Stealing Cars For 20 Bucks

[Yingtao Zeng], [Qing Yang], and [Jun Li], a.k.a. the [UnicornTeam], developed the cheapest way so far to hack a passive keyless entry system, as found on some cars: around $22 in parts, give or take a buck. But that’s not all: they managed to increase the previously known effective range of this type of attack from 100 m to around 320 m. They gave a talk at HITB Amsterdam a couple of weeks ago and showed their results.

The attack in its essence is not new; it is basically just a range extender for the keyfob. One radio stays near the car, the other near the car key, and the two radios relay the signals coming from the car to the keyfob and vice versa. This version of the hack stands out in that the [UnicornTeam] reverse engineered and decoded the keyless entry system signals, produced by NXP, so they can send the decoded signals via any channel of their choice. The only constraint, from what we could tell, is the transmission timeout: it all has to happen within 27 ms. You could almost pull this off over the Internet instead of radio.

The actual key code is not cracked, as in a HiTag2 attack, and it’s not like hacking a rolling-code keyfob either. The signals are just sniffed, decoded and relayed between the two devices.

A suggested fix from the researchers is to decrease this 27 ms timeout. If it is short enough, at least the distance for these types of attacks is reduced. Even if that could eventually mitigate or reduce the impact of an attack on new cars, old cars are still at risk. We suggest that the passive keyless system is broken from the get-go: allowing the keyfob to open and start your car without any user interaction is asking for it. Are car drivers really so lazy that they can’t press a button to unlock their car? Anyway, if you’re stuck with one of these systems, it looks like the only sure fallback is the tinfoil hat. For the keyfob, of course.
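To make the timeout argument concrete, here is an added example (not code from the UnicornTeam talk, nor the NXP protocol) that simulates a car-side challenge/response verifier which accepts a reply only if the tag checks out and the round trip finished within a deadline. It also turns a timeout budget into the maximum one-way distance a relay could add. The HMAC scheme, the 1 ms per-hop relay processing delay and the shared key are assumptions for illustration; the 27 ms timeout and 320 m range come from the article above, and the 15 ms fob turnaround figure from the comments below.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Speed of light in vacuum; radio propagation in air is close enough for a bound.
SPEED_OF_LIGHT_M_PER_S = 299_792_458.0


def max_added_one_way_distance_m(timeout_s: float, fob_turnaround_s: float,
                                 relay_overhead_s: float = 0.0) -> float:
    """Upper bound on how far (one way) a relay could stretch the car-fob link
    before the car's timeout expires. The slack left after the fob's own
    processing time and any relay processing is spent on round-trip
    propagation, then halved to get the one-way distance."""
    slack_s = timeout_s - fob_turnaround_s - relay_overhead_s
    if slack_s <= 0:
        return 0.0
    return slack_s * SPEED_OF_LIGHT_M_PER_S / 2.0


@dataclass
class Fob:
    """Toy keyfob (hypothetical scheme): answers a random challenge with a
    truncated HMAC-SHA256 tag. turnaround_s is the fob's own processing time;
    the 15 ms default is the figure quoted in the comments, not a measurement."""
    key: bytes
    turnaround_s: float = 0.015

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()[:8]


@dataclass
class Car:
    """Toy car-side verifier: unlocks only if the tag is correct AND the
    simulated round trip finished within timeout_s (a distance bound)."""
    key: bytes
    timeout_s: float

    def challenge_fob(self, fob: Fob, one_way_distance_m: float,
                      relay_hops: int = 0, hop_delay_s: float = 0.0):
        challenge = os.urandom(8)
        # Simulated elapsed time: fob processing + radio round trip + the
        # store-and-forward delay a relay adds per hop (a real relay pays at
        # least one bit period per hop; hop_delay_s is an assumed value).
        propagation_s = 2.0 * one_way_distance_m / SPEED_OF_LIGHT_M_PER_S
        elapsed_s = fob.turnaround_s + propagation_s + relay_hops * hop_delay_s
        tag = fob.respond(challenge)
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()[:8]
        tag_ok = hmac.compare_digest(tag, expected)
        return tag_ok and elapsed_s <= self.timeout_s, elapsed_s


def demo():
    """Compare a loose 27 ms timeout with one tightened to the fob turnaround
    plus a 100 us margin, for a fob 2 m away versus a relay bridging 320 m."""
    key = os.urandom(16)  # constructed shared secret
    fob = Fob(key)
    loose = Car(key, timeout_s=0.027)
    tight = Car(key, timeout_s=0.0151)
    relay = dict(relay_hops=2, hop_delay_s=0.001)  # assumed 1 ms per hop
    return {
        "loose_direct": loose.challenge_fob(fob, 2.0)[0],
        "loose_relayed": loose.challenge_fob(fob, 320.0, **relay)[0],
        "tight_direct": tight.challenge_fob(fob, 2.0)[0],
        "tight_relayed": tight.challenge_fob(fob, 320.0, **relay)[0],
    }


if __name__ == "__main__":
    print("slack of 27 ms timeout over a 15 ms turnaround allows up to "
          f"{max_added_one_way_distance_m(0.027, 0.015) / 1000:.0f} km one way")
    for name, unlocked in demo().items():
        print(f"{name}: {'unlock' if unlocked else 'reject'}")
```

The budget function makes the point raised in the comments: 12 ms of slack corresponds to roughly 1,800 km of one-way propagation, so radio travel time over 320 m is irrelevant and the only thing a tighter timeout can catch is the relay hardware's own processing delay. That only works if the fob's turnaround is deterministic enough that the car can set the deadline within a fraction of a millisecond of it.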

[via Wired]

85 thoughts on “Stealing Cars For 20 Bucks”

  1. “A suggested fix from the researchers is to decrease this 27 ms timeout. If it is short enough, at least the distance for these types of attacks is reduced.”

    Not likely to work. Radio waves cover a mile in a little over 5 microseconds, while the microcontroller in the keyfob probably needs several milliseconds to respond because it’s not particularly fast. The radio delay is negligible.

    I have a better idea: get rid of these stupid remote keys. If you have to carry the keyfob anyway, is it really that inconvenient to unlock the door with a key?

      1. I meant that as a solution for the manufacturers. I realize that an electronic lock system costs less than a mechanical system, but electronic locks have always been more trouble than they’re worth.

        1. They are really convenient though. Perhaps some kind of 2-factor authentication. Computer vision or other biometrics are really cheap these days and would add some extra level of security without hindering convenience.

          I mean if someone really wants to steal YOUR stuff, they’ll find a way regardless.

          1. Very true, but in the olden days, a person breaking into a car looked a great deal like a person breaking into a car, which was at least a bit of a deterrent. With this sort of hack, a person breaking into a car is indistinguishable from a person legally entering the car.

          2. It will be fun watching people stare into an iris scanner while holding groceries.
            And if you want to let a friend borrow your car you’ll have to go to the dealership and sign some legal contracts, update your car’s computer, and then pay a fee.

      2. Believe it or not, it might.

        Because I store my car in the winter (and sometimes forget to attach the float charger) one of the first things I looked up in my Owner’s Manual was how to get into the car if the battery died. The driver’s door handle has a paint-matched plastic cover over the lock cylinder. I would have *never* known it existed had I not read the manual because it blends in perfectly. The key is “hidden” inside the fob.

        I think the more likely use case for having a physical key for entry is if the fob’s battery dies. Even though my car is 100% keyless start, you can still start and drive the car with a dead fob battery. You must unlock and enter the car as described above, then place the fob into a tiny cubby under the rubber mat in the cup holder. The car must be able to identify the fob via RFID (or similar). This entire process must occur in under 30 seconds or the alarm will sound.

        I suspect many other newer cars (Ford, in my case) have something similar.

      1. +1
        FPGA for the win.

        If I looked around hard enough, I have some FPGA-based RF equipment in my office that I may be able to use to recreate this MITM attack. It would be an interesting experiment

    1. Receiving, decoding, encoding, and transmitting (then back again) adds delays though.
      (How much? Depends on the methodology, using standard digital radios it’s at the very least a whole bit period)

      Now, if the keyfob has a precisely determined time between [start of incoming packet] and [transmit reply], then you can set your timeout to be that plus a couple of CPU clock periods and you’ll at least make it hard for the thieves.

      The current implementation seems to use a delay of 27ms vs a usual turnaround time of 15ms. That 12ms gives you a lot of time to play. Imagine if the gap was only 20 nanoseconds…

      1. Keyfobs though have pretty tight constraints on processing power, because of form factor and especially because of power consumption. Anyone trying to jack a car will be able to use far more powerful/faster hardware to do so. Even if the fobs had asics, a large power hungry FPGA would be able to run circles around it.

      1. Depends on the implementation. On my Lexus, when I perform a ‘manual’ access using the physical key hidden in the fob, I must place the fob in front of the starter button within a certain time constraint (I believe 30s) or else the alarm will be triggered. The fob contains a passive RFID transponder and the car has an RFID reader behind the start button. AFAIK most manufacturers implement such a procedure for ‘keyless’ cars.

    2. +1
      Remote keys were a gimmick. Once manufacturers realised what they could get away with charging for keys and other parts to that system then it stuck and now they would like us to add it to the “box” replacement mentality that they would like us all to adhere to for all parts.

      Sad and one wonders how long before no one mends anything at all.

  2. lol score one for my old as shit Subaru, still can’t replace what can’t die!! Honestly I’ve got a 2008 Hyundai and an 88 Subaru. The Subaru I am willing to drive any time, the Hyundai I can’t even look at without feeling like I’m closer to a life in suburbia (BTW Hyundai for sale in BC). Meanwhile whenever one goes to the shop (i.e. I get to fix one of my cars) the newer one is always more tricky, always costs ten times as much and it’s never ever as serious work as the older one gets. Newer cars are built like bankers’ wet dreams, everything’s cheaply close to highway safety code and isn’t cheap to fix. Get an old E30 and look around under the hood, why don’t they keep building cars instead of these rolling iPod things that don’t look good and have shitty visibility. One day manufacturers will just sell you an air bag with a radio with no windows that will cost you the price of a house (in Vancouver).

    1. And apologize for everything. But not for being the only thing available, which it will try to sweep under the rug by always being “grateful” for the “opportunity” to meet your transportation-related expectations on this glorious day.

  3. Seriously, the best thing, no wait – the only good thing – about my 2016 Nissan Juke was that you NEVER had to get your keys out of your pocket. I hate fumbling around, particularly when I’ve got a big set of keys jammed in my pocket under my wallet. It’s always a pain to yank them out because they’re so bulky with a keyfob on them. If it can stay in my pocket, that’s awesome.

  4. “Are car drivers really so lazy that they can’t press a button to unlock their car?”

    Yes. and you nailed it. It’s 100% laziness. I refuse to buy any car with the keyless entry or start like that. Luckily it’s still optional on most car brands.

    1. Actually I love my Prius’ entry system because you don’t have to touch the fob – all you do is grab the door handle and pull, and if you have the fob in your pocket the door will unlock and open. I currently am driving a rental car and am amazed at how clunky it is to have to get the stupid fob out every time I want to open the door. Plus, because I’m an old fart I can’t distinguish between the lock button and the unlock button, so the horn keeps honking :-)

    2. They need to pass a law either making these kind of passive entry systems an optional feature that can never be standard that someone buys at their own risk or outright banning them.

        1. @ Jerry you don’t seem to pay attention they do force you to buy it by making it standard even on something as lowly as a Juke.
          If you want a new car you have to get one with this poorly implemented feature.

          1. No one is forcing you to buy a new car, I know I don’t. If you do it just means that you are willing to compromise, in which case, why should the manufacturer care? You just proved it wasn’t important enough to lose them the sale.

  5. Recently my car was broken into outside my house. No physical damage was done to the car and the only thing stolen was small change. It turned out that several neighbors on the same street had their cars broken into in the same way. Clearly the thieves were using some sort of rolling code generator to unlock the doors. I don’t think they had reached the sophistication of a “man in the middle” attack on proximity keys. The good news was that with this approach you don’t end up with a smashed window. On the other hand, it makes most cars very vulnerable. I have decided to address this problem in a number of ways. A long term idea is to have a sensitive receiver listening for code generators approaching. This would be a little complex but would give early warning. In the short term, I will be fitting a door lock disable for use when I park overnight or for a long time in a car park. As my door locks are on a dedicated fuse, I could simply remove the fuse. As I have the option of using a real key, this would be OK. A more convenient approach would use a modified “piggy back” fuse adaptor wired to a switch in the car. I am planning on going one step further and using a separate ESP8266 wifi based remote to enable the locks, by connecting the fuse, before using the regular remote. Although thieves could hack the wifi remote, the chances of them bothering are slim and the secondary remote could be secured if necessary. That way such thieves will most likely go on to the next car.

    1. I am absolutely loving your ‘wireless relay on fuse’ idea! I’m paranoid about my new car. First time I’ve ever had a “new” car, and I’m parking in front of cameras and away from the shopping-carts. ;)

      You are basically adding your own 2nd factor of authentication! Walk up, turn on your phone’s WiFi or Bluetooth, press keyfob, door unlocks. Awesome. :)
      Please create an .io or an Instructables or heck, an Imgur page if you get around to it.

      1. I will be adding an .io project as soon as I have time to work on it. I am currently waiting on some parts so the blog entry was very relevant . I am currently deciding whether to make an extension of an ESP8266 based project that I am working on now or a Bluetooth based Load Leveler project from a long time ago. The BT leveler used an App for control but I may want to incorporate the controller into a keyfob.

      1. Hopefully they would prefer to go to the next car. That would attract less attention. I only plan to use it where breaking a window would attract attention such as outside my house. My basic protection is not to keep anything valuable in my car.

        1. I like how this solution echoes the old joke about two guys camping who hear a bear approaching. One puts on his tennis shoes. The other guy mocks him saying you can’t outrun a bear. The shod guy says, I don’t need to outrun the bear, I only need to outrun you.

          You don’t need to get a brick through the window, you just need to make your car a less attractive target than the next guy’s car.

      1. This is for the scenario when the thieves are driving down the street with a code generator. They just go for the cars that open. If thieves want to target your car they will get in one way or another. In that case maybe you should just leave it unlocked!

        1. I only lock my cars when I have something worth taking, and only when I’m out & about. The driver’s side door is always left unlocked. I had too many friends that had windows broken, even though they got nothing (my dumb-assed son was the exception, after a long trip they were “too tired” to bring in their stuff, but apparently too tired to lock the doors. Lost their camera, laptop and a bunch of other stuff.)

          Also made me think it would be cool to put trackers in a bunch of old electronics, and leave the car unlocked.

  6. one of the few good reasons I have manual doors and windows on my 2007 car. no extra electric parts to break down. My alternator died a few months ago, and the engine still ran when nothing else worked. I was able to get back home to replace it.

  7. > Anyway, if you’re stuck with one of these systems, it looks like the only sure fallback is the tinfoil hat.

    That’s wrong. If you use the keys like any other RF key (pressing the “Lock” button on your fob after you leave your car) it will be just as safe as these.
    Keyless is disabled then. You will then have to press the “Unlock” button manually, next time you open your car. => hack warded.

    This works at least for my Renault and a few German cars I tried.

    So no need for tinfoil or selling your car if you are paranoid: just press a button. You will be just as safe as a traditional RF-Key (or even safer as you cannot forget to close at all).

    1. I just tried what you recommended on my 2016 Mustang. It doesn’t work on this particular car.

      From a distance, I pressed the lock button twice and waited for a honk confirmation. I then approached the car, grabbed the handle, heard the door-lock actuator cycle, then opened the door.

    2. The ability to turn it off should be a standard feature for any passive entry system and manufacturers should be forced by law to implement it on vehicles that lack it on their own dime.

    1. If my understanding is correct, the owner’s key is typically in the house. The two radios involved in the hack act as a relay between the key and the car. This effectively forces the car to think the key is within range of the car’s door, thus allowing the door to be opened without the fob actually being nearby. For my car, “within range” means the fob is within a few feet of the car.

      1. Once inside the car they have access to the OBD port which means they can bypass the immobilizer.
        Another thing they can in theory do with this setup is pair an extra fob to the car, since as far as the car is concerned a valid fob is inside it.

        1. If the car is equipped with keyless start as well as passive entry, they may not need to disable an immobilizer. They should be free to start the car and drive it as they please. Unless they are still within range, they wouldn’t be able to restart the car once it is turned off. They also shouldn’t have to fight with any steering column locking mechanisms.

          My car requires two valid, currently detected fobs to be present in order to add a third or a fourth (limit of 4). Other vehicles will likely behave differently.

          1. Hm, so if you really wanted to add a key, which would be super-convenient and nearly as good as a legit one, you’d just have to find where both car keys are. If the owner’s at home, then probably so are both the keys.

            Might be difficult to get both of them in range, but I suppose you could increase the power to the 315MHz transmitter, and maybe make the fob-receiving antenna a bit more efficient, directional. It’d add another stage to this proof-of-concept but might mean it’d become practical. To steal any car like this, one guy stands by the car, another by the house, and that’d be it!

            If you’ve got a paired fob that starts it every time, you could sell the car as a whole unit, ready to drive away. Maybe in another country, to avoid the police catching it. But worth a lot more than stripping for parts.

            Manufacturers removing the button from the key fob makes a really big difference to security!

    2. Just go to a car park. Wait for someone to park their car. Place one of the units in the staircase, and have the other in your hand. As they walk to the staircase, you walk to their car. Once they are in the staircase, you pull the handle, open the car.

  8. This is why those passive entry systems are a very bad idea since having the key always ready to transmit as soon as it detects the car means the attack footprint becomes much larger than if it only transmits when you press a button.
    The batteries also die much much quicker in the former as well.

      1. I have to wonder who complained about having to press a whole entire button, just to start his car. You still have to drive the fucker, what’s the point of fitting a thief-magnet to solve a non-existent inconvenience?

  9. odd. I just read a highly technical defensive “rant” from a Media Selected Expert about how this sort of thing absolutely could not happen and no way would cheap stuff bought from the Internet do this.


  10. I have keyless entry on my Corolla from 2008 and I don’t want my new car without such feature.

    It’s silly to deny the practicality of keyless entry. I would risk the possibility to have the car stolen for the benefit of this feature. Those who are paranoid – they should simply carry their fobs inside a protective case that would block the signal. Most of our expensive cars can be opened in 20 seconds anyway. If you ever locked yourself out you will see just how fast certified technicians can open your car.

    Also don’t forget that one receiver still needs to be in proximity of keyfob and that is not so easy to do, unless you believe that there is one guy from ‘gone in 60 seconds’ in every neighborhood.

    1. It’s not hard to do. You wait in a car park with your accomplice. When someone comes in in a nice car, your accomplice follows him and stays in range. People park their cars in public places, it just needs the driver to be within range of this extender-gadget, but out of sight of his car.

      Once the car’s started, you text your accomplice, and off you both go. Or let him go on his merry way, and meet later to split the money. There must be plenty of times you’ve parked your car, and some stranger’s followed you part of the way. Not for suspicious reasons, coincidence. So you wouldn’t think it unusual if this happened.

      Of course the chances of a team equipped with this happening to be near your car are small, but that’s irrelevant.

      1. You don’t even need an accomplice. You see someone get out of their car and walk towards the mall. You walk over to the car, drop one unit behind the front wheel, and follow the person into the mall with the second unit. Just long enough to be confident that the car is open, then go back to the car.

    2. (Active?) Keyless entry and passive keyless entry are different. For the sake of conversation, I’m going to call what your Corolla and my wife’s 2010 Corolla have, active keyless entry. With this type of system, for entry, the car and fob do not communicate unless a user intentionally presses a button on the fob. Therefore this exact man-in-the-middle attack will not work.

      It’s passive keyless entry systems where, without ANY user intervention, the car detects a key within proximity to the car that the car would then automatically unlock. That is where this attack vector is used.

  11. I’m having a hard time seeing how this is anything close to what could be reasonably called an attack vector.

    I have passive keyless entry and start in both my 2015 Cadillac and 2017 Explorer and I have absolutely no worry about either of them getting stolen. Especially the Cadillac – Go ahead and steal it…OnStar will tell me exactly where you brought it.

    But let’s say that you use a jammer and then rip out the OnStar module so that I can’t track down the car. Big deal – the car is absolutely useless to you. Even if you can get a hold of replacement key fobs, good luck getting them paired.

    Yeah, sure, if you can get the car started and you can bypass GPS tracking on the vehicles that have it, you could drive it somewhere to strip it for parts – but that’s not a new thing. Cars have been getting stolen and stripped since forever. That’s what I pay insurance for.

    1. I’m having a hard time seeing how this isn’t a reasonable attack vector. If I want to enter your vehicle without your permission, take whatever I want, and leave without a trace, all at the cost of about $20… that sounds like the ultimate attack vector to me. Heck, I want to try it on my own car for fun and science and to see if I can do it easier/cheaper.

      Just because someone can get into your car, it doesn’t mean they’re going to steal the car itself. They’ll take whatever isn’t fastened down. That’s far less risky. If they take something valuable, but less than your homeowner’s/renter’s insurance deductible, you’re out the money to replace it. Valuables stolen from a vehicle typically aren’t covered by auto insurance, even if you have Comprehensive coverage.

      I’m not particularly worried about this sort of exploit being used on me where I live, but I think others should be genuinely concerned that their automaker of choice has failed to protect them from such a simple exploit.

      1. It’s as much of an attack vector as a brick is.

        First off, who leaves anything of value in their vehicle to begin with? If you’re leaving anything worth stealing in your car, you’re just getting what’s coming to you.

        Second, someone who has the technical know-how to pull this off isn’t going to be doing this in hopes of randomly stumbling upon a vehicle with something of value inside. Stealing the contents of a vehicle is a crime of opportunity.

        At my old house, in a slightly less savoury neighbourhood, my old car had its window smashed twice by someone who thought there might be something worth stealing inside of it. My solution wasn’t to lock down the car or put a loud alarm, but rather to just not leave anything inside and leave the doors unlocked at night. Every once in a while there would be some change missing from the cup holder or a cigarette or two missing from the pack – but never another broken window.

        In short – Criminals are going to crime, no amount of security will stop that. Also – Door locks only serve to keep honest people honest.

        Personally, I’m not interested in giving up convenience so that I can make a criminal’s life ever so slightly more difficult.

      1. Read the above reply. An attack vector the same way that a crowbar to my front door or a brick to my car window is.

        It’s a very interesting hack; I won’t take that away from them. You’ll have my attention when/if they ever manage to crack the keycode OTA. Even the “crack” of the older systems mentioned in the article is only “meh” – You still need physical access to the OBD port.

        If anybody is looking to steal modern, expensive luxury vehicles, they’ll do it the same way that they’ve always done it…a man on the inside. Get someone at the dealer to program spare keys while the vehicle is in for service and then give you the programmed spare and the customer’s address.

    2. I think you’ll find that there’s a method detailed in the owner’s manual for how to learn new keys to the Cadillac without having any of the old keys. Look for “Programming without a Recognized Transmitter”.

  12. This is a problem that’s already been fixed in most cars, and that I know of any VWs newer than 2000.

    This setup will gain you entry to those cars. However actually starting the car and moving it depends on an RFID chip in the fob itself, that’s a PITA to get programmed. It’s also very difficult to work around the engine kill you get without that RFID. Even if you have the right fob signal and a 100% legit key AND an OBD-II linked laptop on hand, it’s still not easy.

    If they just want entry to your car however most aren’t going to resort to this. They’ll just do a smash and grab, breaking your window and grabbing whatever is inside. It’s very popular in my city. I’m so glad I have a garage to park in nowadays.

    As far as moving your car.. if they have the tech on hand to move your car, they’ve far exceeded the tech in this hack needed to gain entry. They’re going to be able to steal that car regardless, though it’s pointless since the value of the car isn’t that high to begin with.
