
Keyless Remote Entry For Cars May Have Been Cracked

Posted by Soulskill
from the all-your-glove-compartment-are-belong-to-us dept.
WheezyJoe writes "The Today Show had a piece this morning showing video of thieves apparently using a small device to open and enter cars equipped with keyless entry. Electronic key fobs, which are supposed to be secure, are replacing keys in more and more new cars, but the evidence suggests that a device has been developed which effortlessly bypasses this security (at least on certain makes and models). 'Adding to the mystery, police say the device works on some cars but not others. Other surveillance videos show thieves trying to open a Ford SUV and a Cadillac, with no luck. But an Acura SUV and sedan pop right open. And they always seem to strike on the passenger side. Investigators don't know why.' Police and security experts say they are 'stumped.'"

  • Stumped my ass (Score:5, Insightful)

    by Anonymous Coward on Wednesday June 05, 2013 @04:36PM (#43917757)

    Haven't we seen proof of concept hacks of these kinds for a while?

    Also, "adding to the mystery", also my ass. Different keyfobs work with different algorithms and protocols. Someone's hacked a particular subset of them.

    • by ackthpt (218170) on Wednesday June 05, 2013 @04:44PM (#43917869) Homepage Journal

      Haven't we seen proof of concept hacks of these kinds for a while?

      Also, "adding to the mystery", also my ass. Different keyfobs work with different algorithms and protocols. Someone's hacked a particular subset of them.

      Maybe the car is sentient, hates the current owner and wants to be stolen.

      • Re:Stumped my ass (Score:5, Interesting)

        by girlintraining (1395911) on Wednesday June 05, 2013 @11:09PM (#43921065)

        Maybe the car is sentient, hates the current owner and wants to be stolen.

        That, or the guy carrying the backpack in the video has something big enough in it to need a backpack; like a large coil, battery, and circuit board. People seem to forget that every electronic device is both a radio transmitter and receiver. With a powerful enough transmitter, any signal can be induced in any part of a circuit. Of course, physics also demands that any signal induced would be strongest along parallel wires -- power cables, to be specific.

        The reason why they're targeting passenger-side doors is probably because the control logic is in the driver side door, and the doors on the right-hand side would have the longest run of cable between the control board and the door's solenoid. Of course, you don't run power cable from one side of the car to the other, you run a signal wire; which depending on what kind of logic gate is on the other side, may only require a tenth to a half volt of voltage across it to trigger.

        The equipment to generate a short, broadband pulse at a right angle should be sufficient to induce the required voltage, thus causing the door to unlock. Never attack the crypto system when you can go after the control interface. This is, for all intents and purposes, a side channel attack. It would only work on makes and models of cars that have a sufficiently long run of signal cable running along the longitudinal axis of the vehicle. The attacker would need to be within about 5 feet to do this, and to not be obvious the car would need to be equipped with a lock that is along the window-frame or make an audible noise during unlock -- otherwise an attacker would have to visually inspect the interior of the car first, and the suspicious behavior of doing so in a parking lot filled with cars could attract law enforcement.

        Anyway, that's my suspicion for what's going on. To detect this, you'd need to be able to detect a sudden increase in broadband EMR, and triangulate its location, and the emission would only last a few milliseconds, if that. The police won't have the resources to find this, but the FCC might if the attacks are happening within a single metropolitan area... or if you had one of those multimillion dollar semitruck rigs with millimeter wave x-ray tech like what they use in airports to scan people (and their backpacks) for the tell-tale metal loop, which would be optimally placed around the circumference of the bag.

        Mind you, all of this ignores potential 4th amendment issues, along with all manner of other legal obstacles, including the fact that you'd be irradiating innocent people who are also unaware of your activities while in public. Failing that, you're tasked with swarming an area with officers and detaining anyone with a backpack within a certain radius, that radius being defined as the response time between signal acquisition and having boots on the ground.

        As to profiling them, you're probably looking for a van without windows, SUV, or similar vehicle where stolen goods can be dropped off and the attacker picked up quickly and removed from the area... statistically, he'll be within a few blocks. The equipment needed to generate a powerful enough EM pulse would take up most of the backpack and be very bulky -- even with high energy density batteries... it probably wouldn't have enough room to store much in the way of stolen items, necessitating a nearby collection point.

        • Oh, and P.S., if you're trying to catch this crew without the multimillion dollar anti-terrorist equipment or the FCC, you should canvass upscale shopping malls and retail establishments that cater to people who make an excess of $40,000 per year and are aged 45+; Look for lots filled with cars that are 2007 or newer, SUVs, etc. That's the most lucrative target for this type of criminal. Prioritize for surveillance areas with a lot of vehicle traffic, but not a lot of foot traffic. You already know their M.O

    • Re:Stumped my ass (Score:5, Interesting)

      by Trepidity (597) <.delirium-slashdot. .at. .hackish.org.> on Wednesday June 05, 2013 @04:45PM (#43917879)

      Yeah, the fact that it works only on certain makes/models, if anything, makes it much less mysterious. Compromises that exploit particular broken implementations of a cryptosystem are by far the most common kind of vulnerability, more common than fundamental breaks of a cryptosystem. If this device is opening only certain kinds of Hondas, it's likely Honda screwed up its implementation in at least some models.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Also, "adding to the mystery", also my ass. Different keyfobs work with different algorithms and protocols. Someone's hacked a particular subset of them.

      The linked article on Today is horrible. They also talk over and over about how "The Police" are stumped. As if "The Police" was some kind of borg mind. Better articles with more facts and less made up stuff can be found [msn.com]. It's the Long Beach Police Department, btw.

    • Re:Stumped my ass (Score:5, Interesting)

      by chuckinator (2409512) on Wednesday June 05, 2013 @05:16PM (#43918195)
      An older engineer I worked with once told me a story about a car manufacturer (don't remember which one) using the CAN bus to control the side view mirrors. Well, the CAN bus is an electrical bus without any form of authentication or security, and car thieves started to make a habit of busting off one of the side mirrors and issuing the unlock doors message on the bus. Note that the authenticity of this story is what you should expect from typical water cooler gossip.
    • Re:Stumped my ass (Score:5, Informative)

      by greg1104 (461138) <gsmith@gregsmith.com> on Wednesday June 05, 2013 @05:47PM (#43918569) Homepage

      Most manufacturers outside of the German cars are using systems developed by KeeLoq [wikipedia.org], so a vulnerability in that would impact a large number of vehicles. Parts of the encryption method have been attacked by researchers, with papers like How To Steal Cars [kuleuven.be]. Some of these papers point out [emsec.rub.de] that the exact security mechanisms used by manufacturers on top of KeeLoq's hardware are not public, so turning the theoretical hacks into a working device is still hard even with these issues identified. Based on that FAQ, KeeLoq itself seems secure against anything but very knowledgeable attackers with significant resources--they're quoting months of work to find a real-world vulnerability. However, we can't be sure that a specific implementation of the security approach wasn't weakened by a manufacturer mistake. I wouldn't place a large bet on that though. Someone like a car manufacturer wants to be able to say they passed the risk to someone expert in this area. If they start customizing things to add back doors, they're going to lose any ability to blame KeeLoq if there's a nasty vulnerability.

  • Maybe not so much the remote lock/unlock feature, but to be able to start it without actually inserting the key? A carjacker can push someone into their car as the door is opened and start it without fumbling for a key. Depending on the behavior of the car when the key becomes too far away, it can shut down during operation - dangerous - or be immobilized at its next destination (think a couple arrive at home, keyholder enters home and driver goes to run an errand).

    • by Trepidity (597) <.delirium-slashdot. .at. .hackish.org.> on Wednesday June 05, 2013 @04:46PM (#43917899)

      As far as I can tell, the compromise discussed in this article is only keyless entry, not related to starting a car. The thieves are using it to steal stuff like cell phones and GPS units from inside parked cars, not stealing the cars themselves.

    • by cdrudge (68377)

      The keyfob works to start or keep the car running only a matter of a few feet. If you get out of the car, or someone forces past you to get into the car when you're not in it they aren't going to start it with you standing outside the vehicle. Worst case, they might get a few feet before the car shuts down.

      It's a convenience feature that isn't necessary, but some people want it. They can keep their keys in their pocket or purse and not take them out to start the vehicle.

      • by klubar (591384)

        At least on the Prius once the car is running even if you move the key fob out of range, the car keeps running (actually a good safety feature as you wouldn't want the car to shutdown on a key fob failure.) On the Prius (and maybe other Toyotas), there is a metal key for mechanically unlocking the driver's side door and an electronic slot for starting the car. You can use the electronic slot if the key fob battery is completely dead so I suspect it's a passive NFC device. There is also a mode that you can

      • You can drive my Lexus all over creation without the key, but you can't restart it once you turn it off.
    • by Hadlock (143607)

      It's a lot easier to fence a laptop, cell phone, digital projector, petty cash, company credit card or whatever other sales materials/samples a business traveler might have in their car, than driving an entire car (and its easily traceable serial numbers) back to a chop shop. Plus you have to go back (taxi?) to the scene of the crime to get your car. The logistics just don't make sense.

    • by jon3k (691256)
      I'm sure keyless start will cause carjacking rates to skyrocket.

      Wait, no it won't.
    • On the other hand, if a carjacker pulls me OUT of my running car and drives away (I keep my doors locked, but still)... the keyfob is still in my pocket and I can even hit the alarm for whatever good that will do (I don't know if the car shuts off if I get too far away, once I started it up to fill my tires but I never went too far), but more importantly he can't shut the car off or he can't start it again.

    • by CAIMLAS (41445)

      I believe the key actually has to be present only for the initial start of the car, though I might be mistaken. That would be how I'd design it, at any rate. I see no point in the key needing to be present while the vehicle is in operation.

      On a whole, keyless start is an irritating and stupid feature, I think. For those of us who work out of our vehicles, it's irritating to have to lock/unlock the vehicle frequently just to make sure it's not jacked.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Maybe not so much the remote lock/unlock feature, but to be able to start it without actually inserting the key? A carjacker can push someone into their car as the door is opened and start it without fumbling for a key. Depending on the behavior of the car when the key becomes too far away, it can shut down during operation - dangerous - or be immobilized at its next destination (think a couple arrive at home, keyholder enters home and driver goes to run an errand).

      There are several systems involved here.
      First of all you have the remote lock/alarm/window fobs. These are powered by a small watch-style battery in the fob, and allow the car to be locked/unlocked (or roll down windows) from a pretty good distance away.. sometimes as far as 50 yards or more. This is basically a coded message using a pre-shared key stored on the FOB and in the car's computer system. Unless you have a specific remote-start system added to the car (or builtin to a few luxury models) this won'

  • Just a thought. (Score:5, Insightful)

    by Capt.DrumkenBum (1173011) on Wednesday June 05, 2013 @04:39PM (#43917793)

    they always seem to strike on the passenger side

    Maybe because people commonly stuff things like their GPS into the glove box, which is located on the passenger side?
    My car is so old it doesn't even have door locks, so not really a problem for me.

    • Re:Just a thought. (Score:5, Insightful)

      by dkleinsc (563838) on Wednesday June 05, 2013 @04:48PM (#43917923) Homepage

      Also, the passenger side is right next to the sidewalk if the car is parallel-parked. That makes it a lot easier than trying to break into a car while traffic is barely missing your tush.

      • by wile_e8 (958263)
        Also no steering wheel on that side. As long as they are just stealing valuables from the car, it's one less obstacle to pull stuff around and no chance of hitting the car horn and alerting the people in the house.
    • by gl4ss (559668)

      maybe they should try to find which device it is.
      here's a thought though, maybe it causes induction in the lock relay itself.
      a more realistic reason though is this: it's less suspicious if someone goes to a car on the passenger side, gets something and gets out again, like picking something up from the car he's supposed to be picking up.

      or cars are just parked with the passenger door towards sidewalk....

    • by CAIMLAS (41445)

      Add to the fact that most in-vehicle theft is performed with a broken window, it's kinda stupid. I'd prefer to leave my doors unlocked so I don't have to shell out $300 for new glass - and a broken window is a much more visible sign of B&E than someone fiddling with a coat hanger or gaining access keyless.

      • I just wish thieves would check to see if the door is locked before breaking the glass. I had a quarter glass shattered in my unlocked car.

        PS: Never, ever, lock a soft-top convertible.

      • by ThePeices (635180) on Wednesday June 05, 2013 @05:37PM (#43918427)

        Add to the fact that most in-vehicle theft is performed with a broken window

        Isn't that kinda dangerous for the burglar? Walking around with a broken window to be used to break into a car is unwieldy, and they can easily cut themselves on the glass of the broken window they are carrying.

        Not to mention it would look pretty suspicious walking down the street with a broken window.

  • kits for sale online (Score:2, Interesting)

    by Anonymous Coward

    You can get a keyless universal unlocker from China for around $2000USD.

  • This is probably something that is not what is expected, like some of those steering wheel locks that can be removed by breaking them in half by hitting in the middle of them rather than trying to pick the lock. They are not breaking the encryption, they are breaking the system, going around the expected secure path, not through it.

    • by mindwhip (894744)

      You are probably right... Either that or it's a brute force attack and they just throw lots of codes at it in a short time and hope one works which is unlikely.

      My guess is they have radio/microwave transmitter that is causing a computer reboot/corruption or messing with the sensor information being fed from the mechanical parts of the lock and tricking the computer into thinking the mechanical key was used which triggers the central locking to open. As for the passenger side thing it could be that side is mo

  • And getting access to the keys and/or algorithms that generate said keyfobs. How well are the companies protecting them?
    • by h4rr4r (612664)

      Having access to the algorithms should not compromise security.

      • Having access to the algorithms should not compromise security.

        Assuming that they are using some actually-competent cryptosystem, and didn't add a 'convenience feature' somewhere foolish to make it easier to create replacement fobs.

        Given the historical enthusiasm in lock and key circles for 'blind codes' that are super-magical-secure and can only be turned into bitting codes with the equally super-magical-secure codebooks that Trustworthy Authorized Locksmiths are supposed to have access to, I wouldn't be 100% optimistic about the market being handled according to the

        • by h4rr4r (612664)

          Valid, and stupid on their part. That is why I said should.

          • Valid, and stupid on their part. That is why I said should.

            Fair enough. I'm just deeply pessimistic that the (wise and superior) "knowledge of the algorithm Must Not compromise the system" standard that crypto systems are held to prevails with keyless entry systems.

            For whatever reason (whether it be power/gate constraints, cultural sharing with the world of locksmithing, or vendor lousiness uninhibited by the ruthlessness of the internet), keyless-entry/RFID auth/etc. seems to be one of the last major bastions of vendors talking about 'Proprietary Encryption' as tho

      • by Spritzer (950539)
        Unless the algorithms are flawed and exploitable
  • by GoodNewsJimDotCom (2244874) on Wednesday June 05, 2013 @04:45PM (#43917881)
    This tempts me so bad. I don't want to steal cars. I just want a button that sets off everyone's panic alarms.
    • This tempts me so bad. I don't want to steal cars. I just want a button that sets off everyone's panic alarms.

      Have you thought about trying a wiffle ball bat with a thin layer of foam on it? Sure, you have to run up and down the row of vehicles to make it work but it's 100% reliable and much cheaper.

      • by h4rr4r (612664)

        That sets off car alarms, most cars do not have them.

        He wants to trigger the panic button, which just uses the normal horn and pretty much all cars with keyless entry have.

  • by cruff (171569) on Wednesday June 05, 2013 @04:45PM (#43917885) Homepage
    What if the preference (or requirement) for doing this on the passenger side is due to the physical location of some wiring or other device that is susceptible to some kind of electronic signal or noise conduction into other circuitry that ends up causing the unlock?
    • by Dynedain (141758)

      Good guess. All you need to do is trigger the relay which could be electronic/magnetic instead of digital.

  • by bradgoodman (964302) on Wednesday June 05, 2013 @04:52PM (#43917961) Homepage
    They cited Hondas and Acuras. As Acura is made by Honda - it seems like they're exploiting a bug or vulnerability in a specific device.
  • I have an exploit that works on all cars and I am willing to share it!

    Step 1. Apply brick swiftly to car side window.
    Step 2. Unlock car.
    Step 3. Gain entry.

    On some models Step 1 will need to be repeated several times before progressing to Step 2.

    • by chrismcb (983081)

      Step 1. Apply brick swiftly to car side window.

      That doesn't always work either.

      • by h4rr4r (612664)

        On which cars?
        Even armored vehicles should just take longer. Possibly a lot longer.

  • Thumb (Score:4, Informative)

    by jklovanc (1603149) on Wednesday June 05, 2013 @04:56PM (#43917987)

    Did anyone even really watch the video? The "object" in his hand was his thumb. He was opening a door where the handle is embedded in the door. His palm was up and his thumb was out. The door was not locked in the first place. Did anyone see him try the door before he supposedly used the "device"? The incident with the guy with the backpack is even more telling. He was walking along trying doors till he found one unlocked. Notice he took a step back when the door opened.

    What is the evidence that the vehicles were locked? Statements from the victims who would lose the insurance award if they admitted that they forgot to lock their vehicle?

    As another poster put it, these criminals are targeting vehicle contents; most of which are in the glove compartment.

    • Re:Thumb (Score:4, Insightful)

      by workactnumberfive (2778027) on Wednesday June 05, 2013 @05:05PM (#43918089)

      The incident with the guy with the backpack is even more telling. He was walking along trying doors till he found one unlocked. Notice he took a step back when the door opened.

      He is walking by cars, hitting the button on his device. If you watch it again, you'll see that as he walks by, the lights in the car go on before he touches it...just like they do when you hit your unlock button on the keyfob. When that happens, he then backs up to enter the vehicle, as it is now unlocked.

      • by jklovanc (1603149)

        His hand is on the door handle as he walks by. The inside lights come on when the door is unlatched as well as when the remote is used.

    • by AmiMoJo (196126) *

      Maybe the guy was just looking for a car vulnerable to this attack, trying each car in turn. It seems to be very short range. Trying the handle might just be the device not working the first time and having to trigger it again. The video quality is too poor to really see anything.

      If there is no-one in my Mitsubishi it locks itself after about a minute. Unless you leave something heavy on a seat so it thinks there is someone sitting there it is impossible to leave it unlocked.

      • by jklovanc (1603149)

        Hence the fact it works on some cars and not others. Opening an unlocked door does not work on cars that automatically lock their doors.

    • by 1800maxim (702377) on Wednesday June 05, 2013 @05:10PM (#43918135)
      A driver carries a pass, a credit card sized remote (or a keyless fob). As the driver approaches the vehicle, the vehicle scans the remote and is ready to unlock if you touch the handle. The door handle also has a sensor where your thumb goes. As soon as you touch it, and if the vehicle registers the keyless remote, the door is opened.

      Such cars (usually) have push-button start systems that also work based on the proximity of the keyless remote.

      It is very convenient if your hands are full and you want to open the rear door, for example, without having to search your pocket and fumble with buttons.

      Approach the car, open the handle, press the button - drive. No need to even touch the key/remote, which sits in your wallet or pocket.
    • by bobbied (2522392)

      Where are my mod points....

      Mod this post UP folks..

    • by Hadlock (143607)

      You still need to physically open the door? Presumably the device can be activated with the off hand.

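  • unlock = true;                              // starts in the unlocked state
    try {
        if (!rxkeycode()) { unlock = false; }   // only a clean "no match" clears it
    } catch { }                                 // any error inside rxkeycode() is swallowed
    if (unlock) { unlock_the_door(); }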

    Short of having found a "master keycode", I'd suspect something analogous to the above. Pretty much find any type of problem in the hypothetical rxkeycode() and you win, if that's how it's implemented. The cars it doesn't work on... either the triggered bug doesn't happen, or the logic starts with "unlock=false" blah blah blah.

    Would be interesting to know, not that they'll ever tell.
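
The fail-open pattern sketched in the comment above, set beside a fail-closed version, as an added example (not the commenter's code and not any manufacturer's firmware). The frame layout, the status enum, the sample bytes and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical receiver outcome: the comment's rxkeycode() is modelled as
   "match", "no match", or "receive/parse error" (its thrown exception). */
typedef enum { RX_MATCH, RX_MISMATCH, RX_ERROR } rx_status;

#define CODE_LEN 4
/* Constructed sample values, not taken from any real fob or vehicle. */
static const uint8_t EXPECTED[CODE_LEN] = {0x3a, 0x91, 0x5c, 0x07};
static const uint8_t FRAME_VALID[]     = {CODE_LEN, 0x3a, 0x91, 0x5c, 0x07};
static const uint8_t FRAME_WRONG[]     = {CODE_LEN, 0x00, 0x11, 0x22, 0x33};
static const uint8_t FRAME_TRUNCATED[] = {CODE_LEN, 0x3a, 0x91};
static const uint8_t FRAME_NOISE[]     = {0x09, 0xff};

/* Assumed frame layout: [length byte][code bytes]. Anything that does not
   parse is reported as RX_ERROR rather than as a mismatch. */
static rx_status rx_keycode(const uint8_t *frame, size_t n)
{
    if (frame == NULL || n < 1)
        return RX_ERROR;
    if (frame[0] != CODE_LEN || n != (size_t)CODE_LEN + 1)
        return RX_ERROR;
    uint8_t diff = 0;                    /* compare without early exit */
    for (size_t i = 0; i < CODE_LEN; i++)
        diff |= (uint8_t)(frame[1 + i] ^ EXPECTED[i]);
    return diff == 0 ? RX_MATCH : RX_MISMATCH;
}

/* Fail-open, as in the comment: the flag starts true and only a clean
   mismatch clears it, so the error path leaves the door unlocked. */
bool should_unlock_fail_open(const uint8_t *frame, size_t n)
{
    bool unlock = true;
    if (rx_keycode(frame, n) == RX_MISMATCH)
        unlock = false;
    return unlock;                       /* RX_ERROR falls through as true */
}

/* Fail-closed: the flag starts false and only a positive match sets it,
   so every error path ends with the door still locked. */
bool should_unlock_fail_closed(const uint8_t *frame, size_t n)
{
    bool unlock = false;
    if (rx_keycode(frame, n) == RX_MATCH)
        unlock = true;
    return unlock;
}

int main(void)
{
    const struct { const char *name; const uint8_t *f; size_t n; } cases[] = {
        {"valid code",      FRAME_VALID,     sizeof FRAME_VALID},
        {"wrong code",      FRAME_WRONG,     sizeof FRAME_WRONG},
        {"truncated frame", FRAME_TRUNCATED, sizeof FRAME_TRUNCATED},
        {"noise",           FRAME_NOISE,     sizeof FRAME_NOISE},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s fail-open=%d fail-closed=%d\n", cases[i].name,
               should_unlock_fail_open(cases[i].f, cases[i].n),
               should_unlock_fail_closed(cases[i].f, cases[i].n));
    return 0;
}
```

The two versions agree on well-formed input and differ only on frames the parser rejects, which is why this class of defect tends to survive testing that exercises only valid and invalid codes.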

  • Keypad (Score:4, Insightful)

    by bhcompy (1877290) on Wednesday June 05, 2013 @05:01PM (#43918057)
    My 1986 Nissan Maxima had a keypad. I keyed in a code (of my choosing, plugged in at the dealership) and it unlocked my driver door, all my doors, my trunk, etc. I loved it because I could stash my keys in the trunk when I was doing something where I didn't want to keep my keys with me (like going to the gym) and just punch my key in when I wanted access. Sadly, this never caught on. I like it much better than fobs (other than remote start in cold weather).
    • Re:Keypad (Score:5, Interesting)

      by organgtool (966989) on Wednesday June 05, 2013 @05:55PM (#43918669)
      My friend had a keypad on his garage door opener with a four-digit code. One day he invited me and another friend over, but he didn't answer the door when we got there. Calling his house line also proved futile. We figured he fell asleep before we got there (which turned out to be the case). However, while we were waiting, the friend who was stuck outside with me started punching numbers on the garage keypad. I tried telling him that there were 10,000 possible combinations, but that didn't dissuade him. After a few seconds, the garage door opened up. I asked him how he knew the code and he pointed out that four of the numbers on the keypad were very worn. I did the math and realized that his observation took the number of possible combinations from 10,000 to 24! The point is, be careful with those keypads and change the numbers periodically if possible.
  • I know with my Nissan, and I believe that all cars are the same, you need to press on the unlock button twice to unlock the passenger doors. Perhaps there is something in that sequence that allows them to create a shortcut sequence that opens the passenger doors.

    For example, maybe there is something in the "lock" code that is sent to lock all of the doors that triggers the start of the "unlock passenger doors" sequence and all it is waiting for is the extra code from the second key press.

  • NXP, google it yourself, don't believe me. NXP's Mifare is insecure, used in Oyster, OV-Chip and a few other very large deployments. Similar weak chipsets are found inside key fobs. Similar problems. Trivially exploitable. Just listening and some knowledge of the platform is enough to predict the next 'secure' exchange. And steal the car. Embarrassing: the next car could as well be an extremely expensive Mercedes Benz S-class.

  • by quilombodigital (1076565) on Wednesday June 05, 2013 @05:58PM (#43918711)
    A better theory would be that the guys just placed a device in the neighbourhood earlier, that JAMS the signal that closes the car door. Most users wouldn't notice, since they just turn back and start walking while pressing the lock button. AFAIK, it is easier to JAM a signal than to decrypt it. :) A small device with a 2W amplifier could cover a range from 500mts easily.
    • by Nidi62 (1525137)

      A better theory would be that the guys just placed a device in the neighbourhood earlier, that JAMS the signal that closes the car door. Most users wouldn't notice, since they just turn back and start walking while pressing the lock button. AFAIK, it is easier to JAM a signal than to decrypt it. :) A small device with a 2W amplifier could cover a range from 500mts easily.

      I have the habit of always hitting the lock button twice, and making sure I hear the horn. That way I know my truck is locked.

  • by WindBourne (631190) on Wednesday June 05, 2013 @06:30PM (#43919057) Journal
    Obviously there is a back door in it. The thieves have figured out the code that is embedded in there that will open up to that.
