• FiniteBanjo@lemmy.today
    link
    fedilink
    English
    arrow-up
    23
    arrow-down
    4
    ·
    8 months ago

    I don’t see any argument for vehicles, tbh. HVAC tinkering is almost exclusively high voltage so that makes just a little sense, don’t want people swapping a 350 volt AC capacitor with a 250 volt DC capacitor and having it blow up, but Vehicles means a manufacturer can do everything imaginable to limit part availability and kill aftermarket parts purely for profits.

    • atrielienz@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      2
      ·
      8 months ago

      I do for things like ECUs that are programmed to the vin to prevent theft or tampering that would allow an attack vector for the vehicle.

    • bluGill@kbin.social
      link
      fedilink
      arrow-up
      5
      arrow-down
      12
      ·
      8 months ago

      Vehicles need it because the keyless entry radio needs to pair with the engine start. Otherwise a thief can steel a car in a few minutes by bringing their own computers.

      • FiniteBanjo@lemmy.today
        link
        fedilink
        English
        arrow-up
        28
        arrow-down
        1
        ·
        edit-2
        8 months ago

        I guarantee you keyless start cars aren’t more secure because of paired parts. The encryption for the fob’s signal isn’t the result of a paired part.

        • T156@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          8 months ago

          Particularly as a lot of newer thefts just use an amplifier to boost the key signal, and fake the key being in the car. Part pairing wouldn’t help at all there.

        • atrielienz@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          3
          ·
          8 months ago

          Define more secure. More secure than what? A non-keyless entry car of the same year and model? A car from ten years ago that doesn’t have parts and modules that do a handshake and will immobilize the vehicle if the system is tampered with?

          • FiniteBanjo@lemmy.today
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            2
            ·
            8 months ago

            I’m not arguing that it is more secure. That’s what others said. I’m arguing it is a non-factor in security. Nearly unbreakable encryption methods exist without any reliance on physical part-pairing. The only benefit from it is the manufacturer profiting more off of it as users become more reliant on the manufacturer in case of device failure and replacement.

            • atrielienz@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              1
              ·
              edit-2
              8 months ago

              I think the immobilization is key here and not something I would trust from any third party. If a third party has access to the encryption method, so does a hacker with the right tools.

              Additionally, it’s configured to the VIN specifically so you can’t steal or buy genuine parts with a key you have access to and swap them into a vehicle that those parts don’t belong to. Chop shops have the ability to do this in the event that these modules aren’t configured properly and don’t require the right validation from other modules.

              • FiniteBanjo@lemmy.today
                link
                fedilink
                English
                arrow-up
                3
                arrow-down
                2
                ·
                edit-2
                8 months ago

                Encryption can be done purely between first and second party if you want to rely on the manufacturer for some reason, or if you’re really the complete owner you should have full access to the vehicle’s systems via physical connection and credentials. There is no need for third parties, for a comparison you don’t just give out your email account access or computer password do you?

                • atrielienz@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  arrow-down
                  2
                  ·
                  8 months ago

                  The government doesn’t as heavily regulate your email password or computer. The government does regulate automakers and the vehicles they produce. Included safety and security regulations.

                  • FiniteBanjo@lemmy.today
                    link
                    fedilink
                    English
                    arrow-up
                    2
                    arrow-down
                    3
                    ·
                    edit-2
                    8 months ago

                    So you’re implying Google Email is not secure? You think that because your computer is not physically paired to a google server that the Google encryption can easily be cracked, or that vice versa it couldn’t be if it were?

                    If those are your stances, then you are wrong on all accounts.

      • Passerby6497@lemmy.world
        link
        fedilink
        English
        arrow-up
        10
        arrow-down
        1
        ·
        8 months ago

        Otherwise a thief can steel a car in a few minutes by bringing their own computers.

        …you mean like they do currently?

        • bluGill@kbin.social
          link
          fedilink
          arrow-up
          3
          arrow-down
          2
          ·
          8 months ago

          Which is why manufactures are now putting those pairs in so you cannot do that anymore.

      • themoonisacheese@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        7
        arrow-down
        1
        ·
        8 months ago

        If the security was so bad that removing part pairing would crash this, then it wasn’t secure to begin with. Same argument as apple pairing the fingerprint sensor, the emsensor is only doing the reading, not the authentication.

