Brazilian mandatory vehicle anti-theft and tracking regulation

Santiago Aguiar santiago.aguiar at gmail.com
Mon Feb 23 09:21:33 EST 2009


Hello,

I have been following this list for some time, and I wanted to comment 
on one of the projects I'm working on, just to hear your comments about 
it (and because I think it is quite interesting for its security 
implications...).

Starting on August 2009, all new Brazilian vehicles will need to include 
a mandatory anti-theft device, installed from factory, that will be 
activated on demand by the vehicle owner. The device (TCU) will connect 
with an owner selected service operator (SO) by using a standard 
protocol defined by the National Department of Traffic (DENATRAN), 
closely based on Motorola's ACP protocol, over GPRS. The main functions 
of the anti-theft device are vehicle tracking, and remote blocking of 
the vehicle by the service operator on request of the owner or of the 
police department.

As you may notice, the risks of not implementing this in the right way 
are enormous. Not only because of privacy concerns, but because anyone 
could just block/unblock your car engine or doors remotely, and 
massively (think hundreds of thousands of cars in some SO). In my present 
opinion, there's no way they are going to do it correctly.

One of the issues is how the TCU will be activated. The idea is that the 
owner will be able to switch SO whenever he wants, and for that an 
activation protocol is needed. The current 'high-level' proposal by 
DENATRAN is here:

http://www.gristec.com.br/disco_virtual/SMS_Proposal_ACP_245.pdf

In a few words, there's a default authkey installed on every device, and a 
'secret' key for each SO. When an SO needs to activate a device, it sends 
an SMS message to the TCU so it connects to the SO server through GPRS, 
then the SO configures the TCU with its authkey, and from that point on 
the TCU only answers messages that include that authkey. To change to 
another SO, the current SO sends a message that sets the authkey to the 
default one, and repeats the process.

I can think of many ways to defeat a scheme like that (from just 
getting the SIM card from the TCU and playing the protocol against the 
SO to get its key, eavesdropping at some weak point, replaying SO->TCU 
commands, etc.).

The reasons why they say the proposal is OK are based on assuming: a) 
the secrecy of the SO authkey, which is sent in clear to every activated 
device; b) the secrecy of the ICC-ID associated to each phone number (at 
least to do something massively), which is known by at least every SO; 
c) the security of the network (TCU->(GPRS/GSM)->Telco->(VPN)->SO) to 
avoid eavesdropping/spoofing, which is compromised by any compromised SO.

My company started to participate in the working groups that are trying 
to define all the technical and process issues of the regulation, and 
I'm personally deeply concerned. We are not security experts (though we 
build the tracking units and develop their firmware and server side 
components), but we want to contribute as much as we can to the process.

Do you know of any similar experiences we can build on? Do you think this 
is doomed to fail? Am I being too paranoid, and are things done this way 
normally and attacks 'just don't happen' ;)?

Any comment is welcome! Thanks!

--
Santiago
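The activation scheme described in the post, with one static authkey carried in the clear inside every command, gives a TCU no way to tell a fresh SO command from a replayed one, and one leaked key exposes every device the SO has activated. The following is an added example (not from the post, the DENATRAN proposal or any vendor) modelling a TCU that instead accepts only commands carrying a per-device HMAC over a monotonic counter; the frame layout, command strings and key values are constructed assumptions.

```python
import hashlib
import hmac


def so_build_command(device_key: bytes, counter: int, command: bytes):
    """Service-operator side: frame and tag one command for a given TCU."""
    # Assumed frame: 8-byte big-endian counter || command; tag = HMAC-SHA256 over the frame.
    msg = counter.to_bytes(8, "big") + command
    tag = hmac.new(device_key, msg, hashlib.sha256).digest()
    return msg, tag


class Tcu:
    """Toy telematics unit (constructed model, not the DENATRAN/ACP protocol)."""

    def __init__(self, device_key: bytes):
        # One key per device: a compromised unit or SO does not expose the whole fleet.
        self.device_key = device_key
        self.last_counter = 0  # highest counter accepted; real hardware must persist this
        self.blocked = False

    def handle(self, msg: bytes, tag: bytes) -> bool:
        """Act on a command only if its MAC verifies and its counter is fresh."""
        if len(msg) < 8:
            return False
        expected = hmac.new(self.device_key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # forged, altered, or tagged under another device's key
        counter = int.from_bytes(msg[:8], "big")
        if counter <= self.last_counter:
            return False  # replay of an earlier SO->TCU command
        self.last_counter = counter
        command = msg[8:]
        if command == b"BLOCK":
            self.blocked = True
        elif command == b"UNBLOCK":
            self.blocked = False
        return True


def replay_demo() -> dict:
    """Return what the TCU did with a fresh command, its replay, and a forgery."""
    key = bytes.fromhex("00" * 31 + "01")  # constructed sample device key
    tcu = Tcu(key)
    msg, tag = so_build_command(key, 1, b"BLOCK")
    first = tcu.handle(msg, tag)
    replayed = tcu.handle(msg, tag)  # same frame resent: rejected by the counter check
    forged_msg, forged_tag = so_build_command(b"wrong-key", 2, b"UNBLOCK")
    forged = tcu.handle(forged_msg, forged_tag)  # wrong key: rejected by the MAC check
    return {"first": first, "replayed": replayed, "forged": forged, "blocked": tcu.blocked}
```

Switching the vehicle to another SO then becomes a matter of the current SO handing over (or the device re-deriving) that one device's key, rather than resetting every unit to a shared default value.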

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list