Keyless-Entry Cars Vulnerable to Silent Theft

2010_Taurus_MyKey

Remote keyless entry has been around for a while – since the late 1980s, in fact – and today it’s almost standard on all new cars. But the pervasiveness of this feature is not without consequence. The most advanced keyless systems are passive, meaning you can just approach your car and it recognizes you by the fob on your body. No buttons need to be pressed. As researchers in Switzerland point out, this technology can make vehicle theft a breeze for a savvy thief.

These remote keyless-entry systems use radio waves that typically are specific to a manufacturer, and the signals are usually encrypted. When your vehicle’s key fob is within 20 feet of the car, you’re allowed to transmit a signal to unlock the doors, pop the trunk, remote start your car (when equipped) or activate the car alarm.

Researchers at ETH Zurich discovered that these encrypted signals are easy to intercept and trick.

The theft works by setting up two antennas, one near the targeted vehicle and one near the holder of the key fob — be it in a purse, bag or pocket. This equipment can usually be purchased for $100 to $1,000. The person with the antenna aimed at the owner of the key fob needs to get within 26 feet of the target. In a store, this could be a few aisles away, so as to not arouse suspicion.

Once the antenna is near the intended victim’s key fob, the key transmits a low-power signal to the antenna, which is then relayed to the antenna near the vehicle. Once that occurs, the thief can unlock the doors and drive away (if the vehicle has push-button start).

The Swiss researchers hacked into eight car manufacturers’ passive-entry systems using this method. No cryptology or protocol could stop it.

While this system may seem fairly complicated, it could catch on with car thieves because of the cost of the equipment and anonymity. However, the hack cannot start the cars with traditional keys. Today’s ignition systems are increasingly complicated and secure. That’s one reason why car thefts are largely on the decline in the U.S.

David Wagner, a computer science professor at the University of California at Berkeley, said there are probably easier way to steal cars, but the “nasty aspect of high-tech car theft” is that it doesn’t leave any sign of forced entry. That could lead to problems with police and insurance companies in tracking down the criminals or with filing claims.

Right now, the only way to protect yourself is by either shielding your key fob’s radio with a guard or leaving your key fob at home. Srdjan Capkun, an assistant professor at ETH Zurich, says the institute is working on a way to prevent this sort of theft.

Car Theft by Antenna (Technology Review, via CNet)

By Colin Bird | January 17, 2011 | Comments (29)

Comments 

Derrick G

Go back and read this article again. They're not talking about just keyless entry. They're talking about "smart keys" with pushbutton start. The article says that not only could they open the car by pushing on the button built into the handle on such systems, they could start it too, because the fob IS the key.

Al

False.
This method could conceivably be used to unlock a car, but a car with a smart key uses active RFID and a proximity sensor that requires the smart key to be INSIDE the car for the car to start.

In addition, the required encrypted RF signal to start the car is not the same signal used to unlock the car.

The proximity sensor is so sensitive it can detect if the smart key is less than an inch outside the car, or even if the key is in the trunk. If the smart key is locked into the trunk of our new Maxima, it automatically pops the trunk (just ask my wife!) I am sure my wife will eventually find a way to lock the keys in the Maxima though... She has outsmarted every other car.


dan

This is just lazy car manufacturers, the same public key encryption used in computer networking could be used for key fobs. Otp would also help.

Nick

this is really dumb on the part of the Swiss researchers, because once the car engine is stopped, it cannot be turned on again, so why would a smart thief do that?

Derrick G

Nick,

Many cars are stolen for parts, so you only need to get it to a chop-shop and you're good to go.

Tony

"...or leaving your key fob at home".

And what if your key fob is integrated with your key?

Besides, these cars have engine immobilizers. They can open my car but without my key in it they will not start the engine.

Also, this is why I have insurance. And insurance charges me less exactly because I have this kind of key.

Honestly... If I want to steel a car for chop shop, I would just load it into the trailer and bring it over like that.

Bob

This implies the key is constantly broadcasting but could be shielded....why not have an "off" switch that totally disables the key or blocks it. You could probably capture the signal by parking in the lot and when someone arrives and locks their door, be close enough to capture the signal.

qdp

Just make the fob's radio wave more directionally focused, something like laser, so than neighboring receiving can't easily pick up the signal

qdp

Just make the fob's radio signal more directionally focused, something like laser, so that neighboring receiving devices can't easily pick up the signal

Chad

If the Government had any interest in wiping out car thefts they would make it a mandatory two year prison term. How many politicians do you think have their cars stolen?

