this post was submitted on 27 Mar 2024
938 points (99.4% liked)

Technology

58303 readers
12 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 6 points 8 months ago (1 children)

If the security was so bad that removing part pairing would crash this, then it wasn't secure to begin with. Same argument as apple pairing the fingerprint sensor, the emsensor is only doing the reading, not the authentication.

[–] [email protected] 2 points 8 months ago (2 children)

They're right though. The security in newer cars and anti-theft features require that a couple of different modules talk to and validate each other. That's how it's designed to work to prevent theft or hacking. When your ECU talks to your keyless entry module or what have you they perform a handshake. That ECU and keyless entry module talk to the vehicle's starting system to validate that yes the correct key at the correct range is being used to send the signal to start the vehicle.

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago) (1 children)

You don't have to have paired parts for secure authentication. You just need parts that have been set up and authenticated beforehand. That is not the same as part pairing.

[–] [email protected] 0 points 7 months ago (1 children)

What's to stop me from going to a junk yard, paying for a key and the modules in question, attaching them to a different car and stealing that car?

[–] [email protected] -1 points 7 months ago* (last edited 7 months ago) (1 children)

Literally nothing stops you from doing that with paired parts. Nothing. Keyless cars get hacked, stolen, dismantled, and rebuilt all the time, just like any other car.

Encryption and authentication are equally secure with or without physical part pairing.

[–] [email protected] 0 points 7 months ago (2 children)

That's not true. The paired parts are attached to the VIN. Literally programmed with the VIN of the car and a lot of them are single use for specifically this reason. You don't know and you're very insistent.

[–] [email protected] 3 points 7 months ago (1 children)

You can get whatever paired modules with a paired key from a wrecked car and plug them into a different car and start it.

[–] [email protected] -1 points 7 months ago

You can't. That's the point. Once those parts are configured to a vin they only work with that vin.

[–] [email protected] 1 points 7 months ago (1 children)

I guarantee you that the paired parts can and will be swapped out or stolen. It does nothing to protect consumers. Give me an example of a manufacturer who uses paired parts and I'll find examples of thefts, hacks, and replacements.

[–] [email protected] -1 points 7 months ago (1 children)

Wrong wrong wrong wrong. Go to literally any dealer and ask a tech.

[–] [email protected] 1 points 7 months ago (1 children)

I'll be waiting for when you find an example, mate.

[–] [email protected] 1 points 7 months ago

I'll log into all data for this. Give me a sec.

[–] [email protected] 2 points 8 months ago (1 children)

Again, if you're so deep in the car that this matters, this is not the part that's going to stop you, unless the car is so poorly built that the keyless entry module is readily available without taking apart the entire car. This is a non-problem.

[–] [email protected] 1 points 8 months ago* (last edited 8 months ago) (1 children)

It isn't just one module. That's what I'm trying to tell you. There's a handshake. So replacing the Electronics control module or the Powertrain control module those modules have to be configured to the Vin. In my mother's escape the PCM is in the wheel well behind a liner held in by plastic clips. None of those parts can be replaced without being configured to the VIN.

As for poorly designed cars, yeah. They've been making them for years and security has been evolving. Doesn't mean we should set ourselves back in that arena because Joe wants to swap out his PCM with one from the junk yard.

CAN network injection can be achieved through the headlight well on some cars.

https://www.autoblog.com/2023/04/18/vehicle-headlight-can-bus-injection-theft-method-update/

[–] [email protected] 2 points 8 months ago* (last edited 8 months ago) (1 children)

I know that it isn't just one module. What is the handshake achieving exactly? Because it's not additional security from an attacker trying to replace the keyless entry module with a hacked one, and if it is doing that then this is a terrible security design and the actual solution is not to get to keep using this 'security' threat model.

[–] [email protected] 1 points 8 months ago* (last edited 8 months ago)

According to the diagram I'm looking at? The front door handle receives the entry signal from the key that's in proximity to the vehicle (I think it's something like within three feet). That signal is sent to a BCM (ECU), that then talks to other PAssive entry antennas on the vehicle to unlock the door. Simultaneously it talks to the PCM and IPC through the Gateway module, sending a Passive Entry enable signal. Those modules talk to the ignition switch allowing the vehicle to be started. Looks like this happens on what's called the High Speed CAN network. So the question is, if I can access this network via something like the PCM and the PCM isn't properly configured to prevent this, can I override the network without having the key with sufficient tech? That's problematic for a lot of reasons. So no. I don't think you should be able to go to a junkyard or pick and pull and buy a module that could compromise your network and I don't understand why anyone would want that. You absolutely can buy a module from the manufacturer and get a shop (not even a dealership, just an independent shop with the right tools) to configure a module.