The new car thief

[richlevy]

This article presents a good argument against buying convenience without considering security.

I now know which Ford model I'm not going to buy.

Quote:

Gone in 60 seconds--the high-tech version

Let's say you just bought a Mercedes S550, a state-of-the-art, high-tech vehicle with an antitheft keyless ignition system. After pulling into a Starbucks to celebrate with a grande latte and a scone while checking your messages on a BlackBerry, a man in a T-shirt and jeans with a laptop sits next to you and starts up a friendly conversation: "Is that the S550? How do you like it so far?" Eager to share, you converse for a few minutes, then the man thanks you and is gone. A moment later you look up to discover your new Mercedes is gone as well.

Quote:

Like vehicle immobilization, keyless ignition systems work only in the presence of the proper chip. Unlike remote keyless entry systems, keyless ignition systems are passive, don't require a battery, and have much shorter ranges (usually six feet or less); instead of sending a signal, the keyless ignition system relies on a signal emitted from the car itself. Keyless ignition systems allow you the convenience of starting your car with the touch of a button without removing the chip from your pocket or purse or backpack. Given that the car is more or less broadcasting its code and looking for a response, it seems possible that a thief could try different codes and see what the responses are. Last fall the authors of a study from Johns Hopkins University and the security firm RSA used a laptop equipped with a microreader. They were able to capture the code sequence, decrypt it, then disengage the alarm and unlock and start a 2005 Ford Escape SUV without the key; they even provided an online video of their "car theft." But if you think that such a hack might occur only in a pristine academic environment, with the right equipment, you're wrong.

[Kitsune]

Now if only people would understand that RFID chips are just as vulnerable (same thing, really), the state department might understand that putting them in passports is a really bad idea.

[glatt]

Very good article in Wired this month:

Quote:

James Van Bokkelen is about to be robbed. A wealthy software entrepreneur, Van Bokkelen will be the latest victim of some punk with a laptop. But this won't be an email scam or bank account hack. A skinny 23-year-old named Jonathan Westhues plans to use a cheap, homemade USB device to swipe the office key out of Van Bokkelen's back pocket.

"I just need to bump into James and get my hand within a few inches of him," Westhues says. We're shivering in the early spring air outside the offices of Sandstorm, the Internet security company Van Bokkelen runs north of Boston. As Van Bokkelen approaches from the parking lot, Westhues brushes past him. A coil of copper wire flashes briefly in Westhues' palm, then disappears.

Van Bokkelen enters the building, and Westhues returns to me. "Let's see if I've got his keys," he says, meaning the signal from Van Bokkelen's smartcard badge. The card contains an RFID sensor chip, which emits a short burst of radio waves when activated by the reader next to Sandstorm's door. If the signal translates into an authorized ID number, the door unlocks.

The coil in Westhues' hand is the antenna for the wallet-sized device he calls a cloner, which is currently shoved up his sleeve. The cloner can elicit, record, and mimic signals from smartcard RFID chips. Westhues takes out the device and, using a USB cable, connects it to his laptop and downloads the data from Van Bokkelen's card for processing. Then, satisfied that he has retrieved the code, Westhues switches the cloner from Record mode to Emit. We head to the locked door.


follow link above for more...

[xoxoxoBruce]

Should have hired a Mexican for a few bucks to guard the door.