Relay car theft

[fcb]

http://www.bbc.co.uk/news/av/uk-42132804/relay-crime-theft-caught-on-camera

This has been speculated on for at least 10 years.  Now the evidence.

So it's going to be a faraday cage for the car keys or buying a crook-lock.

[cybermaus]

"To protect against this type of theft, owners can use an additional tested and Thatcham-approved steering lock to cover the entire steering wheel"

LOL: Yes, I want keyless entry. Soo handy and trendy. just need to lug this 10Kg object around as well.

[Kilo Tango]

I thought they used a code - hopping technique on keys so grabbing the signal and resending it wouldn't work. And don't you have to be pressing the key fob button to make it actually transmit ?.

Ken

[cybermaus]

For keyless entry, you only need to have a card in your wallet. No keypress required.

And recording and resending is indeed protected by rolling codes. But simply amplifying the signal by a dumb repeater would work.

[Jeroen3]

Just have the dealer disable the feature. It's an option anyway.

[Kilo Tango]

For keyless entry, you only need to have a card in your wallet. No keypress required.

And recording and resending is indeed protected by rolling codes. But simply amplifying the signal by a dumb repeater would work.

thanks for that, I had missed that it was keyless entry.

Mind you my Vaux meriva has keyless entry. You lock the car up at night, and come down in the morning to find that the front windows have wound down all by themselves, and if its raining the seats are soaking. 

Ken

[Halcyon]

Mind you my Vaux meriva has keyless entry. You lock the car up at night, and come down in the morning to find that the front windows have wound down all by themselves, and if its raining the seats are soaking. 

Consider it a "feature". It's a bit like your dog tearing up your clothing or toilet rolls when you're away then coming home to that face.

[NivagSwerdna]

Once out of range of the house/relay wouldn't the card immobilize due to lack of key?  i.e. you find your car down the street?

[cybermaus]

Based on the video not mentioning it was indeed found down the road, apparently not.

Makes some sense in a way. You would not want your car to stall while in a highway tunnel because you already have a old bad card with marginal signal, and some EMI or pants-pocket-flexing just made the last bit of signal disappear. Once its running, its running, I guess.

[ElektroQuark]

I suppose the device acts now as the card.

[fcb]

Once out of range of the house/relay wouldn't the card immobilize due to lack of key?  i.e. you find your car down the street?

Nope.  The most they do is bleep a dash warning at you that the key is out of range (this has happened a few times when one of the kids goes out to warm the car up, then I drop them off somewhere and they still have the keycard in their pocket) - it certainly doesn't shut down the car.

The thieves must either be exporting the vehicles straight away or have a way of defeating the system/reordering keys when they have the vehicle in their possession. They look a bit to organised to just be taking them for a joyride.

[coppice]

Once out of range of the house/relay wouldn't the card immobilize due to lack of key?  i.e. you find your car down the street?

Nope.  The most they do is bleep a dash warning at you that the key is out of range (this has happened a few times when one of the kids goes out to warm the car up, then I drop them off somewhere and they still have the keycard in their pocket) - it certainly doesn't shut down the car.

The thieves must either be exporting the vehicles straight away or have a way of defeating the system/reordering keys when they have the vehicle in their possession. They look a bit to organised to just be taking them for a joyride.

Safety wise I don't think you can stop an operating car if the card goes out of range. You can't have a car simply cut out on the motorway, just because a passenger pops the card somewhere well screened. You might disable the car the next time it comes to a halt, but that could be quite quirky and annoying in practice.

[Red Squirrel]

I always knew all this wireless tech in cars was a bad idea.  It COULD be done securely but we all know how most companies don't care about security when it comes to stuff like this.

Interesting that it uses the keys though, so at least it shows there is SOME thought put into the design.  You could probably put the keys in a lead box to protect yourself from this.

[G7PSK]

Dont need a lead box a tin one will doo or just keep them in the fridge, that way no one will be able to grab them with a fishing rod through the letterbox.

[Nusa]

Wrapping it in aluminum foil like a sandwich would do the trick as well.

I notice the scanner guy had to turn around and do his job a second time after the guy got inside the car. Presumably a fresh interrogation of the key was required to start the car. The repeater wouldn't work as a key replacement on its own.

