
This is just speculation but I do not think that the thieves in this case are doing anything particularly hard. They probably aren't reverse engineering the locks or cracking the encryption. What is probably happening is that somebody within the dealership or company is getting their hands on the digital keys and selling them on the black market.

The key difference (no pun intended) is that previously the thieves had access to physical master keys but they still had to go from car to car to find a suitable match. But with keyless systems they can probably find a way to scan a whole parking lot in a few minutes. Makes it far easier. Also, it's easier to copy a digital file without being noticed as opposed to "misplacing" a physical key.



Two factor could easily solve this. Make it key + PIN. Or key + phone.


Or a one time pad. Plug the key into a physical port inside of the car and it generates a million codes that are saved in the key itself and the vehicle. The vehicle can have a memory of several paired keys, which all require a separate procedure. Make the procedure take 30 minutes and require physical access to the inside of the vehicle.

I suppose the issue is that someone could still get you to press the button out of range and copy that value over the air, and then use it on your car. But perhaps there is a scheme to avoid that too. Maybe use a real time clock and use a new key every second.

Really, there should be open source hardware that can do this. Can't these vehicles be unlocked with access to the CAN bus? You could disable the insecure proprietary RF receivers and install an open source system on the CAN bus. They're usually locked down on ignition though...


> someone could still get you to press the button out of range and copy that value over the air, and then use it on your car. But perhaps there is a scheme to avoid that too.

I'm not educated in this field. But, I believe there are schemes to allow two parties to demonstrate to each other over untrusted channels that they share a secret (here, the codes generated when you physically plug your fob into your car), without leaking the shared secret.

If memory serves, connecting to SSH without a password uses such a scheme.
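
The kind of scheme this comment describes, as an added example that is not part of the original thread: an HMAC challenge-response in which car and fob show they hold the same pairing secret without ever sending it. The class names, the 16-byte nonce and the choice of HMAC-SHA256 are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


class Fob:
    """Holds the secret stored during in-car pairing (assumed setup)."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # Prove knowledge of the secret without transmitting it.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Car:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = None  # challenge currently awaiting a response

    def new_challenge(self) -> bytes:
        # Fresh random nonce for every unlock attempt.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False  # no outstanding challenge
        expected = hmac.new(self._secret, self._pending, hashlib.sha256).digest()
        self._pending = None  # single use: a challenge is never accepted twice
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo() -> dict:
    secret = secrets.token_bytes(32)  # constructed pairing secret
    car, fob = Car(secret), Fob(secret)

    recorded = fob.respond(car.new_challenge())  # an eavesdropper can copy this
    legit = car.verify(recorded)

    car.new_challenge()            # later attempt: the car picks a new nonce
    replay = car.verify(recorded)  # the copied response no longer matches

    stranger = Fob(secrets.token_bytes(32))  # fob that was never paired
    wrong_key = car.verify(stranger.respond(car.new_challenge()))
    return {"legit": legit, "replay": replay, "wrong_key": wrong_key}


if __name__ == "__main__":
    print(demo())
```
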


Yeah, there definitely are schemes in standard cryptography that allow for this, and any kind of true modern crypto should solve all these problems handily. I just have a feeling current crypto isn't as future proof as we would all like, and was thinking about a scheme that wouldn't rely on the strength of an algorithm to keep things secure. But then, I may be too paranoid...


Hope you don't lock your phone in your car.



