Ask Hackaday: How are these thieves exploiting automotive keyless entry?

keyless-entry-vulnerability

A new attack on automotive keyless entry systems is making headlines and we want to know how you think it’s being done. The Today Show reports that vehicles of different makes and models are being broken into using keyless entry on the passenger’s side of the car. It sounds like thieves steal items found inside rather than the vehicles themselves which makes these crimes distinctly different from the keyless ignition thefts of a year ago.

So how are they doing this? Here are the clues: The thieves have been filmed entering only the passenger side of the car. They hold a small device in their hand to unlock the doors and disable the alarm. And there is evidence that it doesn’t work on 100% of vehicles they try. Could it be some hidden manufacturer code reset? Has an encryption algorithm been hacked to sniff the keyfob identifier at a previous time? Or do you think we’re completely off track? Let us know your opinion by leaving a comment.

[Thanks Mom]

Comments

  1. Phil says:

    I would say they approach the passenger side because it the glove compartment is nearer and seeing someone go in the passenger side briefly is less suspicious than someone trying to lean past the steering wheel to get something.

  2. roboman2444 says:

    My guess is either a jammer, or something that listens for the frequency generated by the remote key, and then reproduces the signal when the theif wants to.
    I have seen someone do that with garage door openers, so why not cars?

  3. Old'un says:

    Maybe they’re trying the passenger side because… that’s where drivers put things, and it’s a lot more convenient to reach in rather than open the trunk and climb across the back seats…

    So, we’re down to the cars are unlocked, and the thieves can tell left from right. Investigative journalism at its best.

  4. Curt says:

    I just bought a new car and it has the keyless entry where you walk up and when you put your hand on the handle it unlocks automatically. Taking this into account, I’m guessing that the car is constantly searching for rfid or some other passively readable code. So they have a powerful reader that is gathering all the codes it can read from within a hundred feet or so (even inside the house where the car is parked) then the handheld device repeats those codes as the device is held up to the car door. Does anyone know if all the cars being broken into have been within XX yards of the key fob? or is this happening at malls too?

  5. Buddy says:

    The passenger side observation may be a red herring. If there’s stuff to steal, it will most likely be on the passenger side. Reaching over the driver’s side takes more work.

  6. They probably enter the passenger side because it’s much easier to steal from the inside of the car without the steering wheel blocking you. In a theft, time is the most important factor. A big steering wheel in your way doesn’t help.

  7. This reminds me of a hack / article involving using common key blocks: http://www.cosic.esat.kuleuven.be/keeloq/

    The reports indicate that the thief does not need to be nearby – therefor not sniffing the remote or jamming the lock command.

    Always passenger side; just guessing (as I do not know where the car control module is in the affected cars), but if the CCM is on the opposite side of the car, an EMI device such as a Tazer or similar may cause an EMI/surge event that either sends a false unlock or simply resets the system, tripping the door?

    Sorry if this duplicates other insights – logging my thoughts while wading through pages of people explaining that their car does in fact auto lock.

  8. kgasper says:

    Not sure if anyone’s mentioned this yet…

    but based on recent reports about gov’t wiretaps and the FBI’s desire to expand that capability to include backdoor’s into all communications software…

    I propose the thieves are using some gov’t backdoor that is required of all automobile manufacturers so the FBI can easily get into your car if need be without leaving a trace. Furthermore, the perps probably work/worked for the FBI, NSA, CIA, …

    I’m just saying.

  9. Tron9000 says:

    actually, watch this and scroll to 3:16:

  10. Chris C. says:

    Dunno how they’re doing it. I do know that my car key will open a surprising number of domestic cars – curiously, on the passenger side only. But why that side? My car has keyless entry, and so do the cars that I’ve opened, so key/lock wear shouldn’t be an issue; it appears as if the passenger side lock is made differently. Seems like making different lock types for each side would be more expensive, and therefore pointless unless it was an intentional caveat. Wouldn’t surprise me at all if many such caveats exist, with some being easily exploited.

