dylan604 6 days ago

Proper security is a total pain in the ass, and makes things nigh impossible to use in the manner people want to use them. This naturally makes things more expensive to recover from oopsies.

This is why YubiKeys will only ever work for people technical enough to understand them. Normies will lose it at the first chance, and then be locked out of everything. At that point, YubiKeys will be banned by Congress from all of the people writing in demanding something be done about their own inabilities to not be an ID10T.

theamk 6 days ago | parent | next [-]

As far as car security is affected, "normies" really don't care what the algorithm is. The entire UX is "press button to open car, go to dealership if you need new key" and it allows a wide variety of choices re algorithms.

The only reason they use KeeLoq (with whopping 32 bits of security!) instead of something normal, like I dunno, AES-128 or something, is because they are trying to save $0.50 in parts on the item they sell for $100. Oh, and because they don't like any change and don't have organizational ability to use anything recent, like other poster says.

fc417fc802 6 days ago | parent | next [-]

> The entire UX is "press button to open car, go to dealership if you need new key"

Ironically, proper security in this case would likely improve the user experience as well. The car provides a 64-bit (or larger) secret value and you manually program a standardized fob with it. No need for custom parts that are only available from the dealer.

Terr_ 6 days ago | parent | prev | next [-]

I wonder if it's less about the cost of silicon, and more about the energy budget for a device that uses a button-cell battery.

Even if it's a problem with off-the-shelf stuff, I imagine a car-manufacturer could easily get something all nice and tiny and special-purpose.

theamk 6 days ago | parent [-]

The encryption only needs to happen when the button is pressed, and I am pretty sure the radio energy consumption will be much higher than the CPU one.

Airtags transmit much more frequently than car remotes, use similar batteries, and yet do proper security.

selkin 6 days ago | parent [-]

Modern keyfobs keep listening and transmitting all the time, as you no longer need to push a button. Just get close enough to the car and it opens.

Terr_ 6 days ago | parent | next [-]

A terrible "feature", since it means someone can steal your car just by relaying the signal from outside your home at night, or an accomplice walking near you as you're entering the grocery store, etc.

I've become a big believer in leveraging some security features of the physical world, as it seems it's been long enough that everyone's forgetting Therac-25-style problems. (Or, perhaps more accurately, nobody cares because they aren't liable.)

imp0cat 6 days ago | parent [-]

It's not as bad.

Modern keyfobs actually detect motion and if they are motionless for a while, they stop transmitting the signal to both save battery and prevent such attacks.

For old keyfobs, you can get a battery sleeve with integrated motion sensor which does the same (cuts power when fob is not in motion for a while).

Alternatively, some cars let you disable the feature and just use the keyfob as you would use an older one - then you have to push the button anytime you want to unlock the car.

dylan604 6 days ago | parent | prev [-]

> (with whopping 32 bits of security!)

Ha! DVDs at least had 48 bits. /s

giantg2 6 days ago | parent | prev | next [-]

Proper security doesn't need to be perfect security. In the case of car manufacturers, most of their fob implementations are borderline negligent.

glitchc 6 days ago | parent | prev [-]

You're right. Sometimes I get tired of typing my sudo passwords and wish there was a faster way. Biometrics are not bad.

jeroenhd 6 days ago | parent [-]

It really depends on the way biometrics are implemented. If you're doing it Apple style, where a dedicated chip validates biometrics and uses encryption and signatures to prove to the OS that the user is who they say they are, they're as good and trustworthy as the software you're running on them (which in the case of macOS for instance requires full trust).

If you're doing the "fingerprints implemented as a webcam" or software-based facial recognition from a shitty webcam, you're risking quick and easy bypasses. Still good enough for a computer you leave at home (as long as you don't need to protect yourself against shady law enforcement) but definitely not that secure.

From what I've been able to gather online, nobody but Apple and phone manufacturers seem to care much about actually doing biometrics securely, including the biometrics hardware companies. It's such a shame because it's definitely possible to do better.