Hacker News new | past | comments | ask | show | jobs | submit login
Keeping Your Car Safe from Electronic Thieves (nytimes.com)
139 points by pzb on Apr 15, 2015 | hide | past | web | favorite | 102 comments

The article is unfortunately something that's been happening in Europe for some time. It's just now that the tooling and toys is starting to become prevalent in the US. Europe has the "advantage" of being able to simply drive a car to its ultimate destination in Africa or Russia, and getting cars out of England doesn't require much more effort.

"How much worse could it be in Europe?"

Last month, Range Rovers in posh areas of London were being stolen so often that police were instructed to pull over any Range Rover in the vicinity to confirm it was being driven by its owner, the paper reported—which seems to be an extraordinary measure.

It’s problematic enough that Scotland Yard has published bulletins on it, and has a website about the kinds of thefts and how to prevent it: http://content.met.police.uk/Site/keylessvehicletheft

For those a bit more interested on the topic, The Sunday Times did a neat overview: http://www.driving.co.uk/car-clinic/six-ways-thieves-can-bre...

In London, insurance companies stopped insuring Range Rovers if they are kept on the street overnight. They will only insure it if it's kept in a locked garage. That's how bad it is.


For those of you not in the loop, these "keyless" systems let you walk up to your car and open your door without getting your key out of your pocket. There is a proximity sensor under the door handle (similar to proximity sensor on your smartphone). When the proximity sensor is triggered, it searches for a nearby key fob and then instantly unlocks. You can also usually start the car (with a push-button start) without getting out the key. And you can lock the doors (from outside the car) by pressing a button on or near the door handle with the fob in proximity. Basically, you never have to get your keys out for any reason.

Anyway, fortunately, I can never find street parking near my apartment for my Prius anyway. But I'm still going to find a small faraday cage I can leave by my bed to put my keys in before I go to sleep...

But I'm still going to find a small faraday cage I can leave by my bed to put my keys in before I go to sleep...

A small, all-metal box will probably do just as well. For bonus points, connect it to earth ground.

Yeah I was thinking keeping electronics in the freezer probably isn't great, there would eventually be build up of moisture inside the key housing itself right?

some aluminium foil would do just as nicely!

How well would an anti-static or foil-lined bag work?

How does this work if you are around town, lets say eating lunch?

You could get an RFID-blocking wallet (should anyway, really) and put the key in that.

I have one from http://difrwear.com/; I've tested it and it's never leaked any signal from cards inside; should work fine with keys too.

OffPocket, perhaps.

I'm not quite satisfied with the explanation in the article -- maybe someone with radio signal experience can help me out?

Assuming that the unlock is accomplished over 2-way communication (car calls to key, key responds), I can understand how an amplifier could boost the car signal to a key that was far away, but how does it boost the key's response to accomplish the second half of the process?

The general theory is the amplification works both ways. The device listens for any signal on a certain band and re-transmits it at a higher power. Signals from the car to the keyfob are amplified as are signals from the keyfob to the car. Noise canceling circuitry prevents it from getting into a feedback loop. This sort of thing exists for garage door openers[1].

In practice, I have found the keyfobs tend to transmit with enough power that 50ft isn't a problem, provided they get an activation ping from the car.

[1] http://www.ebay.com/itm/Signal-Repeater-Enhance-wireless-ran...

Exactly: It's not simply an amplifier, it's a repeater. It's similar to two-way radio repeaters used by amateur radio and emergency communications, with the major difference being that this sounds like a full duplex device on one frequency, whereas radio communication repeaters generally use two sets of frequencies in a half-duplex configuration.

I can see this boosting the signal going from the car at 315MHz or 433MHz but what about boosting the response back from the key at 125KHz or 130KHz?

A different type of problem with electronic keys, mainly for motorcyclists, is if you have the key laying nearby in, say, a garage, hop on and ride off (there are some bikes with keyless start), you just stranded yourself wherever you end up shutting the ignition off.

