Ask HN: Why do we still have replay attacks on our cars?
17 points by qmsdfjkc 1194 days ago
So today my car got stolen in front of my house. It was a 2021 Hyundai Tucson.

We clearly see on some cameras in the street that it took less than 1 minute for the thief to take it.

I was not aware of the "replay" attack (which, as I understand it, consists simply of listening to my key's signal through my door and replicating it to open and start the car), so my key was not far at all.

So my question is, why is my worthless GitHub account secured by a free Android 2FA app which makes replication attacks impossible, and my 50K€ car secured by the dumbest only-one-forever-the-same key ever?

Is it not possible to put some pgpsign-like technology in car keys?

(Also, I am now aware of the TikTok trend of stealing these Kia and Hyundai cars because their security is so easy to abuse.)

7 comments

I'm confused.

I thought normal replay attacks were solved and the issue here has more to do with forwarding the key's signal close to the car to simulate the key being close.

That's what can't easily be solved without needing a button on the key, which defeats the purpose of said feature.

Oh, that's clever! It is probably what they did to start the car and then leave.
It probably wasn't a replay attack. You can steal a Hyundai with a screwdriver and a USB cable. https://www.hotcars.com/kia-boyz-easily-steal-base-kia-hyund...
I thought these attacks work on a much lower layer - by adding a repeater, which is essentially extending the range of your fob? I.e. they just pass the radio signals back and forth, without analysing their content at all. Can anyone confirm/deny?
Yes, likely a relay attack; the best way to mitigate is to store keys in an RF-blocking container.
Why don't the producers just add a physical button you have to press in order to open the car? It sounds like much less hassle than remembering to store your keys in a proper container always. It looks like it's just marketed to lazy and uninformed people.
Because people value walking up to the car and just opening it vs. finding the fob in their pocket and pressing a button, and that convenience outweighs the small risk their car gets stolen, which is replaced anyway via insurance.
Why not just require motion from the key in the past 30 seconds for it to be active? If I'm walking to my car, the key is bouncing around in my pocket, so make it active. When it's sitting in a drawer in my house, it's not moving, so make it inactive.
Part of why insurance is so expensive is the mindset that insurance will just cover everything, leading to a lack of vigilance by some.
In point of fact, insurance companies have been refusing to cover some of these Kia and Hyundai cars because they're "too easy to steal". The lack of an immobilizer chip apparently is the culprit.

https://www.cnn.com/2023/01/27/business/progressive-state-fa...

What incentives do automakers have to provide you with a secure product? "Old-school" key ignitions work perfectly fine, so why were they replaced with the obviously-flawed dongle?

How complex would a device have to be to not be trivially defeated by a replay attack? How do you get both ends to reliably communicate without requiring an always-on internet connection in both the dongle and the vehicle to sync timing or some other state? What do you do when the manufacturer no longer exists or doesn't want to pay for servers to enable people to drive "old models"?

> "Old-school" key ignitions work perfectly fine, so why were they replaced with the obviously-flawed dongle?

It's more convenient to leave your keys in your pocket or your bag than to rummage around for them.

There's a terminology problem here. I don't believe this is a replay attack (same open command is replayed later and works); those are largely solved with rolling codes. This is most likely a relay attack: the distance from the car to the key is bridged with a repeater. That's harder to solve. You could measure distance by round-trip time rather than by limiting TX power, but the distances in question are small, and the timing difference between keys at the car door and keys at the house door isn't very much. Probably the crypto takes longer and may vary more than the difference in transmission time.
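A toy model of the distinction drawn in this comment, added here as an illustration (it is not code from the thread or from any car maker): a challenge-response handshake rejects a replayed answer, but a relayed honest answer still passes unless the car also bounds the round-trip time. The shared key, the distances, the 200 ns repeater delay and the 70 ns acceptance bound are constructed assumptions.

```python
import hashlib
import hmac
import os

SHARED_KEY = b"constructed-demo-fob-secret"  # constructed; real fobs hold a per-vehicle secret
C_M_PER_NS = 0.3    # radio propagation speed, metres per nanosecond
MAX_RTT_NS = 70.0   # only accept a round trip consistent with a fob within ~10 m (2*10/0.3)

class Fob:
    def __init__(self, key):
        self.key = key

    def respond(self, challenge):
        # The answer is bound to this nonce, so a recorded answer is useless for any later nonce.
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

class Car:
    def __init__(self, key, enforce_rtt=True):
        self.key = key
        self.enforce_rtt = enforce_rtt
        self.pending = None

    def challenge(self):
        self.pending = os.urandom(16)  # fresh nonce for every unlock attempt
        return self.pending

    def verify(self, response, measured_ns):
        if self.pending is None:
            return False
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None  # single use: the same nonce is never accepted twice
        if not hmac.compare_digest(expected, response):
            return False
        return (not self.enforce_rtt) or measured_ns <= MAX_RTT_NS

def rtt_ns(distance_m, relay_latency_ns=0.0):
    """Modelled round trip: out and back over the air plus any repeater delay (constructed model)."""
    return 2 * distance_m / C_M_PER_NS + relay_latency_ns

def legit_unlock(car, fob):
    return car.verify(fob.respond(car.challenge()), rtt_ns(2))  # owner 2 m from the door

def replay_unlock(car, fob):
    captured = fob.respond(car.challenge())  # a genuine exchange, recorded by a nearby receiver
    car.verify(captured, rtt_ns(2))          # the owner's unlock completes normally
    car.challenge()                          # later the car is woken again and issues a new nonce
    return car.verify(captured, rtt_ns(2))   # the old answer does not match the new nonce

def relay_unlock(car, fob, relay_latency_ns=200.0):
    # Repeaters bridge 30 m between car and fob; the fob answers honestly, but late.
    return car.verify(fob.respond(car.challenge()), rtt_ns(30, relay_latency_ns))
```

The model ignores the fob's own compute time; as the comment notes, a real design has to keep that constant and subtract it (or range in a separate phase), because a few tens of nanoseconds of jitter would swamp the distance signal.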

Actually, the car in question has a continuous internet connection using a SIM card, so I guess syncing time wouldn't be that difficult.

Also I remember some Renault Espace in France which had a dongle but then you had to put it somewhere specifically in the car to start it. Adding an NFC/RFID chip could solve part of the problem maybe...

But yes, you are right, this requires maintenance.

If you had to put it somewhere specific, why not just put a key in an ignition?
Oh, I don't know, maybe it looked futuristic? No idea.
>How complex would a device have to be to not be trivially defeated by a replay attack?

Not very.

>How do you get both ends to reliably communicate without requiring an always-on internet connection in both the dongle and the vehicle to sync timing or some other state?

You don't need an Internet connection or server. TLS would do the job just fine.

> How complex would a device have to be to not be trivially defeated by a replay attack?

Around $5 complex (though I lost track of actual prices a few years ago).

> How do you get both ends to reliably communicate

You choose a suitable networking stack and communicate. Secure messaging is a solved problem and doesn’t require “internet”.

I guess that the major source of complexity would be that both the car and the key need both a transmitter and a receiver, instead of only one each.

But it seems like a risible source of complexity.

For anyone interested in replay attacks and the ways in which manufacturers protect against them, this is an excellent video on the topic: https://www.youtube.com/watch?v=5CsD8I396wo
I don't have to worry about this.

My car is cheap and doesn't have a wireless key.

Insurance.
I don't really see how insurance would profit from that. Now they have to give me the value of the car in money.
It's not about insurance profiting from it. Carmakers are able to pass off certain things like this due to consumers having more or less mandatory insurance for this.

Why do we lock our doors when it's proven doors don't stop thieves (putting aside the fact that locking does prevent people from just simply walking away)? Why haven't we improved our security systems? Because people will still buy homes, and insurance covers loss and damage in case of theft.

Without that, we would demand houses that are harder to break into. So it is for cars.