by bmitc 1271 days ago
Do those arguments really hold up though? I get that these devices are sort of the “messenger” in “don’t shoot the messenger”, but still. Security is about appropriate security. A general teenager or thief wanting to cause issues would not know what to do with an SDR and laptop, versus something like the Flipper making it point and click. So now that something is made so readily available, we need to increase the cost and complexity of various locks?

I’m not arguing for or against anything here, but what I am arguing is that the discussion seems more nuanced.

Is there an easy solution to improve locks on cars?


There are a bunch of semi-easy tools for lockpicking too and a good percentage of American locks are reeeally bad at thwarting even a novice picker. In worst cases you just need a flat piece of metal.

Too many fancy electronic locks can be bypassed with a single magnet placed correctly.

https://www.youtube.com/@lockpickinglawyer

These devices are the electronic equivalent of a lock-pick. They still need skill and intent to use, by itself they shouldn't be illegal. They should motivate companies to make proper security measures.

You can grab a $10 ESP32 and a battery pack, load some ready-made software on it and flood everything in a 50 meter radius with so many fake Wifi-APs most devices will go offline. Or you can deauth every wireless device within range.

The tech is available and doesn't require much skill to use.
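The beacon-flood and deauth attacks described above are easy to spot on the wire if you look at the management frames. As an added example, not code from the thread or from any of the tools it mentions, here is a small detector run over frames constructed inline (no real capture); the frame builder, the one-second window and the thresholds are assumptions a deployment would tune.

```python
"""Flag 802.11 deauthentication floods and fake-AP beacon floods in management frames.

Added example, not from the thread. The frames are constructed inline (no real
capture) and the thresholds are assumptions a deployment would tune.
"""
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0
SUBTYPE_BEACON = 8
SUBTYPE_DEAUTH = 12
BROADCAST = b"\xff" * 6


def mac_str(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)


def build_mgmt_frame(subtype: int, src: bytes, bssid: bytes, body: bytes = b"",
                     dst: bytes = BROADCAST, seq: int = 0) -> bytes:
    """Minimal 802.11 management frame: FC, duration, addr1-3, sequence control, body."""
    fc = (subtype << 4) | (MGMT_TYPE << 2)  # protocol version 0, no flags
    return struct.pack("<HH", fc, 0) + dst + src + bssid + struct.pack("<H", seq << 4) + body


def parse_mgmt_frame(frame: bytes):
    """Return subtype and addresses for a management frame, or None for anything else."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != MGMT_TYPE:
        return None
    return {"subtype": (fc >> 4) & 0xF, "dst": frame[4:10], "src": frame[10:16], "bssid": frame[16:22]}


class WifiFloodDetector:
    """Sliding-window counters: deauths per source address, distinct BSSIDs beaconing."""

    def __init__(self, window_s: float = 1.0, deauth_threshold: int = 20,
                 beacon_bssid_threshold: int = 50) -> None:
        self.window_s = window_s
        self.deauth_threshold = deauth_threshold
        self.beacon_bssid_threshold = beacon_bssid_threshold
        self.deauths = defaultdict(deque)  # src -> timestamps of deauth frames
        self.beacons = deque()             # (timestamp, bssid) of beacons seen

    def observe(self, ts: float, frame: bytes) -> list:
        alerts = []
        f = parse_mgmt_frame(frame)
        if f is None:
            return alerts
        if f["subtype"] == SUBTYPE_DEAUTH:
            q = self.deauths[f["src"]]
            q.append(ts)
            while q and ts - q[0] > self.window_s:
                q.popleft()
            if len(q) == self.deauth_threshold:  # fire once, when the threshold is crossed
                alerts.append(f"deauth flood from {mac_str(f['src'])}: {len(q)} frames in {self.window_s}s")
        elif f["subtype"] == SUBTYPE_BEACON:
            self.beacons.append((ts, f["bssid"]))
            while self.beacons and ts - self.beacons[0][0] > self.window_s:
                self.beacons.popleft()
            distinct = len({b for _, b in self.beacons})
            if distinct == self.beacon_bssid_threshold:
                alerts.append(f"beacon flood: {distinct} distinct BSSIDs in {self.window_s}s")
        return alerts


def simulate() -> dict:
    """Constructed traffic: benign frames, then a deauth flood, then a beacon flood."""
    det = WifiFloodDetector()
    ap = bytes.fromhex("aabbccddeeff")        # constructed, the real AP
    attacker = bytes.fromhex("02deadbeef01")  # constructed, the attacker's radio
    reason = struct.pack("<H", 7)             # reason code 7: class 3 frame from non-associated STA
    alerts = []
    # Benign: one real deauth from the AP and its normal beacons (every ~100 ms)
    alerts += det.observe(0.00, build_mgmt_frame(SUBTYPE_DEAUTH, ap, ap, struct.pack("<H", 3)))
    for i in range(5):
        alerts += det.observe(0.1 * i, build_mgmt_frame(SUBTYPE_BEACON, ap, ap, seq=i))
    benign = len(alerts)
    # Attack 1: spoofed broadcast deauths from one radio, 30 in 300 ms
    for i in range(30):
        alerts += det.observe(1.0 + 0.01 * i, build_mgmt_frame(SUBTYPE_DEAUTH, attacker, ap, reason, seq=i))
    # Attack 2: 60 fake access points, each beaconing under its own BSSID
    for i in range(60):
        fake = b"\x02" + i.to_bytes(5, "big")
        alerts += det.observe(2.0 + 0.01 * i, build_mgmt_frame(SUBTYPE_BEACON, fake, fake))
    return {"benign_alerts": benign, "alerts": alerts}


if __name__ == "__main__":
    for line in simulate()["alerts"]:
        print(line)
```

In practice the frames would come from a monitor-mode capture rather than `build_mgmt_frame`, and the thresholds need tuning per site (a busy office legitimately has dozens of BSSIDs). Detection is only a compensating control: the protocol-level fix for spoofed deauths is 802.11w (protected management frames), which makes the AP and clients reject unauthenticated deauthentication frames.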

Exactly, and in regard to the parent comment mentioning teenagers: They are exactly the group that needs the Flipper least because they might not have money but they often have plenty of time.

If anything the Flipper helps to spread the knowledge where the frontier of practical feasibility is to a wider demographic. This demarcation line is far from trivial but the world would be a better place if all of us knew more about what they should be afraid of and where they can chill.

> and in regard to the parent comment mentioning teenagers: They are exactly the group that needs the Flipper least because they might not have money but they often have plenty of time.

That was my point.

If your security model can't stand up to teenagers with plenty of time, it might be time to reconsider it.

I was more addressing the idea that the Flipper device, while cool, seems to stand to do more harm than good by making its functionality so readily available to a wide class of people. Yes, it is generally a good idea to not oversupply teenagers with things that do things they otherwise couldn't but do harm.

Cars are trivially broken into. Increasing the safety of the locking mechanism would do some good but not prevent it. This is what I was referring to by appropriate. Maybe that weakens my argument about at least considering the Flipper as a potentially harmful device, but the Flipper can do a lot of things.

There is a lot of security that relies on things simply being inconvenient.

> There is a lot of security that relies on things simply being inconvenient.

Remember how in the mid-00s it was pretty trivial for any nerd with a Linux laptop to sniff traffic on a WiFi network and intercept passwords? For years the security-aware community was making a point of this, but major web sites just kept using unencrypted HTTP for their logins and such.

Then someone released a Firefox extension which made it literally point and click for almost anyone on any OS to capture and reuse passwords over the air. Suddenly it went from trivial for nerds with the right tools and a bit of training to trivial for anyone who wants to try, and very soon after that we started seeing the "HTTPS Everywhere" movement explode in popularity, sites like Facebook locking down at least their login endpoints if not the entire site to only work over HTTPS, etc.

Insecure communication was always a problem, but it took the combination of popularity of WiFi and point-and-click tools to make the world care enough for the problems to get solved. Until that happened, those with the ability to solve it didn't care enough because it didn't impact their bottom line because not enough of their customers cared.

> There is a lot of security that relies on things simply being inconvenient.

Good, this will hopefully lead to less of that.

edit: Like Firesheep, as my sibling comment pointed out.

> A general teenager or thief wanting to cause issues would not know what to do with an SDR and laptop, versus something like the Flipper making it point and click.

This is where the story falls apart. I own both a HackRF One and a Flipper. I thought it would be a great teaching tool for my kids to show them physical world insecurities. While it's a great device it's nowhere near as potent as the HackRF as a real tool. And straight out of the box the Flipper does very little from a nefarious point of view.

The "influencers" did a great job of hyping it up on YouTube and Twitter. And my guess is that the majority of the devices sold will be used to pop Tesla charge port doors for giggles. I've gone through a few different firmware and repos and you've got to have just as much interest to learn and use compared with an SDR. And in fact in many cases the Flipper is harder to use because it's limited by its physical footprint.

It's a fun little tool but it's not making much "point and click" besides a handful of known replay attacks that shouldn't have existed in the first place. If anything I hope the Flipper pushes the likes of physical access systems manufacturers / integrators to be questioned on why their systems fail to authorize access correctly against trivial attacks. This is not the fault of tools like Flipper.

> If anything I hope the Flipper pushes the likes of physical access systems manufacturers / integrators to be questioned on why their systems fail to authorize access correctly against trivial attacks.

That's a good point on it moving the needle where there's reason and capability to.

Yes it holds up. Those poor billion dollar companies selling stuff with critical flaws should have been fined many decades ago (all the issues talked about in this tweet are literally 20 years old, I can probably go find a Defcon video from 20 years ago where they exploit the same bugs on the top 5 vehicle vendors).

> A general teenager or thief wanting to cause issues would not know what to do with an SDR and laptop, versus something like the Flipper making it point and click

This is just your imagination. Flipper is barely less obscure than running some scripts on a Linux laptop, both of which general teens can do.

Many solutions exist (rolling codes, encryption, tight timing etc.) that make it difficult to open a vehicle quickly. The main issue is that there are still cars being sold which might as well have no locks at all.

No locks means people are less likely to break the windows and leave a mess or get injured themselves.

Your average teenager or thief won't know how to pick a lock either, yet everyone installs pick resistant locks instead of cheaper alternatives.

Yes. Your security might have been good enough, but world moves on. Back in the day Triple DES was good enough, but you are very irresponsible if you use it today.

I get that whenever you are looking at anything from inside the industry there is a constant need to make processes faster and cheaper. I am sure all car manufacturers would immediately remove seat belts and air bags if they could. However, is maximizing profit really what society needs? I think we should have more laws and regulations around product security. *All* products should meet some minimum security standard, but until we have some governing body that can enforce this we will from time to time run into issues like with this device, where the large company is a decade or more behind the world due to neglecting R&D and now they don't want to pay for their mistakes.

> everyone installs pick resistant locks instead of cheaper alternatives.

What geographic area? In the northeast US I've noticed that the cheap, easy to pick locks seem to dominate.

How would you even tell? Is there some kind of independent certification of pick resistance?

Of course all lock companies will say that their lock is secure.

> How would you even tell?

It’s pretty easy to tell if you know what you’re looking for. Most reputable quality pick resistant locks use a different style key or are a specific identifiable brand.

You're thinking too hard. Most locks aren't anything more complicated than a simple pin and tumbler setup, so anything more than that is more secure. Who cares if a Schlage Primus key is better or worse than some Medeco lock, you've successfully made it more annoying to break into your house/office/warehouse.

Based largely on the keys and certain brands and easily recognizable kinds of lock (e.g., Kwikset). Even in commercial buildings the default often seems to be cheap locks.

> Is there an easy solution to improve locks on cars?

Public/Private Keys? You know a secure protocol like SSH?

Or even simple HMAC if you want to go low-power and brain-dead.

Doesn't help against a common attack possible for all reasonably modern luxury cars (which happen also to be the most interesting targets).

For these cars it's enough that the key is near and it is considered a feature that no user interaction (like pressing a button on the keyfob) is required. This can be exploited by relaying the signal from the original key to an attacker who is near the car. Cryptography alone cannot protect against this attack scenario (which is called a "relay attack", not to be confused with a "replay attack").

>No cryptography can protect against this scenario

I remember reading about how MITM is prevented in U2F [1] by using information about the connection as part of the challenge that the authenticator has to sign. Could something similar be possible in this scenario?

[1] https://fidoalliance.org/specs/u2f-specs-master/fido-u2f-ove...

To defeat the relay attack, you need tight restrictions on time-of-flight. That restricts the allowable distance between the vehicle and the actual real key fob.

Wouldn't measurements of ping between keyfob and car be able to detect such attacks?

There are mitigations; my point was mainly that there is more to it than implementing a tried and proven protocol developed for a completely different use case (like SSH). Keyless entry systems are what they are because of a complicated trade-off between convenience, reliability, security and other factors and not necessarily because all engineers at car companies are idiots.
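To make the distinction between the replay and relay attacks in this subthread concrete, here is an added example (written for this page, not code from any commenter or any vehicle) that models the two schemes named earlier: a one-way rolling code with an HMAC tag, and a passive challenge-response whose verifier also enforces the round-trip-time bound proposed above. The shared key, the 10 m policy, the fob turnaround time, the relay latency and the attacker's behaviour are all assumptions; propagation is modelled at roughly 300 m per microsecond.

```python
"""Toy keyless-entry model: rolling codes vs. challenge-response with distance bounding.

Added example, not from the thread. The shared key, ids, timings and the
attacker behaviour are assumptions for illustration; no real vehicle
protocol is modelled.
"""
import hashlib
import hmac
import os
import struct

SECRET = b"fob-car-key-provisioned-at-pairing"  # assumed shared secret
C_M_PER_US = 300.0        # radio propagation: ~300 m per microsecond
FOB_TURNAROUND_US = 0.5   # assumed fixed fob processing time
MAX_DISTANCE_M = 10.0     # assumed policy: fob must be within 10 m of the car
# Largest round-trip time a legitimate fob within MAX_DISTANCE_M can produce.
RTT_BOUND_US = 2 * MAX_DISTANCE_M / C_M_PER_US + FOB_TURNAROUND_US


def tag(*parts: bytes) -> bytes:
    """Truncated HMAC-SHA256 over the concatenated parts (caller supplies a domain label)."""
    return hmac.new(SECRET, b"".join(parts), hashlib.sha256).digest()[:8]


# --- Scheme 1: one-way rolling code (fob transmits, car only listens) ---------
class RollingFob:
    def __init__(self) -> None:
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        ctr = struct.pack(">I", self.counter)
        return ctr + tag(b"rolling", ctr)


class RollingCar:
    WINDOW = 16  # how far ahead the fob counter may run (presses made out of range)

    def __init__(self) -> None:
        self.last = 0

    def unlock(self, msg: bytes) -> bool:
        ctr, mac = msg[:4], msg[4:]
        if not hmac.compare_digest(mac, tag(b"rolling", ctr)):
            return False
        n = struct.unpack(">I", ctr)[0]
        if not (self.last < n <= self.last + self.WINDOW):
            return False  # stale (replayed) or implausibly far ahead
        self.last = n
        return True


# --- Scheme 2: passive challenge-response with a round-trip-time bound ----------
class PassiveFob:
    def respond(self, challenge: bytes) -> bytes:
        return tag(b"challenge", challenge)


def car_verify(challenge: bytes, response: bytes, rtt_us: float) -> bool:
    """Accept only if the MAC is right AND the reply came back fast enough to be nearby."""
    if not hmac.compare_digest(response, tag(b"challenge", challenge)):
        return False
    return rtt_us <= RTT_BOUND_US


def passive_unlock(fob: PassiveFob, fob_distance_m: float, relay_delay_us: float = 0.0) -> bool:
    """Simulate one challenge/response; a relay can only add distance and latency."""
    challenge = os.urandom(16)
    response = fob.respond(challenge)
    rtt_us = 2 * fob_distance_m / C_M_PER_US + FOB_TURNAROUND_US + relay_delay_us
    return car_verify(challenge, response, rtt_us)


def demo() -> dict:
    fob, car = RollingFob(), RollingCar()
    heard = fob.press()
    results = {"rolling_first_press": car.unlock(heard)}      # accepted
    results["rolling_replay"] = car.unlock(heard)             # rejected: counter already used
    unheard = fob.press()  # attacker jams so the car misses it, but records it
    results["rolling_jam_then_replay"] = car.unlock(unheard)  # accepted: still inside the window

    pfob = PassiveFob()
    results["passive_fob_nearby"] = passive_unlock(pfob, 2.0)  # accepted
    # Relay: the real fob is 40 m away indoors and the relay hardware adds a few microseconds
    results["passive_relayed"] = passive_unlock(pfob, 40.0, relay_delay_us=3.0)  # rejected: RTT too long
    # Replaying an old response against a fresh challenge already fails on the MAC
    old = pfob.respond(os.urandom(16))
    results["passive_replay"] = car_verify(os.urandom(16), old, 0.1)  # rejected
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} {'accepted' if ok else 'rejected'}")
```

Two things the run shows that the prose only hints at. First, a rolling code stops a straight replay but not jam-then-replay: a press the car never heard is still a fresh counter value, so the attacker can use it later. Second, against the relay attack the HMAC is correct by construction, so only the timing bound rejects it; with light covering about 300 m per microsecond, a 10 m limit is a budget of tens of nanoseconds, which is why this needs purpose-built ranging radios (ultra-wideband in newer cars) rather than the fob's ordinary LF/UHF link, and why the trade-off the comment describes is real.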
> convenience

True, if you don't care about security, upload your password to the cloud or open your car without any manual action ;)

> Is there an easy solution to improve locks on cars?

Expose their flaws and let the manufacturers properly mitigate their creation.

> Is there an easy solution to improve locks on cars?

Turn off keyless entry and use the mechanical key.

The challenge/response mechanism still occurs when using the key. Try opening most cars with a dead keyfob battery - on pretty much any recent car I've seen doing so triggers the alarms and turning the key in the ignition will not disarm the immobiliser.