-2

Why do we need keys ... Let's make an app that works on an ad-hoc network and can control our basic functions replacing our key.... And bdw how does key helps in getting car started

Zaif
  • 1
  • 3
    This is not a greatly written question. Also the app-vs-keys question really belongs on Mechanics Stack Exchange, not Security Stack Exchange. – 700 Software Aug 01 '16 at 13:27
  • 2
    I think this question exists on UX along with all the reasons why it's a terrible design choice – MattP Aug 01 '16 at 13:57
  • 2
    Why would you want to? – pppp Aug 01 '16 at 15:54
  • 1
    Because car makers are notoriously bad at making secure software (Tesla is the only exception so far). – André Borie Aug 01 '16 at 19:22
  • 2
    I take it that you are unaware of the *numerous* keyless entry systems that have been available for many years. And keyless start systems. Unless your true point is that you want to start your car with your phone and no key or dongle or any car maker-provided device at all. In which case, this truly is not a security question but a UX question. – schroeder Aug 01 '16 at 22:09
  • Near dupe http://security.stackexchange.com/questions/97333/why-do-we-still-use-keys-to-start-cars-why-not-passwords – dave_thompson_085 Aug 02 '16 at 07:32
  • Secure technology exists, but car manufacturers don't want to spend the money/time to implement it. Also, lawyers probably told them of liability issues for vulnerabilities and the project was cancelled. Cars with internet connections can and have been hacked remotely from any where. It would cost millions to design, implement,test, and get past hundreds of governmental testing/approval world wide. – cybernard Aug 06 '16 at 06:06

3 Answers3

4

All you have really done is changed the form-factor of the key (from a physical device to a virtual connection with an app).

this has several implications:

  • Virtual keys are easily duplicated, Hardware keys are a lot harder to duplicate.
  • Ad hoc networks are notoriously unsafe and would pollute the airwaves with unnecessary WI-fi signals if all cars would use this, to the point that WI-Fi simply breaks.
  • in case of catastrophic failure (on the car part), a physical key can still 'work' while a virtual key simply breaks.
  • A virtual key is much harder to (safely and securely) share with another. a physical key is easily passed on.

As to what function does the physical key fulfill,
a physical key is just a means to identify that the 'driver' is in fact someone authorized to use the car. It holds some simple technology to make sure that only the rightful keys can be used, a problem that would entail many hours of programming to make work in another way.

Remember, 'A Simple solution that fulfills all technical requirements is often the cheapest and the best to use.'

LvB
  • 8,217
  • 1
  • 26
  • 43
  • Current hardware keys are still bad. The mechanical part can be duplicated just by taking a picture of the key, and the electronic "immobilizer" part is a pathetic joke since the car's ECU will happily accept a firmware update with the immo code patched out (there are no signature checks or anything). – André Borie Aug 01 '16 at 19:24
  • This requires a targeted attack (on the person) with specialist application for the car itself. Much easier to just steal the car keys. Remember [XKCD - Security](https://xkcd.com/538/) – LvB Aug 02 '16 at 13:04
  • Not necessarily. A lock can be picked and I'm sure there are universal tools on the black market which would work for a long range of different cars, and where you can buy "updates" with new exploits available as new cars get reverse-engineered. So while most low end cars won't be targeted, I can't be so certain about higher end ones. – André Borie Aug 02 '16 at 13:31
  • such a tool would be quite expensive since in order to make it work you need to tweak the program to specifics for each Model, make, version, build year/month/day, build factory (yes this can change the software), Options. something that is easily t do for a trained mechanic. but quite another thing to do for a 'random thief in the night'. Getting this sort of access often requires physical access to the interior & under the bonnet. And it is simply easier to either use a threat (like a gun) or covertly obtain the keys to said car and steal it that way. Its a social problem not a Technical 1. – LvB Aug 02 '16 at 13:39
  • Whoever makes this tool won't be a thief. It would most likely be a legitimate company making tools for "lock smiths", and their business would be based on buying the relevant car parts (ECU, blank keys, etc) and employing engineers to crack them. Such a tool could retail for tens of thousands and would make the business profitable. Thieves just have to buy a license which again wouldn't be that expensive if they steal high end cars. I disagree and believe it is a technical problem. If you're gonna put a key and security you may as well make it secure, if not don't bother putting a key at all. – André Borie Aug 02 '16 at 13:48
  • Licensed Brand-garage already has the specialized Diagnostic terminal. Not at all fast, but does allow you to upgrade the firmware. The physical key while unique to your key to start, is not so unique to open your car, the garage has a 'garage-key' that can open the cars. To do what you suggest with this setup would require around 3 hours per car. not really feasible on the road side. as the device is in 2 parts and 1 is basically a server-rack, maintained by the brand itself. It is designed to have the possibility to replace the key-set. but make it a slow and painful process to do so. – LvB Aug 02 '16 at 14:03
  • It doesn't matter if the official procedure requires 3 hours and a server rack. I've used one of those grey-market tools before and was good to go in a matter of minutes (not counting the physical key which was still good in my case). So it is definitely possible, once the securiity by obscurity has been reverse-engineered and software written to exploit it, it takes just a couple of minutes. – André Borie Aug 02 '16 at 14:09
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/43364/discussion-between-lvb-and-andre-borie). – LvB Aug 02 '16 at 14:21
3
  • If you have complete electrical failure in your car (as can happen from time to time) then remote-controlled locks don't work. You will always need a physical key at least as a backup option.
  • Also apps just aren't as fast to use as a dedicated remote control, or even a physical key.

That being said, having a smartphone app is certainly a possible option for convenience if it were fully automated. (i.e. you don't have to pull the phone out of your pocket)

700 Software
  • 13,807
  • 3
  • 52
  • 82
  • 4
    I hope someone actually looks at the first 30 seconds of the video so they get the joke. :-) – 700 Software Aug 01 '16 at 13:38
  • 1
    How would you handle the automation of the app? Unless you're using something like RFID tags, you'd probably have to pull out the phone, or are there other possibilities? – A. Darwin Aug 01 '16 at 15:36
  • @A.Darwin, Good point. Bluetooth and WiFi currently have too great of a range to be used as proximity detectors. RFID or NFC have too small of a range. I suspect a new hardware detection would need to be introduced for this to work. But if alternate hardware is necessary, then the car-makers might as well keep on using the dedicated remote control, even for the fully-automated approach. :-) – 700 Software Aug 01 '16 at 15:53
1

It certainly is possible to create an smartphone app to unlock a car and if you check features on current new cars I'm sure you'll find some where this is an option. Off hand I recall seeing some Kia commercials advertising this ability.

As others have already pointed out a physical key is still a very good idea as a backup option if nothing else and every smart key system I've seen has this. I've had my car stuck at a gas station because the alarm went crazy from a dying battery it certainly wasn't any fun to be locked out of using my car from that.

From a security perspective I think the physical vs virtual key is an interesting discussion. Theoretically a virtual key can be much more secure than your typical physical key by using cryptology to ensure the actual key is never actually exposed and is extremely difficult to copy. This is certainly harder in an app based system than with a dedicated key fob but is still at least theoretically possible. The downside of a virtual key is the scalability of an attack. If you can find a weakness in a virtual key system you can exploit it many many times. Often not just for that particular model of car but for all models from that manufacturer or family of manufacturers or even multiple families as they often share component suppliers. That makes them very appealing targets.

Just saw this news article tonight and thought it was relevant to this discussion.

http://wwmt.com/news/nation-world/surveillance-video-showing-a-case-of-high-tech-grand-theft-auto

Evan Steinbrenner
  • 393
  • 1
  • 7