https://www.express.co.uk/life-style...olen-safety-UK

How can a key wrapped in tinfoil even open a car?


--
There is nothing a fleet of dispatchable nuclear power plants cannot do
that cannot be done worse and more expensively and with higher carbon
emissions and more adverse environmental impact by adding intermittent
renewable energy.

The Natural Philosopher pretended :

https://www.express.co.uk/life-style...olen-safety-UK

How can a key wrapped in tinfoil even open a car?

You misunderstood...

The key is read remotely by the thief, which then allows the thief to
send the correct code to the car, to open it, start it and drive it
away. Owners keeping the keys in tinfoil, or a Faraday screen, prevents
a thief from remotely reading the key.

Likewise, the contactless debit/credit cards, they can be remotely
scanned and the data used to make purchases by thieves. I keep my cards
in my wallet, inserted into the outer pocket of which, is a sheet of
metal foil.

Yes I'm sure for once they can. I got the exact same info from a
metropolitan Police newsletter sent to our local neighbourhood watch.
The keyless systems, ie not the ones where you have to press the button,
but the ones that work on proximity have the car pinging and seeing if a
matching fob is nearby. Normally it is not, so the crims. have two
interlinked devices, the guy walks down the road and then when he finds a
car he knows has one of these opening systems, he records its pinging and
sends it to the person going down the row of houses, when the person gets a
ping back from a fob in a house, he then records this and sends it to the
other person who proceeds to get into the car.
I think nowadays even some fobs where you have to action pressing a button
the two can communicate first to see if they are a match.The idea of the tin
foil is to make a faraday cage, the same advice has been given out for
contactless payment cards for similar reasons of course
I personally think something a bit more substantial than foil is a good
idea though. Say a small tin box.
The thing that annoys me with both contactless cards and car opening
systems is that so little security is built in for these systems. One might
expect that some kind of secondary system might be in place that somehow
stops people just recording signals and repeating them when you consider the
cost of a car and the need for security for your bank account. I'm not sure
I'd ever be comfortable using a phone as a payment card.
Brian

"The Natural Philosopher" wrote in message
news


https://www.express.co.uk/life-style...olen-safety-UK

How can a key wrapped in tinfoil even open a car?


--
There is nothing a fleet of dispatchable nuclear power plants cannot do
that cannot be done worse and more expensively and with higher carbon
emissions and more adverse environmental impact by adding intermittent
renewable energy.

On 14/07/2018 15:04, Harry Bloomfield wrote:
The Natural Philosopher pretended :

https://www.express.co.uk/life-style...olen-safety-UK


How can a key wrapped in tinfoil even open a car?

You misunderstood...

The key is read remotely by the thief, which then allows the thief to
send the correct code to the car, to open it, start it and drive it
away. Owners keeping the keys in tinfoil, or a Faraday screen, prevents
a thief from remotely reading the key.

Likewise, the contactless debit/credit cards, they can be remotely
scanned and the data used to make purchases by thieves. I keep my cards
in my wallet, inserted into the outer pocket of which, is a sheet of
metal foil.

That won't stop the RF.

Bill

Total enclosure is the only way and even then if the transmitter is powerful
or the receiver very sensitive it might still get through. Perhaps we all
need switchable jammers on our person.
Brian

--
From the Sofa of Brian Gaff Reply address is active
Remember, if you don't like where I post
or what I say, you don't have to
read my posts! :-)
"Bill Wright" wrote in message
news
On 14/07/2018 15:04, Harry Bloomfield wrote:
The Natural Philosopher pretended :

https://www.express.co.uk/life-style...olen-safety-UK

How can a key wrapped in tinfoil even open a car?

You misunderstood...

The key is read remotely by the thief, which then allows the thief to
send the correct code to the car, to open it, start it and drive it away.
Owners keeping the keys in tinfoil, or a Faraday screen, prevents a thief
from remotely reading the key.

Likewise, the contactless debit/credit cards, they can be remotely
scanned and the data used to make purchases by thieves. I keep my cards
in my wallet, inserted into the outer pocket of which, is a sheet of
metal foil.

That won't stop the RF.

Bill

The Natural Philosopher pretended :

https://www.express.co.uk/life-style...olen-safety-UK

How can a key wrapped in tinfoil even open a car?


I defy anyone on the group to purchase tin foil on their local high street !

