[kw71]

This is possible with the RFID transponders used in ignition keys by most carmakers. However, BMW had the foresight to prevent this.

Maybe the downmarket carmakers have gotten smarter, but for a long time BMW stood out as the one that did not permit simple duplication of the data in the RFID transponders (each transponder has its data changed every time it is used.)

As far as mechanical key bittings go, any locksmith should be able to clone a key with a photograph of it.

[kxo]

TOTP and HOTP have been standards for how long now? (HMAC has been in papers since 1997 or earlier, HOTP since 2005)

We have 2FA devices like the Yubikey (https://www.yubico.com/prodcts/yubikey-hardware/)

that are so incredibly small. Why is this not something you'd implement via RFID challenge/response to stop any attack?

[kw71]

I was puzzled by this too, and surprised at how simple it was. Remember during the 90's we had ISO7816 cards that were a lot more difficult to attack (for instance, payphone cards permuted a challenge from the phone with a shared secret and a secret algorithm, and additionally had some good anti-reading protection, and an irreversible counter)

As far as I know all the technology able to fit in a 7816 card has been put into contactless cards too.

I think that carmakers are lazy, they go to a vendor who designs a system with off the shelf parts and implements it poorly, and we end up with our $30,000 car secured by a PCF7930 or something weaker and if it has security features they are not fully utilized.

I think they also have to design these things within the constraints of being able to service them in the field and not upsetting the customer. Vendor doesn't want to be responsible for a bunch of cars not working if reliability is low, and carmakers wouldn't want the bad press. On the other hand, when criminal activity is involved, it's real easy to blame the criminal.