    Even the EMP/ESD theories seem somewhat feasible. Remember a car is a network, with all physical sensors wired to the nearest MCU. If you can disable the MCU in the door, then it’s not necessary to disable the alarm as a whole; since that MCU will not be able to report the opening of the door. Although I doubt that’s what is occurring in these videos.

  11. m1ndtr1p says:

    They do it on the passenger side because many stock “alarm” systems (they’re not really alarm systems imo as they only engage if someone tries to unlock the door without using the keyfob) will only go off from driver’s side and not the passenger, like when you use your keyfob to lock your doors, but then use your key to manually unlock it from the driver’s side, the “alarm” will go off… But if you manually unlocked the door from the passenger side, the “alarm” wouldn’t go off. As for exactly how they do it, I have absolutely no idea…

  12. ejonesss says:

    it could be possible that there is some kind of master key used by the police and other investigators to open and relock the car and maintain stealth.

  13. Peter says:

    Because people who use the passenger side, may not realise the car doesn’t have central locking and they are playing the odds of all cars. it may be a coincidence that modern keyless entry car owners are unaware their car is not locking as they would not have to manually inspect the door by pulling it, relying on the fact they had pressed a button outside an arbitrary range. older car owners may be more aware of if there car has physically locked by tactile sceptical feedback, new car owners may be simply
    unaware.

  14. Nik says:

    It could be as simple as passing an ac electrical voltage through the key hole and grounding it to the body. since this seems to work on a few cars and not others, it appears the exploit is taking advantage of some quirk in the wiring harness.or the power locking mechanism.

    I had a Honda Civic a few years back and the power door locks had a feature that locked all doors when the the drivers side door locked. This system sometimes developed a fault in the drivers side that would engage the auto-lock mechanism on the driver-side door effectively preventing the drivers door from being unlocked manually.

  15. highnoon says:

    Here’s thoughts on two possiblities: My BMW 528i E39 has trouble with the airbag sensor and controller.. EMI is triggering the CPU to think there is an accident. This does not deploy the bags since there are additional safeguards for that. But the controller does send a signal that turns on the interior lights, activates the emergency flashers and unlocks all the doors. I have tested this numerous times and there are particular spots where this will occur while driving down the road. It typically happens around power stations with lots of overhead wires or cell towers. My office has a tower on the roof (4 stories up) and transmitter is in the parking garage. Park my car in the garage and I find my car unlocked with a dead battery on occasion. SO, the theory is that Honda has a vulnerability in the airbag system that is easily exploited by an EM field. BTW, my issue is likely a faulty ground on the controller harness. I am too lazy to tear down my center console to fix it.

    Second possibility. Does anyone remember the laundry card hack from a few years ago on HAD? The MFG of the system never changed the encryption code for the cards. Is it possible the auto mfgs have done something similar? Despite the rolling/hopping codes if the random seed is the same in every key fob it could be possible to extrapolate one of the 256 codes in the sequence if one had the last used code.

    My money is on EMI though. I believe the issue with my car is because the system would rather be safe than sorry so any failure in the system triggers the unlock, lights on condition.

    Locks keep honest people out. All the crypto in the world will not fix poor electrical engineering.

  16. Andy says:

    In their country of manafacture, Japan, the Honda/Accuras passenger side door is the the drivers side door.

  17. mattadlard says:

    Thing is passenger side doors have less security and access electronics in order to allow emergency service access to vehicles, less know, so any electronic interference is better that side.

  18. Jonathan Smith says:

    I’m sure it’s been posted in this long list of comments, My simple answer would be figure out what the frequency or w.e. of the keyfob(should be relatively simple) have something that listens for and copies it, then replays it at the car.

  19. Bruce Boettjer says:
  20. Tom the Brat says:

    My guess: The software in the car refuses to unlock the car if the code is wrong, but a bug allows it to unlock the car if there is no code to be wrong. I coded one of these kinds of bugs myself just a couple years ago. “Why do you mean it lets you log in if you don’t put the password?”

