Electronic key fobs used to steal vehicles?

[BelgianPup]

My neighbor's brother's car was recently stolen.  How they did it was using a technique I've never heard of.  TRUE?

If I've got this right.....

He said that professional car thieves have a gadget that can receive the constant electronic signal given off by your key fob for several hundred feet.

The gadget can find and lock onto your fob's electronic signal in a couple of minutes, they approach your car with it, it immediately unlocks the door, they get in, start the car, and take off.

The cops said you can buy a small pouch with a signal-blocking liner inside to keep your key fob in.  They said it also blocks illicit credit card scanners.

Have you heard of this?  Do car dealers warn  you about this?

 

[highdesertranger]

this is nothing new. it's been around for years. they can also do it to garage door openers and I would imagine any type of smart lock. isn't technology wonderful. highdesertranger

 

[MrAlvinDude]

There are blockers for credit cards.

The wireless part of the credit card is often referred to as  RFID or NFC. 
And any thin metal sheet will block the RFID signals.  Even metalized plastic, is enough.

Most newer passports will also have a chip embedded, and will use the same wireless technology for communication.

What is unique about the wireless technology in RFID and NFC is, that only the reader needs power.
The chip in the credit card will not need a battery, because the reader will be used to (wirelessly) send a small burst of power to the credit card, so there is just enough energy in order to power the chip in the credit card, and allow it so send some data back to the reader.

Usually this contact less communication only has a short range of less than 1 inches. But if the coil in the reader is made big enough, it can have a range of several feet.

But usoing a thin layer of metal, will complketely block RFID/NFC communication.


Now the thing about the key-fobs is more nuanced,
because both ends at the communication has a battery.
And also because there are several different kinds of key-fobs.

The cheap kinds can be scammed like you describe.  Though it does require a certain level of finesse, even if you get a ready-made tool.
But the more advanced key-fobs are way harder to fool. And to most hackers, it is basically impossible. Beyond the tool, you need skills.


All car manufacturers use the whole range of key-fobs (from the simple to the advanced), so one can not generalize about manufactures.

But cheaper model cars will typically have the simpler styles of key-fob, and more expensive cars are more likely to have the more advanced types of key-fobs.


The basic idea of the hack is, that each time you press the key-fob, a different key will be transmitted. 
So if the hacker can interfere with the the wireless signal, but only in away that the hacker will still be able to read the key that has been sent wirelessly (this is where some finesse is needed), then you are likely to press the key-fob again, now the hacker has two keys, and can send the first key to the car.
And can at a later point use the first key to enter the car.


So for cars where the only security is the key-fob, is is somewhat simple to steal such a car.


Many cars will however have a dual security system, in order to start the car. 
So the key-fob will only open the doors and disable the alarm.

For the car to start, then a key needs to be in (or close to the ignition) and a RFID signal will communicate with a chip, embedded into the plastic of the ignition-key.

This dual security system is one of the reasons car keys can be so expensive (compared to just a regular house key). 
And why some cars can only have 2-4 key for the car. Because the computer in the car needs to be paired specifically with the RFID identity of specific keys.


This dual security does however cost more to build into the car, and it is often a hassle to maintaining, for owner/dealership, so sometimes the only security is the key-fob.

 

[bullfrog]

Supposedly organized crime is doing this in areas where it is convenient to have the stolen vehicle in a storage container and loaded on a ship for overseas sale before it is reported. The one I read about was a new Tundra with push button start option.

 

[nature lover]

Thank God I am too poor to drive something new I got a 98 with rust included and no key thob I don’t think they want mine. But when they see how incredibly handsome and sexy I am I personally might get stolen at least I hope so.

 

[PlethoraOfGuns]

Too much technology! Drive an old pile of rust and bolts with an actual key. Yes, they can be stolen too, but at least they won't become self-aware! Skynet is real!

Best ways to thwart a would be thief would either be to own a manual transmission, or have random pieces of duct tape all over.

 

[barleyguy]

Supposedly organized crime is doing this in areas where it is convenient to have the stolen vehicle in a storage container and loaded on a ship for overseas sale before it is reported. The one I read about was a new Tundra with push button start option.

If you look at the crime statistics for Seattle, car theft there is strangely high compared to other places. The "areas" you talk about might be Seattle. It's also the shipping hub for vehicles entering and leaving the United States. If you buy a car from Japan for example, there's a tangible chance it arrived in the country through Seattle.

