[Yingtao Zeng], [Qing Yang], and [Jun Li], a.k.a. the [UnicornTeam], developed the cheapest way so far to hack a passive keyless entry system, as found on some cars: around $22 in parts, give or take a buck. But that’s not all: they managed to increase the previously known effective range of this type of attack from 100 m to around 320 m. They gave a talk at HITB Amsterdam a couple of weeks ago and showed their results.
The attack in its essence is not new; it’s basically just a range extender for the keyfob. One radio stays near the car, the other near the car key, and the two radios relay the signals coming from the car to the keyfob and vice versa. This version of the hack stands out in that the [UnicornTeam] reverse engineered and decoded the keyless entry system signals (the system is produced by NXP), so they can send the decoded signals via any channel of their choice. The only constraint, from what we could tell, is the transmission timeout: it all has to happen within 27 ms. You could almost pull this off over the Internet instead of radio.
The actual keycode is not cracked, like in a HiTag2 attack. It’s not like hacking a rolling key keyfob either. The signals are just sniffed, decoded and relayed between the two devices.
A suggested fix from the researchers is to decrease this 27 ms timeout. If it is short enough, at least the distance for these types of attacks is reduced. Even if that could eventually mitigate or reduce the impact of an attack on new cars, old cars are still at risk. We suggest that the passive keyless system is broken from the get-go: allowing the keyfob to open and start your car without any user interaction is asking for it. Are car drivers really so lazy that they can’t press a button to unlock their car? Anyway, if you’re stuck with one of these systems, it looks like the only sure fallback is the tinfoil hat. For the keyfob, of course.
Modern smart keys allow you to keep the key fob in your pocket or purse while you simply grab the handle and tug the door open. [Phil] decided he would rather ditch the fob altogether and instead implemented a passive Bluetooth keyless entry system with his Android phone. It’s probably unlikely for car manufacturers to embrace phone-based keys anytime soon, and [Phil] acknowledges that his prototype poses a landslide of challenges. What he’s built, however, looks rather enticing. If the car and phone are paired via Bluetooth, the doors unlock. Walk out of range and the car automatically locks when the connection drops.
His build uses an Arduino Mega with a BlueSMiRF Silver Bluetooth board that actively searches for his phone and initiates a connection if it is in range. The doors are unlocked directly through a 2-channel relay module, and an LED indicator inside the vehicle shows the status of the system. A pulsing light indicates it’s searching for the phone, while a solid ring means that a connection is established.
We hope [Phil] will implement additional features so we can make our pockets a bit lighter. Watch a video demonstration of his prototype after the break, then check out the flood of car-related hacks we’ve featured around here recently: the OpenXC interface that adds a smart brake light, or the Motobrain, which gives you Bluetooth control over auxiliary electrical systems.
Continue reading “Passive Bluetooth keyless entry system”
[EdsJunk] loves the outdoors and using his Jeep Wrangler to get him there, but hiding a key just to go for a swim makes him nervous. After a friend showed him how convenient it was to have keypad entry to his vehicle, [EdsJunk] decided it was time he built his own.
The build uses a spare waterproof keypad attached to an Arduino Micro. [EdsJunk] simplified things by cannibalizing his extra keyless entry keyfob; if the ‘duino receives the right code from the keypad, it presses the unlock button on the keyfob to grant access. [EdsJunk] admits that the Wrangler’s soft top is easy enough to get into, but explains that the goal of this project is to keep the alarm activated, which would presumably go off if someone tried to break in through the soft top. You can watch a video demo of the keypad access below. This is another great addition to the multitude of hacks he’s performed on one vehicle.
We do, however, hope that there’s some kind of lockout built into the code to prevent brute forcing: it should be easy enough to activate the car’s panic button after a set number of failed attempts. Car hacks are popular this summer: check out the Real Car Remote Control if you missed it.
Continue reading “Custom car keypad entry”
A lot of higher end cars are now coming out with RF fobs that unlock and start the car. There is no longer a physical key that is inserted in the ignition. It turns out that for BMW this means stealing the cars is extremely easy for a sophisticated criminal. We always liked the idea of metal keys that ALSO had a chip in them. The two-tiered security system makes sense to us, and would have prevented (or at least slowed down) the recent rash of BMW thefts that are going on in the UK.
So here’s the deal. A device like the one seen above can be attached to the On-Board Diagnostics (OBD) port of the vehicle. It can then be used to program a new keyfob. This is of course a necessary feature for replacing a lost or broken device, but it seems the criminals have figured out how to do it themselves. Now the only hard part is getting inside the car without setting off the alarm. According to this article there are ultrasonic sensors inside which are designed to detect intrusion and immobilize the vehicle, but that’s somehow being circumvented.
You can check out a keyfob programming demo, as well as actual theft footage, after the break.
Continue reading “Keyless BMW cars prove to be very easy to steal”
[Fileark] has instructions for reprogramming keyless entry devices for your car. His demonstration video, which you can see after the break, shows how to make one key fob work for two different vehicles. In this case he’s working on a couple of Chevrolet trucks but there are instructions for GM, Ford, Dodge, Toyota, and Nissan. If you need to reprogram one of these you may find this useful, but we’re wondering how it can be incorporated into a project. If you can sniff out the communications that are going on during the programming you should be able to build and pair your own devices with a vehicle. Wouldn’t it be nice to incorporate your keyless entry into your wristwatch?
Continue reading “Key fob programming”
[Nate] hates keys. He’s gone through a lot of effort to remove them wherever possible. He has a keypad at home and a keypad at work, but he still has to carry car keys. His solution is to build a device he can carry in his pocket that will unlock the car via RF. To do this, he’s utilizing the guts of a Nike iPod puck along with an Arduino and an iPod serial board. He has managed to get this all working, but still has to carry his key to actually start the car. We know what his next project will be.