(they will undoubtedly be able to buy ALUMINIUM foil used for cooking)

Loose terminology leads to confusion not education

Andrew

Bill Wright has brought this to us :
That won't stop the RF.

It will stop the majority, more than enough to defeat a thief. Try it
with your car key.

It happens that Brian Gaff formulated :
I personally think something a bit more substantial than foil is a good idea
though. Say a small tin box.

True, but that would be a bit unwieldy for carrying round. Cooking foil
works well enough, I have tried it.

The thing that annoys me with both contactless cards and car opening systems
is that so little security is built in for these systems. One might expect
that some kind of secondary system might be in place that somehow stops
people just recording signals and repeating them when you consider the cost
of a car and the need for security for your bank account. I'm not sure I'd
ever be comfortable using a phone as a payment card.
Brian

The only time my cards are exposed to RF skimming, is when they are out
of my wallet, when I pay for something. At such times, I make sure
there is no one near enough to skim my card whilst it is unprotected.

The Natural Philosopher wrote:

https://www.express.co.uk/life-style...olen-safety-UK

If the car has keyless entry, and you leave the key in the hallway, it's
probably out of range as far as the car is concerned, but the crooks can
put a transceiver midway between the car and house and gain entry then
start the car, sort out another key at their leisure ...

On 14/07/18 15:04, Harry Bloomfield wrote:
The Natural Philosopher pretended :

https://www.express.co.uk/life-style...olen-safety-UK


How can a key wrapped in tinfoil even open a car?

You misunderstood...

The key is read remotely by the thief, which then allows the thief to
send the correct code to the car, to open it, start it and drive it
away. Owners keeping the keys in tinfoil, or a Faraday screen, prevents
a thief from remotely reading the key.


So how does the thief read a key that doesnt transmit? Until you press
the wotsit?


Likewise, the contactless debit/credit cards, they can be remotely
scanned and the data used to make purchases by thieves. I keep my cards
in my wallet, inserted into the outer pocket of which, is a sheet of
metal foil.


--
Future generations will wonder in bemused amazement that the early
twenty-first centurys developed world went into hysterical panic over a
globally average temperature increase of a few tenths of a degree, and,
on the basis of gross exaggerations of highly uncertain computer
projections combined into implausible chains of inference, proceeded to
contemplate a rollback of the industrial age.

Richard Lindzen

The Natural Philosopher wrote:

how does the thief read a key that doesnt transmit? Until you press the
wotsit?

Keyless entry constantly transmits, you just keep it in your pocket, no
pressing to enter or start.

On 14/07/18 16:38, Andy Burns wrote:
The Natural Philosopher wrote:

how does the thief read a key that doesnt transmit? Until you press
the wotsit?

Keyless entry constantly transmits, you just keep it in your pocket, no
pressing to enter or start.

Ah. THOSE things. yep. seen those. Not a great idea

--
"Socialist governments traditionally do make a financial mess. They
always run out of other people's money. It's quite a characteristic of them"

Margaret Thatcher

The Natural Philosopher was thinking very hard :
So how does the thief read a key that doesnt transmit? Until you press the
wotsit?

Some keys are passive and can be interrogated by the car. In fact most
modern car keys have a tiny chip built into them, which has no button,
no power needed, which responds to interrogation by the ignition lock.
The chip is the size of a grain of rice.

Andy Burns wrote:
The Natural Philosopher wrote:

https://www.express.co.uk/life-style...olen-safety-UK

If the car has keyless entry, and you leave the key in the hallway, it's
probably out of range as far as the car is concerned, but the crooks can
put a transceiver midway between the car and house and gain entry then
start the car, sort out another key at their leisure ...

Our cars need a transducer in the key fob to be present in the car for
them to start. So there are two 'layers' of security, firstly you
need to transmit the required code from the key fob to open the car
doors, then the transducer (presumably passive) in the keyfob needs to
be present in the car for the immobiliser to allow you to start the car.


--
Chris Green
·

On 14/07/2018 15:58, Andrew Mawson wrote:


The Natural Philosopher pretended :

https://www.express.co.uk/life-style...olen-safety-UK


How can a key wrapped in tinfoil even open a car?


I defy anyone on the group to purchase tin foil on their local high
street !

(they will undoubtedly be able to buy ALUMINIUM foil used for cooking)

Loose terminology leads to confusion not education

Andrew

Aluminium foil should be better than tinfoil, though: higher
conductivity. Although IIRC tinfoil was probably thicker.

