
Keeping Your Car Safe from Electronic Thieves - pzb
http://www.nytimes.com/2015/04/16/style/keeping-your-car-safe-from-electronic-thieves.html
======
MrFoof
The article is unfortunately something that's been happening in Europe for
some time. It's just now that the tooling and toys are starting to become
prevalent in the US. Europe has the "advantage" of being able to simply drive
a car to its ultimate destination in Africa or Russia, and getting cars out of
England doesn't require much more effort.

"How much worse could it be in Europe?"

 _Last month, Range Rovers in posh areas of London were being stolen so often
that police were instructed to pull over any Range Rover in the vicinity to
confirm it was being driven by its owner, the paper reported—which seems to be
an extraordinary measure._

It’s problematic enough that Scotland Yard has published bulletins on it, and
has a website about the kinds of thefts and how to prevent it:
[http://content.met.police.uk/Site/keylessvehicletheft](http://content.met.police.uk/Site/keylessvehicletheft)

For those a bit more interested in the topic, The Sunday Times did a neat
overview: [http://www.driving.co.uk/car-clinic/six-ways-thieves-can-bre...](http://www.driving.co.uk/car-clinic/six-ways-thieves-can-break-into-a-car-and-how-to-prevent-it/)

~~~
gambiting
In London, insurance companies stopped insuring Range Rovers if they are kept
on the street overnight. They will only insure it if it's kept in a locked
garage. That's how bad it is.

[http://www.autoexpress.co.uk/land-rover/range-rover/89183/ra...](http://www.autoexpress.co.uk/land-rover/range-rover/89183/range-rover-owners-refused-insurance-due-to-theft-risk)

------
dbloom
For those of you not in the loop, these "keyless" systems let you walk up to
your car and open your door without getting your key out of your pocket. There
is a proximity sensor under the door handle (similar to the proximity sensor on
your smartphone). When the proximity sensor is triggered, it searches for a
nearby key fob and then instantly unlocks. You can also usually start the car
(with a push-button start) without getting out the key. And you can lock the
doors (from outside the car) by pressing a button on or near the door handle
with the fob in proximity. Basically, you never have to get your keys out for
any reason.

Anyway, fortunately, I can never find street parking near my apartment for my
Prius anyway. But I'm still going to find a small faraday cage I can leave by
my bed to put my keys in before I go to sleep...

~~~
mey
How does this work if you are around town, let's say eating lunch?

~~~
blueskin_
You could get an RFID-blocking wallet (should anyway, really) and put the key
in that.

I have one from [http://difrwear.com/](http://difrwear.com/); I've tested it
and it's never leaked any signal from cards inside; should work fine with keys
too.

------
schwap
I'm not quite satisfied with the explanation in the article -- maybe someone
with radio signal experience can help me out?

Assuming that the unlock is accomplished over 2-way communication (car calls
to key, key responds), I can understand how an amplifier could boost the car
signal to a key that was far away, but how does it boost the key's response to
accomplish the second half of the process?

~~~
paulgerhardt
The general theory is the amplification works both ways. The device listens
for any signal on a certain band and re-transmits it at a higher power.
Signals from the car to the keyfob are amplified as are signals from the
keyfob to the car. Noise canceling circuitry prevents it from getting into a
feedback loop. This sort of thing exists for garage door openers[1].

In practice, I have found the keyfobs tend to transmit with enough power that
50ft isn't a problem, provided they get an activation ping from the car.

[1] [http://www.ebay.com/itm/Signal-Repeater-Enhance-wireless-ran...](http://www.ebay.com/itm/Signal-Repeater-Enhance-wireless-range-300-1000m-315Mhz-/250785246549?rmvSB=true)

~~~
morganvachon
Exactly: It's not simply an amplifier, it's a repeater. It's similar to two-
way radio repeaters used by amateur radio and emergency communications, with
the major difference being that this sounds like a full duplex device on one
frequency, whereas radio communication repeaters generally use two sets of
frequencies in a half-duplex configuration.

------
infinotize
A different type of problem with electronic keys, mainly for motorcyclists, is
if you have the key lying nearby in, say, a garage, hop on and ride off
(there are some bikes with keyless start), you just stranded yourself wherever
you end up shutting the ignition off.

Harder to do with a car unless you forgot your keys and someone playing a joke
on you had an amplifier near your car.

~~~
mikeash
I spoke to a Tesla owner who had spoken to _another_ Tesla owner who locked
his keys in his car. Normally this wouldn't be possible, except he apparently
happened upon a dead spot in the interior of the car where it couldn't sense
the key. The car automatically locked when he walked away, and that was that.

With Tesla you have a backup, in that you can unlock the car with your phone,
as long as both the car and the phone have a signal. Of course this fellow
locked his phone in the car too....

~~~
Swizec
This used to happen regularly before central locking systems. When I was a
kid, buying a used car meant you didn't have central locking. I was probably
17 before my family had our first car with central locking.

Anyway, what happens there is you usually lock all doors before closing them.
Then when you close them, if the key is inside, oops.

This is mitigated in slightly more modern cars by the fact that driver-side doors
don't lock when they're open.

So I guess we had this beautiful period of the last 15 or 20 years where we
locked our cars by pressing a button on the key. Makes it impossible to lock
your keys into the car.

I wonder if we're going to decide that was better than keyless before keyless
becomes widespread.

~~~
mikeash
Personally, I love keyless systems. I also habitually lock my car (happens
automatically now, yay!) and never take the key out of my pocket, so leaving
it in the car by accident isn't an issue. Old habits die hard, though.

------
nine_k
This is a case when I'd literally like an SSH2 key for my car. With time-
proven code, perfect forward security, proof against replay attacks, and so
on.

Could be a small but lucrative business!

~~~
aidenn0
Did you read the article? It wouldn't be effective against this attack unless
you are required to take some action to open the door.

~~~
nine_k
Oh, yes, it's a different kind of attack! (What I thought about is recording
your key's transmission and replaying it later.)

For this, I'd opt for a button on the key; it's still better than not
forgetting to put the key in a Faraday cage. Cutting the power circuit and
adding a button that restores it must be much simpler than refitting the
entire car's locking system.

~~~
lambdaelite
There's already a button on the fob to unlock the doors. The proximity unlock
is a separate feature. The whole point of the proximity function is to remove
the need to push a button on the fob. Your idea makes no sense, unless you're
proposing deletion of the proximity unlock feature.

~~~
nine_k
Yes, I'd like to remove or severely limit this feature. When it's always on,
and it does not properly check for proximity of the key, it's broken by
design.

I'd rather have a button that allows for proximity unlock during 1-2 minutes
after pressing, much like Bluetooth public visibility.

If I had an existing key with this proximity misfeature, I'd like to modify it
as I described: having to press a button to unlock my car is for me preferable
to the risk of having it stolen.

~~~
lambdaelite
So you'd like to take the fob out of your pocket, push a button to enable
proximity unlock for a brief interval, place the fob back in your pocket, and
then have the door unlock when you approach the car?

I'm clearly missing something.

~~~
secabeen
It makes sense. Normally I don't keep my car key in my pocket when I'm at
home. It's on the desk, or on a hook, etc. So his model is that he hits the
button as he grabs the key to stick it in his pocket, then when he approaches
his car a few minutes later, the proximity unlock works.

You could add some security to the process without requiring the button press
by disabling the proximity unlock unless an accelerometer in the fob detects
that the fob is moving.

------
babuskov
Does the freezer really act like a Faraday cage?

Quick Google search suggests it isn't really effective:

[http://mentalfloss.com/article/51597/does-refrigerator-make-...](http://mentalfloss.com/article/51597/does-refrigerator-make-good-faraday-cage)

~~~
dbloom
Your microwave oven is likely a better choice, since its faraday cage-like
behavior is required for both safety and regulatory reasons.

~~~
xgbi
And your key battery will thank you... Freezer would kill the battery in a few
days of such treatment.

~~~
dbloom
Killing the battery isn't a bad idea either, actually :)

(Usually there's a recessed traditional key in the fob that you can use as a
backup)

~~~
vkjv
Wow, I didn't think of it until I read your comment, but it would be super
easy to add a switch to my fob!

With little more than a cap, you can throw on a button that enables the
feature for a period of time then disables it again.

------
lost_name
Fixing this issue would probably only happen in newer models of vehicles...
the keys for existing cars don't often change, and I'm not sure a recall would
ever be issued for something like this.

Here's another article from four years back; the tactic is likely older than
that:
[https://news.ycombinator.com/item?id=2079289](https://news.ycombinator.com/item?id=2079289)

~~~
csours
For older vehicles you can turn off the Auto Unlock / Lock feature.

------
downandout
I am not a hardware dev but I think this attack could be defeated by having
the car measure the amount of time the key takes to respond to the call outs.
If it takes more time than it should for the signal to travel a few feet, then
it shouldn't unlock. If they embraced this method then existing cars could be
protected with a software update instead of new hardware.

~~~
Luc
The signal travels 10 feet or 3m in 10^-8 seconds. I don't think the sampling
circuit has that kind of resolution.

~~~
ridgeguy
I think it could. For example, the Leica Disto2 laser rangefinder has a
minimum measuring distance of 5cm. I don't see why an RF-based system couldn't
do adequately for this use case.

[http://www.leica-geosystems.us/en/Leica-DISTO-D2_69656.htm](http://www.leica-geosystems.us/en/Leica-DISTO-D2_69656.htm)

------
ck2
So only cars that "self unlock" are affected right?

If you have remote but no self-unlock it should be okay, for now.

Toyota has a way to turn on and off certain features from the lock system by
reprogramming using a pattern of opening and closing the driver door and
inserting/removing the key. Same way you add/remove fobs.

So it might be possible to turn off self-unlock. You'd have to find the dealer
manual though.

added, or google it: [http://thepoch.com/2013/automatic-door-locking-and-unlocking...](http://thepoch.com/2013/automatic-door-locking-and-unlocking-on-toyota.html)

[http://www.toyota.com/t3Portal/document/om/OM33856U/pdf/sec_...](http://www.toyota.com/t3Portal/document/om/OM33856U/pdf/sec_01-02.pdf)

~~~
k_os
The article specifies there are brute-forcing radios out there that can open
BMWs, so no, everyone is in danger.

~~~
ck2
Well, I know you can remove all fobs from a system with that same method
listed above, so then only the physical key will open it.

But that sucks there are so few codes they can all be scanned.

------
IshKebab
Oh if only they had read Wikipedia...

[https://en.wikipedia.org/wiki/Distance-bounding_protocol](https://en.wikipedia.org/wiki/Distance-bounding_protocol)

Apparently a solution was available in 2010.

~~~
paulgerhardt
Most of these keyfobs are running ~16MHz processors.

~~~
kevinchen
Distance verification would be implemented in the car though. The keyfob would
implement some secret function using analog circuitry as described in the
linked article.

~~~
paulgerhardt
I'm not sure you have taken this thought to its logical conclusion.

------
blueskin_
Free version: [https://archive.today/WyCdu](https://archive.today/WyCdu)

This is why I despair at all these new keyless cars. I would _pay money_ to
have a normal key over one of those, because it's more secure.

Also, one huge reason I would never want a keyless car: I can't check if it's
locked before I walk off; I just have to trust that it will lock once I'm far
enough away and before someone else jumps into it and drives off.

------
w8rbt
Convenience and radio waves will be the death of us all. Why do car companies
not have expert security and RF guys on staff? This is so predictable.

~~~
blueskin_
Same as the "internet of things" - they are with security where Microsoft was
in the 1990s. Security by obscurity is their watchword.

Always remember: "Internet Of Things is also called IOT, because you'd have to
be an IDIOT to believe they're secure".

------
buyx
I always check my car doors are locked before walking away, even though I have
a more conventional remote central locking system. For the last few years in
South Africa, crooks have been using things like garage door openers to block
the signals of remotes. Once the driver walks away from the car they steal its
contents.

~~~
e40
I press the lock on my fob twice and it chirps. That way I know it heard the
"lock yourself" command. I did it because I found my car unlocked a few times
and it must have either been that I forgot to lock it or the first keypress
didn't take.

------
mschuster91
And this is why I'll get myself a VW T4 again once I have the cash. Unlike T5,
easily repairable by yourself and not much electronic bullshit that is
vulnerable to hacking or just general wear (I'm looking at you, Renault).

Only thing I'm gonna add is a Raspberry Pi for general monitoring, webcam and
a 3G uplink with GPS.

------
puddlesmorning
Cocktail shaker would be a good alternative to a freezer.

[http://thelede.blogs.nytimes.com/2013/06/25/why-snowdens-vis...](http://thelede.blogs.nytimes.com/2013/06/25/why-snowdens-visitors-put-their-phones-in-the-fridge/)

~~~
chrsstrm
Nope. I just happened to have one handy and tried it. A cocktail shaker does
not a Faraday cage make.

[http://cl.ly/0X0K280n1Z06](http://cl.ly/0X0K280n1Z06)

------
brc
The one about the BMWs was a flaw where you could access the Obc port and get
the car to program itself a new key. In the 1 series there is an alarm dead
spot where the Obc port is. So the thieves would cut the glass, insert a
cable, program a blank key and then open the door and drive away.

------
k_os
I find it very funny that for such expensive cars there are no security
considerations.

I hope to god those contactless credit cards can't be just cloned with a long
range RFID reader or else this is gonna be a very funny few years.

~~~
thehoff
A Mazda3 and a Prius are _such expensive cars_?

~~~
k_os
Depends on where you live. 20k for a car where I live is very expensive. I
honestly would not risk even a 5k car on this broken system, is it that hard
to put a key in a hole?

~~~
mkr-hn
Most cars I see on the road and in parking lots are 5-20 years old. Anything
newer is a low-end model. Expensive cars stand out.

~~~
smackfu
OTOH, by definition, most cars are going to be 5-20 years old.

------
ChuckMcM
I wonder how many combinations they use. For old school keys there was always
a small chance the key would work in a different car. Would be a pain if you
shared a combo with a nearby neighbor.

~~~
Shivetya
Back in the late eighties and early nineties it wasn't difficult if you had a
Ford product. My Escort key would unlock another same color Escort in the
parking lot. My Aunt was able to take the Mercury to the mall but was locked
out as she had her husband's keys to his Ford (I forget the model).

However now with the new chipped keys that is far less likely. Yet at the same
time we introduce new means to communicate with cars it's likely without some
sort of industry standards there will be holes as manufacturers will not be
inclined to pass on lessons learned to others.

~~~
orbitur
It happened to a family member recently, for her mid-2000s Ford Expedition.
She unlocked and entered a similar looking Expedition before realizing all the
stuff in the console wasn't hers.

------
Interestante
There’s one place already selling “military spec” faraday cages for this exact
purpose: [http://www.carkeycage.com](http://www.carkeycage.com)

------
state
I remember someone around 2001 describing vulnerabilities in keyless entry to
me. It sounded technically feasible, but I was surprised that I never read
about it or heard about it happening to anyone. I guess I wasn't reading
Jalopnik, but you'd think that this would have gotten more attention earlier.

Who knows, maybe I'm just not paying attention.

~~~
nroets
KeeLoq was widely used back then. Careless users make it theoretically
vulnerable to replay attacks, but it's rarely exploited.

[https://en.wikipedia.org/wiki/KeeLoq](https://en.wikipedia.org/wiki/KeeLoq)

~~~
state
Thanks! I could never remember the reference.

------
mborsuk
Ok so this allows them to unlock the car, maybe start it, though the article
doesn't really get into that, but then what? After they drive beyond the range
of the amplified key transceiver?

~~~
jewel
I imagine for safety reasons the car won't shut off just because it's out of
range. If it did it'd certainly solve this problem.

In any case, they'd just drive it to the chop shop.

~~~
GlickWick
I can confirm that it doesn't shut off. At least in my case, it beeps for a
while saying "KEY NOT DETECTED", but it doesn't seem to actually do anything
about it.

When my key battery was low this would occasionally happen and it wouldn't
actually do anything until you need to actually start the car again after
stopping it.

------
franciscop
So this is basically a MITM attack. When is TLS coming to car keys?

~~~
ef4
This is not really a MITM attack. TLS would not have mitigated it.

The attackers are just extending the range over which the key and the car can
hear each other. The attackers don't need to decrypt or modify any of the
traffic.
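
The point made in this subthread, together with the timing check and distance-bounding idea raised earlier in the discussion, as an added example that is not part of the original thread: a relay passes a cryptographic challenge-response untouched, and only a bound on round-trip time rejects it. This is a simplified time-of-flight check in simulated time, not a full distance-bounding protocol; the class names, the 1 µs fob turnaround, the relay latency and the distances are all assumptions.

```python
import hashlib
import hmac
import os

C = 299_792_458.0  # speed of light, m/s

class Fob:
    """Fob that answers a challenge with an HMAC after a fixed turnaround."""
    def __init__(self, key, turnaround_s):
        self.key, self.turnaround_s = key, turnaround_s

    def respond(self, challenge):
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

class RadioPath:
    """Simulated car<->fob path. A relay forwards the bytes unchanged; all it
    adds is distance and forwarding latency (applied once per direction)."""
    def __init__(self, fob, distance_m, relay_latency_s=0.0):
        self.fob, self.distance_m = fob, distance_m
        self.relay_latency_s = relay_latency_s

    def exchange(self, challenge):
        rtt = (2 * self.distance_m / C + self.fob.turnaround_s
               + 2 * self.relay_latency_s)
        return self.fob.respond(challenge), rtt

class Car:
    def __init__(self, key, fob_turnaround_s, max_distance_m=None):
        self.key = key
        self.fob_turnaround_s = fob_turnaround_s
        self.max_distance_m = max_distance_m  # None = cryptographic check only

    def try_unlock(self, path):
        challenge = os.urandom(16)  # fresh nonce: stops replay, not relay
        response, rtt = path.exchange(challenge)
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return False
        if self.max_distance_m is None:
            return True  # a relayed answer is still a correct answer
        implied_m = (rtt - self.fob_turnaround_s) * C / 2
        return implied_m <= self.max_distance_m

def distance_error_m(timing_error_s):
    """Ranging error produced by an uncertainty in the measured round trip."""
    return timing_error_s * C / 2

def demo():
    key, turnaround = os.urandom(32), 1e-6  # constructed values
    fob = Fob(key, turnaround)
    paths = {"direct": RadioPath(fob, 1.0),
             "relayed": RadioPath(fob, 15.0, relay_latency_s=50e-9)}
    cars = {"crypto_only": Car(key, turnaround),
            "bounded": Car(key, turnaround, max_distance_m=3.0),
            "wrong_key": Car(os.urandom(32), turnaround)}
    return {(c, p): car.try_unlock(path)
            for c, car in cars.items() for p, path in paths.items()}
```

`demo()` shows the crypto-only car unlocking on both paths while the bounded car accepts only the direct one. `distance_error_m(1 / 16e6)` is about 9.4 m, the ranging error from one clock period at the ~16 MHz figure mentioned in the thread, so the bound only holds if the fob's turnaround is fixed to well below that.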

------
jamesg1
I can see the high frequency signal being boosted, but how is the low frequency
response from the key being boosted back to the car, as it can usually only go
a few inches?

------
omegant
I know people who have rewired some fundamental part of the car like the fuel
pump or something like that. There is a combination of the car buttons that
must be pressed to start the car; if not, you may start it but the engine will
stop after some minutes. It must be done by someone that knows electronics,
but doesn't seem that difficult to implement (although probably expensive), and
it's very hard to detect and avoid by thieves if done properly.

------
nervous
this opens a new era in the car-sharing business!

------
DannoHung
I wonder if the Apple Pay system is vulnerable to a similar attack?

~~~
fiatmoney
Apple Pay requires a thumb press or other confirmation to proceed with the
transaction.

~~~
DannoHung
On the watch is it vulnerable? I thought it only required waving your wrist at
the pay point?

