I imagine improvements to the key fob could be made that would require a mechanical coupling with the car in order to start it. That would circumvent this attack.
I'm not sure if this is a joke about old keys being better, but I'd argue you could have the benefits of new keys and old keys combined if you just made it so that new keys have to be inserted into some compartment inside of cars, where they are authenticated by those cars. You can imagine a fob with a USB that has a different authentication code than the wireless one it sends out, and unless the USB is plugged into the car, you can only start the car up but you can't drive it.
In addition, you can make it so that the car doesn't unlock due to proximity with the fob, but rather, it only unlocks if you push the unlock button on the fob.
Does this not sound exactly like what I had back in the 90s, where my physical key would need to be inserted to start the vehicle, and to unlock I'd press the key fob to activate the unlocking?
I imagine a smartphone with touch sensor + car remote app would be even safer than what we have now.
The difference is that you can start up your engine (read: have AC on so that your car is the right temperature when you get to it) and also unlock the doors for others from far away.
If that functionality was encapsulated on a smart phone, that would be fine too.
My 2007 vehicle does this just fine. And any signal from the fob requires a press of the button. These key fobs use rolling codes as well. So you would need to capture a button press while the remote is too far away from the car to receive it. Then replay it to the vehicle. Of course you still need the key to unlock the steering wheel, and if you touch the brake without inserting the key, the ignition cuts off.
I'm not sure why we are going backwards in the security department here. Seems like a lot to give up just to not have to stick the key in or press the unlock button.
> I'm not sure why we are going backwards in the security department here.
Consumer products nearly always go for features that have whizz-bang "it's so convenient" demo value, until a problem like this becomes prevalent enough to end up on everyone's nightly news.
My mom used to be the same! It would take her 10 minutes to find her fob! But, there are typically ways around this. For example, now my mom has her keyfob in a small pouch of her purse, and she always knows where it is.
I imagine a lot of people don't use a key to get in their house, nor do they use the front door. Hit the button on the garage door remote, drive in, walk into house.
When I was in the states we were discussing this with a friend. He idly noted that after a valet gets into your car he can just select "drive home" in the GPS, open the garage with the integrated garage door opener, and just walk into the house.
He then added "It's good that I always lock the door in the garage too".
I also lock that door in case a second garage door is left unlocked. Then again, I lock doors during the day when I'm home out of habit. Did this before a recent break-in attempt, so hardly discouraged by that.
If I ever have a break-in I imagine it will immediately change my habits. Knock-on-wood, has never happened to me yet.
I do have auto-closers on the garage doors, however, because my kids do have a habit of leaving them open otherwise. Of course, they also keep leaving the man-doors unlocked all day as well.
I got a notice in the mail from our county's assessor because they left three door tags at my house. I almost never open the front door. I go in and out of the garage, and let my cat out the back.
For many people, there's no need to unlock the front door because it's never locked. Having to lock your door just means you're living in a terrible neighborhood.
Not sure about the US, but in the UK where I have more experience having my stuff stolen, if you rob a house and the door is locked it is a far more serious crime than if the door is unlocked. Big reason people made sure to lock their doors in my neighbourhood growing up since 90% of the yobs would just check if doors were locked, not actually dare to break in.
> in the UK where I have more experience having my stuff stolen, if you rob a house and the door is locked it is a far more serious crime than if the door is unlocked.
This doesn't make much sense from first principles. I assume everyone agrees that theft is equally unwelcome regardless of whether the door was locked. But the additional damages from breaking into a locked home are pretty minor compared to the damages of the theft. Why would there be a large difference in punishment?
So what? The claim is that it's a "far more serious crime" to enter your house and take the bicycle mounted on the wall, when the door was locked, than to enter your house and take the bicycle mounted on the wall, when the door was unlocked.
The bigger issue is insurance. If you have stuff stolen and there's no sign of forced entry (home or vehicle) then your insurance company will likely be asking questions about how exactly the thieves gained access.
Even if you live in a "good" neighborhood you could still be burgled by someone casing the neighborhood/home. Do people really not lock their houses when they leave? My parents always taught us to lock the house on the way out, even when we lived out in the country.
I don't get the downvotes for this. A dog who doesn't like strangers is a pretty traditional security system, and is much, much more secure than a locked door.
It really really isn't. That stranger can become an instant friend with some food. There was a show once where an ex-burglar would break into people's homes to show how easy it was. People would say, "there's no way he's getting past my dog!" and the guy would just open up the fridge and throw all the meat on the floor. End of problem.
Statistically, you are by far the most dangerous person in your life. You are far more likely to hurt yourself than a stranger is. Should some ne'er-do-well enter your unlocked door, remind them of this and start giggling. 'We were just waiting to see who will come!', works too though.
> Having to lock your door just means you're living in a terrible neighborhood.
Interesting. Is that an American thing? I do recall that most of my American friends don't lock their doors, whereas I can only think of a handful of people not locking their doors in Europe - and those live in remote outposts, where people are scarce and deer are unlikely to use the door handle.
Growing up, we did not even have a key for our house. Lots of places around the US, there is no need for keys. It is really hard for some people to grasp the idea based on how and where they grew up. My wife grew up in a gang riddled area and will not abide unlocked doors if we are out and about.
My parents never locked the doors growing up, but I still lock the door of my own house. My parents never gave me a key when I was a kid, so it was probably left unlocked so I could always get back in. I'm not sure why they didn't just make sure we all had a key so they could keep it locked. That's what my roommates and I do at our place now and it works fine.
She doesn't have her keys on her fob. Heck, last time I took her to get her oil changed, the key fob still had the little plastic removable key tag from the dealer she bought it from.
Yes, I was making a joke, but I was also semi-serious. I personally wouldn't mind that the car unlocks based on the fob's proximity, but requires insertion of the key for ignition. I currently drive a 2009 car with the usual key fob and my biggest issue with it is not having to insert it to start the car, but unlocking the doors while my hands are full. Once I'm seated in the driver's seat I'm not carrying anything and starting the car is no problem.
My problem with modern cars is that there’s no good place to put the keys. They’re uncomfy in my pocket when sitting down and I’m too warm for a jacket with pockets.
The old ignition hole was the perfect solution. You had a dedicated spot for your keys, you always knew where they were, were unlikely to forget them in the car, and it also happened to start your engine. Perfect.
Unfortunately, that would be vulnerable to thieves unlocking your car and taking everything in it. For me, the biggest convenience of fobs is the ability to start the car and have AC on so that the car isn't burning/freezing when I get to it.
If they're stealing your car like in this article, then that's already happening anyway. At least if it was unlock only and not ignition as well then you'd at least still have your car.
Then the thief could hide in the back, and rob you while you were driving down the interstate (ie. he could hold a knife to your throat and force you to drive to ___location that was hidden from public view). I don't know how realistic this is, but it is far more dire.
If the objective is to steal your car, the thief is going to use the least risky way that he can come up with. If you take away his ability to do it without having you start the engine yourself, this is what he's left with.
Toyota Prius does that. (Or at least the 2007 version did.) You have the key fob (with emergency key inside). You have to insert the whole fob into a port on the dashboard for it to start.
That's essentially how my car works right now. It's push to start, but you've got to have the fob slotted into a thing in the dash for the push-to-start button to actually work.
Mine too! But only because the battery on my fob died and I am too poor now to replace it. Frankly I kinda like it that way, it makes me more conscious of the damn fob (I used to just drop it anywhere in the car). I have a Tucson 2011 FWIW.
But that's the perfect fob! I keep it in my pocket and it has enough of a distinct shape that I can press the buttons from the outside of the pocket. So I lock/unlock and open the trunk with no effort and yet am immune to this attack because a button press is always required. People I've driven were mystified how I was operating things because it's become so second nature you can hardly tell.
I have a 2007 BMW. It does have a slot to insert the fob. But it is not required to start or run the car. The slot acts as a charger and holder for the fob. But proximity is all that is actually needed.
Sounds like you've got the comfort access package on your car. Without that tech package (sadly not offered on my make and model year) you've got to actually put the fob into the slot to make the push to start work.
The key fob does use challenge-response, the thief just uses a glorified range-extender to get the car started with the key normally out of range. The car stays on once started. There's no MITM involved.
Huh? The diagram in the article shows two men ("Thief 1", "Thief 2") between the fob and the car, with arrows showing communications going from fob to thief to car. According to the first sentence of the Wikipedia MITM article, that's the very definition.
The relay is of the radio signal; there is no inspection or tampering of the relayed messages. Basically, the extender tricks the car into thinking the fob is closer than it is.
In other words, there's identification, there's authentication, but authorization is replaced by "if in range, then authorized." Two out of three is still game over.
Maybe it has something to do with the additional battery consumption that doing this incurs, probably something like double/triple consumption, with the hashing.
Lock receives signal from Key, writes down time and picks a random key and uses these to create a ciphertext, encrypts that with the public key of Key to create a second ciphertext and sends. Key receives message, decrypts with private key to first ciphertext and encrypts that with the public key of Lock and sends back. Lock decrypts message with private key and earlier random key, compares to current time and if it has taken more than a set time period does not unlock.
The clock has to be pretty fast, but you can get a secure time of flight measurement, so you can absolutely know the distance of the radio signal path.
This is basically the solution. Light travels about 1 foot in one nanosecond, so the car needs to reject latent replies.
I did research in this area a few years ago. Here's a research paper [1] from 1993 that goes into more detail about this type of "distance bounding" solution (i.e. authenticating received signal only if 1) it is received within a few nanoseconds AND 2) the decrypted received signal contains the previously sent random number) in order to defend against "relay attacks". The paper discloses many variations to this general solution as well.
[1] Brands and Chaum, "Distance-Bounding Protocols"
I realised after writing it that you don't actually need to send the time itself, but it was my first 5 minute stab. Plus it is sort of fun to have the time flying about.
Edit: thanks for the link, having a read through.
Exactly - if I'm in bed for an optimistic 8 hours, then we're talking about a security feature that works for a third of the day. As for that time being at night when people are more likely to steal: https://www.nytimes.com/video/opinion/100000001423494/bike-t...
I'd much rather have a solution that precludes relaying; maybe something that involves a precise turnaround time in the radio signal between the car and key, and so the key physically can't work beyond some relatively short range.
Please yes. Traditional keys fit on my keyring, can survive the clothes washer, don't unlock doors by accident, can open a car with a dead battery, don't have their own battery issues, and can be brought into restricted work environments where radio transmitters are banned.
I want key holes in all doors. I want to insert a key to start the car.
About half of those problems don't really exist, in my opinion. I've washed the keyfob (it is waterproof), it has a built in key if the car battery is ever dead, I've never actually had to replace a fob battery. Personally I don't carry any keys so having a small round-ish object in my pocket that doesn't stab me in the leg when I sit down is a preferable situation.
Maybe I've just met an abnormal amount of lucky people, but in my role as one of the more mechanically inclined among my friends and family, I've seen three people completely locked out of their cars when under-door or other concealed keyholes have needed to be used.
I'm not sure if it's been from rust, lack of use + time, or ice, but unused or backup keyholes on vehicles seem to fail far more often than those used for normal entry.
That is a good point. I've never had to test the theory that my backup key would work in a pinch. Come to think of it, I don't actually recall anybody in my circle of friends and family having any issues either. Cars sure have become reliable in the past 30 years. I also live somewhere relatively mild where we don't put salt (for the most part) on the roads in the winter so corrosion is less common.
Counterpoint: much that is touted as waterproof tends to have smallprint saying "applicable in dry water only" (yup, had major warranty hassles on supposedly IP68-certified equipment, how could you tell?), and had to replace car fob batteries (unrelated incident; also needed to resync the token generator in the fobs, who knew there even was one?).
"I'm lucky" is not quite the same as "that's a nonexistent problem".
My fancy wireless fob/key has a 'hardware' fallback which I absolutely adore. If you click a very well hidden button, the fob separates exposing a plain old metal old-timey key ready to be used.
My local Lowes store offers key duplication via digital image as a service. You do need to insert the physical key but the machine creates a digital image for cutting the duplicate.
> A simple on/off button on the fob would work, and probably extend the battery life by a few years.
As well as taking away much of the convenience advantage that passive fobs have over active-only fobs (most fobs already can be actively used, as well as passively.)
I think over-the-air updates are one of the big advantages that Tesla has right now. They can respond quickly to critical vulnerabilities like that.
I wonder how fast other car manufacturers are going to catch up? Volvo recently announced that they are working on an Android based system, but it's not going to be rolled out before 2020.
Yes, it was rolled out in a recent update - mainly in response to security researchers discovering they were using weak 40-bit crypto that had been broken back in 2005 that meant an attacker could just outright clone their fobs. They couldn't fix that in a software update so they stuck a PIN on as a patch.
I dread the day when cars update overnight. Drivers become testers, and anyone participating in traffic (aka everyone) has to fear that a minor point release introduces a bug that might kill them.
A simple button on the fob (rather than in the car) that you must press to open the doors and to start the engine would mitigate the attack. No need for coupling.
> A simple button on the fob (rather than in the car) that you must press to open the doors and to start the engine would mitigate the attack.
Yes, reverting from passive-supported to active-only remote entry/start would eliminate the attack by eliminating the feature on which it is based. OTOH, the handsfree nature of passive remote entry is a major selling point.
Selling point for some. For others, either a "do not buy" point or "crammed down your throat" point.
There is a general trend that car electronics is increasingly acquiring behavioral features that annoy me, that cannot be disabled. This is all across the board; if you don't like it, you have fewer and fewer options: pretty soon, you will have to drive a used old beater if you don't like what new cars are doing.
Mount the receiver to a drone and park it on the roof of a garage you want. Even hop around the neighborhood and capture - a whole new level of war-driving.
Fly the drone into gated estates, or better yet a country club drive-up near the valet and record many high-value signals.
This happened to a family member of mine, here in Toronto. Lost their gorgeous M5.
Their kid normally wakes up in the middle of the night, except this time, he freaked right out like he was scared. They were wondering what was going on with him, when one of the parents heard the M5 turn on (it's pretty distinct). "That's my car!" His wife said, "Naw, you're crazy, no way."
Sure enough, key fob attack and theft. Caught on their video cameras. Filed the police report, claimed insurance, cried internally about the loss of a gorgeous vehicle. In all seriousness though, it's just a car, so no big deal, but nothing will fix the violation you feel, and the fact that you were being targeted.
If I were the insurance companies, I'd be putting pressure on the car companies, but hey, maybe it's just the cost of doing business for them. Better to pay out for a vehicle theft, vs. actual injuries from a collision. That's probably why there's little incentive to fix it, especially if fixing it makes your product less convenient.
> If I were the insurance companies, I'd be putting pressure on the car companies
And also give car owners an incentive to keep their keys safer, given how many vehicles out there are vulnerable to this. Just fixing this for new cars is only half the solution.
I remember back in the 80s my parents got a discount on their insurance for installing a third brake light in the back window of their old Camaro. If my insurance gave me a discount, I'd get a faraday cage for my keys. I'm considering doing it anyway, even though my house is pretty far from my driveway, and we have cameras.
I've searched for nice-looking faraday cages but haven't found anything good. I think there's a market for fashionable key/phone faraday cages, between this car theft issue and the push to digital detox.
EDIT: curious why this is downvoted? I'm not saying that this shouldn't be fixed by car manufacturers going forward, but we need to do something about the millions of cars on the road already. Is there another solution that would make more sense? Or is there something I'm missing here?
It's unclear how the insurance company would verify you're using the faraday cage. Presumably you're not willing to accept responsibility for the loss.
Sure, this wouldn't mean I'm responsible for any theft of my vehicle, just that it would reduce the likelihood that it would happen — benefiting both the insurer and insured.
The companies could even give away nice-looking faraday boxes that cost them next to nothing to make, and which would probably have decent adoption among people who have requested them. That would cut the hard costs to be very low, and give them a branding/perception benefit.
Imagine seeing "Mercury Insurance is giving away a Fob Box to any customer who wants one." It wouldn't make me switch to Mercury, but it would make me think more highly of them. And if I were just out of college and choosing my first insurance company, I'd undoubtedly choose them.
Given the spate of thefts and the likelihood that it continues, a promo like this could resonate for a long time and get mentioned in lots of news stories.
> And also give car owners an incentive to keep their keys safer, given how many vehicles out there are vulnerable to this. Just fixing this for new cars is only half the solution.
Why is it always up to us to deal with the consequences of all this poorly thought out new crap?
It sort of reminds me of the way they want us to believe that "identity theft" should be our problem to clean up, when it's really caused by banks' poor security practices.
I do exactly this. I lined a cookie tin with foil, and tested it by holding the closed box (with the keys inside) next to the car. It didn’t unlock. Then I opened the box, and it did unlock. The box has to be closed (lid fully on, no gaps) or the car will still unlock.
Of course this only foils overnight theft. I imagine it would be trivial for someone to follow me from a car park to a public ___location and sit next to me to get the key signal from my pocket.
I would imagine the signal emitted from the fob is time sensitive. The codes should be invalid within a few seconds. If not, shame on them for such a terrible step backwards in security.
I've watched some DIY videos and am considering doing just this. I'm not sure how tight a seal you need though (one video said you want overlap from lid to sides/bottom), and the drawers we have there aren't super tight. Maybe we'd make an enclosure within the drawer and be able to line that sufficiently?
If anyone knows how much leakage there would be for fobs/phones, and whether it makes a difference for this application (where the sniffer/attacker would be 10+ feet away), I'd love to know it!
What's strange is, I can see unlocking the car and even starting it with this attack -- but do the cars not continually (or at least every minute or two) revalidate the presence of the key?
Once they got very far away from the house, the car should shut off. Or so I would think.
> but do the cars not continually (or at least every minute or two) revalidate the presence of the key?
Mine will beep for a bit if I leave the car with the key. But the vehicle also works when the fob's battery is depleted (it has an RFID tag and an embedded physical key for the door). Having the car randomly shut off based on something so potentially flakey seems like a worse idea.
> Once they got very far away from the house, the car should shut off. Or so I would think.
In the event that the actual owner of the car left their fob at their previous stop and discovers this fact 40 miles down the highway later, if the car were to stop, the driver is now stranded with a car that won't start. As it is now, as long as there is enough gas in the tank, the owner can just drive back and get it.
That's why the car should stop after less than a mile, or even not go into drive at all, rather than driving 40 miles. In your scenario, how will the driver discover that the key is missing without turning the car off and then finding herself unable to turn it back on?
So if you accidentally drop your keys while entering, or your passenger departs with your key, the car should lock itself 2 minutes later while you are driving?
Yeah, sounds reasonable to me. Either of those situations should already be solved. My car at least yells if the key goes away when the car is on, and if you're dumb enough to keep driving, that's kinda on you.
No, it is not reasonable for the car to stop suddenly without the key. Even if it stops by going into an emergency limp mode, this could seriously endanger the occupants by leaving them in a dangerous traffic situation, a dangerous ___location, or with other issues.
This is why every car company has examined it and chosen to not do it.
This feature actually saved huge inconvenience for us once. While visiting the other coast for wife's mom in the hospital, we used one of her parent's cars to drive to the airport with her brother to drive it back. We get out at the airport, get luggage, hugs, bye, head into terminal -- with the key still in her purse. Car running, doesn't notify him until too late to chase. If it stopped after 2min, he'd be stuck somewhere outside an airport 100mi away from anyone he knew. Instead, he just drove it home, got & used the other key for a few days, and we mailed back the first key when we arrived.
Well, it means that the simple presence of a key in the vicinity of a car isn't enough to answer the question of "will this key be present there" by the end of the journey.
It means the key has to be inserted somewhere. That makes it both safe and predictable.
As someone who turns their car on by inserting their key into a slot in it, all this seems quite convoluted just for the convenience of pushing a button. I don't understand why the car would even let you accelerate at all if the key isn't inside the actual car (even if it's just in your pocket, if you insist on pressing a button).
Sorry, perhaps I should've put my comment higher up. I was referring to the general problem of the article, which I understood to be enabled (among other things) by the possibility of unlocking, turning on, and driving a car without the car having a means of verifying the key is inside/very close to the car.
I got myself in a bad situation where I set my key fob on the top of my car after a run, changed, jumped into the car, and got onto the highway before realizing my mistake. The fob fell onto the road and was run over and destroyed before I could get to it. Thankfully I left my car running during this time and was still able to get home.
The way it works is reasonable. Maybe tighten up the proximity. But honestly, I miss my classic keys.
In the article, the first car mentioned the car was found in a parking lot, contents emptied. If they wanted to take it to a chop shop, easy enough to take it far enough to put on a flatbed.
> Better to pay out for a vehicle theft, vs. actual injuries from a collision.
What do you mean? It's not as if anyone will be driving less... the insurance company will pay for a new car, the family will buy a new car (presumably they need it), and still be just as statistically likely to collide with the new car.
Sure, if a car theft for one car spread the cost to _all_ insurance companies, but it doesn't. So to stay competitive, companies have to 1) insure good drivers so the rates stay low and 2) invest in customers who have good car security (note the discount one gets for having their car garaged).
Insurance companies pressure drivers who have these misfeatures, drivers pressure car manufactures. See also: discounts for anti-theft tech and airbags.
The latest insurance "incentive" is a tracking device in your car that tracks when and where you drive, how fast, how hard you corner and stop, etc.
I've declined this but expect that insurers will push for it to become mandatory. They would love to be able to charge unsafe drivers more money, and in the abstract I don't have a problem with that, but the tracking is creepy.
No no no, they would love to charge everyone more until they prove to be safe drivers — ready to withdraw the discount at the first doubt.
This is why I am not going to get one, nor a “smart” water or electricity meter: give more data to corporations, and you can be sure that they will use it against you.
This is an idea that I do not see getting enough attention. “Big Data” has a lot of possible benefits but only if companies collect limited and relevant data. I’m comfortable telling my insurance company where and how I drive as long as they cannot share that or combine it with any other data.
Wait until your insurance suspends their coverage for 24 hours because the road conditions aren’t meeting their requirements, or you didn’t evacuate quickly enough, or there’s a forest fire nearby.
Does the mileage number have to be accurate in terms of wheel rotations? Can a hard braking event add miles? Is miles just an abstract representation of risk?
What's the yield on the secondary markets for these hot vehicles, since the VIN is compromised, a new license plate is needed and a thorough scrubbing has to happen?
Selling parts. Usually chop shops, then to shady body shops and mechanics. With exotics, many are exported to less principled markets, with minimal VIN mitigation needed. Notice how the top stolen cars on every annual list are always ones with popular body styles (Accord, etc.), it is no accident. The parts are often worth more than the car, and can be sold at full market value, unlike a stolen car.
I use these Faraday cage pouches for my new car keys (I got the two-pack listed "Amazon choice" in the above link) and they are excellent. As far as I can tell anyhow - my car hasn't been stolen (yet!) and if I keep the key in its pouch I can neither open the doors nor start the engine even if I'm right next to the vehicle.
An added bonus, it also makes the keys much more comfortable to have in a pocket, holds them in a fairly flat orientation - and stops them from scratching a phone!
I've had these. They worked for a while. But then I guess the metalized fabric wore through or something, because after a while they no longer kept the car from starting.
The smallest ones I could find would actually hold two fobs, but when filled were large and uncomfortable enough in my pocket that I preferred to just keep the fobs naked.
I still haven't found a good solution that actually works for keeping passive fobs secure while they are actually in my pocket.
Since most car manufacturers seem to be vulnerable (to my knowledge), I assume all or most buy the same COTS keyfob + electronic lock product. Much like Takata airbags or Bosch ECUs.
Being a step away from the problem probably helps keep that OEM manufacturer from strapping in and solving it. They don't feel any pain from it.
The vulnerability is pretty much inherent to the idea. No amount of encryption can protect you from a relay attack. The only foolproof mitigation is to enforce a short round trip time to ensure the fob is actually close to the car, but with the short distances involved that means the fob has to generate and transmit a response within a few nanoseconds.
As long as the fob's own delay is very consistent, I don't see why you couldn't time the signal.
Edit: there's a discussion down the page somewhere. The issue seems to be that (for power reasons) they use low-freq radio, on which it's hard to get timing accurate enough for 10m distance changes.
"but with the short distances involved that means the fob has to generate and transmit a response within a few nanoseconds."
And the challenge-response pair must be different for every transaction, otherwise the thief can easily grab an SDR with tx capabilities, get to the car and ask for a transmission, record the spectrum, then go near the car owner's door, transmit the car's challenge and record the key fob response, go back to the car, wait for another challenge transmission and time the response accordingly. No need even for a second thief.
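An added example, not code from any commenter in this thread, of the distance-bounding idea discussed above (the time-of-flight check from the earlier sub-thread and the fresh-challenge requirement from this one): a simulation of a car that issues a random challenge, checks a keyed MAC over it, and then rejects any reply whose round trip exceeds the budget for its acceptance range. It uses a symmetric MAC rather than the public-key scheme sketched earlier, and the numbers (0.3 m per ns, a 2 m acceptance range, a 5 ns fob processing time) are assumed for illustration; real low-frequency fobs are far slower, which is exactly the engineering difficulty raised above.

```python
import hmac
import hashlib
import os
from typing import Callable, Tuple

# Assumed illustrative physics and budget: radio travels about 0.3 m per nanosecond.
METRES_PER_NS = 0.3
MAX_RANGE_M = 2.0           # the car only accepts a fob within about 2 m
FOB_PROCESSING_NS = 5.0     # assumed fixed time the fob needs to compute its reply
# Largest round trip the car accepts: out and back over MAX_RANGE_M plus fob processing.
RTT_BOUND_NS = 2 * MAX_RANGE_M / METRES_PER_NS + FOB_PROCESSING_NS

# A channel maps a challenge to (response, simulated round trip in ns).
Channel = Callable[[bytes], Tuple[bytes, float]]


class Fob:
    """Keyed responder: answers a fresh challenge with a short MAC over it."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()[:8]


class Car:
    """Verifier: fresh random challenge, MAC check, then round-trip-time check."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def authenticate(self, channel: Channel) -> Tuple[bool, str]:
        challenge = os.urandom(16)  # fresh per transaction, so recorded responses are useless
        response, rtt_ns = channel(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(response, expected):
            return False, "bad response (wrong key or replayed stale response)"
        if rtt_ns > RTT_BOUND_NS:
            return False, f"too slow: {rtt_ns:.1f} ns > {RTT_BOUND_NS:.1f} ns (fob far away or relayed)"
        return True, "ok"


def direct_channel(fob: Fob, distance_m: float) -> Channel:
    """Fob talks straight to the car from distance_m away."""
    def channel(challenge: bytes) -> Tuple[bytes, float]:
        flight_ns = 2 * distance_m / METRES_PER_NS
        return fob.respond(challenge), flight_ns + FOB_PROCESSING_NS
    return channel


def relay_channel(fob: Fob, thief1_to_car_m: float, thief2_to_fob_m: float,
                  link_latency_ns: float) -> Channel:
    """Two-person relay: one device by the car, one by the owner, joined by a link
    (cable, second radio, cellular) that adds link_latency_ns in each direction."""
    def channel(challenge: bytes) -> Tuple[bytes, float]:
        air_ns = 2 * (thief1_to_car_m + thief2_to_fob_m) / METRES_PER_NS
        return fob.respond(challenge), air_ns + 2 * link_latency_ns + FOB_PROCESSING_NS
    return channel


def replay_channel(recorded_response: bytes) -> Channel:
    """Single device that recorded an earlier response and plays it back instantly."""
    def channel(challenge: bytes) -> Tuple[bytes, float]:
        return recorded_response, 1.0
    return channel


def demo() -> dict:
    key = os.urandom(32)  # constructed shared secret, provisioned at the factory
    fob, car = Fob(key), Car(key)
    # A recording of one genuine exchange is bound to a challenge the car never reuses.
    stale = fob.respond(os.urandom(16))
    return {
        "owner_at_door": car.authenticate(direct_channel(fob, 1.5)),
        "owner_in_house": car.authenticate(direct_channel(fob, 30.0)),
        "relay_fast_link": car.authenticate(relay_channel(fob, 0.5, 0.5, 20.0)),
        "replay": car.authenticate(replay_channel(stale)),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:16s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

Even a relay with only 20 ns of link latency per direction is rejected here, which is the whole point: the MAC proves the fob answered, and the round-trip bound proves it answered from nearby.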
I disagree. A physical switch on the key itself which opened a circuit to the decryption key would mean the key would need to physically be in the possession of the driver.
“The idea” here refers to having the key operate automatically without having to manipulate it. If you require the driver to push a button on the key, the problem is trivially solved.
You suspect that the average person is going to give up a convenience that benefits them multiple times daily to ever so slightly mitigate the risk of an incredibly rare problem? I do not agree.
Isn't "keyless entry" basically same concept as "not locking a door"? You can trivially implement it on every vehicle without using any electronics at all.
Uh, no? When you touch a door handle when the car is locked, the car will try to detect a keyfob near the door and then unlock itself when the keyfob is detected. The car won't unlock if a keyfob is not detected.
It is a convenience feature -- you don't have to fish your keys out of your pocket/handbag and press a button to unlock your car doors or to start the car. So long as you have the key somewhere on you (bag/handbag/pocket), you can unlock and start the car.
Is getting your keys out of your bag or pocket really that hard? In comparison to the security risks?
To think of it another way: before keyless entry was a thing - how many people were thinking 'damn I wish I didn't have to get these annoying keys out of my pocket?'
To think of it yet another way: How many people buy the upgraded trim on their car mainly for the keyless entry?
Like with anything to do with security and convenience, there is always a trade off (longer passwords are more secure but harder to type, etc...). I don’t think this is a big enough security issue right now for car manufacturers and insurance companies to really do too much about.
I used to have a car without this feature and it was sort of annoying for 5 seconds each time I have to unlock the car. I do get annoyed when I get a rental without this feature too.
Additionally, this also helps when I am carrying bags or other large items with two hands. I can simply make a kicking motion at the bottom bumper of my car and the trunk will open automatically instead of me having to put the bags down and fish for my keys.
I agree that it is minor and not a real deal-breaker, but it is a nice to have.
Is it true that encryption cannot protect from a relay attack? If the encrypted payload is passed based on some kind of pre-shared secret (pairing) then each message should be unpredictable to a third party, right?
Hm, good point. I guess I don't really know how these systems work. I assumed there was some kind of rotating value but I have no reason to believe this. Based on these attacks it seems the keys are really just sending the same signal every time. That appears to be a real shortcoming of the design.
I think you’re not understanding the attack. It could be a unique, unpredictable signal every single time and the relay attack would work just fine. The devices intend to use distance to prevent this, with distance determined by strength of signal. The relay captures the challenge, passes it to the fob and then passes the response back to the car, boosting the signal if necessary. The timing on this is fast enough that it is within the tolerance of the system. As long as these devices are acting as proximity sensors and your fob isn’t electromagnetically isolated, this attack will work. No amount of key rotation will help.
The modern ones send a unique value each time, so capturing the transmission and playing it back is useless. But that doesn’t save you from an attacker that just amplifies the signal and otherwise lets the two ends communicate normally.
Can't you stop the car if the key is not present in the car? I guess the thieves could fake it with long distance transmission of the signal, but that would be more difficult, and the further the car drives away from the actual key, the easier it becomes to detect the timing delay.
No. Safety-wise you can't just shut the engine off and lock the steering because the RF connection to some keyfob is wonky.
These thefts have been going on for years and they will not stop until key-less go is dropped or changed such that the key requires interaction (like every higher security transponder has for, like, always).
Obviously you would not use that absurd shutdown procedure. You'd give a warning and tell the driver that the engine is going to shut off in X minutes, and after X minutes you decrease its max speed to 10 km/h for Y minutes before shutting down completely. Cars already do way more dangerous stuff if you assume that arbitrary components fail.
It also depends on the reliability. You could also say that you can't just shut the engine off if the electrical contact in the keyhole is wonky.
Before the keyfobs became popular there were transponder keys with embedded RFIDs. While still attackable, they aren't actively pinging their car and revealing their presence like the fobs do.
Yeah, this has been a thing for years in the UK. My wife and I put our keys into a metal lunch box in the hallway, which mitigates this problem; this was prompted by both next-door neighbours getting their cars broken into.
Exactly. Luckily I've got a Kia which nobody wanted to steal, but it's definitely a well known attack vector. A car on one side got stolen, the other side 'just' had stuff stolen from it.
Wait until bad weather. I had an utterly clapped-out Jeep Cherokee stolen one cold-as-hell winter night. Sure enough, found two neighborhoods over... a fair walking distance from where the last late night bus would have dropped someone off. So, yeah, a stolen beater is just fine when it's freezing cold outside...
Good point. We've got a new (year old) Kia Ceed, and a 15 year old Ford Focus. I'd imagine if somebody needed a ride they'd just take the Focus. Either way we've got the cameras outside which, along with the fact we don't have a Jaguar or a BMW outside probably makes us less likely to be turned over.
> Key fobs are constantly broadcasting a signal that communicates with a specific vehicle, he said, and when it comes into a close enough range, the vehicle will open and start.
Why is it transmitting without the user pressing a button? Is that a feature? As you walk up to the car it automatically starts like magic? I'm not familiar with these newer cars.
Yes, it’s a feature, so you don’t have to remove the key from a bag or pocket to enter or start the car.
In typical designs, the car continually transmits a low-frequency (e.g., 135 kHz) radio signal to wake up any wireless keys within range. When a key receives this signal, it replies with a VHF (e.g., 315 MHz) signal, and the car unlocks or starts when a door is opened or the start button is pressed.
The reply signal, at least, is uniquely coded to the car. The attack is to extend the range of the LF wake-up signal, causing a key stored away from the car to transmit a valid reply.
In some models, besides the transponder described above, the key also has a passive RFID tag, which works with a reader in the car to allow starting even if the battery in the key is dead.
(The article is wrong about the broadcasts, by the way; if the key transmitted continually, its battery wouldn’t last long.)
This is insane. Please tell me this is an option that non-insane consumers can get their car without. Fortunately I drive an old car so this does not affect me—yet. If I ever have to replace mine, this looks like yet-another-misfeature I’ll have to look out for to avoid.
On many models keyless entry and remote start are options, rather than standard. If you park in a garage at night, then this particular attack isn't much of an issue.
I'm sure you didn't intend it that way, but "let them park in their garages" seems to imply the hoi polloi who don't have covered parking deserve to have their vehicles stolen...
Thankfully, the 2019 Honda Fit I got does not have this feature. The Sport model had it, and that was one of the reasons I decided against it. Old school keyless entry via fob button and traditional key ignition.
Every run of the mill garage door opener using rotating keys or nonces to prevent replay attacks. I assume any fob design worth its salt would implement something similar.
It might not matter. If the point of the amp is to reduce the effective distance between the car and the fob, whatever messages are exchanged will look right to the car and the door will open.
With my car, as soon as you touch the door handle (with the keyfob in your pocket, or within a couple feet of the door) it unlocks, and to start the car you push a button. It doesn't work from even 4' away (eg, someone else touches the door handle while you're close) and it doesn't work from the other side (eg, when the keyfob close enough to driver's side door, the passenger side won't unlock).
The really nice feature is when you walk away (a few seconds after you're out of range), the doors automatically lock. However, the downside of this feature is my wife's car does not have it -- and so at least half of the time when I am driving it I forget and leave it unlocked in parking lots.
> the downside of this feature is my wife's car does not have it -- and so at least half of the time when I am driving it I forget and leave it unlocked in parking lots.
My brother in law did this on a ski trip with a borrowed Range Rover. It was only at the end of the week he realised he'd left his keys in a jacket pocket in the car the entire time and it had been sitting unlocked in the car park half a mile down the road from the apartment. Thankfully it was fine but stealing it would've been a case of getting in, pressing the start button and driving away.
>so at least half of the time when I am driving it I forget and leave it unlocked in parking lots
This is the problem with a lot of the newer tech in cars like backup alarms. You become used to various features in your own car and when you rent a car you need to consciously remember that the vehicle doesn't have $FEATURE. Effectively, cars are becoming a lot less standardized. A car I rented a few weeks ago beeped at me a couple times and it took a while before I realized it was the lane departure warning triggering on a couple turns.
It's a problem going the other way too. I drive an older vehicle and rented a car. I nearly had to ask the attendant how to start the car. Then I was entirely surprised when I stopped at a light and the engine turned off.
And don't get me started on center consoles. At least my last rental supported CarPlay and I was pleased to discover that it pretty much just worked. Other systems I've had seemed far more intent on downloading all my contacts rather than doing something useful from an entertainment or navigation perspective.
Heh, that reminds me of my last rental, where, not half an hour off the lot, the touchscreen sound/navigation/??? system got stuck in some sort of reboot loop. Cursory online research suggested the problem was a known firmware bug that was unfixable without a service appointment.
A reasonable person would probably have turned around and exchanged the car with the rental company at this point.
I am not a reasonable person.
Instead, I headed directly to a truck stop and purchased a heavy-duty power inverter, dropped the back seat, and crammed my portable PA speaker into the trunk, connected to the car's trunk-mounted battery through the inverter and to my iPhone through a shielded audio cable run from the trunk to the front seat.
The result sounded far better than it should have, and what it lacked in convenience (I had to pop the trunk to power it down) and channel separation (one speaker = mono), it more than made up for in dB SPL.
(for the record, I've also repaired eBay purchases that arrived in worse-than-advertised condition rather than returning them, for no other reason than that learning how to fix things is more fun than going through the hassle of returning them)
This is also the kind of 'hacker' mindset that got me interested into technology. But instead of fixing to see how it worked, I broke it apart to see how it did.
>>Why is it transmitting without the user pressing a button? Is that a feature?
It's not transmitting anything, it works pretty much the same way NFC works. Both the key and the car have their own public/private key pairs (which were obviously set by the manufacturer) and when you touch the handle the car transmits an unlock request to the key, encrypted with the car key's public key (this is going to get confusing lol) - when the key receives the message, it decrypts it using its own private key, and if it's correct then it replies with an "ok" message encrypted with the car's public key. When the car receives that it decrypts it using its own private encryption key and opens the doors. Simple, and in theory unbreakable. The issue is that the car doesn't measure how far away from the vehicle the key is - it only relies on the fact that the transmitters used by the car and the key are super-low range (like, within 50cm). Which is obviously defeated by using signal boosters.
This is kind of a nitpick, but it's unlikely that the keyfob is doing public key cryptography. Those things have to be as energy-efficient as possible in order to maximize battery life. An HMAC would accomplish effectively the same thing, and is much more efficient to compute.
Yup, but it's not very lucrative vs. risk, thus rare. This doesn't happen all that often because the payments need to also go somewhere, and following the money is apparently easier in electronic form. Plus there's a safety/security layer - you need to authenticate payments above a certain low limit, bank vouches for what's below the limit, etc.
It doesn’t start automatically, but unlocks automatically as you approach the car. Tesla Model X even opens the door for you.
Newer vehicles are already mitigating this attack, eg by measuring signal timings. Signal relay introduces a delay which can be identified and rejected.
Ford is really bad with this. With the Fiesta and Focus, you can program a new key with the OBD2 port in under 60 seconds. Blast the key with a booster, get inside the car, plug your laptop in, program a new key, drive off. People have had to lock the OBD2 port, disable it, or put keys into aluminum foil (my method). https://www.youtube.com/watch?v=dvmSOEKfkug
This seems like as good a HN thread as any to ask this, since I've been looking into it recently. What are some cars to look into if I'm interested in the following things? Or what are some cars that I should specifically avoid?
- Low appeal to thieves interested in stealing the vehicle itself, due to the hardware (locks and whatever else) being exceptionally difficult to deal with
- Some sort of secure/hidden compartment for concealing valuables (I know, I know, don't keep anything valuable in your car, but let's say it will still be more secure than keeping it outside of the car)
- Following up to that, an especially secure trunk (if such a thing exists)
- A wagon or smaller, so no minivans/crossovers or anything bigger
- Under $25k used for something recent, maintainable (was looking at Audis but I don't want to risk maintenance issues), and with low mileage, which puts Teslas out of the picture (sadly)
I think convenience here is fundamentally at odds with security.
The convenience here is that the system requires no confirmation from the driver, no physical interaction with buttons, handles, keys, etc. The driver just opens the door and starts the engine. This allows for a trivial remote sniff-and-replay attack, not unlike copying a key temporarily.
I bet not having a lock on the door would be even more convenient. But for some reason it's not widely practiced.
Leaving a car unlocked is sometimes safer, while not foolproof it reduces the likelihood of getting your window smashed to loot the vehicle for valuables (and non valuable items)
Leaving car doors unlocked is SOP in urban corridors with high incidence of petty theft. I.e. don't leave attractive objects in your vehicle, and leave it unlocked so that would-be thieves can learn it themselves w/o smashing a window. The problem here is being able to start the engine wirelessly, not simply getting in.
My neighborhood just got hit with a string of robberies from inside cars. Not one window was smashed; the thieves can simply use a thin piece of metal slid between the window and door to enter vehicles about as quick as someone with a key, just like what police do if you locked your key inside the car.
> Key fobs are constantly broadcasting a signal that communicates with a specific vehicle, he said, and when it comes into a close enough range, the vehicle will open and start.
It's a poor design for the system to take any access-escalating action without an explicit command from the user that initiates a secured transaction that is resistant to MITM.
It's poor design to assume that the range is based on raw signal strength; it should use round-trip-time measurements (for packets exchanged with MITM resistance).
I see I made a naive statement here. Let's consider the access-reducing action of the vehicle locking itself when the fob becomes distant. That is also open to exploit; if the attackers boost the signal when they spot a driver walking away from the car, then the locking neglects to take place as the driver enters a building and goes out of sight.
However, auto locking a car based on proximity is justifiable as a fall-back measure to explicit locking with a button. The rationale is that if the user forgot to lock, it is probably better to do it for them than to do nothing.
RTT measurements are hard to make reliable with wireless systems. You don't want to set the bounds too tight, to avoid locking out the car owner in circumstances with a lot of interference. But neither do you want a signal booster to be within those bounds.
But there are better solutions. I've heard about a car maker (I think it was BMW, but don't quote me on that) that put an acceleration sensor in the key fob. It would only broadcast the signal while the key fob is moving.
RTT measurements can give proof-of-proximity (due to relativity), but I think they're quite hard to get right (you'd need nanosecond RTT resolution in a cheap keyfob) -- I think analog signal repeaters wouldn't add significant RTT. It's not impossible though, GPS decoders work in a similar fashion.
Requiring user initiation seems like the adequate solution here...
The Apple Watch manages to handle RTT measurements to prevent exactly this attack.
You don't need complexity in the FOB; the car starts the clock, sends the signal, measures the time taken to reply. If it exceeds some threshold ignore the response.
There is no way to spoof this if the request/response itself is using proper cryptography.
My car was recently “broken into”, it’s a Mercedes C400, I thought it to be fairly secure so my assumption has been that I forgot to lock the car. I just double checked, and the car has an “auto-lock” feature and it is already turned on...so...did this happen to me?
I just want an off switch in my fob, so I can disable it at night. More fancy solutions would be a motion sensor on the fob to only power it when it had recently moved, or for retrofits, this technology in a battery?
Hmm ok yeah, that wouldn't be it then. However it's still good to know! I'd love to be able to just disable the remote without taking out the battery or storing it in some faraday cage.
I wonder how hard it is to measure the delay between challenge and response... Any distance extension would increase the signal flight time that should be measurable.
This has been proposed in the past yet I haven't seen any implementation of it - perhaps because of increased power consumption of accurate timing components needed? Any EEs able to comment on this?
There are a lot of great technical discussions here of ways to possibly solve the issue. The real problem points back to the lackluster security the auto industry is used to. Only if some sort of accountability or software security testing requirements are enforced will this get fixed.
They have to have a mandatory recall if your Audi accelerates quickly by itself (that was in the early 80's I think), but no recall for a possible vulnerability in a Jeep where someone can hack into the machine and control the acceleration (and other items).
This would be worse with centrally controlled autonomous vehicles, they are always sending and receiving data. Imagine the firmware on your car not being updated after 2 years and being stuck with the still open vulnerabilities.
IIRC for the Audi 5000s it was because the brake and throttle were too close and your foot or floormat frequently got stuck on top of the throttle. People would shift out of park not realizing this and go flying, not any kind of software or security issue.
You are correct it was mechanical, I was just drawing a connection that mandatory recalls exist for issues the auto industry is used to (i.e. mechanical), but nothing exists to track and force updates to software issues (like a CVE database; perhaps something does exist and I have not heard of it) and they have not in the past been the best at software assurance.
It is kind of an apples to oranges comparison, but nonetheless it gets the point across.
They don't issue recalls for every mechanical catastrophe, and they don't ignore them for software issues either. When an automaker has a problem that merits a recall, it's because very careful accounting has indicated it is cheaper to roll out the recall than it would be to litigate or settle in court, not from any kind of good faith action. Even Audi would have never had that recall if only just a handful of people were injured or died from the issue.
> It’s disturbing that a vulnerability like this isn’t caught as a show-stopper before the technology is sold to consumers.
Everyone knew about this for many years. Interactive transponders are quite old (late 90s? early 2000s?) and were designed to mitigate attacks like this one (because the user has to interact with the transponder, i.e. press the button it has for it to work, all passive attacks fail).
Ah, so the convenience feature of "not having to take your key out of your pocket or purse" now requires "you have to take it out and put it in a sealed case when not in use".
> All you have to do is keep the fob inside a shielded case at home and you're fine.
Because we all have Faraday cages in our homes, and I'm sure the salesman who sold the car also made the customer aware of this vulnerability. /sarcasm.
So you have to pull your keys out of your pocket and stick them in your microwave every time you enter your house just to have the convenience of not needing to take them out of your pocket when you approach the car.
Tesla recently added a good workaround. They added a setting where you can turn auto unlock or auto start off, which blocks this remote access hack. You have to use your key fob button at least once, say to unlock the car and then it just works wirelessly without further action.
My car is unlocked at night but in my garage. If they got in my garage somehow and had the signal repeater they couldn't drive off unless I pushed the keyfob button. In the morning I just have to push it once to go. You can also en/disable auto door lock if you walk away.
Of course a general solution that blocks signal repeaters would be best. Tesla has so many fun tweaks it's truly the programmer's car.
True, the solution isn't perfect. Just brainstorming ideas that can potentially be coupled with other layers of security. The advantage of the idea is it doesn't rely on the user activating a secure mode or knowing about the vulnerability. The protection is automatic when you're asleep. Arguably if you're walking, not a large amount of that time is near your front door - although I understand your ___location may still be predictable.
It seems car manufacturers are eager to be "cool" but not thinking about the consequences of their actions
Center "touchscreen" consoles with awful usability, shifters that are not obvious (coupled with people that are too lazy to pull the parking brake) and now this
A touchscreen is a terrible interface for anything in a car, since you must look at it to operate it. Tactile dials/knobs you can feel for—and ideally feel different to each other—are the best interface for anything in your car that you want to use while driving.
Voice can be sort of ok, as long as your speech models are locally stored (no internet blackspots), but deny access to those who cannot talk, or for whom you haven't bothered to build a speech model that matches their language/accent.
>"The vehicle will continue running in perpetuity until it runs out of gas or until you shut it down," he said.
>"They do that for safety so that if you lose the key fob or if it loses signal the vehicle doesn't shut down while you're driving, but that right there is part of the vulnerability."
Anecdata, a few years ago my wife had a Renault "Megane" that used a sort of "card" that worked with proximity.
She opened and started/drove it without ever taking the card out of her bag.
A couple of times I was driving it with her in the passenger seat, we arrived to a shop, she got down in front of the door and went into the shop while I was going to park it when the car some 20-30 mt away "locked itself" (cannot remember if it stopped or just didn't allow more than - say - 5 km per hour) with the display saying it couldn't find the card.
When she changed cars, her new Renault (using the same kind of card, at least visually, but a different car model) had to be inserted in a slot to allow the Start/Run button to operate.
Two factor authentication for cars, here we come! Though, searching for this phenomenon shows articles at least 3 years old warning to get Faraday cages or otherwise wrap fobs in aluminum foil.
But do they really transmit all the time, or do they contain accelerometers or something to prevent battery from being wasted?
For the 2nd factor, they should have some kind of non-electronic device which when inserted and turned, would allow the activation of the door and ignition of the car.
Yeah so funny how all this modern tech can be compromised more easily than an old fashioned mechanical lock and key. And now I need to worry about putting my car key in a Faraday bag when I'm at home? Ridiculous.
And if you lose your key? $$$ to get a new one. Want a copy for safekeeping or because you have additional drivers for the car? More $$$.
If someone wants to get into your car they will. They will just break a window. If they want the whole car they will get it. The only person who is having a more difficult time is the owner.
2FA seems to make sense. Maybe a 4-6 digit pin that would be optional for those in high risk areas/situations.
> But do they really transmit all the time, or do they contain accelerators or something to prevent battery from being wasted?
I'm curious about this as well. A family member has an older Nissan with a keyless fob and I don't recall them ever having to replace batteries/keyfobs.
The fob for my 2007 Altima with keyless start (not entry) has required at least one battery change since I inherited it and is now complaining that the battery is getting low.
2fa on a car would be a disaster. I can't wait to whip out my phone in the pouring rain, trying to unlock it while my hands are full and I have no signal.
I used to have a numeric lock immobilizer on 3 vehicles starting way back in the early 90s. You had to dial in a 4-6 digit PIN code on a pin pad in the vehicle in order to enable the ignition. You'd need to rip the whole dash apart to enable the ignition to bypass it.
Were these types of immobilizers never a thing here?
Car manufacturers have never put a lot of priority on security in the US. I once unlocked a car, got in, and started the ignition with my key before realizing that the reason the seat and mirrors felt weird was because it was not my car.
I shut it off, exited the vehicle, re-locked it, and saw that my own car was actually the next one down the row. There are only so many combinations of pin heights in a car lock.
I have been paranoid about not keeping valuables in my vehicle ever since. That door lock is only keeping someone out for a few minutes, at best.
How battery intensive are accelerometers? The last fob I had required a battery change once every year or so already, increasing that frequency could be quite annoying. And I'd rather not have yet another device I need to regularly charge.
Anecdotally, I have a remote that lights up every time it's moved (to assist finding it at night, as it's a remote for a bed). I've had it for well over a year and haven't changed the batteries yet. Granted, it runs on three AAA batteries. Not entirely sure what tech it uses, but it's not necessarily a full blown accelerometer.
Edit: some / all of the power drain would be offset because the RF transmitter would be off while the sensor is on.
Apple claims that they use time-of-flight for their "Unlock with Apple Watch" feature on macOS, so it seems like something that a car maker/supplier could pull off, especially if they're willing to throw dedicated hardware at the problem.
That said, the fob is much more battery-constrained than a watch that you charge on a daily basis.
Indeed, the last time this attack vector came up on HN, it was pointed out that one company has patented using time of flight to validate keyless entry.
Nice find. Looks like Apple cites it in some of its own patents ("Enhanced automotive passive entry" from 2018-08-16) so maybe they already have rights to it and that's why unlock with Apple watch can work correctly.
It also describes RADAR, or even LIDAR for that matter. It doesn't seem like one should be able to patent something that is merely an application of a well known physical principle. Maybe I misunderstand what "novel" means.
The speed of light shouldn't be too fast if the fob is just returning a ping. The car can almost certainly wake up the fob, ping it, then compute the distance. Unless my brief calculations [1] are too simplistic, a 2Ghz processor would have a resolution of increments of 15cm. That should be plenty of resolution to decide if the key is in a certain spot.
So the test for amplitude is aided by the fact that the signal strength received at the car increases by a factor of four if the distance is cut in half. Thus, you have a nice margin for setting your threshold.
With measuring the time, however, presuming that radio signal will travel on the order of one foot per nanosecond, you have much less of a threshold tolerance. If the unlock takes place within two feet of the car, that is two nanoseconds. If the key sits 20 feet away, that is a 20-nanosecond one-way travel. So this solution would need to be able to distinguish between a four nanosecond gap (round trip time) and a 40-nanosecond round-trip time.
Add to that the turnaround time in the car CPU which I would imagine to be some number of milliseconds, would 10 ms be reasonable?
Thus, the electronics in the car needs to distinguish between 10 ms + 4 ns vs 10 ms + 40 ns. And given jitter in any modern CPU/memory/OS/electronics device, I would bet that the jitter totally swamps that.
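Putting the replay-versus-relay distinction from earlier in the thread and the timing arithmetic above into one runnable model, as an added example that is not from any commenter or manufacturer: the fob answers a fresh nonce with an HMAC (so a captured response cannot be replayed), a relay forwards the exchange untouched (so the crypto alone does not help), and a round-trip-time bound only separates the two cases when clock jitter is small compared to the ~130 ns that an extra 19 m of path adds. The shared key, the 50 ns fob turnaround, the uniform jitter model and all names are invented for the illustration.

```python
"""Constructed model of a passive-entry challenge/response, the relay attack
against it, and a round-trip-time (distance-bounding) check. Illustration only:
the protocol, timings and names here are invented, not any vendor's design."""
import hashlib
import hmac
import os
import random

LIGHT_M_PER_NS = 0.2998          # radio propagation, metres per nanosecond


class Fob:
    """Keyless-go fob: answers any challenge it hears with an HMAC."""

    def __init__(self, key, turnaround_ns=50.0):
        self.key = key
        self.turnaround_ns = turnaround_ns   # assumed compute-and-transmit time

    def respond(self, challenge):
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class Car:
    """Car side: a fresh nonce per unlock attempt, plus an optional RTT bound."""

    def __init__(self, key, max_rtt_ns=None):
        self.key = key
        self.max_rtt_ns = max_rtt_ns
        self.nonce = None

    def challenge(self):
        self.nonce = os.urandom(16)           # never repeats, so replay fails
        return self.nonce

    def verify(self, response, rtt_ns):
        expected = hmac.new(self.key, self.nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False                      # wrong key or stale response
        if self.max_rtt_ns is not None and rtt_ns > self.max_rtt_ns:
            return False                      # too far away, or relayed
        return True


def exchange(car, fob, distance_m, rng, jitter_ns=0.0, relay_delay_ns=0.0):
    """One unlock attempt. distance_m is the true car-to-fob path length;
    relay_delay_ns models extra delay from an attacker's repeater in that path.
    A relay forwards nonce and response unchanged, so only timing can tell."""
    nonce = car.challenge()
    response = fob.respond(nonce)
    flight_ns = 2 * distance_m / LIGHT_M_PER_NS
    rtt_ns = (flight_ns + fob.turnaround_ns + relay_delay_ns
              + rng.uniform(0, jitter_ns))   # jitter: car CPU, radio, fob
    return car.verify(response, rtt_ns), rtt_ns


def replay_attack(car, stale_response):
    """Attacker re-sends a response captured earlier against a new challenge."""
    car.challenge()
    return car.verify(stale_response, 10.0)


def relay_error_rate(jitter_ns, trials=2000, seed=1):
    """Fraction of relayed exchanges (fob really 20 m away) that an RTT bound
    tuned to accept every legitimate exchange (fob 1 m away) still accepts."""
    rng = random.Random(seed)
    key = b"constructed-shared-secret"
    fob = Fob(key)
    open_car = Car(key)                      # no bound: just measure RTTs
    worst_legit = max(exchange(open_car, fob, 1.0, rng, jitter_ns)[1]
                      for _ in range(trials))
    bounded_car = Car(key, max_rtt_ns=worst_legit)
    accepted = sum(exchange(bounded_car, fob, 20.0, rng, jitter_ns)[0]
                   for _ in range(trials))
    return accepted / trials


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    car, fob, rng = Car(key), Fob(key), random.Random(0)
    print("legit 1 m:", exchange(car, fob, 1.0, rng)[0])
    print("replay:", replay_attack(car, fob.respond(car.nonce)))
    print("relay, no RTT bound:", exchange(car, fob, 20.0, rng)[0])
    for j in (0.0, 1_000.0, 10_000_000.0):
        print(f"relay accepted with {j:g} ns jitter: {relay_error_rate(j):.2%}")
```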
Yeah, for the thief, maybe. This is a classic example of tech attempting to eliminate a mild inconvenience that no one really complained about before, and clumsily engineering a 'solution' that causes a dozen other novel and catastrophic problems in the process.
Not really, for some people it saves very little time, for most it's a small convenience, and for others it saves a lot of time, especially women who have their keys in their purse and don't have to search for them. Just because it's not useful to you doesn't mean that it isn't for others. Car manufacturers aren't going to change something for no reason unless people actually want it.
This is of course not limited to cars or even this type of key fob, but instead, anything that uses transmitter power as a proxy for distance/proximity, and that transmitter power has any chance of being signal boosted within reasonable means.
The only true solution is to stop using transmitter power as a proxy for proximity when houses/etc are not opaque to that signal.
Instead, use something that the house is effectively opaque to for the distance part of it.
I.e. include an ultrasonic receiver in the keyfob, transmitter in the car and require it output the distance to the car.
(or something, I'm just spitballing)
The problem is almost certainly the power requirement.
I work at a very large OEM. We've run the numbers, and key fob exploits are _extremely_ rare. (most) Modern keys use rolling keys that are verified by the ECU, making cloning (let alone initial pairing) extremely time consuming. However, Keyless-go key fobs _can_ be captured and replayed (not necessarily exploited). 99.99% of the time that cars are stolen (which we find much more common in Europe due to small jurisdictions), someone will break a window, steal your keys, and drive your car away.
(wireless) Key fob capturing and replaying require far more equipment than NFC PVC card (credit card) cloning.
Your original comment is that cloning is nearly if not entirely nonexistent. Of course it has advantages. But it's difficult and doesn't happen in the real world. What happens is replaying. Which isn't difficult.
So besides relaying the key, you can just hack via the CAN bus. There's also a trick to use a second ECU to bypass the immobilizer, but that's probably too time consuming.
Many manufacturers (inc. Toyota) also allow bypassing immobilizers and other features using TechStream and a maintenance tool. If they claim you have to buy a new ECU if you lose your master keys, call bullshit: https://attachments.priuschat.com/attachment-files/2015/10/9...
Probably via some trick that put the car into service mode. There's a gang in Warsaw that specialises in Toyotas.
I know late 2000s Rav4s could be stolen by thrusting a wire through the left-front mudguard and disconnecting something (not sure what) inside this way. There's a clip of a Russian demonstrating this technique somewhere on YouTube.
I already put mine in a metallic bag for the night, or just press the "lock" button twice which disables the keyless entry system entirely.
Manufacturers really need to hurry up and implement more accurate timing detection in the keys - it should be absolutely trivial to detect how far away the key is based on the response time, but for some reason manufacturers don't do this yet.
Edit: I also know people who take the exact opposite approach with their expensive vehicles - they leave the key in plain sight near the front door, so if someone wants to steal the car using this method they can do so without entering the house, or if they do break in they will (hopefully) take the key and leave, without threatening and possibly harming their family. I'm not sure which way is better - preventing the thief from stealing your vehicle and risk that they will then decide to break in and get the key from you, or let them steal it and just deal with insurance later.
«it should be absolutely trivial to detect how far away the key is based on the response time»
It's not possible. A keyfob has a relatively slow R/F communication channel, less than 1 Mbit/s (at best) because it's constrained by power. Thus the "length" of a bit transmitted over the air is 300 meters or more. The receiver needs to demodulate "300 meters" of R/F signal to recover a single bit. A difference of +/- 10 meters when these thieves boost the signal across your front yard is therefore indistinguishable from R/F noise and not demodulable by the receiver. You can visualize this as a 300 meter bit that has a noisy beginning and a noisy end.
That's why the distance-bounding techniques (term we use in the field) used by car manufacturers are instead pretty primitive, such as measuring the strength of the R/F signal (which is easily defeated by a proper signal booster.)
It is absolutely possible. As I wrote elsewhere in the comments, you need to use radios with timestamping that can measure the distance (10cm accuracy is achievable). See for example Decawave DW1000 radios.
Use those and you can base your distance estimation on time measurement, rather than signal strength. Amplifiers won't help.
Nope, DW1000 can't work in an adversarial scenario.
Their ranging algorithm critically depends on the receiver time-stamping the "leading edge" of the first bit of the first byte of the PHY header. This bit is either always 0 or always 1 (it's part of the 802.15.4 data rate field), so an attacker can easily cheat by preemptively sending a 0 or a 1 just before the signal booster can relay the first legitimate bit from the keyfob. This legitimate bit will be received (by the booster) while the preemptive bit is still being transmitted, so the booster can smoothly transition to sending the subsequent legitimate bits, and the receiver will have been completely fooled that the keyfob is nearby.
DW1000 is nice but it only works in scenarios where both transmitters and receivers are being honest to each other.
Is there any reason that keyfobs couldn't use 2.4 GHz (aside from cost)? Apple claims to be detecting if your Apple Watch is close enough to unlock your computer using Bluetooth at that frequency. Bluetooth LE also seems to claim battery life that is competitive.
BLE beacons do a crap job of detecting distance and battery life is just OK (a few months typically). BLE can obviously be used to differentiate between in-range and out-of-range which is useful for some applications but you can't really use it to measure distance more granularly.
> it should be absolutely trivial to detect how far away the key is based on the response time
Is that true? Accurate, very low power distance detection has a lot of potential applications (e.g. your phone straying too far away) but BLE (for example) doesn't really work for measuring distance--through signal strength--at all. If it's possible, I'd be very curious how to build such a distance detector.
I think the timing method relies on a challenge response. In short, one side sends something and the other side expects a reply within some amount of time.
If you just simply add distance to the system with no additional overhead, the time it takes for the ack should go up by a measurable amount of time.
And if you did anything more -- like some of the systems do today -- where they make a generic pipe that pipes it over the internet via LTE and back -- then for sure we would have an ack way out of the time tolerance.
To my knowledge most of these systems work by using some sort of out of band transmission over other wireless means such as WiFi/LTE/or simply another band.
The second method they use has to do with rolling codes. Where they jam the signal and intercept your keyfob code, preventing it from reaching the car. They store this and when the target realizes they did not actually lock/unlock the car they attempt to unlock it again. This time they jam the signal from the keyfob to the car, but replay the code they intercepted the first time, saving the last code sent from the keyfob for later when the target is not around. This method works for more than just cars, it can be used for most rolling code systems.
Apparently UWB [1] is being touted as the solution to determining indoor ___location given that BLE and WiFi based on signal strength don't really work well. But development is still ongoing.
I used some Decawave UWB hardware years ago and even in somewhat complicated environments (though walls, multipath, other RF stuff going on) they were accurate within 5-10%.
If you are processing data with nanosecond precision (which is not difficult with modern microchips) then you can tell the distance to the key by just measuring the number of nanoseconds elapsed since the request was sent (accounting for the amount of time taken to calculate the response). If you can measure the time in nanoseconds that's good enough to tell the difference between the key being 1m and 10m away.
I think that assumes that all the processing the key fob does internally is reliable constant-time down to the nanosecond. I don't know if that's true but my first guess is that it's doubtful.
Well, those chips are designed for this one purpose and nothing else - it should be possible to design them in such a way that the encryption/decryption process always ends in constant time.
I know how the mechanism would work. I am just not aware of what hardware would be needed to support this type of digital tether using only a small battery for perhaps a year.
I don't think it's the distance really, it's the relaying and the additional steps that add latency. If the data rate is low, and the data is not trivially small (i.e. over some 10s or 100s of bytes), you are in the milliseconds area, which should be very easily tracked.
Perhaps if the keyfob needs to do some additional conditioning on the data (e.g. some decryption+encryption), or is very slow, the extra overhead of the relay is small in comparison.
I don't know how the keyfob conserves power, but I guess some kind of duty cycling of the radio, in which the first wake-up latency of the keyfob is not necessarily known beforehand. But, just send a few packets back and forth and get the overall latency and it should be able to determine if a relay is used.
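An added toy model, not code from any commenter, of the round-trip timing check discussed here and the jitter concern raised earlier in the thread: it shows why a min-of-N filter over several round trips can expose the microseconds a relay adds, and how many round trips millisecond-scale jitter would demand. Every number (turnaround, jitter, relay delay) is an assumption for illustration, not a measurement of any real fob.

```python
# Added example, not code from any comment in this thread: a toy model of
# round-trip distance bounding. All numbers (turnaround, jitter, relay
# delay) are assumed for illustration, not measured from real fobs.
import math
import random

C_M_PER_NS = 0.2998  # speed of light, metres per nanosecond (about 1 ft/ns)


def round_trip_tof_ns(distance_m):
    """Ideal round-trip time of flight for a fob distance_m away."""
    return 2.0 * distance_m / C_M_PER_NS


def sample_rtt_ns(distance_m, turnaround_ns, jitter_max_ns, relay_delay_ns, rng):
    """One measured round trip: time of flight, plus the fob's fixed
    turnaround, plus non-negative jitter (wake-up/interrupt latency, modelled
    as uniform), plus whatever delay a relay inserts (0 when there is none)."""
    return (round_trip_tof_ns(distance_m) + turnaround_ns
            + rng.uniform(0.0, jitter_max_ns) + relay_delay_ns)


def estimate_distance_m(rtt_samples_ns, turnaround_ns):
    """Min-of-N filter: jitter only ever adds delay, so the smallest sample
    is the one closest to the true time of flight plus turnaround."""
    flight_ns = max(min(rtt_samples_ns) - turnaround_ns, 0.0)
    return flight_ns * C_M_PER_NS / 2.0


def expected_jitter_error_m(jitter_max_ns, n_samples):
    """Distance overestimate left after min-of-N filtering: the expected
    minimum of N uniform(0, J) samples is J / (N + 1) nanoseconds."""
    return jitter_max_ns / (n_samples + 1) * C_M_PER_NS / 2.0


def samples_needed(jitter_max_ns, target_error_m):
    """Round trips needed before the jitter-induced error drops to target."""
    return max(math.ceil(jitter_max_ns * C_M_PER_NS / 2.0 / target_error_m) - 1, 1)


def relay_suspected(distance_m, turnaround_ns, jitter_max_ns, relay_delay_ns,
                    n_samples, max_distance_m, seed=1):
    """Take n_samples round trips and refuse the unlock when the filtered
    distance estimate exceeds the allowed radius."""
    rng = random.Random(seed)
    samples = [sample_rtt_ns(distance_m, turnaround_ns, jitter_max_ns,
                             relay_delay_ns, rng) for _ in range(n_samples)]
    return estimate_distance_m(samples, turnaround_ns) > max_distance_m


if __name__ == "__main__":
    # Tight silicon: 10 us turnaround with up to 50 ns jitter, 32 round trips.
    print("honest fob 1 m away flagged:",
          relay_suspected(1.0, 10_000.0, 50.0, 0.0, 32, 10.0))
    # A relay that demodulates and re-transmits adds microseconds, not ns.
    print("relay adding 2 us flagged:",
          relay_suspected(1.0, 10_000.0, 50.0, 2_000.0, 32, 10.0))
    # With 10 ms of jitter (the earlier comment's worry) the filter needs an
    # absurd number of round trips to get down to metre resolution.
    print("round trips for 1 m at 10 ms jitter:",
          samples_needed(10_000_000.0, 1.0))
```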
If you are measuring response time in nanoseconds then you have enough precision to tell how far away from you the key is, down to a metre. Even at the speed of light, the signal will travel slightly longer if the key is 10m away from you compared to a key that is 1m away from you.
> I also know people who take the exact opposite approach with their expensive vehicles - they leave the key in plain sight near the front door
This seems like the best strategy to me. If you have a desirable vehicle and someone decides to break into your house to get hold of the keys they're going to turn the place upside down trying to find them. If you're in at the time you're also putting yourself in a lot of danger.
Just leave the keys by the front door and let the insurance deal with it.
Criminals seeking to commit property crime generally go to great lengths to avoid possible confrontations with people. Stealing one more BMW that week is not worth the risk of a 9mm hole in your chest. Breaking into someone's home when you are all but sure they are there (because their car is in the driveway and you want their keys) is just begging for a confrontation. Someone breaking into your house with the expectation of a confrontation with you is probably after more than just your keys.
People whose threat model does not include home invasion can generally leave their keys wherever is convenient in their home with immeasurably little additional risk. If you feel your threat model includes home invasion then where your keys are is the least of your issues.
A few years ago, a local hospital reported a suspiciously bad hand injury to the police.
It turned out that the patient had committed a home invasion, only to be greeted by a homeowner wielding a replica katana. The invader tried to defend himself by holding the blade...
I can easily see that situation becoming lethal to the invader if the homeowner really wanted it to.
Another commenter describes the key handshake. The car emits a high frequency wake-up signal, the key receives the signal and emits a low frequency unlock code. It is hard to restrict the time of the unlock code because its low frequency limits the accuracy of your clock.
Could you honeypot the car's wake-up signal? If the car detects a delayed broadcast of its wake-up signal it could trigger an alarm or disable keyless entry. The high frequency signal will have lower tolerances for a timing check.
Or car makers can provide Honeypot keys. If the key receives a wake up signal it can alert the owner and disable keyless entry. The owner would put the Honeypots where they don't want their keys to activate.
> Could you honeypot the car's wake-up signal? If the car detects a delayed broadcast of its wake-up signal it could trigger an alarm or disable keyless entry. The high frequency signal will have lower tolerances for a timing check.
If the repeater is directional / shielded on the side toward the car, I'd think it would be impossible to distinguish echoes of a repeated signal from normal echoes.
But people still blindly trust carmakers to make reliable and difficult-to-hack, fully software-based self-driving vehicles with always-on internet access.
They can't even secure the thing that directly unlocks your car and enables thieves to steal it.
It is a legitimate point to a degree, vehicle makers have a long track record of terrible software, and now they want to go headlong into one of the most complicated software projects ever attempted by man.
It will be interesting to see how legal liability shapes up with self-driving.
That this vulnerability is being exploited in the wild isn't particularly new news, is it? Perhaps it is the fact that I live in the Bay Area, but I was walking with a home made Yagi (directional) antenna that I normally keep in the camper for picking up distant WiFi signals and the police noticed enough to stop and ask what was up. It does make me wonder if carrying around an SDR will get you in trouble at some point :-)
Car makers should use frequency/channel hopping rather than time of flight until doing time of flight gets cheaper. The car and fob would also broadcast on frequencies/channels that are not in the preshared set to detect someone trying to amplify.
The hopping pattern should be derived from a good cryptographic protocol that also contains mutual attestation.
To you and me, changing the batteries in a key fob isn't a big deal. But more than once I've seen people walk into the auto dealer's repair center because their fob stopped working, and all the tech did to repair it is replace the battery.
(If you think that sounds stupid, I work in healthcare, and we have employees who spend a surprising amount of time teaching people how to put AA batteries in their blood pressure and other medical gadgets.)
A good solution to that problem are UWB radios with timestamping (like the Decawave DW1000), which let you measure the time it takes for the signal to travel. You can then place physical limits on the proximity, rather than assuming that a strong radio signal means proximity.
Coupled with a cryptographic authentication protocol these solve the issue quite nicely.
It looks like the chips are about $10 each. That's quantity 1 but it's also just the radio IC. It's not immediately obvious what the power draw would look like in an application like this as the sleep mode draws far less power than when it's operating. There is an open source project based on the chip. https://github.com/lab11/polypoint
What I'd really like to be able to do is to wirelessly tether a Tile-like small long battery life device to a band (or watch) I wear with user configurable distance settings but it doesn't look like the tech is quite there today. UWB does seem to be the current approach you'd take though.
I've been surprised that no vendor has put a motion/vibration sensor in their keyfobs. I know they're pretty power constrained in keyfobs, but it seems like a pretty sensible protection to require the fob to be not sitting still on a table to do a proximity-only unlock.
Shower thought: make a system where you unlock and start your car using your iPhone’s Face ID or Touch ID, and you can drive the car via the phone, like in Golden Eye. That would be really cool. I don’t care about security. It just sounds really cool.
I'm convinced that time of flight analysis could solve this problem, and many others. If someone could beat that, then they deserve much more than just a new car.
I've currently got a blockchain "proof of proximity" idea on one of my back burners.
I've tested a couple of things to see if they would block the signal by putting the keys in the container and then standing next to the car and trying to open the door.
Kids' lunch box would not block, small metal garbage can would not block, cookie tin would not block. All would block if you lined the edge with aluminum foil before putting the top on.
Foil-lined potato chip bag would block.
Wrapping in enough aluminum foil will block the signal.
Those faraday bags are convenient, but I park in the garage so I'm not that worried. Garage door openers now have lock switches which prevent the door from being opened using any opener.
Both my Audi Q5 and my roommate's Q5 mysteriously opened their trunk a few times when parked close to our home. Now I dare not park it very close to our home, assuming the issue is from the key fob.
Not to be pedantic, but wait, what about the security by design concept? It is at least astonishing that you implement a functionality without any thought to how to protect it ...
I’m honestly more amazed that there is enough of an economy for someone to design such a device and market it (ditto skimmers). I wouldn’t even know where to look for such a thing — alibaba?
This is ridiculous. I never understood why it's THAT needed for a keyfob to open a car by merely being close to it. Whatever happened to key fobs you had to PRESS to open a car?
I think it's the fault of the municipal government of Toronto. I mean really, if you nickname your metropolitan area "the GTA", what do you think will happen?!!
Measure how far away your car unlocks, then keep the keys as far from external walls as that.
But to be honest it's easier to keep them in a metal box that shuts properly. That's what I do (although my fob still needs interaction, so I should be a bit safer, in theory).
Also consider that keyless cars actually still have a way to enter, be it physical or remote: garage-supplied universal keys and software. VWs for example have an old-school keyhole under a thin plastic bit on the door, so that garages can access it when you lose the fob.
Easy fix: a thing called a "button" that you press before it broadcasts the private key. Even better, also broadcast a different key each minute, like GA
No, but it will unlock from just (apparent) proximity, which allows the thief to enter the vehicle where they are then able to push the "Start" button. Again, the car will think the key is present and will start. At that point, the thief can stop the signal relay and the car will keep running without the key being "present".
It's not entirely clear from the article and conversation, but they're talking about passive FOBs that use the (presumed) proximity of the FOB to unlock the doors and allow the ignition button to work. These were created to stop you from having to physically dig out your keys.
If you need to push the button to unlock this won't work, but they could still smash a window and then relay attack the ignition. Challenge would be determining prior to the break-in if the FOB is close enough to relay. Plus the most vulnerable cars tend to be the most expensive. From the article I'm a little surprised the RAV4 has passive entry.
Well I'm not sure that recommended solutions are better than the one I use. Just turn this feature off and use my car keys as normal (lock/unlock button).
I'm sure the cars in these break-ins are like that too. The remote fob is inside the car, but they have an RF relay outside the car which proxies the keycode to the one inside the car.
The attack uses 2 antennas. One next to the keys and one next to the car. It transmits the signal from both sides. The car thinks the key is inside/near.
Triangulating it won’t help. It thinks it’s there.
Why are these fobs constantly sending a signal? Just make it so that the holder of the key has to push a button to open/start and this attack becomes much more difficult.
According to Bates, many of these thieves are using a method called "relay theft."
Key fobs are constantly broadcasting a signal that communicates with a specific vehicle, he said, and when it comes into a close enough range, the vehicle will open and start.
"The way that the thieves are getting around this is they're essentially amplifying that low power signal coming off of the push start fob," he said.
"They will prey upon the general consensus that most people are leaving their key fobs close to the front door of their home and the vehicle will be in the driveway."
The thief will bring a device close to the home's door, close to where most keys are sitting, to boost the fob's signal.
They leave another device near the vehicle, which receives the signal and opens the car.
Storing the keyfob in a faraday bag blocks the signal and prevents the relay attack from working.