[dexters_lab]

we have a keyless entry car too...

i described how this type of repeater box attack works to my partner a few months ago and now she keeps the keys in a metal box in the bedroom

[Jeroen3]

It's an amplifier. The key is a weak transmitter, when you amplify it the car thinks it's near enough to unlock.
Then, when you start the car, the key won't be challenged anymore.

You can then drive away and use your laptop to pair new keys anytime anywhere, as long as the engine is on.

A lot of land rovers have been stolen this way.

[cybermaus]

You can then drive away and use your laptop to pair new keys anytime anywhere, as long as the engine is on.

Is that true? I have trouble believing that, especially the lighthearted "anytime anywhere" part of it.

I am sure once they have full hardware access, they get around it. Desoldering flash chips if needed. But you make it sound like "as long as the engine is running, the car will accept all new keys" and I think that may may under-represent it a little. Either that, or the engineers at land rover have been really stupid, given that we are already past the recorded and played back signal age, so some security awareness has set it (its not the 90's or 00's anymore)

[Jeroen3]

No, it's not like "click here to add key", it's more complicated. But basically: physical access is full access.

[janoc]

No, it's not like "click here to add key", it's more complicated. But basically: physical access is full access.

Depends on the car. That Mercedes was likely shipped out to Ukraine/Russia right away. Other cars that have this kind of system - e.g. many new Renaults, Skodas, VWs - are mostly stolen to be taken apart for parts and resold because it is more profitable and safer like that.  Nobody will bother with re-keying the ECU in such case.

[Marco]

It's so bloody silly, the silicon to do time of flight distance simulation would have added zero to the cost of manufacture. >10 year old cheap PICs can do it, so could they.

There hasn't been justification to do proximity detection based on signal strength in decades, yet we still get systems which do so.

[Halcyon]

Safety wise I don't think you can stop an operating car if the card goes out of range. You can't have a car simply cut out on the motorway, just because a passenger pops the card somewhere well screened. You might disable the car the next time it comes to a halt, but that could be quite quirky and annoying in practice.

You'll find some cars will allow you to drive short distances initially (for example to move the car) but after that it won't allow you to re-engage the driving gears after you put it into park, without the key being present.

[janoc]

It's so bloody silly, the silicon to do time of flight distance simulation would have added zero to the cost of manufacture. >10 year old cheap PICs can do it, so could they.

There hasn't been justification to do proximity detection based on signal strength in decades, yet we still get systems which do so.

ToF is not going to be any more reliable given the usual distances these things work at. Those are nanosecond times. The possible errors (e.g. due to multipath or reflections) would be such that the window within which it needs to accept the signal would need to be fairly large. And I doubt someone is going to try to do a relay attack across a football field - in the typical case the keyfob is only few meters away behind a wall ...

Most of these systems don't even do proximity detection based on signal strength - there is no need for it. Either the computer manages to interrogate the keyfob or it doesn't, with one antenna on the outside to open the doors and possibly another one inside that unblocks the ignition. The "proximity" part is only because of the very low power of the transmitter in the fob limiting the distance naturally.

[bills]

Ok you guys made me think about this(good thing) I did some tests, The range of the key fob is about .5 meter.
test 1- aluminum foil- no response will not work the locks.
2- anti static bag , no help fob works just fine.
3- aluminised   Mylar bag see #2.
more tests to come.
The car is a 2017 Ford Explorer.
At this point I plan to store my fob under my foil hat until I figure a defense.
Update A "passport guard"  rfid shield worked as well as the aluminum foil, (rogue wallet co.)
It is just a paper envelope ??
I guess there is no need to alter my foil hat. 

[cybermaus]

It's so bloody silly, the silicon to do time of flight distance simulation would have added zero to the cost of manufacture. >10 year old cheap PICs can do it, so could they.

There hasn't been justification to do proximity detection based on signal strength in decades, yet we still get systems which do so.

It may be more complex.

Sure, EM travel time on a pulse is easily done. But a simple responce pulse could be spoofed by the relay itself. So the relay would know when to dumbly pass the data, and when to generate a pulse. To be secure, you would have to be measure response time between an encrypted challenge-response pair.

So a challenge token received (at least 64 bit, for a "minor" encryption, but I am sure people will yell about 256 or 512 bit) . Apply some public/private key encryption, in other word, processing time, and send the response back, again at least 64 bit.

When a 1uSec calculation and packet length is involved, it is a whole lot more difficult to determine if it arrived in the correct 5ns window.