undefined | Better HN

0 pointsthe_mitsuhiko7mo ago0 comments

> Pretty much any proprietary encryption algorithm is going to qualify as "rolling your own".

It came out of a university and was acquired.

> I hope that products manufactured post 2005 use strong publicly available cryptography.

A lot of the challenges are related to key pairing and relaying of wireless information in combating with jamming. It’s a tricky thing to secure given the circumstances.

> I don't follow?

Cars stand around 99% of the time and easy to get into. pairing protocols assume that physical access is restricted / not possible. That’s why it’s so much harder to secure car key pairing. What would make it more secure is delegating the security to a remote service which is secured. Eg: what Tesla does with their keys.

0 comments

fc417fc8027mo ago

That changes nothing. The idea behind not rolling your own isn't just deliberate expert design but also open review by other unrelated experts.

> It’s a tricky thing to secure given the circumstances.

You are hand waving and you are wrong. If you are going to make claims then be specific and make solid points. The various algorithmic solutions are simple and common knowledge these days. I went into more detail in adjacent comments.

By your own logic the physical entry key isn't secure either. After all the car is just sitting around - anyone could jimmy the lock. Similarly all it takes is a decent photograph or two with a telephoto lens to reproduce your typical physical key that will get you in the door.

But all of that is entirely off topic. The broken and outdated wireless algorithm has nothing to do with the criteria used by the vehicle to decide whether or not someone is authorized to enroll or revoke a key. Tie that to possession of the physical key and problem solved. If you can't drive off with the vehicle then you can't pair a new fob either.

the_mitsuhikoOP7mo ago

> The various algorithmic solutions are simple and common knowledge these days.

Honestly I'm not really sure what you are trying to get to. If you think this is a solved problem, it's really not. [1]

> The broken and outdated wireless algorithm has nothing to do with the criteria used by the vehicle to decide whether or not someone is authorized to enroll or revoke a key. Tie that to possession of the physical key and problem solved.

It has something to do with it in the sense that key pairing that just requires physical presence through the key is susceptible to rolljam type attacks. Likewise the NFC attacks against Tesla also involved enrolling a new key on the car via a relay attack to a present NFC key. You're saying this is so easily solvable, yet time and time again it's shown that this is just a really hard problem to solve.

[1]: https://arxiv.org/pdf/2505.02713

j / k navigate · click thread line to collapse