> Key fobs are constantly broadcasting a signal that communicates with a specific vehicle, he said, and when it comes into a close enough range, the vehicle will open and start.
Why is it transmitting without the user pressing a button? Is that a feature? As you walk up to the car it automatically starts like magic? I'm not familiar with these newer cars.
Yes, it’s a feature, so you don’t have to remove the key from a bag or pocket to enter or start the car.
In typical designs, the car continually transmits a low-frequency (e.g., 135 kHz) radio signal to wake up any wireless keys within range. When a key receives this signal, it replies with a VHF (e.g., 315 MHz) signal, and the car unlocks or starts when a door is opened or the start button is pressed.
The reply signal, at least, is uniquely coded to the car. The attack is to extend the range of the LF wake-up signal, causing a key stored away from the car to transmit a valid reply.
In some models, besides the transponder described above, the key also has a passive RFID tag, which works with a reader in the car to allow starting even if the battery in the key is dead.
(The article is wrong about the broadcasts, by the way; if the key transmitted continually, its battery wouldn’t last long.)
This is insane. Please tell me this is an option that non-insane consumers can get their car without. Fortunately I drive an old car so this does not affect me—yet. If I ever have to replace mine, this looks like yet-another-misfeature I’ll have to look out for to avoid.
On many models keyless entry and remote start are options, rather than standard. If you park in a garage at night, then this particular attack isn't much of an issue.
I'm sure you didn't intend it that way, but "let them park in their garages" seems to imply the hoi polloi who don't have covered parking deserve to have their vehicles stolen...
Thankfully, the 2019 Honda Fit I got does not have this feature. The Sport model had it, and was one of the reasons I decided against it. Old school keyless entry via fob button and traditional key ignition.
Every run-of-the-mill garage door opener uses rotating keys or nonces to prevent replay attacks. I assume any fob design worth its salt would implement something similar.
It might not matter. If the point of the amp is to reduce the effective distance between the car and the fob, whatever messages are exchanged will look right to the car and the door will open.
With my car, as soon as you touch the door handle (with the keyfob in your pocket, or within a couple feet of the door) it unlocks, and to start the car you push a button. It doesn't work from even 4' away (e.g., someone else touches the door handle while you're close) and it doesn't work from the other side (e.g., when the keyfob is close enough to the driver's side door, the passenger side won't unlock).
The really nice feature is when you walk away (a few seconds after you're out of range), the doors automatically lock. However, the downside of this feature is my wife's car does not have it -- and so at least half of the time when I am driving it I forget and leave it unlocked in parking lots.
> the downside of this feature is my wife's car does not have it -- and so at least half of the time when I am driving it I forget and leave it unlocked in parking lots.
My brother in law did this on a ski trip with a borrowed Range Rover. It was only at the end of the week he realised he'd left his keys in a jacket pocket in the car the entire time and it had been sitting unlocked in the car park half a mile down the road from the apartment. Thankfully it was fine but stealing it would've been a case of getting in, pressing the start button and driving away.
>so at least half of the time when I am driving it I forget and leave it unlocked in parking lots
This is the problem with a lot of the newer tech in cars like backup alarms. You become used to various features in your own car and when you rent a car you need to consciously remember that the vehicle doesn't have $FEATURE. Effectively, cars are becoming a lot less standardized. A car I rented a few weeks ago beeped at me a couple times and it took a while before I realized it was the lane departure warning triggering on a couple turns.
It's a problem going the other way too. I drive an older vehicle and rented a car. I nearly had to ask the attendant how to start the car. Then I was entirely surprised when I stopped at a light and the engine turned off.
And don't get me started on center consoles. At least my last rental supported CarPlay and I was pleased to discover that it pretty much just worked. Other systems I've had seemed far more intent on downloading all my contacts rather than doing something useful from an entertainment or navigation perspective.
Heh, that reminds me of my last rental, where, not half an hour off the lot, the touchscreen sound/navigation/??? system got stuck in some sort of reboot loop. Cursory online research suggested the problem was a known firmware bug that was unfixable without a service appointment.
A reasonable person would probably have turned around and exchanged the car with the rental company at this point.
I am not a reasonable person.
Instead, I headed directly to a truck stop and purchased a heavy-duty power inverter, dropped the back seat, and crammed my portable PA speaker into the trunk, connected to the car's trunk-mounted battery through the inverter and to my iPhone through a shielded audio cable run from the trunk to the front seat.
The result sounded far better than it should have, and what it lacked in convenience (I had to pop the trunk to power it down) and channel separation (one speaker = mono), it more than made up for in dB SPL.
(for the record, I've also repaired eBay purchases that arrived in worse-than-advertised condition rather than returning them, for no other reason than that learning how to fix things is more fun than going through the hassle of returning them)
This is also the kind of 'hacker' mindset that got me interested in technology. But instead of fixing it to see how it worked, I broke it apart to see how it did.
>>Why is it transmitting without the user pressing a button? Is that a feature?
It's not transmitting anything, it works pretty much the same way NFC works. Both the key and the car have their own public/private key pairs (which were obviously set by the manufacturer) and when you touch the handle the car transmits an unlock request to the key, encrypted with the car key's public key (this is going to get confusing lol) - when the key receives the message, it decrypts it using its own private key, and if it's correct then it replies with an "ok" message encrypted with the car's public key. When the car receives that it decrypts it using its own private encryption key and opens the doors. Simple, and in theory unbreakable. The issue is that the car doesn't measure how far away from the vehicle the key is - it only relies on the fact that the transmitters used by the car and the key are super-low range (like, within 50cm). Which is obviously defeated by using signal boosters.
This is kind of a nitpick, but it's unlikely that the keyfob is doing public key cryptography. Those things have to be as energy-efficient as possible in order to maximize battery life. An HMAC would accomplish effectively the same thing, and is much more efficient to compute.
Yup, but it's not very lucrative vs. risk, thus rare. This doesn't happen all that often because the payments need to also go somewhere, and following the money is apparently easier in electronic form. Plus there's a safety/security layer - you need to authenticate payments above a certain low limit, bank vouches for what's below the limit, etc.
It doesn’t start automatically, but unlocks automatically as you approach the car. Tesla Model X even opens the door for you.
Newer vehicles are already mitigating this attack, e.g. by measuring signal timings. Signal relay introduces a delay which can be identified and rejected.
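The three points made in this thread (a nonce-based challenge-response stops replay but not relay, an HMAC does the job more cheaply than public-key crypto, and a round-trip-time bound is what actually catches a relay) fit in one small simulation. The following is an added illustration, not code from the article or from any manufacturer; the channel delays, the 60 µs limit, the 8-byte HMAC truncation and the class names are all constructed assumptions chosen for readability.

```python
"""Toy model of a passive keyless entry handshake: HMAC challenge-response
plus a round-trip-time (RTT) bound. All timings are constructed values in
microseconds, not measurements from any real vehicle."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumed channel parameters. Radio propagation over a few metres is far
# below a microsecond, so a legitimate round trip is dominated by the fob's
# own compute time. A relay has to receive, forward and re-transmit, which
# adds delay; a timing bound is meant to catch that added delay.
DIRECT_ONE_WAY_US = 0.02
FOB_PROCESSING_US = 50.0
RTT_LIMIT_US = 60.0  # assumption: a bound slightly above the legitimate RTT


class Fob:
    """Key fob: answers a challenge with a truncated HMAC, no public-key ops."""

    def __init__(self, key: bytes):
        self.key = key  # symmetric key provisioned at manufacture (assumed)

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()[:8]


@dataclass
class Car:
    key: bytes
    rtt_limit_us: float = RTT_LIMIT_US
    _nonce: bytes = field(default=b"", init=False)

    def challenge(self) -> bytes:
        self._nonce = os.urandom(8)  # fresh nonce per attempt: defeats replay
        return self._nonce

    def verify(self, response: bytes, rtt_us: float) -> dict:
        expected = hmac.new(self.key, self._nonce, hashlib.sha256).digest()[:8]
        crypto_ok = hmac.compare_digest(response, expected)
        timing_ok = rtt_us <= self.rtt_limit_us
        self._nonce = b""  # one response per challenge
        return {"crypto_ok": crypto_ok, "timing_ok": timing_ok,
                "unlock": crypto_ok and timing_ok}


def direct_attempt(car: Car, fob: Fob) -> dict:
    """Fob next to the door: valid answer, short RTT."""
    resp = fob.respond(car.challenge())
    return car.verify(resp, 2 * DIRECT_ONE_WAY_US + FOB_PROCESSING_US)


def relayed_attempt(car: Car, fob: Fob, relay_added_us: float) -> dict:
    """Bytes forwarded unchanged between car and distant fob: the crypto
    check passes; only the round-trip time differs."""
    resp = fob.respond(car.challenge())  # fob sees a genuine challenge
    rtt = 2 * DIRECT_ONE_WAY_US + FOB_PROCESSING_US + relay_added_us
    return car.verify(resp, rtt)


def replay_attempt(car: Car, fob: Fob) -> dict:
    """A recorded response reused against a later challenge."""
    old = fob.respond(car.challenge())
    car.challenge()  # nonce has rotated, so the old response no longer matches
    return car.verify(old, 2 * DIRECT_ONE_WAY_US + FOB_PROCESSING_US)


if __name__ == "__main__":
    key = os.urandom(16)
    car, fob = Car(key), Fob(key)
    print("direct ", direct_attempt(car, fob))
    print("relayed", relayed_attempt(car, fob, relay_added_us=500.0))
    print("replay ", replay_attempt(car, fob))
```

Running it shows the relayed attempt with `crypto_ok` true and `unlock` false, which is the thread's point: no amount of key-pair or MAC strength helps when the message is simply carried further, and only the timing bound rejects it. The honest caveat is in the numbers: a relay that adds less than the slack between the legitimate RTT and the limit (here about 10 µs) still passes, so the bound must be tight, which is why real distance-bounding designs measure time of flight at the speed of light rather than a coarse microsecond budget.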