Schneier on Security
A blog covering security and security technology.
« Workshop on the Economics of Information Security |
| FaceTime for Mac Security Hole »
October 21, 2010
Electronic Car Lock Denial-of-Service Attack
Inspector Richard Haycock told local newspapers that the possible use of the car lock jammers would help explain a recent spate of thefts from vehicles that have occurred without leaving any signs of forced entry.
"We do get quite a lot of car crime in the borough where there's no sign of a break-in and items have been taken from an owner's car," Inspector Haycock said. "It's difficult to get in to a modern car without causing damage and we get a reasonable amount of people who do not report any.
"It is a possibility that central locking jamming is being used," he added.
Devices that block the frequency used by a car owner's key fob might be used to thwart an owner's attempts to lock a car, leaving it open for waiting thieves. A quick search of the internet shows that devices offering to jam car locks are easily available for around $100. Effectiveness at up to 100m is claimed.
I thought car door locks weren't much of a deterrent to a professional car thief.
EDITED TO ADD (10/22): The thieves are not stealing cars, they're stealing things left inside the cars.
EDITED TO ADD (11/10): Related paper.
Posted on October 21, 2010 at 2:07 PM
• 47 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
This smacks of more "security scace" tactics.
Lots of noise but little thought to either prevention or warnings to car owner to check their vehicle.
It would be interesting to see how many people actually listen for the "Locked" chirp from their car and how many just wander off...I think most people will keep pressing the fob until they lock the vehicle and if it doesn't happen at all they'd go back and do it manually.
Don't most vehicles flash their lights and beep the horn on successful locking? If you care about locking at all, you have to be aware of the signal, since if a door isn't properly shut one or both of the signals is suppressed, to let you know.
@Scott In order for there to be a chirp noise, the remote would have to be part of an anti-theft system. Most remote lock / unlock systems are a convenience item, so the only sound you're likely to hear is the mechanical sound from the lock mechanism activating or deactivating.
@Mark M: Ford's convenience remote locking system only flashes and beeps if you press the lock button a second time within a second or two of pressing it the first time. I only use the second press if I don't hear the locking mechanism engage.
> I thought car door locks weren't much of a deterrent to a professional car thief.
From the quote, they are not stealing cars, they are stealing stuff from unlocked cars.
Personally, I only use the remote for unlocking. I lock with the interior button, and then pull the door handle to double check. And ofter enough, the double-check shows me that I hit unlock instead of lock, so I go back and do it again.
I can believe this one. Around 1994, it was found that the HP 48-SX calculator used the same frequency of transmitter as the ones used on a brand of car locks. People could, and did, program the calculator to send every possible code for that lock.
@dave-ilsw: Toyotas chirp too with only whatever factory-installed antitheft systems come by default.
IMO Scott and Mark's comments are right on the mark. Just press it until you receive some confirmation that the vehicle is locked. No biggie.
My Prius "smart" key system gives the beep when I press the button on the door, and I've definitely trained myself to wait to hear it before leaving the car.
Interestingly, because the car has a radio-based system that checks for the presence or absence of the fob/transceiver, I've experienced problems when parking in one particular side of one particular garage in downtown San Diego, which sits opposite an antenna farm atop a government building. It's VERY difficult to lock or unlock a "smart" key-based car in that location. I had a heck of a time getting back into my car one night!
@Curby: "No biggie."
Sure, but a jammer with a 100m range is essentially spamming every car that parks in the area, all day, every day. YOU might be supa seekur, but like spam it only needs a few dummies - or you to be a little inattentive.
@dave-ilsw "Most remote lock / unlock systems are a convenience item..."
The report is from the UK. Cars sold since 1 October 1998 in the UK have been required to be fitted with immobilisers so the remote lock system will invariably activate the immobiliser - if not actively linked then a passive arming of the immobiliser will kick in shortly afterward. If an alarm is fitted it would again almost certainly be linked to the remote lock/unlock unless it was an aftermarket system.
