[emidln]

It's been a long time since I worked building ECUs responsible for RKE (Remote Keyless Entry) and SKIM (Security Key IMmobilizer), but IIRC, only one of the three used ciphers and systems that I recognized (it was an RC4-derivative).

They all had features to disallow brute-forcing though. The RKE system would track the number of requests for each authenticated FOB. If the FOB had too many requests or had been pressed too many times (either the stored count or the sent count being off), various features would be frozen until the FOB was repaired (by synchronizing via insertion into the key cylinder and/or successfully starting the engine).

Nobody talked about how good the encryption was or wasn't. I wasn't doing cryptography and we were just given things to implement. The protocol also wasn't really up for discussion, as we were just implementing a spec given to us.

It doesn't surprise me to learn that you can break this. We noticed a bunch of vulnerabilities during validation that required some knowledge to expoit (implementation details that you'd have to gain via fuzzing).

Another scary part is how lax ECUs talking on the CAN bus were w/parsing network messages. I'd like the opportunity to spend some time attacking various controllers on common systems (does GM still use their Common Architecture? if so that'd be a gold mine), but I'm now in a different field without funding or resources.