Author Topic: I Helped Mark Rober Steal a Car Using a Baby Monitor! How Does It Actually Work?


Offline HugoneusTopic starter

  • Frequent Contributor
  • **
  • Posts: 988
  • Country: us
    • The Signal Path Video Blog
You can watch it here: [35 Minutes]
youtu.be/JAmOvt9_DVk


In this special episode Shahriar presents his collaboration with Mark Rober. Shahriar helped the engineering team at Mark Rober's studio build an RF repeater that can fool a car's keyless entry & ignition system. Using an old modified baby monitor, Mark's team managed to steal a car! In this video, Shahriar presents the technical theory behind this heist as well as a detailed view of the RF repeater, circuit measurements and a demonstration of bypassing a vehicle's keyless entry system.

This video is organized as follows:

00:00 - Introductions & collaboration with Mark Rober.
01:22 - How does Keyless Entry & Keyless Ignition actually work?
08:50 - A close look inside of a car's key fob.
11:14 - Making & measuring a magnetic loop antenna to capture a car's keyless broadcast.
13:30 - Complete RF & time domain measurements of the key fob & vehicle keyless signals.
16:56 - Why did we use an old baby monitor to steal a car?
18:30 - Detailed teardown & analysis of the baby monitor's transmit/receive modules.
24:51 - Measurements of the baby monitor's transmit/receive modules for fooling a car.
31:27 - Live demonstration of stealing a car using the baby monitor circuits.
33:52 - Conclusions & how to protect yourself against this vulnerability.

DISCLAIMER: This video is purely for educational purposes. The video purposely omits the design of some critical parts needed to replicate the project in full. The presented system, as shown, cannot bypass a vehicle's keyless entry or ignition at distance. DO NOT ATTEMPT TO REPLICATE THIS PROJECT FOR ANY ILLEGAL ACTIVITIES.
 
The following users thanked this post: pdenisowski

Offline Peabody

  • Super Contributor
  • ***
  • Posts: 2717
  • Country: us
I also watched the Rober video.  Can someone explain how the two kids stole the car off the street when the keyfob was no longer nearby?  They broke a window to get in, but how did they start the car?
 

Offline Benta

  • Super Contributor
  • ***
  • Posts: 7055
  • Country: de
No reason to break the window. They're just dumb.
 

Offline Peabody

  • Super Contributor
  • ***
  • Posts: 2717
  • Country: us
But how did they start the car with the keyfob nowhere nearby?
 

Offline Benta

  • Super Contributor
  • ***
  • Posts: 7055
  • Country: de
The Start/Stop button works the same way as the doors. No problems in starting the engine. As soon as the engine runs, it won't stop even if the car is far away from the fob. Just don't turn off the engine until the car is at its final destination (from the thief's perspective).
 

Offline HugoneusTopic starter

  • Frequent Contributor
  • **
  • Posts: 988
  • Country: us
    • The Signal Path Video Blog
I also watched the Rober video.  Can someone explain how the two kids stole the car off the street when the keyfob was no longer nearby?  They broke a window to get in, but how did they start the car?

I was curious about that too, I will ask to see if they know.

Offline Peabody

  • Super Contributor
  • ***
  • Posts: 2717
  • Country: us
Thanks very much for doing that.  I have no experience with these new-fangled keyless entry/ignition cars since my Honda dates back to 2012 (barely broken in at this point).  But I assume you can't just push the button to start the engine if you break in but don't have the keyfob.  And in the video it looked like Mark and friend had parked the car on the street, and presumably shut off the engine.  So it's a mystery.  Well maybe the teenage thieves were scripted in to make good video.

He has 78 million subscribers.  That's quite remarkable.  He must be very rich by now.  #7 in the US, but only #34 on the list world-wide.
 

Offline Benta

  • Super Contributor
  • ***
  • Posts: 7055
  • Country: de
But I assume you can't just push the button to start the engine if you break in but don't have the keyfob.  And in the video it looked like Mark and friend had parked the car on the street, and presumably shut off the engine.
Don't assume.
Pressing the Start/Stop button also makes the car emit the 125 kHz signal and the key transmit the "start engine" code. Range extension works there as well.

The video has one major error between 3:20 and 4:20. The car does not emit a 125 kHz signal every second to detect the key. This is proved by the video itself later on, as no regular signals are detected or shown.
Rather, the 125 kHz signal is triggered by touching the door handle, where a touch sensor activates the 125 kHz TX.

Otherwise, the presentation is correct.

I've found only one generic way to prevent this kind of theft, which is a "Faraday pouch/bag". Same functionality as a tin can, but more comfortable when you're travelling.
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 41743
  • Country: au
    • EEVblog
The Start/Stop button works the same way as the doors. No problems in starting the engine. As soon as the engine runs, it won't stop even if the car is far away from the fob. Just don't turn off the engine until the car is at its final destination (from the thief's perspective).

I was recently on holiday and dropped the wife and kids off at the house and continued on to the shops. When I got to the shops and turned off the ignition I realised I didn't have the keys; the car wouldn't start again. But it would have driven all day just fine. Mrs had to get an Uber to bring me the keys that were in my backpack.
 

Offline lowimpedance

  • Super Contributor
  • ***
  • Posts: 1318
  • Country: au
  • Watts in an ohm?!
Didn't the car beep at you and a warning come up that the key is not detected?
My car (Toyota) does this if the key leaves the inside of the vehicle when the ignition is on, granted it's only a short notification and beep though.
But yes the car is able to be driven up until you turn it off.
The odd multimeter or 2 or 3 or 4...or........can't remember !.
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 41743
  • Country: au
    • EEVblog
Didn't the car beep at you and a warning come up that the key is not detected?

Maybe it did, but I don't recall that. The Mrs just took both keys and I continued to drive off.
 

Offline Andy Chee

  • Super Contributor
  • ***
  • Posts: 1921
  • Country: au
But I assume you can't just push the button to start the engine if you break in but don't have the keyfob. 
The exact same technique used to open the car door, is applied immediately again to enable push button engine start.  What is ostensibly a two step process is executed seamlessly without any visible transition. 

If the car engine stops 10 miles away from the house, it cannot be restarted without the keyfob.  That's why the engine is always left running (even during refuelling) until it is abandoned. 
« Last Edit: Yesterday at 05:28:52 am by Andy Chee »
 

Offline Benta

  • Super Contributor
  • ***
  • Posts: 7055
  • Country: de
Didn't the car beep at you and a warning come up that the key is not detected?
My car (Toyota) does this if the key leaves the inside of the vehicle when the ignition is on, granted it's only a short notification and beep though.

The warning is only triggered if you open the driver's door. That will initiate a "key check". If the driver stays seated with the door closed, nothing happens. I suspect that's the case here.
 

Offline Sacodepatatas

  • Regular Contributor
  • *
  • Posts: 182
  • Country: es
Don't assume.
Pressing the Start/Stop button also makes the car emit the 125 kHz signal and the key transmit the "start engine" code. Range extension works there as well.

125kHz? I thought that the key fob transmits at 13.56MHz, or any multiple of that, because the 2nd harmonic is at 27.12MHz, that tunes channel 14 of CB-27 radio band (license free), and useful for baby monitors.
 

Offline Peabody

  • Super Contributor
  • ***
  • Posts: 2717
  • Country: us
But I assume you can't just push the button to start the engine if you break in but don't have the keyfob. 
The exact same technique used to open the car door, is applied immediately again to enable push button engine start.  What is ostensibly a two step process is executed seamlessly without any visible transition. 

If the car engine stops 10 miles away from the house, it cannot be restarted without the keyfob.  That's why the engine is always left running (even during refuelling) until it is abandoned.

But in this case, the keyfob was nowhere nearby.  They broke the window to get into the car, and then drove off.  How did they start the car?

Perhaps the theft was staged to make good video.

 

Offline themadhippy

  • Super Contributor
  • ***
  • Posts: 4352
  • Country: gb
If there's no immobiliser there are multiple ways to get a car started; a screwdriver rammed in the lock was popular as it also takes out the steering lock.
 

Offline Peabody

  • Super Contributor
  • ***
  • Posts: 2717
  • Country: us
If there's no immobiliser there are multiple ways to get a car started; a screwdriver rammed in the lock was popular as it also takes out the steering lock.

There is no lock.  Only a push button.
 

Offline MisterHeadache

  • Regular Contributor
  • *
  • Posts: 138
  • Country: us
    • Level UP EE Lab
I have some limited background in automotive RF communication protocols for RKE and TPMS systems.  I watched the video and the method Mark showed passes my crap detector, from a technical stand-point.  Basically, the contraption they put together is a two-way repeater.  As he says, it's all about fooling the car into thinking that the key fob is right by the car.  Which would be enough to open the doors and start the car, but like Dave's experience, if you drove away and shut the car off, you would not be able to restart it, because the data stream that the rig captured was a one-time code exchange from the car and the key fob.

But clearly, most of these thefts are joy rides/destruction/chop shop drop-offs, so the thieves don't care about restarting it.

This is a version of a man in the middle attack, and I suspect that many OEM's have strategies to thwart it.  So this method might not work on some cars.

Also, I tried various experiments after watching the video with my key fobs.  All the cookie tins I tried failed to block the RF data exchange from fob to car (likely because the tins are painted and the lid did not complete the Faraday cage).  However, a single layer of aluminum foil worked every time.  The fob would not be recognized when wrapped, even with me sitting in the driver's seat.
Daryn from Level Up EE Lab
AKA 'MisterHeadache'
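To make the "one-time code exchange" and "man in the middle" points above concrete, here is a small added simulation (not code from the video, the thread, or any OEM). It assumes a generic challenge/response scheme: the car sends a fresh random nonce, the fob answers with an HMAC over it using a shared key, and the car additionally compares the measured round-trip time against a budget. The key, the nonce length, the `RTT_BUDGET_US` value and the delay figures are all constructed placeholders; real vehicles use OEM-specific protocols, and a timing check that actually discriminates a relay has to work at nanosecond scale (which is why UWB-based fobs exist).

```python
import hmac
import hashlib
import os

# Constructed demo secret shared by car and fob (a real system has a per-fob key).
FOB_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Assumed round-trip budget (placeholder value, arbitrary microseconds):
# radio time of flight for a fob within a few metres plus fob processing time.
RTT_BUDGET_US = 500


class Fob:
    """Key fob: answers a challenge with a truncated HMAC over it."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()[:8]


class Car:
    """Vehicle side: issues a fresh challenge and verifies MAC and timing."""

    def __init__(self, key: bytes, rtt_budget_us: int = RTT_BUDGET_US):
        self._key = key
        self._budget = rtt_budget_us
        self._outstanding = None

    def challenge(self) -> bytes:
        # Fresh random nonce per exchange, so every response is single use.
        self._outstanding = os.urandom(8)
        return self._outstanding

    def verify(self, response: bytes, rtt_us: int) -> tuple[bool, str]:
        if self._outstanding is None:
            return False, "no outstanding challenge"
        expected = hmac.new(self._key, self._outstanding, hashlib.sha256).digest()[:8]
        self._outstanding = None  # consume the nonce whatever the outcome
        if not hmac.compare_digest(expected, response):
            return False, "bad MAC (stale or forged response)"
        if rtt_us > self._budget:
            return False, f"round trip {rtt_us} us exceeds budget {self._budget} us"
        return True, "unlock"


def legitimate_unlock() -> tuple[bool, str]:
    """Fob next to the car: genuine MAC and a round trip inside the budget."""
    car, fob = Car(FOB_KEY), Fob(FOB_KEY)
    chal = car.challenge()
    return car.verify(fob.respond(chal), rtt_us=120)


def replayed_response() -> tuple[bool, str]:
    """Why the car cannot be restarted later: an answer recorded during an
    earlier exchange does not verify against the next (fresh) challenge."""
    car, fob = Car(FOB_KEY), Fob(FOB_KEY)
    old = fob.respond(car.challenge())  # earlier exchange, answer recorded
    car.challenge()                     # new exchange, new nonce
    return car.verify(old, rtt_us=120)


def relayed_response(relay_delay_us: int) -> tuple[bool, str]:
    """Two-way repeater between car and a distant fob: the challenge and the
    answer are forwarded unchanged, so the MAC is genuine and only the extra
    round-trip delay distinguishes this from a fob at the door."""
    car, fob = Car(FOB_KEY), Fob(FOB_KEY)
    chal = car.challenge()
    resp = fob.respond(chal)
    return car.verify(resp, rtt_us=120 + relay_delay_us)


if __name__ == "__main__":
    print("legitimate:", legitimate_unlock())
    print("replayed:  ", replayed_response())
    print("slow relay:", relayed_response(relay_delay_us=5_000))
    print("fast relay:", relayed_response(relay_delay_us=10))
```

The replay case shows what a one-time exchange buys you (and why a stolen car cannot be restarted once it is switched off). The two relay cases show what it does not buy you: the repeater never needs the key, and a relay that adds less delay than the budget is still accepted, which is why the budget in a real design has to be far tighter than this placeholder.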
 

Offline coromonadalix

  • Super Contributor
  • ***
  • Posts: 8494
  • Country: ca
Seems the same method, or similar to some old Nokia phones which would saturate car systems, and some systems would go bonkers and not authenticate between the main and sub systems ...
« Last Edit: Yesterday at 03:35:25 pm by coromonadalix »
 

Offline langwadt

  • Super Contributor
  • ***
  • Posts: 5636
  • Country: dk
If there's no immobiliser there are multiple ways to get a car started; a screwdriver rammed in the lock was popular as it also takes out the steering lock.

would only work on an ancient car
 

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 8749
  • Country: gb
If there's no immobiliser there are multiple ways to get a car started; a screwdriver rammed in the lock was popular as it also takes out the steering lock.

would only work on an ancient car

Or a modern Kia.. sold in a backwards country.
 

Offline langwadt

  • Super Contributor
  • ***
  • Posts: 5636
  • Country: dk
If there's no immobiliser there are multiple ways to get a car started; a screwdriver rammed in the lock was popular as it also takes out the steering lock.

would only work on an ancient car

Or a modern Kia.. sold in a backwards country.

I thought you were joking, but then I looked it up ...

Here, "a vehicle must have an electronic immobilizer system that prevents the engine from starting without a pre-authorized, secure digital credential" has been a requirement for nearly 30 years ...

 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 7840
  • Country: ca
So did it work out?   ::)
Facebook-free life and Rigol-free shack.
 

Offline geerlingguy

  • Contributor
  • Posts: 13
  • Country: us
    • Jeff Geerling
But I assume you can't just push the button to start the engine if you break in but don't have the keyfob. 
The exact same technique used to open the car door, is applied immediately again to enable push button engine start.  What is ostensibly a two step process is executed seamlessly without any visible transition. 

If the car engine stops 10 miles away from the house, it cannot be restarted without the keyfob.  That's why the engine is always left running (even during refuelling) until it is abandoned.

But in this case, the keyfob was nowhere nearby.  They broke the window to get into the car, and then drove off.  How did they start the car?

Perhaps the theft was staged to make good video.

That's what I was wondering too; the kid who smashed the window didn't look like he had any key fob tech, and I would assume the 2026 Hyundai being demonstrated doesn't suffer from a simple 'USB to start' hack like the Kias did...
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 14674
  • Country: gb
    • Mike's Electric Stuff
The Start/Stop button works the same way as the doors. No problems in starting the engine. As soon as the engine runs, it won't stop even if the car is far away from the fob. Just don't turn off the engine until the car is at its final destination (from the thief's perspective).

I was recently on holiday and dropped the wife and kids off at the house and continued on to the shops. When I got to the shops and turned off the ignition I realised I didn't have the keys; the car wouldn't start again. But it would have driven all day just fine. Mrs had to get an Uber to bring me the keys that were in my backpack.

Some cars will start beeping a warning if the key disappears. Mine definitely beeps if you get out with the ignition on, but maybe not if in drive.
Youtube channel: Taking weird stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

