
Thieves boosting signal from key fobs inside homes to steal vehicles - colinprince
https://www.cbc.ca/news/canada/toronto/car-thefts-rising-1.4930890
======
nkrisc
I imagine improvements to the key fob could be made that would require a
mechanical coupling with the car in order to start it. That would circumvent
this attack.

~~~
jamescostian
I'm not sure if this is a joke about old keys being better, but I'd argue you
could have the benefits of new keys and old keys combined if you just made it
so that new keys _have_ to be inserted into some compartment inside of cars,
where they are authenticated by those cars. You can imagine a fob with a USB
that has a different authentication code than the wireless one it sends out,
and unless the USB is plugged into the car, you can only start the car up but
you can't drive it.

In addition, you can make it so that the car doesn't unlock due to proximity
with the fob, but rather, it only unlocks if you push the unlock button on the
fob.

~~~
burtonator
I'm not sure why we can't have some sort of challenge response protocol to
prevent MITM...

~~~
jwcacces
The key fob does use challenge-response, the thief just uses a glorified
range-extender to get the car started with the key normally out of range. The
car stays on once started. There's no MITM involved.

~~~
ken
Huh? The diagram in the article shows two men ("Thief 1", "Thief 2") between
the fob and the car, with arrows showing communications going from fob to
thief to car. According to the first sentence of the Wikipedia MITM article,
that's the very definition.

~~~
__jochen__
The relay is of the radio signal; there is no inspection or tampering of the
relayed messages. Basically, the extender tricks the car into thinking the fob
is closer than it is.

~~~
Piskvorrr
In other words, there's identification, there's authentication, but
authorization is replaced by "if in range, then authorized." Two out of three
is still game over.

------
HorizonXP
This happened to a family member of mine, here in Toronto. Lost their gorgeous
M5.

Their kid normally wakes up in the middle of the night, except this time, he
freaked right out like he was scared. They were wondering what was going on
with him, when one of the parents heard the M5 turn on (it's pretty distinct).
"That's my car!" His wife said, "Naw, you're crazy, no way."

Sure enough, key fob attack and theft. Caught on their video cameras.
Filed the police report, claimed insurance, cried internally about the loss of
a gorgeous vehicle. In all seriousness though, it's just a car, so no big
deal, but nothing will fix the violation you feel, and the fact that you were
being targeted.

If I were the insurance companies, I'd be putting pressure on the car
companies, but hey, maybe it's just the cost of doing business for them.
Better to pay out for a vehicle theft, vs. actual injuries from a collision.
That's probably why there's little incentive to fix it, especially if fixing
it makes your product less convenient.

~~~
ams6110
What's strange is, I can see unlocking the car and even starting it with this
attack -- but do the cars not continually (or at least every minute or two)
revalidate the presence of the key?

Once they got very far away from the house, the car should shut off. Or so I
would think.

~~~
pofilat
So if you accidentally drop your keys while entering, or your passenger
departs with your key, the car should lock itself 2 minutes later while you
are driving?

~~~
dawnerd
Yeah, sounds reasonable to me. Either of those situations should already be
solved. My car at least yells if the key goes away when the car is on, and if
you’re dumb enough to keep driving, that’s kinda on you.

~~~
toss1
No, it is not reasonable for the car to stop suddenly without the key. Even if
it stops by going into an emergency limp mode, this could seriously endanger
the occupants by leaving them in a dangerous traffic situation, a dangerous
location, or with other issues.

This is why every car company has examined it and chosen to not do it.

This feature actually saved huge inconvenience for us once. While visiting the
other coast for my wife's mom in the hospital, we used one of her parents' cars
to drive to the airport with her brother to drive it back. We get out at the
airport, get luggage, hugs, bye, head into terminal -- with the key still in
her purse. Car running, doesn't notify him until too late to chase. If it
stopped after 2min, he'd be stuck somewhere outside an airport 100mi away from
anyone he knew. Instead, he just drove it home, got & used the other key for a
few days, and we mailed back the first key when we arrived.

Things that seem reasonable at first....

~~~
swift532
As someone who turns their car on by inserting their key into a slot in it,
all this seems quite convoluted just for the convenience of pushing a button.
I don't understand why the car would even let you accelerate at all if the key
isn't inside the actual car (even if it's just in your pocket, if you insist
on pressing a button).

~~~
toss1
The key has to be in it to start it, but once started, the key can go away and
it will continue to run.

(& yes, I still start my car with a key that is inserted, and mine also has a
clutch & manual H-pattern 5-speed)

~~~
swift532
Sorry, perhaps I should've put my comment higher up. I was referring to the
general problem of the article, which I understood to be enabled (among other
things) by the possibility of unlocking, turning on, and driving a car without
the car having a means of verifying the key is inside/very close to the car.

------
Down_n_Out
Nothing new, has been going on for a while now. Market is already providing
your own "cage of Faraday[0]" for your fob.

[0] [https://www.amazon.com/faraday-cage-key-fob/s?page=1&rh=i%3A...](https://www.amazon.com/faraday-cage-key-fob/s?page=1&rh=i%3Aaps%2Ck%3Afaraday%20cage%20key%20fob)

~~~
retSava
Since most car manufacturers seem to be vulnerable (to my knowledge), I assume
all or most buy the same COTS keyfob + electronic lock product. Much like
Takata airbags or Bosch ECUs.

Being a step away from the problem probably helps keep that OEM manufacturer
from strapping in and solving it. They don't feel any pain from it.

~~~
mikeash
The vulnerability is pretty much inherent to the idea. No amount of encryption
can protect you from a relay attack. The only foolproof mitigation is to
enforce a short round trip time to ensure the fob is actually close to the
car, but with the short distances involved that means the fob has to generate
and transmit a response within a few nanoseconds.

~~~
alistproducer2
I disagree. A physical switch on the key itself which opened a circuit to the
decryption key would mean the key would need to physically be in the
possession of the driver.

~~~
raisedbyninjas
This eliminates all of the convenience of keyless entry/start.

~~~
alistproducer2
I suspect many people will happily give up such a convenience if it means they
won't have their cars stolen so easily.

~~~
huebnerob
You suspect that the average person is going to give up a convenience that
benefits them multiple times daily to ever so slightly mitigate the risk of an
incredibly rare problem? I do not agree.

~~~
zuppy
I'm a very technical person and I also wouldn't give up the convenience of
keyless entry. That is what insurance is for.

------
snarfy
> Key fobs are constantly broadcasting a signal that communicates with a
> specific vehicle, he said, and when it comes into a close enough range, the
> vehicle will open and start.

Why is it transmitting without the user pressing a button? Is that a feature?
As you walk up to the car it automatically starts like magic? I'm not familiar
with these newer cars.

~~~
gregmac
With my car, as soon as you touch the door handle (with the keyfob in your
pocket, or within a couple feet of the door) it unlocks, and to start the car
you push a button. It doesn't work from even 4' away (eg, someone else touches
the door handle while you're close) and it doesn't work from the other side
(eg, when the keyfob is close enough to the driver's side door, the passenger side
won't unlock).

The really nice feature is when you walk away (a few seconds after you're out
of range), the doors automatically lock. However, the downside of this feature
is my wife's car does not have it -- and so at least half of the time when I
am driving it I forget and leave it unlocked in parking lots.

~~~
ghaff
>so at least half of the time when I am driving it I forget and leave it
unlocked in parking lots

This is the problem with a lot of the newer tech in cars like backup alarms.
You become used to various features in your own car and when you rent a car
you need to consciously remember that the vehicle doesn't have $FEATURE.
Effectively, cars are becoming a lot less standardized. A car I rented a few
weeks ago beeped at me a couple times and it took a while before I realized it
was the lane departure warning triggering on a couple turns.

~~~
hasbot
It's a problem going the other way too. I drive an older vehicle and rented a
car. I nearly had to ask the attendant how to start the car. Then I was
entirely surprised when I stopped at a light and the engine turned off.

~~~
ghaff
And don't get me started on center consoles. At least my last rental supported
CarPlay and I was pleased to discover that it pretty much just worked. Other
systems I've had seemed far more intent on downloading all my contacts rather
than doing something useful from an entertainment or navigation perspective.

~~~
jasomill
Heh, that reminds me of _my_ last rental, where, not half an hour off the lot,
the touchscreen sound/navigation/??? system got stuck in some sort of reboot
loop. Cursory online research suggested the problem was a known firmware bug
that was unfixable without a service appointment.

A reasonable person would probably have turned around and exchanged the car
with the rental company at this point.

I am not a reasonable person.

Instead, I headed directly to a truck stop and purchased a heavy-duty power
inverter, dropped the back seat, and crammed my portable PA speaker into the
trunk, connected to the car's trunk-mounted battery through the inverter and
to my iPhone through a shielded audio cable run from the trunk to the front
seat.

The result sounded far better than it should have, and what it lacked in
convenience (I had to pop the trunk to power it down) and channel separation
(one speaker = mono), it more than made up for in dB SPL.

(for the record, I've also repaired eBay purchases that arrived in worse-than-
advertised condition rather than returning them, for no other reason than that
learning how to fix things is more fun than going through the hassle of
returning them)

~~~
jdironman
This is also the kind of 'hacker' mindset that got me interested in
technology. But instead of fixing to see how it worked, I broke it apart to
see how it did.

------
post_break
Ford is really bad with this. The Fiesta and Focus, you can program a new key
with the OBD2 port in under 60 seconds. Blast the key with a booster, get
inside the car, plug your laptop in, program a new key, drive off. People have
had to lock the OBD2 port, disable it, put keys into aluminum foil (my
method).
[https://www.youtube.com/watch?v=dvmSOEKfkug](https://www.youtube.com/watch?v=dvmSOEKfkug)

------
xenihn
This seems like as good a HN thread as any to ask this, since I've been
looking into it recently. What are some cars to look into if I'm interested in
the following things? Or what are some cars that I should specifically avoid?

- Low appeal to thieves interested in stealing the vehicle itself, due to the
hardware (locks and whatever else) being exceptionally difficult to deal with

- Some sort of secure/hidden compartment for concealing valuables (I know, I
know, don't keep anything valuable in your car, but let's say it will still be
more secure than keeping it outside of the car)

- Following up to that, an especially secure trunk (if such a thing exists)

- A wagon or smaller, so no minivans/crossovers or anything bigger

- Under $25k used for something recent, maintainable (was looking at Audis
but I don't want to risk maintenance issues), and with low mileage, which puts
Teslas out of the picture (sadly)

~~~
sturmeh
Get a manual, nobody steals a manual.

~~~
gerbilly
See: [https://imgur.com/gallery/snhvea1](https://imgur.com/gallery/snhvea1)

------
nine_k
I think convenience here is fundamentally at odds with security.

The convenience here is that the system _requires no confirmation from the
driver,_ no physical interaction with buttons, handles, keys, etc. The driver
just opens the door and starts the engine. This allows for a trivial remote
sniff-and-replay attack, not unlike copying a key temporarily.

I bet not having a lock on the door would be even more convenient. But for
some reason it's not widely practiced.

~~~
paulie_a
Leaving a car unlocked is sometimes safer, while not foolproof it reduces the
likelihood of getting your window smashed to loot the vehicle for valuables
(and non valuable items)

~~~
westbywest
Leaving car doors unlocked is SOP in urban corridors with high incidence of
petty theft. I.e. don't leave attractive objects in your vehicle, and leave it
unlocked so that would-be thieves can learn it themselves w/o smashing a
window. The problem here is being able to start the engine wirelessly, not simply
getting in.

~~~
asdff
My neighborhood just got hit with a string of robberies from inside cars. Not
one window was smashed; the thieves can simply use a thin piece of metal slid
between the window and door to enter vehicles about as quick as someone with a
key, just like what police do if you locked your key inside the car.

------
kazinator
> _Key fobs are constantly broadcasting a signal that communicates with a
> specific vehicle, he said, and when it comes into a close enough range, the
> vehicle will open and start._

It's a poor design for the system to take any access-escalating action without
an explicit command from the user that initiates a secured transaction that is
resistant to MITM.

It's poor design to assume that the range is based on raw signal strength; it
should use round-trip-time measurements (for packets exchanged with MITM
resistance).

~~~
darkmighty
RTT measurements can give proof-of-proximity (due to relativity), but I think
they're quite hard to get right (you'd need nanosecond RTT resolution in a
cheap keyfob) -- I think analog signal repeaters wouldn't add significant RTT.
It's not impossible though, GPS decoders work in a similar fashion.

Requiring user initiation seems like the adequate solution here...

~~~
xenadu02
The Apple Watch manages to handle RTT measurements to prevent exactly this
attack.

You don't need complexity in the FOB; the car starts the clock, sends the
signal, measures the time taken to reply. If it exceeds some threshold ignore
the response.

There is no way to spoof this if the request/response itself is using proper
cryptography.

------
verelo
My car was recently “broken into”, it’s a Mercedes C400, I thought it to be
fairly secure so my assumption has been that I forgot to lock the car. I just
double checked, and the car has an “auto-lock” feature and it is already
turned on...so...did this happen to me?

I just want an off switch in my fob, so I can disable it at night. More fancy
solutions would be a motion sensor on the fob to only power it when it had
recently moved, or for retrofits, this technology in a battery?

~~~
calmyournerves
You can turn off keyless-go by double pressing the close button. The LED on
the key will light up (short - long) as a confirmation.

~~~
verelo
Ha, that’s an interesting one! I am sure I’ve done that by accident given how
unreliable I find pulling the handle to be.

~~~
calmyournerves
Just to clarify: Double pressing the close button on the key, not the one on
the door handle. I was a bit unclear, sorry!

And it's only disabled temporarily. As soon as you press any button on the key
again (e.g. open the car), keyless-go will be activated again.

~~~
verelo
Hmm ok yeah, that wouldn't be it then. However it's still good to know! I'd
love to be able to just disable the remote without taking out the battery or
storing it in some faraday cage.

------
villuv
I wonder how hard it is to measure the delay between challenge and response...
Any distance extension would increase the signal flight time that should be
measurable.

~~~
shittyadmin
This has been proposed in the past yet I haven't seen any implementation of it
- perhaps because of increased power consumption of accurate timing components
needed? Any EEs able to comment on this?

------
siffland
There are a lot of great technical discussions here of ways to possibly solve
the issue. The real problem points back to the lackluster security the auto
industry is used to. Only if some sort of accountability or software security
testing requirement is enforced will this get fixed.

They have to have a mandatory recall if your Audi accelerates quickly by
itself (that was in the early 80s, I think), but no recall for a possible
vulnerability in a Jeep where someone can hack into the machine and control
the acceleration (and other items).

This would be worse with centrally controlled autonomous vehicles, they are
always sending and receiving data. Imagine the firmware on your car not being
updated after 2 years and being stuck with the still open vulnerabilities.

~~~
asdff
IIRC for the Audi 5000s it was because the brake and throttle were too close
and your foot or floormat frequently got stuck on top of the throttle. People
would shift out of park not realizing this and go flying, not any kind of
software or security issue.

~~~
siffland
You are correct, it was mechanical. I was just drawing a connection that
mandatory recalls exist for issues the auto industry is used to (i.e.
mechanical), but nothing exists to track and force updates to software issues
(like a CVE database; perhaps something does exist and I have not heard of it),
and they have not in the past been the best at software assurance.

It is kind of an apples to oranges comparison, but nonetheless it gets the
point across.

~~~
asdff
They don't issue recalls for every mechanical catastrophe, and they don't
ignore them for software issues either. When an automaker has a problem that
merits a recall, it's because very careful accounting has indicated it is
cheaper to roll out the recall than it would be to litigate or settle in
court, not from any kind of good faith action. Even Audi would have never had
that recall if only just a handful of people were injured or died from the
issue.

------
k_sze
“Greater Toronto Area” = GTA.

What a coincidence.

Jokes aside, this is bound to happen.

It’s disturbing that a vulnerability like this isn’t caught as a show-stopper
before the technology is sold to consumers.

~~~
lbriner
It's not a show-stopper. It's not even close to being a show-stopper any more
than having keys is also a vulnerability to having a car stolen.

All you have to do is keep the fob inside a shielded case at home and you're
fine.

~~~
josefresco
> All you have to do is keep the fob inside a shielded case at home and you're
> fine.

Because we all have Faraday cages in our homes, and I'm sure the salesman who
sold the car also made the customer aware of this vulnerability. /sarcasm.

~~~
dsfyu404ed
>Because we all have Faraday cages in our homes

Yes, most people who own cars new enough to have this vulnerability own
microwave ovens.

~~~
asdff
So you have to pull your keys out of your pocket and stick them in your
microwave every time you enter your house just to have the convenience of not
needing to take them out of your pocket when you approach the car.

~~~
dsfyu404ed
I know it's not a practical workaround. I'm just pointing out that most people
do technically have a Faraday cage in their homes.

~~~
k_sze
It’s gonna be fun when somebody forgets to take the fob out of the microwave
before warming their coffee.

------
Latteland
Tesla recently added a good workaround. They added a setting where you can
turn auto unlock or auto start off, which blocks this remote access hack. You
have to use your key fob button at least once, say to unlock the car and then
it just works wirelessly without further action.

My car is unlocked at night but in my garage. If they got in my garage somehow
and had the signal repeater they couldn't drive off unless I pushed the keyfob
button. In the morning I just have to push it once to go. You can also
en/disable auto door lock if you walk away.

Of course a general solution that blocks signal repeaters would be best. Tesla
has so many fun tweaks it's truly the programmer's car.

~~~
taw123
A motion sensor in the remote would also work and maintain the convenience.

~~~
Latteland
Unless it was in my pocket and I was walking around with it, which I do every
day.

~~~
oh_sigh
Why would a motion sensor not sense motion in your pocket?

~~~
bootlooped
I think they're saying the thieves could still execute the signal boosting
attack while the car owner is walking around with their keys.

------
raverbashing
It seems car manufacturers are eager to be "cool" but not thinking about the
consequences of their actions

Center "touchscreen" consoles with awful usability, shifters that are not
obvious (coupled with people that are too lazy to pull the parking brake) and
now this

~~~
fredley
A touchscreen is a terrible interface for anything in a car, since you _must_
look at it to operate it. Tactile dials/knobs you can feel for—and ideally
feel different to each other—are the best interface for anything in your car
that you want to use while driving.

Voice can be sort of ok, as long as your speech models are locally stored (no
internet blackspots), but deny access to those who cannot talk, or for whom
you haven't bothered to build a speech model that matches their
language/accent.

------
jaclaz
>"The vehicle will continue running in perpetuity until it runs out of gas or
until you shut it down," he said.

>"They do that for safety so that if you lose the key fob or if it loses
signal the vehicle doesn't shut down while you're driving, but that right
there is part of the vulnerability."

Anecdata, a few years ago my wife had a Renault "Megane" that used a sort of
"card" that worked with proximity. She opened and started/drove it without
ever taking the card out of her bag.

A couple of times I was driving it with her in the passenger seat, we arrived
at a shop, she got down in front of the door and went into the shop while I
was going to park it, when the car some 20-30 m away "locked itself" (cannot
remember if it stopped or just didn't allow more than - say - 5 km per hour)
with the display saying it couldn't find the card.

When she changed cars, with her new Renault (using the same kind of card, at
least visually, but a different car model) the card had to be inserted in a
slot to allow the Start/Run button to operate.

------
blang
This article gets written fairly often:

[https://www.nytimes.com/2015/04/16/style/keeping-your-car-sa...](https://www.nytimes.com/2015/04/16/style/keeping-your-car-safe-from-electronic-thieves.html)

[https://news.ycombinator.com/item?id=17733870](https://news.ycombinator.com/item?id=17733870)

[https://abc7news.com/archive/9079852/](https://abc7news.com/archive/9079852/)

[https://www.npr.org/sections/alltechconsidered/2018/02/23/58...](https://www.npr.org/sections/alltechconsidered/2018/02/23/583682220/this-gray-hat-hacker-breaks-into-your-car-to-prove-a-point)

------
z2
Two factor authentication for cars, here we come! Though, searching for this
phenomenon shows articles at least 3 years old warning to get Faraday cages or
otherwise wrap fobs in aluminum foil.

But do they really transmit all the time, or do they contain accelerometers or
something to prevent the battery from being wasted?

~~~
josefresco
2FA seems to make sense. Maybe a 4-6 digit pin that would be optional for
those in high risk areas/situations.

> But do they really transmit all the time, or do they contain accelerometers or
> something to prevent the battery from being wasted?

I'm curious about this as well. A family member has an older Nissan with a
keyless fob and I don't recall them ever having to replace batteries/keyfobs.

~~~
rainbowzootsuit
Some fobs use an inductive coil to recharge a battery within the key while the
key is in the ignition.

------
taw123
A motion sensor in the remote could mitigate the issue and maintain
convenience.

~~~
Forbo
How battery intensive are accelerometers? The last fob I had required a
battery change once every year or so already, increasing that frequency could
be quite annoying. And I'd rather not have yet another device I need to
regularly charge.

~~~
taw123
Anecdotally, I have a remote that lights up every time it's moved (to assist
finding it at night as it's a remote for a bed). I've had it for well over a
year and haven't changed the batteries yet. Granted, it runs on three AAA
batteries. Not entirely sure what tech it uses, but it's not necessarily a
full blown accelerometer.

Edit: some / all of the power drain would be offset because the RF transmitter
would be off while the sensor is on.

------
tomerico
I wonder how difficult it is to add some clock syncing and time-of-flight
measurements to ensure a certain distance.

If the speed of light is too fast, maybe using sound could work.

~~~
frankus
Apple claims that they use time-of-flight for their "Unlock with Apple Watch"
feature on macOS, so it seems like something that a car maker/supplier could
pull off, especially if they're willing to throw dedicated hardware at the
problem.

That said, the fob is much more battery-constrained than a watch that you
charge on a daily basis.

~~~
comboy
This is such an obvious solution that maybe some patents are the reason it's
not implemented by every car manufacturer.

~~~
williamscales
Indeed, the last time this attack vector came up on HN, it was pointed out
that one company has patented using time of flight to validate keyless entry.

Here's the patent:
[https://patents.google.com/patent/US8930045](https://patents.google.com/patent/US8930045)

~~~
andrewstuart2
`ping`. They were granted a patent for ping. That seems ridiculous.

~~~
williamscales
It also describes RADAR, or even LIDAR for that matter. It doesn't seem like
one should be able to patent something that is merely an application of a well
known physical principle. Maybe I misunderstand what "novel" means.

------
cameldrv
The car manufacturers are going to need to incorporate a time of flight
measurement into the key system. Obviously amplitude can be faked.

~~~
wglb
So the test for amplitude is aided by the fact that the signal strength
received at the car increases by a factor of four if the distance is cut in
half. Thus, you have a nice margin for setting your threshold.

With measuring the time, however, presuming that radio signal will travel on
the order of one foot per nanosecond, you have much less of a threshold
tolerance. If the unlock takes place within two feet of the car, that is two
nanoseconds. If the key sits 20 feet away, that is a 20-nanosecond one-way
travel. So this solution would need to be able to distinguish between a four
nanosecond gap (round trip time) and a 40-nanosecond round-trip time.

Add to that the turnaround time in the car CPU which I would imagine to be
some number of milliseconds, would 10 ms be reasonable?

Thus, the electronics in the car needs to distinguish between 10ms + 4 ns vs
10ms + 40 ns. And given jitter in any modern CPU/memory/OS/electronics device,
I would bet that the jitter totally swamps that.

(Keep in mind that this is a BOEC [https://en.wikipedia.org/wiki/Back-of-the-envelope_calculati...](https://en.wikipedia.org/wiki/Back-of-the-envelope_calculation))

------
DannyBee
This is of course not limited to cars or even this type of key fob, but
instead, anything that uses transmitter power as a proxy for
distance/proximity, and that transmitter power has any chance of being signal
boosted within reasonable means.

The only true solution is to stop using transmitter power as a proxy for
proximity when houses/etc are not opaque to that signal.

Instead, use something that the house is effectively opaque to for the
distance part of it.

I.e., include an ultrasonic receiver in the keyfob, transmitter in the car and
require it to output the distance to the car.

(or something, I'm just spitballing)

The problem is almost certainly the power requirement.

------
delibes
Looks like we have a new modern interpretation for 'boosting'

[https://www.urbandictionary.com/define.php?term=Boosting%20C...](https://www.urbandictionary.com/define.php?term=Boosting%20Cars)

------
megraf
I work at very large OEM. We've run the numbers, and key fob exploits are
_extremely_ rare. (most) Modern keys use rolling keys that are verified by the
ECU, making cloning (let alone initial pairing) extremely time consuming.
However, Keyless-go key fobs _can_ be captured and replayed (not necessarily
exploited). 99.99% of the time that cars are stolen (which we find much more
common in Europe due to small jurisdictions), someone will break a window,
steal your keys, and drive your car away.

(wireless) Key fob capturing and replaying require far more equipment than NFC
PVC card (credit card) cloning.

~~~
sroussey
Why clone? Why replay? You just need signal boosters so the key and the car
think they are next to each other.

~~~
megraf
Following around someone with a 'signal booster' could be very difficult. If
you capture and replay, you afford yourself a lot of advantages.

~~~
jiveturkey
It’s not difficult when you steal it from their house. Which is what happens.

~~~
megraf
See my original comment.

~~~
jiveturkey
?

Your original comment is that cloning is nearly if not entirely nonexistent.
Of course it has advantages. But it's difficult and doesn't happen in the real
world. What happens is replaying. Which isn't difficult.

------
Reason077
Here's some security camera footage of a car in the UK being stolen using a
relay attack:

[https://www.youtube.com/watch?v=odG2GX4_cUQ](https://www.youtube.com/watch?v=odG2GX4_cUQ)

------
Tade0
It's useful to note that less sophisticated methods still work as well.

I used to lease a 2015 Toyota Auris (facelift). One year into the lease someone
broke into it smashing the rear-left window and just drove away.

~~~
hkai
Curious how they started it?

~~~
peterwwillis
If it has an immobilizer? You can find immobilizer bypasses on sale online,
who knows if they work, or you can create your own and disable it yourself:
[https://www.youtube.com/watch?v=ispXq4EMrsY#t=24m45s](https://www.youtube.com/watch?v=ispXq4EMrsY#t=24m45s)
[https://github.com/fjvva/ecu-tool/wiki](https://github.com/fjvva/ecu-tool/wiki) (see also
[https://ioactive.com/pdfs/IOActive_Adventures_in_Automotive_...](https://ioactive.com/pdfs/IOActive_Adventures_in_Automotive_Networks_and_Control_Units.pdf)
and
[http://opengarages.org/handbook/ebook/](http://opengarages.org/handbook/ebook/))

So besides relaying the key, you can just hack via the CAN bus. There's also a
trick to use a second ECU to bypass the immobilizer, but that's probably too
time consuming.

Many manufacturers (inc. Toyota) also allow bypassing immobilizers and other
features using TechStream and a maintenance tool. If they claim you have to
buy a new ECU if you lose your master keys, call bullshit:
[https://attachments.priuschat.com/attachment-files/2015/10/9...](https://attachments.priuschat.com/attachment-files/2015/10/96213_T-SB-0043-14.pdf)

------
gambiting
I already put mine in a metallic bag for the night, or just press the "lock"
button twice which disables the keyless entry system entirely.

Manufacturers really need to hurry up and implement more accurate timing
detection in the keys - it should be absolutely trivial to detect how far away
the key is based on the response time, but for some reason manufacturers don't
do this yet.

Edit: I also know people who take the exact opposite approach with their
expensive vehicles - they leave the key in plain sight near the front door, so
if someone wants to steal the car using this method they can do so without
entering the house or if they do break in they will(hopefully) take the key
and leave, without threatening and possibly harming their family. I'm not sure
which way is better - preventing the thief from stealing your vehicle and risk
that they will then decide to break in and get the key from you, or let them
steal it and just deal with insurance later.

~~~
mrb
« _it should be absolutely trivial to detect how far away the key is based on
the response time_ »

It's not possible. A keyfob has a relatively slow R/F communication channel,
less than 1 Mbit/s (at best) because it's constrained by power. Thus the
"length" of a bit transmitted over the air is 300 meters or more. The receiver
needs to demodulate "300 meters" of R/F signal to recover a single bit. A
difference of +/- 10 meters when these thieves boost the signal across your
front yard is therefore indistinguishable from R/F noise and not demodulable
by the receiver. You can visualize this as a 300 meter bit that has a noisy
beginning and a noisy end.

That's why the distance-bounding techniques (term we use in the field) used by
car manufacturers are instead pretty primitive, such as measuring the strength
of the R/F signal (which is easily defeated by a proper signal booster.)

~~~
jwr
It is absolutely possible. As I wrote elsewhere in the comments, you need to
use radios with timestamping that can measure the distance (10cm accuracy is
achievable). See for example Decawave DW1000 radios.

Use those and you can base your distance estimation on time measurement,
rather than signal strength. Amplifiers won't help.

~~~
mrb
Nope, DW1000 can't work in an adversarial scenario.

Their ranging algorithm critically depends on the receiver time-stamping the
"leading edge" of the first bit of the first byte of the PHY header. This bit
is either always 0 or always 1 (it's part of the 802.15.4 data rate field), so
an attacker can easily cheat by preemptively sending a 0 or a 1 just before
the signal booster can relay the first legitimate bit from the keyfob. This
legitimate bit will be received (by the booster) while the preemptive bit is
still being transmitted, so the booster can smoothly transition to sending the
subsequent legitimate bits, and the receiver will have been completely fooled
that the keyfob is nearby.

DW1000 is nice but it only works in scenarios where both transmitters and
receivers are being honest to each other.

------
aj_g
It seems to me like there is often just as much creativity in thievery as
there is in entrepreneurship.

~~~
toyg
It _is_ astonishing the lengths some people will go to _not_ earn an honest
salary.

~~~
asdff
Everything is risk vs. reward in life.

------
seniorsassycat
Another commenter describes the key handshake. The car emits a high frequency
wake-up signal, the key receives the signal and emits a low frequency unlock
code. It is hard to restrict the time of the unlock code because its low
frequency limits the accuracy of your clock.

Could you honeypot the car's wake-up signal? If the car detects a delayed
broadcast of its wake-up signal it could trigger an alarm or disable
keyless entry. The high frequency signal will have lower tolerances for a
timing check.

Or car makers can provide honeypot keys. If the key receives a wake-up signal
it can alert the owner and disable keyless entry. The owner would put the
honeypots where they don't want their keys to activate.

~~~
firethief
> Could you honeypot the car's wake-up signal? If the car detects a delayed
> broadcast of its wake-up signal it could trigger an alarm or disable
> keyless entry. The high frequency signal will have lower tolerances for a
> timing check.

If the repeater is directional / shielded on the side toward the car, I'd
think it would be impossible to distinguish echoes of a repeated signal from
normal echoes.

------
mtgx
But people still blindly trust carmakers to make reliable and difficult to
hack fully software-based and with always-on internet access self-driving
vehicles.

They can't even secure the thing that directly unlocks your car and enables
thieves to steal it.

~~~
Someone1234
It is a legitimate point to a degree, vehicle makers have a long track record
of terrible software, and now they want to go headlong into one of the most
complicated software projects ever attempted by man.

It will be interesting to see how legal liability shapes up with self-driving.

------
ChuckMcM
That this vulnerability is being exploited in the wild isn't particularly new
news is it? Perhaps it is the fact that I live in the Bay Area but I was
walking with a home made Yagi (directional) antenna that I normally keep in
the camper for picking up distant WiFi signals and the police noticed enough
to stop and ask what was up. It does make me wonder if carrying around an SDR
will get you in trouble at some point :-)

------
INTPenis
I believe the issue is that key fobs are too small and underpowered to have
any real security.

Everything else in our lives we've automated using our cellphone and apps. So
why not cars?

Bring back the old mechanical coupling method, upgraded for better security in
close proximity, and provide a long range automation method via app.

Just like your standard light switch. We have the old mechanical way of using
it, and our new radio-based way via app.

------
vwvw
Research in this type of attack was published in 2010 already [1]. A spin-off
was created out of it [2] for those interested.

[1]
[https://eprint.iacr.org/2010/332.pdf](https://eprint.iacr.org/2010/332.pdf)

[2] [https://www.3db-access.com/](https://www.3db-access.com/)

------
extrapickles
Car makers should use frequency/channel hopping rather than time of flight
until doing time of flight gets cheaper. The car and fob would also broadcast
on frequencies/channels that are not in the preshared set to detect someone
trying to amplify.

The hopping pattern should be derived from a good cryptographic protocol that
also contains mutual attestation.

~~~
reaperducer
How would that affect battery life?

To you and me, changing the batteries in a key fob isn't a big deal. But more
than once I've seen people walk into the auto dealer's repair center because
their fob stopped working, and all the tech did to repair it is replace the
battery.

(If you think that sounds stupid, I work in healthcare, and we have employees
who spend a surprising amount of time teaching people how to put AA batteries
in their blood pressure and other medical gadgets.)

~~~
extrapickles
Not much at all. You use the traditional system to wake up the more powerful
radio/mcu.

------
jwr
A good solution to that problem is UWB radios with timestamping (like the
Decawave DW1000), which let you measure the time it takes for the signal to
travel. You can then place physical limits on the proximity, rather than
assuming that a strong radio signal means proximity.

Coupled with a cryptographic authentication protocol these solve the issue
quite nicely.

~~~
ghaff
It looks like the chips are about $10 each. That's quantity 1 but it's also
just the radio IC. It's not immediately obvious what the power draw would look
like in an application like this as the sleep mode draws far less power than
when it's operating. There is an open source project based on the chip.
[https://github.com/lab11/polypoint](https://github.com/lab11/polypoint)

What I'd really like to be able to do is to wirelessly tether a Tile-like
small long battery life device to a band (or watch) I wear with user
configurable distance settings but it doesn't look like the tech is quite
there today. UWB does seem to be the current approach you'd take though.
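
The two arguments above, mrb's (a bit at 1 Mbit/s is about 300 metres long on the air, and a DW1000-style timestamp can be gamed by sending a predictable leading symbol early) and jwr's (time-of-flight bounding coupled with a cryptographic challenge-response), as one simulated exchange. This is an added example written for this thread, not code from the original page, from Decawave, from 3db Access or from any car maker. The car, fob and relay are idealized models: the fob's turnaround time, the repeater box latency, the 2 m unlock bound, the 30 m gap between the two thieves' boxes and the 2 ns UWB pulse width are all assumptions chosen to show the arithmetic, not measured values. The MAC verifies through the relay (the boxes forward nonce and response untouched), the round-trip-time check rejects it, a recorded response fails against a fresh nonce, and the two helpers at the end put numbers on the symbol-length argument.

```python
"""Challenge-response plus round-trip-time distance bounding, simulated.

Added example for this thread; not code from any car maker, nor from the
Decawave DW1000 or 3db Access products mentioned above. Every timing number
below (fob turnaround, relay box latency, symbol durations) is an assumption
chosen to illustrate the argument, not a measured value.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

C = 299_792_458.0             # speed of light in m/s
FOB_TURNAROUND_S = 5e-6       # assumed fixed fob delay: receive nonce, compute MAC, start replying
MAX_DISTANCE_M = 2.0          # assumed policy: only unlock when the fob measures within 2 m
SHARED_KEY = bytes(range(32)) # constructed demo key; a real fob holds a per-vehicle secret


@dataclass
class Verdict:
    auth_ok: bool                # did the MAC over the fresh nonce verify?
    measured_distance_m: float   # distance inferred from the round trip
    accepted: bool               # auth_ok AND within the distance bound


class Fob:
    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        """Keyed response: a relay can forward this, but cannot forge it."""
        return hmac.new(self._key, nonce, hashlib.sha256).digest()[:8]


class Car:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self._nonce: Optional[bytes] = None

    def challenge(self) -> bytes:
        self._nonce = os.urandom(16)   # fresh per attempt, so an old response is useless
        return self._nonce

    def verify(self, response: bytes, rtt_s: float) -> Verdict:
        if self._nonce is None:
            return Verdict(False, float("inf"), False)
        expected = hmac.new(self._key, self._nonce, hashlib.sha256).digest()[:8]
        self._nonce = None             # single use: a second answer to the same nonce fails
        auth_ok = hmac.compare_digest(expected, response)
        # Time of flight is whatever is left after subtracting the fob's known turnaround.
        distance_m = max(0.0, (rtt_s - FOB_TURNAROUND_S) * C / 2)
        return Verdict(auth_ok, distance_m, auth_ok and distance_m <= MAX_DISTANCE_M)


def run_exchange(car: Car, fob: Fob, path_m: float, relay_delay_s: float = 0.0) -> Verdict:
    """One unlock attempt over a radio path of `path_m` metres one way.

    relay_delay_s is the total extra processing delay on the round trip added by
    any repeater boxes in the path (0 for the honest case)."""
    nonce = car.challenge()
    response = fob.respond(nonce)      # a relay forwards nonce and response unchanged
    rtt_s = 2 * path_m / C + FOB_TURNAROUND_S + relay_delay_s
    return car.verify(response, rtt_s)


def honest_unlock() -> Verdict:
    """Fob in the driver's hand, 1 m from the car."""
    return run_exchange(Car(SHARED_KEY), Fob(SHARED_KEY), path_m=1.0)


def relayed_unlock(box_latency_s: float = 1e-6) -> Verdict:
    """Thief 1's box 1 m from the car, thief 2's box 1 m from the fob on the hall
    table, the boxes 30 m apart (assumed). Two boxes each repeat the signal in
    both directions, so four passes through repeater electronics are added."""
    return run_exchange(Car(SHARED_KEY), Fob(SHARED_KEY),
                        path_m=1.0 + 30.0 + 1.0, relay_delay_s=4 * box_latency_s)


def replayed_response() -> Verdict:
    """Record one genuine response, then answer a later challenge with it."""
    car, fob = Car(SHARED_KEY), Fob(SHARED_KEY)
    recorded = fob.respond(car.challenge())
    car.challenge()                    # new nonce: the recording no longer matches
    return car.verify(recorded, 2 * 1.0 / C + FOB_TURNAROUND_S)


def bit_length_m(bitrate_bps: float) -> float:
    """Length of one symbol on the air: mrb's '300 metre bit' at 1 Mbit/s."""
    return C / bitrate_bps


def cheat_margin_m(symbol_duration_s: float) -> float:
    """Distance an attacker can shave off a time-of-flight measurement by sending
    a predictable leading symbol up to one symbol-time early (mrb's early-detect
    point): the timestamped edge arrives that much sooner than it should."""
    return symbol_duration_s * C / 2


if __name__ == "__main__":
    print("honest :", honest_unlock())
    print("relayed:", relayed_unlock())
    print("replay :", replayed_response())
    print(f"1 Mbit/s symbol length   : {bit_length_m(1e6):.0f} m")
    print(f"cheat margin, 1 us symbol: {cheat_margin_m(1e-6):.0f} m")
    print(f"cheat margin, 2 ns pulse : {cheat_margin_m(2e-9):.2f} m")
```

With the assumed numbers the relayed attempt authenticates but measures at roughly 630 m (32 m of extra path plus 4 µs of repeater latency), so the bound rejects it; even a zero-latency relay still measures the full 32 m path. The last two lines are the point of the UWB argument: a 1 µs symbol lets an attacker who can guess the leading symbol gain about 150 m, a 2 ns pulse only about 30 cm, which is why the signalling used for the timestamped edge matters as much as the cryptography behind it.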

------
deytempo
Wouldn’t the technology behind thwarting this essentially be a solution to the
man in the middle attack?

~~~
asimpletune
Yup

~~~
jiveturkey
no. it’s a relay attack, not a mitm attack. mitm acts at layer 7, relay at
layer 2.

------
secabeen
I've been surprised that no vendor has put a motion/vibration sensor in their
keyfobs. I know they're pretty power constrained in keyfobs, but it seems like
a pretty sensible protection to require the fob to be not sitting still on a
table to do a proximity-only unlock.

------
k_sze
Shower thought: make a system where you unlock and start your car using your
iPhone’s Face ID or Touch ID, and you can drive the car via the phone, like in
Golden Eye. That would be really cool. I don’t care about security. It just
sounds really cool.

------
pontifier
I'm convinced that time of flight analysis could solve this problem, and many
others. If someone could beat that, then they deserve much more than just a
new car.

I've currently got a blockchain "proof of proximity" idea on one of my back
burners.

------
CaRDiaK
Really good video of the attack in action here:
[https://www.youtube.com/watch?v=bR8RrmEizVg](https://www.youtube.com/watch?v=bR8RrmEizVg)

------
triviatise
I've tested a couple of things to see if they would block the signal by putting
the keys in the container and then standing next to the car and trying to open
the door.

Kids' lunch box would not block, small metal garbage can would not block,
cookie tin would not block. All would block if you lined the edge with
aluminum foil before putting the top on.

Foil-lined potato chip bag would block.

Wrapping in enough aluminum foil will block the signal.

Those faraday bags are convenient, but I park in the garage so I'm not that
worried. Garage door openers now have lock switches which prevent the door
from being opened using any opener.

~~~
rmetzler
I just read "Garage opener" and automatically I have to think about Samy
Kamkar's OpenSesame Hack [0].

Regarding the keyfobs, I've seen demonstrations on video where the RF signal
was relayed. I can search for them, but they were in German.

[0]:
[https://www.youtube.com/watch?v=iSSRaIU9_Vc](https://www.youtube.com/watch?v=iSSRaIU9_Vc)

------
billconan
Both my Audi Q5 and my roommate's Q5 mysteriously opened their trunk a few
times when parked close to our home. Now I dare not park it very close to our
home, assuming the issue is from the key fob.

------
GreeningRun
Not to be pedantic, but wait, what about the security by design concept? It is
at least astonishing that you implement a functionality without any thought to
how to protect it ...

------
gumby
I’m honestly more amazed that there is enough of an economy for someone to
design such a device and market it (ditto skimmers). I wouldn’t even know
where to look for such a thing — alibaba?

------
EGreg
This is ridiculous. I never understood why it's THAT needed for a keyfob to
open a car by merely being close to it. Whatever happened to key fobs you had
to PRESS to open a car?

~~~
dragonwriter
> I never understood why it's THAT needed for a keyfob to open a car by merely
> being close to it.

It's a convenience factor that makes a big difference for people that tend to
get to their car with full hands.

> Whatever happened to key fobs you had to PRESS to open a car?

They still exist, handsfree entry is an upgrade (or an included feature but
only on higher trim levels) on many models.

------
yonatron
I think it's the fault of the municipal government of Toronto. I mean really,
if you nickname your metropolitan area "the GTA", what do you think will
happen?!!

------
Reedx
The article recommends putting your fob upstairs or as far away as possible,
but that seems like false security.

What's considered a safe distance? How far away can they pick up the signal?

~~~
toyg
Measure how far away your car unlocks, then keep the keys as far from external
walls as that.

But to be honest it’s easier to keep them in a metal box that shuts properly.
That’s what i do (although my fob still needs interaction, so i should be a
bit safer, in theory).

Also consider that keyless cars actually still have a way to enter, be it
physical or remote: garage-supplied universal keys and software. VWs for
example have an old-school keyhole under a thin plastic bit on the door, so
that garages can access it when you lose the fob.

~~~
searchhay
Thieves are boosting the fob's signal. So it's not practical for car owners to
measure a safe distance.

------
quickthrower2
IoT security FTW!

Glad I have a key.

Easy fix: a thing called a "button" that you press before it broadcasts the
private key. Even better, also broadcast a different key each minute, like GA

~~~
rb808
The S in IoT stands for security.

------
PhasmaFelis
I'm confused. Are there cars where the fob can _automatically_ start the car,
without any button presses, _just_ from proximity?

How did they not realize that was a bad idea?

~~~
secabeen
Yes, the Tesla Model S and X keyfobs do not require any button presses.

~~~
RandallBrown
Not even without pressing a button on the car to start it?

~~~
secabeen
Just the brake pedal.

------
gray_-_wolf
Well I'm not sure that recommended solutions are better than the one I use.
Just turn this feature off and use my car keys as normal (lock/unlock button).

------
mirekrusin
My mother in law just got her car stolen 3 days ago in Nice, France, fob
thingy as well. Police just called today they found it, apparently car is ok.

------
mandeepj
This is really strange and shallow thinking of some manufacturers.

I have a 2009 car. It'd NOT start if I don't have my key fob inside the car.

~~~
tasty_freeze
I'm sure the car in these break-ins are like that too. The remote fob _is_
inside the car, but they have an RF relay outside the car which proxies the
keycode to the one inside the car.

------
Zamicol
Why not triangulate the signal?

I don't hear much about the speed of light being used for security, but its
applications are innumerable.

~~~
rovr138
The attack uses 2 antennas. One next to the keys and one next to the car. It
transmits the signal from both sides. The car thinks the key is inside/near.

Triangulating it won’t help. It thinks it’s there.

------
tebbers
Thieves have been using this method in the UK/Europe for a long time now.

------
zzyzxd
Why is this still news? Such relay attack has been there for years.

------
noobermin
Where's the public link to how to hack together one of these?

------
dwighttk
Why are these fobs constantly sending a signal? Just make it so that the
holder of the key has to push a button to open/start and this attack becomes
much more difficult.

------
exabrial
Can someone explain to me how keeping your keyfob in a faraday bag is supposed
to increase security?

~~~
nkurz
From the linked article:

 _Relay thefts_

 _According to Bates, many of these thieves are using a method called "relay
theft."_

 _Key fobs are constantly broadcasting a signal that communicates with a
specific vehicle, he said, and when it comes into a close enough range, the
vehicle will open and start._

 _" The way that the thieves are getting around this is they're essentially
amplifying that low power signal coming off of the push start fob," he said._

 _" They will prey upon the general consensus that most people are leaving
their key fobs close to the front door of their home and the vehicle will be
in the driveway."_

 _The thief will bring a device close to the home 's door, close to where most
keys are sitting, to boost the fob's signal._

 _They leave another device near the vehicle, which receives the signal and
opens the car._

Storing the keyfob in a faraday bag blocks the signal and prevents the relay
attack from working.

~~~
exabrial
Have a link? I'm familiar with rolling code systems, but this continuous
transmission is new to me

~~~
exabrial
I can't find anything on continuous transmission, but it appears most of the
keys use an RFID system, where the transmitter is powering the receiver.

------
intrasight
I'm sure this problem can be solved with blockchains ;)

------
conanthe
It seems like this is easy to do with cryptography. Sounds like a gross
negligence on the car makers part, similar to storing passwords in plain text.

~~~
crooked-v
"Easy to do" how? Please give an example, not an analogy.

~~~
conanthe
The same way as MFA works. Every time the key generates a different token that
can't be reused. This renders replay of signal useless.