Harder to do with a car unless you forgot your keys and someone playing a joke on you had an amplifier near your car.

I spoke to a Tesla owner who had spoken to another Tesla owner who locked his keys in his car. Normally this wouldn't be possible, except he apparently happened upon a dead spot in the interior of the car where it couldn't sense the key. The car automatically locked when he walked away, and that was that.

With Tesla you have a backup, in that you can unlock the car with your phone, as long as both the car and the phone have a signal. Of course this fellow locked his phone in the car too....

This used to happen regularly before central locking systems. When I was a kid, buying a used car meant you didn't have central locking. I was probably 17 before my family had our first car with central locking.

Anyway, what happens there is you usually lock all doors before closing them. Then when you close them, if the key is inside, oops.

This is mitigated in slightly moderner cars by the fact that driver-side doors don't lock when they're open.

So I guess we had this beautiful period of the last 15 or 20 years where we locked our cars by pressing a button on the key. Makes it impossible to lock your keys into the car.

I wonder if we're going to decide that was better than keyless before keyless becomes widespread.

Personally, I love keyless systems. I also habitually lock my car (happens automatically now, yay!) and never take the key out of my pocket, so leaving it in the car by accident isn't an issue. Old habits die hard, though.

I've had a few instances where my wife has the key in her purse, which allows the car to be started, and I don't even realize I don't have my key on me. I drop her off somewhere and then notice. But both of our cars sound a loud alarm and show an impossible to miss message on the dash the instant the key leaves the car, so it's pretty hard to actually drive off without the key.

Mazdas (at least the 6 and CX-9) will beep at you if the key isn't inside when the vehicle is running.

If keyless ignition does make it big in the motorcycle world, I would expect that motorcycle manufacturers would add lights/beeping/ignition cutoff if you got too far from the key.

This is a case when I'd literally like an SSH2 key for my car. With time-proven code, perfect forward security, proof against replay attacks, and so on.

Could be a small but lucrative business!

Did you read the article? It wouldn't be effective against this attack unless you are required to take some action to open the door.

Oh, yes, it's a different kind of attack! (What I thought about is recording your key's transmission and replaying it later.)

For this, I'd opt for a button on the key; it's still better than not forgetting to put the key to a Faraday cage. Cutting the power circuit and adding a button that restores it must be much simpler that refitting the entire car's locking system.

There's already a button on the fob to unlock the doors. The proximity unlock is a separate feature. The whole point of the proximity function is to remove the need to push a button on the fob. Your idea makes no sense, unless you're proposing deletion of the proximity unlock feature.

Yes, I'd like to remove or severely limit this feature. When it's always on, and it does not properly check for proximity of the key, it's broken by design.

I'd rather have a button that allows for proximity unlock during 1-2 minutes after pressing, much like Bluetooth public visibility.

If I had an existing key with this proximity misfeature, I'd like to modify it as I described: having press a button to unlock my car is for me preferable to a risk to have it stolen.

So you'd like to take the fob out of your pocket, push a button to enable proximity unlock for a brief interval, place the fob back in your pocket, and then have the door unlock when you approach the car?

I'm clearly missing something.

It makes sense. Normally I don't keep my car key in my pocket when I'm at home. It's on the desk, or on a hook, etc. So his model is that he hits the button as he grabs the key to stick it in his pocket, then when he approaches his car a few minutes later, the proximity unlock works.

You could add some security to the process without requiring the button press by disabling the proximity unlock unless an accelerometer in the fob detects that the fob is moving.

I don't get it either. Even if it was an on/off switch, so when you come home at night you can disable it, I can't see it getting much use (except maybe during this brief period before they resolve the distance issue).

Does the freezer really act like a Faraday cage?

Quick Google search suggests it isn't really effective:


Your microwave oven is likely a better choice, since its faraday cage-like behavior is required for both safety and regulatory reasons.

And your key battery will thank you... Freezer would kill the battery in a few days of such treatment.

