Why don't modern cars have modern security features?
Posted by milifiliketz@reddit | cars | View on Reddit | 70 comments
I live in Canada and car theft has become a huge problem here. I won't even go into the political enabling factors behind it, but it boggles my mind that this is even possible from a purely technical perspective.
My brother in law owns a Lexus that he's scared to take out of the garage or leave in a mall parking lot. What's even the point of owning a car then?
A modern car is a computer on wheels. Hacking into someone's computer requires skill. And if we take out the low hanging fruit such as phishing attacks from the rquation, then it requires serious skill!
A modern car thief on the other hand can be pretty much anyone. They're mostly minors without any qualifications. Yes, they use some sophisticated tools, but still, they can drive away in a matter of minutes. Why is it even possible for an unauthorized user to gain access to the car computer? Why wouldn't a car in this day and age have a fingerprint scanner or a pin pad? This simply doesn't make sense.
NOLA-J@reddit
It's never been easier to steal a car. GM and Stellantis are the worst offenders.
AKADriver@reddit
Before the 1990s every car on the road just had a very easily manipulated physical key switch that you could bash and turn with a screwdriver. Before the '80s you could start most cars just by bridging the starter solenoid (and most cars you could open the hood completely from the outside). It was astronomically easier to steal cars back then.
PJKenobi@reddit
There is no incentive to stop it.
Some steals your buddies insured Lexus. He gets a check (along with higher insurance bill) Lexus gets to sell another one. Car thief gets paid when he ships it to Africa or SE Asia. Literally everybody wins.
Sounders1@reddit
The brother doesn't win, his premiums go up and he is inconvenienced by losing his vehicle. He has to deal with a police report, insurance red tape, and the hassle of getting another vehicle. None of that is smooth sailing.
Ran4@reddit
No, the premiums of everyone's car goes up a bit, but premiums aren't individual anymore. That hasn't been the case for years and years.
PJKenobi@reddit
No one that matters cares about the brother. Every that matters (in capitalism) Wins
Alexa_Call_Me_Daddy@reddit
The manufacturer loses a sale in whichever market it gets shipped to, the insurance company has to pay out. Definitely not an "everyone wins" scenario by any stretch of the imagination.
dhille01@reddit
You've been suckered into believing in the "broken window" fallacy. It's not real, and never has been.
A. The Buddy loses probably monetarily, and has to spend resources to find and buy another car.
B. Lexus loses in reputation potentially, and possible interest on loan payments.
Not to mention that if a car is easily stolen, it could as easily be stolen off of a lot as well as a driveway.
Literally no one wins except the thief.
Porshuh@reddit
This. I can’t believe people actually think hardened anti-theft systems are impossible.
FearlessTomatillo911@reddit
You build a 10 foot wall, someone makes an 11 foot ladder.
There is too much money in stolen cars, bad actors are motivated by both the challenge of cracking a system and the financial reward for it.
Porshuh@reddit
That’s not how it works.
There would be less money in it if it was prohibitively expensive to steal them.
JawKeepsLawking@reddit
Crime is an arms race, i dont think theres anywhere on earth that has solved organized property crimes.
FearlessTomatillo911@reddit
You can't just make a car prohibitively expensive to steal though, it's a much more complicated problem due to the nature of a car.
Porshuh@reddit
You absolutely can make a car that is sufficiently difficult to steal such that the average car thief can’t possibly manage it, even with tools made by their betters.
I’m not saying it wouldn’t be cost-prohibitive in the current market.
You really don’t know anything about the technological feasibility of this beyond platitudes about ladders, I’m guessing.
FearlessTomatillo911@reddit
I've been a software developer for about 20 years and cars are essentially rolling computer systems now. I know a little bit about cyber security...
Cars are a challenge because they are designed to move about. Cars also need to be worked on by independent shops, if shops have the tools to reprogram car keys then bad guys are also going to get these tools. The only way to make an uncrackable car would be to completely shut out third party shops.
Porshuh@reddit
Which absolutely should be a user-toggled option at the behest of already authorized keys.
FearlessTomatillo911@reddit
People need a key reprogrammed because they have lost their authorized keys.
The other challenge is even if it's locked to dealer only units the weakest part of a security chain is the human element. Crooks get their hands on dealer computers too because someone making 20 bucks an hour gets offered 10 grand to 'lose' one.
Porshuh@reddit
In the case that all keys are lost while the toggle is active they will have to go through the OEM. It'll be a compromise made for the peace of mind.
Anyways, I'm not saying that should be the extent of improvements by any means.
FearlessTomatillo911@reddit
Because of the nature of encryption it's not something you can just toggle off/on the canbus would have to come from the factory either with dealer encryption or other encryption.
This is also just solving one of many challenges which is where we are getting to the unsolvable problem.
Because it's a car, what they'll do is put it on wheel dollies, jam it into a shipping container, ship it to Dubai where they can reprogram the keys at their leisure from a compromised dealer.
Sambo376@reddit
That would make it prohibitively expensive to design/build and no one would be able to buy it.
ItsGizzman@reddit
Well, both the victim and insurance company lose in this scenario, no?
dfBishop@reddit
The second insurance companies start to lose money, they pull out of whatever market they're losing money in.
Multiple companies stopped insuring Kias over the last few years due to the Kia Boys trend of breaking into and stealing them.
They're jacking up rates now but I imagine will soon leave Southern US states due to the increased frequency and intensity of tropical hurricanes.
Insurance companies NEVER lose. Just their customers.
FearlessTomatillo911@reddit
That's not true in Canada, insurance companies are required to offer insurance to everyone. If you're in a very high risk group it's called facility insurance.
JawKeepsLawking@reddit
Sure, theyll offer you a premium of 4x the insured property is worth. The equivalent of a mechanic quoting an absurb amount to get you to go elsewhere.
the_lamou@reddit
First, plenty of insurers go out of business.
Second, insurance companies post losses all the time — it's very much a boom/bust industry where some years you lose big and since years you win big and you hope that it all comes out a wash.
Third, if they leave a market, that's also a loss, as that reduces their total market success and by extension their ability to earn more.
I know we all hate insurance companies because they charge us money, but the rain they have to keep charging more is because they lose pretty regularly.
ItsGizzman@reddit
100% agree. My point is more so that them losing money even once (like in OPs scenario) is the catalyst for them making those decisions.
dfBishop@reddit
That's just the cost of business for them. The same as a baker buying flour or a car manufacturer buying steel and rubber. Gotta spend money to make money!
Trollygag@reddit
Hacking into someone's computer remotely requires skill.
Hacking into someone's computer that you have physical access to is child's play, even for someone who doesn't know what they are doing.
I feel like you don't really know anything about technology. Fingerprint scanners and pin pads aren't secure. They are only designed to provide fast access, superficial screening, and have multiple bypasses for when they break or are forgotten, and since cars are bought and sold and no carmaker can brick a car by their owner forgetting their pin or never learning someone else's, they would require backdoor.
Physical access, backdoors, leaked keys, these are how car thieves get into cars anyways, so you are back at square one just with extra steps and expense.
RocketGuy3@reddit
I agree with most of what you've said here, but I'm curious what you mean by "hacking" or "physical access" when you talk about the ease of hacking a computer physically. Assuming you lock your computer with a secure password, and that you encrypt your drive, it shouldn't be easy to hack your computer. Especially for someone who doesn't know what they're doing.
zhululu@reddit
Different levels of security will obviously make it take longer to get in but in pretty much any linux system with physical access just reboot the machine, if you’re lucky there’s a recovery mode somewhere right there, if not google distro + recover root. Sometimes something as simple as pressing “e” in grub lets you edit the bootloader script and you can force it to spawn a shell as root before it’s even thought about passwords. If it’s windows download the driver development kit and boot off usb in safemode, same thing.
At that point you’re free to mount the root partition, enable/disable any extra layers of security that start after the kernel (most corporate windows security layers run as drivers you can manually remove from loading), change local file permissions as a temporary root/admin user, disable network access to force any recent remote users to use the local cached credentials and easily googleable clever ways to persuade the system to accept no password for those accounts, etc.
The more layers of extra protection you wrap around it, the more steps are involved and the longer it takes and the less data you’ll easily gain access to but it’s still child’s play relative to remote access escalation. That’s usually what people mean when they say local access is root access. The time it takes to gain control of a physically accessed system is peanuts compared to the effort involved in discovering a new remote escalation exploit.
RocketGuy3@reddit
Lol you and I clearly have very different definitions of "child's play" for someone who "doesn't know what they're doing" lol.
Also system level encryption (like BitLocker in Windows, FileVault in MacOS, or LUKS in Ubuntu) should be very difficult to bypass. Not to mention that much of the sensitive application data on the system will be stored in a keychain or encrypted file.
zhululu@reddit
Bitlocker and so on are one of the things I was alluding to about adding more layers of security. I wasn’t going to go through every thing that might be done and the most common ways around it.
The relative difference in difficulty is so extreme that using “child’s play” as a metaphor to express how easy one option is relative to the other. One requires even seasoned experts may never uncover a chain of exploits that allow remote privileged access. The other is googling what systems are already in place and built in for when people forget their passwords and following the top answer on stack overflow.
RocketGuy3@reddit
I'm still not sure I agree. I would argue that once a computer is unlocked, and a drive has decrypted access, there are some exploits that could in fact make it easier to get remote (or semi-remote) access to a computer, depending what ports you have open, or whether you're using the default router password, or whether you can remotely communicate with the human on the host machine and social engineer them.
I don't think it's that easy to google search how to bypass drive encryption.
zhululu@reddit
Did I say it was? I said specifically drive encryption are the things I was alluding to that make the above more difficult.
RocketGuy3@reddit
You replied before I was able to edit into my above post, but overall, yes you're right, it's of course easier to do malicious things with physical access, but I just took issue with how easy the poster I was originally replying to made it sound. Modern operating systems and hardware give us pretty secure consumer devices when used properly.
zhululu@reddit
Ah sorry I happened to be sitting here staring at my phone and saw the notification pop up. Didn’t mean to snipe you before you could clarify your post.
Let’s just cut it off here. I think the phrases used to indicate how easy it is were accurate enough for casual conversation, you think it makes it appear easier than it really is. At this point it’s just a judgement call on an opinion for phrasing that the OP likely didn’t think too much about.
Have a good one my dude or dudette. Let’s get back to talking about cool cars.
FearlessTomatillo911@reddit
There is a saying in the cybersecurity world that if you can touch a device or get your device on a network you can own it. Physical security is super important for cybersecurity posture.
zhululu@reddit
pretty much. It’s like a safe. It’s not if someone can get in, it’s how long it’ll take them to get in. Sitting them down in front of the safe with unlimited physical access the game is already over, just waiting for the clock to run down. Your best security protocol is stopping them from getting there to begin with.
WorldlyAdvance698@reddit
What? Manufacturers could easily build systems that are much harder to hack. If they did you could still break a window or bypass a lock to physically get into the car, but you wouldn't be able to drive it without the keys
They just don't care enough to do anything though, their responsibility ends the second you drive off the lot
stoned-autistic-dude@reddit
So cars were still stolen back in the day when keys were required to drive off with the car. You even had to put the key in the ignition and start the car.
hehechibby@reddit
Newer Lexus do have an updated encrypted CANBUS, so the 'pry-off-fender-and-hijack' method shouldn't work; just until the day cars come standard with like bulletproof glass, they'll always be susceptible to the 'ol windshield glass-hammer method
0_throwaway_0@reddit
As someone who’s car has been subject to the ol’ smash and try-to-grab (there was nothing to grab), I would love to see carmakers figure out a way to balance egress concerns in accidents with more secure windows.
