For those wondering why this is possible, a lot of new cars unlock if your key fob is in your pocket and you simply put your hand inside of the handle to open your door. And then you sit down and press the start button and you're off. It's really a rather nice feature, although it's also something that seems silly until you get a vehicle with it.
The range with normal usage is very short though. If I'm on the driver side of the car, it doesn't work on the passenger door, and vice versa.
Yup. Like many new convenience features, it seems so silly until you use it and then you can't go back. My new Golf has it, and it works so well that the doors unlock as my hand is entering the door handle cup but before I even have a chance to pull on the handle. If my passenger needs to open the door without me unlocking it, I have to stand REALLY close to them. It's pretty impressive (in normal operation) how perfectly it works as the key-holder but how close you need to stand for it to work for someone else.
I drove a rental car with this "feature" recently and I hated it. I have a habit of pulling on my door handles to make sure they are locked. Every time I did it, the car unlocked itself, which rather defeated the purpose. And as far as I could tell there was no way to disable this behavior, which made it effectively impossible to verify that the car was locked as long as you had the key with you.
I also had a bad experience with this feature on a rental car a couple years back (I think it was a Nissan).
My problem was that I kept my key in my pocket, sat down, the key slid out onto the floor, I drove around which I could still do because the key was in the right area, but then I had a heck of a time trying to find the key so I could lock everything when I got out.
Huh. I guess I always just press the button again if I'm unsure if the car is locked or not. "Effectively impossible to verify that the car was locked" seems like a bit of a stretch. I not-infrequently hit the lock button on my fob while I'm in the house just to see the lights flash on the car to confirm it's locked, particularly before I go to bed.
This is the same behavior I've used on all cars I've owned that have (push-button remote) keyless entry for, I don't know, decades?
That's where this becomes a problem specifically for rentals. This is a car I'm unfamiliar with, my "enough" is a lot higher. My suitcase is in that trunk, I'd like to physically confirm that it's actually locked, and I haven't made some silly wrong assumption about which sound or blinking means locked or if I pressed the wrong button or whatever.
I quickly get used to it, but it's a bit of a barrier every time. But the problem is really around rental cars more than the feature being a bad idea.
Central locking has a bit of a learning curve anyway. Used to be, every door was locked individually. With central locking, now your trunk might be set to unlock with the car, or it might stay locked regardless of the central locking status. Or maybe you hit a button that unlocked (but didn't unlatch!) your trunk, and now it's just waiting for someone to press the button and open it. Those problems aren't made worse by this tech, though; they've been around forever, and it's certainly confusing in a rental car context. (How many drivers have called the rental car agency confused about not being able to get the car out of Park, not realizing they have to depress the brake to shift into gear?)
This is part of the problem: every time you push the door button the lock state toggles. If it was locked, then pushing the button unlocks the doors. And the sound of locking and unlocking is identical. Once you're unsure of what state you're in, there are only three ways to be sure again:
1. Lock the car using the fob (which sounds the horn)
2. Unlock the car using the fob, and then lock it using the door button.
Really? My key fob (Ford Fusion) has separate lock and unlock buttons. Also, the auto-unlock feature can be disabled through a setup menu on the car dashboard. Furthermore, the spot where a physical lock stem would normally be has a red LED that lights when the door is locked. Finally, if you touch the outside of the handle in a certain way, the doors lock. Really nice feature.
Yes, the fob works that way. It's the door button that toggles. But the fob sounds the horn, so if you don't want to be obnoxious you have to use the door button (or lock all the doors manually).
Only if I hit the lock button twice -- once locks, twice gives the horn beep as a "confirmation" (Ford seems to have really figured it out on this car model). But I can hear the mechanical lock activate from just hitting it once. Oh, and the door also has two buttons, one for lock, the other unlock. Never seen a car door with only one button that toggles.
This is one of those cases where I wish all products had open firmware, so that you can install a best-of-breed user interface on all cars (not to mention, have my car fob also work on multiple cars from different manufacturers, and also on my house door lock).
Huh. I've never seen one like that. The ones I've seen (Infiniti, BMW, VW, others I'm sure) unlock when you put your hand into the door cup to grab the handle. They lock by touching an area to the side of the door handle in some way; an action that can't be confused with the opening action.
How did you lock the rental car? with the fob? Because my car has this same feature (Focus Electric) but it has a sensor pad/button on the door (just like my 13 year old Prius).
Physically pressing that button and hearing the click is enough for me. It takes some training, but it works quite well. So maybe it's your rental but most cars with the keyless entry have thought about this.
The rental was an Infiniti Q50 and my car at home is a G37. Sometimes I lock it with the fob, but that sounds the horn so if I don't want to be obnoxious I lock it by pressing the button on the door. Yes, there's a click, but I've gotten into the habit of tugging on the handle and that routine is part of my muscle memory now so it's a hard habit to break.
With my Passat I can tell it’s locked because the mirrors fold in (and unfortunately they’re kinda loud when it happens). Supposedly it auto locks when you walk away but I have yet to see that happen.
Yeah I actually ordered the power folding mirrors from europe for my Golf -- it sounds silly but my favorite 'feature' is if the mirrors are folded I know it's locked.
There's an edge case where if you unlock the car, the mirrors unfold, and if you don't open the door within 60 seconds, the car re-locks itself, but the mirrors do NOT fold. So you might think it's unlocked when it's not, but you won't think it's locked when it isn't.
Agreed. User interfaces should include very real human impulses. We're all somewhere on the OCD scale; repeated locking and testing should be accounted for.
Some do-- for example, Toyota's keyless system won't unlock the door again for a few seconds after locking, which gives you time to pull the handle to verify that it's locked.
For me it's not OCD so much as cognitive decline. I often just can't remember if I've already locked my car or not, but for some reason I can remember having tugged on the handle.
My car has this feature and I quickly learned that it only unlocks if you put all 4 fingers through the handle. So to check if it's locked I just give it a pull with 2 fingers and the unlock doesn't trigger.
I love the Nissan version of this. My Leaf has the button, which will toggle lock and unlocked state, as well as a double press (from locked) will unlock all doors.
My Prius has the "pull the door handle to unlock" method, and a push button to lock. But while opening the passenger door or trunk will unlock all doors, opening the driver door only unlocks that door. There is no way of automatically unlocking all doors from the driver side (other than the interior lock button).
Many cars unlock the driver's door only by default (assuming using a keyfob) but have the option of setting it to unlock all doors.
One neat thing about VW group cars (VW, Audi, etc) is the ability to use VAG-COM to reprogram a dizzying array of car functions. Other vehicles have this ability (BMW comes to mind) but require extremely expensive dealer-only tools to do it.
Keyless cars let you do that. Typically, on an automatic, the car decides between starting the engine or just having the radio based on whether you are pressing on the foot brake pedal at the same time or not.
Every single push-button start car I've driven has the ability of "engine off, radio on". On the downside my current car (2012 Mini Cooper S - push-button start) will only play the radio for about 10 minutes (??) after the engine is turned off.
My Mazda will keep the radio on if you turn the car off while it's in gear or neutral. Then you can put the car in park, and the radio will stay on until you hit the ignition button again.
Edit: after reading some Mazda forums, it looks like you can just hold the shift button (if you have an automatic) while on park to make the radio stay on, no need for neutral or other gear. You might want to try that.
"One hacker holds a device a few feet from the victim's key, while a thief holds the other near the target car."
While this isn't awesome, it certainly limits the effectiveness. You would have to have someone waiting in a parking lot to follow the person, then another person waiting by their car.
I do have a question though...I assume these things work on challenge/response schemes. That means that even if the car is started and stolen, it could never be started again without someone tailing the owner 24/7, which makes this a neat but nearly useless hack. Am I wrong in assuming this?
It's mostly about getting the car to a secure place where no one will question you when you start tinkering with it.
Trying to start it again and set off the alarm? No worries! Take as much time as you need to disable the alarm before trying to start it again. After all, no one is around to stop you.
Yes, if you park your car outside your house on the drive, and the key is in the house in a bowl by the door (for example) then they can steal the car in the middle of the night.
This is worse in the UK, as we have much less space, so things are much closer together (i.e. the car and the keys, where they are left overnight).
Similar relay attacks have been made to work over longer distances and through various obstacles, like exterior walls and locked doors. From 2015:
“Mr. Danev said that when the teenage girl turned on her device, it amplified the distance that the car can search, which then allowed my car to talk to my key, which happened to be sitting about 50 feet away, on the kitchen counter. And just like that, open sesame.”
Light can move about 300 meters in one millionth of a second. It's easy enough to find a store where the parking lot is well within that distance from the middle of the store.
So whatever system that goes into place would need to possibly have accuracy down to the 1us level or smaller.
You can also have three antennas in the car, and have high speed electronics measure the RF delay as received on each antenna. From there the key can tell how far away it is from the car (similar to how GPS works), and it would only respond to the challenge when it is in the proper position.
I was thinking exactly the same thing, speed of light is the only robust way to prevent the attack without hobbling the entire feature. Doubt it could be reliably retrofitted to an existing design, though; timing that precise probably requires additional hardware, or at least hardware specifically designed for low jitter.
A stolen car is usually worth more after it's been stripped for parts. The identity of a whole car is fairly well controlled via the VIN, but it's quite easy to make the parts of a stolen car disappear into the inventory of an apparently legitimate spare parts business.
Once you have the car, a tame mechanic can get copies of the original keys and program them for the car no problem. Obtaining the car and securing it somewhere you're in control of it is the biggest part of the problem. Ordering keys and trying to get the car programmed while the car is in the wild is far more problematic.
Or you can make the transmitter piece an Internet-of-Thing, so it connects to the cellular network -- and leave the transmitter piece somewhere near the victim's house.
Am I missing something or is the fix a little computer in the fob to cryptographically sign a one-time challenge sent by the car? I mean, RSA isn't that hard, is it?
Here's how I see it: the car broadcasts a (short duration) challenge message on short range (10 meters, say), the key fob, once in range, signs the challenge message, transmits it, the car checks the signature with the fob's known public key, and Bob's your uncle. If the fob can compute a signature of the challenge in 500ms, the window doesn't need to be much longer. Sure, people will likely be able to pull private keys from the fob with some effort, and duplicate it that way, but that's no worse than today. Reprogramming the car wouldn't be significantly harder than it is today either.
If we want convenience and security, it seems fine to make the key fob a little more complicated and beefy.
I feel like this is by no means a new idea and maybe I'm missing something.
It really is an oversight from the carmaker not to use it in the design of the keyfob.
If the security of the whole system depends on distance, the crypto behind it should verify that distance limit. The same goes for NFC, bluetooth pairing, WPS, wireless credit and debit cards, and apple/android pay. They all have 'nearby' somewhere in their security model, and in no case is 'nearby' actually verified cryptographically.
You are misunderstanding how the attack works (probably because the article misuses the word 'spoofing' IMO). The messages between the car and the key fob are the real messages. They are just using a radio to extend the range of the car/fob communication.
> Am I missing something or is the fix a little computer in the fob to cryptographically sign a one-time challenge sent by the car? I mean, RSA isn't that hard, is it?
The problem has nothing to do with cryptography. Given radio signals can be relayed at will, and there's no way of knowing so (short of a way to measure quite small latencies), there needs to be a proper way to bind the cryptographic exchange to the person pulling the door open. Relay attacks (which do nothing to exploit cryptographic exchanges -- just relay messages fast) exploit that lack of binding.
That's basically what it is doing now... except that the message from the car is relayed over another radio to a radio the attacker is carrying near the victim. The victim's key thinks it is near the car, and signs the message which then is sent back over radio to the car.
This isn't about better cryptography. This is about how can the car know that the key is in close proximity to it? We can transmit data long distances.
Timing is going to be the key, how much time is allowed to be passed between sending a challenge and getting a response? Right now there is a lot of "slop" to allow the owner with the key to be turned away from the vehicle and things to still work, or have it in your left pocket versus your right when seated in the car.
My Subaru WRX requires the key to be right next to the middle console, so I can only keep my key in my right pocket. If I have it in my left pocket I can't start my car.
I don't know how much "timing" slop there is though. Could someone relay my keys transmission with a short delay?
It must be possible to implement some kind of simple response time check.
Given that the speed of light is ~1ns per foot then a total response time greater than (2d + p) where d = max distance in feet, and p = processing time within the keyfob in nanoseconds would provide a bound.
I suspect however that making the keyfob response time consistent might be the hardest part of the check, closely followed by an accurate timing facility within the car.
Yeah, the Wikipedia article talks about an implementation that has a processing time of 1 ns (which gives the distance within your foot). The questions are whether it is secure against the world or secure against just the implementers and how much it would cost.
There is a startup from ETH Zurich [1] which develops technology to make relay attacks impossible. In short, they are developing a method to make the key prove it's within a certain distance of the car. Some of the tech behind it: https://arxiv.org/abs/1404.4435
Apparently Apple does something similar to this in order to unlock Macbooks with an Apple Watch. I don't have a link right off the bat, but I remember watching an interview with Craig Federighi where he explains that the Apple Watch uses precise timers to ensure that users are actually near their computers to avoid relay attacks.
Couldn't you just get the key fob signal first, buffer it in the radio near the car, then initiate the negotiation with the car, and finally replay the unlock signal for the car?
The key fob can't invalidate signals with the car once it's sent since it's too far away, so even if you have distance-bounding on the key fob, it can't tell the car to ignore an otherwise valid signal.
If the car initiates the distance check and the fob does some kind of signature during it, that won't work. Of course that presumes a secure implementation.
It is an insidious problem. There were a couple of kids around here that weren't stealing the cars, they were just breaking into them on driveways at 2AM and rummaging around for spare change and what not.
Almost every countermeasure defeats the convenience factor. One proposal was to have the key light up and you pressed a button on it to say 'yeah do your thing' but at that point why not just have the old style push to open fob?
Perhaps something magnetically coupled rather than RF coupled will help keep it reliably a near field sort of interaction but even that is subject to a slightly more sophisticated relay device.
IEEE 802.15.4 UWB (Ultra-Wideband) radios with timestamping functionality allow measuring the time of flight (well, not directly, but it can be inferred from an exchange of messages) of your signal. With some added crypto, it isn't difficult to build a solution which is limited to a specified distance. You can get as precise as ±20cm.
This means that you can build a system which will not work beyond a certain distance, because signals will take too long to travel.
I'm surprised this hasn't been picked up by car manufacturers yet. Perhaps there is too little market pressure.
Sure. However, I think the objective would be to increase the difficulty and the level of sophistication required for exploitation rather than complete security. For instance, a physical lock on your front door can easily be defeated by someone with the requisite tools and expertise, but that doesn't make them useless as a security measure.
Maybe the car can be driven away for once. The engine immobilizer requires the keyfob to be present inside the car for it to be driven away. If the spoofed fob can trick the immobilizer, yes it can be driven away for once because the immobilizer check is not always "on". It's checked before the engine starts.
If it was, I could throw my keyfob out of the window on a highway and the car would come to a stop.
My car will stay running and allow you to drive off without the key. I tested this when I got my car. I started the car, then put the keys in my garage and then drove down the street.
You wouldn't be able to start the car again if you turned it off, but by then the car is long gone.
I keep seeing this problem (and likely suffered from early attempts a few years ago, when my car was effortlessly broken into), but nobody seems to be talking about solutions. What's the answer? It would be nice if I could ask about this when I get a new car in a couple of years.
* Is it about making the exchange more computationally complex, so it can't be just replayed? I guess that would require some sort of clock in the key?
* Have 2FA with something like a phone? Like requiring TouchID on the phone to confirm when you press the key.
Why don't they put an on-off switch on the fob? Better yet, when the vehicle locks, send a turn-off signal to the fob. Then you'll have to press a power button to reactivate it.
That's running exactly contrary to the feature that's implemented and abused: The car should unlock when the owner comes within radio distance. So the key must be on and transmitting - and it's that signal that gets relayed. It's not a replay attack, basically the signal just gets amplified to trick the car into believing that the key is close.
Right, so when you put the fob in your pocket to leave, you activate it, and it stays active until you've completed your trip and you lock the car. But while it's resting on your nightstand or kitchen counter, it's inactive. Or is there something I'm missing?
A working distance-bounding protocol would address it.
I think ultimately you would be relying on a 3rd party evaluation of the systems automakers are using because salesmen aren't going to have a useful knowledge of the specifics.
fobs don't come with accelerometers? Or are you saying the car is doing this calc based on timed signals from fob? That would be open to spoofing as well...
I will occasionally stop at a mailbox a block or two from my house to drop off outgoing mail, and when I get back in I always have a warning about the fob not being in the car. I can drive away no problem but the warning stays up for 5-10 seconds. I can't imagine the engine would stop once you can get it running.
The car won't stop running, it will just complain about the key not being in the car. It will let you drive away. (I tested this in my car when I got it - I started it, left my keys in the garage, then drove down the block and back).
Juvenile power fantasies are going to kill us all. People want to be magical, wave their arms and move their hands mysteriously, and affect the world.
Things like this save an infinitesimal amount of time (or sometimes even make actual usage more difficult), and introduce orders of magnitude more complexity ripe for exploitation. All so people can feel like they're magical.
You're being overly harsh there. I've found not having to reach for my keys to be rather convenient when shopping with both of my kids (e.g. opening the boot by touching it when my hands are full carrying shopping + kids under my arms).
Sure, I would still cope with conventional keys; I won't deny that. Just as my mum coped raising me when she didn't even have a car. But I'm just making the point that this feature isn't just some "juvenile power fantasy" and actually does help make life a little bit easier.
Though frankly, even if it was just a vanity feature then I still wouldn't begrudge anyone wanting it. Isn't that half the reason people buy nice cars in the first place?
For what it's worth, if this is a feature you have but don't like, then some cars (mine included) do allow you to disable that feature. So it might be worth consulting your manual / checking the in car settings menu.
I believe society still has a lot of inertia toward this. I also think video games tapped into this brain subsystem, which IMO was designed as a desire to learn how to master the real world, except now technology can bridge the fantasy.
It is a cost savings move. If you have power locks and a transponder system anyway, the lock cylinders are effectively redundant (minus security concerns) and can be eliminated for more profit.
I don't think this is really how it is. From what I know, all of the cars have lock cylinders still because if your battery dies, how do you get into your car to replace or jump the battery?
There is a very slim key that is included in all the key fobs that I've seen.
There's probably useful commercial applications for this "attack" for companies that manage large fleets of vehicles. If you already have some of the hardware/software infrastructure to manage it (like company cell phones or tablets) you could toss all the keys in a central office somewhere and never worry about losing them or making duplicates. $30ish for a box that plugs into the 12v (or OBD2 if you want to collect that data) and $1 for a usb cable to connect it to the $100 tablet that you already have mounted in the company vehicle for doing work things. Obviously the details would need to be fleshed out and I'm sure someone (like OnStar) already offers similar services but being able to hack your way into a cheaper equivalent would put downward pressure on price.
I've always thought that a simple measure that automakers could implement is to require the keyfob to have moved in the last X seconds to authenticate an unlock. That prevents the "key is sitting on a table in my house" relay attack.
Tighter timing constraints don't seem like a robust solution. I'm guessing proximity as an authenticator will become a thing of the past. New keys may have a button that must be pressed or even a fingerprint scanner.
Tighter timing constraints could definitely work. If the car requires a response within 10ns you can guarantee the fob is within 1.5m of the car.[1] The only issue is the fob has to be able to decode the signal, calculate a response and transmit it very quickly (or within a very precisely known amount of time).
[1] Light travels at ~30 cm/ns, so a round trip time of 1 ns corresponds to 15cm.
There's another attack where they just break into the house and steal the keys and drive away. It's easy since most people have their keychains close to the outside entry.
At the moment, they're generally fishing through the catflap over here, according to a different police force.
But this attack makes no noise (other that opening and closing the doors, and starting the vehicle), and won't set off the burglar alarm in the house, and probably won't be noticed until the vehicle owners go to drive off.
Shot, maybe not, but stabbed or clubbed or just being beaten into a pulp are worldwide. I’m not making a statement about gun control, just pointing out that the risks of breaking into a home are not limited to firearms.
A slim jim worked because the wires holding the lock were exposed inside the door. An extremely cheap fix was to wrap those with a metal cylinder.
I was under the impression that this was standard for at least 15 years but since we're talking about automotive industry, some makers may not even be aware of that yet
Even with cars that have the lock cables wrapped, the window has enough play to wedge it open and hit the door unlock button. Most locksmiths (sample size: number of times I've locked myself out of my car) just do that as it has less damage potential than fishing inside the door.
A slim jim worked because the lock plunger was physically connected to the locking mechanism. You could pull up on any part of that metal piece to physically manipulate the plunger, thus unlocking the door.
Seems like an easy fix might be to simply kill the engine if the key fob goes out of range. I can see this being problematic if erroneously triggered on a highway or something, but it would limit the range the thieves could take the car to the range of their radio, and require radio proximity to the key for the duration of their travel.
This could be incredibly dangerous because now your car decides to stop working because the battery became too low to keep authenticated. Or if something happens with interference.
The potential failure scenarios increase by a huge margin if you require the keyfob to be authenticated with the car the entire time.
I am no RF expert, but I would guess that it wouldn't take much shielding around a fob to keep its signal from being relayed (given the poor range of the fobs in general, the transmitter in there can't be very powerful). Seems like potentially an Altoids-style tin would be enough of a Faraday cage?
I wish that it would still be possible to get a "dumb" car... one that would have almost no electronics (or that you could at least disable all wireless receivers/transmitters).
We know that computers can't be secured... so it is a little scary to ride in one.
The new Tesla model 3 uses your smartphone over bluetooth as a key. I suspect we'll see that become more prevalent, which should provide ways to mitigate most of these issues by using GPS for location instead of RF strength/timing.
GPS isn't cryptographically secure, and is easy to spoof[1]. Bluetooth can be relayed[2]. The two attacks would be easy to do simultaneously from the same evil box.
I know that a button on the keyfob would work, but this attack could also be prevented with clock syncing, as the re-transmission of the signal will certainly take time. A simple timed ping (with cryptographically signed time-stamps to prevent replay) would sort this out.
The problem of distance-bounding mechanisms is that the technology isn't quite there yet. A microcontroller in a keyfob operates at ~5 MHz. If it takes 1 clock cycle to receive & decode the first bit of the cryptographic challenge as well as to start transmitting the first bit of the response, then the R/F signal has already traveled 60 meters. Most cars parked in a driveway by the owner's house are less than 30 meters away from the keyfob.
The limited performance of the low-power microcontroller isn't the only problem. The R/F signal itself is modulated at a low baud rate. If it's modulated at 1 Mbaud then each bit is sent as an R/F symbol that's 300 meters long in the air. In a sense the R/F receiver needs to demodulate "300 meters of R/F analog data" to be able to decode it to a 0 or a 1. If there is a little delay or noise at the beginning of the 300 meters of data because the signal is being relayed (if you can visualize what I mean), then the receiver isn't going to notice.
The low-power constraint on the keyfob (as it's powered by a small battery that must last years) prevents manufacturers from developing R/F physical layers and chips that are performant enough for precise distance-bounding.
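As an added example (not code from this thread, nor from any carmaker or the ETH Zurich project mentioned above), here is a small Python model that joins the two threads of the discussion: the "car sends a challenge, fob signs it" scheme proposed earlier, with the round-trip-time bound from the timing comments layered on top of it. The `Fob` and `Car` classes, the key, the accepted distance and the delay figures are constructed assumptions; an HMAC stands in for the fob's signature purely to keep the block short (the proposal above talks about RSA, and the choice of primitive does not change the point). The constants are the thread's own numbers: ~30 cm per nanosecond, a 10 ns round trip corresponding to 1.5 m, a 5 MHz microcontroller clock, and a 1 Mbaud symbol rate. Running it shows that a correct signature says nothing about distance, that an exchange with added latency fails only the timing check, and how much distance slack 200 ns of unaccounted processing time turns into.

```python
import hashlib
import hmac
import os

# Speed of light as the thread uses it: ~30 cm per nanosecond (~1 ns per foot).
C_CM_PER_NS = 30


def rf_travel_m(nanoseconds):
    """Distance an RF signal covers in the given time, in metres."""
    return nanoseconds * C_CM_PER_NS / 100


def clock_cycle_ns(clock_mhz):
    """Duration of one clock cycle of a microcontroller running at clock_mhz."""
    return 1000 / clock_mhz


def symbol_length_m(baud):
    """Physical length in the air of one modulation symbol at the given baud rate."""
    return 300_000_000 / baud


def max_one_way_distance_cm(rtt_ns, processing_ns):
    """Upper bound on fob-to-car distance implied by a measured round-trip time.

    The bound from the thread: rtt = 2*d/c + p, so d <= (rtt - p) * c / 2.
    Any processing time the car cannot account for is indistinguishable from distance.
    """
    return max(0.0, (rtt_ns - processing_ns) * C_CM_PER_NS / 2)


def min_rtt_ns(distance_cm, processing_ns):
    """Smallest round trip physically possible at this distance and processing time."""
    return 2 * distance_cm / C_CM_PER_NS + processing_ns


class Fob:
    """Hypothetical fob: answers a challenge with an HMAC (stand-in for a signature)."""

    def __init__(self, key, processing_ns):
        self.key = key
        self.processing_ns = processing_ns  # first bit in -> first bit out

    def respond(self, challenge):
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class Car:
    """Hypothetical car: checks the response AND the time it took to arrive."""

    def __init__(self, key, max_distance_cm, fob_processing_ns):
        self.key = key
        # Longest round trip the car accepts; anything slower is "too far away".
        self.window_ns = min_rtt_ns(max_distance_cm, fob_processing_ns)

    def new_challenge(self):
        return os.urandom(16)  # fresh each time, so a captured response is single-use

    def verify(self, challenge, response, rtt_ns):
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        sig_ok = hmac.compare_digest(expected, response)
        timing_ok = rtt_ns <= self.window_ns
        return sig_ok, timing_ok


def exchange(car, fob, distance_cm, extra_delay_ns=0):
    """Model one unlock attempt and return (signature_ok, timing_ok).

    distance_cm    -- real distance between fob and car
    extra_delay_ns -- latency between them that is not free-space propagation
                      (e.g. a range extender re-transmitting the real messages)
    """
    challenge = car.new_challenge()
    response = fob.respond(challenge)  # the genuine fob answers the genuine challenge
    rtt_ns = min_rtt_ns(distance_cm, fob.processing_ns) + extra_delay_ns
    return car.verify(challenge, response, rtt_ns)


KEY = b"constructed-demo-key-not-a-real-fob-key"  # constructed sample value

if __name__ == "__main__":
    fob = Fob(KEY, processing_ns=1)  # the 1 ns processing figure quoted above
    car = Car(KEY, max_distance_cm=200, fob_processing_ns=1)
    print("fob 1 m away, direct:", exchange(car, fob, 100))
    print("fob 50 m away, 2 us of extra latency:", exchange(car, fob, 5000, 2000))
    print("fob with the wrong key:", exchange(car, Fob(b"other", 1), 100))
    print("10 ns round trip bounds distance to", max_one_way_distance_cm(10, 0), "cm")
    cycle = clock_cycle_ns(5)
    print("one 5 MHz clock cycle =", cycle, "ns =", rf_travel_m(cycle), "m of RF travel")
    print("one 1 Mbaud symbol is", symbol_length_m(1_000_000), "m long")
```

The design point is that the signature and the timing are independent checks: the first proves the fob holds the key, the second is the only thing that says anything about where the fob is. The `extra_delay_ns` parameter is the whole story of the attack in this model, because the messages themselves are untouched; and `max_one_way_distance_cm` makes the processing-time objection concrete, since a fob whose response time the car cannot pin down to better than one 200 ns clock cycle hands the verifier 30 m of ambiguity no matter how good its timer is.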
Relying on timings for this type of thing is impractical because you'd have to sync the time to the nanoseconds and wireless is notorious for being noisy. It'd make it more expensive too.
The most practical one, I think, is to make it NFC-near instead of BLE-near. Or, you know, just use a non-contactless one. Or add a button.