I run a simple little blog here. I don’t even make any money off of my site, although I’m not averse to doing so as long as it isn’t obtrusive. I don’t sell anything, nor do I accept submissions other than comments. The posts here are my own: they aren’t scraped, syndicated from, or re-posted from anywhere else. Mostly, this site is a vanity site, like a billion others on the Internet.
Despite the complete lack of commercial value to my site, it gets spammed. Comment spam was a problem a few years ago, and I’ve managed that via the Akismet and Bad Behavior plugins for WordPress. There are still about 100 spam comments a day hitting my site, but only one or two make it through my watchdogs. Lately, however, there has been a new irritant: spam users.
I have had a rough couple of weeks at work. I won’t go into the details other than to say “security reviewer”, which should give some sense of how little fun I’ve been having.
A lot of folks these days have at least part of their home network on wireless ethernet, or WiFi. I have two wireless access points in my house, for example, and plan on adding a third. Wireless networking has security considerations: unless your WiFi network is encrypted, someone outside your home can use your bandwidth or, potentially worse, intercept your data. Wireless security was improved significantly a few years ago with the introduction of WPA (WiFi Protected Access) after the previous security method, WEP (Wireless Encryption Protocol), was “cracked”. Since then, wireless networking has been pretty much secure against any intrusion. Until now…
As a Canadian, I suffer from every little twitch our American friends make. And as I see more and more evidence of the devolution of that once free (if somewhat arrogant) nation into a fear-crippled police state, I feel I have cause to worry.
If you buy an upscale new car today or in the near future, say a BMW, Mercedes, or Cadillac, there’s a good chance that you won’t have a key. Instead, you’ll have a little fob, sort of like the keyless entry control you are likely used to. To start the car, you’ll just push a button; the car will have confirmed that you have the right fob and will allow you to start the engine (or not). No key to pull out of your pocket or fuss with. This all sounds very high-tech and convenient. Unfortunately, the methods used by the car and the keyfob to validate each other are pretty porous and easily crackable. Even easier than the keyless entry system. And unlike the keyless entry system, they let you start the car and drive away as if you own it. The article I link to above lays things out pretty clearly, but here’s the gist of it. Remote keyless entry fobs are “active”: they have a battery and broadcast a signal only when you press the button on the fob. The new keyless ignition systems work the opposite way: the fobs are passive, and the car continuously sends out a signal looking for the authorization response. Someone with some basic computer equipment can pick up that signal, identify its nature, and try a simple brute force attack until the car responds. The encryption code (key) used by the cars is a relatively weak 40 bits in cryptographic length; for comparison, your web browser supports a 128 bit key. A 40 bit key can be broken by a laptop in a matter of hours, possibly much faster if the thief has some clues such as those given by the car sending out its query signal. Since getting a response means the thief can actually start and drive away in the car without a hitch, and since most cars with this system today are in the $60,000+ range, hacking the code is worth the effort. David Beckham of soccer fame has had his BMW sport utility vehicle stolen this way not once, but twice. Apparently, the manufacturers of the cars using these systems don’t think their vulnerability to hacking is worth worrying about. For myself, I’ll probably think twice if I happen to one day be looking at cars with this keyless ignition feature…