
I am wondering how car key security works.

Do car keys just send a simple "lock" and "unlock" signal that works with any car from the manufacturer or any car of the same model? Or are specific keys registered to a car and then only those keys have the signal that unlocks that car?

I also have an idea for how the security should work. (Forgive me, I know very little about how encryption, radio signals and security work.) Please tell me what you think.

Keys and cars are each given their own encryption key upon manufacture. Upon purchase of a car, the keys and cars are registered to each other. The car gets a copy of the encryption keys from the car keys and the car keys each get a copy of the car's encryption key. Then the unlocking process. Car key requests unlock from the car. Car verifies it is a registered key then asks for the special number it sent earlier (encrypted) to the key. Key sends special number back (encrypted using the key's encryption) and the car decrypts it using its copy of the car key's encryption key and verifies the numbers are the same. Then the car is unlocked.

Then the car encrypts a new special number and sends it to the key, which the key decrypts using its copy of the car's encryption key then encrypts using its own encryption keys. This new number will be used on the next unlock request. This ensures the unlock signal changes every time so that people cannot simply copy the unlock signal from the air and unlock the car.

If I was not clear on anything please specify in comments, I can provide more detail.

Remember that I have no background in computer security. I was just thinking about this after hearing about a major series of car thefts somewhere.

schroeder
Jay Schauer
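The asker's proposal is, in effect, a challenge-response protocol: the car hands the key a fresh secret number, and the key proves it holds the shared secret by returning something only a holder of that secret could compute. The following is an added example, not code from the question or from any real car system. It assumes HMAC-SHA256 over a random nonce as the "encryption" step (a standard keyed-MAC construction; real fobs use their own ciphers), one shared secret per enrolled key, and a constructed 16-byte secret for the demo. It shows a legitimate unlock succeeding and a recorded response being rejected on replay because the car discards each challenge after one use.

```python
import hashlib
import hmac
import secrets

# Hypothetical helper: the keyed response to a challenge. HMAC-SHA256 stands in
# for "encrypt the special number with the key's encryption key" in the post.
def respond(shared_secret: bytes, nonce: bytes) -> bytes:
    return hmac.new(shared_secret, nonce, hashlib.sha256).digest()


class Car:
    """Holds one shared secret per enrolled fob and at most one open challenge per fob."""

    def __init__(self):
        self.enrolled = {}   # fob_id -> shared secret (copied at registration)
        self.pending = {}    # fob_id -> nonce sent but not yet answered

    def enroll(self, fob_id: int, shared_secret: bytes) -> None:
        self.enrolled[fob_id] = shared_secret

    def challenge(self, fob_id: int):
        """Issue a fresh random nonce; None if the fob is not registered."""
        if fob_id not in self.enrolled:
            return None
        nonce = secrets.token_bytes(16)
        self.pending[fob_id] = nonce      # only this nonce will be accepted
        return nonce

    def verify(self, fob_id: int, response: bytes) -> bool:
        """Accept the response only if it matches the outstanding nonce for this fob."""
        nonce = self.pending.pop(fob_id, None)   # one-shot: a nonce is never reused
        if nonce is None:
            return False
        expected = respond(self.enrolled[fob_id], nonce)
        return hmac.compare_digest(expected, response)   # constant-time compare


class Fob:
    def __init__(self, fob_id: int, shared_secret: bytes):
        self.fob_id = fob_id
        self.shared_secret = shared_secret

    def answer(self, nonce: bytes) -> bytes:
        return respond(self.shared_secret, nonce)


def demo() -> dict:
    """Run the exchange; returns which attempts the car accepted."""
    secret = bytes(range(16))                     # constructed demo secret
    car, fob = Car(), Fob(fob_id=1, shared_secret=secret)
    car.enroll(1, secret)

    # 1. Normal unlock: challenge, answer, verify.
    nonce = car.challenge(1)
    recorded = fob.answer(nonce)                  # an eavesdropper could record this
    accepted = car.verify(1, recorded)

    # 2. Replay of the recorded answer against a new challenge fails:
    #    the car has issued a different nonce and discarded the old one.
    car.challenge(1)
    replayed = car.verify(1, recorded)

    # 3. A fob holding a different secret cannot answer.
    nonce = car.challenge(1)
    wrong = car.verify(1, Fob(1, b"\x00" * 16).answer(nonce))

    # 4. An unregistered fob id never even receives a challenge.
    unknown = car.challenge(99) is None

    return {"legit": accepted, "replay": replayed,
            "wrong_secret": wrong, "unknown_fob_rejected": unknown}


if __name__ == "__main__":
    print(demo())
```

The property that defeats the "copy the signal from the air" attack the asker worries about is that the nonce is random and single-use, so a captured response is worthless against any later challenge; whether the number is sent ahead of time (as in the question) or at unlock time (as in keyless-go cars) matters less than that it is never accepted twice.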

1 Answer

No. Usually, there's single-direction communication with the car.

So usually, each key has its own "encryption key" and a "counter". In the car, there's a list of valid encryption keys and a counter for each key.

Each time you push a button, the key will send count + 1, encrypted with the key. The car simply encrypts count + 1 with its own encryption key and compares both.

To prevent pushing the button without being near the car from causing the fob to stop functioning, the car will also check count + 1, count + 2, count + ..., all the way to like count + 50. If you accidentally press the key 50 times without being near the car, the fob will usually stop functioning and you have to re-enroll that fob. Enrolling a fob is different on different vehicles, but sometimes the car re-enrolls the remote when you use the associated ignition key, sometimes you have to do it yourself by using the ignition key and then doing a sequence of pressing the brake pedal, operating the ignition lock, opening and closing doors and pushing certain buttons.

Here is an example: https://www.youtube.com/watch?v=mG3R58-24QU

When you do this, the fob will usually send out the cleartext key, or the key encrypted using a "manufacturer key", and the count when holding the button for longer than a few seconds or something, just to enroll the key if the car is in "programming mode".

When you have successfully opened or locked the car, the car will update its count for that associated car key, with the count that successfully unlocked/locked the car.

Think of it like a HOTP token.

HOWEVER, for those "keyless and go" cars where you just walk near the car to unlock it, and also for most ignition keys (immobilizer), a "challenge response" protocol is used, because in that case there's dual-direction communication between the car and the key.

sebastian nielsen
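The rolling-code scheme in the answer, carried through as an added example (not the answerer's code and not any manufacturer's implementation): each fob keeps a secret and a counter, the car keeps a copy of both per enrolled fob, a button press transmits the counter's next value protected under the fob's secret, and the car searches a lookahead window of 50 values. HMAC-SHA256 truncated to 8 bytes is assumed here as the "encrypt count + 1 with the key" primitive, and the secret and fob id are constructed for the demo. It shows the replay of a captured press being rejected, the window absorbing a handful of out-of-range presses, the fob falling out of sync after 50 such presses, and re-enrollment (the car taking the fob's current counter) restoring it.

```python
import hashlib
import hmac

WINDOW = 50   # how far ahead of its stored counter the car will search


def rolling_code(secret: bytes, counter: int) -> bytes:
    """Hypothetical stand-in for 'count encrypted with the key': a keyed MAC of the counter."""
    return hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class Fob:
    def __init__(self, fob_id: int, secret: bytes):
        self.fob_id, self.secret, self.counter = fob_id, secret, 0

    def press(self) -> tuple:
        """Every press advances the counter, whether or not the car is in range."""
        self.counter += 1
        return (self.fob_id, rolling_code(self.secret, self.counter))


class Car:
    def __init__(self):
        self.fobs = {}   # fob_id -> [secret, last accepted counter]

    def enroll(self, fob_id: int, secret: bytes, counter: int) -> None:
        # Programming mode: the car records the fob's secret and its current count.
        self.fobs[fob_id] = [secret, counter]

    def receive(self, message: tuple) -> bool:
        """Accept a press if its code matches any of the next WINDOW counter values."""
        fob_id, code = message
        if fob_id not in self.fobs:
            return False
        secret, last = self.fobs[fob_id]
        for candidate in range(last + 1, last + WINDOW + 1):
            if hmac.compare_digest(code, rolling_code(secret, candidate)):
                self.fobs[fob_id][1] = candidate   # jump forward; older codes are now dead
                return True
        return False   # replay (counter <= last) or fob too far ahead (desync)


def demo() -> dict:
    secret = b"\x01" * 16                   # constructed demo secret
    fob, car = Fob(7, secret), Car()
    car.enroll(7, secret, counter=0)
    results = {}

    first = fob.press()                     # counter 1
    results["first_press"] = car.receive(first)       # accepted, car stores 1
    results["replay"] = car.receive(first)            # same code again: rejected

    for _ in range(10):                     # presses out of range: counter 2..11
        fob.press()
    results["after_10_misses"] = car.receive(fob.press())   # counter 12, within 2..51

    for _ in range(WINDOW):                 # 50 more out of range: counter 13..62
        fob.press()
    results["after_50_misses"] = car.receive(fob.press())   # counter 63, window is 13..62

    car.enroll(7, secret, counter=fob.counter)              # re-enroll: resync the count
    results["after_reenroll"] = car.receive(fob.press())    # counter 64, accepted

    return results


if __name__ == "__main__":
    print(demo())
```

Two details worth noticing in the search loop: the car only ever moves its stored counter forward, so every code at or below the last accepted value is permanently dead (that is what makes a recorded press useless), and once the fob has advanced past the window the car can no longer distinguish it from an attacker, which is why the answer says the fob "stops functioning" until it is re-enrolled with the car's counter reset to the fob's.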