  21. Stoutlimb says:

    The passenger side likely has nothing to do with the hack. It’s a prudent legal strategy. These guys aren’t stealing cars (grand theft), but rather contents (petty theft). In many jurisdictions, catching a criminal breaking into the driver’s door indicates intent to steal the entire vehicle, which is a much harsher penalty. These criminals simply don’t want to risk being charged with attempted grand theft auto for trying to steal a bit of change from the cup holder. They’re stupid for being criminals in the first place, but somewhat smart in the execution.

  22. Tom says:

    I think this is a case of the power of suggestion. I have watched the video several times and still do not see anything in anyone’s hands. The guy in the second video looks just like he is walking down the street grabbing door handles as he walks.

  23. Mad Myche says:

    There is so much we don’t know about what the method was…

    Could it be we are trying some sort of an EMP to energize the unlock solenoid?
    Could we have sniffed enough of the encrypted sequences from the car to the transmitter to figure out the keys?
    Could we be using the somehow getting into the CAN bus via owner additions of bluetooth or wireless apps?

  24. Dave says:

    I’ve always assumed that manufactures build a “back door” access code into their car security system as a fail safe and as a way of allowing law enforcement to get into a locked vehicle. My guess is that someone has gained access to that code and is selling it to the car thief market.

  25. Zero says:

    I agree with the “over thinking” statement… Way back when in the phone Phreaking era… Free calls were possible by simply unscrewing the phone and shorting out a few stuff with a paper clip.. (there is your 007 style right there, i mean they DID pay $1000 and upwards for a paper clip in those days)…

    But seriously.. Think about it.. MOST cars have electronic windows these days.. where is the ground/negative in a car? There where how many thousand cars recalled in south-africa in the past few years by MAJOR manufacturers for issues caused by production or during production..

    Pulling a sensor high or low is not hard.. Possibly there is a “ground” fault in the passenger side door.. The spring in the handle might touch a wire inside and if wiggled correctly.. with an added 9 volts maybe… who knows…

    all the guys babbeling about 12v and 1000000A needed.. Sure.. thats why the car battery is there.. tricking the system into unlocking the door is not hard.. Think about a keypad, all you need to do (in the simpelist form) is to get the relay to supply (or remove) current to the magnet keeping the door shut.. you do not have to try ALL the combinations to “get the right one” in regards to the “getting the key code” babble…

    Think about all the electronics in the passenger side door… I think it is just a “short” that is created, to help unlock the door.. disabling the alarm… It might be an “error” in the programming.. non of the “trigger alarm” conditions are met.. we can debate this in circles.. but I agree with the “low tech” approach.. Can’t wait to read all about the “miracle device” used to break into these cars.. It will be interesting to know what they did… That is if we will ever find out… As I am 99.9% sure it is a manufacture fault that is being exploited here.

    Interesting…

  26. Andy says:

    Were all these cars outside their owners houses while the owner was inside?
    If so I’ve got a theory;
    The owner may have placed the keys near the front door, had them on their person while sat in the front room or on a side dresser in the front bedroom.
    The keys were in-range of the car when the door handle was tried and, thinking it was the owner, the alarm deactivates and releases the door interlock.

    The thieves are not exploiting keyless entry they are factoring that X amount of cars have keyless entry divided by Y chance of an owner leaving keys in range of car.
    Nothing a little education could’nt fix.

  27. cyberee says:

    Just checked something, I tried this on a Subaru and an Acura, roll down the passenger window lock the car, unlock the car using the knob. The Subaru tripped the alarm the Acura did not. I looked over the wiring for the car the way it is wired you can drive the lock solenoid using an EMP device and it will disarm the alarm!!!

