
Radio Attack Lets Hackers Steal Cars with Just $20 Worth of Gear - touristtam
https://www.wired.com/2017/04/just-pair-11-radio-gadgets-can-steal-car/
======
strictnein
For those wondering why this is possible, a lot of new cars unlock if your key
fob is in your pocket and you simply put your hand inside of the handle to
open your door. And then you sit down and press the start button and you're
off. It's really a rather nice feature, although it's also something that
seems silly until you get a vehicle with it.

The range with normal usage is very short though. If I'm on the driver side of
the car, it doesn't work on the passenger door, and vice versa.

~~~
rconti
Yup. Like many new convenience features, it seems so silly until you use it
and then you can't go back. My new Golf has it, and it works so well that the
doors unlock as my hand is entering the door handle cup but before I even have
a chance to pull on the handle. If my passenger needs to open the door without
me unlocking it, I have to stand REALLY close to them. It's pretty impressive
(in normal operation) how perfectly it works as the key-holder but how close
you need to stand for it to work for someone else.

~~~
lisper
I drove a rental car with this "feature" recently and I _hated_ it. I have a
habit of pulling on my door handles to make sure they are locked. Every time I
did it, the car unlocked itself, which rather defeated the purpose. And as far
as I could tell there was no way to disable this behavior, which made it
effectively impossible to verify that the car was locked as long as you had
the key with you.

~~~
JoeAltmaier
Agreed. User interfaces should include very real human impulses. We're all
somewhere on the OCD scale; repeated locking and testing should be accounted
for.

~~~
lisper
For me it's not OCD so much as cognitive decline. I often just can't remember
if I've already locked my car or not, but for some reason I can remember
having tugged on the handle.

~~~
innagadadavida
Many cars only have this on the front two doors. So feed your OCD by pulling
back door handles?

~~~
rconti
Good advice -- I don't know of any cars that have this feature on the rear
doors.

~~~
lisper
My car is a coupe. It doesn't have rear doors.

------
nonamechicken
Not sure if it's the same tech, saw this video yesterday: Relay attack
Solihull:
[https://www.youtube.com/watch?v=8pffcngJJq0](https://www.youtube.com/watch?v=8pffcngJJq0)

~~~
dfcab
Saw that yesterday as well, always a cat and mouse game.

------
downandout
From the article:

_"One hacker holds a device a few feet from the victim's key, while a thief
holds the other near the target car."_

While this isn't awesome, it certainly limits the effectiveness. You would
have to have someone waiting in a parking lot to follow the person, then
another person waiting by their car.

I do have a question though...I assume these things work on challenge/response
schemes. That means that even if the car is started and stolen, it could never
be started again without someone tailing the owner 24/7, which makes this a
neat but nearly useless hack. Am I wrong in assuming this?

~~~
joper90
Yes, if you park your car outside your house on the drive, and the key is in
the house in a bowl by the door (for example) then they can steal the car in
the middle of the night..

This is worse in the UK, as we have much less space, so things are much closer
together (i.e. the car and the keys, where they are left overnight).

~~~
city41
We now keep our keys in this bag[0] to (hopefully) prevent this. With the key
in the bag I'm unable to unlock the car even with it right on the door.

[0]
[https://www.amazon.com/gp/product/B01HETGX00/ref=oh_aui_sear...](https://www.amazon.com/gp/product/B01HETGX00/ref=oh_aui_search_detailpage?ie=UTF8&psc=1)

~~~
toyg
I repurposed an old silver cigarette case.

------
jagger27
Am I missing something or is the fix a little computer in the fob to
cryptographically sign a one-time challenge sent by the car? I mean, RSA isn't
that hard, is it?

Here's how I see it: the car broadcasts a (short duration) challenge message
on short range (10 meters, say), the key fob, once in range, signs the
challenge message, transmits it, the car checks the signature with the fob's
known public key, and Bob's your uncle. If the fob can compute a signature of
the challenge in 500ms, the window doesn't need to be much longer. Sure,
people will likely be able to pull private keys from the fob with some effort,
and duplicate it that way, but that's no worse than today. Reprogramming the
car wouldn't be significantly harder than it is today either.

If we want convenience and security, it seems fine to make the key fob a
little more complicated and beefy.

I feel like this is by no means a new idea and maybe I'm missing something.

 _edit: I was missing something._

~~~
schwap
You are misunderstanding how the attack works (probably because the article
misuses the word 'spoofing' IMO). The messages between the car and the key fob
are the _real_ messages. They are just using a radio to extend the range of
the car/fob communication.

~~~
jagger27
Ah, I feel a bit stupid now. Of course.

~~~
schwap
Like I said, I think the article is a bit confusing by using the term
'spoofing', which to you and me I think implies a 'fake' message.

------
maxerickson
Anybody up to date on distance bounding protocols? Is there a well studied
implementation that is anywhere near practical?

[https://en.wikipedia.org/wiki/Distance-bounding_protocol](https://en.wikipedia.org/wiki/Distance-bounding_protocol)

~~~
tomalpha
It must be possible to implement some kind of simple response time check.

Given that the speed of light is ~1ns per foot then a total response time
greater than (2d + p) where d = max distance in feet, and p = processing time
within the keyfob in nanoseconds would provide a bound.

I suspect however that making the keyfob response time consistent might be the
hardest part of the check, closely followed by an accurate timing facility
within the car.
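To make the two ideas in this thread concrete, here is an added illustration (not code from the Wired article, any automaker, or the commenters): jagger27's challenge/response unlock alongside the round-trip-time bound tomalpha derives from ~1 ns per foot and a limit of 2d + p. It assumes an HMAC over a shared per-vehicle secret in place of the RSA signature mentioned, a fixed and known fob processing time p, and simulated rather than measured timings. The output shows why the cryptographic check alone passes under a relay (the relay forwards the genuine messages) while the timing bound rejects it.

```python
# Added illustration for this thread (not code from the article or any vendor):
# a challenge/response unlock as jagger27 describes, plus the 2d + p round-trip
# bound tomalpha proposes. All timings are simulated numbers, not measurements.
import hashlib
import hmac
import os

NS_PER_FOOT = 1.0  # speed of light ~1 ns per foot, as stated in the thread


class Fob:
    """Key fob that answers any challenge it hears. A relay only forwards
    these genuine messages, so the fob cannot tell that it is being relayed."""

    def __init__(self, secret: bytes, processing_ns: float):
        self.secret = secret
        self.processing_ns = processing_ns  # p in tomalpha's formula

    def respond(self, challenge: bytes) -> bytes:
        # Assumption: HMAC over a shared secret stands in for the RSA
        # signature in the comment, to keep the example short.
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


class Car:
    def __init__(self, secret: bytes, max_distance_ft: float,
                 fob_processing_ns: float, tolerance_ns: float = 0.0):
        self.secret = secret
        self.max_distance_ft = max_distance_ft      # d in tomalpha's formula
        self.fob_processing_ns = fob_processing_ns  # p, assumed fixed and known
        self.tolerance_ns = tolerance_ns            # slack for timing jitter
        self._pending = None

    def new_challenge(self) -> bytes:
        self._pending = os.urandom(16)  # fresh nonce for every attempt
        return self._pending

    def verify(self, challenge: bytes, response: bytes) -> bool:
        """Cryptographic check: correct secret, and the challenge is the one
        currently outstanding (so a recorded answer cannot be replayed)."""
        if self._pending is None or not hmac.compare_digest(challenge, self._pending):
            return False
        self._pending = None  # one use only
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def within_bound(self, rtt_ns: float) -> bool:
        """Timing check: a reply slower than 2d + p came from beyond d feet."""
        limit = 2 * self.max_distance_ft * NS_PER_FOOT + self.fob_processing_ns
        return rtt_ns <= limit + self.tolerance_ns


def build_pair(max_distance_ft: float = 10.0, fob_processing_ns: float = 500.0):
    secret = os.urandom(32)  # constructed: per-vehicle secret paired at manufacture
    return Car(secret, max_distance_ft, fob_processing_ns), Fob(secret, fob_processing_ns)


def unlock_attempt(car: Car, fob: Fob, true_distance_ft: float,
                   relay_delay_ns: float = 0.0) -> dict:
    """Simulate one attempt. true_distance_ft is the real car-to-fob distance;
    relay_delay_ns is extra latency the relay hardware adds (0 means no relay)."""
    challenge = car.new_challenge()
    response = fob.respond(challenge)  # relayed unchanged, so always genuine
    rtt_ns = 2 * true_distance_ft * NS_PER_FOOT + fob.processing_ns + relay_delay_ns
    return {
        "crypto_ok": car.verify(challenge, response),
        "timing_ok": car.within_bound(rtt_ns),
        "rtt_ns": rtt_ns,
    }


if __name__ == "__main__":
    car, fob = build_pair()
    print("owner at 3 ft:      ", unlock_attempt(car, fob, 3))
    print("relayed from 150 ft:", unlock_attempt(car, fob, 150, relay_delay_ns=50))
```

The `tolerance_ns` knob is where tomalpha's caveat bites: every nanosecond of slack the car grants for an inconsistent fob response time is a foot of extra range (half a foot each way) that a relay can exploit, so the practical bound depends on how tightly p can be fixed and how precisely the car can time the exchange.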

~~~
maxerickson
Yeah, the Wikipedia article talks about an implementation that has a
processing time of 1 ns (which gives the distance within your foot). The
questions are whether it is secure against the world or secure against just
the implementers and how much it would cost.

~~~
tjoff
At the same time as being very low-power.

------
ChuckMcM
It is an insidious problem. There were a couple of kids around here that
weren't stealing the cars, they were just breaking into them on driveways at
2AM and rummaging around for spare change and what not.

Almost every countermeasure defeats the convenience factor. One proposal was
to have the key light up and you pressed a button on it to say 'yeah do your
thing' but at that point why not just have the old style push to open fob?

Perhaps something magnetically coupled rather than RF coupled will help keep
it reliably a near field sort of interaction but even that is subject to a
slightly more sophisticated relay device.

~~~
jwr
Fortunately, this problem has an easy solution.

IEEE 802.15.4 UWB (Ultra-Wideband) radios with timestamping functionality
allow measuring the time of flight (well, not directly, but it can be inferred
from an exchange of messages) of your signal. With some added crypto, it isn't
difficult to build a solution which is limited to a specified distance. You
can get as precise as ±20cm.

This means that you can build a system which will not work beyond a certain
distance, because signals will take too long to travel.

I'm surprised this hasn't been picked up by car manufacturers yet. Perhaps
there is too little market pressure.

~~~
londons_explore
The time of flight is not cryptographically secure. Ie. an attacker can trick
it.

There are protocols which are though:

[https://en.wikipedia.org/wiki/Distance-bounding_protocol](https://en.wikipedia.org/wiki/Distance-bounding_protocol)

~~~
xr4ti
Sure. However, I think the objective would be to increase the difficulty and the
level of sophistication required for exploitation rather than complete security.
For instance, a physical lock on your front door can easily be defeated by
someone with the requisite tools and expertise, but that doesn't make them
useless as a security measure.

------
bob_theslob646
The thief starts the car and proceeds to drive away.

Will the car continue to operate once the thief is out of range?

Is the purpose of this just to get access to your car to steal goods?

Or is this just an extreme demonstration to get automakers to tighten
security?

~~~
t1o5
Maybe the car can be driven away for once. The engine immobilizer requires the
keyfob to be present inside the car for it be driven away. If the spoofed fob
can trick the immobilizer, yes it can be driven away for once because the
immobilizer check is not always "on". It's checked before the engine starts.

If it was, I could throw my keyfob out of the window on a highway and the car
would come to a stop.

~~~
fenwick67
Typically with these systems they will continue running until you turn them
off (or stall).

------
toyg
I keep seeing this problem (and likely suffered from early attempts a few
years ago, when my car was effortlessly broken into), but nobody seems to be
talking about solutions. What's the answer? It would be nice if I could ask
about this when I get a new car in a couple of years.

* Is it about making the exchange more computationally complex, so it can't be just replayed? I guess that would require some sort of clock in the key?

* Have 2FA with something like a phone? Like requiring TouchID on the phone to confirm when you press the key.

~~~
moioci
Why don't they put an on-off switch on the fob? Better yet, when the vehicle
locks, send a turn-off signal to the fob. Then you'll have to press a power
button to reactivate it.

~~~
Xylakant
That's running exactly contrary to the feature that's implemented and abused:
The car should unlock when the owner comes within radio distance. So the key
must be on and transmitting - and it's that signal that gets relayed. It's not
a replay attack, basically the signal just gets amplified to trick the car
into believing that the key is close.

~~~
moioci
Right, so when you put the fob in your pocket to leave, you activate it, and
it stays active until you've completed your trip and you lock the car. But
while it's resting on your nightstand or kitchen counter, it's inactive. Or is
there something I'm missing?

------
trisimix
Convenience kills. All you needed was a button on the fob. Oh well.

~~~
agumonkey
So this model lock mechanism is based on distance only? No human action
required?

~~~
joper90
Correct, you just have the key (well a card) in your pocket/wallet and walk up
to the car, which unlocks, you can then get in and press 'start'..

So if you leave your keys in a bowl by the door, they can just extend the
range of the key with a relay/booster.

The car will only stop when you turn it off.

~~~
pessimizer
Juvenile power fantasies are going to kill us all. People want to be magical,
wave their arms and move their hands mysteriously, and affect the world.

Things like this save an infinitesimal amount of time (or sometimes even make
actual usage _more_ difficult), and introduce orders of magnitude more
complexity ripe for exploitation. All so people can feel like they're magical.

~~~
kevin_thibedeau
It is a cost savings move. If you have power locks and a transponder system
anyway, the lock cylinders are effectively redundant (minus security concerns)
and can be eliminated for more profit.

~~~
djrogers
These cars all still have physical lock cylinders for backup, the key is
usually hidden inside the fob.

------
dsfyu404ed
There's probably useful commercial applications for this "attack" for
companies that manage large fleets of vehicles. If you already have some of the
hardware/software infrastructure to manage it (like company cell phones or
tablets) you could toss all the keys in a central office somewhere and never
worry about losing them or making duplicates. $30ish for a box that plugs into
the 12v (or OBD2 if you want to collect that data) and $1 for a usb cable to
connect it to the $100 tablet that you already have mounted in the company
vehicle for doing work things. Obviously the details would need to be fleshed
out and I'm sure someone (like OnStar) already offers similar services but
being able to hack your way into a cheaper equivalent would put downward
pressure on price.

~~~
maxerickson
It's also based on an inexcusable flaw in the key system. Not a good place to
start a business.

------
secabeen
I've always thought that a simple measure that automakers could implement is
to require the keyfob to have moved in the last X seconds to authenticate an
unlock. That prevents the "key is sitting on a table in my house" relay
attack.

------
mmaunder
Tighter timing constraints don't seem like a robust solution. I'm guessing
proximity as an authenticator will become a thing of the past. New keys may
have a button that must be pressed or even a fingerprint scanner.

~~~
craftyguy
> New keys may have a button that must be pressed

My 15 year old car has this feature!

~~~
GoToRO
You are living in the Future!

------
Clubber
I don't know if it's even possible anymore, but a Slim Jim is even cheaper
than that.

For those who don't know what a Slim Jim is (not the snack):

[http://www.autobodydepot.com/AET-SJ2.html?gclid=EAIaIQobChMI...](http://www.autobodydepot.com/AET-SJ2.html?gclid=EAIaIQobChMIsO3zwKfh1wIVXbbACh1RIgraEAQYASABEgIVefD_BwE)

~~~
Zarathust
A slim jim worked because the wires holding the lock were exposed inside the
door. An extremely cheap fix was to wrap those with a metal cylinder.

I was under the impression that this was standard for at least 15 years, but
since we're talking about the automotive industry, some makers may not even be
aware of that yet.

~~~
berbec
Even with cars that have the lock cables wrapped, the window has enough play
to wedge it open and hit the door unlock button. Most locksmiths (sample size:
number of times I've locked myself out of my car) just do that as it has less
damage potential than fishing inside the door.

------
xr4ti
Seems like an easy fix might be to simply kill the engine if the key fob goes
out of range. I can see this being problematic if erroneously triggered on a highway
or something, but it would limit the range the thieves could take the car to
the range of their radio, and require radio proximity to the key for the
duration of their travel.

Maybe this is already a thing?

~~~
redbeard0x0a
This could be incredibly dangerous because now your car decides to stop
working because the battery became too low to keep authenticated. Or if
something happens with interference.

The potential failure scenarios increase by a huge margin if you require the
keyfob to be authenticated with the car the entire time.

------
blacksmith_tb
I am no RF expert, but I would guess that it wouldn't take much shielding
around a fob to keep its signal from being relayed (given the poor range of
the fobs in general, the transmitter in there can't be very powerful). Seems
like potentially an Altoids-style tin would be enough of a Faraday cage?

------
zeep
I wish that it would still be possible to get a "dumb" car... one that would
have almost no electronics (or that you could at least disable all wireless
receivers/transmitters).

We know that computers can't be secured... so it is a little scary to ride in
one.

~~~
redblacktree
You can usually buy a base model vehicle with manual locks and limited
technology. You probably can't avoid the AM/FM radio. :)

------
mikeokner
The new Tesla model 3 uses your smartphone over bluetooth as a key. I suspect
we'll see that become more prevalent, which should provide ways to mitigate
most of these issues by using GPS for location instead of RF strength/timing.

~~~
londons_explore
GPS isn't cryptographically secure, and is easy to spoof[1]. Bluetooth can be
relayed[2]. The two attacks would be easy to do simultaneously from the same
evil box.

[1]: [https://www.newscientist.com/article/2143499-ships-fooled-in...](https://www.newscientist.com/article/2143499-ships-fooled-in-gps-spoofing-attack-suggest-russian-cyberweapon/)

[2]:
[https://link.springer.com/chapter/10.1007/978-3-540-30182-0_...](https://link.springer.com/chapter/10.1007/978-3-540-30182-0_29)

------
nasredin
"Relay" attack in UK. "Thieves" - or is it hackers? - steal a Merc.

[https://m.youtube.com/watch?v=8pffcngJJq0](https://m.youtube.com/watch?v=8pffcngJJq0)

------
drdebug
Did I miss something or does it sound like a problem GPG solved a while back ?

~~~
signet
GPS doesn't work in garages, adds complexity and is also power hungry?

------
bluesign
doesn't simple frequency hopping with the OTP in the fob and the car solve
this problem?

------
timthelion
I know that a button on the keyfob would work, but this attack could also be
prevented with clock syncing, as the re-transmission of the signal will
certainly take time. A simple timed ping (with cryptographically signed
timestamps to prevent replay) would sort this out.

~~~
jimmies
Relying on timings for this type of thing is impractical because you'd have to
sync the time to the nanoseconds and wireless is notorious for being noisy.
It'd make it more expensive too.

The most practical one, I think, is to make it NFC-near instead of BLE-near.
Or, you know, just use a non-contactless one. Or add a button.

~~~
berbec
Or use something that you put in a tumbler-style mechanism that requires
physical contact as well as the RF.