My impractical proposal - a thin metal window covering that sits in the same pocket your windows roll down into, that can be actuated with a separate switch. When driving, no metal shield. When parked, hit the button and your windows are covered.
deleted_by_reddit@reddit
[removed]
AutoModerator@reddit
Your comment has been automatically removed because you posted a shortened or redirected (usually google) URL. Post a direct link to your source, not search results, AMP, or MSN.com. Please see the rules in the sidebar, or by clicking here.
I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.
JawKeepsLawking@reddit
When parked and you thought you dropped your kid off at daycare but theyre really in the backseat and now theyre locked in a cage for 9 hours and no one knows.
MurphysRazor@reddit
I think as an option it would end up a "tanked" effort.
Aurashock@reddit
They also can’t program new keys like thieves do with dodges, they need to have access to Toyota’s TIS, GTS, and have the necessary paperwork to even have TIS generated an encrypted key code
ConsistentWish6441@reddit
the problem with software is that at the end of the day its just 0's and 1's. tech over the internet is more secure only because the lack of physical access. something you have physical access to is extremely difficult to secure since they can just take it apart beyond the 'point of security' and go from there.
tech is modular, so, to say so, if there is a secure gate, if they have access, they'll just remote the gate altogether and go from there.
regardless of what I said, I still believe carmakers are doing similar things to old life insurace, health insurance etc companies: they simple never needed to really be up to date with tech and so they ever undersfunded tech. It's beyond me why 5-10 year old cars gps's are so utterly terribly shit and can't be updated properly.
JawKeepsLawking@reddit
Electronic security is no match for physical security and physical access trumps all.
Hugh-Jass24@reddit
Sentry mode on Tesla's have been pretty good and it is one of the hardest vehicles to steal.
FearlessTomatillo911@reddit
That's also partly because there is no market for stolen Tesla's.
Most stolen cars get shipped to Africa or the Middle east which don't have the charging infrastructure.
Also there a very few third party repair places so they can't even really strip them for parts.
Hugh-Jass24@reddit
Thats interesting. Cars in my city usually get stolen by hoodlums looking for joyrides or looking to commit other crimes.
FearlessTomatillo911@reddit
It's an entire industry, I live in Canada and cars get stolen here and put into a container and shipped overseas in a matter of a few days.
WyoGuy2@reddit
I saw a CBC special on that years back. I’m surprised they still haven’t gotten a handle on it.
Any ship with cars on its manifest should be immediately inspected to make sure the title holder is aware. Or ban their export entirely. It’s not like Canada has a giant surplus of cars they need to be shipping overseas.
redgrrr@reddit
My 2007 Sedona has an intrinsic anti-theft device.
Burgershot621@reddit
Buddy and his wife went to Montreal in their newer Highlander. They’re from Vermont. Parked it on the street overnight, someone stole it. Smashed their window and took off. Cops said if they didn’t recover it in 24hrs it was already on a ship to Africa. TLDR: agreed it shouldn’t be that easy to steal a car in 2024.
Elianor_tijo@reddit
And as a result has a lot of attack surface. Remember how some CR-Vs were stolen a lot. Well, turns out there was a vulnerability where you could come to the car with a brand new non-paired key fob and make the car think it needed to pair with it. No need to break anything and on your way you were.
Manufacturers could do better, but the tech is both a blessing and a curse in terms of security. It makes some things more secure, but provides new attack vectors.
By the way, have you ever heard of malware as a service? You have hackers making businesses of selling plug and play tools to hack computers, etc. No, I am not talking about the flipper zero. I mean, software/hardware designed specifically for criminal purposes that comes with licenses and support.
Because, then you'd just have the human malware issue. Wait for the owner to come back and threaten them to get them to unlock the car and then steal it. Those sensors, pins, etc. will also have other attack vectors. There is only so much you can do.
Also, Kia boys aside, the minors may be the ones stealing the cars. That does not mean there isn't an organized group behind providing the tools. The issue with cars being stolen in Canada, put in containers and shipped overseas is from organized crime. The low level thieves are doing the actual stealing, but there is a well oiled machine behind them.
