Security is hard

I’m going to take a few posts to talk about security, and specifically how hard security can be sometimes. I enjoy collecting tech (and non-tech) security stories, so I’m going to share some of them here over the next few posts.

So to kick this series off, here’s an interesting brute force attack against the keyless entry codes used to unlock some cars. I saw this linked from kottke.org. The problem here is that the attack isn’t nearly brute-force enough: in only 3,129 keypresses, you can open any car door using a standard 5-button keypad. The article estimates that it will take you 20 minutes to enter. And, in fact, that’s the max length of time it’ll take; the average would be 10 minutes.

There are a couple of problems here. First, the 5-digit code would seem to be chosen from a keyspace of 100,000 potential keys, but unfortunately, there are really only 5 buttons, labeled 1/2, 3/4, 5/6, 7/8, and 9/0, so it's really 5^5 possibilities, or a mere 3,125. Furthermore, instead of needing 5 times 3,125 button presses, as the article points out, you wind up needing only one button press to test a code, leading to an 80% reduction in brute force time.

The other problem here is that the computer allows keys to be tested as fast as the attacker wants, with no regard for the number of missed key tries. Most secure login systems either lock the user out after a number of unsuccessful attempts or at least add enough delay between attempts to really slow brute force attackers down.
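To check the 3,129 figure and see what an attempt limit changes, here is an added example (not from the original post or the linked article) that models both keypad behaviours. It assumes the weak keypad compares the last five presses after every press; the `Keypad` class, the `max_failures` parameter, and button numbers 0-4 standing in for the five physical buttons are all constructed for illustration.

```python
from collections import deque

def de_bruijn(k, n):
    """Cyclic de Bruijn sequence B(k, n), textbook Lyndon-word construction."""
    a, seq = [0] * (k * n), []
    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        db(t + 1, p)
        for j in range(a[t - p] + 1, k):
            a[t] = j
            db(t + 1, t)
    db(1, 1)
    return seq

def covering_presses(k=5, n=5):
    """Unrolled sequence in which every n-press code appears as a window."""
    cyc = de_bruijn(k, n)
    return cyc + cyc[:n - 1]          # k**n + (n - 1) presses

class Keypad:
    """Constructed model. max_failures=None: rolling window, no limit (weak)."""
    def __init__(self, code, max_failures=None):
        self.code = tuple(code)
        self.window = deque(maxlen=len(self.code))
        self.max_failures, self.failures, self.locked = max_failures, 0, False

    def press(self, button):
        if self.locked:
            return False
        self.window.append(button)
        if len(self.window) < len(self.code):
            return False
        if tuple(self.window) == self.code:
            return True
        if self.max_failures is not None:   # hardened: discard entry, count it
            self.window.clear()
            self.failures += 1
            self.locked = self.failures >= self.max_failures
        return False

def presses_until_open(keypad, presses):
    """1-based index of the press that opens the keypad, or None."""
    for i, b in enumerate(presses, 1):
        if keypad.press(b):
            return i
    return None
```

With `max_failures=5` the hardened model locks after 25 presses of the same input, while a user who enters the right code first still gets in with 5 presses.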

So, is 10 minutes, on average, enough time to make you comfortable that someone would notice the attack in progress?