Killing the battery isn't a bad idea either, actually :)

(Usually there's a recessed traditional key in the fob that you can use as a backup)

Wow, I didn't think of it until I read your comment, but it would be super easy to add a switch to my fob!

With little more than a cap, you can throw on a button that enables the feature on for a period of time then disables it again.

Sure. Or maybe requiring to put a key in the lock! Oh wait...

... Unless you have a push button start...

Unlikely, assuming a lithium cell.

Be careful not to turn it on though (yes, there's a story behind that ;( ).

I can tell you it isn't for mine. I have a Mother cookie sensor in there reporting in near real time the temperature wirelessly.

It depends on the frequency of the signal that the key uses. I forget the formula, but to be a good faraday cage the cage needs walls of thickness proportional to the wavelength of the signal.

Wait I thought it was minimum interstitial spaces between conductive cage elements proportional to lambda.

attenuation is related to both. Once the holes are much smaller than the wavelength though, only the thickness matters.

Fixing this issue would probably only happen in newer models of vehicles... the keys for existing cars don't often change, and I'm not sure a recall would ever be issued for something like this.

Here's another article from four years back; the tactic is likely older than that: https://news.ycombinator.com/item?id=2079289

For older vehicles you can turn off the Auto Unlock / Lock feature.

I am not a hardware dev but I think this attack could be defeated by having the car measure the amount of time the key takes to respond to the call outs. If it takes more time than it should for the signal to travel a few feet, then it shouldn't unlock. If they embraced this method then existing cars could be protected with a software update instead of new hardware.

The signal travels 10 feet or 3m in 10^-8 seconds. I don't think the sampling circuit has that kind of resolution.

I think it could. For example, the Leica Disto2 laser rangefinder has a minimum measuring distance of 5cm. I don't see why an RF-based system couldn't do adequately for this use case.


The article states:

  Mr. Danev said his company was in talks with several car
  manufacturers to install a chip that can tell how far the key
  is from the car, thereby defeating the power-amplifier trick.

So only cars that "self unlock" are affected right?

If you have remote but no self-unlock it should be okay, for now.

Toyota has a way to turn on and off certain features from the lock system by reprogramming using a pattern of opening and closing the driver door and inserting/removing the key. Same way you add/remove fobs.

So it might be possible to turn off self-unlock. You'd have to find the dealer manual though.

added, or google it: http://thepoch.com/2013/automatic-door-locking-and-unlocking...


No. Many of the remote unlock by pressing a button on a keyfob systems are vulnerable to brute force and replay attacks. The news is out there, take a look if you are concerned.

According to the Prius manual you linked, you can apparently turn on a power save mode on the keyfob by holding down the lock button and hitting unlock twice. This stops the key from receiving radio waves at all until a button is hit, so it would seem to be effective against an amplifier attack.

The article specifies there are brute-forcing radios out there that can open bmw's so no, everyone is in danger.

Well, I know you can remove all fobs from a system with that same method listed above, so then only the physical key will open it.

But that sucks there are so few codes they can all be scanned.

Wouldn't the logical conclusion from that premise be that everyone who owns a BMW is in danger? How do you go from BMW being compromised to everyone?

You can disable it via the on-dash console in GMs.

Oh if only they had read wikipedia...


Apparently a solution was available in 2010.

Most of these keyfobs are running ~16MHz processors.

Distance verification would be implemented in the car though. The keyfob would implement some secret function using analog circuitry as described in the linked article.

I'm not sure you have taken this thought to its logical conclusion.

Free version: https://archive.today/WyCdu

This is why I despair at all these new keyless cars. I would pay money to have a normal key over one of those, because it's more secure.

Also, one huge reason I would never want a keyless car: I can't check if it's locked before I walk off; I just have to trust that it will lock once I'm far enough away and before someone else jumps into it and drives off.

Convenience and radio waves will be the death of us all. Why do car companies not have expert security and RF guys on staff? This is so predictable.

