Code grabbers, or scanners (devices that intercept the radio signal between a key fob and an alarm), appeared in the last century, almost simultaneously with the first electronic security systems. The fixed code used at that time was very hard to pick up with the technology of the day. But an unchanging signal is easy to store in the memory of a special radio receiver (a code grabber): it is enough to be near the owner's key fob once while the alarm is being armed or disarmed, and then to replay the command later, in the owner's absence.

In response, dynamic code was invented: with each transmission the code changes according to an algorithm stored in the memory of the key fob and the alarm. Replaying an intercepted code could therefore no longer help car thieves. But the thieves did not stand still. Without going into the mathematical details of the cryptanalysis, we only note that by recording several commands transmitted in sequence from one key fob, it is possible to work out the algorithm that generates the "secret" part of the dynamic code; it is only a matter of time.

To date (and for a long time to come), full protection against electronic hacking is provided only by a dialogue code with individual encryption keys. The system, having received a dynamically encoded command (the "password"), does not execute it immediately but sends a confirmation request: a random number, also dynamically encoded. The key fob receives it, uses its secret key and a complex algorithm to form a response, dynamically re-encodes that response and sends it back to the system. If the response is correct, the system executes the command; the whole process takes a fraction of a second. Unlike the key fob, a code grabber in the hands of even the most experienced thief does not know the code-changing algorithm or the encryption key, and cannot generate the response in the allotted time. But even these measures are not the limit of protection.

The dialogue code implemented in StarLine alarms and immobilizers guarantees absolute protection against hacking with any known code grabber. Each system uses an individual encryption key, transmitted only once, when the key fob is registered in the system. The key is 128 bits long, which gives 3.4·10^38 combinations. Even at billions of guesses per second, trying them all would take longer than the universe has existed. Solving this problem "head-on" with existing computing facilities is impossible.

When generating the response in the dialogue code, a hardware random number generator is used, which additionally protects against code hacking. In addition, the transmission of information packets is accompanied by short pauses, and the transmission frequency changes abruptly within an authorization cycle. These measures make both interception and decryption of the command more difficult, even though recovering an individual key is impossible in any case. In short: Koshchei's death is in a needle, the needle in an egg, the egg in a duck, the duck in a hare, the hare in a chest, the chest on an oak...

We often hear that the command sent by the remote control can be intercepted by a special device, the so-called code grabber or scanner.

A good example is a car alarm.

The radio channel over which data is exchanged between the alarm and the key fob has one big drawback: radio waves do not propagate in a single direction, and the exchange can be listened to from far away from the car owner. Such communication channels are called insecure, and the data transmitted over them is encrypted.

Data is transmitted over the radio channel as short sequences, called packets. Each packet can be thought of as a command, such as "Open the lock", or a response to a command, such as "The lock is open".

The very first radio-channel alarms had a static code: each command had its own fixed packet. The packet format was chosen by the user (or the installer) by setting the switches inside the key fob or by soldering jumpers.

Since there were few code options, you could sometimes open someone else's car fitted with the same alarm using your own key fob: the packet formats matched. Of course, such coding provided no protection at all: it was enough to listen to the packet for the "Disarm" command once, and then simply repeating it gave access to the car.

Probably that is when the first code grabbers appeared: technical devices intended for intercepting, decoding and repeating the code. The ultimate goal of an attacker using a code grabber is to disarm the car they have chosen, and then either steal from the passenger compartment or steal the car itself.

Static code was no problem even for the very first code grabbers, so soon all alarm manufacturers switched to dynamic encoding.

Dynamic code differs from static code in that the packet format changes every time a button is pressed.

The packet changes according to a certain rule, known only to the alarm and the key fob programmed into it. This means that simply repeating a recorded packet is impossible: the alarm discards old packets.

Figure 1. Dynamic code

At first it seemed that this would be enough and the code grabber problem was solved, but that was not to be! Dynamic coding also failed to withstand the new code grabbers.

The most famous dynamic encoding algorithm is Keeloq.

Rumours that Keeloq has been hacked have circulated on the Internet for a long time, but they are not true. The Keeloq algorithm itself has not been broken analytically; what has been broken are unsuccessful implementations of it. For example, many car manufacturers "sin" by using the same key for all systems, which makes it possible to build so-called "manufacturer" code grabbers.

Dynamic coding can be hacked in several ways.

The first way is analytical. This method relies on "holes" that the system's developers left in the algorithm, accidentally or deliberately. An example is given above: the same keys used in the factory security systems of some cars.

The second way is code substitution, a method that at one time caused a great stir and forced alarm manufacturers to move the arming and disarming commands to different key fob buttons. With this method, the code grabber records several messages from the user's key fob and then uses one of them to disarm the car.

Many manufacturers of automotive security systems have developed their own dynamic codes with various improvements. Some of them have not yet been broken and seem to be in use in security systems. However, it must be understood that no dynamic code guarantees protection against hacking.

Dialogue coding is considered the most cryptographically strong and reliable. It requires a two-way communication channel, that is, a receiver and a transmitter both in the main module and in the key fob.

It is convenient to explain the dialogue coding algorithm using a family: husband and wife.

Imagine that the "husband" is in the house and does not want to let anyone in except the "wife". There is no peephole in the door and no windows in the house. When the "husband" hears a knock at the door, he needs to determine whether it is really "one of his own", i.e. the "wife", standing behind it. The best way is to ask a question that only the "wife" can answer correctly. If the person behind the door answers correctly, the door can safely be opened: this is "one of our own".

An alarm with a dialogue code works in the same way:

1. When a button is pressed, the key fob sends a packet requesting authorization ("knocking on the door").

2. The main module, having received this packet, comes up with a "riddle" that has only one answer. The "riddle" is transmitted to the key fob over the radio.

3. The key fob, having solved the "riddle", replies with a confirmation packet.

4. The main module checks the answer and, if it is correct, executes the key fob's command ("opens the door").

Figure 2. Dialog code structure

Now let's add one more character to our story, a "stranger" who badly wants to get into our family's house. Under certain conditions the "stranger" can eavesdrop on the conversation between husband and wife and learn the answer to the "husband's" riddle. Therefore the riddles must be different every time.

In dialogue coding, the role of the riddle is played by a random number generated by a special algorithm. The "randomness" of this number is very high. Moreover, the answer to the riddle must arrive within a strictly allotted time interval, a fraction of a second.

Imagine that the questions the "husband" asks are the dates of historical events. What will the "stranger" do if he finds this out? Prepare an answer and get into the house?

In dialogue coding, the way the "riddle" is solved is unique to each alarm and key fob pair. This is implemented with a unique encryption key that is created when the key fob is linked to the system.



Figure 3. Generalized view of the dialog code

As a result, today (and for a long time to come) full protection against electronic hacking is provided only by a dialogue code with individual encryption keys.

Do you know how identification systems work in military aviation? There is an interrogation system, "friend or foe", i.e. dialogue coding. If the aircraft does not answer a request from the ground correctly, it is shot down!

In the ARBAT electronic locks we use dialogue coding, an identification system like the one in an aircraft.

Let's start, as usual, with the backstory! On forums one often sees such interesting remarks as "Take the XXX alarm. Everything has worked fine for me for a year" and, on the other hand, "I have the same XXX alarm; they broke into it in the parking lot, took the money and the navigator and armed it again." So what's the problem? And what is this dialogue code that has been talked about so much in recent years? Why are installers sometimes so reluctant to install it and cling to their usual alarms? We even set aside a separate section for dialogue alarms in our store, and it would seem that everything is simple: dialogue alarms are currently the most crypto-resistant... but in practice it is not so simple: many do not believe it, many say it is a publicity stunt, and some have never even heard of dialogue alarms! So the idea of the article came up; he (the director) said "let's go" and waved his hand...

Let's start with theory! What is a dialogue car alarm?

A dialogue car alarm is an alarm in which arming is carried out through a dynamic dialogue between the key fob and the main alarm unit: the alarm unit gives the key fob a random number, both sides transform this random number using an algorithm known only to them, and the answers are compared; the procedure can be repeated several times. How, put simply, does it actually work?

This article was written by us in 2011.

Let's try to explain it "on the fingers"! The key fob issues a request to execute a command (for example, disarm); in response, the alarm unit generates a random number, whose number of digits depends on the bit depth of the encryption, and transmits this number to the key fob. We will not take the bit depth to extremes and will use a three-digit number, for example 536 (let's call this number X). And we will make up a simple algorithm for transforming this number, for example:

(A + X*B + X^2*C + X^3*D)*E = Y

A, B, C, D and E are arbitrary numbers that are unique to each alarm; moreover, the encryption method itself (that is, the form of the equation) may differ between units of the same alarm model. Let's call these numbers the unknowns and try to work out mathematically how one could find them, that is, how one could crack the code and predict the next answer. Let's start with the answer: which number will be the key fob's correct reply? Here Y is the correct answer. What do we have in practice? In place of our unknowns, let's take ordinary arbitrary numbers, positive and negative. For example,

A = 2; B = -17; C = 85; D = 59; E = -44

Substituting our unknowns, we get:

(2 + 536*(-17) + 536^2*85 + 536^3*59) * (-44) = -400833829176

That is, our correct answer is Y = -400833829176.

Having intercepted the request and the response of the dialogue alarm once, we have no way of finding out what those unknown numbers are. Even in a simpler case, a system of linear algebraic equations (SLAE), as many interceptions are needed as there are unknowns in the equation, in our case 5. Add to this that after one correct answer the dialogue alarm can repeat the same procedure several more times, but with a different form of transformation. The most popular code grabbers today, the substitution type, work on the principle that a single interception is sufficient: the code grabber captures one signal, jams the alarm unit, and then uses the captured code to open the car.

Naturally, we simplified the coding somewhat when explaining "on the fingers" how a dialogue alarm works. In reality, the situation is much more complicated: there are so-called hash functions. A hash function is an algorithm that derives a fixed value from a string of arbitrary length; depending on the bit depth and the algorithm itself, the result can contain up to 32 digits and letters. This is how passwords are stored on forums. When, on registration, you are sent an e-mail asking you not to lose your password because it cannot be recovered, it means that the site or forum engine itself does not know your password. It does not compare the password itself, only the result of the hash function of the password you entered with the result stored on the server. How does such a system work?

Let's take our random number 536 and see what connection its result has with the results for some neighbouring numbers! The most popular hashing algorithm is MD5:

MD5(536)=

MD5(535)=

MD5(636)=

MD5(546)=

Agreed, there is little in common between the results, given how similar the original numbers are. Not necessarily in this way, but in a similar way, the same initial random number issued by the dialogue alarm unit will be encrypted. It has been shown that the reverse decoding procedure would take current supercomputers about 100 years. Digressing from the topic, you might ask: how then are mail and forum accounts hacked? Often passwords are cracked by guessing; of course, guessing a password from someone's age, interests, nickname or wife's name in a day or two is much easier than cracking one of the most complex algorithms. Sometimes it is even easier to find out the password through server vulnerabilities. But the whole point is that a password is a fixed value, whereas in our case one would need to find a way to reverse the transformation, since each time there is not a constant password but a new random number.
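The toy polynomial and the MD5 comparison from the passage above, as an added example that is not part of the original article. It evaluates Y for X = 536 with the article's constants, computes the four MD5 values the article leaves blank (of the decimal strings "536", "535", "636", "546"; hashing the decimal text is an assumption about the notation MD5(536)), and counts how many of the 128 digest bits change between neighbouring inputs. The `third_difference` helper is added to make the contrast explicit: the polynomial's third finite difference is the constant 6·D·E, so its answers change in a predictable way as the challenge changes, whereas the hash outputs do not.

```python
import hashlib

# Constants from the article's toy scheme (constructed illustration, not vendor code)
TOY_COEFFS = {"A": 2, "B": -17, "C": 85, "D": 59, "E": -44}


def toy_response(x: int, coeffs: dict = TOY_COEFFS) -> int:
    """Key fob's answer in the toy scheme: Y = (A + X*B + X^2*C + X^3*D) * E."""
    a, b, c, d, e = (coeffs[k] for k in "ABCDE")
    return (a + x * b + x ** 2 * c + x ** 3 * d) * e


def third_difference(x: int, coeffs: dict = TOY_COEFFS) -> int:
    """Third finite difference of the cubic response at x. For any cubic this
    equals 6 times the leading coefficient, here 6*D*E, whatever x is: the toy
    answers move in a predictable way as the challenge moves."""
    y = [toy_response(x + i, coeffs) for i in range(4)]
    return y[3] - 3 * y[2] + 3 * y[1] - y[0]


def md5_hex(n: int) -> str:
    """MD5 of the challenge written as a decimal string (the article's MD5(536))."""
    return hashlib.md5(str(n).encode("ascii")).hexdigest()


def bit_distance(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two equal-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def neighbour_distances(x: int, neighbours=(535, 636, 546)) -> dict:
    """Bits (out of 128) by which MD5 of each neighbour differs from MD5 of x."""
    base = md5_hex(x)
    return {n: bit_distance(base, md5_hex(n)) for n in neighbours}


if __name__ == "__main__":
    print("toy Y for X=536:", toy_response(536))               # -400833829176
    print("third difference (6*D*E):", third_difference(536))  # -15576
    for n in (536, 535, 636, 546):
        print(f"MD5({n}) = {md5_hex(n)}")
    print("bits differing from MD5(536):", neighbour_distances(536))
```

Run it and compare the two halves of the output: the polynomial's answers for neighbouring challenges differ by amounts that follow from the coefficients, while each MD5 digest differs from its neighbour's in roughly half of its bits, which is the property the article is pointing at when it says there is "little in common" between the hashes.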

What do we get as a result? Even in the simplest case, with SLAE-style encoding, you need to intercept exactly as many times as there are unknowns in the algorithm. In practice, in the simplest case, someone would need to follow you for months to intercept your code dozens of times, and after that, knowing the form of the transformation (and note that even the factory may not know it, since it is unique for each model), it would be possible to crack the dialogue alarm.

Given all of the above, we can safely say that those who claim that the dialogue alarm is rubbish, a publicity stunt, or that it will be hacked within a year or two, are either being cunning or do not even remotely understand how a dialogue alarm works. What makes people say so? There may be several reasons:

  • a personal financial interest in selling you a lower-quality (less crypto-resistant) alarm, because the cost of a fashionable, expensive two-way alarm is about the same as the price of a dialogue alarm
  • a banal misunderstanding of the essence of the issue, i.e. of the difference between a conventional two-way alarm and a dialogue two-way alarm
  • or personal reasons, when a person has already bought some simple alarm, considers it the best and tries to convince you that his choice was right

Of course, the cryptographic strength of the dialogue code for car alarms is something the manufacturers of dialogue alarms (the main ones being Pandora, Magic Systems, StarLine and BLACK BUG) make significant efforts to promote. It has got to the point where one well-known company specializing in dialogue alarms has even approved a prize of 1,000,000 rubles (about 280,000 hryvnias in a more familiar currency) for anyone who can crack the Pandora car alarm code, which again confirms that the dialogue code is an unattainable goal for code grabbers.

StarLine is so confident in its dialogue code that it officially offers all specialists in cryptographic strength research a long-term contract worth 5,000,000 rubles: let them try to hack it!

Every motorist sooner or later asks which car alarm is best. To answer this question, one must first understand the principle on which a given protection system works. Several types of control code are used in car alarms: static, dynamic and dialogue.

  • Static code is the most primitive type of encryption, used in the first anti-theft devices. A static code is constant, which means it is not difficult for a thief to crack.
  • Dynamic code works on a different principle: each time the key fob button is pressed, a new code is generated. However, this type of encryption is gradually becoming a thing of the past.
  • The dialogue code used in modern car alarms is borrowed from military aviation. Its main feature is that the key fob is identified in several stages.

The principle of the dialogue code

When a button on the key fob is pressed, it sends its ID number to the base unit. The base unit receives the information and checks whether the key fob is registered in the system. If the key fob is identified successfully, a dynamically generated code is sent to it. The key fob receives the code, encodes a command with it (activate or deactivate protection) and sends it to the base unit, which in turn decodes the received information, executes the command and sends a confirmation to the key fob.
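The exchange just described, and the four-step "knock, riddle, answer, open the door" version of it in the earlier article, as runnable code. This is an added example, not code from the original page or from any of the vendors it names: the response function (HMAC-SHA256 over the fob ID, the random number and the command), the 128-bit key exchanged once at registration, the half-second answer window, the fob IDs and the command names are all assumptions made for the illustration. The base unit's `True`/`False` result stands in for the confirmation packet sent back to the fob.

```python
import hashlib
import hmac
import secrets
import time

# Constructed parameters (assumptions, not a vendor's values)
KEY_BYTES = 16           # 128-bit individual key, written once at registration
NONCE_BYTES = 16         # the "riddle": a fresh random number per authorization
RESPONSE_WINDOW_S = 0.5  # the answer must arrive within a fraction of a second


def compute_response(key: bytes, fob_id: bytes, nonce: bytes, command: bytes) -> bytes:
    """Key fob side: the answer to the riddle. Binding fob_id and command into the
    MAC means a captured answer is useless for another fob, command or nonce."""
    return hmac.new(key, fob_id + nonce + command, hashlib.sha256).digest()


class BaseUnit:
    def __init__(self, now=time.monotonic, rng=secrets.token_bytes):
        self._registry = {}   # fob_id -> individual key (the registration step)
        self._pending = {}    # fob_id -> (nonce, command, issued_at)
        self._now = now       # injectable clock so the time window is testable
        self._rng = rng       # injectable randomness source (hardware RNG stand-in)
        self.executed = []    # commands actually carried out

    def register_fob(self, fob_id: bytes, key: bytes) -> None:
        self._registry[fob_id] = key

    def request(self, fob_id: bytes, command: bytes):
        """Steps 1-2: the fob 'knocks' with its ID; an unregistered ID gets no riddle,
        a registered one gets a fresh random number tied to the requested command."""
        if fob_id not in self._registry:
            return None
        nonce = self._rng(NONCE_BYTES)
        self._pending[fob_id] = (nonce, command, self._now())
        return nonce

    def answer(self, fob_id: bytes, response: bytes) -> bool:
        """Step 4: check the answer. The outstanding nonce is consumed on every
        attempt, right or wrong, so no answer can be tried twice against it."""
        pending = self._pending.pop(fob_id, None)
        if pending is None:
            return False                      # nothing outstanding: a replay or junk
        nonce, command, issued_at = pending
        if self._now() - issued_at > RESPONSE_WINDOW_S:
            return False                      # too slow: outside the allotted time
        expected = compute_response(self._registry[fob_id], fob_id, nonce, command)
        if not hmac.compare_digest(expected, response):
            return False                      # wrong key, wrong nonce or wrong command
        self.executed.append(command)
        return True


def demo():
    """The owner's fob succeeds once; the same answer resent later is rejected."""
    base = BaseUnit()
    fob_id, key = b"fob-0001", secrets.token_bytes(KEY_BYTES)
    base.register_fob(fob_id, key)
    # Exchange 1: the owner presses "disarm"; keep what went over the air.
    nonce1 = base.request(fob_id, b"DISARM")
    resp1 = compute_response(key, fob_id, nonce1, b"DISARM")
    first = base.answer(fob_id, resp1)
    # Exchange 2: a new riddle is issued, and the recorded answer is resent.
    base.request(fob_id, b"DISARM")
    replay = base.answer(fob_id, resp1)
    return first, replay, len(base.executed)


if __name__ == "__main__":
    print("first attempt, replayed answer, commands executed:", demo())
```

Two design points are worth noting. The nonce is popped before it is checked, so a wrong answer cannot be followed by a second try against the same riddle; and `hmac.compare_digest` is used instead of `==` so the verification time does not depend on how many leading bytes of the guess were correct.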

Benefits of Dialog Code

The main advantage of the dialogue code over earlier data encryption methods is that such a system cannot be disarmed using an external device such as a code grabber. This is because the request is sent as a random number, and this happens more than once.

Car alarms with a dialogue principle of operation

The most popular alarms with a dialogue code today are the StarLine, Pandora and Magic Systems ranges. StarLine offers the Star Line B6 Dialog (an inexpensive system with a dialogue code) and the Star Line B9 Dialog (a system with a remote engine start function). In addition, not so long ago StarLine released a number of new products: StarLine A62 Dialog, StarLine A92 Dialog, StarLine B62 Dialog and StarLine B92 Dialog. Another line of reliable systems with a dialogue code is the Pandora car alarms: the Pandora DXL 3000 and Pandora DXL 3300, among other things, have wide functionality and an enviable operating range. There is a new item in this line, the Pandora DXL 3500, information about which will appear a little later. Magic Systems is launching its own line of systems equipped with a dialogue code: MS 505 LAN, MS 600 Light Stalker LAN, MS 600 Stalker LAN 3 and MS Dialog.