I have a suspicion that the claim in the report of active jamming is incorrect. I have a British made car and it's fitted with the Lucas 5AS alarm/immobiliser which has a radio remote lock/unlock key. This model of alarm was fitted to a lot of British made vehicles (Rovers, Land Rovers, some Nissans, etc.) . It has a terrible radio receiver front end on it - it's a cheap superegenerative receiver with pathetic selectivity and a completely untuned aerial. Consequently it completely fails to work in the presence of any significant radio frequency interference.
There are several places that I regularly park where I know that the remote won't work and have to make a point of using the mechanical key to lock and unlock the vehicle. In some places (for example, the local supermarket car park) the interference level is so high that I can't disable the immobiliser with the radio key even when I'm sitting in the vehicle with the remote pressed against the aerial. If this happens you have to tap in a four digit override code using the key in the driver's door - left three times, right seven times etc. This is so difficult and error prone that it's a great incentive to avoid setting the alarm/immobiliser in places like this.
This has been going on for years, so it's not some recently arrived miscreants with a 'jammer'. What MAY have happened recently is that thieves have realised this phenomenon and are taking advantage of radio interference blackspots.
We recently did an analysis of "Passive Keyless Entry and Start" systems on many cars. A simple relay attack allows to open and start cars equipped with those systems, "without leaving any signs of forced entry" as well:
"I thought car door locks weren't much of a deterrent to a professional car thief."
The door locks are easily bypassed, but many cars with key fob locks have alarms that go off when a door is opened or the car is moved.
@Aurélien "... A simple relay attack ..."
clever. and very effective. if you'd cover an area by a network of your devices you can, in theory, open any PKES car contain within.
I have had things stolen from my car three times. All three times I had the doors locked so they just broke the window. That's $300 to replace and less than my deductible.
Now I leave my doors unlocked.
I knew there was a good reason why I don't even bother carrying the remote. Besides the fact that it doubles the size of my keyring, that is.
Well, that and the fact that where I live, I don't even bother locking my car. There's nothing in there to steal anyway.
Actively jamming most of these systems is very easy. Take one of the higher power 433Mhz (or appropriate band) transmitters, and then drive it very hard using any of the readily available microprocessors. You can drive some of the very cheap ones with voltages much higher than specified, as long as you pulse it to avoid overheating. The transmitter starts putting out a lot of harmonics - but you don't really care.
Most of the receivers in alarms seem to have simple automatic gain/threshold controls and no jamming detection, so if the duty cycle of the transmitted signal is more than about 75%, the receiver will be overwhelmed.
So not exactly out of the range of a car thief.
"Don't most vehicles flash their lights and beep the horn on successful locking?"
I've turned my chirp off (it's annoying and I work nights, so I don't need to be "beeping" at midnight in an apartment complex), but I still listen for the locking mechanism. And the lights still flash, which I visually check if I don't hear the locks for some reason.
I did like the setup in my mom's old Galant. It would lock the doors when you press the key fob, but it would only beep if the doors are fully closed. So, if the door isn't closed all the way, you don't hear the beep and know you need to go back and close it properly.
On the chirp:
My truck does not chirp, but the locks make a hefty 'kerchunk' noise, and yes, I listen for that.
I have met (rented) cars without anti-theft alarms that simply beeped the horn. As was pointed out above, that's highly inappropriate when you're coming back at midnight in a quiet neighborhood. After poking around in the owner's manual, there's usually a way to turn it off. Those I've met still flashed the lights, though.
On the professional car thieves?
No. These are simply snatch 'n' grab types. Even the radio isn't worth stealing anymore, they're after purses, CDs, spare change, whatever's in the glovebox (Not uncommonly a firearm(!!)), &c.
In other news:
Keyfobs can be unreliable for many other reasons. Positive feedback (in the sense of "Yes, I confirm I received your instruction") is a good thing. As far as I know, *none* of them are two-way communicators, so the car has no way of telling the fob "Acknowledged". I've never seen one. I wouldn't put it past really high-end fobs reaching that point, though (My Mercedes is twenty years old... ;-)
I should add that the beeping and flashing are telling the *owner* of the fob that it worked, but doesn't tell the *fob* anything.
I second the above comments that it is anti-social behaviour to have the chirp/beep enabled for routine locking if you have any plans to use the automobile outside of daylight hours.