Same as the "internet of things" - they are with security where Microsoft was in the 1990s. Security by obscurity is their watchword.

Always remember: "Internet Of Things is also called IOT, because you'd have to be an IDIOT to believe they're secure".

I always check my car doors are locked before walking away, even though I have a more conventional remote central locking system. For the last few years in South Africa, crooks have been using things like garage door openers to block the signals of remotes. Once the driver walks away from the car they steal its contents.

I press the lock on my fob twice and it chirps. That way I know it heard the "lock yourself" command. I did it because I found my car unlocked a few times and it must have either been that I forgot to lock it or the first keypress didn't take.

And this is why I'll get myself a VW T4 again once I have the cash. Unlike T5, easily repairable by yourself and not much electronic bullshit that is vulnerable to hacking or just general wear (I'm looking at you, Renault).

Only thing I'm gonna add is a Raspberry Pi for general monitoring, webcam and a 3G uplink with GPS.

Cocktail shaker would be a good alternative to a freezer.


Nope. I just happened to have one handy and tried it. A cocktail shaker does not a Faraday cage make.


The one about the BMWs was a flaw where you could access the Obc port and get the car to program itself a new key. In the 1 series there is an alarm dead spot where the Obc port is. So the thieves would cut the glass, insert a cable, program a blank key and then open the door and drive away.

I find it very funny that for such expensive cars there are no security considerations.

I hope to god those contactless credit cards can't be just cloned with a long range rfid reader or else this is gonna be a very funny few years

The wealthier you are the better neighborhoods you live and work in, and arguably the better police and government benefits you get.

I'd park a Porsche with a vulnerable system in a fancy suburb or in a high-rise parking garage without a second thought. I wouldn't park a Chevy in the ghetto with any system without lots of worry.

Well that's what the two kids in the article were hoping for. Los Feliz is pretty affluent and trendy.

A Mazda3 and a Prius are such expensive cars?

Relative to the second hand market? Yeah. Unless you want something that is going to be absolutely no bother, and that doesn't need anything at all done to it, then you can spend a few thousand pounds at most and still get something in reasonable nick. For instance, my current car came with around 17,000 miles on the clock and cost £1,300.

A Prius would cost me £21,995 - around 16 times as much. Though there are far more expensive cars out there, that they can't even get basic security right is fairly disgraceful....

Minor nitpick: new cars are not without bother. It's just that when (not if) something breaks, you don't pay for the repairs. But you still have to go through the hassle of taking it to the garage, driving a rental in the meantime, etc.

And if you take depreciation into account, you can do a bloody lot of repairs on a used car before it's more expensive than a new one with free repairs.

Depends on where you live. 20k for a car where I live is very expensive. I honestly would not risk even a 5k car on this broken system, is it that hard to put a key in a hole?

Most cars I see on the road and in parking lots are 5-20 years old. Anything newer is a low-end model. Expensive cars stand out.

OTOH, by definition, most cars are going to be 5-20 years old.

I bought my Prius used for much less than 20k, and it has this system. (And when you buy a used car, you don't choose what features you get!)

I think the more accurate statement is: cars are expensive.

Any car theft will hurt a lot for most people.

I roll around in a 15 year old Saab 93 which has a book price of around 300 quid. A Mazda 3 or a Prius would be expensive to me.

They can, and so can the passports with the same technology.

Someone did a demo where they snagged someone's private details by "bumping into" them on the street.

>I hope to god those contactless credit cards can't be just cloned with a long range rfid reader or else this is gonna be a very funny few years

They can. That's why they require your PIN every N tries (N is configurable by the issuer, I think). All the money spent up to and until N is reached is just lost though, I guess.

This is why I have an RFID-blocking wallet.

I believe they can, and people are already selling RFID-proof wallets.

I wonder how many combinations they use. For old school keys there was always a small chance the key would work in a different car. Would be a pain if you shared a combo with a nearby neighbor.