        • atrielienz@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          8 months ago

          They’re right though. The security in newer cars and anti-theft features require that a couple of different modules talk to and validate each other. That’s how it’s designed to work to prevent theft or hacking. When your ECU talks to your keyless entry module or what have you they perform a handshake. That ECU and keyless entry module talk to the vehicle’s starting system to validate that yes the correct key at the correct range is being used to send the signal to start the vehicle.

          • themoonisacheese@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            1
            ·
            8 months ago

            Again, if you’re so deep in the car that this matters, this is not the part that’s going to stop you, unless the car is so poorly built that the keyless entry module is readily available without taking apart the entire car. This is a non-problem.

            • atrielienz@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              8 months ago

              It isn’t just one module. That’s what I’m trying to tell you. There’s a handshake. So replacing the Electronics control module or the Powertrain control module those modules have to be configured to the Vin. In my mother’s escape the PCM is in the wheel well behind a liner held in by plastic clips. None of those parts can be replaced without being configured to the VIN.

              As for poorly designed cars, yeah. They’ve been making them for years and security has been evolving. Doesn’t mean we should set ourselves back in that arena because Joe wants to swap out his PCM with one from the junk yard.

              CAN network injection can be achieved through the headlight well on some cars.

              https://www.autoblog.com/2023/04/18/vehicle-headlight-can-bus-injection-theft-method-update/

              • themoonisacheese@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                2
                ·
                edit-2
                8 months ago

                I know that it isn’t just one module. What is the handshake achieving exactly? Because it’s not additional security from an attacker trying to replace the keyless entry module with a hacked one, and if it is doing that then this is a terrible security design and the actual solution is not to get to keep using this ‘security’ threat model.

                • atrielienz@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  edit-2
                  8 months ago

                  According to the diagram I’m looking at? The front door handle receives the entry signal from the key that’s in proximity to the vehicle (I think it’s something like within three feet). That signal is sent to a BCM (ECU), that then talks to other PAssive entry antennas on the vehicle to unlock the door. Simultaneously it talks to the PCM and IPC through the Gateway module, sending a Passive Entry enable signal. Those modules talk to the ignition switch allowing the vehicle to be started. Looks like this happens on what’s called the High Speed CAN network. So the question is, if I can access this network via something like the PCM and the PCM isn’t properly configured to prevent this, can I override the network without having the key with sufficient tech? That’s problematic for a lot of reasons. So no. I don’t think you should be able to go to a junkyard or pick and pull and buy a module that could compromise your network and I don’t understand why anyone would want that. You absolutely can buy a module from the manufacturer and get a shop (not even a dealership, just an independent shop with the right tools) to configure a module.

          • FiniteBanjo@lemmy.today
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            1
            ·
            edit-2
            8 months ago

            You don’t have to have paired parts for secure authentication. You just need parts that have been set up and authenticated beforehand. That is not the same as part pairing.

            • atrielienz@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              1
              ·
              8 months ago

              What’s to stop me from going to a junk yard, paying for a key and the modules in question, attaching them to a different car and stealing that car?

              • FiniteBanjo@lemmy.today
                link
                fedilink
                English
                arrow-up
                2
                arrow-down
                3
                ·
                edit-2
                8 months ago

                Literally nothing stops you from doing that with paired parts. Nothing. Keyless cars get hacked, stolen, dismantled, and rebuilt all the time, just like any other car.

                Encryption and authentication are equally secure with or without physical part pairing.

                • atrielienz@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  arrow-down
                  2
                  ·
                  8 months ago

                  That’s not true. The paired parts are attached to the VIN. Literally programmed with the VIN of the car and a lot of them are single use for specifically this reason. You don’t know and you’re very insistent.

                  • PriorityMotif@lemmy.world
                    link
                    fedilink
                    English
                    arrow-up
                    3
                    ·
                    8 months ago

                    You can get whatever paired modules with a paired key from a wrecked car and plug them into a different car and start it.

                  • FiniteBanjo@lemmy.today
                    link
                    fedilink
                    English
                    arrow-up
                    3
                    arrow-down
                    2
                    ·
                    8 months ago

                    I guarantee you that the paired parts can and will be swapped out or stolen. It does nothing to protect consumers. Give me an example of a manufacturer who uses paired parts and I’ll find examples of thefts, hacks, and replacements.