Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
phire 6 days ago

I'm not sure you should be that concerned about man-in-the-middle attacks.

If someone does successfully MITM while walking by the key is going to stop working as soon as they are out of range, and you will notice.

I'm just wanting a system that could be implemented with the hardware that's already there. I guess you could use the RFID chip that most keyless start cars already have as a secondary channel. Still Not 100% secure, but the MITM device would need to be physically in your car to intercept the pairing request, and at that point you have bigger problems.

tux1968 6 days ago | parent [-]

Sorry, I didn't mean to make it sound like the problem was MITM. The issue is initiating a pairing request, you can't allow just any key to request it, that allows bad actors to pair a key with your car.

While I worry that it's not really secure enough, the OP was suggesting that physical contact is a way to "prove" that you are indeed eligible to pair, by excluding everyone who lacks physical contact.

phire 6 days ago | parent | next [-]

Modern cars already have a complex sequence to enter pairing mode.

You need to press buttons inside the car, buttons on the currently paired key (to prove possession of that) and buttons on the key you want to pair with.

So a passer by would have to press a button on their fob at just the right moment. Then when you go to test your new key fob, it wouldn't work, so you would pair again until it was your key that was paired.

tux1968 6 days ago | parent | next [-]

Yeah, it's the same for garage door openers today. I took the OP simply to be saying that physical access of some type needs to be available (ie. to stop anyone initiating a pairing). Some cars require the key to be physically inserted into the ignition switch, which requires the key to be correctly cut to match the car, before pairing; which is a nice extra hurdle to stop thieves quickly pairing after they break into your car.

Whatever the case, making it easier to pair, shouldn't be the primary focus, no need to help a thief doing it quickly. It would just be nice to have a way to do it, that didn't ultimately require the manufacturer to get involved; but that does remove a big hurdle for thieves, too.

monster_truck 6 days ago | parent | prev [-]

Which can be easily bypassed by accessing any obd2 connected port, which you can conveniently find in the headlight housing of most automobiles.

0x457 5 days ago | parent | next [-]

That's CANBUS not OBD2, and it only works on some cars because not moronic manufacturer prevent it. Try doing it, on a European car you will fail.

chipsa 6 days ago | parent | prev [-]

I promise there is not an OBD2 port inside the headlights of cars.

There is CANBUS to the headlights, but that is not a OBD2 port. And more securely designed cars can put that in a less secure zone, so it can only send and receive commands for exterior things like lights, and not be able to have commands for keys injected, because that bus will not accept those commands.

exe34 6 days ago | parent | prev [-]

you can press a button in the car, you don't need a cable.