• KeenFlame@feddit.nu
    ↑ 6 · 1 day ago

    Hahaha it’s so nice to read why? And it’s because of crime. Huh? I ask why ban these. They say again crime. I go ah like guns then. Like you ban the engines of death not used in hunting ever but used to mow down kids in schools at an alarming rate? No? Ah. What do you mean then? Oh. You are saying there’s legitimate use for an extended mag uzi that says kill kids on the side. But not something that can emit fm waves or whatever. Not the tech we use for literally all kinds of wireless communications. Because why again? Because only the people that work with these things should have them? Oh so you mean the police and military should have assault rifles… Oh. No okay the child slaying stays, the electromagnetic hacker devices are satanic. Got it. Yeah I’ll get right on that.

    • Nollij@sopuli.xyz
      ↑ 4 · 2 days ago

      I won’t speak to how the UK does things, but in the US this would make for an easier criminal charge.

      It can be difficult to prove that someone stole (or is about to steal) a car, or broke in to steal the contents. This is especially true if they weren’t apprehended in or with the vehicle itself. But if they are arrested on suspicion, and one of these devices is found on them, they can very easily be prosecuted for possession of criminal tools. It’s similar to how we normies can’t legally own a lockpicking kit unless we’re locksmiths.

      • sugar_in_your_tea@sh.itjust.works
        ↑ 2 · edited · 1 day ago

        That doesn’t make it okay.

        And you can’t own lock picking tools? Like, buying from this website is illegal? That’s ridiculous!!

        I can, and it’s incredibly useful to DIY access locked doors in my house. I’m not calling a locksmith unless I can’t figure it out, because that’s expensive.

        The proper solution is to require car manufacturers to reimburse customers for any losses due to poor design. Same goes for lock makers.

        • Pika@sh.itjust.works
          ↑ 2 · 1 day ago

          It’s perfectly legal to own any type of lock picking tool in all of the states in the US, as long as you are not using it for a malicious purpose. But there are four states that have increased scrutiny on if you are caught out in public with them: Ohio, Nevada, Virginia and Mississippi, but it’s completely legal to have lock picking as a hobby (although some states require registration to do it professionally).

          • sugar_in_your_tea@sh.itjust.works
            ↑ 2 · edited · 1 day ago

            some states require registration to do it professionally

            That’s totally fair, though I think a bit excessive. I understand requiring registration for dangerous things like working on gas lines or high voltage electricity, because you could cause a ton of damage. But for a locksmith, the risk is really low, especially if you’re picking instead of the more destructive and faster methods most locksmiths use because they don’t want to spend the time manipulating pins.

            I’m guessing in those states where you need to be registered/licensed, it’s more about raising the barrier to entry to protect existing locksmiths than any kind of actual concern for the safety of the public.

      • Pika@sh.itjust.works
        ↑ 1 · 1 day ago

        I was on board with your post until the last line.

        However, in the majority of the US it’s perfectly legal to own lock picking tools as long as you’re not using them with malicious intent. There are only four states in the US that have restrictions on them similar to what you describe. Those states are Mississippi, where if it’s concealed / you don’t tell them that you have the pick and they find it on their own, you have to provide counter evidence in court of why it wasn’t you; and Nevada, Ohio and Virginia, which state you must provide evidence directly countering the claim.

        All states have it legal to own and use the tools, it’s just those four states have increased regulations on the tools that make it harder to defend in court if you’re caught out in public near a crime with them.

  • RobotToaster@mander.xyz
    ↑ 48 · 2 days ago

    And nothing will be done about cars being sold with faulty security. We had methods of preventing these attacks in the last millennium.

  • SwizzleStick@lemmy.zip
    ↑ 55 · 3 days ago

    Typical BBC reporting of anything technical.

    Keyless repeaters and signal amplifiers scramble the signal from remote key fobs inside people’s homes, enabling criminals to unlock cars.

    No, they don’t. The situation described is a relay attack on keyless entry/start. Jamming is used in a two stage attack, where the device intercepts the first signal and stores it without allowing the car to ‘see’ it by jamming. The user then tries a second time.

    This time the signal is intercepted the same way, and the first signal is played back to the car from the device. The second signal is stored and can be replayed later to bypass a rolling code setup.

    It’s very niche and the stored signal quickly becomes obsolete anyway.

    Sophisticated electronic devices used by criminals to steal cars are set to be banned

    Making or selling a signal jammer could lead to up to five years

    Jenny Simms said the possession, manufacture, sale and supply of signal jammers had provided an “easily accessible tool for criminals… for far too long”.

    These devices have no legitimate purpose

    Basically, fuck you if you happen to have or build a Software Defined Radio (SDR). Again with the UK ‘clamping down’ on something that does have plenty of legitimate use.

    I use an F0 for toying with my own equipment, as an interface for my smart devices and as a general purpose keyfob. I may be arrested just for possessing it.

    The crims will not care a jot and this only serves to restrict/annoy legitimate users.

    The fault and solution lies with the manufacturers who implement insecure tech, and with the users who blindly sacrifice pounds of security for ounces of convenience.

      • SwizzleStick@lemmy.zip
        ↑ 20 · 2 days ago

        An SDR can be made to jam, even if that is not the normal purpose. Just like a kitchen knife can be used to murder people, instead of its normal culinary purpose.

        Of course an F0 can’t clone a rolling code as-is. I never said it could. But it can harvest and replay a single or multiple consecutive codes just fine, providing the original key is not used in the meantime. Only need physical access to the key while it is out of range of the vehicle.

        This alone puts the F0 on dangerous ground as an “electronic device (such as a signal jammer) for use in theft of a vehicle or theft of anything in a vehicle”

        People have locked out their original keys by messing with this before.

        The point is that our laws are reactionary, vague, and open to too much interpretation.

        If someone gets shit stolen out their car and I happen to be nearby, then I will become suspect merely through possession. Even without intent.

        • sugar_in_your_tea@sh.itjust.works
          ↑ 2 · 1 day ago

          Exactly!

          To add to this, I used to work at a physical security company, and we needed to alert the guards if someone attempted to jam signals. How do you properly test that? By jamming signals!

          I guess this scenario could be resolved through licensing, but that’s a ridiculous solution since criminals could still get it.

          It should be illegal to use a jammer maliciously or negligently. It shouldn’t be illegal to possess one. Car manufacturers should also be held liable for losses due to lack of protection against jamming.

          • KairuByte@lemmy.dbzer0.com
            ↑ 1 · 5 hours ago

            Car manufacturers should also be held liable for losses due to lack of protection against jamming.

            Did you mean something else here? You can’t “protect” against jamming. That’s like protecting from too much noise in a conversation.

            • sugar_in_your_tea@sh.itjust.works
              ↑ 1 · 5 hours ago

              I meant they should have failsafes in place so jamming isn’t an effective attack.

              A simple analogy is locks. Instead of making lock picking kits illegal, design better locks to increase the time and knowledge needed to defeat a lock.

              Car remote unlock design is lazy: you push the button and it generates a key, which is invalidated when used. There’s nothing more complex here than a defined order. To protect against that, add a time element (like TOTP in Google Authenticator). Your fob and car would keep time independently, so an attacker would have a very narrow window (i.e. under a second) to attack the car, if that. Resync the fob with the car after a successful challenge/response process so they don’t drift too much, and allow resyncing with physical entry.

              Car companies should pay when their laziness leads to compromise.

              • KairuByte@lemmy.dbzer0.com
                ↑ 1 · edited · 4 hours ago

                TOTP only works when both source and recipient are synced pretty much identically in time. Meaning the car and fob would need to receive their time from an external source.

                Not that hard in many places, just grab the time from a radio broadcast. But what happens when that broadcast isn’t available? You fall back on a known inaccurate time. I’ve seen cars with a bum RTC chip, which lost about a minute a day. That would be enough to kill off this kind of system.

                Not to mention that an external time source would be larger, cost more, require more power, and would be vulnerable to brand new attacks.

                There is no perfect system. Take your physical lock for instance, there is no unpickable lock. They just plumb don’t exist.

                • sugar_in_your_tea@sh.itjust.works
                  ↑ 1 · edited · 4 hours ago

                  I’ve seen cars with a bum RTC chip, which lost about a minute a day.

                  Not the customer’s problem. If car manufacturers want to cheap out on components, they can pay the price when cars get stolen.

                  Even cheap watches keep the time really well, as in less than a second drift in a given month. I have a physical TOTP device that works for years, and that needs to be accurate to <30 seconds (realistically, <10 seconds drift). How much do those cost? $10-20, and they have way more features than a basic time crystal.

                  You don’t need an external time source, you just need non-crappy parts for your cars and fobs. That’s totally reasonable given the cost of those devices, so spending $1 more or whatever for a reliable time crystal isn’t an issue. Sync them periodically, such as when starting the car, and it won’t be an issue.

                  If you rely on an external time source, you have the same problem, but a little higher tech (e.g. blast your own network time), and you introduce privacy concerns (tracking).

                  My suggestion requires no privacy violations, prevents replay attacks, shield your time crystal in a Faraday cage), and keeping time synced with the car can be entirely done without the user noticing. It might fail in some crazy scenarios, like not driving the car for a year (possible if you never use one of your fobs), and it’ll need to be resynced after a battery swap, but you have the easy fallback of resyncing when you insert it into the car. The time doesn’t even need to be accurate, it just needs to tick the same way on both ends.

                  Yes, there is no perfect system, but there are real world systems that are way better than what we have. Car manufacturers just don’t care enough to implement them, the same way banks don’t care enough to use proper security (why is my email more secure than my bank??). Hold them accountable and they’ll fix it, create regulations and they’ll do the bare minimum.
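
The time-bound rolling code proposed in the subthread above, and the clock-drift objection raised against it, as a small simulation. This is an added example, not code from any commenter or from a real vehicle system; the frame layout, the HMAC construction, `STEP`, `WINDOW` and all names are assumptions, and the key and timings are constructed.

```python
import hashlib, hmac, struct

STEP = 1.0    # seconds per time slot (assumed value)
WINDOW = 2    # slots of clock skew the car accepts either side (assumed value)

def frame(key, counter, slot):
    """What the fob transmits: the counter plus a MAC over (counter, time slot)."""
    mac = hmac.new(key, struct.pack(">QQ", counter, slot), hashlib.sha256).digest()[:8]
    return counter, mac

def fob_slot(true_time, drift_s_per_day=0.0, last_sync=0.0):
    """The fob's idea of the current slot; error accumulates since the last resync."""
    error = (true_time - last_sync) * drift_s_per_day / 86400.0
    return int((true_time - error) // STEP)

class Car:
    def __init__(self, key, time_bound):
        self.key, self.time_bound, self.last_counter = key, time_bound, 0

    def verify(self, rx, true_time):
        counter, mac = rx
        if counter <= self.last_counter:
            return False                        # counter already consumed
        now = int(true_time // STEP)            # car clock taken as the reference
        slots = range(now - WINDOW, now + WINDOW + 1) if self.time_bound else [0]
        for slot in slots:
            if hmac.compare_digest(frame(self.key, counter, slot)[1], mac):
                self.last_counter = counter
                return True
        return False                            # wrong key, or outside the time window

def demo():
    key, day, out = b"constructed-demo-key", 86400.0, {}
    # 1. A frame the car never received, presented 60 s after it was generated.
    out["held_counter_only"] = Car(key, False).verify(frame(key, 1, 0), 1060.0)
    out["held_time_bound"] = Car(key, True).verify(frame(key, 1, fob_slot(1000.0)), 1060.0)
    # 2. Fob clock losing 60 s/day: a press after a day unsynced, then 30 s after a resync.
    car = Car(key, True)
    out["drift_no_sync"] = car.verify(frame(key, 1, fob_slot(day, 60.0)), day)
    synced = fob_slot(day + 30, 60.0, last_sync=day)
    out["drift_synced"] = car.verify(frame(key, 2, synced), day + 30)
    return out
```

With these assumed parameters, a withheld frame stays valid under the counter-only scheme but expires under the time-bound one, and a fob that loses a minute a day is locked out after one unsynced day yet works again right after a resync.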

  • grue@lemmy.world
    ↑ 25 · 2 days ago

    Like banning kitchen knives because somebody got stabbed with one once.

      • Nollij@sopuli.xyz
        ↑ 9 · 2 days ago

        Not removed - never added to the US designs. They were added afterwards to models being sold in places that require them.

            • kameecoding@lemmy.world
              ↑ 2 · 24 hours ago

              Still, what the fuck is Kia/Hyundai doing trying to penny pinch on that, it cost them a lot of reputation, meanwhile in Europe they are some of the best value cars and are reliable.

              • AA5B@lemmy.world
                ↑ 1 · 22 hours ago

                Here in the US too. They were definitely still cheap but respectable and their reputation was catching up with everyone else.

                Now we have to wonder about their EVs. In many ways they’re the most compelling of the few choices we have, for those not wanting a swasticar. But did they learn their lesson about cheaping out?

  • FellowEnt@sh.itjust.works
    ↑ 24 · 2 days ago

    “These devices have no legitimate purpose, apart from assisting in criminal activity, and reducing their availability will support policing and industry in preventing vehicle theft which is damaging to both individuals and businesses.” She added

    Yeah how about fuck off with this nonsense.

  • webghost0101@sopuli.xyz
    ↑ 19 · 3 days ago

    So now only criminals will be able to steal people’s cars. Well done.

    They won’t even be banned (which would be stupid). It’s on the owner to prove they have it for legitimate reasons. The end result will mean the devices will be more hidden in everyday seeming devices. And if they do eventually ban them fully that legal local technological knowledge will be dragging behind criminal innovation.

    You want these devices out there to increase awareness of their existence and to pressure manufacturers to make their devices more safe.

    Example: Remember how Tesla can remote (un)lock cars? Exploit waiting to happen and the potential ban on encryption is going to make it so much worse.

    Ostrich politics.

  • regrub@lemmy.world
    ↑ 15 · 3 days ago

    The article seems very non-technical. From what I read about the Flipper Zero, playback attacks aren’t supposed to work on modern cars that use rolling codes. The only way the attack can work is if you intercept the signal from the keyfob while also preventing the keyfob’s signal from reaching the car. Much easier said than done.

    • SwizzleStick@lemmy.zip
      ↑ 2 · 2 days ago

      Grab some keys out a bag in the office while the owner isn’t looking.

      Grab a code (it’s out of vehicle range, being inside).

      Go to the car park, replay the code and loot the car.

      You’d be caught quickly, but it’s doable.

  • Treczoks@lemmy.world
    ↑ 7 · 2 days ago

    As if that would stop them. The problems are at this side, it is the complete ignorance and disregard of operational security in the automotive industry.

  • Lad@reddthat.com
    ↑ 3 · 3 days ago

    All these new police powers, but do we even have enough police to use them? Lmao