Chris Green wrote:

Our cars need a transducer in the key fob to be present in the car for
them to start.

Once they can get inside the car, they plug something into the OBD port
that bypasses that, no doubt what they can get away with varies by
manufacturer.

"Andy Burns" wrote in message
...
The Natural Philosopher wrote:

how does the thief read a key that doesnt transmit? Until you press the
wotsit?

Keyless entry constantly transmits, you just keep it in your pocket, no
pressing to enter or start.

Do they constantly transmit? I thought they were dormant until they received
an interrogation signal from the car - or from a thief's cloning device. I
think also most keys transmit a unique code (different every time the car
challenges the key) to turn off the immobiliser - so even if the key's
serrations or the electronic unlock/start code work, there is a second line
of defence that will not admit fuel to the engine. Evidently whatever
technology car thieves use can also cope with the unique rolling immobiliser
code.

In article ,
Bill Wright wrote:
On 14/07/2018 15:04, Harry Bloomfield wrote:
The Natural Philosopher pretended :

https://www.express.co.uk/life-style...olen-safety-UK


How can a key wrapped in tinfoil even open a car?

You misunderstood...

The key is read remotely by the thief, which then allows the thief to
send the correct code to the car, to open it, start it and drive it
away. Owners keeping the keys in tinfoil, or a Faraday screen,
prevents a thief from remotely reading the key.

Likewise, the contactless debit/credit cards, they can be remotely
scanned and the data used to make purchases by thieves. I keep my
cards in my wallet, inserted into the outer pocket of which, is a
sheet of metal foil.

That won't stop the RF.

Quite. Neighbour had a car stolen and never recovered. The infamous
Jaguar/Land Rover keyless entry.

They now keep the keys in a 'safe' bought specifically to screen them.
Quite a substantial device. And earthed.

--
*Do infants enjoy infancy as much as adults enjoy adultery?

Dave Plowman London SW
To e-mail, change noise into sound.

NY wrote:

Andy Burns wrote:

Keyless entry constantly transmits

Do they constantly transmit?

Maybe the car constantly transmits and key constantly listens and
responds when they 'hear' the car, either way thieves have worked out
ways and means ... hence the recommendations for a biscuit tin in the
hallway to put keys into.

In article ,
Chris Green wrote:
Andy Burns wrote:
The Natural Philosopher wrote:

https://www.express.co.uk/life-style...olen-safety-UK

If the car has keyless entry, and you leave the key in the hallway, it's
probably out of range as far as the car is concerned, but the crooks can
put a transceiver midway between the car and house and gain entry then
start the car, sort out another key at their leisure ...

Our cars need a transducer in the key fob to be present in the car for
them to start. So there are two 'layers' of security, firstly you
need to transmit the required code from the key fob to open the car
doors, then the transducer (presumably passive) in the keyfob needs to
be present in the car for the immobiliser to allow you to start the car.

And, of course the key itself. So actually three levels.

But your type only transmits when the button is pressed. All that probably
does is just unlock the car. The chip in the key disables the immobiliser
when the key is put in the ignition switch.

Keyless entry - such an essential thing to have ;-) - transmits all the
time. When the transmitter is in range the car opens. I assume these code
readers are somewhat more sensitive than the receiver in the car.

--
*The statement above is false

Dave Plowman London SW
To e-mail, change noise into sound.

In article ,
NY wrote:
Do they constantly transmit? I thought they were dormant until they
received an interrogation signal from the car - or from a thief's
cloning device.

Sort of makes sense. But can't be totally dormant if it can receive a
signal.

--
*INDECISION is the key to FLEXIBILITY *

Dave Plowman London SW
To e-mail, change noise into sound.

On 14/07/2018 17:31, Tim Streater wrote:
In article , Harry Bloomfield
wrote:

Likewise, the contactless debit/credit cards, they can be remotely
scanned and the data used to make purchases by thieves. I keep my
cards in my wallet, inserted into the outer pocket of which, is a
sheet of metal foil.

I have two of those metallic wallet jobbies that can each hold one
card. I don't put the contactless card in them, just have one either
side of my card in the wallet.



They read it when you use it. They only have to next to you in the queue
when you use it at the tills in a shop.

--
mailto : news {at} admac {dot} myzen {dot} co {dot} uk

On 14/07/2018 17:44, Dave Plowman (News) wrote:
In article ,
Bill Wright wrote:
On 14/07/2018 15:04, Harry Bloomfield wrote:
The Natural Philosopher pretended :

https://www.express.co.uk/life-style...olen-safety-UK


How can a key wrapped in tinfoil even open a car?

You misunderstood...

The key is read remotely by the thief, which then allows the thief to
send the correct code to the car, to open it, start it and drive it
away. Owners keeping the keys in tinfoil, or a Faraday screen,
prevents a thief from remotely reading the key.

Likewise, the contactless debit/credit cards, they can be remotely
scanned and the data used to make purchases by thieves. I keep my
cards in my wallet, inserted into the outer pocket of which, is a
sheet of metal foil.

That won't stop the RF.

Quite. Neighbour had a car stolen and never recovered. The infamous
Jaguar/Land Rover keyless entry.

They now keep the keys in a 'safe' bought specifically to screen them.
Quite a substantial device. And earthed.


Just put them in a biscuit tin.

On 14/07/2018 16:36, The Natural Philosopher wrote:


So how does the thief read a key that doesnt transmit? Until you press
the wotsit?


The modern world has cars with keyless entry.
they transmit when they receive a signal from the car.
the thieves use a radio relay to trick the car into thinking the key is
there.
Then they press the start button and drive off.
The car won't turn off when the key is out of range for safety reasons.

Its hardly surprising you are having trouble understanding if you don't
read the bit where it says keyless entry.

Andy Burns wrote:
The Natural Philosopher wrote:

how does the thief read a key that doesnt transmit? Until you press
the wotsit?

Keyless entry constantly transmits, you just keep it in your pocket, no
pressing to enter or start.
No it does not continuously transmit.

It only responds when illuminated by a specific RF signal

Dave Plowman (News) brought next idea :
That won't stop the RF.

Quite. Neighbour had a car stolen and never recovered. The infamous
Jaguar/Land Rover keyless entry.

They now keep the keys in a 'safe' bought specifically to screen them.
Quite a substantial device. And earthed.

Well, if that makes them feel their car is secure...

dennis@home expressed precisely :
Just put them in a biscuit tin.

Exactly !

Some people get some rather peculiar ideas..

After serious thinking pamela wrote :
In reality, how easy is it for a thief to use RF to read your credit
card? Surely they need to get very close.

Within a yard or so, assuming there are no confusing signals. So they
don't need that much screening, to prevent them responding in your
pocket.

Dave Plowman (News) was thinking very hard :
Keyless entry - such an essential thing to have ;-) - transmits all the
time. When the transmitter is in range the car opens. I assume these code
readers are somewhat more sensitive than the receiver in the car.

If you are suggesting that the key transmits all the time, think about
it and how much battery that might need. They transmit, or more
correctly respond only when intergated by the car.

"Dave Plowman (News)" wrote in message
...
Keyless entry - such an essential thing to have ;-) - transmits all the
time. When the transmitter is in range the car opens. I assume these code
readers are somewhat more sensitive than the receiver in the car.

I hadn't realised the keyless entry unlocks the car automatically as soon as
you get within range. I thought you still have to consciously press a
button, to give you control over when you unlocked it. There are many times
when there are dodgy-looking people around and I wouldn't want to unlock the
doors (preferably just the driver's door) for any longer than I had to.

I can understand you wanting the car to start as soon as you press the
button on the dashboard, but not that one would want the car to unlock
itself as soon as you get within range. Is it something that is
user-configurable - whether the doors unlock automatically or whether you
still need to press a unlock button as with a normal central-locking key.

My car's central locking has a very useful feature which I've not seen on
other makes (though I've not tried many). If you press the lock button as
you approach the car, it flashes the car's indicators so you can find it in
a car park. It remains locked until you press the unlock button. On other
cars it's necessary to do a quick unlock-lock to make it flash the
indicators for locating the car, which is a little less secure.

On 14/07/18 15:24, Brian Gaff wrote:
Yes I'm sure for once they can. I got the exact same info from a
metropolitan Police newsletter sent to our local neighbourhood watch.
The keyless systems, ie not the ones where you have to press the button,
but the ones that work on proximity have the car pinging and seeing if a
matching fob is nearby. Normally it is not, so the crims. have two
interlinked devices, the guy walks down the road and then when he finds
a car he knows has one of these opening systems, he records its pinging
and sends it to the person going down the row of houses, when the person
gets a ping back from a fob in a house, he then records this and sends
it to the other person who proceeds to get into the car.