As far as the key fob thing that's the topic of this thread, yes reading car fobs is a real thing. All it requires is a device that reads the frequency band of the key (such as a small USB dongle), and enough computing power (i.e. a laptop) to decode the sequence of numbers on the key. The key is designed to only transmit over a short distance, so the "attacker" (in computer security terms) needs to be fairly close. The supposed scenario is someone sitting near the doorway or cash register of a coffee shop.

The way key fobs work is by a challenge response sequence on a particular radio frequency:

1. The key says, "Hello car, I'm your key"
2. The car says "I'm not sure I believe you, what's the response to the sequence for 12345?"
3. The key says, "Hi there friend, the response is 23456."
4. The car turns on.

If someone can do that sequence enough times to figure out the pattern (also based on some knowledge of certain brands of cars), they can duplicate the key fob.

This is roughly as secure as an actual key, BTW. Real keys are pretty easy to duplicate as well. A talented locksmith (or someone with the right software) can duplicate a key using a picture of it.

 

[MrAlvinDude]

Hi barleyguy, while I agree with you that the very advanced keyfobs, have two-way communication, and can thus performe a "handshake", as you describe.

Most keyfobs will however only use one-way communication. 

----

The very simple versions simply send out a number.

Some garage door openers may still use this method.  This makes them rather easy to copy/hack. 
All you need to do, is be close by, and listen on the right frequency, and pick up the number, and at any later time you can send that number, and the garage door will open.

On these very simple systems, it is also possible to have a device that will simply blast all numbers/keys.
And within a few seconds (or a minute or so) you may see several garage doors (all the way down the street) opening. 

So this method is no longer used in cars. It will only be used in very inexpensive garage door systems, or super low cost after-marked motorcycle/scooter alarms. 

----

The slightly more advanced one-way-communication keyfobs will use a method with a 'rolling key'. 

So both the keyfob and the receiver (the door) will contain a long sequence/list of keys.   There will typically be a sequence of 1000-8000 keys.  And this list will be stored in both the keyfob and the door.  This way only about 1000-8000 keys out of possibly a 100 million (or more) keys, can be used.

So the method where you simply send all keys, will take way too long. So the very simple attack can not be done, within a reasonable length of time. 
 
Some keyfobs may also have a limit to how many keys a door will try out every hour. So maybe 1000 keys an hour.  So even if the car is a very crowded carpark, where dozens of people open their doors, this safety feature will not prevent the right keyfob to open the door. 


Either way, both the keyfob and the door will keep track of which key, from the list, was used last time.

As you might however randomly press the keyfob butten, while being away from the car, and thus be a little ahead in the list, compared to what the door expects, then the door will actually check the next 250 keys. To see if it was one of those keys that the keyfob did send.  And then open the door. 

After a successul opening, then the door and the keyfob has again synchronized which key was used last time.  

If a hacker/thief can however listen in on the sending of a key from the keyfob, and prevent that key to be received by the door, then the hacker has a usable key stored.  
And since the car door did not open when you pressed the keyfob, then you may press again to send the next key. And if the hacker can interfere again, then the hacker now has two keys stored. 

If the hacker then sends the first key, the door will open, and the hacker still has the second key in store for later use. 


So even though this keyfob is only a one-way communication, it is still quite difficult (not impossible, but still difficult), to 'break'/hack this method. 
And thus this method a rolling-key, has been used for decades. And by now, the chips are very, very cheap. 

---- 

Producing/developing hacker gadgets that out-of-the box, can be used to intercept the rolling-key-method, has however also become very inexpensive to produce. So by now, such devices are available on the underground-markets. 


Another "weakness" in this method is the secret list of those 1000-8000 selected keys that are (somewhat) unique to each keyfob/door combination.
If an organization could somehow get access to those lists, then it would pose one more angle of attack.

--- 

Also, a dealership needs to have a method to deal with those "secret" lists, each time they make a set of keys/keyfobs for a car.
Usually the safety here is, that the dealer needs to plug-in, somewhere inside the car (and have the keyfob in hand), in order to do the initial sync of the listes between a new keyfob and a car/door.
But again, an organization might find a weak point in the dealer system, and take advantage, so they can randomly open car doors.

