you push it. So what happens when you try pushing the button without a key?
Old 06-20-07, 10:36 PM
  #6  
PhilipMSPT
Cycle Savant
Join Date: Jul 2005
Location: In rehab...
Posts: 21,527

Originally Posted by cc16ue
"Hot wiring" is touching two wires together to get the car to start, which is EXACTLY what a button does when you push it. So what happens when you try pushing the button without a key?
It will turn on the lights, but it will not start the engine (hence the engine immobilizer part). That's a computer program issue, not a "hot wire" issue...
Old 06-21-07, 12:09 PM
  #7  
lobuxracer
Tech Info Resource

Join Date: Jul 2006
Location: Georgia
Posts: 22,433

There is a certificate ECU in the car that handles all engine start requests by authenticating the key. If the key does not respond to the certificate ECU challenge correctly, the certificate ECU will not generate the necessary code for the engine ECM to start.

It may be possible to hot wire the starter and get it to spin the engine, but you will not get the engine to run until the ECM receives a proper code from the certificate ECU.

No key, no start. End of story.

FWIW, I am a CISSP, so I was very keen on understanding the security mechanisms built into the smartkey system when I bought the car.

Last edited by lobuxracer; 06-21-07 at 12:14 PM.
Old 06-21-07, 12:17 PM
  #8  
MLevinson
Pole Position
 
 
Join Date: Dec 2006
Location: NC
Posts: 311

I'm not sure what version of RFID the IS [Lexus] uses, but there are lengthy articles how to "capture" the signal that is being emitted by the transmitter [constantly] - break the encryption and gain access to the vehicle including driving off.

There was an article/video that I watched several months ago: someone hacked into a subject's BMW in literally 10 minutes' time. The test subject was unaware how or when the RFID signal coming out of his fob was hijacked.

More advanced RFID automotive applications have moved to 128-bit and 256-bit encryption, but I'm not sure which manufacturer is doing this, and at what speed.

Last edited by MLevinson; 06-21-07 at 12:38 PM.
Old 06-21-07, 12:26 PM
  #9  
lobuxracer
Tech Info Resource

Join Date: Jul 2006
Location: Georgia
Posts: 22,433

Encryption doesn't solve the problem. Any encryption can be broken, it's just a matter of time. The ideal system uses encryption and a challenge/response from the RFID. The certificate ECU sends a secret to the RFID, the RFID decrypts the secret, modifies it using an agreed upon protocol, and encrypts the response before returning it to the certification ECU. The certification ECU decrypts the response and compares it to its own calculation of the correct response, then generates a certificate which it sends to the engine ECM to allow it to start.

This is the way I've been led to believe the system works. If anyone knows better, please jump in and correct me.
Old 06-21-07, 12:34 PM
  #10  
Drunkebuda
Lexus Test Driver
 
 
Join Date: Dec 2006
Location: Wa
Posts: 1,537

You know what, if they wanted to steal my car and have the tech to do it, then all for them, because I will get a new car then from the insurance.
Old 06-21-07, 12:37 PM
  #11  
MLevinson
Pole Position
 
 
Join Date: Dec 2006
Location: NC
Posts: 311

Originally Posted by lobuxracer
Encryption doesn't solve the problem. Any encryption can be broken, it's just a matter of time. The ideal system uses encryption and a challenge/response from the RFID.
This is the crux - yes encryption(s) can be broken, but how long does it take and has the PSK changed at the other end..? As I understand it, the keys are "roaming" - so in essence, you have only one shot at doing this. As soon as that fob is sent a request [in this case from the ECU] for authentication, a new key is then generated thereafter. So even if someone did grab and hack the RFID encryption, it will be useless unless this can be transmitted back before the fob is returned.

Make sense...?

Last edited by MLevinson; 06-21-07 at 12:40 PM.
Old 06-21-07, 12:39 PM
  #12  
MLevinson
Pole Position
 
 
Join Date: Dec 2006
Location: NC
Posts: 311

Originally Posted by Drunkebuda
You know what, if they wanted to steal my car and have the tech to do it, then all for them, because I will get a new car then from the insurance.
...or they just lift it by towing it away, then they can work on it at their leisure.
Old 06-21-07, 12:41 PM
  #13  
Drunkebuda
Lexus Test Driver
 
 
Join Date: Dec 2006
Location: Wa
Posts: 1,537

Originally Posted by MLevinson
...or they just lift it by towing it away, then they can work on it at their leisure.
True that, but who has a tow truck lying around and doesn't have people see them tow it?
Old 06-21-07, 12:44 PM
  #14  
MLevinson
Pole Position
 
 
Join Date: Dec 2006
Location: NC
Posts: 311

Originally Posted by Drunkebuda
True that, but who has a tow truck lying around and doesn't have people see them tow it?
Funny you say that: my father's Volvo was ripped off that same way. I'm sure onlookers thought it was an AAA vehicle towing it, when what really happened was someone ripped it off spoofing as Roadside Assistance.

No one even looked twice.
Old 06-21-07, 01:25 PM
  #15  
lobuxracer
Tech Info Resource

Join Date: Jul 2006
Location: Georgia
Posts: 22,433

Originally Posted by MLevinson
This is the crux - yes encryption(s) can be broken, but how long does it take and has the PSK changed at the other end..? As I understand it, the keys are "roaming" - so in essence, you have only one shot at doing this. As soon as that fob is sent a request [in this case from the ECU] for authentication, a new key is then generated thereafter. So even if someone did grab and hack the RFID encryption, it will be useless unless this can be transmitted back before the fob is returned.

Make sense...?
Makes sense, but that's not how it works. Let's say I want to authenticate who you are. I have a preconfigured algorithm for handling a secret. You have this same algorithm (you also may have a number of algorithms and I tell you which one I want you to use in my initial message). I pass you a message and you process it with the algorithm we agreed upon. You send me the result of this process. I run this same algorithm with the same secret I passed to you. I compare the result I got with the result you gave me. If they match (true=1), then I can say with reasonable certainty it is you.

If someone knows the algorithms and encryption used, they can play either man-in-the-middle or they can impersonate you. The average "rolling code" is fairly simple to manipulate because they (especially the older ones) use a single fixed algorithm that the attacker knows. More modern systems use multiple algorithms and select one of them randomly that the receiver also has and can identify using a flag sent with the original request. This helps prevent predicting the new code by introducing additional uncertainty.

Whether Toyota has adopted this methodology is a good question. One of the things in their favor is they are the only remaining major manufacturer whose ECM code has not been cracked. They do take IP security very seriously at Toyota, so I would not at all be surprised if the authentication technology they use is cutting edge. Besides, all of us who specialise in IT security know that any authentication system can be spoofed, it's just a matter of cost.
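The challenge/response flow lobuxracer sketches in posts #9 and #15 (ECU issues a challenge and names the algorithm, fob computes an answer over a shared secret, ECU recomputes and compares), and the "one shot" behaviour MLevinson asks about in #11, written out as a small generic model. This is an added example for the thread, not Toyota's or Lexus's actual protocol and not code from any poster; the keyed-hash construction, the two-entry algorithm menu, the 8-byte nonce and response length, and the class and function names are all assumptions chosen for illustration. It also shows the two attacker cases from post #15 side by side: a recorded response replayed against a fresh challenge is rejected, while a relay that forwards the live challenge to the real key and the answer back is accepted, because challenge/response alone cannot tell a relayed fob from one sitting in the driver's pocket.

```python
"""Toy immobilizer challenge/response (illustrative only; not Toyota's protocol)."""
import hashlib
import hmac
import secrets

# Assumption: ECU and fob share a symmetric secret and a small menu of response
# algorithms; the ECU names the algorithm to use in each challenge (the "flag").
ALGORITHMS = {0: hashlib.sha256, 1: hashlib.sha512}
RESPONSE_BYTES = 8


def compute_response(secret: bytes, alg_id: int, challenge: bytes) -> bytes:
    """Both sides derive the answer identically: keyed hash over alg_id || challenge."""
    mac = hmac.new(secret, bytes([alg_id]) + challenge, ALGORITHMS[alg_id])
    return mac.digest()[:RESPONSE_BYTES]


class Fob:
    """Key-side transponder: answers whatever challenge it is handed."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, alg_id: int, challenge: bytes) -> bytes:
        return compute_response(self._secret, alg_id, challenge)


class CertificateECU:
    """Car side: issues a fresh challenge per start request and checks the answer."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending = None  # (alg_id, challenge) awaiting an answer, or None

    def challenge(self) -> tuple[int, bytes]:
        alg_id = secrets.choice(sorted(ALGORITHMS))  # random algorithm selection
        nonce = secrets.token_bytes(8)               # fresh, unpredictable per request
        self._pending = (alg_id, nonce)
        return alg_id, nonce

    def verify(self, response: bytes) -> bool:
        """True means 'release the start certificate to the ECM'. Each challenge
        is single-use, so a correct answer is only accepted once."""
        if self._pending is None:
            return False
        alg_id, nonce = self._pending
        self._pending = None
        expected = compute_response(self._secret, alg_id, nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare


def legitimate_start(ecu: CertificateECU, fob: Fob) -> bool:
    alg_id, nonce = ecu.challenge()
    return ecu.verify(fob.respond(alg_id, nonce))


def replay_attack(ecu: CertificateECU, fob: Fob) -> bool:
    """Attacker records one good exchange, then replays the answer later."""
    alg_id, nonce = ecu.challenge()
    recorded = fob.respond(alg_id, nonce)
    ecu.verify(recorded)          # the owner's own start consumes this challenge
    ecu.challenge()               # attacker presses the button: new nonce
    return ecu.verify(recorded)   # stale answer does not match the new nonce


def relay_attack(ecu: CertificateECU, fob: Fob) -> bool:
    """Attacker relays the live challenge to the real fob and the answer back.
    The fob may be far away; the ECU sees a correct, fresh response."""
    alg_id, nonce = ecu.challenge()
    forwarded = fob.respond(alg_id, nonce)
    return ecu.verify(forwarded)


if __name__ == "__main__":
    shared = secrets.token_bytes(16)  # constructed secret, stands in for key programming
    car, key = CertificateECU(shared), Fob(shared)
    stranger = Fob(secrets.token_bytes(16))
    print("own key starts:     ", legitimate_start(car, key))       # True
    print("foreign key starts: ", legitimate_start(car, stranger))  # False
    print("replayed answer:    ", replay_attack(car, key))          # False
    print("relayed answer:     ", relay_attack(car, key))           # True
```

The nonce is what gives the "one shot" property MLevinson describes: the shared secret does not change, but the question does, so a captured answer is worthless after the challenge it belonged to has been consumed. What this construction does not address is the relay case, where the attacker never needs the secret at all; that is the man-in-the-middle path lobuxracer mentions, and it is the reason passive-entry systems tend to add distance bounding or motion-based fob sleep on top of the challenge/response.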

