Thieves boosting signal from key fobs inside homes to steal vehicles (cbc.ca)
I imagine improvements to the key fob could be made that would require a mechanical coupling with the car in order to start it. That would circumvent this attack.

I'm not sure if this is a joke about old keys being better, but I'd argue you could have the benefits of new keys and old keys combined if you just made it so that new keys have to be inserted into some compartment inside of cars, where they are authenticated by those cars. You can imagine a fob with a USB that has a different authentication code than the wireless one it sends out, and unless the USB is plugged into the car, you can only start the car up but you can't drive it.

In addition, you can make it so that the car doesn't unlock due to proximity with the fob, but rather, it only unlocks if you push the unlock button on the fob.

Does this not sound exactly like what I had back in the 90s where my physical key would need to be inserted to start the vehicle and to unlock I'd press the keyfob to activate the unlocking.

I imagine a smartphone with touch sensor + car remote app would be even safer than what we have now.

The difference is that you can start up your engine (read: have AC on so that your car is the right temperature when you get to it) and also unlock the doors for others from far away.

If that functionality was encapsulated on a smart phone, that would be fine too.

My 2007 vehicle does this just fine. And any signal from the fob requires a press of the button. These key fobs use rolling codes as well. So you would need to capture a button press while the remote is too far away from the car to receive it. Then replay it to the vehicle. Of course you still need the key to unlock the steering wheel, and if you touch the brake without inserting the key, the ignition cuts off.

I'm not sure why we are going backwards in the security department here. Seems like a lot to give up just to not have to stick the key in or press the unlock button.

Or jam the signal with pseudo-random-noise. Afterwards you can remove the noise again and have the clear signal.

> I'm not sure why we are going backwards in the security department here.

Consumer products nearly always go for features that have whizz-bang "it's so convenient" demo value, until a problem like this becomes prevalent enough to end up on everyone's nightly news.

But then my mom would have to dump out her purse every time she wanted to unlock her car.

My mom used to be the same! It would take her 10 minutes to find her fob! But, there are typically ways around this. For example, now my mom has her keyfob in a small pouch of her purse, and she always knows where it is.

How does she unlock her front door?

I imagine a lot of people don't use a key to get in their house, nor do they use the front door. Hit the button on the garage door remote, drive in, walk into house.

When I was in the states we were discussing this with a friend. He idly noted that after a valet gets into your car he can just select "drive home" in the GPS, open the garage with the integrated garage door opener, and just walk into the house.

He then added "It's good that I always lock the door in the garage too".

I also lock that door in case a second garage door is left unlocked. Then again, I lock doors during the day when I'm home out of habit. Did this before a recent break-in attempt, so hardly discouraged by that.

If I ever have a break-in I imagine it will immediately change my habits. Knock-on-wood, has never happened to me yet.

I do have auto-closers on the garage doors, however, because my kids do have a habit of leaving them open otherwise. Of course, they also keep leaving the man-doors unlocked all day as well.

I got a notice in the mail from our county's assessor because they left three door tags at my house. I almost never open the front door. I go in and out of the garage, and let my cat out the back.

My late grandpa would wear his on his belt. Classy.

> How does she unlock her front door?

For many people, there's no need to unlock the front door because it's never locked. Having to lock your door just means you're living in a terrible neighborhood.

Not sure about the US, but in the UK where I have more experience having my stuff stolen, if you rob a house and the door is locked it is a far more serious crime than if the door is unlocked. Big reason people made sure to lock their doors in my neighbourhood growing up since 90% of the yobs would just check if doors were locked, not actually dare to break in.

> in the UK where I have more experience having my stuff stolen, if you rob a house and the door is locked it is a far more serious crime than if the door is unlocked.

This doesn't make much sense from first principles. I assume everyone agrees that theft is equally unwelcome regardless of whether the door was locked. But the additional damages from breaking into a locked home are pretty minor compared to the damages of the theft. Why would there be a large difference in punishment?

Stealing a bike out of your front garden is nowhere near as much of a violation as entering your house (castle) and taking it.

So what? The claim is that it's a "far more serious crime" to enter your house and take the bicycle mounted on the wall, when the door was locked, than to enter your house and take the bicycle mounted on the wall, when the door was unlocked.

The bigger issue is insurance. If you have stuff stolen and there's no sign of forced entry (home or vehicle) then your insurance company will likely be asking questions about how exactly the thieves gained access.

I think there is no difference in the US. Either way it's "breaking and entering" if you so much as open the door, if my law school memory serves.

Even if you live in a "good" neighborhood you could still be burgled by someone casing the neighborhood/home. Do people really not lock their houses when they leave? My parents always taught us to lock the house on the way out, even when we lived out in the country.

Our family practice is to lock the house when going on vacation, but not if we're just going out normally for the day.

I often don't lock my house. But when I'm not there, there's a dog on the front porch who doesn't like strangers.

I don't get the downvotes for this. A dog who doesn't like strangers is a pretty traditional security system, and is much, much more secure than a locked door.

It really really isn't. That stranger can become an instant friend with some food. There was a show once where an ex-burglar would break into people's homes to show how easy it was. People would say, "there's no way he's getting past my dog!" and the guy would just open up the fridge and throw all the meat on the floor. End of problem.

That is evidence that it's easy to get past an untrained dog. It's not evidence that it's easier to get past an untrained dog than a locked door.

Very wrong. Criminals travel. Leaving your front door unlocked is madness, just waiting to see who will come.

Statistically, you are by far the most dangerous person in your life. You are far more likely to hurt yourself than a stranger is. Should some ne'er-do-well enter your unlocked door, remind them of this and start giggling. 'We were just waiting to see who will come!', works too though.

> Having to lock your door just means you're living in a terrible neighborhood.

Interesting. Is that an American thing? I do recall that most of my American friends don't lock their doors, whereas I can only think of a handful of people not locking their doors in Europe - and those live in remote outposts, where people are scarce and deer are unlikely to use the door handle.

Growing up, we did not even have a key for our house. Lots of places around the US, there is no need for keys. It is really hard for some people to grasp the idea based on how and where they grew up. My wife grew up in a gang riddled area and will not abide unlocked doors if we are out and about.

My parents never locked the doors growing up, but I still lock the door of my own house. My parents never gave me a key when I was a kid, so it was probably left unlocked so I could always get back in. I'm not sure why they didn't just make sure we all had a key so they could keep it locked. That's what my roommates and I do at our place now and it works fine.

My childhood home’s door didn’t have a lock either. The loan sharks put superglue in the keyholes.

Because of that, we had an additional safety feature, you couldn’t open the door from outside!

She doesn't have her keys on her fob. Heck, last time I took her to get her oil changed, the key fob still had the little plastic removable key tag from the dealer she bought it from.

We use the garage or a key code lock.

Smart door lock?

safety pin near the top + carabiner = instant easy access keys

Lots of purses have clips near the top for this very purpose too.


Sounds like she needs a better purse.

Yes, I was making a joke, but I was also semi-serious. I personally wouldn't mind that the car unlocks based on the fob's proximity, but requires insertion of the key for ignition. I currently drive a 2009 car with the usual key fob and my biggest issue with it is not having to insert it to start the car, but unlocking the doors while my hands are full. Once I'm seated in the driver's seat I'm not carrying anything and starting the car is no problem.

My problem with modern cars is that there’s no good place to put the keys. They’re uncomfy in my pocket when sitting down and I’m too warm for a jacket with pockets.

The old ignition hole was the perfect solution. You had a dedicated spot for your keys, you always knew where they are, were unlikely to forget them in the car, and it also happened to start your engine. Perfect

I thought that's what the cup holder is for. Of course, this doesn't solve the forgetting the keys problem.

In the movies they always leave a key behind the visor.

I use a carabiner and a belt loop. I think a bracelet would be a pretty great form factor for a key fob.

> unlocks based on the fob's proximity

Unfortunately, that would be vulnerable to thieves unlocking your car and taking everything in it. For me, the biggest convenience of fobs is the ability to start the car and have AC on so that the car isn't burning/freezing when I get to it.

And this is probably a more common scenario than stealing the car.

I never like to have the car running when I'm not in it. If it's low on oil, or overheating, etc there's nobody watching the gauges.

Do you have an old car or are you a pilot?

If they're stealing your car like in this article, then that's already happening anyway. At least if it was unlock only and not ignition as well then you'd at least still have your car.

Then the thief could hide in the back, and rob you while you were driving down the interstate (i.e. he could hold a knife to your throat and force you to drive to a location that was hidden from public view). I don't know how realistic this is, but it is far more dire.

Which the thieves in the article could have done anyway.

If the objective is to steal your car, the thief is going to use the least risky way that he can come up with. If you take away his ability to do it without having you start the engine yourself, this is what he's left with.

Toyota Prius does that. (Or at least the 2007 version did) You have the key fob (with emergency key inside). You have to insert the whole fob into a port on the dashboard for it to start.

Not required for the optional smart key system.

That's essentially how my car works right now, it's push to start, but you've got to have the fob slotted into a thing in the dash for the push to start button to actually work.

What vehicle do you have?

Mine too! But only because the battery on my fob died and I am too poor now to replace it. Frankly I kinda like it that way, it makes me more conscious of the damn fob (I used to just drop it anywhere in the car). I have a Tucson 2011 FWIW.

The battery is like $1 on eBay

It’s a 2032. Just snag one from an ewaste computer motherboard. Dollar stores usually have 3 for $1.

A 9 year old BMW without the comfort access package.

My BMW did not come with such a fob slot but still required you to dig the key out to press the (un)lock buttons. Weird transition.

But that's the perfect fob! I keep it in my pocket and it has enough of a distinct shape I can press the buttons from the outside of the pocket. So I lock/unlock and open the trunk with no effort and yet am immune to this attack because a button press is always required. People I've driven were mystified how I was operating things because it's become so second nature you can hardly tell.

BMW late 2000s were like this. Maybe still are.

I have a 2007 BMW. It does have a slot to insert the fob. But it is not required to start or run the car. The slot acts as a charger and holder for the fob. But proximity is all that is actually needed.

Sounds like you've got the comfort access package on your car. Without that tech package (sadly not offered on my make and model year) you've got to actually put the fob into the slot to make the push to start work.

I had a 2011 3-series that required the fob to go into the slot to power or start the car.

My wife's 2014 Mini works this way as well.

I'm not sure why we can't have some sort of challenge response protocol to prevent MITM...

The key fob does use challenge-response, the thief just uses a glorified range-extender to get the car started with the key normally out of range. The car stays on once started. There's no MITM involved.

Huh? The diagram in the article shows two men ("Thief 1", "Thief 2") between the fob and the car, with arrows showing communications going from fob to thief to car. According to the first sentence of the Wikipedia MITM article, that's the very definition.

The relay is of the radio signal, there is no inspection or tampering of the relayed messages. Basically, the extender tricks the car into thinking the fob is closer than it is.

In other words, there's identification, there's authentication, but authorization is replaced by "if in range, then authorized." Two out of three is still game over.

That's exactly what I'm wondering.

Maybe it has something to do with the additional battery consumption that doing this incurs, probably something like double/triple consumption, with the hashing.

All the thief does is amplify. Good luck!

Challenge response prevents replay attacks, not real time MITM.

This is not even MITM, the thief just blindly proxies traffic.

Key fobs inside a home have one property:

They are laying on a desk or in a drawer and are not being touched/moved for extended periods.

Maybe a simple mems step counter could help activate them for a short period of n seconds/minutes.

Lock receives signal from Key, writes down time and picks a random key and uses these to create a ciphertext, encrypts that with the public key of Key to create a second ciphertext and sends. Key receives message, decrypts with private key to first ciphertext and encrypts that with the public key of Lock and sends back. Lock decrypts message with private key and earlier random key, compares to current time and if it has taken more than a set time period does not unlock.

The clock has to be pretty fast, but you can get a secure time of flight measurement, so you can absolutely know the distance of the radio signal path.

This is basically the solution. Light travels about 1 foot in one nanosecond, so the car needs to reject latent replies.

I did research in this area a few years ago. Here's a research paper [1] from 1993 that goes into more detail about this type of "distance bounding" solution (i.e. authenticating received signal only if 1) it is received within a few nanoseconds AND 2) the decrypted received signal contains the previously sent random number) in order to defend against "relay attacks". The paper discloses many variations to this general solution as well.

[1] Brands and Chaum, "Distance-Bounding Protocols"
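The distance-bounding idea above (accept a correct answer only if it also arrives fast enough), as an added simulation that is not part of the thread or of the Brands-Chaum paper; it also runs the same relay against plain challenge-response to show why that alone does not stop it, as noted earlier in the thread. The shared key, distances, relay latency and the constant fob processing time are all assumptions, and the rapid bit exchange of the real protocol is collapsed into one nonce/HMAC round trip.

```python
"""Simulated distance-bounding check for a car/fob handshake.

Constructed example: the shared key, distances and relay latency are made up,
and the Brands-Chaum rapid bit exchange is simplified to a single nonce/HMAC
round trip with an assumed constant fob processing time.
"""
import hashlib
import hmac
import secrets

# Radio propagates at roughly 0.3 m (about one foot) per nanosecond.
SPEED_OF_LIGHT_M_PER_NS = 0.2998
# Time the fob needs to compute its answer (assumed constant and known to the car).
FOB_PROCESSING_NS = 5.0


class Fob:
    """Prover: answers a challenge with an HMAC over the nonce using the shared key."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class RadioPath:
    """Channel model: propagation delay for the distance, plus any delay a relay
    inserts while re-transmitting (a relay forwards the bits untouched, so it
    cannot beat the speed of light and in practice adds latency of its own)."""

    def __init__(self, distance_m: float, relay_ns: float = 0.0):
        self.distance_m = distance_m
        self.relay_ns = relay_ns

    def one_way_ns(self) -> float:
        return self.distance_m / SPEED_OF_LIGHT_M_PER_NS + self.relay_ns


class Car:
    """Verifier: checks the response AND how long it took to come back."""

    def __init__(self, key: bytes, max_distance_m: float = 2.0):
        self._key = key
        self.max_distance_m = max_distance_m

    def rtt_bound_ns(self) -> float:
        # Longest round trip a fob within max_distance_m could legitimately need.
        return 2 * self.max_distance_m / SPEED_OF_LIGHT_M_PER_NS + FOB_PROCESSING_NS

    def handshake(self, responder, path: RadioPath, check_timing: bool = True):
        """Run one challenge. `responder` is whatever answers on the far end:
        the real fob, or a relay forwarding the nonce to a distant fob."""
        nonce = secrets.token_bytes(16)
        sent_at = 0.0                                   # simulated clock, ns
        response = responder(nonce)
        received_at = sent_at + 2 * path.one_way_ns() + FOB_PROCESSING_NS
        rtt_ns = received_at - sent_at
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return ("rejected", "response does not match challenge", rtt_ns)
        if check_timing and rtt_ns > self.rtt_bound_ns():
            return ("rejected", "response arrived too late", rtt_ns)
        return ("accepted", "ok", rtt_ns)


def run_scenarios() -> dict:
    key = secrets.token_bytes(32)                       # constructed shared secret
    fob, car = Fob(key), Car(key)

    # Owner standing at the door: fob 1.5 m away, no relay.
    near = RadioPath(distance_m=1.5)
    # Fob on the hall table 20 m away; relay boxes add 100 ns in each direction.
    relayed = RadioPath(distance_m=20.0, relay_ns=100.0)
    # Recorded answer to an earlier challenge, replayed against a fresh nonce.
    stale = fob.respond(secrets.token_bytes(16))

    return {
        # Legitimate use: valid HMAC, round trip inside the bound.
        "legitimate": car.handshake(fob.respond, near),
        # Plain challenge-response: the relay forwards the nonce untouched, the
        # fob answers correctly, and without timing the car cannot tell.
        "relay_no_timing": car.handshake(fob.respond, relayed, check_timing=False),
        # Distance bounding: same valid answer, but it arrives far too late.
        "relay_with_timing": car.handshake(fob.respond, relayed),
        # Replay: challenge-response alone already defeats this one.
        "replay": car.handshake(lambda nonce: stale, near),
    }


if __name__ == "__main__":
    for name, (verdict, reason, rtt) in run_scenarios().items():
        print(f"{name:18s} {verdict:8s} rtt={rtt:7.1f} ns  ({reason})")
```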


I realised after writing it that you don't actually need to send the time itself, but it was my first 5 minute stab. Plus it is sort of fun to have the time flying about.

edit - thanks for the link, having a read through.

A simple on/off button on the fob would work, and probably extend the battery life by a few years.

A timeout that goes into idle mode until it detects some movement would be less hassle.

It still leaves a small window of opportunity for abuse, but seems like a decent middle ground.

Yes, a MEMS accelerometer would be a very cheap mitigation.

Assuming you could do that without killing the battery, then it wouldn't provide a benefit for people like me who keep their keys in their pocket.

My personal solution is to not drive often, and when I do it's a 1996 Subaru. ;)

I think it would pretty easily differentiate between "keys in your pocket" and "keys sitting on bedside table for several hours".

Apparently so: https://spectrum.ieee.org/view-from-the-valley/transportatio...

But, he may be saying he's vulnerable for long periods because the idle timer won't kick in for him.

Exactly - if I'm in bed for an optimistic 8 hours, then we're talking about a security feature that works for a third of the day. As for that time being at night when people are more likely to steal: https://www.nytimes.com/video/opinion/100000001423494/bike-t...

I'd much rather have a solution that precludes relaying; maybe something that involves a precise turnaround time in the radio signal between the car and key, and so the key physically can't work beyond some relatively short range.

Ah, yes, let's put the burden back on the user after we promised them something easier.

We should just go back to traditional keys if this is the case.

Please yes. Traditional keys fit on my keyring, can survive the clothes washer, don't unlock doors by accident, can open a car with a dead battery, don't have their own battery issues, and can be brought into restricted work environments where radio transmitters are banned.

I want key holes in all doors. I want to insert a key to start the car.

About half of those problems don't really exist, in my opinion. I've washed the keyfob (it is waterproof), it has a built in key if the car battery is ever dead, I've never actually had to replace a fob battery. Personally I don't carry any keys so having a small round-ish object in my pocket that doesn't stab me in the leg when I sit down is a preferable situation.

Maybe I've just met an abnormal amount of lucky people, but in my role as one of the more mechanically inclined among my friends and family, I've seen three people completely locked out of their cars when under-door or other concealed keyholes have needed to be used.

I'm not sure if it's been from rust, lack of use + time, or ice, but unused or backup keyholes on vehicles seem to fail far more often than those used for normal entry.

That is a good point. I've never had to test the theory that my backup key would work in a pinch. Come to think of it, I don't actually recall anybody in my circle of friends and family having any issues either. Cars sure have become reliable in the past 30 years. I also live somewhere relatively mild where we don't put salt (for the most part) on the roads in the winter so corrosion is less common.

Counterpoint: much that is touted as waterproof tends to have smallprint saying "applicable in dry water only" (yup, had major warranty hassles on supposedly IP68-certified equipment, how could you tell?), and had to replace car fob batteries (unrelated incident; also needed to resync the token generator in the fobs, who knew there even was one?).

"I'm lucky" is not quite the same as "that's a nonexistent problem".

Most vehicles have hidden physical keyslots somewhere, often under the plastic cover of the door handle, but usually not all door handles.

Source: worked for a valet company

My fancy wireless fob/key has a 'hardware' fallback which I absolutely adore. If you click a very well hidden button, the fob separates exposing a plain old metal old-timey key ready to be used.

OTOH keys can be cloned from a photo nowadays, so I gather.

My local Lowes store offers key duplication via digital image as a service. You do need to insert the physical key but the machine creates a digital image for cutting the duplicate.


> A simple on/off button on the fob would work, and probably extend the battery life by a few years.

As well as taking away much of the convenience advantage that passive fobs have over active-only fobs (most fobs already can be actively used, as well as passively.)

This comment made me happy.

Or putting the key fob in a metal container.

My Tesla requires a pin to drive like a phone

That was rolled out in a recent update, right?

I think the over-the-air updates is one of the big advantages that Tesla has right now. They can respond quickly to critical vulnerabilities like that.

I wonder how fast other car manufacturers are going to catch up? Volvo recently announced that they are working on an Android based system, but it's not going to be rolled out before 2020.

Yes, it was rolled out in a recent update - mainly in response to security researchers discovering they were using weak 40-bit crypto that had been broken back in 2005 that meant an attacker could just outright clone their fobs. They couldn't fix that in a software update so they stuck a PIN on as a patch.

Have there been any cases where a Tesla was under repossession and as such the delinquent owner was simply locked out of the car?

Or maybe where the Tesla auto drives itself to the nearest repo-man?

I dread the day when cars update overnight. Drivers become testers, and anyone participating in traffic (aka everyone) has to fear a minor point release introduces a bug that might kill them.

I kind of think OTA updates are a double-edged sword. It could also introduce partially tested software, or malicious code.

How do you get it to not drive like a phone?

Or just requiring the key to be inside the car. It would only need more antennas.

A simple button on the fob (rather than in the car) that you must press to open the doors and to start the engine would mitigate the attack. No need for coupling.

> A simple button on the fob (rather than in the car) that you must press to open the doors and to start the engine would mitigate the attack.

Yes, reverting from passive-supported to active-only remote entry/start would eliminate the attack by eliminating the feature on which it is based. OTOH, the handsfree nature of passive remote entry is a major selling point.

Selling point for some. For others, either a "do not buy" point or "crammed down your throat" point.

There is a general trend that car electronics is increasingly acquiring behavioral features that annoy me, that cannot be disabled. This is all across the board; if you don't like it, you have fewer and fewer options: pretty soon, you will have to drive a used old beater if you don't like what new cars are doing.

As long as they’re not susceptible to replay attacks.

If they are, just do a stakeout and then replay it later in the day to gain access.

A challenge-response notification would not be susceptible to a replay attack.

Mount the receiver to a drone and park it on the roof of a garage you want. Even hop around the neighborhood and capture - a whole new level of war-driving.

Fly the drone into gated estates, or better yet a country club drive-up near the valet and record many high-value signals.

That defeats the purpose of the fob. Be easier to put an on/off switch on the fob so you can turn it off at night.

I think he was making a joke about regular car keys

you mean a key?

(that's the joke)

This happened to a family member of mine, here in Toronto. Lost their gorgeous M5.

Their kid normally wakes up in the middle of the night, except this time, he freaked right out like he was scared. They were wondering what was going on with him, when one of the parents heard the M5 turn on (it's pretty distinct). "That's my car!" His wife said, "Naw, you're crazy, no way."

Sure enough, key fob attack and theft. Caught on their video cameras. Filed the police report, claimed insurance, cried internally about the loss of a gorgeous vehicle. In all seriousness though, it's just a car, so no big deal, but nothing will fix the violation you feel, and the fact that you were being targeted.

If I were the insurance companies, I'd be putting pressure on the car companies, but hey, maybe it's just the cost of doing business for them. Better to pay out for a vehicle theft, vs. actual injuries from a collision. That's probably why there's little incentive to fix it, especially if fixing it makes your product less convenient.

> If I were the insurance companies, I'd be putting pressure on the car companies

And also give car owners an incentive to keep their keys safer, given how many vehicles out there are vulnerable to this. Just fixing this for new cars is only half the solution.

I remember back in the 80s my parents got a discount on their insurance for installing a third brake light in the back window of their old Camaro. If my insurance gave me a discount, I'd get a faraday cage for my keys. I'm considering doing it anyway, even though my house is pretty far from my driveway, and we have cameras.

I've searched for nice-looking faraday cages but haven't found anything good. I think there's a market for fashionable key/phone faraday cages, between this car theft issue and the push to digital detox.

EDIT: curious why this is downvoted? I'm not saying that this shouldn't be fixed by car manufacturers going forward, but we need to do something about the millions of cars on the road already. Is there another solution that would make more sense? Or is there something I'm missing here?

It's unclear how the insurance company would verify you're using the faraday cage. Presumably you're not willing to accept responsibility for the loss.

Sure, this wouldn't mean I'm responsible for any theft of my vehicle, just that it would reduce the likelihood that it would happen — benefiting both the insurer and insured.

The companies could even give away nice-looking faraday boxes that cost them next to nothing to make, and which would probably have decent adoption among people who have requested them. That would cut the hard costs to be very low, and give them a branding/perception benefit.

Imagine seeing "Mercury Insurance is giving away a Fob Box to any customer who wants one." It wouldn't make me switch to Mercury, but it would make me think more highly of them. And if I were just out of college and choosing my first insurance company, I'd undoubtedly choose them.

Given the spate of thefts and the likelihood that it continues, a promo like this could resonate for a long time and get mentioned in lots of news stories.

Use a cookie tin. Holiday ones are often decorated nicely.

> And also give car owners an incentive to keep their keys safer, given how many vehicles out there are vulnerable to this. Just fixing this for new cars is only half the solution.

Why is it always up to us to deal with the consequences of all this poorly thought out new crap?

It sort of reminds me of the way they want us to believe that "identity theft" should be our problem to clean up, when it's really caused by banks' poor security practices.

Could simply putting the thing in a foil/metal lined drawer in your entryway do the trick?

I do exactly this. I lined a cookie tin with foil, and tested it by holding the closed box (with the keys inside) next to the car. It didn’t unlock. Then I opened the box, and it did unlock. The box has to be closed (lid fully on, no gaps) or the car will still unlock.

Of course this only foils overnight theft. I imagine it would be trivial for someone to follow me from a car park to a public location and sit next to me to get the key signal from my pocket.

I would imagine the signal emitted from the fob is time sensitive. The codes should be invalid within a few seconds. If not, shame on them for such a terrible step backwards in security.

Does an unlined cookie tin not work? Does having the lid mostly closed (but with some small gaps) at least cut the effective range?

I’m wondering if a tin facing away from the door may be sufficient since the signal will be reflecting in the wrong direction.

Then just a metallized flap for extra protection.

Leakage is fine. As long as it’s in the right direction.

I didn’t test rigorously but an unlined tin did not block the signal when the tin was right next to the car. Maybe it still reduces the range.

I've watched some DIY videos and am considering doing just this. I'm not sure how tight a seal you need though (one video said you want overlap from lid to sides/bottom), and the drawers we have there aren't super tight. Maybe we'd make an enclosure within the drawer and be able to line that sufficiently?

If anyone knows how much leakage there would be for fobs/phones, and whether it makes a difference for this application (where the sniffer/attacker would be 10+ feet away), I'd love to know it!

Would be easy to test what is needed. Wrap up your keys and take them to the vehicle.

I just completely wrapped my remote with one layer of aluminum foil and that was enough. A small gap on the side was enough for the car to detect it.

What's strange is, I can see unlocking the car and even starting it with this attack -- but do the cars not continually (or at least every minute or two) revalidate the presence of the key?

Once they got very far away from the house, the car should shut off. Or so I would think.

> but do the cars not continually (or at least every minute or two) revalidate the presence of the key?

Mine will beep for a bit if I leave the car with the key. But the vehicle also works when the fob's battery is depleted (it has an RFID tag and an embedded physical key for the door). Having the car randomly shut off based on something so potentially flakey seems like a worse idea.

> Once they got very far away from the house, the car should shut off. Or so I would think.

In the event that the actual owner of the car left their fob at their previous stop and discovers this fact 40 miles down the highway later, if the car were to stop, the driver is now stranded with a car that won't start. As it is now, as long as there is enough gas in the tank, the owner can just drive back and get it.

That's why the car should stop after less than a mile, or even not go into drive at all, rather than driving 40 miles. In your scenario, how will the driver discover that the key is missing without turning the car off and then finding herself unable to turn it back on?

So if you accidentally drop your keys while entering, or your passenger departs with your key, the car should lock itself 2 minutes later while you are driving?

Yeah, sounds reasonable to me. Either of those situations should already be solved. My car at least yells if the key goes away when the car is on and if you’re dumb enough to keep driving and that’s kinda on you.

No, it is not reasonable for the car to stop suddenly without the key. Even if it stops by going into an emergency limp mode, this could seriously endanger the occupants by leaving them in a dangerous traffic situation, a dangerous location, or with other issues.

This is why every car company has examined it and chosen to not do it.

This feature actually saved huge inconvenience for us once. While visiting the other coast for wife's mom in the hospital, we used one of her parent's cars to drive to the airport with her brother to drive it back. We get out at the airport, get luggage, hugs, bye, head into terminal -- with the key still in her purse. Car running, doesn't notify him until too late to chase. If it stopped after 2min, he'd be stuck somewhere outside an airport 100mi away from anyone he knew. Instead, he just drove it home, got & used the other key for a few days, and we mailed back the first key when we arrived.

Things that seem reasonable at first....

Well, it means that a simple presence of a key in the vicinity of a car isn’t enough to answer the question of “will this key be present there” by the end of the journey.

It means the key has to be inserted somewhere. That makes it both safe and predictable.

As someone who turns their car on by inserting their key into a slot in it, all this seems quite convoluted just for the convenience of pushing a button. I don't understand why the car would even let you accelerate at all if the key isn't inside the actual car (even if it's just in your pocket, if you insist on pressing a button).

The key has to be in it to start it, but once started, the key can go away and it will continue to run.

(& yes, I still start my car with a key that is inserted, and mine also has a clutch & manual H-pattern 5-speed)

Sorry, perhaps I should've put my comment higher up. I was referring to the general problem of the article, which I understood to be enabled (among other things) by the possibility of unlocking, turning on, and driving a car without the car having a means of verifying the key is inside/very close to the car.

I got myself in a bad situation where I set my key fob on the top of my car after a run, changed, jumped into the car, and got onto the highway before realizing my mistake. The fob fell onto the road and was run over and destroyed before I could get to it. Thankfully I left my car running during this time and was still able to get home.

The way it works is reasonable. Maybe tighten up the proximity. But honestly, I miss my classic keys.

Or drop to 5MPH and flash the lights and horn.

In the article, the first car mentioned the car was found in a parking lot, contents emptied. If they wanted to take it to a chop shop, easy enough to take it far enough to put on a flatbed.

Maybe they came across a better car?

That seems pretty dangerous. Why not just have the car beep at you?

> Better to pay out for a vehicle theft, vs. actual injuries from a collision.

What do you mean? It's not as if anyone will be driving less... the insurance company will pay for a new car, the family will buy a new car (presumably they need it), and still be just as statistically likely to collide with the new car.

Insurance companies have more of an incentive to make cars safer because of the larger liabilities of injury.

That's no problem for the insurance company. Everybody has to pay a bit more, problem solved.

Sure, if a car theft for one car spread the cost to _all_ insurance companies, but it doesn't. So to stay competitive, companies have to 1) insure good drivers so the rates stay low and 2) invest in customers who have good car security (note the discount one gets for having their car garaged).

> If I were the insurance companies, I'd be putting pressure on the car companies

Oh please, this is Ontario. The auto insurance companies' main innovations have been:

1) getting caps on benefits

2) creating new driving violations to jack up your premiums (eg: non-criminally blowing over 0.05, but less than 0.08)

Neither resulted in lower premiums for anyone else.

Sounds like a great opportunity to increase the theft premiums for people owning fobbed cars.

Insurance companies pressure drivers who have these misfeatures, drivers pressure car manufactures. See also: discounts for anti-theft tech and airbags.

The latest insurance "incentive" is a tracking device in your car that tracks when and where you drive, how fast, how hard you corner and stop, etc.

I've declined this but expect that insurers will push for it to become mandatory. They would love to be able to charge unsafe drivers more money, and in the abstract I don't have a problem with that, but the tracking is creepy.

No no no, they would love to charge everyone more until they prove to be safe drivers — ready to withdraw the discount at the first doubt.

This is why I am not going to get one, nor a “smart” water or electricity meter: give more data to corporations, and you can be sure that they will use it against you.

Or to put a combative point on it: "How much money do I get when you abuse this data for any purpose other than your exclusive safety metrics?"

This is an idea that I do not see getting enough attention. “Big Data” has a lot of possible benefits but only if companies collect limited and relevant data. I’m comfortable telling my insurance company where and how I drive as long as they cannot share that or combine it with any other data.

Wait until your insurance suspends their coverage for 24 hours because the road conditions aren’t meeting their requirements, or you didn’t evacuate quickly enough, or there’s a forest fire nearby.

I think in California it's illegal for insurance to put in a black box that measures anything other than total # of miles driven.

Does the mileage number have to be accurate in terms of wheel rotations? Can a hard braking event add miles? Is miles just an abstract representation of risk?


Free cars?

What's the yield on the secondary markets for these hot vehicles since the VIN is compromised, a new license plate is needed and a thorough scrubbing has to happen?

In some countries, they’re worth more than American MSRP.

Some luxury sellers are actively making it difficult to buy for export to arbitrage this.

Get it to a chop shop for parts and/or get it out of the country and I can imagine it's pretty high.

Insurance companies will just raise rates and be done with it.

What are the thieves doing with these cars?

Selling parts. Usually chop shops, then to shady body shops and mechanics. With exotics, many are exported to less principled markets, with minimal VIN mitigation needed. Notice how the top stolen cars on every annual list are always ones with popular body styles (Accord, etc), it is no accident. The parts are often worth more than the car, and can be sold at full market value, unlike a stolen car.

Nothing new, has been going on for a while now. Market is already providing your own "cage of Faraday[0]" for your fob. [0]https://www.amazon.com/faraday-cage-key-fob/s?page=1&rh=i%3A...

I use these Faraday cage pouches for my new car keys (I got the two-pack listed "Amazon choice" in the above link) and they are excellent. As far as I can tell anyhow - my car hasn't been stolen (yet!) and if I keep the key in its pouch I can neither open the doors nor start the engine even if I'm right next to the vehicle.

An added bonus, it also makes the keys much more comfortable to have in a pocket, holds them in a fairly flat orientation - and stops them from scratching a phone!

I've had these. They worked for a while. But then I guess the metalized fabric wore through or something, because after a while they no longer kept the car from starting.

The smallest ones I could find would actually hold two fobs, but when filled were large and uncomfortable enough in my pocket that I preferred to just keep the fobs naked.

I still haven't found a good solution that actually works for keeping passive fobs secure while they are actually in my pocket.

Since most car manufacturers seem to be vulnerable (to my knowledge), I assume all or most buy the same COTS keyfob + electronic lock product. Much like Takata airbags or Bosch ECUs.

Being a step away from the problem probably helps keep that OEM manufacturer from strapping in and solving it. They don't feel any pain from it.

The vulnerability is pretty much inherent to the idea. No amount of encryption can protect you from a relay attack. The only foolproof mitigation is to enforce a short round trip time to ensure the fob is actually close to the car, but with the short distances involved that means the fob has to generate and transmit a response within a few nanoseconds.

As long as the fob's own delay is very consistent, I don't see why you couldn't time the signal.

Edit: there's a discussion down the page somewhere. The issue seems to be that (for power reasons) they use low-freq radio, on which it's hard to get timing accurate enough for 10m distance changes.

"but with the short distances involved that means the fob has to generate and transmit a response within a few nanoseconds."

And the challenge-response pair must be different for every transaction, otherwise the thief can easily grab an SDR with tx capabilities, get to the car and ask for a transmission, record the spectrum, then go near the car owner's door, transmit the car challenge and record the key fob response, go back to the car, wait for another challenge transmission and time the response accordingly. There's not even a need for a second thief.

I disagree. A physical switch on the key itself which opened a circuit to the decryption key would mean the key would need to physically be in the possession of the driver.

“The idea” here refers to having the key operate automatically without having to manipulate it. If you require the driver to push a button on the key, the problem is trivially solved.

This eliminates all of the convenience of keyless entry/start.

I suspect many people will happily give up such a convenience if it means they won't have their cars stolen so easily.

You suspect that the average person is going to give up a convenience that benefits them multiple times daily to ever so slightly mitigate the risk of an incredibly rare problem? I do not agree.

Isn't "keyless entry" basically same concept as "not locking a door"? You can trivially implement it on every vehicle without using any electronics at all.

Uh, no? When you touch a door handle when the car is locked, the car will try to detect a keyfob near the door and then unlock itself when the keyfob is detected. The car won't unlock if a keyfob is not detected.

And what problem does keyless entry/start aim to solve?

It is a convenience feature -- you don't have to fish your keys out of your pocket/handbag and press a button to unlock your car doors or to start the car. So long as you have the key somewhere on you (bag/handbag/pocket), you can unlock and start the car.

Is getting your keys out of your bag or pocket really that hard? In comparison to the security risks?

To think of it another way: before keyless entry was a thing - how many people were thinking 'damn I wish I didn't have to get these annoying keys out of my pocket?'

To think of it yet another way: How many people buy the upgraded trim on their car mainly for the keyless entry?

(Not having a go - genuinely curious)

Like with anything to do with security and convenience, there is always a trade off (longer passwords are more secure but harder to type, etc...). I don’t think this is a big enough security issue right now for car manufacturers and insurance companies to really do too much about.

I used to have a car without this feature and it was sort of annoying for 5 seconds each time I had to unlock the car. I do get annoyed when I get a rental without this feature too.

Additionally, this also helps when I am carrying bags or other large items with two hands. I can simply make a kicking motion at the bottom bumper of my car and the trunk will open automatically instead of me having to put the bags down and fish for my keys.

I agree that it is minor and not a real deal-breaker, but it is a nice to have.

It’s really pretty impressive too. I once tried (accidentally) to lock my key in the trunk of my car and it refused to close the latch.

That’s what we had 10 years ago.

And apparently what we had 10 years ago was better as people couldn't steal your car without touching it.

Is it true that encryption cannot protect from a relay attack? If the encrypted payload is passed based on some kind of pre-shared secret (pairing) then each message should be unpredictable to a third party right?

The third party doesn’t need to predict it, just repeat it. The relay doesn’t need to understand or modify the message, just pass it along.

If the message is encrypted with some time component and a pre-shared secret then it is protected from a replay attack no?

Yes, but a replay attack is quite different from a relay attack.

Hm, good point. I guess I don't really know how these systems work. I assumed there was some kind of rotating value but I have no reason to believe this. Based on these attacks it seems the keys are really just sending the same signal every time. That appears to be a real shortcoming of the design.

I think you’re not understanding the attack. It could be a unique, unpredictable signal every single time and the relay attack would work just fine. The devices intend to use distance to prevent this, with distance determined by strength of signal. The relay captures the challenge, passes it to the fob and then passes the response back to the car, boosting the signal if necessary. The timing on this is fast enough that it is within the tolerance of the system. As long as these devices are acting as proximity sensors and your fob isn’t electromagnetically isolated, this attack will work. No amount of key rotation will help.

Ok yes, I was confused. Thank you for spelling that out for me, now I understand what is happening.

The modern ones send a unique value each time, so capturing the transmission and playing it back is useless. But that doesn’t save you from an attacker that just amplifies the signal and otherwise lets the two ends communicate normally.

Embedded devices can be laggy at times.

More efficient for the car to estimate the distance and power of the transmitter.

You’ll just estimate the distance and power of the relay. Roundtrip delay is the only thing you can’t fake.

The relay could emulate a reasonable power output, but that requires more precise measurements and would discourage thieves.

Can't you stop the car if the key is not present in the car? I guess the thieves could fake it with long distance transmission of the signal, but that would be more difficult and the further the car drives away from the actual key, the easier it becomes to detect the timing delay.

No. Safety-wise you can't just shut the engine off and lock the steering because the RF connection to some keyfob is wonky.

These thefts have been going on for years and they will not stop until key-less go is dropped or changed such that the key requires interaction (like every higher security transponder has for, like, always).

Obviously you would not use that absurd shutdown procedure. You'd give a warning and tell the driver that the engine is going to shut off in X minutes, and after X minutes you decrease its max speed to 10 km/h for Y minutes before shutting down completely. Cars already do way more dangerous stuff if you assume that arbitrary components fail.

It also depends on the reliability. You could also say that you can't just shut the engine off if the electrical contact in the keyhole is wonky.

Before the keyfobs became popular there were transponder keys with embedded RFIDs. While still attackable, they aren't actively pinging their car and revealing their presence like the fobs do.

> Before the keyfobs became popular there were transponder keys with embedded RFIDs.

Tesla is using an NXP Athena OS based smartcard that uses the Java Card 2.2 platform for its NFC key on the Model 3.

Yeah this has been a thing for years in the UK. My wife and I put our keys into a metal lunch box in the hallway which mitigates this problem, which was prompted by both next door neighbours getting their cars broken into.

Top Gear did a thing on this during their one road trip: https://youtu.be/-aU09WT5rXg fast forward to the 3 minute mark

Exactly. Luckily I've got a Kia which nobody wanted to steal, but it's definitely a well known attack vector. A car on one side got stolen, the other side 'just' had stuff stolen from it.

Wait until bad weather. I had an utterly clapped-out Jeep Cherokee stolen one cold-as-hell winter night. Sure enough, found two neighborhoods over... a fair walking distance from where the last late night bus would have dropped someone off. So, yeah, a stolen beater is just fine when it's freezing cold outside...

Good point. We've got a new (year old) Kia Ceed, and a 15 year old Ford Focus. I'd imagine if somebody needed a ride they'd just take the Focus. Either way we've got the cameras outside which, along with the fact we don't have a Jaguar or a BMW outside probably makes us less likely to be turned over.

> Key fobs are constantly broadcasting a signal that communicates with a specific vehicle, he said, and when it comes into a close enough range, the vehicle will open and start.

Why is it transmitting without the user pressing a button? Is that a feature? As you walk up to the car it automatically starts like magic? I'm not familiar with these newer cars.

Yes, it’s a feature, so you don’t have to remove the key from a bag or pocket to enter or start the car.

In typical designs, the car continually transmits a low-frequency (e.g., 135 kHz) radio signal to wake up any wireless keys within range. When a key receives this signal, it replies with a VHF (e.g., 315 MHz) signal, and the car unlocks or starts when a door is opened or the start button is pressed.

The reply signal, at least, is uniquely coded to the car. The attack is to extend the range of the LF wake-up signal, causing a key stored away from the car to transmit a valid reply.

In some models, besides the transponder described above, the key also has a passive RFID tag, which works with a reader in the car to allow starting even if the battery in the key is dead.

(The article is wrong about the broadcasts, by the way; if the key transmitted continually, its battery wouldn’t last long.)

This is insane. Please tell me this is an option that non-insane consumers can get their car without. Fortunately I drive an old car so this does not affect me—yet. If I ever have to replace mine, this looks like yet-another-misfeature I’ll have to look out for to avoid.

On many models keyless entry and remote start are options, rather than standard. If you park in a garage at night, then this particular attack isn't much of an issue.

I'm sure you didn't intend it that way, but "let them park in their garages" seems to imply the hoi polloi who don't have covered parking deserve to have their vehicles stolen...

It's standard with many "premium" brands (e.g. BMW, Audi, ...)

My 2015 Kia has it.

It is pretty much standard across all cars nowadays, except maybe the very bottom of the line models.

Thankfully, the 2019 Honda Fit I got does not have this feature. The Sport model had it, and was one of the reasons I decided against it. Old school keyless entry via fob button and traditional key ignition

Whew, my 2014 Camry does not have it. Dodged the bullet.

My Tesla Model 3 works by my phone being in range or swiping a key card. I am not sure if they are up to spoofing this method yet.

Is there any type of encryption between the car and the key? Or are the signals always constant?

Could you just record the relay signal and play it back whenever, essentially replicating the key?

Every run-of-the-mill garage door opener uses rotating keys or nonces to prevent replay attacks. I assume any fob design worth its salt would implement something similar.

I believe a nonce is used to prevent replay attacks, but wouldn't be surprised if there are some fobs out there which are vulnerable to replay.
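The garage-door style rolling code mentioned in the two comments above, as an added example that is not code from the article or from any real opener or fob: a button-press fob emits a counter authenticated with an HMAC, and the receiver accepts only counters that are ahead of the last one it saw, within a window that forgives presses made out of range. The pairing key, serial number and window size are assumptions. The `unheard_capture` case is the one the top of the thread describes: a press recorded while the car could not hear it is still "new" to the receiver, so a rolling counter alone does not stop that particular replay.

```python
"""Added example (not code from the page or any real opener/fob): a button-press
fob using a rolling counter authenticated with an HMAC, and the receiver-side
window that tolerates presses made out of range. Key and serial are made up."""
import hashlib
import hmac
import struct

PAIRING_KEY = b"constructed-pairing-secret-not-real"   # assumption: provisioned at pairing
FRAME_LEN = 4 + 8 + 8                                   # serial | counter | truncated tag


def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:8]


class RollingCodeFob:
    """Each press emits serial || counter || HMAC(key, serial || counter)."""
    def __init__(self, serial: int, key: bytes):
        self.serial, self.key, self.counter = serial, key, 0

    def press(self) -> bytes:
        self.counter += 1
        body = struct.pack(">IQ", self.serial, self.counter)
        return body + _tag(self.key, body)


class RollingCodeReceiver:
    WINDOW = 16   # how many unheard presses are forgiven before a resync is needed (assumption)

    def __init__(self, serial: int, key: bytes):
        self.serial, self.key, self.last_counter = serial, key, 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != FRAME_LEN:
            return False
        body, tag = frame[:12], frame[12:]
        if not hmac.compare_digest(tag, _tag(self.key, body)):   # forged or bit-flipped frame
            return False
        serial, counter = struct.unpack(">IQ", body)
        if serial != self.serial:
            return False
        if counter <= self.last_counter:                 # replay of a press already consumed
            return False
        if counter - self.last_counter > self.WINDOW:    # too far ahead: fob is out of sync
            return False
        self.last_counter = counter
        return True


def demo() -> dict:
    fob = RollingCodeFob(serial=0x1234, key=PAIRING_KEY)
    rx = RollingCodeReceiver(serial=0x1234, key=PAIRING_KEY)
    r = {}
    first = fob.press()
    r["first_press"] = rx.accept(first)
    r["replay_of_first"] = rx.accept(first)            # same frame again: rejected
    for _ in range(5):                                 # pressed out of range, never heard
        fob.press()
    r["after_gap"] = rx.accept(fob.press())            # within WINDOW: accepted, receiver resyncs
    captured = fob.press()                             # attacker records this press...
    rx.accept(fob.press())                             # ...but the owner presses again first
    r["stale_capture"] = rx.accept(captured)           # counter now behind: rejected
    unheard = fob.press()                              # recorded while the car could not hear it
    r["unheard_capture"] = rx.accept(unheard)          # still ahead of last_counter: accepted
    for _ in range(20):
        fob.press()
    r["beyond_window"] = rx.accept(fob.press())        # 21 ahead: outside WINDOW, rejected
    flipped = bytearray(fob.press())
    flipped[11] ^= 1                                   # tamper with the counter's low byte
    r["tampered"] = rx.accept(bytes(flipped))          # tag no longer matches: rejected
    return r
```

Call `demo()` to run the scenarios; the window size trades convenience (presses made far from the car do not lock the owner out) against how many stale frames an attacker may hold in reserve.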

It uses a challenge-response protocol, so you can’t simply record the signal and play it back.

It might not matter. If the point of the amp is to reduce the effective distance between the car and the fob, whatever messages are exchanged will look right to the car and the door will open.

With my car, as soon as you touch the door handle (with the keyfob in your pocket, or within a couple feet of the door) it unlocks, and to start the car you push a button. It doesn't work from even 4' away (eg, someone else touches the door handle while you're close) and it doesn't work from the other side (eg, when the keyfob close enough to driver's side door, the passenger side won't unlock).

The really nice feature is when you walk away (a few seconds after you're out of range), the doors automatically lock. However, the downside of this feature is my wife's car does not have it -- and so at least half of the time when I am driving it I forget and leave it unlocked in parking lots.

> the downside of this feature is my wife's car does not have it -- and so at least half of the time when I am driving it I forget and leave it unlocked in parking lots.

My brother in law did this on a ski trip with a borrowed Range Rover. It was only at the end of the week he realised he'd left his keys in a jacket pocket in the car the entire time and it had been sitting unlocked in the car park half a mile down the road from the apartment. Thankfully it was fine but stealing it would've been a case of getting in, pressing the start button and driving away.

>so at least half of the time when I am driving it I forget and leave it unlocked in parking lots

This is the problem with a lot of the newer tech in cars like backup alarms. You become used to various features in your own car and when you rent a car you need to consciously remember that the vehicle doesn't have $FEATURE. Effectively, cars are becoming a lot less standardized. A car I rented a few weeks ago beeped at me a couple times and it took a while before I realized it was the lane departure warning triggering on a couple turns.

It's a problem going the other way too. I drive an older vehicle and rented a car. I nearly had to ask the attendant how to start the car. Then I was entirely surprised when I stopped at a light and the engine turned off.

And don't get me started on center consoles. At least my last rental supported CarPlay and I was pleased to discover that it pretty much just worked. Other systems I've had seemed far more intent on downloading all my contacts rather than doing something useful from an entertainment or navigation perspective.

Heh, that reminds me of my last rental, where, not half an hour off the lot, the touchscreen sound/navigation/??? system got stuck in some sort of reboot loop. Cursory online research suggested the problem was a known firmware bug that was unfixable without a service appointment.

A reasonable person would probably have turned around and exchanged the car with the rental company at this point.

I am not a reasonable person.

Instead, I headed directly to a truck stop and purchased a heavy-duty power inverter, dropped the back seat, and crammed my portable PA speaker into the trunk, connected to the car's trunk-mounted battery through the inverter and to my iPhone through a shielded audio cable run from the trunk to the front seat.

The result sounded far better than it should have, and what it lacked in convenience (I had to pop the trunk to power it down) and channel separation (one speaker = mono), it more than made up for in dB SPL.

(for the record, I've also repaired eBay purchases that arrived in worse-than-advertised condition rather than returning them, for no other reason than that learning how to fix things is more fun than going through the hassle of returning them)

This is also the kind of 'hacker' mindset that got me interested into technology. But instead of fixing to see how it worked, I broke it apart to see how it did.

Oldest car I've seen it in is a 2006 Infiniti.

>>Why is it transmitting without the user pressing a button? Is that a feature?

It's not transmitting anything, it works pretty much the same way NFC works. Both the key and the car have their own public/private key pairs (which were obviously set by the manufacturer) and when you touch the handle the car transmits an unlock request to the key, encrypted with the car key's public key (this is going to get confusing lol) - when the key receives the message, it decrypts it using its own private key, if it's correct then it replies with an "ok" message encrypted with the car's public key. When the car receives that, it decrypts it using its own private encryption key and opens the doors. Simple, and in theory unbreakable. The issue is that the car doesn't measure how far away from the vehicle the key is - it only relies on the fact that the transmitters used by the car and the key are super-low range (like, within 50cm). Which is obviously defeated by using signal boosters.

This is kind of a nitpick, but it's unlikely that the keyfob is doing public key cryptography. Those things have to be as energy-efficient as possible in order to maximize battery life. An HMAC would accomplish effectively the same thing, and is much more efficient to compute.

As you described it, it is easily broken with a replay attack.

Yes, that's why it's not all there is to it - the request to unlock the car contains a rotating key, just like with normal wireless car keys.

Can you also boost the nfc to make payments from distance?

Yup, but it's not very lucrative vs. risk, thus rare. This doesn't happen all that often because the payments need to also go somewhere, and following the money is apparently easier in electronic form. Plus there's a safety/security layer - you need to authenticate payments above a certain low limit, bank vouches for what's below the limit, etc.

It doesn’t start automatically, but unlocks automatically as you approach the car. Tesla Model X even opens the door for you.

Newer vehicles are already mitigating this attack, eg by measuring signal timings. Signal relay introduces a delay which can be identified and rejected.
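The replay-versus-relay subthread above, the HMAC challenge-response suggestion, the point that the challenge must be fresh each time, and the timing-based mitigation mentioned in the previous comment, as one added example that is not code from the article or from any vehicle: a simulated passive fob and car on a model clock, with a direct channel, a two-box relay that forwards bytes unmodified, and a replay of a recorded answer. The pairing key, distances, fob processing time and relay latencies are assumptions chosen for illustration; `distance_uncertainty_m` only converts a timing jitter into the distance it hides, which is the low-frequency timing problem raised earlier in the thread.

```python
"""Added example (not code from the page or any vehicle): relay vs. replay against
an HMAC challenge-response fob, and distance bounding by round-trip time.
Simulation on a model clock; key, distances and latencies are assumptions."""
import hashlib
import hmac
import os

SPEED_OF_LIGHT_M_PER_NS = 0.2998   # free-space propagation, roughly 30 cm per nanosecond
PAIRED_KEY = b"constructed-pairing-secret-not-a-real-key"   # assumption: set at pairing


def distance_uncertainty_m(timing_jitter_ns: float) -> float:
    """Distance hidden by a given round-trip timing jitter (one way = jitter * c / 2)."""
    return timing_jitter_ns * SPEED_OF_LIGHT_M_PER_NS / 2


def rtt_budget_ns(max_distance_m: float, fob_processing_ns: float) -> float:
    """Longest round trip a fob no farther than max_distance_m can legitimately produce."""
    return 2 * max_distance_m / SPEED_OF_LIGHT_M_PER_NS + fob_processing_ns


def _answer(key: bytes, challenge: bytes) -> bytes:
    return hmac.new(key, challenge, hashlib.sha256).digest()[:8]


class Fob:
    """Passive fob: answers any challenge it hears, after processing_ns of compute time."""
    def __init__(self, key: bytes, processing_ns: float):
        self.key, self.processing_ns = key, processing_ns

    def respond(self, challenge: bytes) -> bytes:
        return _answer(self.key, challenge)


class DirectChannel:
    """Fob physically distance_m from the car."""
    def __init__(self, fob: Fob, distance_m: float):
        self.fob, self.distance_m = fob, distance_m

    def exchange(self, challenge: bytes):
        rtt = 2 * self.distance_m / SPEED_OF_LIGHT_M_PER_NS + self.fob.processing_ns
        return self.fob.respond(challenge), rtt


class RelayChannel:
    """Two-box relay: nothing is decrypted or changed, the path is just longer and
    each box adds electronics latency on the way out and on the way back."""
    def __init__(self, fob: Fob, path_m: float, box_latency_ns: float):
        self.fob, self.path_m, self.box_latency_ns = fob, path_m, box_latency_ns

    def exchange(self, challenge: bytes):
        rtt = (2 * self.path_m / SPEED_OF_LIGHT_M_PER_NS
               + 4 * self.box_latency_ns + self.fob.processing_ns)
        return self.fob.respond(challenge), rtt


class ReplayChannel:
    """Attacker holding a recording of one earlier response and no fob in reach."""
    def __init__(self, recorded: bytes):
        self.recorded = recorded

    def exchange(self, challenge: bytes):
        return self.recorded, 0.0   # played back instantly, challenge ignored


class Car:
    def __init__(self, key: bytes, max_distance_m: float, fob_processing_ns: float,
                 fresh_challenges: bool = True):
        self.key = key
        self.budget_ns = rtt_budget_ns(max_distance_m, fob_processing_ns)
        self.fresh_challenges = fresh_challenges
        self.last_challenge = os.urandom(8)

    def next_challenge(self) -> bytes:
        if self.fresh_challenges:
            self.last_challenge = os.urandom(8)
        return self.last_challenge   # reused when fresh_challenges is False (the flaw to avoid)

    def try_unlock(self, channel) -> str:
        challenge = self.next_challenge()
        response, rtt_ns = channel.exchange(challenge)
        if not hmac.compare_digest(response, _answer(self.key, challenge)):
            return "reject: bad response"
        if rtt_ns > self.budget_ns:
            return "reject: too far (rtt %.0f ns > budget %.0f ns)" % (rtt_ns, self.budget_ns)
        return "unlock"


def demo() -> dict:
    fob = Fob(PAIRED_KEY, processing_ns=500.0)            # assumption: a fast, UWB-class fob
    car = Car(PAIRED_KEY, max_distance_m=2.0, fob_processing_ns=500.0)
    r = {}
    r["owner_at_door"] = car.try_unlock(DirectChannel(fob, distance_m=1.0))
    relay = RelayChannel(fob, path_m=32.0, box_latency_ns=200.0)   # car -> box -> box -> fob in the house
    r["relay_with_timing"] = car.try_unlock(relay)
    no_timing = Car(PAIRED_KEY, max_distance_m=1e12, fob_processing_ns=500.0)  # crypto only
    r["relay_without_timing"] = no_timing.try_unlock(relay)
    recorded = fob.respond(car.next_challenge())                # a genuine exchange, recorded
    r["replay_fresh_challenge"] = car.try_unlock(ReplayChannel(recorded))
    reusing = Car(PAIRED_KEY, 2.0, 500.0, fresh_challenges=False)
    recorded2 = fob.respond(reusing.next_challenge())
    r["replay_reused_challenge"] = reusing.try_unlock(ReplayChannel(recorded2))
    return r
```

The relay is rejected only because the car enforces a round-trip budget; the same bytes unlock the car that checks cryptography alone, and fresh challenges defeat the recording while a reused challenge does not. `distance_uncertainty_m(50_000)` shows why a fob that answers with tens of microseconds of jitter cannot be bounded to a few metres: that jitter hides roughly 7.5 km.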

Yes, it’s called keyless entry and ignition system.

Yeah, it allows for unlocking without inserting a key or pressing a button.

Ford is really bad with this. The Fiesta and Focus, you can program a new key with the OBD2 port in under 60 seconds. Blast the key with a booster, get inside the car, plug your laptop in, program a new key, drive off. People have had to lock the OBD2 port, disable it, put keys into aluminum foil (my method). https://www.youtube.com/watch?v=dvmSOEKfkug

This seems like as good a HN thread as any to ask this, since I've been looking into it recently. What are some cars to look into if I'm interested in the following things? Or what are some cars that I should specifically avoid?

- Low appeal to thieves interested in stealing the vehicle itself, due to the hardware (locks and whatever else) being exceptionally difficult to deal with

- Some sort of secure/hidden compartment for concealing valuables (I know, I know, don't keep anything valuable in your car, but let's say it will still be more secure than keeping it outside of the car)

- Following up to that, an especially secure trunk (if such a thing exists)

- A wagon or smaller, so no minivans/crossovers or anything bigger

- Under $25k used for something recent, maintainable (was looking at Audis but I don't want to risk maintenance issues), and with low mileage, which puts Teslas out of the picture (sadly)

When I was a grad student, my parking permit put me in the law school parking lot. Problem solved.

Get a manual, nobody steals a manual.


