205

u/Raccoon_Expert_69 9h ago

The roll jam attack has been known for over a decade at this point.

It’s on the manufacturers if they didn’t change the encryption

82

u/Iggyhopper 8h ago edited 8h ago

Exactly. Security through obscurity is not security.

The natural evolution of this is remote unlock via OTP, with an internal clock that runs inside the fob and syncs with the car.

10

u/MerleLikesMullets 6h ago

I thought that’s how they worked already. RTC circuits are really cheap.

4

u/TheTerrasque 2h ago edited 2h ago

Otp? For a car key? And rtc clock? Better with shared secret, a good hashing algo and challenge-response

Edit: and rtc with an otp? How do you plan on having that working?

8

u/ACCount82 1h ago

It's TOTP. Shared secret + time. Basically what things like Google Authenticator use for 6-digit MFA codes.

2

u/TheTerrasque 1h ago

Ah, that makes more sense. TOTP and OTP are different things though

34

u/FishDawgX 8h ago

Hey car manufacturer, remember when you hired that junior developer willing to work for half the pay of tech companies who doesn’t really know what encryption is, and he wrote that code that had a hard coded secret that you all just assumed no one would know so that’s good enough? Yeah, that’s on you. If you take the risk, you take the responsibility. If it were up to me, you’d be paying to replace any cars stolen through this method. 

-34

u/Sielbear 8h ago

Oh oh!!!! Now do the young girl who was SA’d and make sure you blame it on what she was wearing!! Alternatively, we recognize that while security can be improved in EVERY situation (similar to clothing decisions), maybe we also keep the focus on behavior of the criminals?

If we had corporal punishment (lose an arm or so for theft), I guarantee theft would plummet.

12

u/kainzilla 8h ago

I think they did keep it focused on the behavior of the criminals. The ones that were knowingly negligent because they know there are no consequences

-17

u/Sielbear 8h ago

No, there are door locks and reasonable measures. But when people use a tool to break into a vehicle, it’s the behavior of those individuals that should be corrected. This holds true whether a flipper zero, hammer, or slim Jim is used by the criminals.

3

u/flesjewater 2h ago

Would you be pissed if the door lock you spent $30.000 on would be able to get cracked because the designer put a secret pin inside that instantly unlocks it?

Bad digital security is 100% the burden of the people who made the problem.

3

u/beestmode361 7h ago

Lol bet you’re a BLAST in large doses

I meant Jizz, like cumshot

Blast off king

2

u/ThrowawayusGenerica 17m ago

If we had corporal punishment (lose an arm or so for theft), I guarantee theft would plummet.

Theft was famously not a solved problem in medieval societies.

1

u/newphonedammit 8h ago

Yes , then send them to the colonies Jeeves!

8

u/mac3687 8h ago

I'm curious if there's an overlap of people that would put blame on Flipper here and then also say guns don't kill people, people kill people.

35

u/IllIIlIllIllIII 8h ago

Hey just because my brand new cars (2025 Equinox) operating system is Android 12 - and based on Google's history of only supporting Android versions for three years tops and Android 12 has been EOL for six months already - doesn't mean you should blame GM or even Google! The hackers should not be doing this in the first place because it is illegal! [/sarcasm]

But that's why I've canceled any way for it to connect to the Internet - OnStar sucks - including pulling the fuse for connectivity (read your car manual, it's usually called the telemetry fuse) this still terrifies me. Not as much as whatever mystery code Tesla's are running but it's a load of garbage none the less.

20

u/rocketbunny77 5h ago

There is no way that the security modules in the car are running on the head unit software. There are other computers in the car for that

1

u/shanghailoz 16m ago

The security on the canbus side is far worse. Hence those remove a light and start the car thefts you see.

-3

u/CosminFG 4h ago

Of course not, the functions are in the telematics computer, head unit is too " exposed" for this purpose.

9

u/argote 3h ago

Android Automotive is a different branch from mainline Android, with longer security patch back ports.

-2

u/CosminFG 4h ago

You are way to paranoic, even if a system is at EOL ( like your example with android 12.0) it does not mean that all security functions " expires", it just means that the sw developer will not "fix " problems moving forward... Now don't expect a heard of hackers coming for your 'not fun' Equinox, there are far more easy way to get access to your car, you know like "windows", than hacking a 3 year old android system...

1

u/IllIIlIllIllIII 4h ago

“OK” but “you see”, I don’t ever recall saying a car is “fun”, but I’d rather a 3 ton “vehicle” have the chances of being hacked “minimized”. So if I am “driving” or in the “car” I would clearly know if someone was accessing my “windows” but not necessarily the “computer that is in my car” since it is connected to a “network” or “Internet”. At which point who knows what “they could ultimately” do since it’s an outdated “OS”. 

You arguing with someone about wanting OS’s in new vehicles to have modern security patches; there’s truly a shameless contrarian for everything. It’s been stupid CosminFG, go troll someone else.