My Toyota has a beep, one that doesn't use the horn. It's barely loud enough to hear in fairly noisy situations, and not loud enough to disturb people indoors next to where it chirps.
This wouldn't necessarily alter an existing car thief's M.O., but it would allow more patient, risk-averse types to engage in theft that normally requires a smash-and-grab mentality.
There are lots of ways to RF jam a car lock system, while recording the car owner is broadcasting the Lock and Unlock signals. My favorite demo technique is intentionally jamming individual bits, doing this 'blindly' gives you a 50/50 chance of disrupting that bit AND lets you know EXACTLY which bit is wrong in the sequence. (which is useful for replay attacks)
To even suggest that the system is secure, shows just how pathetically uninformed the automakers are about active RF attacks and RF link security in general.
I know at least 3 attacks that will defeat most car alarms and require no knowledge of cryptography.
BTW: Cryptographic attacks on the lock / unlock sequence are also trivial, as are auto resynchronization attacks.
Like tudza, I'd rather not pay for the replacement window, so my car is unlocked, and it's also empty. Three or four times in the last 20 years, I've found my glove compartment door open, but since there's nothing in it, so what?
I only buy cars with crank windows and mechanical locks, that way I don't have to worry about fobs, radio interference, dead batteries, setting off the alarm by accident, doors that lock automatically at inconvenient times, sitting in the passenger seat waiting and unable to open a window while the driver takes forever to do their errand... call me a luddite but none of that stuff improves my life one bit. Why suffer daily hassle on the slight chance that you'll meet one of the few criminals who wouldn't just break the window anyway?
In Europe most cars use a single ISM frequency 433mc, a very crowded one. Everything is allowed on this frequency and for very nearby frequencies there are licenses of a few hundred watt power.
So, your car will not lock and can not be unlocked in several places. Checking is default for me.
Jamming devices are not needed, you can buy a normal walky-talky which works great to tease your neighbour.
There was a case from 2006 in the Czech Republic, where Radko Soucek, a local car thief was caught. He had a laptop programmed with the unlock codes for pretty much all production cars.
(Source: printed edition of Prague Post, week of 24th April 2006)
The best on-line reference I have found is:
@tudza: A smart person would probably switch to an insurance without deductibles after the first self-paid break in.
A not so smart person leaves the car unlocked to encourage even the dumbest thief to take an inside look...
@Mark M.: not all vehicles do. Some only blink a special little light (f'rex older Mercs), and in at least some European cities it's forbidden to use the horn unless in an emergency, so that's disabled as feedback when locking, too.
The thing to do would probably to work on better feedback, maybe a vibrate mode on the keyfob once the car acknowledges the lock command (of course that'd mean a receiver on the keyfob instead of just a transmitter)?
At least in Germany, the horn is not allowed to be used as a lock indicator or similar, only as a signal device on the road. AFAIK, it's not even allowed to be tied to the burglar alarm.. those need a separate speaker/horn. (and I'm rather glad for that.. there are people who like to sleep at night even if the neighbors decide to drive away.)
The usual lock/unlock indicator around here is flashing the turn lights.. which is visible enough.
I've heard of something even more clever:
1) they do this on highway stops common for people going on vacation;
2) steal only your gps device;
3) use the gps to go to destination "Home";
4) when you get back from vacations, your home is empty...
Solution: set the home address as that of the closest police station to your house.
This is as silly as the story a while ago of "laptop detectors". Police reported in Hampshire that thieves we using a laptop detector to locate cars with laptops in, but hidden out of sight in the boot/trunk. In practice local thieves were simply profiling a fat bloke in a suit driving a BMW: there is a laptop, blackberry and probably an iPhone/iPod in the car.
Most European cars do beep, so all you need to do is sit in a car park watching for a car that doesn't beep and you can quickly get in and out, and the owner will never realise that they hadn't locked it...
A couple years ago, I accidentally locked my keys in the trunk of my Lexus. Fortunately, the car body was unlocked at the time, so my breakdown service managed to hack the remote trunk release. Apparently, had that not been an option they'd have needed to bend panels in order to break into the trunk.
