Keyless system cars easy to steal

Sassicaia · 03-17-2016, 01:09 PM

http://www.thelocal.de/20160317/keyl...car-club-shows

The German Automotive Club (ADAC) tested 24 different cars with the new Keyless Go technology for safety. The result: all of the cars could be stolen with one easy trick.

The locking system Keyless Go is a technology built into new cars from leading car manufacturers such as BMW and Mercedes which allows the driver to open the door and start the car without reaching into his pocket for his key.

He simply needs to approach the car and the doors automatically unlock. The sensors in the car and key combine to release the lock as soon as they are in close proximity with one another.

With most cars with Keyless Go technology there is a simple ignition button, meaning the key also isn't needed once the driver is inside.

The ADAC has now taken a deeper look into the safety issues of the locking system.

In a report released Thursday the ADAC tested 24 car models from 2015 from 19 different manufacturers, including Audi, BMW, VW, Toyota, Renault, and Ford.

The results were damning. They managed to illegally open every single car and drive it away within a few seconds.

“All you need to do is extend the transmission-range of the key from two or three meters to a few hundred meters. The car thinks that the owner is nearby, unlocks the doors and starts its engine - all without any trace of a break-in.” said Arnulf Thiemel, car-technician at the ADAC.

To extend the transmission-range, the thief doesn’t need to be a high-tech hacker, the car club said. The devices can be built out of every-day electronic items - and without much effort.

Broadcaster BR24 give an an example of how such a theft could take place:

One thief can follow the owner of a car with a Keyless Go system after he has parked and locked his vehicle at a supermarket. He then activates the transmission-range device to extend the range of the key’s signal.

Another thief, meanwhile, waits at the car with his device, receiving the signal of the key, transmitting it to the car.

Within a second, the door opens and the engine can be started. The car can be driven for as long as the tank is full - so from most places in Germany it wouldn't be a problem to drive the car abroad.

And there is more bad news: if the car owner reports his car as stolen and then police find it with no trace of break-in, the insurance firm may think he tried to fake the theft in order to make a claim.

Now the ADAC is pointing a finger at the car manufacturers.

“It’s the duty of all car manufacturers to get rid of this problem. It makes no sense that this more expensive locking system is way easier to break into than the normal one,” ADAC stated on its website.

Killramos · 03-17-2016, 01:12 PM

"The car can be driven for as long as the tank is full "

Not sure this one is actually true.

Sassicaia · 03-17-2016, 01:20 PM

Doesnt matter if its a full tank or not. If its as easy as they say the car manufactures need to solve this issue, and fast.

verruckt · 03-17-2016, 05:03 PM

Simple fix - a code on the keyfob that is required for the car to be started. Sounds like right now the whole communication process of the keyfob is interceptable and replayable with no validation taking place.

To expound, there's two methods to get in the car. First the fob is nearby to unlock the door. That's one set of signals with its own comm process, which apparently anyone can "record and replay" to unlock the door.

Then to start the car there's a similar chain of events, however this time the car interrogates the keyfob for a "code", unique id, or random number on the keyfob via low frequency which cannot be duplicated. If the response is valid the car starts - if not it won't start. Only the car's computer knows what response to expect.

Their best bet is to throw in the same technologies like RSA Tokens where the FOB is the token that generates random, LONG strings (when interrogated) that, again, only the car's computer has the algorithm to know whether or not it's right. You could even tie it to the unlocking of the car but have it a completely separate query with it's own required unique response.

Such a method would make man in the middle / replay attacks like this practically impossible.

maddmatth · 03-18-2016, 07:06 AM

Quote:

Originally Posted by verruckt

Simple fix - a code on the keyfob that is required for the car to be started. ....

The hack described is working by expanding the range of the keyfob, so this won't help, pretty sure they would already be using some measures like this anyway. Otherwise these keys would be easily copied.

Real solution could be even simpler. The cars already have multiple antennae to tell where the key is relative to the car, and key has an intentionally short range so for example if the key is inside the car, the door can't be unlocked from the outside.
If the signal is being boosted by such a hack the car should be able to detect that suddenly all or most antennae are suddenly picking up the same key, so with some simple logic it can detect this attack and refuse to unlock or start.

ElSenor · 03-26-2016, 03:50 PM

Quote:

Originally Posted by Killramos

"The car can be driven for as long as the tank is full "

Not sure this one is actually true.

