RFC 4226 (HOTP) would still be vulnerable to replay attacks in some situations. In the case of old-fashioned key fobs, where you have to press a button to unlock the car, imagine someone who has brief access to the key fob while you are out of range of the car. The attacker can press the button once, record the code transmitted by the fob, and then hurry out to your car, replay the recorded code, and gain access to the vehicle.
For more modern key fobs, it gets more complicated. These are designed so that you don’t have to press any button for unlocking the car. As long as the fob is in your pocket, the car will unlock itself when you walk up to it and lock itself when you walk away, no interaction required. Nice, right? Except the implementations of these (at least the early ones) turned out to be completely insecure. Now if you use HOTP in this case, well then all the attacker has to do is pretend to be the car and request a code while you are out of the car’s range. Then record the code, go back to the car, replay it and profit.
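The HOTP behaviour described in the two paragraphs above, as an added example that is not part of the original text: a minimal RFC 4226 implementation with a hypothetical car-side `Receiver` (the class, its look-ahead window of 5 and both scenarios are assumptions; the secret is the RFC 4226 Appendix D test secret). It shows that a code the car has never seen stays valid until the car accepts a later one, while a code it has already accepted or skipped past is rejected.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Receiver:
    """Hypothetical car-side verifier with a look-ahead window for missed presses."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # codes for counters <= c are now dead
                return True
        return False

SECRET = b"12345678901234567890"  # RFC 4226 Appendix D test secret

def unseen_code_scenario() -> tuple:
    """Button pressed out of range: the car never sees the code for counter 0."""
    car = Receiver(SECRET)
    unseen = hotp(SECRET, 0)
    first = car.verify(unseen)   # still valid: the car's counter never moved
    second = car.verify(unseen)  # rejected: the counter advanced past it
    return first, second

def superseded_code_scenario() -> tuple:
    """The owner's next press reaches the car before the older code is presented."""
    car = Receiver(SECRET)
    older, newer = hotp(SECRET, 0), hotp(SECRET, 1)
    return car.verify(newer), car.verify(older)

if __name__ == "__main__":
    print("unseen code, then same code again:", unseen_code_scenario())
    print("newer code, then older code:", superseded_code_scenario())
```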
In fact, it turns out, these modern key fobs took a lot of effort to secure. Early manufacturers decided to implement proprietary challenge-response mechanisms. A cryptographically secure challenge-response system, what could go wrong?
Well, guess what the car thieves did?
Easy. They simply amplified the signals transmitted by the vehicle and the fob to make the challenge-response mechanism work over much larger distances than it was meant to. So your BMW is parked outside your house and you are snug in bed having a good night’s sleep. Someone walks up to your window with a special device. The device relays an amplified challenge from your car to the key fob in your room. The fob thinks the car is nearby (how else did it receive the challenge?), so it computes the response and transmits it back. The device amplifies the response so it reaches the car, and BOOM, when you wake up in the morning, your shiny new BMW is gone.
So then, the manufacturers had to apply further security measures, like measuring the time it took for the key fob to respond. If it took too long to receive the response, the car would conclude that the fob was out of range. But I guess the car manufacturers have learnt their lesson by now and have more robust security.