Ed

Cant they just include a switch to turn off the low frequency the key fob emits? You get out of the car, turn it off, go shopping, now worries.

Mark

I am with Bob for this to work the way they say the fob would have to be transmitting constantly and I don't think the battery would last very long if it did.

I thought they only transmitted when you pushed a button. The cars that have push button start and require the fob to be in the car I would suspect transmit only when the car tells them to so if the thieves knew how to trigger the signal they could get the proximity signal but I wouldn't think they could get the unlock signal that way.

maj

Ken

I'm with Bob and Mark on this. I don't believe the key "automatically sends data" to an antenna with 26 feet. The battery on a constantly transmitting keyfob would last, what, 4 hours or so? This story reminds me of the video of 3 cell phones popping popcorn nearby when they ring. My BS detector went off more and more loudly the more I read.

@Bob, @Mark and @Ken According to the study, it's the car that emits the low powered signal, not the key fob. The antenna near the wireless key tricks the key fob into thinking it's the car, and the key starts to send its encrypted signal to the antenna through the repeater signal and back to the car.

Make sense?

Mike

It would be hard to make it more focused due to the antenna size needed. The frequency is ~350 MHz. I demonstrated more than 3 years ago to a friend in the parking lot I could pick up his key's signal when he pressed on his FOB on my amateur radio HT.

Jerm

This article conveniently leaves out a pretty important part of the research review: That this only applies to proximity keyless entry, not the push-to-unlock types that the majority of us have. They even show this kind of key in the article photo... very misleading.

Dave

This is a poorly written and deceiving article. I assume that I will be receiving the urban myth with this link in my in box in the near future.

What isn't clear is that the devices that the Swiss researchers used were all "PASSIVE" keyless entry fobs. These are NOT the same as the ones most of us use that require the push of a button to lock or unlock the car door.

Jerm and Dave,
We've added the passive entry to the story. It was also left out of the CNET piece but the study itself is indeed referring to passive system that require no button press. Thanks for pointing that out. Almost all of those systems are teamed to push button start, hence the much higher concern over theft than a keyed system would have.

Zack

I wonder what these criminals who sit around and think up these scams could possibly accomplish if they devoted their time and talents to something legitimate. They certainly wouldn't have to steal cars.

Scott

David:

Thanks for "clarifying" article...it did not make sense to me at all when I first read it (on another source) even thought I kind of thought that it was actually talking about the newest "passive" systems. BUT...you should know that this article has been "picked up" by other sources (such as cars.yahoo.com: http://autos.yahoo.com/articles/autos_content_landing_pages/1690/keyless-entry-systems-vulnerable-to-high-tech-car-thieves/) in the unrevised form. In addition, you should also change the picture that accompanies the article as the type of key/fob shown is NOT a "passive" system key/fob.

Last, I do not see how "leaving your key fob at home" is a realistic "work around". After all, my understanding of the new "passive" entry systems that are typically combined with push button start systems is that you need the key fob within a certain distance of the car for the push button to actually start the car. So, assuming you can start the car at home (because the fob is in range) and drive to some place (see below), then how do you start the car at the store (or where ever) without the key fob? I will note that the article that you link to from Technology Review does NOT suggest leaving the fob at home as a potential "solution"...they mention shielding the fob or having manufacturers starts putting on some on/off switch on the fob.

Plus, it was my understanding the such systems have a "kill" mechanism that kills the engine if you get the running car a certain distance from the fob. I will note that NONE of the articles about this research addressed this issue...so, it is not clear if the research itself addressed it.

Overall, I have to say this article/blog post leaves more questions than answers. I ultimately have to agree with Dave that this article (along with its "twins" done by other sources...for example, USA Today has a similarly poorly written article) is rather poorly written.

Mythed

@Dave re "urban myth ... Near future": Today.

Cops have no interest in going after car thieves. The crime is already "priced into" the insurance policies of the companies who sell the police their speed guns.

Car thieves "work for" the police by assisting in the climate of fear so we buy cars with remote starts, keyless entry, etc. The holy grail is the remote engine shutoff. You do not have to be guilty for a LEO to drive up behind you and kill your engine. It's a small matter to Taze you repeatedly to incapacitation while LEO screams "STOP RESISTING! STOP RESISTING!" at the top of his lungs so late-coming onlookers will say in court "I heard the officer say stop resisting to the guy- he must be guilty."