Haven't tested this on the M3, but on my previous car it would be true. Discovered this on my 2013 Renault Clio when the wife and I were in a rush to catch a train. Pulled into the parking lot (I was driving and I had the key in my pocked) and I got out to buy tickets, she hopped into the drivers seat to park the car and pay for parking. I have the tickets but no sign of her as the train approaches. I waited there until the train left in-case she showed up, that way I could hold the door. I head back out to the parking lot and she is standing by the car, still running, because it wouldn't let her turn it off because it didn't detect the key. She could still drive it no problem though.

AIRPOWER · 03-26-2016, 04:50 PM

That's why I have a class 5 integrated alarm, GPS tracking, anti-GPS jamming, 24 hour monitoring, and RF card reader to un-disable the starter on my M3. Because the OEM anti-theft is crap.

The Wind Breezes · 03-26-2016, 05:11 PM

Yawn. Cars are easy as shit to steal--owners keep their keys in the most predictable places and if in doubt you can just tow it away. It would be nice if auto makers cared more than they do about security (they barely care) but it doesn't actually matter.

08njSTEP · 03-26-2016, 05:29 PM

Anti theft and key fobs has been crap forever. I was at a corvette show and a guy walked by a car and it disarmed and unlocked. It wasn't his car. Supposed to be over a billion codes and this guy found his double.

The Wind Breezes · 03-26-2016, 08:09 PM

That's hilarious(ly bad).

Abstraction · 03-26-2016, 11:49 PM

Quote:

Originally Posted by 08njSTEP

Anti theft and key fobs has been crap forever. I was at a corvette show and a guy walked by a car and it disarmed and unlocked. It wasn't his car. Supposed to be over a billion codes and this guy found his double.

Sounds like an old Plymouth Voyager that my parents had back in the 90s... the keys from one of our other Chryslers would open the locks to the Voyager... wouldn't start the car, but still, it was sketchy as hell.

CanadianGatorBacon · 03-28-2016, 10:48 AM

Quote:

Originally Posted by maddmatth

The hack described is working by expanding the range of the keyfob, so this won't help, pretty sure they would already be using some measures like this anyway. Otherwise these keys would be easily copied.

Real solution could be even simpler. The cars already have multiple antennae to tell where the key is relative to the car, and key has an intentionally short range so for example if the key is inside the car, the door can't be unlocked from the outside.
If the signal is being boosted by such a hack the car should be able to detect that suddenly all or most antennae are suddenly picking up the same key, so with some simple logic it can detect this attack and refuse to unlock or start.

"Another thief, meanwhile, waits at the car with his device, receiving the signal of the key, transmitting it to the car."

I think that there is a second transmitter near the car that receives the original fob signal from the broadcaster and re-transmits it from close proximity to make it seem like the original fob is in the right position. A lot of whether the car antennae can detect the signal from the broadcaster would depend on how its sent and the ability of the antennae to receive the broadcast signal, which may be different from the fob signal.

03-17-2016, 01:09 PM	#1
Sassicaia Brigadier General 4461 Rep 3,308 Posts Drives: SMB F80 6MT Join Date: Apr 2015 Location: Vancouver, Canada iTrader: (0)	Keyless system cars easy to steal - german car club http://www.thelocal.de/20160317/keyl...car-club-shows The German Automotive Club (ADAC) tested 24 different cars with the new Keyless Go technology for safety. The result: all of the cars could be stolen with one easy trick. The locking system Keyless Go is a technology built into new cars from leading car manufacturers such as BMW and Mercedes which allows the driver to open the door and start the car without reaching into his pocket for his key. He simply needs to approach the car and the doors automatically unlock. The sensors in the car and key combine to release the lock as soon as they are in close proximity with one another. With most cars with Keyless Go technology there is a simple ignition button, meaning the key also isn't needed once the driver is inside. The ADAC has now taken a deeper look into the safety issues of the locking system. In a report released Thursday the ADAC tested 24 car models from 2015 from 19 different manufacturers, including Audi, BMW, VW, Toyota, Renault, and Ford. The results were damning. They managed to illegally open every single car and drive it away within a few seconds. “All you need to do is extend the transmission-range of the key from two or three meters to a few hundred meters. The car thinks that the owner is nearby, unlocks the doors and starts its engine - all without any trace of a break-in.” said Arnulf Thiemel, car-technician at the ADAC. To extend the transmission-range, the thief doesn’t need to be a high-tech hacker, the car club said. The devices can be built out of every-day electronic items - and without much effort. Broadcaster BR24 give an an example of how such a theft could take place: One thief can follow the owner of a car with a Keyless Go system after he has parked and locked his vehicle at a supermarket. He then activates the transmission-range device to extend the range of the key’s signal. Another thief, meanwhile, waits at the car with his device, receiving the signal of the key, transmitting it to the car. Within a second, the door opens and the engine can be started. The car can be driven for as long as the tank is full - so from most places in Germany it wouldn't be a problem to drive the car abroad. And there is more bad news: if the car owner reports his car as stolen and then police find it with no trace of break-in, the insurance firm may think he tried to fake the theft in order to make a claim. Now the ADAC is pointing a finger at the car manufacturers. “It’s the duty of all car manufacturers to get rid of this problem. It makes no sense that this more expensive locking system is way easier to break into than the normal one,” ADAC stated on its website.
	Appreciate 0 Tweet Quote