While at the time I was pretty dismayed by that, with hindsight the thought that a thief needs a crowbar rather than a lock pick to get stuff out of my trunk is encouraging. It seems not all vehicle locks are a security joke.
I have solved the problem of theft from inside my vehicle.
I leave my top down and doors unlocked.
Now my only concern is rain. When that happens, I raise the top and windows.
I adopted this practice a few years ago and I can report my method continues to be 100 percent fail-safe.
I have applied for a patent called "Don't leave stuff in the vehicle" and once approved will sell my fool-proof method via ebay.
Locks in general are not much of a deterrent to a professional thief, or even an amateur one. This is mainly in reference to the typical locks/alarms systems used on our vehicles and homes.
@Jon: I should add that the beeping and flashing are telling the *owner* of the fob that it worked, but doesn't tell the *fob* anything.
Actually, the beeping and flashing are telling anyone (not just the owner) within sight/hearing of the vehicle that it's been locked (or, usually, additionally, unlocked).
@Woo "A smart person would probably switch to an insurance without deductibles after the first self-paid break in."
In North America, such a policy is either unavailable or is so expensive that it is not viable.
That's why I've got this Carjammer Jammer!
Ian Mason: "I have a suspicion that the claim in the report of active jamming is incorrect. ... It has a terrible radio eceiver front end on it ... completely fails to work in the presence of any significant radio frequency interference."
Strictly speaking, this is still jamming. It's just not someone actively jamming for nefarious purposes. Instead the thief might deliberately choose places where the jamming is already happening.
Oddly enough, this actually strikes me as even more devious. If arrested, even with evidence, the thief can claim "yeah, but the guy left it unlocked". So he might still be charged, but the car owners might discover that they can't claim insurance if items are beyond recovery.
I guess it's time to start assessing carlock transmitter systems for robustness and reliability - not to mention fitness for purpose.
Yet another reason to switch from Bait Cars to Death Cars. But I'd definitely keep the remote video capabilities. The government could SELL the videos to Spike TV, offsetting the deficit by billions, while simultaneously providing badly-needed humor to everyone who has to WORK for a living. And if we could develop a system that recycled, say, the cyanide gas used AND the otherwise useless bodies, we'd be GOING GREEN.
Leaving your doors unlocked, windows and top down is a good start but you still have a dashboard and steering wheel at risk of damage. Best to also leave the keys in the ignition or just eliminate the key and have a big red "press here to steal me" button.
As long as we're thinking of ways to reduce damage by eliminating perimeter controls, I suggest everyone ride a bicycle instead.
> I am Bruce.
So what, all us philosophers here are Bruce.
In Australia a few years back it was easy to buy a "code grabber" which would grab and store any Amplitude Shift Keyed signal in the 300 to 400MHz range - Aussies use 308MHz for central locking, garage doors etc. The code grabber could then play the signal back. I knew people who had their homes and cars burgled this way. Rolling codes are now madatory for cars - not sure about homes etc.
Electronic door locks are turning out to be one of the greatest gifts to thieves. The old fashioned mechanical key locks were nearly impossible to pick. Thieves had to use slim jims to open car doors, which looked very suspicious to police and bystanders watching the forced entry.
Now, with electronic door locks, thieves only need a pocket size electronic jammer/opener to get into your car. Since this entry doesn't use a pry bar or slim jim no one notices that the person opening the door is not the owner. Merry Christmas, thieves.
By the way, not all forced entries are aimed at your possessions. Newer cars, expecially luxury and sports models, have high value as parts. Thieves can have a brand new Mercedes or Corvette stripped down within a couple of hours after it reaches their shop.
100m is trivial: in the UK, most car door remotes operate at 433MHz, within the band allocated to amateur radio. As such, transmitters capable of 50W or more are easily available (compare with a few hundred milliwatts for the "low power device" transmitters).
I legitimately run a repeater once a week from my home, which means it transmits near-continuously for approximately half an hour.
Experiments suggest that certain cars are affected at approximately 500m away through residential surroundings.
As for me, I just have to remember to get everything out of my car before I try and unlock it again once the repeater is active :-).
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.