The thing is, there is no non-action proximity device that you could not
insert a dumb relay between the key and the car.

Even if you have a normal challenge-response crypto system between Car
and Key, if you stick a relay device with two ends: A and B:


C=A----------------B=K

If A-B faithfully relay a copy of the signals (NFC, radio, it doesn't
matter) - there is no way C doesn't know it's not next to K


They could have the most complex chat possible and it would make no
difference.


What they need is something like an on-off switch on the key - like you
have to open it to activate and when closed (and it beeps once the car
is locked until it is closed) it does nothing.

NY submitted this idea :
My car's central locking has a very useful feature which I've not seen on
other makes (though I've not tried many). If you press the lock button as you
approach the car, it flashes the car's indicators so you can find it in a car
park. It remains locked until you press the unlock button. On other cars it's
necessary to do a quick unlock-lock to make it flash the indicators for
locating the car, which is a little less secure.

Every car I have had since remote locking appeared, has flashed its
indicators to confirm lock and a different pattern for unlock.
Many/most also make a bleep too. Mine doesn't, the idea being such
noise can annoy people late at night. Mine bleeps only when there is a
mislock, a door, boot or bonnet not properly closed.

Andy Burns wrote:
Chris Green wrote:

Our cars need a transducer in the key fob to be present in the car for
them to start.

Once they can get inside the car, they plug something into the OBD port
that bypasses that, no doubt what they can get away with varies by
manufacturer.

That's non-trivial though, hardly instant from what I've seen of using
that interface. If it was easy then it would make the immobiliser
pointless and I don't beleive that's true.

--
Chris Green
·

"Harry Bloomfield" wrote in message
news
NY submitted this idea :
My car's central locking has a very useful feature which I've not seen on
other makes (though I've not tried many). If you press the lock button as
you approach the car, it flashes the car's indicators so you can find it
in a car park. It remains locked until you press the unlock button. On
other cars it's necessary to do a quick unlock-lock to make it flash the
indicators for locating the car, which is a little less secure.

Every car I have had since remote locking appeared, has flashed its
indicators to confirm lock and a different pattern for unlock. Many/most
also make a bleep too. Mine doesn't, the idea being such noise can annoy
people late at night. Mine bleeps only when there is a mislock, a door,
boot or bonnet not properly closed.

Neither of our cars make a sound, presumably to avoid annoying anyone, but
they flash the indicators rapidly to show a pillock condition such as a door
not being closed. Both cars flash the indicators to indicate that the car
has been locked, but my Peugeot will do it even when the doors are *already*
locked (as a location device) whereas our Honda only flashes when going from
unlocked to locked, and not if the car is already locked, so you can't use
it as a location device when you return to the car, unless you do
locked-unlocked-locked in rapid succession, and hope that this is too
quick for a local scrote to seize the opportunity of a brief interval when
the car is unlocked.

Chris Green wrote:

Andy Burns wrote:

Once they can get inside the car, they plug something into the OBD port
that bypasses that, no doubt what they can get away with varies by
manufacturer.

That's non-trivial though

Seems to be 'easy enough' from CCTV footage on youtube of cars being
nicked, I think they use the OBD to disable the alarm, open the central
locking and pair their own key to the car

On 14/07/2018 20:31, Chris Green wrote:
Andy Burns wrote:
Chris Green wrote:

Our cars need a transducer in the key fob to be present in the car for
them to start.

Once they can get inside the car, they plug something into the OBD port
that bypasses that, no doubt what they can get away with varies by
manufacturer.

That's non-trivial though, hardly instant from what I've seen of using
that interface. If it was easy then it would make the immobiliser
pointless and I don't beleive that's true.


I have seen them do it on a ford focus (well on the cctv recording).
About 90 seconds.

On 14/07/18 20:09, Tim Watts wrote:
On 14/07/18 15:24, Brian Gaff wrote:
Yes I'm sure for once they can. I got the exact same info from a
metropolitan Police newsletter sent to our local neighbourhood watch.
The keyless systems, ie not the ones where you have to press the
button, but the ones that work on proximity have the car pinging and
seeing if a matching fob is nearby. Normally it is not, so the crims.
have two interlinked devices, the guy walks down the road and then
when he finds a car he knows has one of these opening systems, he
records its pinging and sends it to the person going down the row of
houses, when the person gets a ping back from a fob in a house, he
then records this and sends it to the other person who proceeds to get
into the car.