  28. Dale says:

    This is simple. The Keyfob is always in transmit mode. The owner walks away with the keyfob. Perp #1 is close to the car owner and calls Perp#2 who is near the car. When Perp#2 answers, the keyfob signal is transmitted via cell phone to the car. Perp#2 has to touch the door handle for the unlock feature to unlock. The reason to use the passenger side is: people approach the driver side and would get a better look at Perp#2 if Perp#2 was on the driver side of the car, plus most items a Perp would want to steal are mpre commonly stored on the passenger side.

    My car has this keyless entry feature but it can be disabled via the car’s user setup – so that the keyfob button must be pressed to unlock the door or trunk.

    If the car owner is inside the house asleep or otherwise unaware, Perp#1 needs to go to different areas of the house while Perp#2 tries the door handle to see if the signal has been picked up by Perp#1.

  29. Ken says:

    My thoughts…
    Maybe the device in the guys hand does 2 things
    1 – interferes with “lock” signal from drivers remote so the car remains unlocked
    2 – makes a loud click noise similar to door locks operating, making the driver think it is locked
    OR
    Maybe the device sends a strong signal that could be picked up by the cars CAN bus (for controller area network) system. This signal could be for unlocking the passenger door so the thief has to stand close to the car for the signal to be picked up by the CAN bus system

  30. Matt says:

    My guess would be that they are manipulating the ground plane. If the car is using a VREF sample or pull up/downs when measuring signals on the CAN bus then it may be possible to induce a message on the bus by changing the reference voltage. The same trick has been used to bypass on-chip security in the past. Why the passenger side door? On newer models which would have a CAN bus, the passenger side lock is still usually going to be a standard auto lock with the housing grounded to the car body/frame.

  31. Koplin says:

    Why are so many people thinking this is a hack on the keyfob, rolling code etc. There are other radio and communication paths to attack in a car, and for that matter in an aircraft.

    for cars

    http://arstechnica.com/security/2010/08/cars-hacked-through-wireless-tyre-sensors/

    for aircraft

    http://www.cnn.com/2013/04/11/tech/mobile/phone-hijack-plane

    One could have found a defect in another system in the vehicle. Just saying that what ever it is you would think this kind of thing would be being exchanged in communications online between parties trying to acquire the tech. If its a hack and someone is trading that info for money. The thief’s may just be building or buying the device exploiting the hack. aka script kiddie vs the designer of the exploit. Given a typical large police department, finding a snitch shouldn’t be too long in the waiting. Most criminals will rat out someone else to reduce their own troubles.

  32. Nandom says:

    I love how the most plausible answer is the doors are unlocked/owners are liars but I have learned 3 very promising ways to unlock newer cars
    Nothing criminal just curiosity really

  33. ThisIsSomethingIWouldntTry says:

    The issue is with some of these cars, If they have a second system. Example ‘remote start key less entry’ simply because the original fobs have come up missing. The way these aftermarket installs are they disable the old security system by jumping out the key chip (if its installed) to fool the car to think it has a key so it can start. they then attach other wires from the new box to the key less entry system and so on. Some of these add on’s the frequency of the receiver is generally easy to manipulate.
    it really dont take a rocket scientist to figure out what cars and what ones dont have that little add on.

  34. friginshiny says:

    Who needs a lock… I’m getting one of these-

  35. M says:

    The truth is that the algorithm for the lock is not the weakest point in the system. If the thieves were smart enough to crack that, they would have been smart enough to not bother and instead choose to exploit one of the weaker mechanisms. Additionally, they would have been smart enough to get a lucrative job instead of relying on petty theft for minimal gain.

    I expect that they’re just (ab)using induction to drive the motor hooked to the lock. This could be remedied by simply adding an interlocking to the system.

  36. mopster says:
  37. burrin says:

    For the first two burglaries it looks like it is not incredible or super noble tech, it’s just a simple jammer that may jam multiple cars at once:
    -If you see the way the first thief slides his hand after opening the door then it’s obvious that they have nothing in the hand opening the car.
    -From the second thief you can see how confident he is after his fella already opened the first car. And his left hand is not even close to the car.

