IP-based Engine Remote Enable Switch


[Mariano] owns a late ’90s Jeep Wrangler, and had no idea just how easy it was to steal. Unfortunately for him, the guy who made off with his Jeep was well aware of the car’s vulnerabilities. The problem lies in the ignition – it can be broken out with a screwdriver, after which the car can be started with a single finger. How’s that for security?

[Mariano] decided that he would take matters into his own hands and add a remote-controlled switch to his car in order to encourage the next would-be thief to move on to an easier target. He describes his creation as a “remote kill” switch, though it’s more of a “remote enable” switch, enabling the engine when he wants to start the car rather than killing it on command.

The switch system is made up of two pieces – a server inside the car’s engine bay, and a remote key fob. The server and the fob speak to one another using IPv6 over 802.15.4 (the same standard used by ZigBee modules). Once the server receives a GET request from the key fob, it authenticates the user with a 128-bit AES challenge/response session, allowing the car to be started.
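The fob/server exchange described above can be sketched as follows. This is an added example, not [Mariano]’s firmware: the page only says “128-bit AES challenge/response”, so the single-block AES construction, the one-outstanding-nonce rule, the 5-second timeout and all names are assumptions.

```javascript
// Added example: AES-128 challenge/response between a key fob and the in-car server.
// Assumed design (not from the original project): response = AES-128(key, nonce).
const nodeCrypto = require('crypto');

// The fob's answer: one AES-128 block encryption of the 16-byte challenge.
function aesResponse(key, challenge) {
  const c = nodeCrypto.createCipheriv('aes-128-ecb', key, null);
  c.setAutoPadding(false); // the challenge is exactly one block, no padding needed
  return Buffer.concat([c.update(challenge), c.final()]);
}

class EngineServer {
  constructor(key, ttlMs = 5000) {
    this.key = key;       // 16-byte secret shared with the fob at pairing time
    this.ttlMs = ttlMs;   // how long a challenge stays answerable
    this.pending = null;  // at most one outstanding challenge
    this.enabled = false; // engine stays disabled until a valid answer arrives
  }
  // The fob's request arrives: reply with a fresh random nonce.
  issueChallenge(now = Date.now()) {
    this.pending = { nonce: nodeCrypto.randomBytes(16), expires: now + this.ttlMs };
    return this.pending.nonce;
  }
  // Check the fob's answer; the nonce is consumed whether or not it matches.
  verify(response, now = Date.now()) {
    const p = this.pending;
    this.pending = null;
    if (!p || now > p.expires) return false;
    if (!Buffer.isBuffer(response) || response.length !== 16) return false;
    const ok = nodeCrypto.timingSafeEqual(aesResponse(this.key, p.nonce), response);
    if (ok) this.enabled = true;
    return ok;
  }
}

// Constructed demo: a paired fob, a replayed answer, a wrong key, a late answer.
function demo() {
  const key = nodeCrypto.randomBytes(16);
  const car = new EngineServer(key);
  const first = aesResponse(key, car.issueChallenge());
  const legit = car.verify(first);
  car.issueChallenge();
  const replay = car.verify(first); // recorded answer to an earlier nonce
  const wrongKey = car.verify(aesResponse(nodeCrypto.randomBytes(16), car.issueChallenge()));
  const late = car.verify(aesResponse(key, car.issueChallenge(0)), 6000);
  return { legit, replay, wrongKey, late };
}
console.log(demo());
```

Because every challenge is a fresh random nonce that is discarded after one verification attempt, an answer recorded off the air is useless for the next start.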

It is not the simplest way of adding a remote-kill switch to a car, but we like it. Unless the next potential car thief digs under the hood for a while, we’re pretty sure [Mariano’s] car will be safe for quite some time.

28 thoughts on “IP-based Engine Remote Enable Switch”

  1. Actually, I’d rather it came as standard. Car manufacturers just don’t want to be liable when it fails. Can you imagine a proprietary system like this? It’d probably be based on SecurID.

  2. I imagine a simple RFID tag would be enough to protect this vehicle. Only high tech thieves would bother trying to defeat such a system (and I’m sure that the type of thief that wants the Jeep won’t even understand why it won’t start after the ignition is broken out)

  3. I did something like that, but used a Bluetooth module in the car and a mobile phone with software as a key.
    I got a simple car alarm with central lock (the lock is the only functionality I use), took out the PIC16F72 and replaced it with a pin-to-pin simulation made from a PCB with a BT module. It’s possible to write your own program and reflash nearly any Bluetooth module with a CSR BlueCore Flash (or External) chip on board using BlueLab software. So, I wrote a simple program for the Bluetooth module to emulate the PIC16F72 pins using the PIO of the BT module to drive all the relays in the alarm. And a small BT utility for the phone to open and close the car. Works great over the year.

  4. @mike

    I considered RFID as well (I do RFID dev. also — I have an OSHW board based on the trf796x that I will be releasing soon. Code for it is already available here: http://git.devl.org/?p=malvira/trf796x.git;a=summary )

    Anyway, there are a few complications with RFID. The first question is where does the antenna go? The most convenient place would be to put a reader in the passenger compartment. This would require running wires from there into the engine — which is a giant pain. Secondly, it’s not as good since you still have wires an attacker could mess with. You could do a secure digital link, but you still have the wires to run…

    So I ended up with the solution most people have which is just a key fob you carry around.

    -Mar.

  5. Pull the fuse for the fuel pump and the car won’t run. Put in a switch, in an inconspicuous location to control the power going to the fuel pump as a permanent solution.

  6. One of the beauties of @Mariano’s Jeep is that (like all soft tops) there’s really no point in locking the doors. Therefore, unless the next potential thief is on autopilot, he won’t have to add a new window to his repair bill.

    If he’s using a hard top in the winter, then never mind.

  7. @Eddie

    I wanted to avoid running wires from the engine into the passenger compartment as it’s a giant pain (esp. when you have all of these wireless microcontrollers lying around).

    I also wanted something “somewhat” secure as opposed to just hidden.

    -Mar.

  8. When I had my convertible I never locked the doors and never left anything important in the car. One razor blade is all it takes to ruin the top, so he can steal my fast food change…

    Sister’s car was broken into to steal an empty backpack. Shattered the passenger side window. Door locks serve no purpose other than to lull the minds of the users into thinking their car is safe.

    Biometric authentication is the way to go.

  9. Also @ Eddie, hidden kill switch on fuel pump is the KISS idea of the day.

    Old truck had leaky fuel injectors so before you stop the engine you turn off the fuel pump and let the injectors run dry to prevent flooding the cylinders. And provided an extra security level since the doors had no locks.

    Old hard drive magnet on a keychain, hidden reed switch inside dashboard. Use a 12v relay in series with the starter solenoid fuse.

  10. A single toggle switch cutting power to the fuel pump will do the same thing. Hide the $0.59 switch in a location that is not obvious and the thief will be foiled.

    Contrary to belief, thieves will not take hours looking for things in your car, IF they can not do what they want in seconds, they take off.

  11. Another solution. Place a 100 ohm resistor switched in parallel with the coolant temperature sensor. With the engine cool and the sensor reading below 100 ohms the ecu will think the engine is hot and try to start it with a leaner mixture. Trust me it will not start that way.

    Bonus points: While you are in there you can add a 1k ohm resistor switched in series with the sensor. When you flip the switch the ecu reads the engine as cold and runs a richer mixture. Awesome when you’re crawling.

    Another security flaw is that the engine can be started without damaging any components either. Bypass the ignition relay, unscrew the starter wire from the distribution point and touch it to the battery. Veroom. Had to start my XJ that way once. Make sure it isn’t in gear first!

  12. At the end of the day if a thief wants to steal a specific vehicle, they will know the wiring and electronics. The ONLY way you can make this reasonably secure is if you drop the standard wiring and put the security code in the ECU software itself – without that it’s just a matter of time to find the correct wires to bridge/remove. There’s no point having an ultra-secure switch, it still has 2 wires going to the /insert chosen items/ and so is easily defeated.

  13. “Contrary to belief, thieves will not take hours looking for things in your car, IF they can not do what they want in seconds, they take off.”

    Not true, if your car isn’t a rot box they will actually invest some time in the process. I know of at least one car who had most of the ignition and fuel pump circuits re-wired to defeat the security.

  14. What?

    The screwdriver trick is THE hack. That’s how you start your car when your 1987 Cherokee chief car keys break. I used a pair of pliers…..

    I’m sorry, but unless it’s a really important car for you that is top shape, no rust after 25 years then by all means go for the anti-steal hacks.

    Other than that, if a guy stole your car – he probably needed it more than you:)

    Anyways, just leave little gas in the tank, have problems like the need to double-clutch every speed and general car trouble will keep any thief within a 10 mile radius. You’ll get it back.

    Only problem with the no car key ignition – true story – just make sure no damn cop fool pulls up to your right side, looks inside, sees no keys, calls backup, follows you while waiting for backup and then BAMM they strike…

  15. @frank

    “I’m sorry, but unless its a really important car for you that is top shape, no rust after 25 years then by all means go for the anti-steal hacks.”

    Actually what is important to me is that my car is there and ready to drive when I wake up in the morning to go to work.

    It was a huge pain in the ass to have it stolen.

    Other than the bother of the whole thing, I have a custom rack I made for it which I was sad about losing. Buying a car is also a giant pain and I wasn’t looking forward to it.

    I held your opinion for 8 years — going through the hassle of having it _actually_ stolen changed my mind.

    I’m not sure I understand the readership of this site either. Really, the screwdriver is the hack? You would have rather read a blog post that said “look how easy I can break stuff with a screwdriver?” and then a bunch of pictures of me breaking things with a screwdriver?

    Well, breakstuffwithascrewdriver.com might be a fun site after all, but I didn’t think it qualified for hackaday

    Similar with all the “just wire a switch” suggestions. That’s what you come to this site to read? Wow. Ok. Maybe next time I’ll blink an LED or something.

    -Mar.

  16. I would never mess with the wiring of my car because I’m not very good, but if I could, I’d love to have an ignition system that was simply a scale embedded in the driver’s seat that sensed my precise weight and knew it was me. Then I wouldn’t need to do anything beyond “sit down in the car” and have it start. The thief would have to be exactly my weight to take it, and I could recalibrate it after I gained / lost lbs.

  17. Mariano, I would just like to say thanks – you’ve made me aware of a technology I was unaware of – Contiki. I’ll have to do some more research.

    Also, Stanson – More info please!

  18. More on the fuel pump fuse…

    Pulling the fuse works on any car that has an electric fuel pump. Even a rental. On my last car, a VW Golf, the fuse panel was in the passenger compartment, near my left knee. I understand that some cars have the fuse panel under the hood, or some hard to reach location.

    The VW Golf used a relay that on one side was low current, the relay controlled the high current (4 Amps?) that powered the fuel pump. So ideally you would add 1 or more switches (AND) to control power going to the fuel pump relay. I never put a switch in my car, I just pulled the 4A fuse going to the fuel pump. I also thought of using a magnet to control a reed switch that would switch power going to the fuel pump relay.

    You can use any higher tech RFID/encryption to control the fuel pump relay.

    I also like the idea of messing with the coolant temperature sensor.

    How about using a cellphone to remotely control the fuel pump or some other basic function (Mass Air Sensor). I think some cellphones have GPS. Use a cellphone to disable a car, have it call home with the GPS of the stolen car.

    I also thought of adding an audio recorder, video camera to record the thief, so it can be arrested, add some timer so the car runs for 30 seconds and then stalls out in the street – 555 timer – but if the thief abandons the car, will it roll into another parked car, person???

    Car thieves must DIE!
