Keyless Remote Entry For Cars May Have Been Cracked
WheezyJoe writes "The Today Show had a piece this morning showing video of thieves apparently using a small device to open and enter cars equipped with keyless entry. Electronic key fobs, which are supposed to be secure, are replacing keys in more and more new cars, but the evidence suggests that a device has been developed which effortlessly bypasses this security (at least on certain makes and models). 'Adding to the mystery, police say the device works on some cars but not others. Other surveillance videos show thieves trying to open a Ford SUV and a Cadillac, with no luck. But an Acura SUV and sedan pop right open. And they always seem to strike on the passenger side. Investigators don't know why.' Police and security experts say they are 'stumped.'"
I was under the impression that these things were always vulnerable to replay attacks and I wouldn't be surprised if there was a master code as well.
Haven't we seen proof of concept hacks of these kinds for a while?
Also, "adding to the mystery", my ass. Different keyfobs work with different algorithms and protocols. Someone's hacked a particular subset of them.
Maybe not so much the remote lock/unlock feature, but to be able to start it without actually inserting the key? A carjacker can push someone into their car as the door is opened and start it without fumbling for a key. Depending on the behavior of the car when the key becomes too far away, it can shut down during operation - dangerous - or be immobilized at its next destination (think a couple arrive at home, keyholder enters home and driver goes to run an errand).
Maybe because people commonly stuff things like their GPS into the glove box, which is located on the passenger side?
My car is so old it doesn't even have door locks, so not really a problem for me.
You can get a keyless universal unlocker from china for around $2000USD.
This is probably something that is not what is expected, like some of those steering wheel locks that can be removed by breaking them in half by hitting in the middle of them rather than trying to pick the lock. They are not breaking the encryption, they are breaking the system, going around the expected secure path, not through it.
Do we have the source to these remote key systems? Did they leave in backdoors? It's probably some kind of default dealership/factory key that people took when they got fired.
And getting access to the keys and/or algorithms that generate said keyfobs. How well are the companies protecting them?
Step 1: Set up lots of situations where surveillance shows a car getting "stolen." Do something no one can understand. Get it promoted to the news.
Step 2: industry professionals puzzle over this, finding and publishing some hole they end up finding.
Step 3: Steal cars using the newly published method, since most people are lazy and won't heed the software update/recall notices.
Convoluted? Sure. Plausible? Perhaps.
This tempts me so bad. I don't want to steal cars. I just want a button that sets off everyone's panic alarms.
What if the preference (or requirement) for doing this on the passenger side is due to the physical location of some wiring or other device that is susceptible to some kind of electronic signal or noise conduction into other circuitry that ends up causing the unlock?
They cited Hondas and Acuras. As Acura is made by Honda, it seems like they're exploiting a bug or vulnerability in a specific device.
I have an exploit that works on all cars and I am willing to share it!
Step 1. Apply brick swiftly to car side window.
Step 2. Unlock car.
Step 3. Gain entry.
On some models Step 1 will need to be repeated several times before progressing to Step 2.
Did anyone even really watch the video? The "object" in his hand was his thumb. He was opening a door where the handle is embedded in the door. His palm was up and his thumb was out. The door was not locked in the first place. Did anyone see him try the door before he supposedly used the "device"? The incident with the guy with the backpack is even more telling. He was walking along trying doors till he found one unlocked. Notice we took a step back when the door opened.
What is the evidence that the vehicles were locked? Statements from the victims who would lose the insurance award if they admitted that they forgot to lock their vehicle?
As another poster put it, these criminals are targeting vehicle contents; most of which are in the glove compartment.
unlock = true;                                  // default is "unlocked": this logic fails open
try {
if (!rxkeycode()) { unlock = false; }           // only an explicit negative result denies entry
} catch (e) { }                                 // any error thrown inside rxkeycode() is swallowed, so unlock stays true
if (unlock) { unlock_the_door(); }
Short of having found a "master keycode", I'd suspect something analogous to the above. Pretty much find any type of problem in the hypothetical rxkeycode() and you win, if that's how it's implemented. The cars it doesn't work on... either the triggered bug doesn't happen, or the logic starts with "unlock=false" blah blah blah.
Would be interesting to know, not that they'll ever tell.
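The fail-open pattern sketched in the comment above, next to a fail-closed version, as an added example (not code from any vehicle or vendor); rx_key_code() is a hypothetical stand-in for the receiver's decode-and-compare routine, and the frames and accepted code are constructed for the demo.

```python
"""Fail-open vs fail-closed handling of a key-code check (added example).

rx_key_code() is a hypothetical receiver routine: it decodes a constructed
2-byte frame and raises on anything malformed, standing in for whatever
decoding bug a real receiver might have.
"""

VALID_CODES = {0x2A5F}  # constructed: the one code this toy "car" accepts


class FrameError(Exception):
    """Raised when a received frame cannot be decoded."""


def rx_key_code(frame: bytes) -> bool:
    """Return True only if the 2-byte frame carries an accepted code.
    Raises FrameError for any frame that is not exactly 2 bytes."""
    if len(frame) != 2:
        raise FrameError(f"bad frame length {len(frame)}")
    return int.from_bytes(frame, "big") in VALID_CODES


def fail_open_unlock(frame: bytes) -> bool:
    """The logic the comment sketches: unlock defaults to True and is only
    cleared on an explicit negative result, so a swallowed exception leaves
    the decision at 'unlock'."""
    unlock = True
    try:
        if not rx_key_code(frame):
            unlock = False
    except Exception:
        pass  # error swallowed -> door unlocks on garbage input
    return unlock


def fail_closed_unlock(frame: bytes) -> bool:
    """Hardened variant: default deny; only a successful, positive check
    may flip the decision to unlock, and a decode failure counts as 'no key'."""
    unlock = False
    try:
        unlock = rx_key_code(frame)
    except FrameError:
        unlock = False
    return unlock


def compare(frame: bytes) -> dict:
    """Run both policies on one frame for side-by-side inspection."""
    return {"fail_open": fail_open_unlock(frame),
            "fail_closed": fail_closed_unlock(frame)}


if __name__ == "__main__":
    # Constructed frames: the accepted code, a wrong code, and a malformed
    # 3-byte frame that makes rx_key_code() raise.
    for label, frame in [("valid", b"\x2a\x5f"), ("wrong", b"\x00\x01"),
                         ("malformed", b"\xff\xff\xff")]:
        print(label, compare(frame))
```

Only the malformed frame separates the two policies: the fail-open version unlocks on it, the fail-closed version does not.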
My 1986 Nissan Maxima had a keypad. I keyed in a code (of my choosing, plugged in at the dealership) and it unlocked my driver door, all my doors, my trunk, etc. I loved it because I could stash my keys in the trunk when I was doing something where I didn't want to keep my keys with me (like going to the gym) and just punch my code in when I wanted access. Sadly, this never caught on. I like it much better than fobs (other than remote start in cold weather).
www.calcshop.com/images/Analysis_Keyless-entry.pdf
Someone found a way to weaponize the 2007 attack? http://redtape.nbcnews.com/_news/2007/08/28/6345961-researchers-say-theyve-hacked-car-door-locks?lite
A driver carries a pass, a credit card sized remote (or a keyless fob). As the driver approaches the vehicle, the vehicle scans the remote and is ready to unlock if you touch the handle. The door handle also has a sensor where your thumb goes. As soon as you touch it, and if the vehicle registers the keyless remote, the door is opened.
Such cars (usually) have push-button start systems that also work based on the proximity of the keyless remote.
It is very convenient if your hands are full and you want to open the rear door, for example, without having to search your pocket and fumble with buttons.
Approach the car, open the handle, press the button - drive. No need to even touch the key/remote, which sits in your wallet or pocket.
Guys guys, Acura is a Honda brand. If it's working on Acura, it likely works on all Honda cars, trucks, vans, bikes, etc.
In fact, watching the video ... all those cars mentioned are Honda brands.
Okay so that tells us the device works on Honda. Now what is in common with Honda that isn't with other brands? What is the significance of the passenger side?
If you have ever had a keyless fob, you'll know there are usually four things:
1. Unlock drivers side door
2. Unlock all doors
3. Unlock trunk
4. Light/Alarm/Honk (to locate it in a parking lot)
Note there isn't an "unlock passenger side only".
Now look on youtube at how to program a remote. Clearly the car can be told to learn a new remote code without a dealer.
So this suggests to me that some of the following might be true:
a) The thieves are transmitting a code that the car already has, eg a "master key"
b) The thieves are transmitting something to make the car "add" their fob code
c) The thieves are transmitting a "debug" code or "dealer" code that isn't in a normal key fob
d) The thieves are transmitting codes that trigger something like a buffer-overflow bug in Honda brands' keyless entry systems to unlock the passenger side
e) The thieves are transmitting something to a component in the door that then unlocks
f) The thieves transmit something that makes the car itself unlock the door as part of the reset process
or g) The thieves cloned the transmitter.
As for why the passenger side and not the driver's side: driver's sides often have tones or signals (eg door is ajar), whereas the passenger side does not until a key is in the ignition.
BMW Hacking
I know with my Nissan, and I believe that all cars are the same, you need to press on the unlock button twice to unlock the passenger doors. Perhaps there is something in that sequence that allows them to create a shortcut sequence that opens the passenger doors.
For example, maybe there is something in the "lock" code that is sent to lock all of the doors that triggers the start of the "unlock passenger doors" sequence and all it is waiting for is the extra code from the second key press.
DSI (one of the largest manufacturers of 3rd-party security and remote start equipment) fobs are still fine.
They probably go for that side because the glove box is on that side.
NXP, google it yourself, don't believe me. NXP's Mifare is insecure, used in Oyster, OV-Chip and a few other very large deployments. Similar weak chipsets are found inside key fobs. Similar problems. Trivially exploitable. Just listening and some knowledge of the platform is enough to predict the next 'secure' exchange. And steal the car. Embarrassing: the next car could as well be an extremely expensive Mercedes Benz S-class.
From what I've read, this is how the attack works: keyfobs on certain cars unlock your car when you're "in range" of the car. For example, you leave the key fob in your pocket, and when you get to your car, it unlocks. I have heard that this attack is being done by "amplifying" the keyfob signal. The keyfob is in the house, on a nightstand, who knows. If you can "boost" the signal of the key fob with some device, so its range is, say, 30 feet longer, then you should be able to unlock those cars, hell, even start them. Once you are out of range, you could never re-start the car. This is an interesting theory.
It was in a paper I read not too long ago that thieves use a radio jammer so that the car never gets the signal to lock. Some cars lock the doors silently and some do it with a short honk of the horn. So, if it's the type that is silent, then most people never notice the car did not lock when they pushed the button and walked away.
Presumably the way this works is that the car and the key fob are loaded with an algorithm and a short key. It is possible by brute force to find the key, given a recording of a few transactions and knowledge of the algorithm.
But a micro SD card can store four gigabytes of key data now, which should be good for the life of the system, so maybe the next step is to embed a one time pad in both the key fob and the car security system.
Here's a thought; these guys don't have some magic tech. They've pickpocketed keys and are actually using the correct device to get into the car. They walk around the area hitting the button until a car (or the right model if they're smart) lights up and then go take stuff out of it. They don't take the car because it's bigger criminal charges and it's difficult to offload unless you do that sort of thing for a living.
Slashdot gets a story from the Today Show.
I have created some amazing new software that will allow entry to virtually all vehicles. It's called Crowbar 1.0 and it is available in your trunk today.
People have been using these for at least a decade. People used to walk through my neighborhood at 2am and screw around with these things and unlock random cars. They'd hit the button and every few tries a random car would respond.
A better theory would be that the guys just placed a device in the neighbourhood earlier that JAMS the signal that closes the car door. Most users wouldn't notice, since they just turn back and start walking while pressing the lock button. AFAIK, it is easier to JAM a signal than to decrypt it. :)
A small device with a 2W amplifier could cover a range of 500 m easily.
"And they always seem to strike on the passenger side"
Because that's where the glove box is! If that correlation is so hard then no wonder they are stumped.
In fact, I'd say none of it is.
April 5, 2013: http://news.msn.com/science-technology/high-tech-car-thieves-break-into-vehicles-without-leaving-a-trace
May, 2013: http://www.kpho.com/story/22176874/new-auto-theft-device
And it is perennial:
July, 2012: http://www.mnn.com/green-tech/transportation/stories/computerized-cars-are-easy-prey-for-high-tech-thieves
2008-2011, Snopes: http://www.snopes.com/autos/techno/lockcode.asp
Today is the last show I would consider to have current news. (Used to watch it daily... now CBS This Morning is the closest thing to real news in the AM, IMVHO.)
Obviously there is a back door in it. The thieves have figured out the code that is embedded in there that will open up to that.
Once I locked my Nissan Primera and the alarm in another car went off. At first I thought it was just a coincidence but when I went back and locked the doors again and the same thing happened, it became evident that my key indeed interfered with another car triggering its alarm. A friend and I then got the chance to have some fun when the owner of the other car showed up and we could make him wonder why his car alarm went off every time he touched a shopping cart.
If the owner of the car is near enough that they see their car's headlights blink from the unlocking, seeing someone standing by the driver's side door would appear to be intent to steal the car. Someone standing by the passenger side could more realistically feign ignorance or claim they were just going to steal belongings from inside the car (likely avoiding the grand theft felony).
I would provide the car companies with the technology and method with which I have been able to bypass the security but then you'd proceed to put me in jail for hacking into the system.
It's a shame too because there's such a simple way of closing off this security hole.
Perhaps the company will figure it out too... In 5+ years.
In related news I've also figured out how to isolate and block all cyber attacks from around the world, what the Colonel's 11 herbs and spices are and most importantly... How cadbury gets the caramel filling into their caramilk bar. True
The device uses an EMP to trigger the unshielded electronics in the car, that's why it has to be brought near. Else there's a back-door in these devices that the criminal element got hold of.
Set up honey pot cars, catch the thieves, charge them for the honey pot expenses and some more: Profit!
Self-financing mechanism to reduce car thefts.
The encryption on these devices was not broken. It was bypassed due to a software vulnerability.
Dealerships often install a box to override some cars' functions, like preventing it from starting, in case the lessee stops making their payments. They also give the dealership GPS locations for the car. (This was featured on Car Lot Rescue recently.) It wouldn't surprise me if there was also a door-lock override so they could more easily do a repo.
For that matter, what about OnStar? So keeping score, I'm counting 6 ways to get into a car: it was unlocked (duh), physical key entry, regular remote fob, remote dealership, remote OnStar, and accident detection. I guess you could throw into the mix forced entry (breaking window, slim jim, sun roof, etc.)
"Police and security experts say they are 'stumped.'"
Let me help: Car makers just don't give a fuck and they have zero background in security. It's the combination of that.
I talked with several guys in Germany who did this more than two years ago. Nice to see the mainstream media catching up.
I saw that report and the first thing I thought was "have any of these 'baffled' people done some searching online?" I'm guessing these thieves aren't technological geniuses who all come up with the same amazing technology all on their own. Chances are, there's some underground site that either shows you how to make this device or, more likely, sells it.
Sure enough, someone here posted a link to a "universal unlocker" sold from China for $25. If that's the device these crooks are using then they just "invest" a small amount of money and can quietly and quickly rob valuables from dozens of cars.
I have the habit of always hitting the lock button twice, and making sure I hear the horn. That way I know my truck is locked.
Maybe it's just a high voltage spark from a piezo device, like a gas oven lighter or cigarette lighter. It upsets the electronics and causes the door to unlock. Used to work on a type of public telephone, why not some types of alarm systems?
Car thieves have been doing this at the Jersey Gardens Mall in Elizabeth , NJ for at least 2-3 years. Security and presumably the local police know about it.
From what I have heard, the advice is -not- use your remote control to lock the doors. Apparently, the door unlocks immediately after you lock it with the remote. After you lock it again, they can then unlock it later.
Hopefully the publicity will finally force all of the car manufacturers to implement proper security, and retrofit it to all vehicles made since the time they were first notified of the problem.
Security through obscurity has never worked for mass production goods.
Just have a wide spectrum receiver, enough samples and a powerful enough computer and you are in. Just leave a datalogger connected to the receiver, collect the sample, decrypt it with a laptop, set up a transmitter to run through the possible challenge & response codes and you're in.
Keyless entry that uses proximity to a wireless fob, and that explicitly does not require a button press to activate, has been well and thoroughly cracked and the exploit published. The basic idea is to use two bent-pipe analog repeaters to fool the car into thinking your fob is right beside the car and not currently inside Wal-Mart (or in this case, Tessco perhaps?) where the accomplice is standing somewhat close to you and the fob in your pocket.
Oh lookie... here's the popular-press article right here.
Okay, I'm biased, and I'll admit it but I don't get the fucking point of keyless entry security, much less car alarms. Unlike some of the well-to-do persons who drive vehicles expensive enough to have/justify security systems, I've been under, on, and inside the components of a car for far too long. I don't care what the automotive industry likes to say, no new advances have come to cars in the last 30 years. The last new item was airbags (and they are of questionable usefulness for the amount of a pain they are to service), and those are from the late 80s. Once you take out the shiny in-dash stereo/gps/dvd-player, a car is still just an internal combustion engine, connected to a twelve volt battery (by bolts if you're lucky, alligator clips if you're not, and crumpled sheetmetal the closer you get to hicksville), and turning some kind of gearbox, with a clutch if they can drive, and a slushbox if they can't. This is connected to wheel hubs, and spins as fast as regular gasoline and regular air can enter the intake manifold times the ratio of teeth on the gears. Nothing fundamental changes between a new Bugatti and an old Beetle, though the interior might need to get some crap peeled away first.
Any actual car is precisely what I described, and contrary to popular belief, engines like to burn gasoline and run, so if you provide one rotation of the flywheel, and fuel to the fuel rail, the car will go, security systems/steering wheel lock/automatic transmission with gear lockout be damned. The doors of a car also haven't changed, and though sufficient to keep out the lazy, or unwilling, will open with a crowbar, and some force, and the alarm system is toast if the battery is already disconnected. All this can be done with physical access, simple tools, and knowledge of the fact that a car/van/truck is still just an ICE with a steel cable that moves to let air in.
People keep bringing up self driving cars, except we already have those. A Prius or a Smart Fortwo actually needs computer intervention, because you have to manipulate current to make it move, though the brakes, transmissions (CVTs are an oddball, but it's still basically helical gears and a slushbox), and cooling haven't changed. Every time a new form of traction control, or ABS, or cruise control, or the stupid Prius "you can't push the gas and brake at the same time" bullshit comes out, they just take one more driver function, and automate it. The car doesn't change, but the people slowly lose the ability to think or operate an ICE independently. Finding people who can drive a manual is hard, and finding people who can understand the idea that the engine can spin while the wheels don't is even harder. God help the drivers who get to drive with this new breed of morons, who don't understand that brakes on a car don't have any magic in them that makes them any better than bicycle brakes, and need to be treated as such, or that, no matter how shiny the interior is, the engine still needs oil, water, and gasoline to make it move and will, believe it or not, let you know its health by the level of fluids it needs, and the color of its exhaust.
A hacker, but I forget who... someone said, "If it has code, it can be hacked."
I have a simpler explanation that doesn't require a wall of text. They are opening the passenger side because that is where the glove box is and people typically stash valuables on or under the passenger's seat.
My Mazda6 w/ keyless start has a rare second factor to prevent theft.
See, after you get in, there's a kill switch on the floor in the form of a 3rd pedal.
Further, once the car is started, the operator has to both hold down that pedal AND select a particular gear with a completely different lever . . .
This keeps my car safe from not only theft, but from my wife or anyone else borrowing it as well. Totally safe as long as I stay in North America.
The assumption in the article is that the thief has a device that contains the "magic code" to open car doors. In 2011 the Network and Distributed System Security Symposium presented a paper titled "Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars" (reference http://www.internetsociety.org/events/ndss-symposium-2011-0) that discusses this very topic. A direct link to the paper is http://www.internetsociety.org/sites/default/files/franc.pdf. The relay attack seems more feasible to explain this phenomenon, where parking locations or specific vehicles are targeted rather than randomly targeting vehicles. In the paper, section 5 does the best to describe an attack scenario that might best explain the thieves' mechanism. A thief will exploit with what is readily available. Apparently, like a card scanner, they are able to capture the original key fob signal and present it in another form.
Years ago, if I recall...
I'm certain I read a story a few years ago about people whose cars were stolen. Because the cars had radio key fobs, their insurance companies refused to pay out, claiming they must have left their keys in the cars, as everyone "knew" that RFID key fobs were perfect security that no crime ring could ever overcome.
IIRC the police eventually located a stolen car that had LoJack GPS installed, much to the surprise of the insurance companies.
When you click once the driver door is unlocked. You have to click twice and all doors unlock. Must be two different programs and the hacker only needs the one.
RKE fobs are usually made by different manufacturers that use 315 MHz (for North America). The one I tested with was made by Texas Instruments, which I assume most Ford vehicles use. The signal usually consists of 3 parts: a small number of bits for the manufacturer code, followed by a large security code which is encrypted and rolling, and another small number of bits for the function (unlock, lock, panic, trunk). The rolling code only cycles so many times and would not be easy even if you had a device that was able to brute-force it. Since they are using the passenger's side door they are probably using a new method exploitable on flawed vehicles, or it's just people doing insurance fraud. I would assume this method involves overloading the circuit. If anything I would reach out to Texas Instruments and see what they have to say, since they probably created most of the technology behind the RKE fobs. Below I posted a link to an example of an RKE fob made by TI and a link to a video I made in 2009. http://www.ti.com/lit/ds/slws011d/slws011d.pdf http://www.youtube.com/watch?v=l24mgY2Ro8g
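A toy receiver for the three-part frame layout described in the comment above (manufacturer bits, rolling security code, function bits), added here as an example and not taken from TI, Honda or any real fob: it shows why a captured frame cannot simply be replayed and why tampering with the function bits fails. The proprietary encryption of the rolling part is replaced by a truncated HMAC over a counter, which is an assumption of this model only; the key, manufacturer id, frame sizes and window are all constructed for the demo.

```python
"""Toy rolling-code RKE receiver (added example, not a real fob's protocol).

Frame layout (9 bytes, constructed for this model):
  1 byte manufacturer id | 4 bytes counter | 3 bytes MAC | 1 byte function
The MAC stands in for the encrypted rolling security code; a real fob's
encoding is proprietary and is not described here.
"""
import hashlib
import hmac
import struct

FUNCTIONS = {0x1: "lock", 0x2: "unlock", 0x3: "trunk", 0x4: "panic"}
WINDOW = 16  # counter may run at most this far ahead of the last accepted one
FOB_KEY = b"constructed-demo-key"  # shared fob/car secret, constructed


def _tag(key: bytes, header: bytes, function: int) -> bytes:
    """3-byte authenticator over (manufacturer, counter, function)."""
    return hmac.new(key, header + bytes([function]), hashlib.sha256).digest()[:3]


def make_frame(mfr: int, counter: int, function: int, key: bytes = FOB_KEY) -> bytes:
    """What the fob transmits for one button press at a given counter value."""
    header = struct.pack(">BI", mfr, counter)
    return header + _tag(key, header, function) + bytes([function])


class Receiver:
    """Car-side state: the manufacturer id it is paired to, the shared key,
    and the highest counter it has accepted so far."""

    def __init__(self, mfr: int, key: bytes = FOB_KEY, start_counter: int = 0):
        self.mfr, self.key, self.last = mfr, key, start_counter

    def accept(self, frame: bytes) -> tuple:
        """Return (accepted, reason_or_function) for one received frame."""
        if len(frame) != 9:
            return False, "bad length"
        mfr, counter = struct.unpack(">BI", frame[:5])
        tag, function = frame[5:8], frame[8]
        if mfr != self.mfr:
            return False, "wrong manufacturer"
        if function not in FUNCTIONS:
            return False, "unknown function"
        # Authenticate before looking at the counter, in constant time.
        if not hmac.compare_digest(tag, _tag(self.key, frame[:5], function)):
            return False, "bad code"
        if counter <= self.last:
            return False, "replay"          # a recorded frame is worthless
        if counter > self.last + WINDOW:
            return False, "out of window"   # resync is not modelled here
        self.last = counter
        return True, FUNCTIONS[function]


if __name__ == "__main__":
    car = Receiver(0x42)
    press = make_frame(0x42, 1, 0x2)               # legitimate "unlock"
    print("first press   ", car.accept(press))
    print("replayed      ", car.accept(press))      # same bytes again
    print("flipped func  ", car.accept(press[:8] + bytes([0x3])))
    print("skipped ahead ", car.accept(make_frame(0x42, 10, 0x1)))
    print("far ahead     ", car.accept(make_frame(0x42, 100, 0x1)))
```

Only the first press and the in-window skip are accepted; the replay, the altered function byte and the far-ahead counter are each rejected with a distinct reason.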
They can have my POS TSX. What a lemon...