--- 

And thus it somewhat becomes an arms race, of how to continue to securely produce and distribute one-way-communication keyfobs (adding new simple tweaks to the rolling-key method), without organizations finding ways to intercept.
Because one-way-communication keyfobs are still so lovely inexpensive to produce and use.

 

[MrNoodly]

Supposedly organized crime is doing this in areas where it is convenient to have the stolen vehicle in a storage container and loaded on a ship for overseas sale before it is reported.

Rings like this also tend to operate in high population areas where there are lots of vehicles to choose from. Since I spend most of my time in the boonies, it's not something I worry about. Besides, I don't have digital locks. I don't even have power windows or cruise control.

 

[barleyguy]

MrAlvinDude,

Thanks for the info. Very educational.

It seems to me that if the sequence is one way from the key, and the "transaction" can be initiated by the car, that's extremely insecure. For example, I leased a Mazda a couple of years ago that had a fob with no buttons, and to open the doors or start the car you just had to have it in your pocket. If the key was sending the sequence in that case with no challenge/response, then there's nothing stopping any other device from asking the fob for the next number in the sequence. As you've implied, that's really not the slightest bit secure.

I guess keys are to keep honest people honest. And that goes for electronic keys as well.

 

[MrNoodly]

I was housesitting for a friend and he had me drive him to the airpot in his Tesla. When I got back, it felt so strange to not do something to lock up the car. You just walk away with the fob. The car doesn't even chirp to let you know it activated the locks. I had to check, so I left the fob in the house and went back to try the doors. Yup. locked.

 

[Dingfelder]

Can read from 300 feet away. Check out this video from a guy who got his truck stolen:

 

[ridgeway]

I once had an older car and I thought "Nothing to steal in here". One night someone tossed a rock through the window and ripped out the window controller. A used controller was $80. and the window was $200.

There is always something to get stolen.

 

[MrNoodly]

It was a small, quiet college town in the early '70s. My roommate was one of very few people who always locked their car. One night someone smashed his rear window and stole his sleeping bag. Because I was a jerk, I commented, "See, Jeff, if you hadn't locked your car you'd just be out a sleeping bag instead of a sleeping bag and a window."

 

[PlethoraOfGuns]

Can read from 300 feet away.  Check out this video from a guy who got his truck stolen:

Wow, that's crazy. Technology will be the end to us all...

 

[bullfrog]

When I was in service I lived in South Tucson where many vehicles got stolen and owned a CJ5 Jeep with no top. I disabled it so it wouldn’t start every time I parked for the night. The second time, about 2 AM I heard someone cranking it over with a hot wire I shot out my own windshield! Lol!!! It was one I could lay flat, insurance covered it and I needed some sleep! They didn’t come back any more that night.

 

[Cammalu]

Good for you Bullfrog!!!

 

[user 423]

There are blockers for credit cards.

I've been protecting my debit card by using the metallized card holder that my passport card came in. 

I also have 2 credit cards I carry in my wallet. Are they also protected by the metal that's holding the debit card?

 

[MrAlvinDude]

I also have 2 credit cards I carry in my wallet. Are they also protected by the metal that's holding the debit card?

So long as the debit/credit cards are inside the 'metal cage' of the wallet, then they are all protected.

The idea is, that there needs to be metal all around it. Or at least with only as few edges as possible, not covered by metal.

For credit/debit cards and passports, it is okay that the opening side of the wallet/protective-pocket (the one edge) is not sealed (or covered). As there is no power (battery) on the card it self.

The cards have no battery, so energy needs to first be transmitted to the card (via the RFID coils/tech). And with only one edge being a tad open, such energy can not be transferred to the card, from any type of reader.


For the keyfob (as shown in the youtube link above (by Dingfelder), there needs to be a flap, covering the opening of the pocket, as the keyfob has a built-in battery, and is thus not dependent on power first being transferred to the keyfob, before it is able to send signals.

For a keyfob, for those push-botton starters, the metal-pocket/faraday-cage needs to be as metal covered as possible. And the opening MUST have a flap (with a vey thin layer of metal inside), in order to keep the signals inside the pocket.

 

[user 423]

So long as the debit/credit cards are inside the 'metal cage' of the wallet, then they are all protected.

The idea is, that there needs to be metal all around it. Or at least with only as few edges as possible, not covered by metal.

OK. I didn't think they would all fit but they do. So now I'm better protected.