The only advisable kill switching is the kind you control. Giving anyone else- especially police, fbi, cia, dod, nsa, dhs or anyone else the ability to stop you (yes they want YOU! not the drug dealer) is a foolish act against your own interest.

If you drive a car which "authorities" have access to, it is just a matter of time.

Live Free or Die

Emerson

@liberty matters:

Um... ok. Way to bring on 6 months of akward silence.

@ everyone else:

I agree that this is a poor article. It ignores several key features of both my car, and several proximity key equipped rentals rentals I've used. But I'm still left without real answers. Is theft of these vehicles a problem in the US?

Southerner

This is slightly more advanced now and I speak in terms of push button start with keyless entry. There is no need to use two antennas. A single piece of equipment can be used to hack the low frequency signal that the vehicle emitts. From there on the theif uses a skeleton key and more advanced decoding to actually drive off with the vehicle. Six bmw coupes were stolen from one particular neighbourhood in the uk a few months ago... At the end of the day if someone is going to knick your car they can do it being a free loader or a low lift. Even button press to open fobs are at risk, these do take 15-45 minutes to hack but without the actual key near the immobilizer ring the car cannot be started... So how come the keyless entry and pish button is at more risk? Have bmw stopped using immobilizers? Or have immobilizers become easier to hack. There has got to be a major security flaw somewhere in the bmw system that enables the by pass of the immobi if there is one. Makes you wonder what the best security protection system is when clifford/vipre made by direct electronics can be hacked in under an hour. Add on immobilizers are available but Ive known a vehicle to use two... I wonder if that would be an option in making a theifs life a bit more difficult?

krzystoff

Southerner, BMW has an option to start your car from your keyfob, something most other manufacturers don't. that fact means the immobilizer is switched off using the remote key, and in the same way any thief can do the same, and just need to disable the steering lock (which takes a skilled thief seconds) to steal the car.

Steve Young

I use Ravelco's immobilizer. Sometimes simple is best. Protects from even these thieves. No plug, no start/run. Would take hours a thief does not have for a drive away theft. Over 90% of vehicle thefts are drive aways. Nothing protects from the tow truck, yet.

Tom Turkington

There is a different problem with key fobs and not of the automatic type and I really think somebody should address it. Essentially I have a push button fob to unlock my car. This works from fairly long distances. I can be sitting in my condo 3 floors above my garage and accidentally touch the button and unlock my car. A couple days ago this happened and I lost an ipod to a car prowler. I don't understand why there isn't an off switch to the fob. If the technology has been around since the 1980's, you'd think somebody would've thought about this. I'm personally surprised the consumer protection agency is out in front demanding that manufacturers put off switches on the key fobs. I personally hate my new car primarily because of the fob. I have no issue with using a key to unlock my car, but alas my car has only one door on it that can be opened with a key, and even then it will set off an alarm if not opened with the fob. Really annoying; please let's all return to the 1990's.

Des Alba

That reminds me of an incident where I pushed the fob for my car to sound the horn so I could locate it in a huge parking lot, and two vehicles honked!

So I pushed the fob again, and the same two vehicles honked again.

I thought this couldn't happen. I tried it for a third time, and two cars honked again.

I was only interested in locating my own car.

Jim Gott

I don't see how this can work with a newer keyless car. My Honda Accord will not start if the fob is outside the car. The car knows if the fob is inside or outside the car. If the fob is inside the car, you can't lock the car from the outside(so you can't lock the keys in the car), and if the fob is outside the car, the push button start doesn't work. It is pretty sophisticated. Even if the fob is right outside the door, the push button start will not work.

Post a Comment 

Please remember a few rules before posting comments:

  • If you don't want people to see your email address, simply type in the URL of your favorite website or leave the field empty.
  • Do not mention specific car dealers by name. Feel free to mention your city, state and brand.
  • Try to be civil to your fellow blog readers. This blog is not a fan or enthusiast forum, it is meant to help people during the car-buying process and during the time between purchases, so shoppers can keep a pulse on the market.
  • Stay on topic. We want to hear your opinions and thoughts, but please only comment about the specified topic in the blog post.
view posting rules

If you have a TypeKey or TypePad account, please Sign In

Search Results

KickingTires Search Results for

Search Kicking Tires

KickingTires iPhone App
Ask.cars.com