03-17-2016, 01:12 PM	#2
Killramos Captain 314 Rep 863 Posts Drives: '19 M2 '21 X5 Join Date: Mar 2014 Location: Calgary iTrader: (1) Garage List 2021 BMW X5 40i [0.00] 2019 BMW M2 Competi ... [0.00]	"The car can be driven for as long as the tank is full " Not sure this one is actually true.
	Appreciate 0 Quote

03-17-2016, 01:20 PM	#3
Sassicaia Brigadier General 4461 Rep 3,308 Posts Drives: SMB F80 6MT Join Date: Apr 2015 Location: Vancouver, Canada iTrader: (0)	Doesnt matter if its a full tank or not. If its as easy as they say the car manufactures need to solve this issue, and fast.
	Appreciate 0 Quote

03-17-2016, 05:03 PM	#4
verruckt First Lieutenant 110 Rep 314 Posts Drives: F82 M4, G05 X5, Gen 2 Raptor Join Date: May 2015 Location: Florida iTrader: (0)	Simple fix - a code on the keyfob that is required for the car to be started. Sounds like right now the whole communication process of the keyfob is interceptable and replayable with no validation taking place. To expound, there's two methods to get in the car. First the fob is nearby to unlock the door. That's one set of signals with its own comm process, which apparently anyone can "record and replay" to unlock the door. Then to start the car there's a similar chain of events, however this time the car interrogates the keyfob for a "code", unique id, or random number on the keyfob via low frequency which cannot be duplicated. If the response is valid the car starts - if not it won't start. Only the car's computer knows what response to expect. Their best bet is to throw in the same technologies like RSA Tokens where the FOB is the token that generates random, LONG strings (when interrogated) that, again, only the car's computer has the algorithm to know whether or not it's right. You could even tie it to the unlocking of the car but have it a completely separate query with it's own required unique response. Such a method would make man in the middle / replay attacks like this practically impossible.
	Appreciate 0 Quote

03-26-2016, 04:50 PM	#7
AIRPOWER Lieutenant Colonel 1687 Rep 1,812 Posts Drives: 2015 6MT YMB M3, 1974 Corvette Join Date: Apr 2015 Location: NW Florida iTrader: (0) Garage List 2015 BMW M3 [9.67]	That's why I have a class 5 integrated alarm, GPS tracking, anti-GPS jamming, 24 hour monitoring, and RF card reader to un-disable the starter on my M3. Because the OEM anti-theft is crap. __________________ AIRPOWER
	Appreciate 0 Quote

03-26-2016, 05:11 PM	#8
The Wind Breezes Lieutenant Colonel 919 Rep 1,848 Posts Drives: 135i N55 DCT Join Date: Apr 2015 Location: USA iTrader: (0)	Yawn. Cars are easy as shit to steal--owners keep their keys in the most predictable places and if in doubt you can just tow it away. It would be nice if auto makers cared more than they do about security (they barely care) but it doesn't actually matter.
	Appreciate 0 Quote

03-26-2016, 05:29 PM	#9
08njSTEP Captain 795 Rep 762 Posts Drives: '07 335i, '66 SS396 Chevelle Join Date: Dec 2015 Location: Manchester, NH iTrader: (0)	Anti theft and key fobs has been crap forever. I was at a corvette show and a guy walked by a car and it disarmed and unlocked. It wasn't his car. Supposed to be over a billion codes and this guy found his double.
	Appreciate 1 Quote

03-26-2016, 08:09 PM	#10
The Wind Breezes Lieutenant Colonel 919 Rep 1,848 Posts Drives: 135i N55 DCT Join Date: Apr 2015 Location: USA iTrader: (0)	That's hilarious(ly bad).
	Appreciate 0 Quote