Assignment 5: Cars and Key Fobs (2021)

Hands-on RF and key-fob hacking

  • Low-cost SDRs make RF jamming/relay/replay experiments accessible; people replicate the assignment’s attacks as student/hobby projects.
  • Some note that legacy automotive ciphers (HiTag2, Megamos) were weak proprietary designs; modern fob hardware can run AES, but a stronger cipher alone does not fix replay or relay, which are protocol-level problems and remain the hard part.

Smartphone / “Apple-style” car keys

  • One side imagines an “iPhone on wheels”: FaceID, secure enclave, MFA, easy digital key sharing, Express Mode, and backup tokens (PIN, card, fob).
  • Others worry about usability and edge cases: loaning the car when far away, phone dead, car battery dead, being injured or drunk, or non-technical relatives.
  • There’s skepticism that automakers and app developers will resist “enshittifying” these flows with role/permission schemes and cloud dependencies.

Remote override and government control

  • A speculative idea: authorities could remotely unlock and route a car to a hospital.
  • Strong pushback: any remote hijack channel is seen as dangerous and ripe for abuse by police, insiders, or attackers.

UWB, distance-bounding, and relay attacks

  • BMW-style UWB keys measure time of flight with very short pulses, so a relay that adds even nanoseconds of latency shows up as extra distance; this is the defence against “mafia fraud” relay attacks.
  • Commenters say UWB digital key standards now exist and some new cars require the fob to be within centimeters to start.
  • Others note this mainly matters for passive keyless systems; older designs only checked that a fob holding the right key answered (liveness), not how far away it was.
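The distinction the last two bullets draw, a car that only verifies the fob’s answer versus one that also bounds its distance, is easiest to see in a simulation. The following is an added example, not material from the assignment or from any manufacturer’s protocol: a toy passive-entry exchange in which the car issues a single-use nonce, the fob answers with an HMAC over it, and the car converts the round-trip time into an apparent distance. The propagation constant, the fob turnaround time, the 2 m policy and the relay latencies are all constructed assumptions.

```python
import hashlib
import hmac
import math
import os
from dataclasses import dataclass
from typing import Optional

# Constructed simulation constants (assumptions, not values from any real vehicle):
LIGHT_SPEED_M_PER_NS = 0.2998   # radio waves cover ~30 cm per nanosecond
FOB_TURNAROUND_NS = 1_000       # fixed time the fob needs to compute its answer, known to the car
MAX_FOB_DISTANCE_M = 2.0        # car-side policy: start only if the fob is within 2 m


class Fob:
    """Passive key: answers any challenge it hears with a MAC over that challenge."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()[:16]


@dataclass
class Verdict:
    accepted: bool
    reason: str
    apparent_distance_m: float


class Car:
    """Issues single-use challenges and checks both the MAC and the round-trip time."""

    def __init__(self, key: bytes, max_distance_m: float = MAX_FOB_DISTANCE_M) -> None:
        self.key = key
        self.max_distance_m = max_distance_m   # math.inf models a liveness-only car
        self.outstanding: Optional[bytes] = None

    def challenge(self) -> bytes:
        self.outstanding = os.urandom(16)
        return self.outstanding

    def verify(self, response: bytes, round_trip_ns: float) -> Verdict:
        if self.outstanding is None:
            return Verdict(False, "no challenge outstanding", math.nan)
        expected = hmac.new(self.key, self.outstanding, hashlib.sha256).digest()[:16]
        self.outstanding = None                 # each challenge is accepted at most once
        if not hmac.compare_digest(expected, response):
            return Verdict(False, "bad MAC (wrong key or replayed answer)", math.nan)
        flight_ns = max(round_trip_ns - FOB_TURNAROUND_NS, 0.0)
        distance_m = flight_ns / 2 * LIGHT_SPEED_M_PER_NS
        if distance_m > self.max_distance_m:
            return Verdict(False, f"fob too far ({distance_m:.1f} m)", distance_m)
        return Verdict(True, "ok", distance_m)


def exchange(car: Car, fob: Fob, distance_m: float, relay_delay_ns: float = 0.0) -> Verdict:
    """One challenge/response over a simulated path. relay_delay_ns is the extra latency
    a relay box adds in each direction; 0 means the fob is heard directly."""
    challenge = car.challenge()
    one_way_ns = distance_m / LIGHT_SPEED_M_PER_NS + relay_delay_ns
    response = fob.respond(challenge)
    return car.verify(response, 2 * one_way_ns + FOB_TURNAROUND_NS)


def honest_start(key: bytes = b"demo-key") -> Verdict:
    """Owner standing 1 m from the door."""
    return exchange(Car(key), Fob(key), distance_m=1.0)


def relayed_start(key: bytes = b"demo-key", check_distance: bool = True) -> Verdict:
    """Fob is 30 m away (e.g. indoors); two relay boxes each add 50 ns of electronics delay.
    The MAC is genuine, so only the distance check can reject it."""
    car = Car(key, MAX_FOB_DISTANCE_M if check_distance else math.inf)
    return exchange(car, Fob(key), distance_m=30.0, relay_delay_ns=50.0)


def replayed_start(key: bytes = b"demo-key") -> Verdict:
    """Attacker records one valid answer and plays it back against a fresh challenge."""
    car, fob = Car(key), Fob(key)
    recorded = fob.respond(car.challenge())
    car.challenge()                              # new session, new nonce
    return car.verify(recorded, 2 * 1.0 / LIGHT_SPEED_M_PER_NS + FOB_TURNAROUND_NS)


if __name__ == "__main__":
    print("honest   :", honest_start())
    print("relay    :", relayed_start())
    print("liveness :", relayed_start(check_distance=False))
    print("replay   :", replayed_start())
```

The relayed run is the instructive one: the fob’s answer is cryptographically perfect, yet the round trip reports roughly 45 m, so a distance-bounding car refuses it while a liveness-only car (the `math.inf` variant) starts. In a real UWB system the fob’s turnaround jitter has to be well below the nanoseconds that correspond to the distance bound, which is why this is done in dedicated radio hardware rather than in firmware.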

Mechanical keys, immobilizers, and easy physical attacks

  • Traditional car locks are often trivial to rake; some brands historically reused key cuts across many vehicles.
  • Immobilizers and OBD/CAN “emergency start devices” shifted theft to electronics rather than pure mechanical entry.
  • Anecdotes describe alarms that sometimes (but not always) ignore a mechanical-key unlock.

Owner workarounds: Faraday cages and “sleeping” keys

  • People use Dutch ovens, microwaves, Faraday pouches, or tins to block RF when keys are at home.
  • Some manufacturers implement motion-triggered key sleep or manual “disable keyless entry” sequences, which are appreciated but depend on user diligence.

Aftermarket hardening and tracking

  • A “gold standard” stack mentioned: CAN-bus lock (IGLA), hidden fuel-pump kill switch, and hidden GPS tracker with backup battery.
  • Others counter that tow trucks, onboard Faraday cages, and cheap GPS jammers can defeat trackers; determined thieves strip cars quickly.

Convenience vs reliability: keyless and phone-as-key

  • Pro-keyless commenters rave about never touching keys: walk up, grab handle, press start; ideally just carry a phone.
  • Critics see it as a Rube Goldberg answer to a minor inconvenience, and dislike adding the phone as another single point of failure.
  • Debate centers on trade-offs between everyday friction (bulky keys, gloves in winter, lockouts) and rare but severe failures (lost/broken phone, dead batteries).

Why isn’t this “solved” with simple crypto?

  • Several propose straightforward challenge–response with shared secrets and hashes.
  • Others explain complications:
    • Many fobs are transmit-only for power/cost reasons, so the car has nothing to send a challenge to; they rely on rolling counters instead.
    • Relay attacks still work if the car doesn’t verify distance/time-of-flight, no matter how strong the cryptography.
    • Key provisioning, replacement without an original, and keeping complexity aligned with the car’s inherently low physical security all matter.
    • Early systems required a button press, so the fob never transmitted unless the owner acted; passive keyless lets the car initiate, so any fob within (real or relayed) range answers, which opened new attack surfaces.
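To show why “just do challenge–response” is not an option for a transmit-only fob, and what the usual counter-based alternative does and does not protect against, here is an added example (not from the assignment or any vendor): a button-press fob that emits counter || command || HMAC, and a receiver that accepts a frame only if the tag verifies and the counter is ahead of the last accepted one but within a resynchronisation window. The key, window size and tag length are constructed assumptions.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

TAG_LEN = 8   # assumed truncated-HMAC length for the air frame


class ButtonFob:
    """Transmit-only fob: it has no receiver, so it cannot answer a challenge.
    Each press emits counter || command || HMAC and bumps the counter."""

    def __init__(self, key: bytes, counter: int = 0) -> None:
        self.key = key
        self.counter = counter

    def press(self, command: bytes = b"unlock") -> bytes:
        self.counter += 1
        body = struct.pack(">I", self.counter) + command
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class Receiver:
    """Car side: accepts a frame only if its tag verifies and its counter is ahead of the
    last accepted one but within WINDOW, so presses made out of range do not desync the pair."""

    WINDOW = 16   # assumed resync window

    def __init__(self, key: bytes, last_counter: int = 0) -> None:
        self.key = key
        self.last_counter = last_counter

    def accept(self, frame: bytes) -> Tuple[bool, str]:
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"
        (counter,) = struct.unpack(">I", body[:4])
        if counter <= self.last_counter:
            return False, f"replay: counter {counter} already used"
        if counter > self.last_counter + self.WINDOW:
            return False, f"counter {counter} outside window, resync required"
        self.last_counter = counter
        return True, "ok"


def run_scenarios(key: bytes = b"demo-key") -> Dict[str, bool]:
    """Exercise the receiver against an honest owner, a straight replay, window resync,
    and a captured-but-undelivered code. Returns whether each frame was accepted."""
    fob, car = ButtonFob(key), Receiver(key)
    results: Dict[str, bool] = {}

    frame = fob.press()
    results["first press"] = car.accept(frame)[0]             # counter 1: accepted
    results["straight replay"] = car.accept(frame)[0]         # counter 1 again: rejected

    for _ in range(5):                                        # presses the car never heard
        fob.press()
    results["after 5 missed presses"] = car.accept(fob.press())[0]   # counter 7, inside window

    for _ in range(Receiver.WINDOW + 1):                      # 17 more unheard presses
        fob.press()
    results["after 17 missed presses"] = car.accept(fob.press())[0]  # counter 25 > 7 + 16: rejected

    # A press the car never received (out of range, or jammed) is still ahead of the
    # receiver's counter, so it remains valid until a later press overtakes it. This is the
    # inherent limit of counter windows on a fob that cannot be challenged.
    fob2, car2 = ButtonFob(key), Receiver(key)
    car2.accept(fob2.press())                                 # owner's press, counter 1
    captured = fob2.press()                                   # counter 2, not delivered
    results["captured unseen code replayed later"] = car2.accept(captured)[0]   # accepted
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:40s} {'accepted' if ok else 'rejected'}")
```

The counter buys replay protection for frames the car has already seen and nothing more: without a receiver in the fob there is no nonce to bind the answer to, so freshness is only as good as the receiver’s view of the counter. That is the gap the two-way, distance-bounded designs discussed above exist to close, at the cost of the power, complexity and provisioning issues the thread lists.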

Insurance, theft patterns, and manufacturer responsibility

  • Some models (e.g., certain luxury SUVs) are reportedly stolen so often that insurers raise rates sharply; there’s a suggestion manufacturers should subsidize or fully cover insurance until they fix vulnerabilities.
  • Others note operating costs (including insurance) should be part of purchase decisions, but acknowledge that new vulnerabilities and rate hikes often appear after purchase.
  • Commenters point out that simple physical theft (windows, tow trucks, opportunistic “Kia Boys”-style attacks) still dominates, so “good enough to stop crackheads” may be sufficient for many buyers.

Cost, lock-in, and dealer monopolies on fobs

  • Modern encrypted fobs are expensive to replace; examples include ~$550 for a single replacement at a dealer.
  • Manufacturers often restrict programming to dealers; independent locksmiths rely on gray-market tooling and play cat-and-mouse with new immobilizer systems.
  • Some hope security research and protocol exposure will eventually reduce monopolistic pricing without weakening defenses.

Misc course-related notes

  • A few past students praise the Stanford class; one wonders why only two slide decks are posted, speculating the instructor stopped uploading material.