    -From the third burglar you can see he is just trying out which cars have left out their passenger doors unlocked.

    This is a really common scenario. I drive my car with a friend in the passenger seat, when I get to my destination I just step out of the car and automatically lock the car. While my friend in the passenger seat is a lazy*ss and stays in the car for a few minutes checking his tablet/smartphone then he unlocks HIS door from the inside walks out and leaves it unlocked.

    Cops and reporters are not the sharpest tools in the shed, y’all know.

  38. hizzo3 says:

    My bet is that a simple logger is being used here. Much like packet capture. Hang outside some place with the car you want, catch the data packet, follow home, then replay the code after the owner is gone. This is a fundamental flaw in car security.

  39. Pancakes says:

    I am really disappointed. I Cntrl+F’d for “cell” and got one excellent.
    You can transmit key-less entry fob signals through cellular devices. This is an intended feature, so that if you get locked out a friend/family member can unlock it remotely if you lock yourself out, etc.

    I am a mechanic and when I suggest this method to a customer (usually over the phone) they report it works, about 90% of the time.

    Additionally, I am not aware of there being any lockout period between key-less entry fob bad combinations. ie you could send 1000 different fob codes and not get locked out of the system. and if you are doing this with a small cell/radio receiver device, you could launch thousands of fob codes while walking up to the door.

    as to why its only happening on the passenger side, my guess would be for the glove-box, or for some sort of security exploit on that side of the car. It could just be physical obfuscation, to throw viewers off-track and look for something it is not.

  40. Cliff says:

    I think what they do is fooling the system into thinking the key is locked in the car. Some systems may unlock the car if thats the case.

  41. clin23 says:

    I think they exploit the feature that some cars will unlock if the key is detected in the car. they must be using some tricks to activate this feature.

  42. clin23 says:

    I think they exploit the feature that some cars will unlock if the key is detected in the car. they must be using some tricks to activate this feature

  43. Dr. DFTBA says:

    I think the passenger side is a red herring. They want people to fixate on that.

  44. Boilerbots says:

    I was researching Keeloq last week, looking for a decoding receiver that I can connect to a computer for a home project. I ran across a module that said it has partial knowledge of the master codes for honda in the unit and can unlock car doors. I can’t find the product now that I am actually looking for it. Will traverse my browser history when I get back to work.

    However I found a similar device:

    http://www.pndglobal.com/html_products/auto-remote-control-blocker-pnd-arcb002-132.html

    and a newer model:

    http://www.pndglobal.com/html_products/auto-remote-control-blocker-pnd-arcb001-131.html

    If you left a device that could learn codes hidden in the parking garage for a few hours and then retrieved it to replay the codes I am sure you would be able to access a few cars.

    The key here is to target a particular make of vehicle so that the “manufactures code” portion of the crypt key is know if the manufacture always uses the same code across all vehicle makes and models. Read the HCS301 data sheet for details.

  45. Eric Wolf says:

    WATCH CLOSE!! The small flash of light reflected off of the second persons clothing, they show a close up that shows the flash just an instant before the interior light comes on from the door being opened. This is absolutely a emp device because on the import vehicles there is a hole that is filled with a composite handle not a solid metal door that would “ground” the emp like in the heavier American made vehicles. its a no brainer

  46. spuder says:

    Why the passenger side?

    1. They don’t plan on driving the car
    2. Most valuables are kept in the glove box or center console. It’s easier to reach them from the passenger side.

  47. JerryV says:

    Not sure what the frequency could be, but could they be picking up packets sort of like an RFID clone device? then using them to unlock the car? also, as far as some of them not working, it could be due to custom alarm system?