Back in the late eighties and early nineties it wasn't difficult if you had a Ford product. My escort key would unlock another same color Escort in the parking lot. My Aunt was able to take the Mercury to the mall but was locked out as she had her husband's keys to his Ford (I forget the model)

However now with the new chipped keys that is far less likely. Yet at the same time we introduce new means to communicate with cars its likely without some sort of industry standards there will be holes as manufacturers will not be inclined to pass on lessons learned to others

It happened to a family member recently, for her mid-2000s Ford Expedition. She unlocked and entered a similar looking Expedition before realizing all the stuff in the console wasn't hers.

This happened a lot with Mazda 323's and Toyota Corollas. A friend of mine once went to his car at a mall, started the engine and was backing off the parking slot when he realized that his car does not have children's seats at the back, this one did. No children though at that moment.

There’s one place already selling “military spec” faraday cages for this exact purpose: http://www.carkeycage.com

I remember someone around 2001 describing vulnerabilities in keyless entry to me. It sounded technically feasible, but I was surprised that I never read about it or heard about it happening to anyone. I guess I wasn't reading Jalopnik, but you'd think that this would have gotten more attention earlier.

Who knows, maybe I'm just not paying attention.

KeeLoq was widely used back then. Careless users make it theoretically vulnerable to replay attacks, but it's rarely exploited.


Thanks! I could never remember the reference.

Ok so this allows them to unlock the car, maybe start it, though the article doesn't really get into that, but then what? After they drive beyond the range of the amplified key transceiver?

I imagine for safety reasons the car won't shut off just because it's out of range. If it did it'd certainly solve this problem.

In any case, they'd just drive it to the chop shop.

I can confirm that it doesn't shut off. At least in my case, it beeps for a while saying "KEY NOT DETECTED", but it doesn't seem to actually do anything about it.

When my key battery was low this would occasionally happen and it wouldn't actually do anything until you need to actually start the car again after stopping it.

09 Avalon uses same principle as in the article and is most likely vulnerable. Functionality that I have encountered:

Battery charged in fob:

Walk up to car push any button located on handle of doors to lock vehicle or push button on trunk to open trunk.

Within proximity to any door lights under side view mirror light up, interior lights also turn on. After touching driver handle driver door opens, any other door handle touched (within proximity to fob) will cause all doors to open.

Battery dead: Trunk will open if fob is held directly near button. Similar behavior on doors fob must almost be in hand pushing button. Valet key can open the driver door. Buttons to unlock etc dont work. Have to hold fob near push to start to start vehicle. Depending on proximity during drive the alert on dash may light up.

Few times I or S.O. has driven off without key (luckily realizing within a few miles of house or location of key). The Avalon will continue to run only having the alert on the dash. I'm guessing my defense here would be to let the batteries die in the fob. Ill still get most of the functionality without the risk. Keeping the battery one (when I want to sacrifice security for convenience) stored in a cage. Really like the attack though.

they won't be able to start it again, but once they get far away, they don't really care as the car is now gone

So this is basically a MITM attack. When is TLS comming to car keys?

This is not really a MITM attack. TLS would not have mitigated it.

The attackers are just extending the range over which the key and the car can hear each other. The attackers don't need to decrypt or modify any of the traffic.

I can see the high frequency signal being boosted but how is the low frequency response from the key being boosted back to the car as it can usually only go a few inches

I know people that has rewired some fundamental part of the car like the fuel pump or something like that. There is a combination of the car buttons that must be pressed to start the car, if not you may start it but the engine will stop after some minutes. It must be done by someone that knows electronics, but doesn't seem that dificult to implement(although probably expensive), and it's very hard to detect and avoid by thieves if done properly.

this opens a new era in the car-sharing business!

I wonder if the Apple Pay system is vulnerable to a similar attack?

Apple Pay requires a thumb press or other confirmation to proceed with the transaction.

On the watch is it vulnerable? I thought it only required waving your wrist at the pay point?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact