Hack long enough and hard enough, and it’s a pretty safe bet that you’ll eventually cause unintentional RF emissions. Most of us will likely have our regulatory transgression go unnoticed. But for one unlucky hacker in Ohio, a simple project ended up with a knock at the door by local authorities and pointed questions to determine why key fobs and garage door remotes in his neighborhood and beyond had suddenly been rendered useless, and why his house seemed to be at the center of the disturbance.
Few of us want this level of scrutiny for our projects, so let’s take a more in-depth look at the Great Ohio Key Fob Mystery, along with a look at the Federal Communications Commission regulations that govern what you can and cannot do on the airwaves. As it turns out, it’s easy to break the law, and it’s easy to get caught.
Continue reading “The Great Ohio Key Fob Mystery, or “Honey, I Jammed the Neighborhood!””
Almost all modern cars come with keyless entry, some even come with keyless start. Of course, the price you pay for this technology is a bulky plastic keyfob that is an absolute pain to remove from your pockets, and generally spoils the lines of your carefully chosen outfit. [Jeremy] decided enough was enough.
The project begins with a careful disassembly of the original key. This is important to avoid damaging the PCB inside, particularly if there are any delicate wire links between different sections of the keyfob. With the piece disassembled, it was then time to start designing a replacement encasement to hasten escapement while pacing the pavement.
The 3D printer really is the perfect tool for the job here, and [Jeremy] employs it well. With this being a proximity-based keyfob, the buttons are only necessary if you want to operate the locks at a distance. They simply took up too much vertical space, so they had to go. In the end, with a redesigned housing for the PCB, and while retaining the backup mechanical key, the new fob is just 11mm, down from 18mm – a nearly 40% saving in thickness!
It’s a tidy way to clean up your pockets and make life easier. We’ve seen similar work before, too.
Modern cars these days tend to come with proximity keys, which allow the driver to unlock and start the vehicle without having to remove the key from one’s pocket. While this is a great usability upgrade, for some reason key fobs continue to be bulky plastic monstrosities that when stuffed into a pocket can easily ruin the lines of a well-chosen outfit. This wasn’t good enough so [Patrick] decided to sort it out.
Starting with a Prius key, the first step was to disassemble the already broken key fob and separate out the PCB from the case and battery holder. With those removed, a coin cell was soldered to some wires connected to the PCB. As a substitute for the original case, a plastic card was cut up and the PCB inserted within, allowing the setup to fit neatly in a wallet’s card pocket. Lashings of tape bring the project home.
Unsurprisingly, it works, and works well. It raises the question why key fobs are so large and ungainly, taking up so much precious pocket space. We’d love to see even slimmer takes on this with 3D printed enclosures or even completely redesigned PCBs. Give it a go, and hit up the tip line. Else, check out how key fobs are routinely hacked to steal cars.
[Yingtao Zeng], [Qing Yang], and [Jun Li], a.k.a. the [UnicornTeam], developed the cheapest way so far to hack a passive keyless entry system, as found on some cars: around $22 in parts, give or take a buck. But that’s not all: they managed to increase the previously known effective range of this type of attack from 100 m to around 320 m. They gave a talk at HITB Amsterdam a couple of weeks ago and showed their results.
The attack in its essence is not new; it’s basically just a range extender for the keyfob. One radio stays near the car, the other near the car key, and the two radios relay the signals coming from the car to the keyfob and vice versa. This version of the hack stands out in that the [UnicornTeam] reverse engineered and decoded the keyless entry system’s signals (an NXP design), so they can send the decoded signals over any channel of their choice. The only constraint, from what we could tell, is the transmission timeout: the whole exchange has to complete within 27 ms. You could almost pull this off over the Internet instead of radio.
The actual key code is not cracked, as it is in a HiTag2 attack, and it’s not like hacking a rolling-code keyfob either. The signals are just sniffed, decoded and relayed between the two devices.
A suggested fix from the researchers is to decrease this 27 ms timeout. If it is short enough, at least the distance for these types of attacks is reduced. Even if that could eventually mitigate or reduce the impact of an attack on new cars, old cars are still at risk. We suggest that the passive keyless system is broken from the get-go: allowing the keyfob to open and start your car without any user interaction is asking for it. Are car drivers really so lazy that they can’t press a button to unlock their car? Anyway, if you’re stuck with one of these systems, it looks like the only sure fallback is the tinfoil hat. For the keyfob, of course.
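To make the timeout argument concrete, here is an added simulation of a passive keyless entry challenge/response under relay. It is not the UnicornTeam’s code and does not model the NXP signalling they decoded: the challenge, the HMAC-based response, the 1 ms fob processing time and the per-hop relay latency are all constructed assumptions, and a virtual clock stands in for real radio so the run is deterministic.

```python
import hmac
import hashlib
import os

# Assumed, simplified model of a passive keyless entry (PKES) challenge/response.
# This is not the NXP protocol from the talk; a virtual clock replaces real radio.
SHARED_SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed
SPEED_OF_LIGHT_M_PER_S = 299_792_458


class Clock:
    """Virtual clock in milliseconds so the simulation is deterministic."""

    def __init__(self):
        self.now_ms = 0.0

    def advance(self, ms):
        self.now_ms += ms


class KeyFob:
    def __init__(self, secret):
        self.secret = secret

    def respond(self, challenge):
        # Real fobs use a proprietary cipher; truncated HMAC-SHA256 stands in for it.
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()[:8]


class Car:
    def __init__(self, secret, timeout_ms, clock):
        self.secret = secret
        self.timeout_ms = timeout_ms
        self.clock = clock

    def try_unlock(self, channel):
        """Send a fresh challenge through `channel`; accept only a correct
        response that arrives before the timeout expires."""
        challenge = os.urandom(8)
        t0 = self.clock.now_ms
        response = channel(challenge)
        elapsed = self.clock.now_ms - t0
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()[:8]
        return hmac.compare_digest(response, expected) and elapsed <= self.timeout_ms


def make_channel(fob, clock, fob_ms=1.0, relay_ms=0.0):
    """Model the LF/UHF link: fob processing time plus, for an attack,
    the latency the relay pair adds on each hop (assumed values)."""
    def channel(challenge):
        clock.advance(relay_ms)   # car -> attacker radio A -> attacker radio B near the fob
        clock.advance(fob_ms)     # fob computes its response
        clock.advance(relay_ms)   # response relayed back to the car
        return fob.respond(challenge)
    return channel


def run_scenario(timeout_ms, relay_ms, fob_secret=SHARED_SECRET):
    """True if the car unlocks for a fob with `fob_secret` behind a relay of `relay_ms` per hop."""
    clock = Clock()
    car = Car(SHARED_SECRET, timeout_ms, clock)
    fob = KeyFob(fob_secret)
    return car.try_unlock(make_channel(fob, clock, relay_ms=relay_ms))


def light_distance_bound_m(timeout_ms, fob_ms=1.0):
    """Farthest (one-way) a relay could sit if the only delay were the speed of light."""
    budget_s = (timeout_ms - fob_ms) / 1000.0
    return budget_s * SPEED_OF_LIGHT_M_PER_S / 2


if __name__ == "__main__":
    print("owner's fob, 27 ms timeout:       ", run_scenario(27, relay_ms=0))
    print("relay adding 5 ms per hop, 27 ms: ", run_scenario(27, relay_ms=5))
    print("same relay, 2 ms timeout:         ", run_scenario(2, relay_ms=5))
    print("attacker without the secret:      ", run_scenario(27, relay_ms=0, fob_secret=b"wrong"))
    print(f"light-speed bound at 27 ms: {light_distance_bound_m(27) / 1000:.0f} km")
```

The cryptography is never the problem here: the relay forwards a valid response, so the car’s only defence is the clock. With a 27 ms budget, light alone could travel thousands of kilometres, which is why the relay’s range is set by hardware latency rather than physics. Tightening the timeout cuts off slow relays, but a purpose-built relay adds microseconds, not milliseconds, so a timeout can only shrink the attack radius; a real distance bound needs the time-of-flight measured at the physical layer.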
Most keyfobs out there that open cars, garage doors, and gates use a rolling code for security. This works by transmitting a different key every time you press the button. If the keys line up, the signal is considered legitimate and the door opens.
[Spencer] took a look into hacking rolling-code keyfobs using low-cost software-defined radio equipment. There are two parts to this attack. The first involves jamming the frequency the keyfob transmits on while recording with an RTL-SDR dongle. The jamming signal prevents the receiver from acknowledging the request, but it can be filtered out using GNU Radio to recover the key.
Since the receiver hasn’t seen this key yet, it will still be valid. By replaying the key, the receiver can be tricked. To pull off the replay, GNU Radio was used to demodulate the amplitude shift keying (ASK) signal used by the transmitter. This was played out of a computer sound card into an ASK transmitter module, which sent out a valid key.
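As an added illustration of why the jammed code stays valid, here is a constructed model of a rolling-code remote and receiver with a jam-and-replay attacker. It is not [Spencer]’s code or GNU Radio flowgraph: the counter-plus-tag frame format, the HMAC standing in for the remote’s cipher, and the 16-press resync window are assumptions. It goes one step past the text by capturing two jammed presses, replaying the first so the owner’s retry appears to work, and keeping the second for the attacker.

```python
import hmac
import hashlib

# Constructed model of a rolling-code remote. Real remotes encrypt the counter
# (KeeLoq and similar); an HMAC tag over the counter stands in for that here.
SECRET = bytes.fromhex("deadbeefcafef00d0123456789abcdef")  # constructed
WINDOW = 16  # assumed: receiver accepts a counter up to 16 presses ahead of the last one


def make_code(counter):
    """Frame = 4-byte counter || 4-byte tag. Every press yields a fresh frame."""
    ctr = counter.to_bytes(4, "big")
    tag = hmac.new(SECRET, ctr, hashlib.sha256).digest()[:4]
    return ctr + tag


class Remote:
    def __init__(self):
        self.counter = 0

    def press(self):
        self.counter += 1
        return make_code(self.counter)


class Receiver:
    def __init__(self):
        self.last_counter = 0

    def receive(self, frame):
        """Accept a frame only if its tag checks out and its counter is new and in-window."""
        counter = int.from_bytes(frame[:4], "big")
        if not hmac.compare_digest(frame, make_code(counter)):
            return False                       # forged or corrupted frame
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False                       # replay (counter already used) or too far ahead
        self.last_counter = counter
        return True


class Sniffer:
    """Attacker radio. Jamming means the receiver drops the frame while the
    sniffer, listening slightly off-frequency and filtering the jam out, keeps it."""

    def __init__(self):
        self.captured = []

    def jam_and_capture(self, frame):
        self.captured.append(frame)

    def replay(self, receiver):
        return receiver.receive(self.captured.pop(0))


def plain_replay():
    """No jamming: the receiver already consumed the counter, so a replay fails."""
    remote, receiver = Remote(), Receiver()
    frame = remote.press()
    first = receiver.receive(frame)
    second = receiver.receive(frame)
    return first, second


def rolljam():
    """Jam two presses, replay the first for the owner, keep the second for later."""
    remote, receiver, sniffer = Remote(), Receiver(), Sniffer()
    code1 = remote.press()
    sniffer.jam_and_capture(code1)            # press 1 jammed: door stays shut
    code2 = remote.press()
    sniffer.jam_and_capture(code2)            # press 2 jammed as well
    opened_for_owner = sniffer.replay(receiver)     # attacker replays code1; owner's "retry" works
    opened_for_attacker = sniffer.replay(receiver)  # later the attacker replays code2
    owner_still_works = receiver.receive(remote.press())  # counter 3 > 2: owner unaffected
    stale = receiver.receive(code2)           # code2 is now behind the counter
    return opened_for_owner, opened_for_attacker, owner_still_works, stale


if __name__ == "__main__":
    print("plain replay (first, second):", plain_replay())
    print("jam-and-replay (owner, attacker, owner again, stale):", rolljam())
```

The ordering matters: the stored code is only good until the owner’s next successful press advances the receiver’s counter past it, which is why the attacker wants to use it soon, or keep jamming until they do.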
A lot of higher-end cars are now coming out with RF fobs that unlock and start the car. There is no longer a physical key that is inserted in the ignition. It turns out that for BMW this means stealing the cars is extremely easy for a sophisticated criminal. We always liked the idea of metal keys that ALSO had a chip in them. The two-tiered security system makes sense to us, and would have prevented (or at least slowed down) the recent rash of BMW thefts that are going on in the UK.
So here’s the deal. A device like the one seen above can be attached to the On-Board Diagnostic (OBD) port of the vehicle. It can then be used to program a new keyfob. This of course is a necessary feature to replace a lost or broken device, but it seems the criminals have figured out how to do it themselves. Now the only hard part is getting inside the car without setting off the alarm. According to this article there are ultrasonic sensors inside which are designed to detect intrusion and immobilize the vehicle. But that’s somehow being circumvented.
You can check out a keyfob programming demo, as well as actual theft footage, after the break.
Continue reading “Keyless BMW cars prove to be very easy to steal”