The thing is, there is no non-action proximity device that you could not
insert a dumb relay between the key and the car.

Even if you have a normal challenge-response crypto system between Car
and Key, if you stick a relay device with two ends: A and B:


C=A----------------B=K

If A-B faithfully relay a copy of the signals (NFC, radio, it doesn't
matter) - there is no way C doesn't know it's not next to K


One time key solves that.

Essentially there is a shared secret that means the codes are not reusable.

Example. You have 16K of 256 bit identical code pairs in the transmitter
and receiver.

Every time a code is transitted, the key responds with the pair. And
increments both a master counter and puts its value in a location
associated with the code pair. This means the code pair is now marked as
having been used.

Next time a new pair is used. The old pair no longer works. After 16k
door open/engine starts you reuse the codes.

The key (sic!) to a technique like this is that to fully replicate the
secrets you need to listen to all 16K pair exchanges. And the key is
that the secret is immensely large and random.

AS long as each fob and reciever are absolutely uniquely programmed as a
matched pair, it works.

Its not impossible to crack, but its hugely non-trivial



They could have the most complex chat possible and it would make no
difference.


As I said there are ways around that, so long as the conversation is not
reusable.

What they need is something like an on-off switch on the key - like you
have to open it to activate and when closed (and it beeps once the car
is locked until it is closed) it does nothing.

Or just better coding






--
There is nothing a fleet of dispatchable nuclear power plants cannot do
that cannot be done worse and more expensively and with higher carbon
emissions and more adverse environmental impact by adding intermittent
renewable energy.

On 14/07/18 20:35, Andy Burns wrote:
Chris Green wrote:

Andy Burns wrote:

Once they can get inside the car, they plug something into the OBD port
that bypasses that, no doubt what they can get away with varies by
manufacturer.

That's non-trivial though

Seems to be 'easy enough' from CCTV footage on youtube of cars being
nicked, I think they use the OBD to disable the alarm, open the central
locking and pair their own key to the car


Again this is crap design by the manufacturer.

Making conversations safe from 'man in the middle' attacks is standard
net security stuff

And the secret is to have a shared secret that is never fully revealed
in any given conversation, and the conversations never repeat.



--
€œBut what a weak barrier is truth when it stands in the way of an
hypothesis!€�

Mary Wollstonecraft

On 14/07/2018 21:58, The Natural Philosopher wrote:
On 14/07/18 20:09, Tim Watts wrote:
On 14/07/18 15:24, Brian Gaff wrote:
Yes I'm sure for once they can. I got the exact same info from a
metropolitan Police newsletter sent to our local neighbourhood watch.
The keyless systems, ie not the ones where you have to press the
button, but the ones that work on proximity have the car pinging and
seeing if a matching fob is nearby. Normally it is not, so the crims.
have two interlinked devices, the guy walks down the road and then
when he finds a car he knows has one of these opening systems, he
records its pinging and sends it to the person going down the row of
houses, when the person gets a ping back from a fob in a house, he
then records this and sends it to the other person who proceeds to
get into the car.

The thing is, there is no non-action proximity device that you could
not insert a dumb relay between the key and the car.

Even if you have a normal challenge-response crypto system between Car
and Key, if you stick a relay device with two ends: A and B:


C=A----------------B=K

If A-B faithfully relay a copy of the signals (NFC, radio, it doesn't
matter) - there is no way C doesn't know it's not next to K


One time key solves that.

Rubbish.
Good job you don't do security as you don't understand the problem in
the first place.

On 14/07/2018 22:02, The Natural Philosopher wrote:
On 14/07/18 20:35, Andy Burns wrote:
Chris Green wrote:

Andy Burns wrote:

Once they can get inside the car, they plug something into the OBD port
that bypasses that, no doubt what they can get away with varies by
manufacturer.

That's non-trivial though

Seems to be 'easy enough' from CCTV footage on youtube of cars being
nicked, I think they use the OBD to disable the alarm, open the
central locking and pair their own key to the car


Again this is crap design by the manufacturer.

Making conversations safe from 'man in the middle' attacks is standard
net security stuff

And the secret is to have a shared secret that is never fully revealed
in any given conversation, and the conversations never repeat.

More rubbish from someone who hasn't understood the problem and is
trying to look like he does.