Ask Hackaday: How Are These Thieves Exploiting Automotive Keyless Entry?

A new attack on automotive keyless entry systems is making headlines and we want to know how you think it’s being done. The Today Show reports that vehicles of different makes and models are being broken into using keyless entry on the passenger’s side of the car. It sounds like thieves steal items found inside rather than the vehicles themselves which makes these crimes distinctly different from the keyless ignition thefts of a year ago.

So how are they doing this? Here are the clues: The thieves have been filmed entering only the passenger side of the car. They hold a small device in their hand to unlock the doors and disable the alarm. And there is evidence that it doesn’t work on 100% of vehicles they try. Could it be some hidden manufacturer code reset? Has an encryption algorithm been hacked to sniff the keyfob identifier at a previous time? Or do you think we’re completely off track? Let us know your opinion by leaving a comment.

[Thanks Mom]

368 thoughts on “Ask Hackaday: How Are These Thieves Exploiting Automotive Keyless Entry?”

  1. The TV programme mentions nothing about if the owner has CHECKED that the car is indeed locked. I would guess the thieves have a jammer, preventing the owner from locking the car, as most people just lock it with their backs turned to the car, and they don’t check if the car locks… That would allow the thieves to open the car and get the items.

      1. Exactly. If you can prevent then you don’t have to overcome. It’s like an old episode of MacGyver where there was a science contest based around ‘locking a room’ and the winning student used a system that made you think it was locked when it wasn’t and wasn’t when you thought it was.

        Additionally a remote jammer could account for the few that it didn’t open (jammer signal picked up interference) but does nothing for the ‘always the passenger-side’ aspect.

          1. You only need to use noise if it’s an intelligent system that can “burn through” like fire control radar.

            For simple radio communications or data transfer, all you need is a loud enough tone to drown out the signal.

        1. Good episode. I believe he used a miniature model of a garage door opener, visible through the peephole, but another student cheated by using a parabolic listening device to hear his plans. Then there was something about speeding up the clock in the other student’s time-based lock.

          Anybody know what episode and season that was?

          1. I just watched this episode the other day. Been going through MacGyver lately. I really enjoyed that one. Made me wish I had fun contests like that back in school.

        2. Actually, it does. Think about it. You’re jamming a lock signal, you’re not going to hop right into the car. You’re going to wait for the owner to leave your sight in case he turns around.

          They might be hiding behind the car until that point, then just using the closest door to them.

          1. Yeah.. the one student cheated by peeking in the door and realizing that the ‘room’ you saw inside the door was a mini-model.. and it was inverse of what the door was already. e.g. the mini-model looked like it was locked.. so you’d try to unlock it and slide the piston back… but by doing that, you’d make the REAL door LOCK and unlock the model.

        3. I believe the attack always being on the passenger side is a coincidence. It is very unlikely it is a jammer. You can see the lights come on and even hear the locks move when the device is activated. They are actively unlocking the car when the device is turned on. I assume that the random rolling code generator algorithm has been compromised.

          1. SCANNING, perhaps, and for the ALARM? Passenger side approach makes things seem more innocuous if you trip up

            As to disabling the lock, possibly jamming the locking signal from fob, and possibly an old-school approach of priorly vandalizing the passenger lock in such a way that it ceases to function – in an earlier attack – and letting the owner do the work for them by opening it… Then, it’d be because the passenger lock glitching has a far lower % chance of detection.

    1. This, a friend of mine was auto burgled and his car left unscathed. He insisted that the car automatically locks itself after a timeout when he walks away with his remote. I have never heard of such a thing (while I don’t doubt it exists – My old SaaB would auto-arm itself after 10 minutes of inactivity, but not lock the doors).
      So the next day I asked him if he locked it after having not used it in several hours and he said “yup”. I walked over and sure enough it opened right up! He was dumbfounded. Now I always poke fun at him to make sure he uses the remote and hears the armed acknowledgment from the car.

          1. I’m using Benito Amilcare Andrea Mussolini’s definition of fascism: Merger of Corporation and State, though he meant that the State controls the corporations and not the other way ’round, like it’s in most of the western world today. Still, competition and a free market are part of the definition of capitalism², so whether it’s fascism or corporatism is of little consequence (fascism is better known though), it still isn’t capitalism.

            ²) http://www.merriam-webster.com/dictionary/capitalism

        1. Most keyless entry cars I’ve encountered will re-lock the doors after a timeout if the door hasn’t actually been opened, so he could have misinterpreted that.

          1. I think that you, like so many other people in this half of the comments section are misunderstanding the difference between keyless entry, and keyfob remotes.

            This keyless entry thing is where the keys just need to be in your bag, you walk up to the car and it unlocks, you don’t need to get the keys out of your bag, don’t need to press a button. The re-lock feature of cars etc. happens when you press the button either on the key or on the keyfob, hence you need to touch the keys, it’s not keyless entry.

            You can’t check that a keyless car is locked. You walk away, and when your key transponder is far enough away the car locks itself. Obviously if you try to go back and check this then the car will unlock itself, unless you leave your keys on the ground or send someone back to check for you!

          2. @dan ^: sorry mate, but it’s _your_ definition of ‘keyless entry’ that is mistaken. The definition that you are promoting is a technology that is relatively new, yet cars have been equipped with ‘keyless entry’ systems for over a decade.

            ‘Keyless’ is meant to imply the lack of need to physically insert a key into a lock (ie: 30 feet away walking across the parking lot). I’m not sure of the preferred marketing term for the proximity keys that you describe, but as mentioned earlier… ‘keyless entry’ is a term that has been used to describe your ‘keyfob remotes’ for more than 10 years.

          3. @dan
            Some people are clearly confusing the two (the news story didn’t help in this regard given it showed both types…) but I have a car with the new style keyfob system. The doors do not unlock simply because the keyfob is in range. It waits until you actually grab the door handle. If you then let go of the handle without opening the door it will re-lock.

          4. Dan,

            YOU have confused “Keyless Entry” with “Smart Keys”. Keyless entry is a KEY FOB that allows you to unlock (aka “Enter”) the vehicle without putting your key in the door. Smart Keys allow you to unlock and start the car just by being present.

        2. My 14 year old Smart City Coupe locks itself after a timeout if the doors haven’t been used after unlock.
          I’ve even experienced it locking automatically after parking, but I’ve yet to verify this by trying again. Just Lazy I guess :)
          Its immobilizer also rearms after a few minutes if the car has been opened but not started.

        3. I work on Mazdas. The ones that do not use “cut” keys (credit card, advanced keyless, and smart key systems) do, in fact, lock and arm themselves when you walk away from the car, if that feature is programmed. For almost 10 years, I worked on Cadillacs. They too automatically lock and unlock, when you have that feature…

        4. @JamesInCA Well, the upper-class Mercedes has had a system called Keyless Entry since the 1990s. It works like this: You don’t have a key to the car, you have some kind of a card with you. If you have that card with you, you can enter the car and start it without turning a key. When you leave the car, it locks itself after an amount of time.

          But to the case. I think it is a jammer preventing the locking of the car. That doesn’t explain why the thieves always get in the passenger door. Another thought is: What will a car do if a taser is fired at something like a door handle? I know that some cars have safety features like if the battery is low, the car opens the doors.

          My Skoda locks automatically if I unlock it with the remote and I do not open any door for a certain amount of time. Useful but not working with jammers.

          1. If you fired a taser at it, you would pass electricity between the electrodes along the skin of the door handle (or through the metal, if you puncture properly).

            That will do exactly nothing to any electronics nearby (except perhaps a brief amount of RFI while you do so).

            You’ve been watching too many movies :P

        5. I’ve worked retail many years. It’s a feature that’s available on many aftermarket alarms or remote starters. Turned the feature on for customers quite frequently.

        6. A lot of doors automatically re-lock.

          So if you’re in the house and press the button, the car unlocks outside. If you don’t open the door the car re-locks after about five or ten minutes.

          However, if you unlock the car and open the door it shuts off the car re-lock mechanism. This means you can’t unlock a car, leave the keys in it, shut the door and have it re-lock itself with the keys on the inside.

          Similarly, after a drive the car won’t re-lock itself. Car re-lock only works when the car has been locked, and is unlocked but the doors have not been opened, because then it’s a certainty that the keys are still on the outside of the car!

          1. Note you need functioning door switches for that.

            The switches on my Hyundai had gone out, causing it to auto-lock whether or not the door had been opened.

            Drove me absolutely nuts, as whenever I had to leave it for oil changes or service I had to remind them to keep the windows down so they could get back inside.

        7. Mine does this too. But I’m not entirely sure under what conditions it does it. Quite often I’ll unlock the car only to hear it lock itself after a few minutes while I’m standing there. I’m 95% sure I don’t hit the button again but I couldn’t be 100% sure and I am 100% sure it doesn’t always happen so I make sure it’s locked.

          1. It will relock again if you press unlock but you *didn’t open any one of the doors*. It is a timer against accidental/unintentional unlocking.

          2. I’m genuinely glad someone has cleared that up. I’ve been curious about it for years every time it happened. It never bugged me enough to look it up but now I know.

        8. Honda, GM, Jeep. All of them will do an auto lock if you walk away and not lock it and the keys are not within the vehicle. Hell even the 2006 Ford Minivan I have at work will self unlock if the keys are inside the vehicle and you press the lock button on the door.

        9. My 1999 Ford F350 has that feature. Once you kill the engine and close the doors, it will lock in 60 seconds *IF* the keys are not in the ignition. You have to program the factory system to do it as it is not a standard option.

        10. My 1999 Toyota 4-Runner will lock itself after about 30 seconds…
          sometimes…
          I think it happens if I manually unlock the driver door, get out and close the door without using the “Unlock” function of the key fob.

          1. My ’03 Jetta has some weird aftermarket thing that the original owner added. Hidden toggle-switch and LED under the dash. Sometimes the LED is on solid. Sometimes it flashes. I have no idea how it works. It locks itself automatically. Sometimes. Sometimes not. Sometimes, the alarm just goes off. Sometimes, I try to start it, and the alarm goes off. The behavior changed radically after I had to replace the stereo headunit because the CD player failed. I pity anyone who tries to steal it. :)

        11. Kia and Hyundai models with the smart key(push button start) will auto lock only if you pressed the unlock button and never opened the door after unlocking. Once you open the door it won’t lock unless you lock it.

        12. Ford makes cars with auto lock features, at least for the luxury vehicles. I had a 1995 Lincoln Mark VIII and the doors would auto lock once you stepped out of the car and closed the door.
          Also my dad had a 1992 Grand Marquis, and it would do the same. Both had the 5-button keyless entry thing on the driver side door.
          The 2012 Ford Explorer does the same thing, however I live in Mexico so maybe it’s an upgraded security feature because of the level of crime down here….

        13. They make em. I am a mechanic and when I run into auto locking cars it is a royal pain. Some cars not only lock themselves with the keys still in the ignition but they also put up any open windows.

      1. My father’s ’09 Honda Accord will lock itself after a few minutes no matter what. Locked and then proceeded to go off when I was chilling in the driver seat with the car off.

      2. My car alarm system automatically locks the doors around 30 seconds after closing all doors (and trunk), regardless if you are inside the car or not. It is a programmable feature that I activated and has been very useful to me. I hear when the car locks the car when I leave and instinctively I stop and return if I don’t hear it locking the car (actually, briefly honks twice when locking it). So, the comment above is possible.

        1. I disabled the lights/horns as I don’t want to disturb neighbors or provide indication that my car is being unlocked. Paranoia :)

          I can tell though when the doors lock or unlock, and if it was just one or all, just by sound.

      3. I’m more suspecting user error. One of my clients has a fancy new car with all the bells and whistles. If you leave the car unlocked and unarmed, it will lock itself and arm the alarm, making the remote for it beep when it does this (if you’re in range). Well, as he learned when his computer got stolen out of his car, the seats have weight sensors; if there is enough weight on the seats it will not automatically secure the car.

          1. I agree, especially in the area I live in where people will break into your car or house during broad daylight with obvious forceful means (like kicking the door in). However it wouldn’t hurt if they configured the sensors for at least 60lbs before it triggers. And it was a desktop computer, stolen in the store parking lot down the road on his way here. Jokes on them however, from his description of the problem with it sounded like the power supply gave up the magic smoke.

      4. My Toyota auto locks itself – but not under all circumstances. If I get out of the car and walk away, it doesn’t auto lock. If I lock the car, and later hit the unlock feature, it gives me 30 seconds to open a door, if I don’t within that time period, it locks itself.

      5. My 2001 Jetta will auto lock the doors and arm the alarm after 5 minutes if left sitting with all doors closed. It doesn’t matter if the key is in the ignition or not, it’s going to lock and arm.

        I was lucky the first time it happened: the car was running and the driver’s window was down and I was able to open the door with the inside handle, which immediately set off the alarm. But I was able to open the door and after that I never trusted it… I just always made sure I had the keys in my hand or the window down to keep from being locked out.

    2. They have wireless key fobs that can copy signals from your current keys. I can’t imagine it would be too difficult to make a device to store multiple codes. Either that or they could be tripping something with an emr based attack. All you have to do is find a way to trigger a relay and the door will open. Maybe those cars have a vulnerability in that specific region of the car.

        1. Rolling codes can be circumvented sometimes. Imagine you push the button while you are away from the vehicle. Now they are out of sync. In security testing, we replayed back 3 successive codes from a remote we sniffed, and got it to resync, and we were able to defeat it.

        2. Expensive garage doors have static codes. Otherwise if you pressed the door button in your car while you were away you would not be able to open the door when you got home.

          1. …Not usually static codes. There is a rolling code with a ‘window’ that allows re-sync. They are made that way exactly so that if you hit the button while too far away you will not lose sync with the receiver. The window is typically the next 256 rolling codes. I programmed our built in vehicle transmitters via one remote. I can go weeks opening the door with one vehicle only, then try it on the other and I’m still within the 256 code window.

            Back to the original question – I’d like to know how this hack works. Typically hitting a key fob once unlocks the driver’s door first, while a double tap unlocks all. Why the passenger side, unless that’s where all the good loot is (laptops, purses, purchases)…

          2. Could it be that the thieves are picking up signals from owners who are away from their cars, and then using these to get in as they are one of the future 256 codes? Seems a bit contrived as either forcing a person to accidentally press a button would be difficult.

          3. @Extraneous: yes, with one way systems you can capture valid rolling code messages and replay them as long as the receiver doesn’t hear them to move the window forwards. With two way systems, you can relay the communications over longer distances as most of the protocols don’t care about latency.
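
The look-ahead window described in the replies above, as an added example (not code from the post, from any commenter, or from any manufacturer): a receiver that accepts only codes for counters ahead of the last one it heard, within 256 steps. The HMAC-based code derivation, the class names and the key are assumptions made for the illustration; real fobs use their own ciphers and framing.

```python
import copy
import hashlib
import hmac

WINDOW = 256  # look-ahead size quoted in the replies above


def code_for(key: bytes, counter: int) -> bytes:
    """Code for one button press. HMAC-SHA256 is a stand-in (assumption),
    not the cipher any real fob uses."""
    msg = counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Fob:
    """Transmitter: every press advances the counter, heard or not."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        return code_for(self.key, self.counter)


class Receiver:
    """Receiver: accepts a code only if it matches a counter strictly
    ahead of the last accepted one and inside the look-ahead window."""

    def __init__(self, key: bytes, window: int = WINDOW):
        self.key = key
        self.window = window
        self.last = 0  # last counter value accepted

    def accept(self, code: bytes) -> bool:
        for step in range(1, self.window + 1):
            candidate = self.last + step
            if hmac.compare_digest(code, code_for(self.key, candidate)):
                self.last = candidate  # window slides forward
                return True
        return False  # already used, too far ahead, or wrong key


def demo() -> dict:
    key = b"constructed-demo-key"  # constructed sample key
    fob, rx = Fob(key), Receiver(key)
    out = {}

    first = fob.press()
    out["fresh_code"] = rx.accept(first)
    out["same_code_again"] = rx.accept(first)  # counter already consumed

    for _ in range(100):  # presses made out of the receiver's range
        fob.press()
    out["resync_inside_window"] = rx.accept(fob.press())

    unheard = fob.press()  # transmitted, never reached the receiver
    newer = fob.press()
    rx_before = copy.copy(rx)  # receiver state before it hears anything newer
    out["unheard_valid_before_newer"] = rx_before.accept(unheard)
    out["newer_accepted"] = rx.accept(newer)
    out["unheard_valid_after_newer"] = rx.accept(unheard)

    for _ in range(300):  # drift past the 256-code window
        fob.press()
    out["beyond_window"] = rx.accept(fob.press())
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `unheard_valid_*` pair is the one-way weakness raised in the last reply: a code the receiver never heard stays acceptable until a later code moves the window past it, which is why the counter advance on every accepted press matters.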

      1. Could it be as simple as those coded door locks that failed? The code was fine, but the door lock was a solenoid, and a magnet in the right place… Our baseball-cap wearing friend might just have an electromagnet or a neodymium one.

        I haven’t really talked to any car thieves in years, and the ones I knew were idiots. Still, plenty of money in crime, no wonder the odd rogue genius gets inspired. I’d be half tempted just for the hack.

        1. Magnets don’t work through a sheet of steel.

          All the car thieves I knew were idiots, yes, but even idiots know how to get things to open car doors on the black market.

    3. In the second video the guy was clearly walking along trying all the cars. If he was walking along trying all the cars then it doesn’t work on all of them. The fact that all three cars in the video were Honda/Acura suggests a weakness in Honda design.

      From the looks of things you have to be really close to the car for it to work, maybe even touch something to the piece of bare metal around the keyhole.

      I’m guessing it’s lower tech than people are thinking – a taser to the keyhole or something like that. Maybe pull the insides out of a battery powered bug zapper (they contain a high voltage sparker that fits in the palm of your hand).

      1. There’s a whole swath of cars in the local casino carpark that are vulnerable to a plunger over the doorlock (auto-unlock on submersion I guess?) could it be that?

        1. Are you saying the same hack as the tennis ball with a hole cut in it? Because that was an internet viral video that someone was standing off camera with the key fob.

      2. Door locks are not affected by outside em spikes. While the lock cylinder looks like it is in contact with the metal door skin there is actually a rubber isolator separating them. Should the isolator degrade and fail, the links between the lock cylinder and the lock rods, or lock cables, and motor are separated by plastic clips. The majority of modern cars don’t even use metal cases on the lock actuators. Most likely these thieves are looking for cars with after market security systems, then, when found, they use the manufacturer code schema (probably bought from a disgruntled security system designer) to replicate the second unlock feature that unlocks the passenger door with no siren beeps or horn honks. I install key-less entry, security, and remote start systems professionally and have inquired about this subject to DEI, Panasonic, and Code alarm techs, all have been suspiciously silent.

    4. I was an auto mechanic for 10 years, there are some telling signs that say they have some type of RF transmitter.

      When you unlock MOST power door locks this is the logic table for the Body control module (AKA the BCM, aka security module)

      Status: Car sits locked
      Press unlock fob 1 time = unlock only driver’s door 1st.
      Press fob button 2 times = unlock all doors command.

      Carefully reviewing the tape clearly shows the interior/dome lights coming on RIGHT BEFORE the PASSENGER door is opened. This is a clear indication that they are somehow accessing the Body control module to access the power door lock module and the security module.

      This explanation would also explain why the older cars without BCM or security modules cannot be opened as easily.

      I worked for Ford for several years, each auto builder has their own different way of doing the same thing. This may only be an exploit that works on a certain make, model, year range. Which is also why the auto manufacturers they interviewed are clueless.

      1. Give an up to date GM Tech2 bcm programmer with a wireless Candi module to a disgruntled coder who knows the system, and it would only be a matter of time before GM cars become targets. I’m not saying this is how it’s being done (not all affected cars are GM products) but there is a reason the Tech2 diagnostic tool and its add ons are not available to the public.

    5. Hey, Hackaday, why not make a jammer, leave it at a lamp post in a parking lot. Wait for a friend to arrive. When they walk away, check if the car is still unlocked? Most keyless entry systems are based on 2.4GHz chips like TI’s CC24xx range and Nordic NRF2401 range. I have used these for wireless lights and there it was easy to jam the receivers.

    6. News FAIL. this should have never made the news .. all three cars shown were unlocked. The crooks walked up and touched the door handle and it opened. The last one in the video was clearly checking cars as he walked by, and it must have clicked so he backed up and opened the door….. I have lost all faith in law enforcement and the media.

    7. From someone who’s had this happen to him twice in one month – both were the same guy (which narrowed it down to only a million or so middle aged males wearing sweat pants in the Queens, NY area). Both times he had something in his hand. Both times the car was definitely locked. Both times the lights blinked when he unlocked the car, which happened right before he reached out to open the passenger door. The first time he stole about $10 in change and a set of headphones. Second time about $2 (which is one reason why the cops just didn’t care). My car is a 2012 Ford Escape and was purchased brand new. In the same month we know of 3 other Fords in our neighborhood that were broken into the exact same way. The car doesn’t have any on-going electrical issues.

  2. Either they have the codes, or they’re using a mini EMP device to short out the system. Since they aren’t stealing the car, they don’t care if it fries the computer.

      1. I could see this physically opening the lock, since all you need to do is get enough current to the transistor that pulls in the solenoid to turn it on; that would even explain why some models are vulnerable and others not depending on design. Clearing the alarm would have to occur because the car’s computer gets reset. Seems a bit dodgy though since you might get the lock solenoid to actuate without resetting the master computer, which isn’t in the door… ?

          1. Could one use a key that is not made for that exact car, but is made for that same make/model…in combination with the mini-emp in order to gain access to multiple models of the same vehicle?

          1. @draeath clearly you never saw any shielding on the RF circuitry of wifi adapters or routers! A Faraday cage is nothing more than a metallic chicken net with the hole diameter tuned for the frequency you want to block. Make it solid and it will block pretty much any frequency.
            So yeah, given that the car door is already solid metal, you would only have to shield the other side of the door. What is so difficult about that?

      2. You’re on to something with EMP. Whatever they’re doing it’s happening inductively. I don’t think they’re digitally communicating with the car, it’s too quick for a brute force and it’s too complicated for anyone to spend good money making a record/playback kind of thing. They’re not attacking the digital receiver or the digital technology. Could they be inductively zapping the cable connected to the switch that unlocks the door? A bigger electro-magnet forcing a relay to shut or something? Or is it a one-wire sequence they’ve figured out?

        I’d have to say that maybe there’s less shielding on the passenger door, it’s also where the fusebox is generally located in cars. But perhaps most importantly, there’s not a bunch of other switches and wiring on that side.

        They’re using an electro-magnet to activate the unlock as if someone is sitting inside of the car pressing the unlock button. My guess is they’re attacking the cable/switch assembly that unlocks the door somehow. Or the unlock solenoid itself? Since the passenger side has less controls it would be less likely to activate all kinds of other stuff they don’t care about or shield the signal because the wire is wrapped in other wires. They stand nearby and hold the handle because the same action that triggers the unlock could trigger it to lock again. So I bet it pulses just like the device in the video and they try to catch it on an unlock pulse.

        1. Among car thieves that’s haute couture. You’d be amazed how much people pay for shitty tracksuits and baseball caps.

          Since there’s no traditions for style among the lower classes, it’s a simple combination of buying what’s advertised on MTV, multiplied by the price you can say you paid for it. Yes, capitalism is that simple and that effective.

          1. Let’s not forget the “White T” syndrome where all the homies wore white t-shirts to make it harder to identify “a black male in a white tshirt”. Ya can’t arrest the whole corner lol. you are 100% correct on the fashion sense. These folks aren’t usually operating above a 6th grade education and it is always easy to spot the nouveau riche lol. The tags on your clothes mean you are gonna return them later lol. Where most of us would just see a letterman jacket on some idiot that obviously hasn’t played sports in years, the dude is thinking I look great in this sheepskin and pleated denim lmao.

          2. I can only assume you were joking because you just sound ridiculous. The “white bread” answer is because they are cheap. The ghetto answer is so the cops can’t tell who you are easily.
            Go visit the dirty south and ask around.

    1. I agree, applying a voltage to the line coming from the key lock both unlocks and disarms the alarm in most cars. That’s how my remote ignition works, it hits the line with 12v, the car thinks it has been unlocked via key, disarms the alarm, and unlocks the passenger side door electronically. But then again, they’re on the passenger side.. I don’t even have a key lock on that side. And when the car thinks it’s empty and something touches the interior lock switch it triggers the alarm.

      It could be a key-fob retransmission. Even with a rolling code the car will watch a set amount of other codes in case the two get out of sync (like pressing the unlock button a bunch of times for fun while you’re away from your car). Don’t think it works “backwards” though, once an iteration is used it’s used. Hmmm

  3. Maybe it is magic, or maybe they just go from car to car until they find one that isn’t locked, would also explain why they failed to open some of them

    Insurance doesn’t cover if the car isn’t locked so of course everyone will say the car was locked they must have hacked it

        1. Given the relatively small sample size we have to work off of, and the fact that these are fairly popular, massively produced cars, seems like coincidence. There isn’t much data on this issue to work with, and the data we do have is… Spotty, at best.

    1. I agree. In the second video especially, it looks like he’s just walking by pulling on door handles until one happens to open. He stops and almost looks somewhat surprised when it does.

      Also, the passenger door just makes sense if they’re after valuables and not the car itself. The glove box is on the passenger side.

      I’m not saying there couldn’t be some device they used, but the videos don’t really show much to suggest that, and an unlocked door just seems the more obvious explanation. (Occam’s razor and all that…)

      1. Totally agree and if it were a wireless hack, then why don’t the thieves have directional antennas and unlock the cars 20 minutes before (we can’t see the recording that far back) but that would filter all the unlockables and still be “secure” for the thieves.

        1. The reason for only using the passenger side is because it should have a larger diversity of fingerprints than the driver door and the back seats.
          (Sorry for replying to my self can’t edit)

          1. Oh c’mon, like people that steal stuff from cars think of fingerprints or care. Even if they did they would just use gloves. Also about all the wireless hacks suggestions; riddle me this, why do they only use passenger side? Yeah. So it’s not a wireless hack. What it might actually be is somehow triggering the passenger side solenoid to open the door.

          2. Anon So you would credit them of making a device able to activate the solenoid through a plastic handle without using wireless technology, rather than using than worrying about finger prints?
            If it were some kind of direct contact electric measures, you should be able to find it somehow or at least somebody would be able to given enough time.

          3. @trndr – Just because they are using the device doesn’t mean they made the device. If I went through the process of making a device that allows entry without evidence of use, I’d wear gloves and pick cars/locations which do not have cameras.

          4. Seriously? Some folks are putting too much thought into this.

            Fingerprints? This isn’t CSI. Nobody but you actually cares that you had something stolen from your car. You file a report (around here, the cops won’t even show up at the scene for this — you must come to the station) and/or an insurance claim, and move on with life. There is no investigation to speak of.

            They attack from the passenger side because the steering wheel is not in the way. This allows them greater mobility within the car, while allowing them to get in and out quicker.

            This is the same reason why window-smashing thieves -always- attack a rear window: They don’t want to sit in broken glass. Break window, reach inside, unlock car, and then move to wherever the pile of glass isn’t, open that door, and begin looting.

            Just because they’re thieves, doesn’t mean that they’re any less lazy or clever than the rest of us.

  4. Probably some sort of fuzzing attack… where they use High voltage to confuse the computer. My car door handle serves to alert the computer I want the doors to unlock if I am next to the door… and there is a button to lock as well.

    It would be interesting to know if it is a particular manufacturer or if it works across the board on several manufacturer’s vehicles.

    1. I bet you’re right. Looking at the video, it appears that the thief was unaware which car was going to unlock. I bet that he has some random process that has a low probability of opening the car door and so he walks back and forth slowly until he finds a vulnerable car. It unlocks and he’s in.

  5. I think they have an accomplice near the owner who is not very far away. The accomplice has another device which emulates the car, the unwitting owner’s key is fooled into thinking it is close to the car and begins unlocking it.

    The signal is forwarded to the first criminal’s device, which is emulating the key opening the car. They then pull the handle and enter. Possibly only from the passenger side to remain out of sight.

      1. Clever criminals? It only takes one smart person to figure this out. Then she/he shares the technology for a cut. I am thinking about the international ATM scam last year orchestrated by a few very technical individuals but the actual ATM withdrawals were done by an army of grunts. Millions were withdrawn over the course of hours.

    1. Close, they actually don’t need a car emulator. The concept works by fooling the key into thinking that it is close to the car by retransmitting the LF part of the car-to-key communication. This LF communication is normally used to ensure the key is in/close to the car. This tricks the key into sending the car unlock code over the HF communication channel that ranges some 10’s to 100’s of meters. This was proven to work by Swiss researchers some time ago, see
      http://www.isoc.org/isoc/conferences/ndss/11/pdf/2_1.pdf

  6. Maybe they wait nearby with a PC and a software radio designed to sniff for the key presses from the original fob, then return later with a remote programmed to emit the recorded/transmitted code.

  7. Has anyone analyzed these and published results? You comment “has an encryption algorithm been hacked”, but I ask because I wonder “_is_ there even an encryption algorithm at all?”.

    Are the affected cars from the same manufacturer? Is the keyless entry the same manufacturer or type?

    The “hack” used can only be used in the circumstances identified (passenger door only, unable to start the engine, possibly no access to trunk) which suggests it’s either a default setting that either the dealer or owner never changed, or (God forbid me even saying this) a “backdoor code”, but akin to the “valet key” some cars (used to) come with.

  8. I heard about jamming devices that jam lock signal of your car and you can’t lock it, most people don’t check if their car is properly locked and thieves come to steal things. But this method seems to be different…

      1. 99% of cars I’ve seen chirp when the /security system arms./ NOT when the car locks. Several people I know don’t arm the alarm, since it going off falsely will piss off the whole neighborhood.

        1. Alarms aren’t a standard option…many cars lock all doors on the first press but then beep on the second so you know. The beep has nothing to do with an alarm.

  9. My best guess:

    It does something to induce the “door open” message on the CAN bus, perhaps indirectly by a voltage on the wires going to the lock-unlock button (think of it as a virtual coat-hanger).

    When you set security, it would be bad if the passenger could not exit without the alarm going off so there might be that as an exception in the code for the switches.

    It is also possible that the controller in the door will open upon reset, so a sufficient scrambling noise pulse will do so.

    One possibility would be if any had an ELM327 they leave attached to the J1962 connector…

    1. The induced current/voltage on wires going to the unlock button is what I was thinking, and I know on modern Cadillacs if you lock the vehicle with the key fob the trunk release and unlock buttons inside the car no longer function.

      If it were a device that functioned like that, it would explain the behavior of the thief who appeared to hold something up to the car as he walked past and jumped back when the door unlocked, as though he were trying it on every car on that street, making it look like he was just walking past if it didn’t work.

  10. It’s not just older cars. I rented a VW Jetta not too long ago. I noted the remote transmitted on 415MHz and I have a handheld transceiver that can tune that no problem. It’s just what sounds like an FSK stream. Didn’t have time to record it but I bet had I done so my radio would have unlocked the car.

  11. Police are “asking for help” but, unless I’m missing something, there are no details. It would help to know the make, model and year of the cars broken into. I know a lot of cars now have keyless entry (you can just touch the driver or passenger door handle to unlock when the key is in range). If they’re boosting the signal they could emulate that the key is in range. It would make sense why they’re just walking up to cars and touching the passenger handle. I know on our car that causes all the doors to unlock while the driver side handle just unlocks the driver door.

    1. Presumably the “help” they want is one of the thieves grassing on his friends for money. You don’t need technical expertise to solve this, and the police wouldn’t understand it anyway. You just need someone who knows the scheme, presumably learned by rote, to tell you what it is. It’s probable the thieves themselves don’t have a clue how it works, only that it does.

    2. The help they want is not ours. If you exposed a fault in one of these systems made by big AUTO they’ll probably arrest you for gaining access to a system that is not yours…. or “hacking”

    1. Some years back somebody busted my car’s rear window and “traded” a sunscreen and something else equally insignificant that I can’t remember with a couple of racquetball racquets that he probably used to break the window.

      I don’t remember what I did with the racquets; I don’t think I have them anymore.

  12. I once talked to a guy who designed ECUs for a motor vehicle manufacturer. When I asked him about how the keyless entry was implemented, he told me that it was based on a challenge response mechanism based on a seed hard coded into the security system of the car. If the seeds were compromised then the locks can easily be bypassed. Maybe it’s that. But more likely is the simpler explanation that the cars weren’t locked in the first place.

      1. Most likely some super stupid user error/security reason. How does the alarm trigger anyway? Maybe the same solenoid that unlocks also somehow disconnects the alarm.

        1. Most cars these days come with valet keys. If you unlock the car with the valet key, it automatically disables the alarm. It’s controlled from the lock solenoid. They have sensors positioned all over the car to sense for excessive vibration and forced entry. If you can remotely pop the lock open, using a strong magnetic field, you can disable the alarm system.

  13. After watching the videos here are some observations.
    * Even when two cars are in close proximity, unlocking one does not unlock the other.
    * In all cases the interior lights go on at the exact moment the door is opened.
    * In all cases the thieves do not seem to unlock the car remotely, they have their hand on the handle bar at the time.
    * In the case of Michael Shin’s car, it is quite obvious the thief is just walking past the car, his hand trails behind him when the interior lights go on, he seems surprised, stops and comes back, looks around then enters the car.

    In that last case, there is no doubt he has no “device”, he is simply walking past a row of cars, trying the handle on each door until he finds one that is unlocked. I think we’re all chasing a red herring thinking this is a technical exploit, as others have said this is simply owners leaving their cars unlocked, by accident or ignorance, then claiming the cars were locked in order not to miss out on insurance.

    1. Passenger side doors are more likely to be left unlocked unnoticed by a mechanical malfunction.

      A relative had a car that did not lock the rear driver side door, due to a jammed mechanism. This fault was only discovered when I happened to borrow the car; I have a habit of checking both doors on the side I get out from, after locking the car. If the non-locking door had been on the other side, it might have gone unnoticed for years.

      How often do you check that all doors did in fact lock, after you pressed the magic button and heard the locks latch?

      Then there are the cars that simply do not have automatic locks. Remembering to lock the passenger side door after the occasional passenger is hard, when they’re all used to automatic locks.

    2. I know this is an old thread, but I was sitting in a community college parking lot in my running 2009 Dodge Caravan, in “park”, all doors locked, when this happened to me. A man came up and tried to open the passenger side sliding door. My first thought, since he appeared to be holding a key fob, was he mistakenly had the wrong car. My locking system was making the noise it would make if the remote was unlocking it, but it wasn’t unlocking. He tried repeatedly. Push the button, try the door, push the button, try the door, and with each try, I heard my lock system respond, but thankfully it did not unlock. I dropped it into drive and drove off.

  14. Rolling codes or not wireless is wireless, it can be recorded and analyzed no matter how you protect it. The only thing manufacturers can do is make it take longer to crack. However, the fact that he acts surprised when the door opens may be a clue. What if they recorded a variety of door unlock codes and broadcast them in sequence in a crowded parking lot. Then they walk around to each car, check the handle and see if they got a hit. That could explain why he acts surprised that it worked.

    1. Of course wireless signals can be recorded and analysed. But how does that help you, if it’s using a rolling code where the next code is almost impossible to predict?

      It seems like you’re suggesting that all wireless systems must be inherently insecure, which is false.

      1. All security systems (wireless or not) are inherently insecure. Anything designed to let some people in and deny access to others can be fooled or finagled into granting unauthorized access. This is true of not only devices but people as well.

        Security in all forms exists as a deterrent- however the old adage remains true- ‘where there is a will there is a way.’

        1. I’m pretty sure they resync with each successful lock/unlock. Along with that I *believe* the valid code range is something like +/- 128. So so long as you haven’t pressed the button however wide the range is they should always resync.

        2. I’m not an expert, but my after market alarm can sync with 4 fobs. I assume that there are 4 rolling code banks.

          According to a PBS episode on security I saw years ago, most garage door openers can be pushed 256 times (while out of range) before it becomes out of sync. (Unverified)

      2. I quite agree with you Angus. My Holden Astra ’05 model (which is also called Vauxhall/Opel Astra in some other countries) has a unique code transmitter built in where it only allows my 2 keys to work with it and no other devices.

        It also has a rolling code, which sends out a one off random entry code to both keys and can only be received by the transmitter/receiver in my car if the correct 2 keys stored in its memory are identified as the senders for each unique code,

        The door locks cannot be broken due to its titanium like bolts and doesn’t have those old 90’s – early 2000 locks which go up and down for locking/unlocking. If the door locks get a surge of electricity they will automatically shut down the car which will result in the door locks not opening at all.

        Now this might all seem like a dream security car, but as with all things near perfect, this car does have a major flaw where the locks can be unopened very easily if you know the Astra 2005 range. But none-the-less, once my car is opened, there is no way of locking it again unless you use the 2 keys provided by the dealership.

        So overall, i will know if my car had been broken into and the best thing to do is not keep anything valuable in it. :)

          1. I’m not sure you appreciate rolling codes or the flaws that can be found in them.

            Generally rolling codes are not one-off. They use a pseudo-random function. It would make it easier to break if the code was one-off – each code that is known to be sent would result in a reduction of the potential codes the next time.

            Very, very few of the rolling code systems in use only allow one chance. This is because they are not bi-directional. You can send multiple codes from the key when it is out-of-range of the car. Each time the code rolls forwards. For this reason, the car normally has a window of ~256 codes that will work.

            So many of the systems have subtle flaws, but even the ones that don’t seem to often use the same seed/key across a wide range of cars. Recover a key for one Astra, use it for all of them.
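The receiver-side behaviour described in the comment above (a pseudo-random rolling code, a look-ahead window of about 256 codes, and the risk of one key shared across a model range), as an added example that is not part of the original thread or any manufacturer's code. It assumes a truncated HMAC-SHA256 over a press counter in place of a real fob cipher; every name, key and ID in it is constructed for illustration.

```python
import hashlib
import hmac

WINDOW = 256  # look-ahead window; the "~256 codes" figure from the comment


def derive_fob_key(master_key: bytes, vehicle_id: bytes) -> bytes:
    """Per-vehicle key derived from a master key (assumed mitigation:
    recovering one vehicle's key says nothing about another's)."""
    return hmac.new(master_key, b"fob-key|" + vehicle_id, hashlib.sha256).digest()


def make_code(key: bytes, counter: int) -> bytes:
    """Code for one button press: HMAC over the counter, truncated to 64 bits."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class Fob:
    """One-way transmitter: every press advances the counter, in range or not."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        return make_code(self.key, self.counter)


class Receiver:
    """Car side: accepts only codes strictly ahead of the last accepted one."""

    def __init__(self, key: bytes, window: int = WINDOW):
        self.key = key
        self.last = 0
        self.window = window

    def accept(self, code: bytes) -> bool:
        for c in range(self.last + 1, self.last + 1 + self.window):
            if hmac.compare_digest(code, make_code(self.key, c)):
                self.last = c  # resync: everything up to c is now dead
                return True
        return False


def demo() -> dict:
    results = {}
    master = b"constructed-demo-master-key"

    key_a = derive_fob_key(master, b"car-A")
    fob, car = Fob(key_a), Receiver(key_a)

    code = fob.press()
    results["in_sync"] = car.accept(code)
    results["replay_of_used_code"] = car.accept(code)

    for _ in range(100):  # presses made out of range of the car
        fob.press()
    results["resync_after_100"] = car.accept(fob.press())

    for _ in range(300):  # more presses than the window tolerates
        fob.press()
    results["after_300_out_of_range"] = car.accept(fob.press())

    # Same key in every car of a model: another car's fob is accepted.
    shared = b"constructed-shared-model-key"
    results["shared_key_other_car"] = Receiver(shared).accept(Fob(shared).press())

    # Diversified keys: car B rejects a code generated for car A.
    car_b = Receiver(derive_fob_key(master, b"car-B"))
    results["diversified_other_car"] = car_b.accept(Fob(key_a).press())
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The window is the usability trade-off: it lets a fob that was pressed out of range resynchronise, and a fob that drifts past it has to be re-paired.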

  15. Could it be something that’s common to Honda/Acura cars? The 3 cars they showed that were broken into were all Honda/Acura. The other 2 where the burglars failed were a Ford and a Cadillac.

  16. My bet is that they are using either high power inductive charging or radio interference to make the lock actuator move.

    Only using it on Passenger side as there are considerably less electronics in the passengers door.

    1. That’s exactly what it is. Something with a coil/inductor. My passenger door actuator or whatever is in there, doesn’t work any more because my jerk off brother thinks it’s funny. I wouldn’t be surprised to see him in one of those videos if it’s near downtown Chicago. He steals credits on pinball and arcade games, and the thing probably causes cancer.

      http://youtu.be/fgj8R06egKQ

  17. The vehicles featured in the video are all the same major brand, Honda. The SUV’s were Acura, the car was Honda.

    It’s known that not all car manufacturers use rolling codes, it’s also known that the seed codes can be read (and in some cases, rewritten) with a master computer at most major MFG dealerships.

    I would start looking in that direction, especially since the cars all responded as if the keyfob had been used.

          1. Must be nice to know everything. Bold statement, for someone who doesn’t offer any solid theories. Arm chair quarterbacking has no place anywhere. I’ve seen it work. Until you can prove otherwise, get back to being a spectator.

          2. You are semi correct, cars are immune to weak electromagnetic pulses. They protect the vital spots in a car that would render it unable to operate. This would be the brain of the car, the ECU. These are shielded from interference. I can guarantee you though, that your car locks are not. Engineers probably avoided this because we have physical keys to get into the car, so if the locks burned out, we can still open the door and drive away. In this case, thieves are exploiting an age old design flaw.

    1. There is an early failure mode of some Honda lock actuator modules, specifically 3rd gen CR-V, that cause them to unlock themselves over the course of a minute or so after being electrically actuated. Honda hasn’t recalled this, but there are a few class actions going on to try to compensate affected owners: http://www.chimicles.com/honda-and-acura-door-lock-actuator-failure.

      I replaced the front driver and passenger actuators in our 6 year old CR-V a few weeks ago, and now one of the rear locks is starting to misbehave. It’s extra annoying too, since the ECU sees a failed lock as always open, and relocks the doors every time the car moves from a stop past 10MPH.

      Anyway, as someone else noticed, the “device” may be a red herring, and they may be just looking for Hondas that have bad actuators that the owners believe they have locked.

        1. Possibly, but when the actuators started to fail on ours, the driver side actuator would appear to have locked, then over the course of a couple of minutes would scoot back to the open position. It could easily have been overlooked.

      1. Many cars automatically lock the doors when the car exceeds a certain speed. In mine, it is 16 mph. This is an option that can be turned on and off (if I ever read the book…)

      2. Have you ever considered the obvious thing: Oiling it? My experience with old mechanical things, especially in cars, is that they fail at the same rate that the lubrication does, and that even a half-assed attempt at rejuvenating the lubrication will allow good and smooth operation for many years.

        I fixed (yes, fixed) an increasingly finicky outside driver’s door handle on my 1995 BMW by spraying, rather blindly, some Tri-Flow in through a plastic knockout in the door. It’s been working fantastically ever since.

        Same with window regulators. And the power window motors themselves. Old grease turning to glue == failure.

        Otherwise, there’s often programming options for things like automatic locking. I don’t (and haven’t) owned a Honda, but there’s a chance that the programming directions are listed in the owners manual. If not, Google yourself up a good Honda enthusiast forum and search it. (Where “programming” means some incantation of turn car on, depress brake, turn off and then on in some certain cadence, activate the headlights, or other similar Dance Dance Revolution-like series of moves. No hardware required.)

        (As to which oil to use: Almost anything other than WD-40. Tri-Flow is my go-to favorite, though; it comes from bicycle shops and/or the bike section at Wal-Mart. Gun stores might also carry it. It is made by Sherwin Williams.)

  18. On a lot of VW group cars, on the passenger side there is a blank where the key hole would normally go. Knock the blank off, long screwdriver unlocks doors and turns off factory alarm.

      1. Really? So you mean to tell me that a bunch of robbers would spend 10k euros just so they can break in and steal stuff? Good idea. Now all they have to do is find a way of bringing 50 dual core computers to their targeted area so they can spend two days there trying to figure out the ‘secret key’

        1. The attacks have moved on a long way from there, they are much more efficient and don’t require such an investment in hardware.

          But the reality of it is that several manufacturers use the same key across many models or even all cars.

          Spend some time recovering the key once, use it again and again.

  19. It is an assumption that the car is being unlocked via the keyless entry system. On-star and the like can also remotely unlock a door. Perhaps that is a lower hanging fruit. I tend to agree with the comments suggesting that they were opening already unlocked doors and that the passenger side is more likely to have the stuff they are interested in. Hopefully technophobia does not cloud police judgement.

    1. Yup, it’s most likely 3.3.

      People keep talking about nonsense like rolling codes and all that, but what they aren’t getting is there is next to no electronics in the keyfob itself, which means that if you know the fob protocol it’s fairly easy to try a bunch of random seeds until one works, or in the case of the pdf you linked to, get the car to flat out tell you the seed key.

      1. What do you mean? Rolling codes aren’t nonsense, they’re what a lot of keyless entry systems actually use. And the keyfob contains a microcontroller or other chip capable of generating and transmitting the codes.

        If that’s what you mean by “next to no electronics”, then you’re right, but I don’t see how your claim of insecurity follows from that.

  20. We unfortunately had a rash of thefts a few months ago in our neighborhood. 29 cars broken into within a 3 block radius including my 2… all Hondas. My two were definitely locked as was my neighbor’s. My neighbor had 2 cars– 1 Honda, one not. The Honda was the only one broken into. There could be something to this. I’ve been trying to figure it out since then, but haven’t found anything.

      1. My Honda was broken into a few years back. I swear I had locked the doors, the person I was driving with said so as well, but my car was opened, no windows broken, no scratches from a slim jim. They stole my military issue Oakleys, my tinted safety glasses, all my cd’s (though most were burned), my gps, and a dartball dart from my last season.

  21. I didn’t read thru every entry so I don’t know if this has been mentioned but on the new Toyota Priusus (Pri-i…… not sure the plural) the doors WILL relock automatically if you leave the car and the keyfob goes out of range.

    1. totally fake… trust me to open boot you have to have way stronger force just that pump… neighbors car was vandalized, tried to open with crowbar, sheet metal was bent all over but lock did its job… second with plunger, myth busters busted this myth… and electroshock ? neahh… fake

      1. I saw the MB episode with the tennis ball… my comment was about the taser. If the door lock is driven by a solenoid or motor that can be ‘excited’ via an EM field, an on-board computer that can be reset via an EM pulse, ‘fail safe’ door locks, nearby fuses that can be tripped, or some combination of these. That – is worth some thought.

        I own a 2012 Honda Odyssey and 2007 Honda Civic… the passenger door locks are purely mechanical – and according to the manual turn off the car alarm when opened.

        1. you do not own a 2007 civic. There are no locks on the passenger side. I have one, only lock hole is on the drivers side and it’s a switch with a chip reader.

          1. No door lock actuator on the passenger side?!? Honda has cheated me… I must get my money back!

            There is most certainly a door lock actuator on the passenger side – a keyhole? I didn’t say anything about a keyhole. Would you like to see pictures of my cars?

            Seriously… splitting hairs is such a time-suck.

  22. A few notes from someone who has been following factory automotive security systems for a long time:

    1. 3xx MHz = States, 4xx MHz = Euro & Other

    2. Hitachi, Megamos, Philips, TI make all the passive key transponders and have the manufacturers’ algorithms in their data-centers, protected by compromised RSA systems. These algorithms are also in the possession of government associates like DARPA, Prince contracting firms (ex: Blackwater USA) and others, and foreign intelligence through phishing and espionage.

    3. The FPGA that stores the challenge/response algos (there are two in all cars) has almost always been in the BCM on the CAN, Fuel-management just does a simple check bit check. Mid-ninety and older cars that first implemented transponder-key had everything on one board and there was no CAN, same for the resistor based systems.

    4. Master ECMs exist for at least GM and can easily be hot-loaded.. Some CA and NYC repo firms somehow have these..

    5. All remotes can be cloned through cluster sequences, in most cases keys too, if you have two and a blank. Keys can all be cloned with only one key, providing you have the pricey machines, or know the algo and have a RFID transceiver (they are all standard RFID PHY)

    5. People still leave valet keys in their cars..

    6. High-end makes have satcom and tracking. Middle-eastern auto-theft rings operating inside the US can hack them. There are well documented FBI cases involving Mercedes..

    To anyone who thinks I just Googled that: Good luck finding it all on any search engine, but when you do it’s all on highly credible domains..

    1. On your google remark: countless are the times I failed to find technical info or PDF’s that I knew were out there, and I’m talking non-security stuff. I think google is pretty flawed unless you look for the very obvious mainstream stuff.

    2. ^- This. Yup. #4 – their $12K CANDII handheld will do the trick, there’s a fancier model as well. You can purchase them you just need to deal with automotive stuff and fill out some paperwork/legal stuff and pay a huge price for it. #5 Yup.

      The majority of ‘this type’ of exploit, this rash of them that is, are Hondas. There’s something to it likely.

    3. Not for GM. GM “chip keys” are just resistors until 1995 after that they are simple RFID. and GM keyfobs are simple as garage door openers and have been until the mid 2000’s. I know, I have hacked many a GM system and was surprised as to how half assed GM security is on the cars.

      1. Everything is simple with these once their challenge/response is cracked. Every manufacturer on the planet uses the two remote bands and standard RFID PHY for keys. Some use stupid key blade etching too.

        The reason you don’t see it is because cars are expensive, and the few systems that can be dumped are really hard to do and take a long time just to prep to do so..

        It’s still uncharted territory in the security industry. Outside Johns Hopkins work that only affects RF units used by older GM and gas pumps, these systems have never been hacked.. literally.

        P.S. if you can get a clone or key head you can still slide-hammer out locks and start with a screw driver on 2013 cars.

  23. I wonder if they are fooling the system into thinking the key is locked in the car. Some systems automatically unlock if the door is locked with the key in the car. My wife’s car does that.

    1. I was thinking the same thing. My car won’t auto lock if the keys are inside. Maybe holding the device on that side of the car, makes the car think the keys are inside. However, the passenger side thing could simply be because people leave things on that side of the car. I always put my wallet etc, on the passenger seat or the glovebox…

  24. Not reading all the comments but most car alarms if you don’t have the key fob you unlock the passenger door it disarms the alarms. It did on my last 3 suburbans and my mothers Taurus. Unlock passenger door alarm deactivates. As for what device they are using, I’m a HAM op and I can get my auto locks to pop if I key up my UHF HT on High power (5 Watts) right next to the lock solenoid. If they are using a radio to pop the solenoid on the passenger door the alarm thinks that you just used the key and deactivates.

  25. I have the exact device used by these people, Jeezus Some of you are over thinking this. I only use mine for testing, it is not expensive, in the $1000 range.

    Do you really think the guys shown in the video are paying $12,000 for a smart piece of hardware? Just to steal some loose change, or stereos or whatever it is they are stealing?

    Some of the things you guys have described would cost 40 grand easily. Only one person here has hit the nail on the head (isitjustme), with 2 others that I can see who have the right idea.

    I swear some of you must cost your employers/companies huge amounts of money with the over thinking you do. Probably start with the hardest to accomplish theories and work your way to the simple ones when researching or developing. Jeezus.

    1. You don’t have to buy the equipment to make use of the benefits, you merely need access to one or get someone to generate seeded keys for you, using the devices. You can also have the devices tell the BCM to allow blank keys to work, and the like. I simply mentioned that because all the cars were the same parent model, and many likely go to the same dealership(s). This type of exploit was used in Gone in 60 seconds, and has been used in crimes before. EMP’s are always a good choice as well.

  26. looking at that video, it does just look like he simply tried the handle. I believe the device in his hand would just be a smartphone that he’s using as a misdirection, to make it look like he’s just nonchalantly strolling around looking at texts. however:

    I’ve thought about an attack for rolling-code wireless security that involves replays (I’m not sure if it could work on other systems). the idea is that you place a device on the target vehicle which plays a predictable and known noise signal in the frequency band of the key fob to block its ability to lock the door. when a person uses the key fob, which plays the current number of the rolling code, the signal is jammed and recorded by your device. if they walk away at that point then the car is unlocked, but if they try the fob again, you jam and record the next code and replay the previous one, which will then lock the car. the attacker then comes to the car and the device replays the recorded code.

    of course the problem with this, aside from me not being sure how technically possible this is in the first place, is that you have to get the device near enough to their car before you try to do this. this means that you will either need to put it somewhere in a parking lot and just rely on blind luck, or actually stick it to the car and follow it around (or the device could include a GPS transponder for tracking the target).

      1. If you transmit a jamming signal while trying to capture a signal of interest, you will capture the jamming signal + the signal of interest. Since you know the jamming signal (you transmitted it) you can subtract it from the captured signal and obtain the transmitted signal.

        1. Ah you’re right! Controlled jamming. Actually, you could probably do the subtraction all in the analog domain and still have a randomly generated noise jam signal.

    1. Except that if they did this then they would know which car to hit as it’s the one they previously placed the device on or it’s the one in the spot where the device was left. Also, why the passenger side?

  27. If this were handled by Today Tonight in Australia:

    “Coming up next: How foreign terrorist criminals are stealing YOUR cars, and how you’re powerless to stop them. We also test the new super miracle fruit based cream that can take decades off your life!”

  28. http://worldjammers.webs.com/

    These people seem to sell all sorts of interesting crap. Christ alone knows if any of it works. I’d imagine their refund policy is nonexistent. Buying a criminal tool off a bunch of Chinese pirates isn’t the height of reassurance.

    But the point is, there’s a car-locking jammer for sale! Any use in this case?

    1. I’m starting to think this whole blog post was made by someone seeking to harvest carjacking methods via free induced group brainstorm…

      Gotta love the ol’ classics like fake focus groups for product development or “business concept contests” (w/ some puny $1k scholarship on the line, and fine print signing over the intellectual properties submitted to the organizers). This here smells like version 2.0. “LCD panel, LCD panel on the desk, tell me how to rip off that sweet Lamborghini…”

  29. I think it has to do with the following situation: A driver and a passenger are getting out of the car. The driver opens the door, gets out, closes the door, and presses the lock button. The passenger, slow getting out (old, checking makeup, getting something from back seat, etc), realizes the door is locked. The passenger manually unlocks the door, the courtesy light turns on, and the passenger exits.

    There is a setting on Honda (probably all) cars that only unlocks the driver door when the car is turned off. The passenger might be used to having to manually unlock the door.

    In this situation the car is armed with a passenger still inside. Should the alarm sound when the passenger exits? I would think no.

    Most people would not realize there is a difference between the lock button on the key and the lock in the car. Someone probably would be scared or panic if their car’s alarm went off. They probably wouldn’t even understand why it went off.

    If you usually drive by yourself, you have a good chance of getting out of the car and locking it subconsciously and not even think about locking the passenger in. You probably would just apologize while he/she unlocks the door and gets out.

    As for how it is unlocked, that is another question. Almost all of them are Honda/Acura. My Honda’s doors unlock in the direction of the handle. If the lock was made out of metal and you had a strong magnet on the outside, it would unlock. It could have to do with the solenoid.

    1. Yes, the human aspect seems most likely.

      Different, but related:

      My GMC work truck locks its doors automatically when I put the transmission in drive. It unlocks automatically when I select park.

      Since I almost always drive the vehicle alone, this doesn’t bother me a bit: It’s not like I’ve ever tried to get out of the car with the thing in-gear, going down the road…

      But when I stop to pick up or drop off a (rare) passenger, I find the following happens: The doors are locked. They try to get in/out, and can’t. I find myself fumbling for the lock button (which I never use while driving, or with the door closed for that matter) to disengage the locks.

      If I frequently had a passenger, this wouldn’t be an issue: I’d be used to this behavior. But again, I almost never do.

      I don’t see -anything- in TFV that suggests that the cars weren’t merely unlocked to begin with. I don’t need a tinfoil hat or an EMF generator to say that two cars of the same manufacturer caught unlocked in the same frame by two different thieves is more an eventuality than an odd and sophisticated technological coup.

      They grab the handle, and the dome light turns on as the door opens. Just as if it were unlocked. The singular instance of the unlocked, street-parked Honda caught by a dude’s household CCTV shows that a thief walked by, tried the door handle, noticed that it felt different than a locked door might, and then made a second move to open the door the rest of the way.

      He had probably tried hundreds of doors in the past; maybe even hundreds in just that one night. Of course he can feel when it is unlocked.

      I see opportunism, not cleverness.

  30. My car leaves the right door open even when I remote lock it; that’s due to the servo being too weak or something, so most of the time it only locks on the second try.

    Probably that’s more common than I thought.

  31. Keeloq was in theory unbreakable too :D
    Maybe they got their hands on the master key of some car manufacturer crypto system.
    Just an idea, but it was proven to work with old Keeloq, so why not with the newest obscure technologies.

  32. You guys railing on about EMP or EMI or whatever are crazy, you need a lot of energy to penetrate the steel of a car door with an EM field and actually cause a solenoid, which takes amps of current, to actuate… These guys are simply doing the ol’ pull and pray on the door handle. I work with high voltage and high power RF every single day with equipment that is nowhere near as shielded from EMI as a car and never have a relay or anything else for that matter simply actuate from a stray field, and there is no sort of encryption or CAN bus driving that stuff. The actual FET or transistor that is driving the relay which in turn powers the door actuator is buried in either the body or engine control module, you would need to induce, through steel, a current on a wire that is 12V at probably an amp if not a few amps to overcome the mechanical friction of the door locking parts all just using an EM field… And if they are causing enough electrostatic hash to f*ck with the car’s electronics, the car would likely never start again let alone not set the alarm off. Your cell phone would be screwing with your car and unlocking the doors if it were that easy. Modern cars are some of the best shielded devices out there when it comes to ESD and all the other nasty situations cars have to deal with and still work in the real world. A high voltage, high frequency generator such as a stun gun, etc, could maybe cause a little havoc, but you’d likely be setting off more car alarms than getting a door to actually unlock. They either have a remote code exploit that works on certain cars or they are simply trying door handles.

    1. And don’t get me wrong, if you are transmitting an EM field with the right remote control data at the right frequency you could do this, hence a remote control exploit. But brute force EMP or EMI? Uh, we get pretty bad thunder and electrical storms where I live, and I never had my car unlock itself when Thor came calling, although I have lost a T.V. or a telephone or two…

      1. Unless your car is hit with a bolt of lightning, it won’t make a bit of impact from afar. EMP devices concentrate that magnetic field and throw it out in a direction. The falloff is immense, so being as close to whatever you are trying to induce current into is a must. My theory is that they are hitting the passenger side doors because the coil for the unlock side of the solenoid is exposed to the door panel (less distance for the field to travel through.) The driver side is probably the lock side of the coil. They have to wait a brief period of time because the slider is probably moving to the unlock position (it isn’t directly coupled to a battery after all.) So holding the door handle is just so they can wait to feel for it to be in the unlock position. This hack only seems to work on certain cars because some cars don’t use solenoids, but servo motors. Servo motors need lots of current to actuate, solenoids not so much.

  33. After watching the video, I think there are a few things to note. First is they always try passenger side, could just be cause of easy access to glove box etc. Second, they hold the handle for a second before it opens. If they were opening remotely, why would they do this?? Third, might not be much but interesting to note, the thieves that walked from back of car to front gained access, but front to back didn’t.

  34. While EMP and high voltage could work (and are quite cool), they’d leave some evidence of their use behind; arc points, cheaper caps burning out, etc.

    My two cents based on presented evidence: most if not all of the drivers here just forgot to lock their cars or didn’t verify that the cars were locked, and the police are reading too much into the pause. That pause before opening the door might just be them going slow to not create noise in opening the door.

    With the start of summer, people are more swift in going from car to buildings, minimizing the time spent in the heat. This means it’s more likely that they are walking away while locking their cars. Combine this with strict “hands free driving” laws, first thing people are likely to do getting out of the car is to see what texts/messages they missed, distracting themselves from the autonomous behavior of locking their car. At my campus in grad school a couple years back, there was one test campus police did where they showed way too many cars in a single garage were just left unlocked. They would test every car, leaving notes behind and maintaining an increased presence on the floors they tested (since they were marking unlocked cars).

    All that being said, information not presented which would change my working theory (since this was not a direct police request for help but a sensationalized news story):

    * How many of each make and model car was successfully broken into/unsuccessfully accessed? (one or two of each a meaningful sample does not make)

    * Is there any confirmed sighting of this ‘device’? From what I saw, I couldn’t make out anything looking like it. The one with the gentleman walking by a car and surprised it opened quickly transferred his drink into the ‘device hand’, suggesting it was likely free.

    * Which neighborhoods/garages is this happening in? Based on the appearance of the neighborhood where the guy had a camera on his car, it looked like a nicer one where people would have more sense of comfort. The garage could be one supplying mainly a single corporate building, where many arrive at the same start time, and hence even if you listen for locks clicking or the confirmation horn, you might end up hearing someone else’s if it’s not a primary process of focus.

    * Is there evidence other than the driver’s assurances that the cars were locked? Presumably, with video surveillance available, the police went back in time to see if the car was in fact locked by the driver, but one cannot assume without evidence.

    From the evidence presented thus far, it’s hard to conclude anything other than driver error. But again, there could be evidence that wasn’t presented which would change this stance. Plus, the police may be pressured to do a fuller investigation as based on the cars and drivers, the noisiest victims appear to be middle to upper middle class, which sadly carries more weight than it should.

    That being said, my best theory of a device if one existed: simple brute-force broadcaster. A device which rapidly broadcasts known codes along with random codes of the correct length. Simple strolling would allow a shotgun approach to see what sticks. This would explain the pause by the cars of the gentleman with accomplice – taking the time required to quickly broadcast a known dictionary, and the surprise of the other gentleman, a random key struck after he passed. This would also explain make/model preference – different devices on different frequencies and different levels of security. With today’s miniaturization of higher performance computers in the forms of tablets and phones, there seems to be enough power out there to make a good go at it. This would leave no evidence behind,

    (sorry for enormity of this comment – my ocd towards puzzles doesn’t easily permit me to walk away without a proper go at it.)

    -James

    1. “That being said, my best theory of a device if one existed: simple brute-force broadcaster. A device which rapidly broadcasts known codes along with random codes of the correct length. Simple strolling would allow a shotgun approach to see what sticks.” – James

      I’d say this was the most plausible. Unlock codes would/could be/are issued to manufacturer garages.

      Someone loses their keys, rings up a manufacturer certified garage: “help, I’m locked out of my car” – service guy grabs code for that registration number. Programs a spare key and meets customer, along with a hefty bill no doubt!

      All it takes is a savvy mechanic and bribe/threat in the right direction to get these codes and nab a spare key to hack apart – “sorry boss I lost it on my last job!” (saying that, it could be an employee with nothing to lose here/getting fired anyway, as possibly losing one of these keys may be a sack-able offence!). A relative works at a Ford certified/trained garage, stuff (even important stuff!) goes missing ALL the time and nobody gives a shit!

      Hack the key apart, scribble up some code, download the unlock codes and the program to a cheap micro-controller dev platform of their choice, sprag the controller output to the transmitter output.

      Bingo, I’m sure with a button press it could rattle through all those unlock codes and “clunk”: x1 stolen motor!

      1. Locked out of car? Usually that means the keys are inside. There’s lots of methods (the simplest of which is an inflatable wedge and a stiff rod that can hit the unlock button) to open a locked car door.

        Yes, a skilled and well-equipped locksmith, or a dealer, can sometimes make a new key for a modern car on the spot, but that’s unnecessary. These thieves weren’t stealing cars. They were stealing stuff from within cars. AFAICT, no attempt to drive the car was ever performed.

        So. Take apart a key and reprogram? Meh. You’re overthinking the situation. The car door’s lock simply has mechanical pins and tumblers, just like most any other lock. If it were any more complicated than that, a dead battery would mean either a broken window or a recycling center…and somehow I think if dead batteries were killing cars absolutely, that this would be bigger news than a thief discovering someone leaving the vehicle unlocked.

        Which is all that appears to be the case here: Thief approaches unlocked car, pulls handle gently, car door opens. I don’t see any indication of some magic device being used, except for the sensationalist Today show and a clueless cop insisting that it must be some new sorcery.

  35. This has been happening for the last year in South Africa. The guys use an electric gate remote and hold the button in to put it into program mode. At that stage it blocks all the 433MHz frequencies and prevents the car from locking.

    1. I kinda doubt that. Most car remotes work on a rolling set of IDs. Now if someone figured out the algorithm that generates that code they could record the arming code. Since most people have to hit their remotes at least twice (once to lock and once to arm and possibly a third time because it didn’t register a click) they now have a series to build off of.

      Even if they can’t reverse engineer the sequence they could just let the algorithm run on a PC and save the results to a database. Have a Raspberry Pi nearby and do a database look-up when it reads a sequence. Have the RPi program an Arduino with the next possible 10 IDs in the most likely sequence and then walk over and blast the car with the sequence.

      The reason for the passenger side attacks is most likely so they can see an indicator light or dashboard sequence on a Uvo/Sync ID code. Something triggers it to appear that they use the info for the hack. More exotic hacks could be code injection through Bluetooth or tire pressure sensors.
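As an added illustration of the "rolling set of IDs" mentioned in the reply above (not part of the thread, and not any manufacturer's real scheme): a receiver-side check in Python that rejects replayed, stale, forged and far-ahead codes. HMAC-SHA256 stands in for the fob cipher, and the frame layout, key, serial number and window size are all constructed assumptions.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead window; real receivers pick their own value


def fob_code(key: bytes, serial: int, counter: int) -> bytes:
    """Frame a fob would send: serial (4B) + counter (4B) + truncated MAC (8B)."""
    msg = serial.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return msg + hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Receiver:
    """Car-side state: the shared key, the paired serial, last accepted counter."""

    def __init__(self, key: bytes, serial: int, counter: int = 0):
        self.key, self.serial, self.last = key, serial, counter

    def accept(self, frame: bytes) -> str:
        if len(frame) != 16:
            return "malformed"
        serial = int.from_bytes(frame[:4], "big")
        counter = int.from_bytes(frame[4:8], "big")
        expected = hmac.new(self.key, frame[:8], hashlib.sha256).digest()[:8]
        # Authenticate first, so unauthenticated frames never touch the counter.
        if serial != self.serial or not hmac.compare_digest(expected, frame[8:]):
            return "bad-auth"
        if counter <= self.last:
            return "replay"          # already used, or older than a used code
        if counter - self.last > WINDOW:
            return "out-of-window"   # too far ahead; would need a resync step
        self.last = counter          # only a valid, fresh code advances state
        return "ok"


def demo() -> list:
    key = bytes(range(16))           # constructed sample key
    rx = Receiver(key, serial=0x1234)
    first = fob_code(key, 0x1234, 1)
    return [
        rx.accept(first),                              # fresh code
        rx.accept(first),                              # same frame again
        rx.accept(fob_code(key, 0x1234, 5)),           # presses 2-4 never heard
        rx.accept(fob_code(key, 0x1234, 3)),           # stale once 5 was accepted
        rx.accept(fob_code(b"\x00" * 16, 0x1234, 6)),  # wrong key
        rx.accept(fob_code(key, 0x1234, 500)),         # far outside the window
    ]


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is what lets a fob pressed out of range stay in sync, and the `counter <= self.last` check is what retires every earlier code as soon as a later one is accepted.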

  36. He may be doing something as simple as holding a key remote so as not to look suspicious when going up to a car, trying the door handle to see if the owner forgot to lock the car. Never actually using the key remote to open any doors.

    1. This is my thinking too. Holding out the key fob at least makes it look to casual observers like he’s the owner coming back for something. Much less probable that a casual observer is also the owner of the car to know he doesn’t belong. I think this is much less hi-tech than everyone is thinking, and he’s just trying doors at random; not everyone remembers to lock their doors.

  37. I also think the cars are unlocked. When you use a key fob the lights usually blink on the front or back of the car, and the device they say you can barely see just looks like a door handle, and someone just freezes the frame to make it look like they were just standing there. The inside light did not turn on until they touch the handle; that is another indicator to me that a keyless method was not used, with no indication they are being unlocked. My main vehicle I drive is a GMC truck and I have no experience with all the makes and models; they might act differently.

  38. Probably blue tac overloading the sensor. You can make different patterns on blue tac by putting it on fabric or other materials. The sensor in combination with ease of access programming for the true driver probably makes the assumption that a dotted matrix couldn’t be anything but the driver or a default setting.

  39. I have not read all of the comments, but this was my take: on one of the videos CBS showed, you can clearly see the “perp” (sorry, too many TV police dramas…) turn back after walking by the door, did he perhaps hear the door unlock? My take because of this, and I do not have a knowledge of how keyless entry works, is an RFID proximity type of keyless entry with some type of a random (key frequency) generator, perhaps using a small subset of known or a backdoor code or overload with a higher frequency. Had all of the “perps” touched the car like in another of the videos, I would have gone with a type of electric pulse.

    1. He was surprised because it was unlocked. He pulled the handle, the dome light came on as if the door were about to be opened, and kept walking nonchalantly (because, seriously: if you’re walking down the sidewalk trying door handles, do you really stop and study each one?).

      It felt different. He came back and gave it another tug. It opened.

      ‘Nuff said. The car was simply unlocked.

      News at 11: $big_city layman leaves car unlocked, has things stolen from inside; blames sorcery.
