undefined | Better HN

0 pointsphire7mo ago0 comments

You don't even need a physical connection.

As long as you have two-way wireless communication (which any keyless entry/start system does), then you can simply do a Diffie-Hellman key exchange during the pairing process.

Diffie-Hellman is designed for exactly this usecase, allowing two parties to derive a shared secret key over a public channel without exposing it.

0 comments

tux19687mo ago

That allows the conversation to proceed in secret from listeners, but it provides no authentication to ensure that only legitimate parties are involved. The reason for physical contact is to "prove" that you are legitimately in control of the vehicle, not a random passerby.

kube-system7mo ago

Physical possession isn't enough to prove someone is legitimately in control of the vehicle, though. If a physical connection under the dash will hand out the key, you can bust the window, and get the key.

Part of the utility of the baked-in manufacturer key is that it is unable to be extracted by thieves.

userbinator7mo ago

Clearly it isn't "unable to be extracted" as the other comments here have remarked.

Having to break into the vehicle already raises the bar significantly and makes the security equivalent to a physical lock.

wat100007mo ago

It works well enough to just require some action to be taken on both ends. Push a button on the opener (or an already-paired remote), then pair the remote while the opener is in the pairing state. It’s possible for a passerby to intercept, but they’d have to have very good timing.

tux19687mo ago

Pressing a button on the opener is physical contact. That's the entire idea that the OP was trying to relay, that you need some physical way to prove that you're eligible to pair. Not that the key itself had to be hard-wired for the process to proceed.

1 more reply

phireOP7mo ago

I'm not sure you should be that concerned about man-in-the-middle attacks.

If someone does successfully MITM while walking by the key is going to stop working as soon as they are out of range, and you will notice.

I'm just wanting a system that could be implemented with the hardware that's already there. I guess you could use the RFID chip that most keyless start cars already have as a secondary channel. Still Not 100% secure, but the MITM device would need to be physically in your car to intercept the pairing request, and at that point you have bigger problems.

tux19687mo ago

Sorry, I didn't mean to make it sound like the problem was MITM. The issue is initiating a pairing request, you can't allow just any key to request it, that allows bad actors to pair a key with your car.

While I worry that it's not really secure enough, the OP was suggesting that physical contact is a way to "prove" that you are indeed eligible to pair, by excluding everyone who lacks physical contact.

2 more replies

jandrese7mo ago

In theory, but since this attack has to happen at the time of pairing and leaves evidence--the key you are trying to pair doesn't work afterward--I don't think this is a realistic concern.

amy_petrik7mo ago

>In theory, but since this attack has to happen at the time of pairing and leaves evidence--the key you are trying to pair doesn't work afterward-

You're assuming the goal is to discretely enter the vehicle and leave no trace. If we consider the Kia challenge [https://en.wikipedia.org/wiki/Kia_Challenge] then the goal is to take possession of the vehicle in an immediate and opportunistic fashion. If the possession fails and the key FOB now stops working, whatever, not the thiefs care. If the possession works, now there's a sweet car to abuse. Or, in the case of a crime syndicate, a sweet car to take to the chop shop.

This type of attack is not to mention a simple relay attack. If radio waves of a home (say near the front door, where the keys are stored) are relayed to another location (the car, 30 feet away), then the exact crypto and protocol is irrelevant, the car "sees" the real life actual FOB as nearby. That's another attack used in the wild.

aDyslecticCrow7mo ago

I think you're overcomplicating it. The primary purpose of field programming is manufacturing logistics. Produce a billion identical devices with identical firmware, and then pair the key once to the car.

So it just needs to block rewrites, and the risk of any security barrier breach is negligible since it's done in factory.

tenacious_tuna7mo ago

> The primary purpose of field programming is manufacturing logistics

Or if I lose my car key

numpad07mo ago

I think this is technically correct but a bit confusing, since "pairing" processes usually require user actions at both ends. A keyhole that reprograms to any key from the outside makes little sense.

conradev7mo ago

A PAKE scheme with a passcode communicated out of band during pairing feels more appropriate to make sure no one is snooping.

A one-time out of band authentication (usually some form of trusted physical interaction) is key if you don’t want to trust intermediaries.

theamk7mo ago

Given how bad the "single master key" idea is, even simple update like "transmit secret key in the open, but with reduced power, during paring mode", would be a great improvement.

It'd instantly mean there is 0% chance of someone figuring the key based on day-to-day operation.

j / k navigate · click thread line to collapse

0 comments

tux19687mo ago

kube-system7mo ago

Part of the utility of the baked-in manufacturer key is that it is unable to be extracted by thieves.

userbinator7mo ago

Clearly it isn't "unable to be extracted" as the other comments here have remarked.

Having to break into the vehicle already raises the bar significantly and makes the security equivalent to a physical lock.

wat100007mo ago

tux19687mo ago

1 more reply

phireOP7mo ago

I'm not sure you should be that concerned about man-in-the-middle attacks.

If someone does successfully MITM while walking by the key is going to stop working as soon as they are out of range, and you will notice.

tux19687mo ago

2 more replies

jandrese7mo ago

In theory, but since this attack has to happen at the time of pairing and leaves evidence--the key you are trying to pair doesn't work afterward--I don't think this is a realistic concern.

amy_petrik7mo ago

>In theory, but since this attack has to happen at the time of pairing and leaves evidence--the key you are trying to pair doesn't work afterward-

aDyslecticCrow7mo ago

So it just needs to block rewrites, and the risk of any security barrier breach is negligible since it's done in factory.

tenacious_tuna7mo ago

> The primary purpose of field programming is manufacturing logistics

Or if I lose my car key

numpad07mo ago

I think this is technically correct but a bit confusing, since "pairing" processes usually require user actions at both ends. A keyhole that reprograms to any key from the outside makes little sense.

conradev7mo ago

A PAKE scheme with a passcode communicated out of band during pairing feels more appropriate to make sure no one is snooping.

A one-time out of band authentication (usually some form of trusted physical interaction) is key if you don’t want to trust intermediaries.

theamk7mo ago

Given how bad the "single master key" idea is, even simple update like "transmit secret key in the open, but with reduced power, during paring mode", would be a great improvement.

It'd instantly mean there is 0% chance of someone figuring the key based on day-to-day operation.

j / k navigate · click thread line to collapse