通过

Real world security by obscurity

  • 项目

I first heard about this issue on Car Talk the other day, and recently ran into this article on Snopes about it...

It turns out that on VW cars (and other manufacturers), the pattern for the door key is based on the VIN for the car.

What that effectively means is that the security of your VW (or other) car is based solely on the difficulty of cutting the keys for the lock - all the information needed to generate the keys is publicly available (and externally visible on the car).

Imagine if the same were true of an operating system - what would we say about the security of a system where the recovery password for the system was etched onto the outside of the case, and if any helpdesk technician could come by, write down the recovery password and, using that recovery password bypass all the system protections?  Of course, the technician would have to own a $5,000 hardware decoding unit that would know how to convert the etched recovery password into the real password, but once they owned that decoding unit, they could bypass all the protections on your computer.

Would you buy such a computer system?

Comments

  • Anonymous
    April 13, 2005
    The comment has been removed
  • Anonymous
    April 13, 2005
    Edward, that's where the obscurity comes in.

    They're saying that the only people who have the ability to cut keys for this lock are licensed dealerships. But there's still going to be a mapping between VIN and key configuration.

    And if you use the syskey tool (provided since NT 4) you can eliminate (totally) the issues associated with LM hashes.
  • Anonymous
    April 13, 2005
    I think a better analagy is convicing a customer support person to tell you a password because you know the (public) username of your target.

    This seems to me to be more an issue of an extremely weak authentication system (easily forged title documents) rather than security through obscurity.
  • Anonymous
    April 13, 2005
    The VIN is visible from the outside of your VW? Wow. They must put the VIN somewhere really odd on the US models.

    On all European VW models I've seen, the VIN is inside the engine bay, so you need to get that open to discover the VIN. Since the engine compartment release is usually inside the cabin of the car, you'll need to be about as good at breaking and entering as would be required to get into the car in order to discover the VIN.

    So by the time you're in a position to read the VIN, you're already in a position to get into the vehicle.

    I initially thought I must have missed some subtle point about how the VIN was being discovered, but going and reading that snopes article, it sounds like they really do put the VIN somewhere you can see it on the US cars. Wow. Really? I'm astonished. Why on earth would you do that?

    Still, even over here, where we don't put the VIN on display, it's a pretty stupid idea to base the key on the VIN. VIN information is used to track service history. Some VW-owned brands have VIN information in their web sites in order to provide an online service history facility.

    So the VIN is kicking around on several databases, not all of which are under VW's control, and some of which also have owner name and address information in them...
  • Anonymous
    April 13, 2005
    In the USA, all vehicles have to display their VIN publically; usually it can be found on the left-hand side at teh corner of the a-pillar and the dashboard.
  • Anonymous
    April 13, 2005
    Car security is a joke. There have been so many cases where a key from one car will unlock and allow you to drive a completely different car that you have to wonder why the manufacturers haven't been taken to court about it.
  • Anonymous
    April 13, 2005
    Still I wouldn't say the pattern for the key is based on the VIN, but if you do a lookup for the VIN in the manufacturers database you can retreive the key code.

    A potential theif would need to have both a portable key cutter and remote access to the manufacturers system to be able to generate the appropriate key on the spot.
  • Anonymous
    April 13, 2005
    Whenever I hit my car's remote's unlock button and I hear another car beep at the exact same time, I wonder if I did it or if it was just coincidentally perfect timing... :/
  • Anonymous
    April 13, 2005
    I know what you are talking about. Turning on the switch for a light outside your house also turns neighbour's light on. Coincidence, Timing, X Files, Aliens....I'm still searching ;)

    >Whenever I hit my car's remote's unlock >button and I hear another car beep at the >exact same time, I wonder if I did it or if >it was just coincidentally perfect >timing... :/
  • Anonymous
    April 13, 2005
    The comment has been removed
  • Anonymous
    April 13, 2005
    Although of course you are correct about Windows passwords you forgot that thieves don't need to touch the computer to steal Windows its self...

    It was very nice of the OEM to print my CD Key on the side of my laptop where anyone with a digital camera or a good memory can just take it. And as Microsoft like to remind us, you don't buy Windows you licence it and thus the CD Key is the product not the CD or any other material.

    As an analogy wouldn’t this be like locking the car but leaving the proof of ownership documents on the roof?
  • Anonymous
    April 13, 2005
    The comment has been removed
  • Anonymous
    April 13, 2005
    I had a similar issue with my motorbike recently. I needed to charge up the battery, but I forgot to put the alarm into "service mode" first, so when I reconnected the battery the alarm went off, and I couldn't silence it with my remote. After digging through some info on the alarm (DataTool Evo, if you're wondering), it turns out that there's a way to "re-synch" the alarm with the remote, by holding down both buttons on the remote for 5 seconds. I did that, and it worked. My spare remote (where I hadn't done the resynch) also worked after that, so presumably this modified the system on the bike. This does make me wonder whether I could gain access to any other bike that has the same alarm system as mine...
  • Anonymous
    April 13, 2005
    I physically secure servers as my assessment of risk is if someone steals it. It doesn't much matter (for local access) if they know the password or not as they can't get to the keyboard to enter it.

    But many people who are locked out of their home machines would prefer the password on the case.
  • Anonymous
    April 14, 2005
    Many European cars now have external VIN plates. In fact it's an old idea, as my 1975 Vauxhall Firenza has a VIN plate on the top left corner of the dash near the A pillar.
  • Anonymous
    May 31, 2009
    PingBack from http://portablegreenhousesite.info/story.php?id=5431