
Neat analysis. Do keyless entry cars not have some kind of "too many presses" sensor that would slow this process down or render it impossible by making you start over? I don't know, I'm just asking.



Given the huge security holes already known to be present in the median auto electronics system, my guess is "absolutely not".

There may be some additional consideration for luxury-branded models, but for the standard models, the consideration is primarily whether it works for the auto-buyer every time, not how this could be used as an attack vector.


That’s awfully cynical. It also happens to be completely wrong. I extracted the following from a horrible Answers.com FAQ that was spread over 75 slides (barf):

"If the wrong code has been entered 7 times (35 consecutive button presses), the keypad will go into an anti-scan mode. This mode disables the keypad for one minute and the keypad lamp will flash. The anti-scan feature will turn off after one minute of keypad inactivity."

The Ford Explorer is hardly a “luxury-branded model”, and I’d venture that Ford uses this same system on all their models, across brands.


Except that 35 consecutive button presses is actually the wrong code entered 31 times. That security feature only adds 101 minutes (and about 400 button presses) to the cracking process.

I think I am correct to be cynical.

And why would you subject yourself to answers.com just for that?


Do you think this is an honest assessment?

"That security feature only adds 101 minutes (and about 400 button presses) to the cracking process."

Only adds 101 minutes? I'm incredulous.

The claimed attack time is 20 minutes. By your assertion, this security feature increases the required attack time by a factor of 5. Were this a virtual system, that is trivial, but this attack requires physical presence, or at least the presence of a device.

I think your cynicism is unjustified, as the extra time makes this an undesirable attack vector in light of the alternatives. Anyone willing to spend 100+ minutes at a car door is just going to use a slim jim or move on to an easier target instead.


In contrast, requiring that each unlock attempt be a separate sequence of five button presses with a ten-second timeout between attempts would make the brute force attack take 15625 button presses with 520 minutes of waiting for timeouts.

The security feature is a useless patch on a fundamentally flawed foundation. It is less effective than fixing the underlying problem, which is that a well crafted attack can rule out one code per additional button press.

Making odd and even numbers discrete buttons increases the attack difficulty by a factor of 32. These things are not difficult or unpredictable. Literally anyone with a calculator and 15 minutes to think about security could come up with ways to improve the system superior to the BS band-aid they came up with.

If someone is attempting this, they will have barely-detectable near-instant access to your vehicle's interior from that moment forward. This isn't just about using a slim jim to grab your valuables. That someone could also smash your window with a rock. What happens when someone wants to photograph your auto registration while you are in your office, and visit your home address at a later time? Perhaps you use the same 5-digit code for something else? The attack space for that something else is now just 32 attempts.

Thinking about security threats requires predicting criminal motives. Cracking the keyless entry system is not a simple robbery tactic. The person doing it is after more than the contents of your vehicle at that instant.


I initially posted to refute this claim:

> Given the huge security holes already known to be present in the median auto electronics system, my guess is "absolutely not".

Which is provably false. There is a system to slow down attackers, and it results in a 5x increase in attack time. The rest is tangential to the point.

Yes, it could be better, but you're trivializing what isn't trivial. A 100 minute increase is not trivial. Yes, it'd be even better if it took hours. It'd be even better if it took years. If you're concerned about the security of your vehicle, why have this system at all? It's a trade-off in convenience for security, which many people can afford. All of these are tangents, but they do not qualify a response of "absolutely not" in response to the original inquiry.

Nothing else you've said is wrong, but it seems like you're grasping at other points in order to justify your cynicism, which was proven unfounded. I won't be baited into an argument that the safeguards could be improved.


"Given the huge security holes already known to be present in the median auto electronics system"

Would you mind listing some?


The first thing that comes to mind is the vehicle audio system using the same electronic communication bus as its critical engine electronics.



