by luch 1269 days ago
Honestly it's a bit of both in this situation: they are good RF protocols that are secure enough (e.g. Calypso has not been broken yet) but they are not used by vendors since the insecure version is "good enough". Now that Flipper Zero exists, they have to adapt.

However, there is an ongoing discussion about offensive security tools such as Flipper Zero, IMSI-catchers, phishing frameworks, meterpreter lookalikes, etc. and their consequences on the overall security landscape. It used to be that tools were just tools, but now legislators and the general public ask for more responsibility from tool vendors. For example, publishing a complete n-day exploit for a major vulnerability (Windows/Linux RCE, O365 RCE, etc.) is becoming more and more frowned upon since it primarily enables attackers.

2 comments

That "ongoing discussion" is largely a small group of extremely loud people in the defensive tooling space who keep getting clowned on that their expensive products don't work.

While the offensive side keeps innovating and improving, defense seems to have stopped bothering and instead is resorting to Twitter trolling, pissing, and moaning.

Responsible disclosure exists for serious exploits, and it sort of works.

Auto makers had ample time to learn that their current radio-operated locks are insecure by design. They had years while everybody even slightly interested knew e.g. how a replay attack can be done. Did they need any more responsible disclosure time in order to act?

BTW there's no need to radically invent anything in that space; say, SSH offers a working example of a tamper-proof, eavesdropping-proof establishment of a secure connection (after a secure initial pairing, expected between a key and the car anyway).

Opening (and mobilising) a car is a vastly different scenario from opening an SSH session and your typical Mercedes or BMW driver is not your average SSH user. Customers want their cars to unlock on approach and they've become used to it. They expect the trunk to open when they swipe their foot under the tail bumper while they are holding their groceries in both hands. Keyless entry systems are useful and the most important target group of buyers of cars that are worth stealing is accustomed to them.

Keyless is not going anywhere and you need more than an SSH-like protocol to protect it.

A keyless system can use the kind of exchange with pre-shared keys which SSH uses (TLS uses a similar system). Just as I don't have to type a password when I ssh to a remote box with my key on it, a car user won't need to type anything, or even press a button on anything.

That is, the current proximity-based keyless access would work the same, from the customer's POV: you're around and you have the key, the car grants you all access. You're away, and the car beeps and locks up.

It would just require somewhat larger and more expensive components in the keyfob, which is anyway a rounding error compared to the price of the car. But, more importantly, it would require making a fuss and changing something in an area which "just works" now, which is always a hard and thankless task in a large corporation. Besides that, car manufacturers have little interest in making your car harder to steal (unless they look excessively bad compared to every competitor); they'll gladly sell you a new car instead.

I don't know if I understand you correctly but I don't see how this helps against a relay (not replay) attack.
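The pre-shared-key challenge-response sketched two comments up, and the relay-versus-replay distinction raised in the reply, as an added illustration that is not part of any comment in this thread. The key, car identifier and the in-process "forwarder" are constructed for the demo; it shows why a fresh nonce defeats replay but, on its own, says nothing about how far away the fob is.

```python
import hmac
import hashlib
import secrets

# Constructed demo values: a 128-bit pre-shared key paired into the fob and the car.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CAR_ID = b"demo-car-001"


class Car:
    """Verifier side: issues a single-use nonce and checks the fob's MAC over it."""

    def __init__(self, key: bytes, car_id: bytes) -> None:
        self.key, self.car_id, self.pending = key, car_id, None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)  # fresh per attempt, never reused
        return self.pending

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        expected = hmac.new(self.key, self.car_id + self.pending, hashlib.sha256).digest()
        self.pending = None  # each nonce is accepted at most once
        return hmac.compare_digest(expected, response)


class Fob:
    """Prover side: binds the car's nonce to the car identity under the shared key."""

    def __init__(self, key: bytes, car_id: bytes) -> None:
        self.key, self.car_id = key, car_id

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.key, self.car_id + nonce, hashlib.sha256).digest()


def unlock(car: Car, fob: Fob) -> bool:
    """One legitimate exchange; no button press, no password, just key possession."""
    return car.verify(fob.respond(car.challenge()))


def replay_rejected(car: Car, fob: Fob) -> bool:
    """A recorded response is useless against the next challenge (new nonce)."""
    recorded = fob.respond(car.challenge())
    car.verify(recorded)          # legitimate use of the recording's own nonce
    car.challenge()               # next attempt gets a different nonce
    return not car.verify(recorded)


def proves_possession_not_distance(car: Car, fob: Fob) -> bool:
    """Passing the same bytes through an untouched forwarder still verifies: the
    exchange binds nothing about proximity, which is the gap the reply points at."""
    forward = lambda msg: bytes(msg)   # constructed stand-in for any transparent path
    return car.verify(forward(fob.respond(forward(car.challenge()))))
```

Closing that gap needs something outside the key exchange itself, such as a timing or distance bound, which is the "more than an SSH-like protocol" point made earlier in the thread.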

"anyway a rounding error compared to the price of the car. But, more importantly,"

For car manufacturers rounding errors start many, many digits behind the decimal point. At their volume a cost down of a fractional cent is significant.