top | item 18608452

Thieves boosting signal from key fobs inside homes to steal vehicles

345 points | colinprince | 7 years ago | cbc.ca | reply

433 comments

[+] nkrisc|7 years ago|reply
I imagine improvements to the key fob could be made that would require a mechanical coupling with the car in order to start it. That would circumvent this attack.
[+] jamescostian|7 years ago|reply
I'm not sure if this is a joke about old keys being better, but I'd argue you could have the benefits of new keys and old keys combined if you just made it so that new keys have to be inserted into some compartment inside of cars, where they are authenticated by those cars. You can imagine a fob with a USB that has a different authentication code than the wireless one it sends out, and unless the USB is plugged into the car, you can only start the car up but you can't drive it.

In addition, you can make it so that the car doesn't unlock due to proximity with the fob, but rather, it only unlocks if you push the unlock button on the fob.

[+] ce4|7 years ago|reply
Key fobs inside a home have one property:

They are lying on a desk or in a drawer and are not being touched/moved for extended periods.

Maybe a simple MEMS step counter could help activate them for a short period of n seconds/minutes.

[+] starbeast|7 years ago|reply
Lock receives signal from Key, writes down time and picks a random key and uses these to create a ciphertext, encrypts that with the public key of Key to create a second ciphertext and sends. Key receives message, decrypts with private key to first ciphertext and encrypts that with the public key of Lock and sends back. Lock decrypts message with private key and earlier random key, compares to current time and if it has taken more than a set time period does not unlock.

The clock has to be pretty fast, but you can get a secure time of flight measurement, so you can absolutely know the distance of the radio signal path.

[+] cronix|7 years ago|reply
A simple on/off button on the fob would work, and probably extend the battery life by a few years.
[+] cjhanks|7 years ago|reply
This comment made me happy.
[+] figers|7 years ago|reply
My Tesla requires a PIN to drive, like a phone.
[+] marcosdumay|7 years ago|reply
Or just requiring the key to be inside the car. It would only need more antennas.
[+] cft|7 years ago|reply
A simple button on the fob (rather than in the car) that you must press to open the doors and to start the engine would mitigate the attack. No need for coupling.
[+] wvenable|7 years ago|reply
That defeats the purpose of the fob. Be easier to put an on/off switch on the fob so you can turn it off at night.
[+] ulkram|7 years ago|reply
you mean a key?
[+] HorizonXP|7 years ago|reply
This happened to a family member of mine, here in Toronto. Lost their gorgeous M5.

Their kid normally wakes up in the middle of the night, except this time, he freaked right out like he was scared. They were wondering what was going on with him, when one of the parents heard the M5 turn on (it's pretty distinct). "That's my car!" His wife said, "Naw, you're crazy, no way."

Sure enough, key fob attack and theft. Caught on their video cameras. Filed the police report, claimed insurance, cried internally about the loss of a gorgeous vehicle. In all seriousness though, it's just a car, so no big deal, but nothing will fix the violation you feel, and the fact that you were being targeted.

If I were the insurance companies, I'd be putting pressure on the car companies, but hey, maybe it's just the cost of doing business for them. Better to pay out for a vehicle theft, vs. actual injuries from a collision. That's probably why there's little incentive to fix it, especially if fixing it makes your product less convenient.

[+] gnicholas|7 years ago|reply
> If I were the insurance companies, I'd be putting pressure on the car companies

And also give car owners an incentive to keep their keys safer, given how many vehicles out there are vulnerable to this. Just fixing this for new cars is only half the solution.

I remember back in the 80s my parents got a discount on their insurance for installing a third brake light in the back window of their old Camaro. If my insurance gave me a discount, I'd get a faraday cage for my keys. I'm considering doing it anyway, even though my house is pretty far from my driveway, and we have cameras.

I've searched for nice-looking faraday cages but haven't found anything good. I think there's a market for fashionable key/phone faraday cages, between this car theft issue and the push to digital detox.

EDIT: curious why this is downvoted? I'm not saying that this shouldn't be fixed by car manufacturers going forward, but we need to do something about the millions of cars on the road already. Is there another solution that would make more sense? Or is there something I'm missing here?

[+] ams6110|7 years ago|reply
What's strange is, I can see unlocking the car and even starting it with this attack -- but do the cars not continually (or at least every minute or two) revalidate the presence of the key?

Once they got very far away from the house, the car should shut off. Or so I would think.

[+] tomp|7 years ago|reply
> Better to pay out for a vehicle theft, vs. actual injuries from a collision.

What do you mean? It's not as if anyone will be driving less... the insurance company will pay for a new car, the family will buy a new car (presumably they need it), and still be just as statistically likely to collide with the new car.

[+] _trampeltier|7 years ago|reply
That's no problem for the insurance company. Everybody has to pay a bit more, problem solved.
[+] Scoundreller|7 years ago|reply
> If I were the insurance companies, I'd be putting pressure on the car companies

Oh please, this is Ontario. The auto insurance companies' main innovations have been:

1) getting caps on benefits

2) creating new driving violations to jack up your premiums (eg: non-criminally blowing over 0.05, but less than 0.08)

Neither resulted in lower premiums for anyone else.

[+] pofilat|7 years ago|reply
Insurance companies pressure drivers who have these misfeatures, drivers pressure car manufactures. See also: discounts for anti-theft tech and airbags.
[+] gammateam|7 years ago|reply
So...

Free cars?

What's the yield on the secondary markets for these hot vehicles, since the VIN is compromised, a new license plate is needed and a thorough scrubbing has to happen?

[+] JustSomeNobody|7 years ago|reply
Insurance companies will just raise rates and be done with it.
[+] stri8ed|7 years ago|reply
What are the thieves doing with these cars?
[+] Down_n_Out|7 years ago|reply
Nothing new, has been going on for a while now. Market is already providing your own "cage of Faraday[0]" for your fob. [0]https://www.amazon.com/faraday-cage-key-fob/s?page=1&rh=i%3A...
[+] dave7|7 years ago|reply
I use these Faraday cage pouches for my new car keys (I got the two-pack listed "Amazon choice" in the above link) and they are excellent. As far as I can tell anyhow - my car hasn't been stolen (yet!) and if I keep the key in its pouch I can neither open the doors nor start the engine even if I'm right next to the vehicle.

An added bonus, it also makes the keys much more comfortable to have in a pocket, holds them in a fairly flat orientation - and stops them from scratching a phone!

[+] retSava|7 years ago|reply
Since most car manufacturers seem to be vulnerable (to my knowledge), I assume all or most buy the same COTS keyfob + electronic lock product. Much like Takata airbags or Bosch ECUs.

Being a step away from the problem probably helps keep that OEM manufacturer from strapping in and solving it. They don't feel any pain from it.

[+] sofaofthedamned|7 years ago|reply
Yeah, this has been a thing for years in the UK. My wife and I put our keys into a metal lunch box in the hallway, which mitigates this problem; this was prompted by both next-door neighbours getting their cars broken into.
[+] snarfy|7 years ago|reply
> Key fobs are constantly broadcasting a signal that communicates with a specific vehicle, he said, and when it comes into a close enough range, the vehicle will open and start.

Why is it transmitting without the user pressing a button? Is that a feature? As you walk up to the car it automatically starts like magic? I'm not familiar with these newer cars.

[+] wsh|7 years ago|reply
Yes, it’s a feature, so you don’t have to remove the key from a bag or pocket to enter or start the car.

In typical designs, the car continually transmits a low-frequency (e.g., 135 kHz) radio signal to wake up any wireless keys within range. When a key receives this signal, it replies with a VHF (e.g., 315 MHz) signal, and the car unlocks or starts when a door is opened or the start button is pressed.

The reply signal, at least, is uniquely coded to the car. The attack is to extend the range of the LF wake-up signal, causing a key stored away from the car to transmit a valid reply.

In some models, besides the transponder described above, the key also has a passive RFID tag, which works with a reader in the car to allow starting even if the battery in the key is dead.

(The article is wrong about the broadcasts, by the way; if the key transmitted continually, its battery wouldn’t last long.)

[+] gregmac|7 years ago|reply
With my car, as soon as you touch the door handle (with the keyfob in your pocket, or within a couple feet of the door) it unlocks, and to start the car you push a button. It doesn't work from even 4' away (eg, someone else touches the door handle while you're close) and it doesn't work from the other side (eg, when the keyfob close enough to driver's side door, the passenger side won't unlock).

The really nice feature is when you walk away (a few seconds after you're out of range), the doors automatically lock. However, the downside of this feature is my wife's car does not have it -- and so at least half of the time when I am driving it I forget and leave it unlocked in parking lots.

[+] post_break|7 years ago|reply
Ford is really bad with this. The Fiesta and Focus, you can program a new key with the OBD2 port in under 60 seconds. Blast the key with a booster, get inside the car, plug your laptop in, program a new key, drive off. People have had to lock the OBD2 port, disable it, put keys into aluminum foil (my method). https://www.youtube.com/watch?v=dvmSOEKfkug
[+] xenihn|7 years ago|reply
This seems like as good a HN thread as any to ask this, since I've been looking into it recently. What are some cars to look into if I'm interested in the following things? Or what are some cars that I should specifically avoid?

- Low appeal to thieves interested in stealing the vehicle itself, due to the hardware (locks and whatever else) being exceptionally difficult to deal with

- Some sort of secure/hidden compartment for concealing valuables (I know, I know, don't keep anything valuable in your car, but let's say it will still be more secure than keeping it outside of the car)

- Following up to that, an especially secure trunk (if such a thing exists)

- A wagon or smaller, so no minivans/crossovers or anything bigger

- Under $25k used for something recent, maintainable (was looking at Audis but I don't want to risk maintenance issues), and with low mileage, which puts Teslas out of the picture (sadly)

[+] nine_k|7 years ago|reply
I think convenience here is fundamentally at odds with security.

The convenience here is that the system requires no confirmation from the driver, no physical interaction with buttons, handles, keys, etc. The driver just opens the door and starts the engine. This allows for a trivial remote sniff-and-replay attack, not unlike copying a key temporarily.

I bet not having a lock on the door would be even more convenient. But for some reason it's not widely practiced.

[+] kazinator|7 years ago|reply
> Key fobs are constantly broadcasting a signal that communicates with a specific vehicle, he said, and when it comes into a close enough range, the vehicle will open and start.

It's a poor design for the system to take any access-escalating action without an explicit command from the user that initiates a secured transaction that is resistant to MITM.

It's poor design to assume that the range is based on raw signal strength; it should use round-trip-time measurements (for packets exchanged with MITM resistance).

[+] verelo|7 years ago|reply
My car was recently “broken into”; it’s a Mercedes C400. I thought it to be fairly secure, so my assumption has been that I forgot to lock the car. I just double checked, and the car has an “auto-lock” feature and it is already turned on...so...did this happen to me?

I just want an off switch in my fob, so I can disable it at night. More fancy solutions would be a motion sensor on the fob to only power it when it had recently moved, or for retrofits, this technology in a battery?

[+] villuv|7 years ago|reply
I wonder how hard it is to measure the delay between challenge and response... Any distance extension would increase the signal flight time that should be measurable.
[+] siffland|7 years ago|reply
There are a lot of great technical discussions here of ways to possibly solve the issue. The real problem points back to the lackluster security the auto industry is used to. Only if some sort of accountability or software security testing requirement is enforced will this get fixed.

They have to have a mandatory recall if your Audi accelerates quickly by itself (that was in the early 80s, I think), but no recall for a possible vulnerability in a Jeep where someone can hack into the machine and control the acceleration (and other items).

This would be worse with centrally controlled autonomous vehicles; they are always sending and receiving data. Imagine the firmware on your car not being updated after 2 years and being stuck with the still-open vulnerabilities.

[+] k_sze|7 years ago|reply
“Greater Toronto Area” = GTA.

What a coincidence.

Jokes aside, this is bound to happen.

It’s disturbing that a vulnerability like this isn’t caught as a show-stopper before the technology is sold to consumers.

[+] Latteland|7 years ago|reply
Tesla recently added a good workaround. They added a setting where you can turn auto unlock or auto start off, which blocks this remote access hack. You have to use your key fob button at least once, say to unlock the car and then it just works wirelessly without further action.

My car is unlocked at night but in my garage. If they got in my garage somehow and had the signal repeater they couldn't drive off unless I pushed the keyfob button. In the morning I just have to push it once to go. You can also en/disable auto door lock if you walk away.

Of course a general solution that blocks signal repeaters would be best. Tesla has so many fun tweaks it's truly the programmer's car.

[+] raverbashing|7 years ago|reply
It seems car manufacturers are eager to be "cool" but not thinking about the consequences of their actions

Center "touchscreen" consoles with awful usability, shifters that are not obvious (coupled with people that are too lazy to pull the parking brake) and now this

[+] jaclaz|7 years ago|reply
>"The vehicle will continue running in perpetuity until it runs out of gas or until you shut it down," he said.

>"They do that for safety so that if you lose the key fob or if it loses signal the vehicle doesn't shut down while you're driving, but that right there is part of the vulnerability."

Anecdata, a few years ago my wife had a Renault "Megane" that used a sort of "card" that worked with proximity. She opened and started/drove it without ever taking the card out of her bag.

A couple of times I was driving it with her in the passenger seat; we arrived at a shop, she got out in front of the door and went into the shop while I was going to park it, when the car, some 20-30 m away, "locked itself" (cannot remember if it stopped or just didn't allow more than - say - 5 km per hour) with the display saying it couldn't find the card.

When she changed cars, her new Renault (using the same kind of card, at least visually, but a different car model) had to be inserted in a slot to allow the Start/Run button to operate.

[+] z2|7 years ago|reply
Two factor authentication for cars, here we come! Though, searching for this phenomenon shows articles at least 3 years old warning to get Faraday cages or otherwise wrap fobs in aluminum foil.

But do they really transmit all the time, or do they contain accelerometers or something to prevent battery from being wasted?

[+] eyeinthepyramid|7 years ago|reply
For the 2nd factor, they should have some kind of non-electronic device which when inserted and turned, would allow the activation of the door and ignition of the car.
[+] gruez|7 years ago|reply
>Two factor authentication for cars, here we come!

in other words, requiring a button press.

[+] josefresco|7 years ago|reply
2FA seems to make sense. Maybe a 4-6 digit PIN that would be optional for those in high risk areas/situations.

> But do they really transmit all the time, or do they contain accelerometers or something to prevent battery from being wasted?

I'm curious about this as well. A family member has an older Nissan with a keyless fob and I don't recall them ever having to replace batteries/keyfobs.

[+] slantyyz|7 years ago|reply
Seems like it would be easier to just go back to traditional cut metal keys.
[+] fabricexpert|7 years ago|reply
2FA on a car would be a disaster. I can't wait to whip out my phone in the pouring rain, trying to unlock it while my hands are full and I have no signal.
[+] taw123|7 years ago|reply
A motion sensor in the remote could mitigate the issue and maintain convenience.
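The motion-gated fob that ce4, verelo and taw123 propose above (stay dormant while untouched, wake for a short window after being handled or after a deliberate button press, as in Latteland's "press the fob once" setting), as an added Python simulation that is not code from the thread or from any fob vendor. The window lengths, the timeline, the all-zero nonce and the shared secret are all constructed values.

```python
import hashlib
import hmac
import math


class GatedFob:
    """Passive-entry fob that answers the car's wake-up only when it has been
    handled recently (accelerometer) or its button was pressed recently.
    Timestamps are seconds on a simulated clock; the secret is assumed to be
    provisioned at pairing time."""

    def __init__(self, secret: bytes, motion_window_s: float = 120.0,
                 button_window_s: float = 600.0):
        self.secret = secret
        self.motion_window_s = motion_window_s
        self.button_window_s = button_window_s
        self._last_motion = -math.inf   # never moved yet
        self._last_button = -math.inf   # never pressed yet

    def on_motion(self, t: float) -> None:
        """Accelerometer interrupt: the fob is being carried or picked up."""
        self._last_motion = t

    def on_button(self, t: float) -> None:
        """Explicit user action: keeps the fob responsive for a longer window."""
        self._last_button = t

    def responsive_at(self, t: float) -> bool:
        return (t - self._last_motion <= self.motion_window_s
                or t - self._last_button <= self.button_window_s)

    def on_wakeup(self, t: float, nonce: bytes):
        """Car's LF wake-up carrying a challenge. A dormant fob stays silent,
        so a wake-up that reaches it while it sits untouched gets no reply."""
        if not self.responsive_at(t):
            return None
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()[:8]


def run_scenario(fob: GatedFob) -> dict:
    """Constructed one-day timeline (seconds from midnight). Returns, per
    wake-up, whether the fob answered it."""
    events = [
        (7 * 3600 + 0, "motion", "picked up fob before leaving"),
        (7 * 3600 + 30, "wakeup", "owner walks to car in the morning"),
        (7 * 3600 + 900, "wakeup", "fob on the desk at work, untouched 15 min"),
        (18 * 3600, "motion", "fob carried home"),
        (18 * 3600 + 20, "wakeup", "owner opens car after work"),
        (23 * 3600, "wakeup", "fob in the hallway bowl for 5 hours"),
        (23 * 3600 + 10, "button", "owner presses the button on purpose"),
        (23 * 3600 + 60, "wakeup", "wake-up a minute after the button press"),
    ]
    answered = {}
    for t, kind, label in events:
        if kind == "motion":
            fob.on_motion(t)
        elif kind == "button":
            fob.on_button(t)
        else:
            # constructed nonce; a real car would send a fresh random one
            answered[label] = fob.on_wakeup(t, nonce=b"\x00" * 16) is not None
    return answered


if __name__ == "__main__":
    for label, replied in run_scenario(GatedFob(b"constructed-secret")).items():
        print(f"{'replied' if replied else 'silent ':8} : {label}")
```

The point of the simulation is the two overnight wake-ups: the one at 23:00 gets no reply because the fob has not moved for five hours, while the one a minute after a deliberate button press does. The motion window has to be short enough that a fob resting in a hallway goes quiet quickly, but long enough to cover the walk from the front door to the driveway.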
[+] tomerico|7 years ago|reply
I wonder how difficult it is to add some clock syncing and time-of-flight measurements to ensure a certain distance.

If the speed of light is too fast, maybe using sound could work.

[+] cameldrv|7 years ago|reply
The car manufacturers are going to need to incorporate a time of flight measurement into the key system. Obviously amplitude can be faked.
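The challenge-response with a round-trip-time bound that starbeast, kazinator, villuv, tomerico and cameldrv describe above, as an added Python simulation that is not code from the thread or from any manufacturer. It uses a keyed MAC over a fresh nonce instead of starbeast's public-key layering (the bound on elapsed time is the same idea), and the shared secret, the 2 m range, the fob's processing time, the clock tolerance and the extra path delay are all assumed values on a simulated clock.

```python
import hashlib
import hmac
import secrets

SPEED_OF_LIGHT_M_PER_S = 299_792_458.0


def flight_time_ns(distance_m: float) -> float:
    """One-way radio propagation time over distance_m, in nanoseconds."""
    return distance_m / SPEED_OF_LIGHT_M_PER_S * 1e9


class Key:
    """Fob side: answers a fresh challenge with a keyed MAC (assumed shared secret)."""

    def __init__(self, secret: bytes, processing_ns: float = 20.0):
        self.secret = secret
        self.processing_ns = processing_ns  # fixed, known compute time inside the fob

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()[:8]


class Car:
    """Lock side: issues the challenge, checks the MAC and bounds the round trip."""

    def __init__(self, secret: bytes, max_distance_m: float = 2.0,
                 key_processing_ns: float = 20.0, tolerance_ns: float = 5.0):
        self.secret = secret
        # Longest acceptable round trip: out-and-back flight at the allowed
        # distance, plus the fob's known processing time, plus clock jitter.
        # At 2 m this is a few tens of ns, which is why the clock must be fast.
        self.rtt_bound_ns = (2 * flight_time_ns(max_distance_m)
                             + key_processing_ns + tolerance_ns)

    def challenge(self, key: Key, distance_m: float, extra_path_delay_ns: float = 0.0):
        """Simulate one exchange. distance_m is the true car-to-fob distance;
        extra_path_delay_ns models any additional latency in the signal path
        (zero for a direct exchange). Returns (accepted, rtt_ns)."""
        nonce = secrets.token_bytes(16)
        response = key.respond(nonce)
        # Simulated clock: the car timestamps send and receive, so only the
        # elapsed time matters and the model just sums the delays.
        rtt_ns = 2 * flight_time_ns(distance_m) + key.processing_ns + extra_path_delay_ns
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()[:8]
        auth_ok = hmac.compare_digest(response, expected)
        in_range = rtt_ns <= self.rtt_bound_ns
        return auth_ok and in_range, rtt_ns


def amplitude_only_check(rssi_dbm: float, threshold_dbm: float = -60.0) -> bool:
    """The weak rule the thread argues against: 'strong signal means nearby'.
    Signal strength says nothing about path length, so it cannot bound distance."""
    return rssi_dbm >= threshold_dbm


if __name__ == "__main__":
    secret = secrets.token_bytes(32)   # constructed shared secret, set at pairing
    car, key = Car(secret), Key(secret)
    print("round-trip bound (ns):", round(car.rtt_bound_ns, 2))
    print("owner at 1 m:", car.challenge(key, distance_m=1.0))
    print("fob 30 m away with 100 ns extra path delay:",
          car.challenge(key, 30.0, extra_path_delay_ns=100.0))
    print("amplitude rule on a strong signal:", amplitude_only_check(-40.0))
```

With these assumed numbers the bound works out to about 38 ns; a fob one metre away answers in about 27 ns and is accepted, while a fob 30 m away with even 100 ns of extra path latency comes back at over 300 ns and is refused even though its MAC is valid. The amplitude rule, by contrast, accepts any sufficiently strong signal regardless of where it actually originated, which is the "amplitude can be faked" point above.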