  48. ronald bakker says:

    i’m wondering , they steal the cars in front of the owners home ?
    if so they might use some sort of one or two two way relayradios to make the car and the keyfob believe there within opening distance of the car
    if he can get one of those radio’s close enough to the keyfob in the house that should work even stuck to an outside wall
    all the thief then has to do is hold the second radio close to the car to pick p the cars responce and send out the responce from the keyfob touch the doorhandle to open the car
    all the code change stuff and wat not is straight of the original devices just over a longer distance

    • cutandpaste says:

      if so they might use some sort of one or two two way relayradios to make the car and the keyfob believe there within opening distance of the car

      You know, I’ve been thinking about this topic since it was posted in June. I’ve debunked all of the obvious ones that I’ve felt like debunking (the Razor says that they simply left the doors unlocked, even if they’re sure they locked them “just like they always do”), but I’m bored tonight and going back through some of the comments.

      You might actually have a valid attack with your concept: An RFID repeater.

      How does it work? Well, first, we have to figure out how a smart-key entry system is supposed to work on a normal day.

      Without, you know, actually looking:

      I imagine that the relationship between a smart key and a car that automatically unlocks its doors based on proximity is a challenge-response sort of arrangement. The car periodically sends challenges, and the key (if it is listening range) issues a response. If the car receives a response is cryptographically good, the door unlocks automatically.

      So, that’s how it ought to work in a perfect world.

      There may be an actual attack vector possible if one has RF access to the key (which might just be on a hook near the front door of the house, which -may- be close enough to access nonchalantly from the street) and the car (which is on the street and easy to get close-enough to).

      In other words, simply improving the range of a key inside of a house (using either passive or active methodology) might be enough to access a car parked just outside on the street.

      All that said: I think the documented cases in TFA and TFVs are still simply folks who left their doors unlocked. But it doesn’t seem impossible for a third party to unlock a properly-equipped modern car, if the key is within close-enough proximity and the third-party is properly equipped.

  49. Bobikas says:

    I think they strike the passenger side because that’s where the glove compartment is.

  50. NA says:

    When the President and his wife were visiting Avery Fisher Hall at Lincoln Center last fall, there were understandably a lot of secret service personnel on campus and around the neighborhood. The head of another theater’s security detail (who is a former detective and FBI member, etc) had his crown vic (same as the undercover/ unmarked crown vic’s many police departments have) parked nearby. He also had the security system on his vehicle upgraded when he purchased it.

    A secret service detail walking around the area thought his vehicle appeared suspicious. One of the agents pulled out a sort of large hand held device and in 30 seconds, the trunk popped open and so did the doors, and they searched his car. Four campus security guards saw this and were amazed. No one is quite sure what this device they had was or how it worked. The security head also had no idea how they did this, it almost seems like there must be some backdoor.

    • cutandpaste says:

      When the President and his wife were visiting Avery Fisher Hall at Lincoln Center last fall, there were understandably a lot of secret service personnel on campus and around the neighborhood. The head of another theater’s security detail (who is a former detective and FBI member, etc) had his crown vic (same as the undercover/ unmarked crown vic’s many police departments have) parked nearby. He also had the security system on his vehicle upgraded when he purchased it.

      A secret service detail walking around the area thought his vehicle appeared suspicious. One of the agents pulled out a sort of large hand held device and in 30 seconds, the trunk popped open and so did the doors, and they searched his car. Four campus security guards saw this and were amazed. No one is quite sure what this device they had was or how it worked. The security head also had no idea how they did this, it almost seems like there must be some backdoor.

      Did you observe this?

      Because, growing up, I’ve heard a lot of stories about cow tipping. It’s supposed to be the greatest thing ever: You sneak up on a sleeping cow in the middle of the night, and just sort of shove it over on its side. This results in tremendous hilarity, I’m told.

      Except, nobody I know has actually ever tipped a cow, but everyone knows someone who knows someone else who has gone about the act of tipping over a sleeping cow.

      Therefore, cow tipping must be a thing that is actually possible.

      Right?

      (Except, of course, for the fact that cows normally sleep laying down, so they tend to be tipped over when asleep by default.)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 96,711 other followers