Ask Hackaday: How are these thieves exploiting automotive keyless entry?

A new attack on automotive keyless entry systems is making headlines and we want to know how you think it’s being done. The Today Show reports that vehicles of different makes and models are being broken into using keyless entry on the passenger’s side of the car. It sounds like thieves steal items found inside rather than the vehicles themselves, which makes these crimes distinctly different from the keyless ignition thefts of a year ago.

So how are they doing this? Here are the clues: The thieves have been filmed entering only the passenger side of the car. They hold a small device in their hand to unlock the doors and disable the alarm. And there is evidence that it doesn’t work on 100% of vehicles they try. Could it be some hidden manufacturer code reset? Has an encryption algorithm been hacked to sniff the keyfob identifier at a previous time? Or do you think we’re completely off track? Let us know your opinion by leaving a comment.

[Thanks Mom]

368 thoughts on “Ask Hackaday: How are these thieves exploiting automotive keyless entry?”

  1. You know, entry ONLY from the passenger side would sort of give the mini-EMP suggestion some credibility. What controls are on the passenger side of the car? Typically the Lock / Unlock button and window controls only. The ECU and fusebox are typically on the driver side of the vehicle.

    Triggering a mini-emp (or other device) only on the passenger side would avoid shorting out the entire system and only trigger the window AND lock/unlock button…

    1. The mini-EMP concept is bunk: Find a digital device. Expose it to random radiation of sufficient intensity that it misbehaves. What happens? Random stuff.

      But what’s happening here is specific stuff, not random stuff. Of all of the reports of this activity, none of them involve random stuff happening.

      And never mind the fact that whatever is on the passenger side is connected electrically with wires to other stuff on the driver’s side. Whatever signals are present at one end of the wire are present also at the other end.

      My theory is that in all cases, there is no magic handheld device. I certainly don’t see one in the videos.

      I suspect that in many cases folks simply failed to properly lock their car doors, even though they’re -sure- that they did so.

      And it’s possible that some manner of jammer is in use that prevented a lock signal from the owner’s own remote from behaving properly to begin with. This would actually be fairly easy: Put a battery-powered jamming device somewhere (under a tree, inside of a plastic bin, whatever) and wait for folks to come home and fail to lock their cars.

      And, of course: Passenger-side only, because all good thieves always enter from the easiest place possible. They’re just as efficient (==lazy) as the rest of us, and the passenger side has both a glovebox which may contain something valuable, and lacks a steering wheel which otherwise would inhibit mobility.

      (In other “news,” window-smashing pilferers always break a back window on a 4-door car. Why? Because sitting in broken glass sucks.)

      1. I do have to say that a related concept of power and clock glitching on microcontrollers often seems to yield useful results even with the stimulus being random. You are unlikely to make the system behave truly randomly – you are likely to cause a small disturbance that changes one bit of a variable or changes the code path. Many of these will result in nothing happening – if something hangs, the watchdog timer will reset it. Generally the only observable effect will be things the system was designed to do anyway, but not in the order that was intended.

        You’ve also got the fact that there has not been any demonstration of a portable EMP device that could even have this random effect.

  2. This just happened to my dad’s 2012 Jeep Wrangler. We have it on video, the kid comes up through the passenger door and holds his left hand to the handle for half a second before the car opens up. Is there a way to upload the video on this website? Perhaps some of you can chime in on it.

  3. What about a pair of repeaters / transceivers? One guy trails the owner and the other one approaches the car. The repeaters transmit signals between the fob and the car. Thus the car and fob can talk to each other and fool the car into thinking the fob is right next to the car.

    The system probably keeps track of the delay between fob and the car. If the transceiver in the car is located near the passenger side door, it might explain why the burglar enters from that side: to lower the delay. A too long delay might also explain why the scheme sometimes fails. Entering from the passenger’s side might also just be a habit or provide better access to the glove compartment, though.
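The round-trip-delay check this comment speculates about is the standard defence against a two-repeater relay: the car times its challenge/response and refuses to unlock if the reply arrives later than a nearby fob could physically manage. The block below is an added toy simulation, not code from the page or from any vehicle manufacturer. The HMAC challenge/response, the 2 m range bound, the 50 µs fob processing time, the 1 µs jitter allowance and the per-hop repeater latency are all constructed assumptions; time is computed from distance and latency rather than measured, so the example runs deterministically offline.

```python
import hashlib
import hmac
import os

C_M_PER_S = 299_792_458.0

# Assumed tolerances for this toy model; not from the page or any vehicle spec.
MAX_RANGE_M = 2.0          # the fob must appear within 2 m of the door antenna
FOB_PROCESSING_S = 50e-6   # assumed constant time the fob needs to compute a reply
SLACK_S = 1e-6             # assumed allowance for timing jitter


def max_round_trip_s():
    """Latest acceptable reply time: radio flight both ways plus fob compute time."""
    return 2 * MAX_RANGE_M / C_M_PER_S + FOB_PROCESSING_S + SLACK_S


class Fob:
    """Passive-entry fob: answers a random challenge with a keyed MAC."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.key, nonce, hashlib.sha256).digest()[:8]


class Car:
    """Door controller: issues the challenge, checks the MAC and the round-trip time."""

    def __init__(self, key: bytes):
        self.key = key

    def new_challenge(self) -> bytes:
        return os.urandom(8)

    def check(self, nonce: bytes, response: bytes, round_trip_s: float):
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, response):
            return (False, "bad-mac")       # wrong fob, or a forged reply
        if round_trip_s > max_round_trip_s():
            return (False, "too-slow")      # reply is valid but came from too far away
        return (True, "unlock")


def exchange(car: Car, fob: Fob, fob_distance_m: float, relay_latency_s: float = 0.0):
    """Simulate one challenge/response.

    The round-trip time is computed, not measured: radio flight time for the
    given distance, the fob's processing time, and (optionally) the extra delay
    a pair of repeaters adds on each leg of the trip.
    """
    nonce = car.new_challenge()
    response = fob.respond(nonce)
    rtt = 2 * fob_distance_m / C_M_PER_S + FOB_PROCESSING_S + 2 * relay_latency_s
    return car.check(nonce, response, rtt)


def demo():
    key = b"constructed-demo-key"          # constructed shared secret for the example
    car, fob = Car(key), Fob(key)
    return {
        # owner standing at the door: fast enough, MAC correct
        "fob_at_door": exchange(car, fob, 1.0),
        # real fob 200 m away, reached through repeaters adding 20 us per hop
        "relayed_fob_200m": exchange(car, fob, 200.0, relay_latency_s=20e-6),
        # a fob holding a different key never passes the MAC check
        "wrong_key": exchange(car, Fob(b"other-key"), 1.0),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note what the numbers say about the comment's theory: the radio flight time for a few metres is only nanoseconds, so the check only works if the fob's own processing time is fixed and tightly bounded; a relay that adds tens of microseconds is easy to catch, while one that adds less than the jitter allowance is not. That is why the comment's "a too long delay might explain why the scheme sometimes fails" is plausible only for vehicles whose protocol enforces a bound at all.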

  4. The RF receiver is located right behind the door handle on the passenger side. It would be my guess that they are using a high watt transmitter to overload the receiver. It only needs a small voltage drop on the circuit for the computer to turn off the security system and power the door lock actuator. A simple Google search gives it all up.

    1. 1. Not seen a single car with the RF receiver in the passenger door. Sometimes an RFID/prox tag reader is there.
       2. The security system isn’t disabled by a small voltage drop – this is a car, everything is designed to deal with noise.
       3. Why would that unlock the door?

  5. Why passenger side?
    Simple, you have access to glove compartment and other parts of the car easier. The driver side has the steering wheel. And usually valuables are left either on the passenger side, glove compartment or hand rest. Easier access is from passenger side.

    The device? I don’t think there’s anything there. Just unlocked doors. The light inside the car goes on only when the door handle is pulled and the door opens. Usually for newer cars the light goes on when you unlock, as well as lights, signals etc.

  6. It overpowers the insulation properties used on the outside of the wiring, thus allowing current to pass through the wire that sends the current to the lock motor to unlock. The auto industry will have to now design cars with a grounded-out door setup along with separate wire harnesses, one (the unlock line) that is separate from all metal and other wire contact but closer to the inside of the cab rather than the outer door. Similar to the problem Ford had with the Windstars for some years. When someone turned the wipers on, the sliding doors would open. The cause was the insulation on the wires was too thin for the peak current running through when the motor was on. It would allow it to jump and pass through the insulation into the neighboring wires on the harness. Wire harnesses in cars can be overcome with a higher amp, same voltage run.

  7. All you need is a receiver to capture the code from the key, store that code, then retransmit it later to access the vehicle and turn off the alarm. After papers are taken from the glove box close the vehicle and send the same code again to reset the alarm and lock it.

    This has been done elsewhere and the cure for the area was to convince people to use the physical key to lock and unlock their vehicle so no key code is broadcast.

    I think the answer is to be able to use a separate system in the vehicle running in parallel and maybe even discontinue the original equipment. Use a separate device such as an infrared controller to set the alarm and lock the door. That would work as long as the area doesn’t go the same way with the same sort of device or the smart thieves will counter that too.
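The capture-and-retransmit scheme in this comment only works against a fob that broadcasts the same unlock frame every time. The added example below (not code from the page, nor any manufacturer's implementation) contrasts that fixed-code design with a rolling-code receiver that binds each frame to an incrementing counter under a keyed MAC and accepts a counter only once. The 4-byte counter, the truncated HMAC-SHA256 tag, the 16-press resync window and the constructed key are assumptions chosen for the demonstration.

```python
import hashlib
import hmac


class FixedCodeFob:
    """Weak design: every button press broadcasts the same unlock frame."""

    def __init__(self, code: bytes):
        self.code = code

    def press(self) -> bytes:
        return self.code


class FixedCodeReceiver:
    def __init__(self, code: bytes):
        self.code = code

    def accept(self, frame: bytes) -> bool:
        # Anyone who recorded one press can replay it forever.
        return hmac.compare_digest(frame, self.code)


def _tag(key: bytes, counter: int) -> bytes:
    """Assumed frame MAC: HMAC-SHA256 over the counter, truncated to 4 bytes."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class RollingCodeFob:
    """Each press sends counter || MAC(key, counter); the counter never repeats."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        return self.counter.to_bytes(4, "big") + _tag(self.key, self.counter)


class RollingCodeReceiver:
    WINDOW = 16  # assumed resync window: presses made out of range are tolerated

    def __init__(self, key: bytes):
        self.key = key
        self.last = 0  # highest counter accepted so far

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 8:
            return False
        counter = int.from_bytes(frame[:4], "big")
        if not hmac.compare_digest(_tag(self.key, counter), frame[4:]):
            return False  # forged or corrupted frame
        if not (self.last < counter <= self.last + self.WINDOW):
            return False  # already used (replay) or too far ahead
        self.last = counter
        return True


def replay_demo():
    """Record one legitimate press of each fob type and send it a second time."""
    code = b"\xde\xad\xbe\xef"  # constructed fixed code
    fixed_fob, fixed_rx = FixedCodeFob(code), FixedCodeReceiver(code)
    captured = fixed_fob.press()
    fixed_rx.accept(captured)                  # owner's own press
    fixed_replay = fixed_rx.accept(captured)   # same frame sent again

    key = b"constructed-rolling-key"
    roll_fob, roll_rx = RollingCodeFob(key), RollingCodeReceiver(key)
    captured = roll_fob.press()
    owner_ok = roll_rx.accept(captured)        # first use of counter 1
    rolling_replay = roll_rx.accept(captured)  # counter 1 again: rejected

    # Owner presses the fob three times out of range; the next press in range
    # lands inside the resync window and is still accepted.
    for _ in range(3):
        roll_fob.press()
    resync_ok = roll_rx.accept(roll_fob.press())

    return {
        "fixed_replay_accepted": fixed_replay,
        "rolling_owner_accepted": owner_ok,
        "rolling_replay_accepted": rolling_replay,
        "rolling_resync_accepted": resync_ok,
    }


if __name__ == "__main__":
    for name, value in replay_demo().items():
        print(f"{name}: {value}")
```

The design point is the one-time counter: a recorded frame is worthless once the receiver has seen it. Rolling codes do not, however, help against the live relay of a challenge/response discussed earlier in the thread, since there the fob itself is answering in real time.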

  8. I’m surprised no one asked ‘how many times is always’ when they say the thieves always enter the passenger side. If they’ve been filmed 10 or fewer times it’s well within the realm of possibility that it’s just a fluke, the equivalent of tossing a coin and coming up heads 10 times in a row.

  9. I left my truck in a parking garage and locked the doors by pushing the button on the door. I watched the driver’s door and the driver’s side back door lock before I closed the door. The next morning there was stuff missing from my truck. My wife and daughter beat me to the truck and had to wait until I unlocked the doors before they could enter the passenger side. No marks on the truck from being broken into. You tell me. I know that there can’t be as many different frequencies as there are vehicles.

  10. This is an old post, but since it was referenced in a recent email I’ma gonna give my two bits worth.
    First, some facts.
    Cellphone signals induce audio frequency signals in wires when held close to them. Any audio amplifier with poorly shielded wiring can be used to demonstrate this.
    Most consumer electronics systems use the I2C protocol to allow communications between subsystems.

    So it would be possible, in theory, to reverse-engineer the signals used by a vehicle’s security system to open the passenger doors and turn off the alarm. Then use a 2.4 GHz transmitter to inject these signals into the wiring running through the door panel.

    If most vehicle security systems happen to use the same signals for their sub-systems, you would find many vehicles are vulnerable to that kind of attack.

    1. Only problem I see there is OE amplified systems are EM shielded or noise from the ignition system would bleed through causing a very annoying whine in the system. On the other hand many manufacturers have integrated so many CAN-BUS subsystems that if the head unit is removed 3rd party adapters are required to maintain correct functionality. If the CAN-BUS protocol can be hacked wirelessly, through Bluetooth or another integrated method, then theoretically one could have access to just about any feature including security.

  11. Gonna blame Microsoft for this one. Most aftermarket nav systems use windows CE as a base. New (and some not so new) nav systems can integrate with OE features. Microsoft + OE integration = hackers/thieves dream. Fucking windows.

  12. If these cars have had aftermarket security systems with remote start feature added, then it’s quite possible the thieves are using one of several possibilities. A dealership master FOB (DEI) or they’ve figured out how to compromise the remote start’s immobilizer bypass. The immobilizer bypass is a device installed by aftermarket security systems to allow the remote start to function on a car that requires a smart or PATS ignition key in the ignition. Because the bypass device interfaces directly with the car’s data bus it also allows access to other functions supported by the car manufacturer: window up/down, door and trunk/hatch control etc.

  13. Update. An owner happened to have internal video running in his car. You can distinctly hear the doors unlock when the person placed the box at the window. So the car WAS locked. There is also external video that showed the person pacing around with the box. These boxes have now shown up in Las Vegas and cars are locked before they are broken into.

  14. Android apps, it’s the way it’s being done. Download an application that sends a radio frequency to the vehicle and if you send the correct signal “Boom” you just unlocked the vehicle. The anti-theft system works through radio frequencies. Look it up yourself if you need to.

    1. The video with the backpack may be using an amplifier, as it would take a backpack to carry the battery power an amplifier would need, but an amplifier can’t be the technology the small handheld devices some thieves have been seen with are using.