The tl;dr is that there is no way to completely secure something like a car. Any technological solution will just provide additional attack vectors, so you may block some and provide new ones. Now, car makers also have a pretty poor track records at doing a proper job of securing things too. It's less about them adding more tech and putting together a proper team to design security in the car.
StandardCicada6615@reddit
No way in hell I would ever buy a car that requires me to enter a password every time I want to start it. Completely and utterly asinine idea.
SlingingSpider@reddit
Security is simply a deterrent.
Dangit_Bud@reddit
I do find it funny that my 20 year old car with a physical key with a chip is harder to steal than a brand new one that someone just needs a couple of antennas to relay the signal from.
Rented a car the other night and literally had to find a metal box in my house to put the key into just on the off chance that that's the one night in 15 years I lived there that someone thinks "Hey, I ought to steal a car from this dead end street in a safe and quiet part of town".
handymanshandle@reddit
Is it “harder to steal” or is it not worth stealing? My Mercury Montego wasn’t worth stealing because there’s no point in stealing an underpowered boat when a Scat Pack is a quarter of a mile away and far more desirable.
Dangit_Bud@reddit
Fair point, but what I am saying is that even 20 years ago when they were new, they were harder to steal than a new car today.
Sure, you can break a window and get in, you can defeat the steering lock and turn the ignition but all it does is start and shut off immediately. Yes, you could bring a security module and the ECU with the security features disabled and swap them in and then drive away, but that requires planning and hardware specific to each car. Alternatively, you are sitting there with a laptop recoding modules on the spot ... it all takes significant time and knowledge.
All you need now is a couple of antennas with receivers and transmitters and 2 people to stand near the FOB and near the car ...
handymanshandle@reddit
More often than not a lot of the more desirable cars to steal nowadays that aren’t Kias without immobilizers are stolen with tools acquired from a dealership. That’s how a bunch of Chevy SSes were stolen in Houston. Not saying that you can’t get the tools necessary to make your own transmitter to steal a car that functions like that, but those who were looking to steal were already watching for your car in practice.
jcforbes@reddit
Actually literally harder to steel. Any car with the type of system where you can leave they key in your pocket and unlock and start the car is basically only slightly more safe than leaving the keys in the ignition. The key is constantly sending out a signal. If the car is in the driveway and the key is just inside the house (most people set them on a table or a key rack inside the door) you just need to get close to the door with a receiver which then re-transmits that key signal to a transmitter which acts like the key and tada, you walk up, open the door, start the car, and off you go.
DrZedex@reddit
Vehicle security is a walls and ladders game, and it's all a moot point when a used repo truck sells for cheap.
The real question is why doesn't Canada have security features?
HashtagSkilletTime@reddit
Car development is slow, and until recently, the software was pretty much fixed from the day it was made until it died.
Your computer or phone is updated monthly or more.
Currently, jack steals a car with a laptop. Tells Jim, 6 weeks later they're selling a phone app to steal that model of car. Big problem, makes the news.
Most new cars can get over the air (remote) updates. So, jack steals one, lexus pushes an update in a few weeks, and only one or two cars were stolen that way.
Theft tools out paced the protection until people got upset.
Vict0o0o@reddit
When a car is stolen, they can sell you a new one. Insurance companies don't care, the customers are the one paying higher premiums, their profit margin stays the same or increase.
ursastara@reddit
Because that would increase the costs and eat up profit
Craziest part is these stolen cars are exported by the boatful, if there isn't a market for these stolen lexus's then there would be less incentives to steal
mortalcrawad66@reddit
Locks keep out honest people. People have opened up cars with a hundred dollar toy, and you can build one for a lot cheaper. It's just the way of things. Come up with a lock? Someone invents a key.
Ford's have a keypad by the way, and they own the patient.
FearlessTomatillo911@reddit
The sophisticated tools would be able to defeat the pin or fingerprint scanner, since they get access to the cars computer they'd just reset that stuff.