Hacker News
Vulnerability in Honda's Remote Keyless System (github.com/nonamecoder)
436 points by belter on March 25, 2022 | 193 comments



I wrote another comment saying I couldn't reproduce but since this is on the front page, I do have a lot of questions for the authors of this CVE. Under their "prevention" section they say manufacturers should use rolling codes. This implies these FOBs don't use them, but per my previous understanding, they do.

Perhaps there is more to the setup of this CVE than they're talking about. Is it possible they're doing a rolljam attack + replay?

The CVE is really scant on details, so while I believe they did manage to get this to work, they don't really say how.

If rolling codes are implemented, it should be pretty simple with the right gear to prove it.


"...To better understand the impact of this vulnerability and Honda's plans to address the flaw, BleepingComputer reached out to Honda.

Honda told us, multiple automakers use legacy technology for implementing remote lock-unlock functionality, and as such may be vulnerable to "determined and very technologically sophisticated thieves."

"At this time, it appears that the devices only appear to work within close proximity or while physically attached to the target vehicle, requiring local reception of radio signals from the vehicle owner's key fob when the vehicle is opened and started nearby," a Honda spokesperson told BleepingComputer.

Note, in their statement to us, Honda explicitly mentions it has not verified the information reported by the researchers and cannot confirm if Honda's vehicles are actually vulnerable to this type of attack.

But should the vehicles be vulnerable, "Honda has no plan to update older vehicles at this time," the company tells BleepingComputer..."

https://www.bleepingcomputer.com/news/security/honda-bug-let...



Yes, saw that. Also emailed the author of the GitHub repo on the original post, asking for tips on how to reproduce, but got no reply yet.


Still no reply. I guess I will not get one.


Since there are various values attached to getting a CVE published, they just aren't always of the highest quality. Lots of "vulnerabilities" which are actually impossible to exploit or irrelevant in other ways in a real attack scenario, other low quality or misrepresented issues like we might be seeing here.


Definitely hard to believe a 2020 Honda is not using rolling codes.


Pretty sure that even my garage door opener used rolling codes back in 1995...


I remember watching the news like 20 years ago about garage doors where thieves were buying universal door openers and driving down the roads pressing the buttons to find houses where it opened to rob them.


Garage door openers often last 15-20 years, so I wouldn’t be surprised if that were true, but a new system in 95 would definitely include them.


CVE-2022-27254 has a reference to this post, which is a strange recursion...


2017 and 2018 vehicles. That's pretty surprisingly recent!

I understand that, in general, door locks aren't considered to be very high-security in vehicles: doors can be opened in other ways. But remote start is a very big deal. Article doesn't mention whether the car prevents people from driving away after it's been started. I would have loved to see a portion of the video where they tried to shift into D and move the car.


Once you get the door open you can usually plug a programmer into the OBD-2 port under the steering wheel and pair a new key fob, then drive away.

Back in the day it was pretty easy to get the door open like this

https://www.wikihow.com/Use-a-Slim-Jim


There was a limited time window in the early 2000s where many cars used only obfuscated access or a cryptographically insecure PIN code for key enrollment, but most modern cars use an attempt at cryptographic security with a centralized server.

If you want to see what's possible with modern cars, keywords like "VVDI" or "Abrites" and "All Keys Lost" will show you what aftermarket tools are capable of. Generally speaking, the capabilities in these tools are roughly equivalent to those the most sophisticated criminals have, as they're usually just stealing the techniques from one another in a big circle.

The level of security varies heavily from manufacturer to manufacturer.

For example, most modern VW cars require using an ECU exploit (which depending on the specific ECU, almost always requires physically removing the control unit and sometimes requires opening it) to extract encryption key data (CS/MAC) or physical extraction of the instrument cluster EEPROM.

However other manufacturers like Toyota seem to be more vulnerable to other exploits (I only research VW for the most part, so I frankly have no idea what's going on here), including a bizarre process which seems to require disassembling the steering column and unplugging a connector.


I look at the enrollment problem on Zigbee networks and similar things and it's hard for me to resist the conclusion that the most practical architecture is to have a private key in the hub and a private key in the device and have these authenticate against a central server and have the central server give them both a shared key -- as much as people hate the central control, lack of interoperability, etc.


I think people hate mandated central control. Designing a system that is opt-in, and otherwise degrades gracefully to a reasonable state of functionality will win a lot of fans.

Automobile companies won't do that however, they'll serve you subscription spyware/adware laden services and you'll have no choice.


Car thieves don’t go out to program new keys on the cars they want to steal, they just lift them with a tow truck. Quick, easy and nobody suspects anything.


Here in Chile (South America) they will block the road, put a gun to your forehead and shoot if you don't get out.


Does stealing a car without threatening violence have a lower penalty if you get caught? I've always wondered why you get pickpockets in Europe and muggings in the US.


I suspect severity of sentences has less impact than availability of handguns; much harder to get them in Europe.


Who said anything about guns? Knives or pipes are plenty common, and in some cities it's simple overwhelming numerical superiority. One friend told me of being mugged by ten or so adolescents who were not fully grown or armed. But apparently quantity has a quality all its own. Another friend was in Madrid when pickpocketed, and ran down the thief and used force to retrieve it. He was later told by locals that if he had been seen by law enforcement his penalty would have been much more severe than the thief's. That is all anecdata, but something cultural or something in policy seems a more likely culprit. Some South American cities have pretty tight gun laws too, don't they?


Some South American areas have an awful lot of guns. An ESL student from Colombia told me that he feels a lot safer in the US.


In the USA, the answer is generally, yes. Using a gun to commit a crime can add 5, 10, 20 years to the crime. For instance, murder in Illinois is a 20-year minimum sentence, but 45 year minimum if committed with a gun.


That is assuming murders get caught, convicted and sentenced.

"Among the nation's largest cities, Chicago stands out for both its high murder rate and for the number of its murders that go unsolved. In recent years the police have been solving about 4 of every 10 murders in the city, but police data show the rate is even worse when the victim is African American."

See https://www.npr.org/local/309/2019/10/09/768552458/chicago-s...


I agree that diagnostic-port reprogramming at the point of theft is uncommon (although absolutely not unheard of).

I'm not sure what the effect of that observation is, though - key and immobilizer security is extremely important still, because cars which are stolen by any mechanism (tow, stolen key, transponder relay, etc) then need to be resold or broken down for parts. Especially in Europe where control module security is generally both more robust and more insurance regulated, many parts on a stolen vehicle are increasingly not valuable unless the immobilizer / key enrollment system can be bypassed.


This has the added advantage that once the front of the car is lifted past a certain point the car assumes it's being legitimately towed and disables its alarm...


Unless the victim has a GPS tracker installed on the vehicle.


But that would track any kind of theft. Most cars do not have that kind of tracking built-in and I would guess that most new cars don't have it either. If you could get the car into a shipping container asap, it might be enough shielding to block GPS or the cell signal for tracking the car and then it's off to some other country where the SIM card won't work before cops could catch up.


Most new cars do have GPS and cellular built in, at least in the US.

For example, here they market it as a way to find where you parked: https://www.ford.com/support/how-tos/fordpass/getting-starte...


Some trackers use roaming SIM chips like 1NCE. The thief could also use a jammer or a conductive cloak. A shipping container is kind of a stretch.


Do you have a citation for this? In my experience, pairing a new key requires either providing a cryptographically signed certificate or having an existing paired key within range before a new key can be added.


There isn't much citation needed; it's common practice at many dealerships for certain eras of cars.

The 90s era Hondas up to about 2001 use various key-turn rituals to enroll/program keys into the immobilizer; the later ones use the Honda HDS system, which is just a specialty Toshiba/Panasonic ToughBook with an OBD dongle and special software.[0]

I've enrolled keys myself for my 04 BMW with bootleg 'BMW MODIC' and 'BMW Rheingold' software packs pirated from The Pirate Bay.

You don't need existing keys for either system.

The trick (used to be) at the time that BMW keys were difficult to cut, and the key cutters were well controlled. This isn't the case any more, and in reality if a key was the deterrent you could always just program an immobilizer chip from another key, tape the key/chip to the column, and then use a pry bar and screwdriver to break the key tumbler and turn the switch without a key. This is neither rare nor hard to do -- and it used to be the de facto way to steal pre-immobilizer Hondas (breaking the column/tumbler, that is).

It was common enough that an in-joke at the Honda dealership I worked at was that a flathead screwdriver could be referred to as a 'lazy CRX key', a majority of those era cars encountered were so worn that a flat head would turn most of their tumblers by the time I got to work on them.

[0] : I was a Honda tech from 07ish to 09ish


I used the key from my 84 Accord to get into my 98 Integra when I locked the keys in it. Similarly, my 89 Accord would unlock using pretty much any other Honda key. One day, I locked myself out of my 81 Accord... but it uses the short, old school style Honda keys, so I didn't have another car to take keys from to try... so I called a locksmith. He comes out and goes "Oh I haven't done one of these in a while..." pulls a blank key out of his toolbox, sticks it in the door tumbler, and opens it right up.

So now I have an 80 and an 81 Accord... and I have also interchanged keys between them. The 80 doesn't open as easily, as I think it's less worn out. But there's practically no security on these old Hondas.


Doesn't HDS require you to obtain a number from the car's ECU, then pass that into an Internet-connected HDS terminal where you have to sign in with your dealer and technician credentials, so you can put in a request for another number from a Honda server somewhere for you to input back into the ECU in order to program another transponder?


Cars with key fobs are easily stolen and shipped overseas by programming a new key fob.

https://www.cbc.ca/news/canada/marketplace-car-thefts-1.6396...


> Do you have a citation for this?

I don't think it was limited to Chevies.


Come for the car vulnerabilities and stay for the Chevy Citation jokes.


It’s a legal requirement. Or at least it used to be; maybe they realized the loophole it opened up. To allow third-party shops to issue new keys, preventing official dealers from charging usurious fees for giving you back access to your own car if you lose your key.

Right to repair has two sides of the coin.


I was in the situation of trying to "steal" my own car after a cat knocked the keys in the trash without me noticing.

I could get in the car, but with the security system enabled it was not possible to program a new one without a currently working chipped key, unless the dealership did some, I think, cryptographic pairing of a new key to the car.

After buying a replacement key, I could start the car, but it would shut itself off after one second; I tried many things with many scan tools before giving up and getting it towed to the dealer.

There might be some sort of cracked tools out there but I was not able to find them, or get a straight answer if the very expensive software packages out there could actually solve the situation.


I'm on the fence about this sort of security. Do we really really want to make things completely locked down to the point that the manufacturer can close up shop and leave you totally screwed, in the name of "security"? I see that argument pushed a lot when it comes to computers and building stuff the way Apple does - soldering everything down lol.

Would you rather a car where you could reprogram the keys yourself with a small chance it might be stolen? Or a car where if the keys get damaged you have to spend several thousand replacing all of the computers?


Why are the two options "manufacturer has exclusive control" and "insecure"? The manufacturer could just supply the access code to the purchaser when the car is sold.


I like that it is hard. Moving forward I actually can set it up so I can program new keys from third parties, it just isn’t possible while the car is locked without a functional key. There are also ways to permanently bypass the security but I don’t really want to do that either, it’s nice that it’s very hard to steal.


I’ve been researching OBD-2 port physical locks, since I drive doorless most of the summer. Not much available.


Just rewire the pins and build your own jig that reverses it (or undo rewiring as needed).

Might be able to short the right data pins from behind to ground and rip that out as needed. Or a hidden switch that does that.


Rewiring the pins doesn't necessarily do much these days as there are devices which will figure out the input pinout and route signals to the proper output pins. Think of it as a MITM device.

A better way is to use a different kind of connector but you'll have to build yourself an adapter and to keep in your place or something.


Remember to put a standard-looking dummy OBD2 port where the original was, so any would-be thief has a convenient place to plug in their dongle.


I’m reluctant to mess with the wiring on a brand new vehicle; a lock would make me much happier.


Also reversing pins would be something that is very easy to forget - you end up shooting yourself in the foot!


Couple of vampire taps bridging together the right data lines to ground can be easily removed without too much evidence.

I understand a lock, but just have a hard time seeing how it would actually lock (well), especially as a universal device.


https://autocyb.com/shop/ is this the leading contender?


I don’t think I’d come across that one. It probably would be, but the website sends me to some 3rd party spam site every time I click a link.


Pretty sure their WordPress site is compromised, it tries to load a malware ___domain sometimes. I accidentally lost the ___domain off my clipboard, but my uBlock rules caught it once. It had the word 'great' in it.


May be worth trying Amazon-- it shows if you search there. Not going to give Bezos the satisfaction of the actual link to the product page, though.


Does the hood or hood latch lock? If so just disconnect the battery negative after parking. Anyone that plugs anything into the OBD-2 while you're gone is going to get an unresponsive system. I doubt they're going to take the time to troubleshoot, pry open the hood and reconnect the battery, etc.


Having to unlock and crack your hood every time you park takes away some of the coolness and convenience of a doorless Wrangler.


As a Jeep owner (an older one), get used to chasing electrical gremlins now and just put a battery kill switch on it. :)


Amusingly, you can and probably SHOULD lock a doorless wrangler. On a JL and even on the JK, the alarm system still locks out some functionality. And most people don't take the tailgate off, which when locked, kinda keeps people from getting at the little compartment under the cargo floor. It's not really an effective safe place, but just a neat thing.

You can also put a lock on the hood, which is a good idea since that way nobody can disable the security system lol.

Edit: Also of note, the JL wrangler uses an RFID chip for the ignition startup itself. It's separate from the rest of the keyless go system.


Could rig up a switch somewhere inside the car near the driver's seat pretty easily. I had an old motorcycle with some kind of electrical issue that would drain the battery if I left it off for more than a day at a time.

But instead of spending days and weeks chasing it down, I spent maybe $30 on a battery cover with a little hidden flip switch. It was originally designed for turning on (illegal in my state) under lights, but I modified it slightly and had the switch connected to the ground terminal instead, so whenever I got off the bike I'd flip the switch and boom, problem solved, no more dead bike.


Hood doesn’t lock, and the dual battery setup (for ESS) is much too failure-prone on my Jeep.


Don't all or nearly all modern vehicles use OBD-3?


There is no such thing as OBD-3 currently.

All cars sold in the US since 2008 use ISO 15765-4 OBD over CAN for emissions diagnosis, and almost all use ISO 14229 UDS for manufacturer/dealership diagnosis.


https://straighttalkautomotive.com/articles/have-you-heard-o...

The intent of OBD-III is to use some kind of wireless mechanism to notify the state that your check engine light is on. In California, for instance, you have to pass a smog check every six months, so people driving four months with a failed emission control system are contributing a lot of emissions.

It's been hung up forever because of privacy concerns, fears about rent seeking (being forced to buy a cell phone plan for your car), etc.

These sort of applications

https://www.nhtsa.gov/technology-innovation/vehicle-vehicle-...

are also hung up indefinitely because the cell phone industry is pushing "secure" solutions that involve cellular infrastructure but not promising to invest enough in their network to cover all the places you might want them. That and the rent seeking, privacy, etc.


> In California, for instance, you have to pass a smog check every six months

I live in California and you only have to do it every other year [0]. My car is almost 30 years old, not super well maintained, and it's never failed.

[0] https://www.bar.ca.gov/Consumer/Smog_Check_Program/FAQ


If your car has a check engine light on, you can also unplug the battery overnight, connect it in the morning, drive 40 to 70 miles in a mix of city and highway conditions, and take it immediately to the inspection station before the check engine light comes on.

There is usually a window between when the car will report there is not enough data to pass the emissions test, and when the car reports a failure of the emissions test. Maybe try unplugging the battery every night for a week and you can get a good idea of when you can get it inspected and passed.


Any scan tool can show "readiness" which is what occurs after the necessary amount of driving has been completed, so someone looking to do this can just watch for that instead of guessing. Shops like AutoZone will even let you scan for free if you don't have one.


Or just fix your car.


That's what most people do for a repeatable issue, but there are "gremlin cases" where a car in otherwise good repair will somewhat randomly set a MIL code.

Wife's 2005 CR-V will around once per year set P0325 (knock sensor, bank 1). I've replaced the knock sensor [twice], rang out the wiring, and checked/cleaned all the connectors. It's a 17.5 year old car with ~225K miles on it that sets a code once a year. It's not going to get any more fixed than it already is.


Catalytic converters are an expensive fix. It might not be worth it to fix the car.

Alternative option is to sell the car to someone in a state that does not require emissions testing.

Also, if someone steals your catalytic converter, and there is not much damage, it is possible to “straight pipe” it for cheap and just not put in a catalytic converter. Although, I would assume inspection stations have cameras or mirrors where they can see the bottom of the car, so this might only be worth it in states that do not do inspections.


Not sure which particular protocol(s), but OBD-II was generally required for all cars from 1996 up in the US for emissions testing purposes.


Prior to 2008, OBD-II had several allowed wire protocols - SAE J1850 PWM (Ford), SAE J1850 VPW (GM), ISO 14230 KWP2000 (most other vendors), or ISO 15765 (OBD over CAN). In 2008, the US requirement switched to exclusively ISO 15765 OBD over CAN.


My 2017 and 2018 vehicles have OBD-II


I would be shocked if OBD-2 is used for any key programming. They're almost certainly using a CAN bus (modern cars have both, OBD-2 strictly for legacy emissions testing and multiple CAN buses for everything else). Not that a CAN bus is any less accessible or more secure, but in almost all cases to do anything non-trivial over CAN like key programming requires the $20k dealer computer system (which is specific to every manufacturer and sometimes even model of car) or some serious reverse engineering chops and weeks of time to figure it out.


The OBD port exposes diagnostic interface on most cars, either K-Line or CAN.

And indeed, many cars in the early 2000s supported key enrollment without cryptographic material using diagnostic tools, so it was only a matter of sniffing a dealership tool.

More modern cars from most manufacturers require cryptographic material from a central server to enroll keys. These systems are still often broken (look up XHorse for a popular product in this space) but generally require more in-depth physical access or complex software exploits to bypass the signing process or extract private key material from hardware.


My '05 Holden has multiple buses and I imagine every car of that era and beyond is the same. One is OBD-2 and accessible under the steering wheel. It _only_ has the mandated emissions equipment info connected to it, like oxygen sensor readings and such.

It has an entirely separate and different physical connector for a CAN bus, one in the engine bay and another under the driver seat IIRC. This one has all the goodies--locks, entertainment system, full engine diagnostics and sensors, etc. I actually have the full factory service manual for the car and key programming is only possible with GM's tech 2 computer system connected to the CAN bus, not OBD-2.


This split-connectors model is actually quite uncommon. Many newer cars have either a single CAN bus, a "Gateway" module which bridges Diagnostic CAN accessible through the OBD port to the various CAN buses used inside of the car, or Ethernet / DoIP exposed over "unused" pins on the OBD connector.

For example, on modern VW AG cars, key programming is performed over the OBD connector, using specific UDS readLocalIdentifier and writeLocalIdentifier requests, but the data involved in the Immobilizer is both signed and encrypted using secret keys on a VW server (called FAZIT) over a subscription system called GeKo. The dealer diagnostic tool essentially sets up a tunnel over UDS between the Immobilizer software module in a control unit and the FAZIT server.


I'm in the industry and most cars 2008-2017 or thereabouts have multiple CAN buses exposed on the OBD2 port. One (powertrain CAN) on the regulated 6/14 pins which is guaranteed to answer the emissions messages but probably exposes other stuff too, and then others (body CAN, infotainment CAN, etc) on other pairs of pins.

Post-2018-ish, they tend to have a gateway module, and accessing anything interesting requires you to get into the wiring "behind" the gateway where all the internal buses are. But that's also trivial, in most cars it takes about 20 seconds once your wrist knows the way.

> requires the $20k dealer computer system

Or knowing the messages it sends. It's only $20k because it can be.

> or some serious reverse engineering chops and weeks of time to figure it out.

Which someone then packages into a $500 car-stealer they sell on aliexpress and then all the criminals have to do is buy that thing and push a button.


I believe he meant the physical OBD-2 port.

As an analogy: One can access a computers PCI bus over the Thunderbolt / USB-C connector, given the correct situation.


Remote start just turns on the car but you're not able to drive. Driving requires the key to be near; that's the PKE system referenced in the article.


README says 2016-2020 vehicles affected. Where are you getting 2017 and 2018 only?


That's what the two CVEs specifically mention, didn't see the README.


Typically as soon as you touch the brake pedal (which is required to shift from park in an automatic) the engine will cut if the key is not present.


Remote start can be used for homicide by starting a vehicle parked in a garage and letting the carbon monoxide flood the house and kill all occupants.


My cars have a remote start timer where the cars shuts down after a period of time. That would be a crazy crime... hide in the bushes for an hour or two continuously restarting the car every 10 minutes.


We have a 2019 Honda Pilot. The remote start will work for two 10-minute cycles, but then it will not work again until you start it via the primary ignition switch inside the vehicle. Other manufacturers may differ on this behavior however.


Step 0.5, break in and disable all the CO detectors.


This assumes the target's attached garage is part of the conditioned space making up the rest of the home (i.e. that there's no air sealing around the door between the house and garage, but the garage door itself is perfectly sealed). That would be a pretty spectacularly bad house design.


Old houses can be pretty leaky between the garage and living space. Or doors can be left open. But many vehicles’ remote starters have a timeout exactly for this specific safety concern. Between this and modern catalysts, remote starting a car in the same room as you isn’t even likely to kill you.



Hi all, the POC does not use a rolljam attack + replay. It is solely based on the replay attack. Unfortunately, these key fobs do not implement rolling codes. I had tested the same on the 2022 Civic and it does seem to have rolling codes, but the 2018 does not. I highly recommend that you test out the same vulnerability using GNURadio; the reason why I cannot explain every step is due to the fear that this could be used with malicious intent. Please note that you CANNOT drive away with the vehicle since that relies on the PKE system, which is separate. As someone pointed out, it could be possible to drive the car using other methods, but this exploit solely focuses on the RKE. I would be more than happy to explain and clarify any doubts, you may email me at [email protected] :)
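The distinction the author draws above (a replay works only because the fob sends the same bits every time) is easiest to see with two toy receivers side by side. This is an added illustration, not code from the Honda fobs or from the PoC repository: the frame layout, 4-byte serial, HMAC-SHA256 tag, 16-press resynchronisation window and the key are all constructed assumptions. Both receivers are fed a frame recorded from the owner's press and then that same frame a second time; only the rolling-code receiver notices.

```python
"""Fixed-code vs rolling-code RKE receivers (added example, hypothetical design).

A recorded frame is accepted again by the fixed-code receiver, while the
rolling-code receiver rejects it because its counter has already moved on.
"""
import hashlib
import hmac

WINDOW = 16                              # missed presses the receiver tolerates (assumed)
SERIAL_LEN, CTR_LEN, CMD_LEN, MAC_LEN = 4, 4, 1, 8   # hypothetical frame layout


def frame_mac(key: bytes, body: bytes) -> bytes:
    """Keyed tag over serial||counter||command; a real fob uses a hardware cipher."""
    return hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]


class FixedCodeFob:
    """Every press transmits identical bits, so any capture is a valid frame."""
    def __init__(self, serial: bytes):
        self.serial = serial

    def press(self, cmd: bytes) -> bytes:
        return self.serial + cmd


class FixedCodeReceiver:
    def __init__(self, serial: bytes):
        self.serial = serial

    def receive(self, frame: bytes) -> bool:
        return frame[:SERIAL_LEN] == self.serial


class RollingCodeFob:
    """Counter increments on every press and is bound to the frame by a MAC."""
    def __init__(self, serial: bytes, key: bytes):
        self.serial, self.key, self.counter = serial, key, 0

    def press(self, cmd: bytes) -> bytes:
        self.counter += 1
        body = self.serial + self.counter.to_bytes(CTR_LEN, "big") + cmd
        return body + frame_mac(self.key, body)


class RollingCodeReceiver:
    def __init__(self, serial: bytes, key: bytes):
        self.serial, self.key, self.last = serial, key, 0

    def receive(self, frame: bytes) -> bool:
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        if len(body) != SERIAL_LEN + CTR_LEN + CMD_LEN or body[:SERIAL_LEN] != self.serial:
            return False
        if not hmac.compare_digest(tag, frame_mac(self.key, body)):
            return False                                   # forged or altered frame
        counter = int.from_bytes(body[SERIAL_LEN:SERIAL_LEN + CTR_LEN], "big")
        if not (self.last < counter <= self.last + WINDOW):
            return False                                   # replay, or fob too far ahead
        self.last = counter                                # accept and advance
        return True


def demo() -> dict:
    """Run the same recorded-frame scenario against both receiver designs."""
    serial = b"\x00\x11\x22\x33"                           # constructed
    key = b"constructed-demo-key-not-real!!"                # constructed
    fixed_fob, fixed_rx = FixedCodeFob(serial), FixedCodeReceiver(serial)
    roll_fob, roll_rx = RollingCodeFob(serial, key), RollingCodeReceiver(serial, key)

    captured_fixed = fixed_fob.press(b"U")                 # owner presses unlock
    fixed_rx.receive(captured_fixed)
    captured_roll = roll_fob.press(b"U")
    roll_rx.receive(captured_roll)

    tampered = captured_roll[:-MAC_LEN - CMD_LEN] + b"L" + captured_roll[-MAC_LEN:]
    results = {
        "fixed_replay_accepted": fixed_rx.receive(captured_fixed),    # True: same bits
        "rolling_replay_accepted": roll_rx.receive(captured_roll),     # False: stale counter
        "rolling_tampered_accepted": roll_rx.receive(tampered),        # False: MAC mismatch
        "rolling_fresh_accepted": roll_rx.receive(roll_fob.press(b"L")),  # True: counter 2
    }
    for _ in range(WINDOW + 1):                            # fob pressed out of range
        roll_fob.press(b"U")
    results["rolling_out_of_window_accepted"] = roll_rx.receive(roll_fob.press(b"U"))
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:32s} {accepted}")
```

The last case is the price of rolling codes: after too many presses out of range the fob and car desynchronise and the receiver needs a resync procedure, which is the part real systems spend their complexity on.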


My dad had an early 1990s Renault Espace that used an IR remote opener with fixed codes. I know this because my best friend had one of those cool Casio programmable IR watches and we cloned the opening code from the Espace key fob, and the watch was able to reliably open the car years later… even after it had been sold to a neighbor, who, yes, woke up to find all his car doors wide open one morning after we were old enough to drink alcohol but also old enough to know better.


> Vehicles Affected: 2016-2020 Honda Civic(LX, EX, EX-L, Touring, Si, Type R)

I own a Honda model just prior to this date range — but I assume it's not necessarily the case that pre-2016 Honda vehicles used a more secure system? It may just be that they aren't specifically vulnerable to the exact same RF signal type as 2016-2020 vehicles?


Owner and modder of a nearly-classic Honda here. Yes, the older models have the same vulnerability. Please forgive the awful pun based on the author's mistranslated Japanese and focus on the technical part: https://github.com/HackingIntoYourHeart/Unoriginal-Rice-Patt...

(Honda does not mean "Original Rice Patty." It literally means "Original (as in older) Rice Paddy", but you wouldn't translate Henry Ford's surname as "Shallow River Crossing.")

Honda enthusiasts commonly store their cars in private garages, install hidden killswitches and avoid keeping items in their cars.


How can this not affect the Insight that is based on the 10th-generation Civic?

At least I always naturally follow the advice in the article: I use the passive entry system and I can't recall ever pressing the buttons on the fob.


How do you lock the car?


You can lock the car with the physical key, or lock the door with the interior button before closing it and it will latch shut.


Can you monitor the frequency 433.215MHz via GnuRadio with a standard RTL SDR DVB USB device?


Yes you should be able to, or with slightly more friendly software like gQRX or SDRSharp. It also looks like you can receive and decode the key signals using rtl_433[0] with option -R 64. Although it's a bit confusing looking at the source for the honda key rtl_433 decoder, as the author states it does not decrypt the rolling code.[1] According to the CVE there is no rolling code.

[0] https://github.com/merbanan/rtl_433

[1] https://github.com/merbanan/rtl_433/blob/master/src/devices/...


Yes. You can even listen to the warble of the codes. And those of my, well your, neighbors.

I did my own research (albeit not as far as this person) a couple years back and the 2018 CR-V is also vulnerable.


Maybe it's similar to the TPMS (tire pressure monitoring system) as talked about here: https://news.ycombinator.com/item?id=30619612


What you're looking for is RTL433[0].

[0]: https://github.com/merbanan/rtl_433


See also, from just 4 hours ago:

"Have a car with a push-to-start ignition? Here's how it could end up stolen and overseas"

https://www.cbc.ca/news/canada/marketplace-car-thefts-1.6396...


Instead of using a faraday pouch to prevent this kind of attack, I added a kill switch to my key fob, a few years ago, and still use it: https://www.youtube.com/watch?v=02M57GPix-4

The problem is that manufacturers are using strength of signal to detect keyfob proximity, which is, of course, defeatable with a (somewhat expensive) amplifier.

I wonder how hard it could be to measure response latency instead? That should solve the problem.

I thought about selling those for a while (and got a few requests), but realized I can't easily design them for the many kinds of key fobs out there. I suppose the manufacturers are not adding them themselves because that would hurt the image of "security" of these key fobs.
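The signal-strength versus latency question raised above can be put in numbers. This is an added example, not anything from a manufacturer's implementation: it models a proximity check built on RSSI (free-space path loss at an assumed 433.92 MHz, threshold assumed) next to one built on challenge-response round-trip time (assumed fixed fob turnaround and timing tolerance), and evaluates a fob at 1 m, a fob at 5 m, and a fob at 30 m whose signal is relayed through an amplifier. Gain can push RSSI over the threshold; no amount of gain can make the round trip shorter than the speed of light allows.

```python
"""RSSI-based vs round-trip-time-based proximity checks (added example, assumed values)."""
import math

C = 299_792_458.0            # speed of light, m/s
FREQ_HZ = 433.92e6           # assumed RKE carrier for the path-loss calculation
TX_DBM = 0.0                 # assumed fob transmit power
RSSI_THRESHOLD_DBM = -35.0   # assumed "fob is nearby" threshold (about 3 m in free space)
MAX_RANGE_M = 2.0            # assumed distance inside which unlocking is allowed
PROCESSING_NS = 1000.0       # assumed fixed challenge->response turnaround in the fob
TIMING_TOLERANCE_NS = 5.0    # assumed receiver timing jitter allowance


def free_space_path_loss_db(distance_m: float) -> float:
    """Friis free-space loss between isotropic antennas."""
    return (20 * math.log10(distance_m) + 20 * math.log10(FREQ_HZ)
            + 20 * math.log10(4 * math.pi / C))


def rssi_dbm(distance_m: float, relay_gain_db: float = 0.0) -> float:
    return TX_DBM - free_space_path_loss_db(distance_m) + relay_gain_db


def rssi_accepts(distance_m: float, relay_gain_db: float = 0.0) -> bool:
    """Strength-based check: anything that boosts the signal looks 'close'."""
    return rssi_dbm(distance_m, relay_gain_db) >= RSSI_THRESHOLD_DBM


def round_trip_ns(distance_m: float, relay_delay_ns: float = 0.0) -> float:
    """Time for a challenge to reach the fob and the response to come back."""
    return 2 * distance_m / C * 1e9 + PROCESSING_NS + relay_delay_ns


def rtt_bound_ns() -> float:
    """Largest round trip a fob inside MAX_RANGE_M can legitimately produce."""
    return 2 * MAX_RANGE_M / C * 1e9 + PROCESSING_NS + TIMING_TOLERANCE_NS


def rtt_accepts(distance_m: float, relay_delay_ns: float = 0.0) -> bool:
    """Distance-bounding check: the physics of time of flight sets the limit."""
    return round_trip_ns(distance_m, relay_delay_ns) <= rtt_bound_ns()


def evaluate(distance_m: float, relay_gain_db: float = 0.0, relay_delay_ns: float = 0.0) -> dict:
    return {
        "rssi_accepts": rssi_accepts(distance_m, relay_gain_db),
        "rtt_accepts": rtt_accepts(distance_m, relay_delay_ns),
    }


if __name__ == "__main__":
    scenarios = {                                          # constructed scenarios
        "fob 1 m away, no relay": dict(distance_m=1.0),
        "fob 5 m away, no relay": dict(distance_m=5.0),
        "fob 30 m away, 40 dB amplifier, 50 ns relay delay":
            dict(distance_m=30.0, relay_gain_db=40.0, relay_delay_ns=50.0),
    }
    print(f"RTT bound: {rtt_bound_ns():.1f} ns")
    for name, kw in scenarios.items():
        print(f"{name:52s} {evaluate(**kw)}")
```

With these numbers the 2 m range allows only about 13 ns of extra flight time on top of the fob's turnaround, which is why a check like this needs a radio that can timestamp to a few nanoseconds; that is the reason distance bounding in cars is done over UWB rather than the narrowband 433 MHz remote.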


> A hacker can gain complete and unlimited access to locking, unlocking, controlling the windows, opening the trunk, and starting the engine of the target vehicle

I think those guys should do some research first. Starting the engine requires either an immobiliser or a Passive Entry functionality.

Rolling codes have been implemented for a long time. (For some time now the RF communication has also been encrypted, usually with AES-256.) It would be nice to tell us if those are original dealer vehicles or modified. Basically all the keyfobs produced in the last 15 years have rolling codes, relay attack protection and most of them also encryption. At the level at which this article is written I see no need for Honda to make any comment. Source: worked on keyfobs in automotive. Honda is a customer with strict requirements.


Having lived in big cities half my life, I leave my car's doors unlocked, and keep a waterproof seat cover on.

Remote start is troubling though.


I used to leave my windows open on sunny days, to stop the car getting too hot or anyone breaking in to look for stuff to steal.

When I did this at my office car park, well-meaning people would call security and ask them to help the person with open windows by warning them they were open. Or if they knew it was my car they’d seek me out to warn me that my windows were down.

The reason they gave was always that they were worried someone would steal stuff from the car. There was nothing in it to steal.

Eventually I got sick of wasting other people’s time for them and left my windows closed.

So many of them complained that their cars were hot, and/or had them broken into by people looking to steal things.

I think the only real solution would be for me to buy a car that lets me take the roof off. If your car is roofless, no-one comes to warn you.


I’ve owned a few convertibles and I always left the doors unlocked and/or the top down. I’d rather someone steal the $100 radio than cut through the top or break a window. I did always keep the glovebox locked but that only contained my registration and proof of insurance. I have had a radio stolen once but it was just the faceplate. Not sure what they’re going to do with that.


It is very common for Miata owners to leave the doors unlocked if they need to put the roof up because the roof is more valuable than the interior. (Since it is a common track/race car, every interior piece has an aftermarket replacement.)


I'm guessing the unlocked doors are so thieves don't break the windows to get in. But what is the waterproof seat cover for?


Probably in case someone doesn’t shut the door or perhaps a person sitting in the drivers seat while rummaging.



Homeless pee.


It's kind of depressing how much we tolerate this state of affairs.


How so? To me it seems like a general acceptance of things outside of your control. The idealist in me wants to agree, but I don't see a utopia emerging out of the bushes imminently.


You think it's utopian to not expect your car windows to be smashed in - now I'm even more depressed.


There are people who are just scum; there are people who have morals but sometimes do scummy things, possibly due to circumstance; there are people whose morals differ from your own.

I would not choose a future where everyone shares my own moral values - that would be bleak.

In that context, sadly, crime will exist.


I think scum is a bit harsh, but some people lack empathy.


As a courtesy to people looking for wheels?

Or is this a reverse psychology thing where people are supposed to think it’s already been checked by others


One rationale I've seen is, "If my car is likely to be broken into, I'd rather not have to replace the window."

For example, "they stole my $20 from my center console, but broke a $200 window to get to it."

I also wonder if potential thieves think a car with open windows is a bait car or something. Probably not often enough in its own right to justify leaving things open?


I commented earlier that I left the top down or doors unlocked on my convertibles. A window or a cut top is far more expensive to replace than my $100 aftermarket radio. I’ve actually had a radio faceplate stolen once.


The idea behind it is that the criminal will not have to break the windows which is more costly to replace than what was in the center console.

Sort of violates the idea of a "smash and grab" though. You want to minimize the noise generated and time spent and maximize the potential profit gained. Typically, you just inspect what is in plain view in the vehicle and if there's anything that has value (i.e., backpack, clothes, cell phones) then it's a good target. If there's nothing in plain view, then there's no point in attracting attention and increasing the chances of getting caught.

Of course, there are some municipalities that have decriminalized or refuse to prosecute this type of theft so that negative reinforcement no longer applies and you just get people that smash all windows and search entire vehicles.

Anecdotally, just following the idea of "nothing in value being in plain view" has worked wonderfully for me. Works locally in my somewhat big city and when traveling to other big cities.


Unrelated but does anyone know of a good and available replacement for the HackRF One? The LimeSDR Mini looks good but is impossible to source because of the chip shortage. HackRF is getting a little long in the tooth these days.


The ADALM-Pluto a.k.a "PlutoSDR" is a pretty good alternative; it's similarly spec'd to the LimeSDR Mini and appears to be in stock at Mouser. It's currently $230 but I think it occasionally goes on sale for significantly less.


Is there any fuse or something the owner can take out to use the key in manual mode, until there is a fix?


I know people who use hidden or magnetic switches to be able to start the car because they have a relatively expensive and easy-to-steal car.


If you have an expensive car that is easy to steal, wouldn't you deem that faulty and get a refund?


people also do this on a DIY approach with old cars that are easy to steal (like a 2002 subaru or something) by wiring an ignition kill switch into the ignition fuse, and hiding it somewhere not obvious...


Adam Carolla famously did this, but with the fuel pump: the thieves would get a few feet up the road before the fuel in the line ran out.


The trick would be to make sure the fuel pump doesn't lose power in a critical situation.


Not a direct answer but something that might mitigate. I have these motion-activated alarms on my bike, moped, and in my backpack, and activate the alarms when I'm not within view of them.

https://www.amazon.com/gp/product/B0734QN8KR/

I imagine you could probably ziptie one (or maybe a few, though you'd have to carry a few remotes) onto an inconspicuous ___location on the car. It would be a good deterrent for car thieves and possibly also towing companies.

I actually want to work on a modification of this device where it shoots out fart spray in addition to the loud alarm.


There are fuses for each door lock actuator. You can open the car with the physical key inside the key fob in this case. You always need the keyfob to start the car because the immobilizer requires its presence.


There's an industry standard (?) for Digital Keys:

* https://carconnectivity.org

* https://carconnectivity.org/digital-key/

Perhaps moving to that will help with security since everyone won't have to re-invent the wheel. (Of course implementation bugs are still possible.)


But then if there is a vuln in the industry standard system, then all cars will be affected.


We do the same with TLS, SSH, etc. As long as we have smart people at the helm I don't see a reason to be worried.


The threat model and security considerations there are too different between those examples.

TLS and SSH are not generally run on disconnected systems that may never get firmware updates, as just one obvious difference.


There's The Update Framework (TUF) for that, so maybe at some point cars will be able to update easily.


Sounds like a case where formal methods might be both appropriate and funding might actually be available for that.


> Utilize a Faraday Pouch for the key fob.

Sorry to ask a dumb question, but how does this help?


I think this only helps against relay attacks. To use the key to open the door the owner probably has to take the fob out of the pouch and then replay attacks might be possible.


I still don't understand I guess how the pouch mitigates anything


I'm assuming it attenuates the signal so that someone parked nearby has a more difficult time capturing the code. Downside is you can't use your remote start from inside the house anymore - you'll have to be very close before the remote will work (which raises the question of what good is having a remote if you're close enough to just use the physical key). But with the faraday pouch, at least the car won't have been stolen.

For the MITM attacks on the modern proximity car keys, drop your fob into a metal tin (like the Danish Butter Cookie ones) when you walk in the house to block the signal.

https://www.schneier.com/blog/archives/2017/11/man-in-the-mi...


Some cars unlock when you're close, no button presses required. Relay attacks let the thieves use the keyfob inside your house by relaying the signal. A faraday pouch prevents this. It's not related to replay attacks on a traditional push-to-unlock keyfob.


Relay attacks seem to be in use in the wild by sophisticated car thieves, although I'm not sure how commonly. Given general trends, it's probably more common in Europe than in the US. More to your question though, the issue is that proximity key systems rely on the limited radio transmission range. If a thief uses something like an SDR to "amplify" or repeat the transmissions, they can get the car to think the key is much closer than it is... and potentially unlock the car in your driveway by "using" your key fob inside your house. A faraday pouch makes this very difficult by significantly attenuating the signal from the key fob.


A faraday cage or faraday pouch blocks electric radio.

For example a cellphone will not be able to communicate with the base station if you wrap it in aluminium foil, and the new car fobs work similarly. The fob just needs to be within close distance of the car for someone to open the door or start the car.

A relay attack puts two radio devices between the car fob and the car, so thieves can open and start a car just by relaying the radio signal to the car fob behind the closed door.

A replay attack will record the radio signals transmitted between fob and car and just replay them.

And both attacks are absolutely possible. You can find videos on youtube for both.
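The comment above describes a relay as two radios inserted between fob and car, and an earlier comment asks why the car could not measure response latency instead of signal strength. The following is an added example, not code from the thread or from any vehicle manufacturer, of the idea behind that latency check (distance bounding): the car issues a random challenge, the fob answers with a keyed response, and the car accepts only if the round-trip time is consistent with the fob being within a few metres. The turnaround time, timing slack and relay delay are assumed values chosen for the simulation; the key, challenge and HMAC construction are likewise assumptions, not any real system's protocol.

```python
"""Toy distance-bounding check for a proximity (passive-entry) key.

Constructed for illustration: not Honda's or any vendor's design. A relay
adds extra path length and the repeaters' own processing delay, which pushes
the round trip over the time bound no matter how strong the relayed signal is,
whereas a signal-strength check is fooled by amplification.
"""
import hashlib
import hmac
import os

C = 299_792_458.0            # speed of light in m/s
MAX_DISTANCE_M = 2.0         # fob must appear to be within this distance of the car
FOB_TURNAROUND_S = 1e-6      # assumed fixed processing time of a genuine fob
SLACK_S = 5e-9               # assumed timing jitter tolerance (5 ns is about 0.75 m of path)
TIME_BOUND_S = 2 * MAX_DISTANCE_M / C + FOB_TURNAROUND_S + SLACK_S

KEY = b"constructed-demo-key"   # shared secret between car and fob (constructed value)


def fob_response(key: bytes, challenge: bytes) -> bytes:
    """The fob's answer to a challenge: a keyed MAC truncated to 8 bytes (assumed scheme)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:8]


def simulate_exchange(car_key: bytes, fob_key: bytes, distance_m: float,
                      relay_delay_s: float = 0.0) -> dict:
    """Run one challenge/response and return what the car learns from it.

    distance_m    : physical distance the radio signal actually travels, one way
    relay_delay_s : extra processing delay added by relay hardware (0 for no relay)
    """
    challenge = os.urandom(8)                      # fresh random nonce per exchange
    response = fob_response(fob_key, challenge)    # what arrives back at the car
    crypto_ok = hmac.compare_digest(response, fob_response(car_key, challenge))
    # Round trip = signal out and back, plus fob turnaround, plus any relay delay.
    rtt_s = 2 * distance_m / C + FOB_TURNAROUND_S + relay_delay_s
    # Distance the car would infer from the measured round trip.
    implied_distance_m = max(0.0, (rtt_s - FOB_TURNAROUND_S) * C / 2)
    return {
        "crypto_ok": crypto_ok,
        "rtt_s": rtt_s,
        "implied_distance_m": implied_distance_m,
        "accepted": crypto_ok and rtt_s <= TIME_BOUND_S,
    }


def legitimate_unlock() -> dict:
    """Owner standing 1 m from the door with the real fob."""
    return simulate_exchange(KEY, KEY, distance_m=1.0)


def relayed_unlock() -> dict:
    """Fob 30 m away inside the house, relayed through two repeaters that add 5 us."""
    return simulate_exchange(KEY, KEY, distance_m=30.0, relay_delay_s=5e-6)


if __name__ == "__main__":
    for name, result in (("legitimate", legitimate_unlock()), ("relayed", relayed_unlock())):
        print(name, "crypto_ok=%s accepted=%s implied_distance=%.1f m"
              % (result["crypto_ok"], result["accepted"], result["implied_distance_m"]))
```

The relayed exchange passes the cryptographic check, because the relay forwards the genuine fob's answer unchanged; only the timing exposes it. That is why the time bound has to be tight: with a 5 ns slack the car can only be fooled by a relay that adds less than about 0.75 m of apparent distance, which real repeater hardware cannot achieve. Commercial proximity keys that implement this idea do so with UWB radios rather than the 315/433 MHz links discussed in this thread.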


It seems like there is a lot of security in just physical stuff. A car that needs you to use a key to unlock the door vs a signal that can be intercepted. A scrap of unimportant looking paper containing passwords vs a compromised password manager. It makes the attack surface so much smaller since, unless you are some VIP, chances are no one is going to ever root around your home for internet account passwords on scraps of paper. Software used by thousands of people presents an attractive target given the work vs reward ratio is so much more favorable, and imo it's not a matter of if, but when, these systems do end up compromised.

Maybe security in the future starts looking less like obfuscated software solutions, and more like simple analog solutions that ultimately require an operator on ___location, and are therefore too expensive to carry out to the scale that electronic crime has taken place in the past few decades.


I had an issue where I could not unlock the car or disable the electronic theft prevention. I guess I pressed the alarm button too many times while I was away from the car, and it went out of sync with the car. This was a tx only key fob.

This would mean that the car needed to keep track of the rolling code, but to not lock the user out if he accidentally presses the button while away from the car, it will need to accept the current rolling code state plus some more (a window of accepted codes). Once the car gets a code within the window, it knows the state counter on the key fob and can synchronize.

Not sure what to do, I kept pressing the key until I saw the car alarm turn off - it must have been hundreds of presses. But the code must in fact be rolling, because everything worked as normal after that.


This is a joke...

For a 2005 vehicle this would be understandable. For 2016-2020 model years absolutely not.


Civics too, which (used to be?) one of the top cars sold in North America (or at least in Canada)


This makes me think of another vulnerability with these door/key systems, this time actually acted upon by bad (yet creative!) actors: the creative relay system thieves used to nick Tom Cruise's BMW X7M - https://www.autoevolution.com/news/tom-cruises-bmw-x7-was-st...


at least my dystopian future toyota keyfob subscription could be patched to fix this...


That's assuming auto manufacturers will actually provide you with continuous updates and not just charge you for access to the core feature without ever bothering to update it. Much like how infotainment software can vary from one model year to the next while the hardware remains mostly unchanged--they're usually not giving you the option to just stop by the dealer for an update, much less let you do it yourself via USB or OTA.

To be fair though, my example isn't absolute--as far as infotainment goes, Chevrolet has done free Android Auto/Carplay retrofits in the past if your older model hardware supported it, and Ford SYNC is upgradable by the consumer via USB. I don't know of any Toyota models that offer that same though.


Or reducing/eliminating the $800 keyfob replacement cost on my 2018 Rav4. It's the worst case of vendor lock-in and customer fleecing.


The subscription will be a lot more than $800 by the time it's done with you.


I have a Flipper Zero and so far cannot reproduce on my 2017 model.


I’m still waiting on mine. I suppose that’s what I get for ordering the black one instead of white.


How do you like your Flipper? Seems like a great tool


I'm a fan. It has great battery life, has more heft than I expected.

The second day I had it we went to my mother-in-law's new apartment building. Her call button wasn't working to let people into the building, so I asked if I could try to copy her FOB since we needed to get some things from our car and boom, it worked just like that.

Also had some fun mucking around with raw NFC and emulating them. Took a bit of tinkering, but it was pretty cool to see it work.

The #sub-ghz channel on Flipper Zero's discord blew up a little bit today with this news. So far though, the couple of us with affected model years according to this CVE have been unable to reproduce. FCC ID matches. The precise frequency was added to a modified firmware, and we are using FSK modulation, but still no luck.


Seems that this requires a signal from the car FOB, remember seeing Tesla car getting jacked the same way.

Would storing fobs in RFID restricting material prevent this?


1990's hondas all used the same keys. You could, literally, steal a car by accident using your own key.


Back in the early 90s, my mom took me and my sisters shopping for winter clothes. After we were done (and us kids had stressed her out), she opened up the car, parked in the mall car park, put us in the back of the car, checked we put on the seat belts, and then started to reverse out of the parking space, when all of a sudden she stopped, looked visibly confused for some moments, drove back in and took us out of the car again.

Turns out it wasn't our car, just the same new VW Golf model in the same color, and her key worked for it for whatever reason. She only noticed because the actual owner had put some stuff on the rear window, which she only noticed when looking back to reverse out of the parking space.

I have no clue if VW had the same keys for all/many cars back then, or if it was a huge coincidence that the key fit well enough.

The story of "how mom almost stole a car" is still treasured family folklore :P


Did you lock your keys in your trunk and need your key to unlock the trunk release? No problem, just pull off the casing with your hand and poke the mechanism with a stick. Let's face it, car security is generally a game of rock, crowbar, towtruck.


Blew my mind when a locksmith, presumably taking some pity on me for locking myself out in the cold, showed me how I could pop the manual lock (this technique only works on manually driven locks, not electronic/automatic ones) on my pickup by unscrewing the antenna off the front and using it to perform a rather simple maneuver in my door lock.


Likewise for a huge range of years and models, all Ford commercial vehicles had the same key.


Any source for this? That's completely wild.


aside from my high school parking lot google for terms like "honda civic same key" :)

https://honda-tech.com/forums/honda-civic-del-sol-1992-2000-...

https://honda-tech.com/forums/honda-civic-del-sol-1992-2000-...

https://honda-tech.com/forums/honda-civic-del-sol-1992-2000-...

I guess the real answer is that any key/lock that isn't 1-year-new is worn down enough to fit any other honda.

I'm not sure they take security that seriously.


Ahh, I searched 1990s Honda same key and it was too broad.

That is hilarious


Not a Honda owner, but I park in SF often enough to keep absolutely nothing of value in my car.


I remember seeing this exact attack portrayed in season 1 of Mr. Robot. Very similar setup too.


Pretty bad for a system as crucial as this to be this bad in 2020. Honda ought to know better.


The POC video looks like it was shot in Champaign, Illinois. But I guess it is UMass.


Not going to get all worked up over this because I remember that I owned a 1985 Mazda and the key for it would open and start every 1979-1985 Mazda in town. Objectively we've come a long way.


TPMS is something you can sniff as well which I think is much more of an issue.


Wait, reading or spoofing tire pressure is more of an issue than opening doors and starting the engine?


I'd say so, from the perspective of utility and persistence. 4 (maybe 5 including spare) uniquely serialized radio beacons make a good target for dragnet surveillance with zero risk to abusers.

I'm also more wary of scam extended warranties than I am of kidnap and ransom, even though one is obviously far more unpleasant than the other.


Potentially. You could put a dangerously high or low amount of air in the tire and then tell the car, “this is fine”.


More disturbing to me is that most TPMS transmissions have a unique ID associated with them making it trivial to track a given vehicle. Many vehicles only transmit pressure when prompted, but I have definitely noticed those which constantly transmit. Usually Toyota.


That's how Toyota's proximity unlock feature works.


Isn’t the range extremely close?


Depends on the size of your antenna.

Russians might secretly build a 10e10 sq.mi. antenna array field to read the tire pressure of all US cars!


TPMS often uses a lower frequency range which can travel pretty well.


Headline is confusing: the vehicles are not sending signals, key fobs are sending signals (on click) and those signals do not change, so if someone records & plays back your "door unlock" signal they can unlock your door.

The way this was written, I thought cars were sending signals to one another somehow.

Furthermore, the "vehicles sending the same signal" refers not to a single signal shared between vehicles. It means vehicle X consistently relies on "the same" (unchanging) signal X, vehicle Y consistently relies on "the same" (unchanging) signal Y etc. As written, it sounds like every single honda of the same year & make uses one, shared signal which is not what is meant, unless I'm mistaken.
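The comment above describes the vulnerable case, a fob whose "door unlock" message never changes, and an earlier comment describes how a rolling-code receiver keeps a counter, accepts codes within a window ahead of it, and resynchronises when a code inside that window arrives. The following is an added example, not code from the thread or from any manufacturer, that models both receivers side by side so the difference is visible: a recorded message replays against the fixed-code receiver and is rejected by the rolling-code one. The keyed function, key, window size and counter encoding are assumptions made for the model, not any real fob's design.

```python
"""Toy model of fixed-code versus rolling-code remote keyless entry receivers.

Constructed for illustration only. The over-the-air code is derived from a
shared key and a counter with HMAC-SHA256 truncated to 4 bytes; a real fob
uses a different keyed function, but the replay and resync behaviour is the
same in shape.
"""
import hashlib
import hmac

WINDOW = 256   # assumed: how far ahead of its own counter the car will accept codes


def make_code(key: bytes, counter: int) -> bytes:
    """Over-the-air code for one counter value (assumed construction)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Fob:
    """A button fob. rolling=False models a fob that sends the same bytes every press."""

    def __init__(self, key: bytes, rolling: bool = True):
        self.key, self.rolling, self.counter = key, rolling, 0

    def press(self) -> bytes:
        if not self.rolling:
            return make_code(self.key, 0)      # identical every time: replayable
        self.counter += 1                      # advances even if the car never hears it
        return make_code(self.key, self.counter)


class Receiver:
    """The car side. Tracks the last accepted counter and only moves forward."""

    def __init__(self, key: bytes, rolling: bool = True):
        self.key, self.rolling, self.counter = key, rolling, 0

    def accept(self, code: bytes) -> bool:
        if not self.rolling:
            return hmac.compare_digest(code, make_code(self.key, 0))
        # Codes at or behind the stored counter are replays and never match here.
        for n in range(self.counter + 1, self.counter + 1 + WINDOW):
            if hmac.compare_digest(code, make_code(self.key, n)):
                self.counter = n               # resynchronise to the fob's counter
                return True
        return False


KEY = b"constructed-demo-key"   # shared secret (constructed value)


def replay_scenario(rolling: bool) -> dict:
    """Attacker records one genuine press and sends the same bytes again later."""
    fob, car = Fob(KEY, rolling), Receiver(KEY, rolling)
    captured = fob.press()                     # the owner's real unlock, recorded
    return {
        "first": car.accept(captured),         # genuine use: accepted either way
        "replay": car.accept(captured),        # recording sent again
        "next_genuine": car.accept(fob.press()),
    }


def resync_scenario(presses_away: int) -> dict:
    """Owner presses the fob `presses_away` times out of range, then once at the car."""
    fob, car = Fob(KEY), Receiver(KEY)
    for _ in range(presses_away):
        fob.press()                            # car never hears these
    accepted = car.accept(fob.press())
    return {"accepted": accepted, "car_counter": car.counter, "fob_counter": fob.counter}


if __name__ == "__main__":
    print("fixed code  :", replay_scenario(rolling=False))
    print("rolling code:", replay_scenario(rolling=True))
    print("100 presses away:", resync_scenario(100))
    print("300 presses away:", resync_scenario(300))
```

In this model a fob that has advanced past the window is simply locked out, which is the situation the earlier commenter ran into; real receivers typically add a wider resynchronisation rule (for example accepting two consecutive codes far ahead of the counter) so that the owner can recover, at the cost of a larger search on the car side.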


I thought the same, but upon reading, I agree with your interpretation.


Yes, you’re right!


If a newer car gets stolen it’s just an inconvenience because it’s likely insured.


Oh great, so all you have to worry about is:

- the deductible cost

- the risk of the insurance company not paying, or low-balling the payout

- loss of all personal items in the vehicle

- time and monetary cost of temporary transportation

- future insurance premium increases

- having to buy a new car

We must have dealt with different insurance companies if your expectation is that it will be a quick, satisfactory, process.


Also, if you don't have replacement cost coverage you're either eating depreciation to buy new again, or hoping you can find a used one in the right cost/quality window.


Even if that's true, new cars tend to become old cars.


This doesn't enable anyone to steal the car, unless they also have a tow truck.

It would let someone steal the contents of the vehicle, which may not be insured, and I suspect it would be difficult to collect on without signs of entry to the vehicle.


If they steal the contents by opening the door you should be grateful that your windows are intact and you just lost some stuff


If I had comprehensive insurance and coverage for contents, I would rather the window be broken. It would make the claims process easier.


Eh, I’ve been there but decided to pay out of pocket because the deductible is there (and generally it’s smarter to have a higher deductible unless you really can’t afford it) and then you risk your premiums going up.


If I'm not mistaken, unlocking the doors is half the exploit. The vehicle can also be started, which means you just drive it away. This is very dangerous and crazy if true. 300 bucks for tools is nothing.


Modern vehicles factory-equipped with remote starters prohibit the car from being shifted into drive when the remote starter function is used via the long-range remote. (so random people walking down the street can't hop in and steal it) Hondas are no exception to this. There is another radio exchange that happens inside of the car with the key before you are able to shift into drive. This example doesn't demonstrate that being broken.


Luckily, driving away with the vehicle is impossible unless you are able to mimic the PKE system, which incorporates a 4 way handshake. There has been some research where a similar system was broken but I haven’t had the chance to try it on the civic.

