Denial-of-Service Attack Against Electronic Car Locks

This was accidental, but it could certainly be done on purpose:

Some cars failed to start on Tuesday in Parrock Street car park, in Gravesend, Kent, while others would not unlock.

[...]

A spokesman said "weeks of sleuthing" by council officers had them looking for a rogue transmitter or wireless broadband unit in nearby offices.

Staff also checked all transmissions in and around the car park, because of nearby communications at the town's Civic Centre and police station.

[...]

Ofcom was finally called and a survey found a small family car was intermittently sending out signals blocking other fobs in a 164ft (50 m) radius.

Posted on November 6, 2007 at 1:48 PM • 40 Comments

Comments

Chris S • November 6, 2007 2:52 PM

Okaaay ....

I understand that the key fob needs to transmit to the car. But why does the car need to transmit at all? This article is open to the inference that the car had a malfunctioning transmitter. But why does it have a transmitter at all?

And alternatively, if a parked car - assuming the engine is not running - were generating radio interference at that level, wouldn't it run the battery down? Radio interference at that level - out to 50 metres - has to be at a fairly high power, yes?

Justin • November 6, 2007 2:59 PM

Some key fobs are 2-way, allowing for greater functionality. I imagine this car was only transmitting once in a while, like every 30 or 60 seconds, but that was enough to interfere with the other cars.

DarkFlib • November 6, 2007 3:01 PM

My guess is the car issues a challenge which the keyfob then responds to; this could make the system immune to replay attacks (keyfob accidentally pressed while out of range and then replayed in range).

M Welinder • November 6, 2007 3:03 PM

But at 165 ft everything was ok? With that precision it should not have been hard to find.

uberdilligaff • November 6, 2007 3:18 PM

So what if your key fob transmitter or the receiver in the car won't work -- you just put the key itself in the lock and turn it -- the old fashioned way! Then repeat the process using the key in the ignition lock, and voila -- drive off.

Julian Gall • November 6, 2007 3:20 PM

I'm somewhat sceptical too. Why were the motorists "stuck"? Didn't they have conventional keys which would also open their doors? How did this cause some cars to "fail to start"? Presumably these drivers got in and turned the key in the ignition. Keys have an RFID device which needs to be in proximity to the ignition switch but this isn't the same as the transmitter for opening the door, surely.

Mike • November 6, 2007 3:21 PM

I can understand transmitting on the same frequency, but shouldn't they be coded differently? Such as the key codes the auto makers use for door locks and ignition switches. Or, electronically speaking, car alarm remotes and garage door openers. Some garage door openers these days automatically switch the code each time it's used as an extra security measure.

Andy Cunningham • November 6, 2007 3:29 PM

I had an interesting "debugging" session a few years ago when my car battery went flat if the car was parked outside my house for more than 36 hours. Anywhere else, no problem. It turned out my new weather station transmitted on the same frequency as the keys and kept the computer awake!!

There are lots of other car-related problems: when Land Rover first introduced the latest shape Range Rover, the tyre pressure monitoring system got confused if another identical vehicle passed you in the street.

I've also heard of a radio signal based fuel level monitor. Combined with an engine management system that would stop the engine before you run out of fuel to prevent expensive catalyst damage, that suggests some interesting car-jacking opportunities.

Press the remote key on someone's 1999 Range Rover 100 times and they won't be able to open the car.

Renault Meganes can be unlocked and started with a MiFare 4k card - trivially clonable if you look at rfidiot.org.

The car industry hasn't begun to feel the pain of poor security yet.

Knowler Longcloak • November 6, 2007 3:37 PM

@Chris S

HAM radios can transmit signals (Morse code, bouncing off the ionosphere, using the right antennas) from New York, USA to Sydney, Australia using only 5 watts of energy. For transmitting numbers only 50 meters it would only take a couple of milliwatts of energy. This could easily be sustained continuously for hours on end with a 6-volt flashlight battery let alone a car battery.

Armin • November 6, 2007 3:46 PM

"Presumably these drivers got in and turned the key in the ignition."

Quite a few modern cars don't have a key to turn in the ignition any more.

They just have a key fob (which you might have to place in a slot, but not more) and a start/stop button.

CZS • November 6, 2007 3:48 PM

A brief note to uberdilligaff ... I long for the days of old when you actually could use a key... I have a 2007 Mazda Altima and, while there is a key for opening the driver's door, it has a button you push to start. There is no place to insert a key as it's all authorized from an electronic key fob.

The salesman was pretty much at a loss when I asked what Mazda would do to correct a situation where someone figures how to extract the digital key from my auto key.

Tanuki • November 6, 2007 4:05 PM

Many of the car-based receivers for "radio" keys use super-regenerative receivers [typically on 433.92MHz]. One of the characteristics of super-regenerative receivers is that they can radiate broadband RF 'hash' around the frequency they are intending to receive. I can understand how a significantly malfunctioning receiver might radiate such signals and other adjacent receivers would see this as a raised noise-floor rendering them unable to see their genuine unlock-signal cleanly.

There have been similar problems over the years with cars flattening their batteries when subjected to spurious local RF which "wakes-up" the in-car electronics and increases the current drain: Some Range-Rovers had a particular weakness in their BECM [Body Electronic Control Module] which could cause it to draw a constant 2 amps or so in the presence of unscheduled RF signals. Parking one of these near a transmitter could flatten the battery in a couple of days.

dragonfrog • November 6, 2007 5:52 PM

@Chris S

Most of these systems use a challenge-response protocol, so the car has to receive an "I'd like you to open now" message, then send back a "prove to me you're entitled to that" message, and finally receive the "evidence" message.

With a simple transmission, an attacker could just snoop a single transmission off the fob, play it back, and open your car. With a challenge-response mechanism (assuming it's not easily cracked, as most of them so far seem to be), the thief would have to actually obtain the fob, not simply replay a transmission off it.

The single-transmission model is perhaps like older garage door openers - my wife used to live along the flight path of a smallish airport, and often all the garage doors in the neighbourhood would start opening and closing on their own when a plane flew over.
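As an added illustration of the two models dragonfrog contrasts (this is example code, not part of the original post or any of the comments), the Python sketch below simulates a fixed-code fob and a challenge-response fob sharing a constructed demo key. It assumes HMAC-SHA256 for the response, which is stronger than what most fielded fobs of the era used; the point is that a transmission recorded from the fob opens the fixed-code car on replay but fails against the challenge-response car, because every challenge is a fresh, single-use nonce.

```python
import hashlib
import hmac
import os

# Constructed demo key shared by fob and car (not any real vehicle's key).
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
UNLOCK = b"UNLOCK"


def fixed_code(key: bytes) -> bytes:
    """Single-transmission model: every button press sends the same 8-byte code."""
    return hashlib.sha256(key + UNLOCK).digest()[:8]


class FixedCodeCar:
    """Car that opens whenever it hears its fixed unlock code."""

    def __init__(self, key: bytes) -> None:
        self._code = fixed_code(key)

    def receive(self, msg: bytes) -> bool:
        return hmac.compare_digest(msg, self._code)


class ChallengeFob:
    """Fob that proves key possession by answering the car's nonce."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def answer(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, UNLOCK + nonce, hashlib.sha256).digest()[:8]


class ChallengeCar:
    """Car that issues a fresh single-use nonce for every unlock request."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._pending = None  # nonce awaiting an answer, if any

    def challenge(self) -> bytes:
        self._pending = os.urandom(8)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:          # nothing was challenged: ignore stray messages
            return False
        expected = hmac.new(self._key, UNLOCK + self._pending, hashlib.sha256).digest()[:8]
        self._pending = None               # a challenge can be answered only once
        return hmac.compare_digest(response, expected)


def replay_against_fixed_code() -> bool:
    """An eavesdropper records one press and plays it back later: the car opens."""
    car = FixedCodeCar(SHARED_KEY)
    recorded = fixed_code(SHARED_KEY)      # what the fob transmitted on the recorded press
    return car.receive(recorded)           # True


def replay_against_challenge_response() -> bool:
    """The same recording trick fails: the old answer matches a nonce that is gone."""
    fob, car = ChallengeFob(SHARED_KEY), ChallengeCar(SHARED_KEY)
    recorded = fob.answer(car.challenge())  # legitimate exchange, overheard
    if not car.verify(recorded):            # the owner's own unlock succeeds
        raise RuntimeError("genuine exchange should verify")
    car.challenge()                         # later: car asks again with a new nonce
    return car.verify(recorded)             # False


def genuine_unlock() -> bool:
    """Owner with the real fob: challenge answered live, car opens."""
    fob, car = ChallengeFob(SHARED_KEY), ChallengeCar(SHARED_KEY)
    return car.verify(fob.answer(car.challenge()))  # True
```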

jammit • November 6, 2007 6:06 PM

Anybody know where I can get a rain cover that doubles as a Faraday cage?
As Tanuki stated, some receivers can accidentally transmit a signal. There may have been a faulty GPS doing funny things, or a cell phone, or On Star malfunction. Pretty much any radio device, designed as a transmitter or not, could do something like this. There may be a possibility there's nothing really wrong with the jamming car, but a local radio station may have triggered something in the car that was slightly "iffy". I'd like to hear a follow up on this and find out what exactly was going on.

Martin • November 7, 2007 12:09 AM

Whatever happened to - you know - keys? Back here in ye olde Europe, all this wireless fancystuff is actually only for comfort, with a solid-steel-key (don't actually know what car keys are being made of) as an always-working backup...

moo • November 7, 2007 12:27 AM

I find these keyless cars really bizarre too. My first and only car was a 2004 Mazda, and it has a fob and immobiliser--and also a physical key that you can insert in the door, and have to insert in the ignition. (The chip in the key connects electrically to the engine computer when you insert it in the ignition slot). So to clone that puppy you need the digital key off the chip *and* a physically-equivalent key housing (or else you have to rip into the steering column like they did in the good old days).

A car without an actual slot to insert an actual key for ignition seems... weird to me.

Cheese_and_Cracker • November 7, 2007 1:22 AM

@Martin
Uhh yeah? Never seen one of the keyless Renaults? Or Saabs? Or Mercedes? They have existed for more than 5 years.

In a Renault, you put a small card in a slot and then you push the start button, in a Saab you just sit in the car and you push the start button.

Moe • November 7, 2007 3:02 AM

A few years ago, there were news reports about thieves who exploited this in .de:

They found out that many remotes could be blocked by a regular cellular phone (no details on what function in that phone caused it, so it could have been BlueTooth or GSM or anything else).

What the thieves did was to hang around a parking lot and block the remotes as owners tried to lock their cars. Many owners didn't actually bother to check if the car really locked up (or at least, if the usual flashing lights occurred), so the thieves managed to keep lots of cars open and loot them without raising suspicion. After all, if you're going to a car and open it by the door handle, no one would suspect you're a thief.

Tim • November 7, 2007 3:35 AM

@Martin:

It's not just in the U.S. Most of Toyota's European lineup use rf fobs with an on/off switch as well. My car has one! (And I'm in the U.K.)

David Harper • November 7, 2007 3:40 AM

RF interference with car systems is not a new phenomenon. Ten years ago, my wife had a 1989-vintage Peugeot 309 with a fob-activated alarm system.

We discovered that whenever we parked in the vicinity of a particular Tube station in London, we couldn't activate the alarm. Next to the Tube station there was an apartment block, and on the roof of the block was an array of aerials, most likely relays for cellphones and/or emergency service radios. One of them evidently operated at the same frequency as our car's alarm system, but at a higher power.

Woo • November 7, 2007 3:45 AM

hmm.. I guess by the time I need a new car (which hopefully won't be before at least four or five years.. I love my current one and the latest BMWs look ugly) I'll be stuck with the keyfob and button-to-start "feature" too, as more and more brands copy that. If that's the case, then the first thing I'll do is to rip that button out, and install a classic tact keyswitch in its place. Might not raise security significantly as it can surely be hotwired if the thief doesn't care for physical damage to the dashboard, but at least it'll cost them a few minutes.. and it preserves me a place to put my keys while driving ;)

marc • November 7, 2007 3:54 AM

@Cheese_and_Cracker

you are mixing up different things, as mentioned above: the key and the ignition system.
In every Renault's RFID card is a spare key you can use in case of troubles (have a look at the "rounded" edge of the card). Inserting the card into the "slot" is just putting an RFID in a reader (and this reader is located less than 5 millimeters from the card, thus playing down any RF troubles).

The door opening transmission system has nothing to do with the ignition system. It's a plain old RF remote (using UHF low power transmissions) and not an RFID (which is mostly a passive device, or is considered as one).

This story is interesting in many ways. People are so accustomed to pressing a button that they are totally disarmed when the technology is collapsing. They don't try to turn away to find a new solution (extracting the spare key from the card); they call Ofcom...

That proves at least one thing: we all tend to trust a new device because the less we understand the technology within, the more we estimate the safety it is supposed to offer. Why? Because we identify ourselves with the thieves and other "villains". If "I" don't understand how it works, so are "they", and thus giving "them" less chance to steal my belongings.

Alas! We are often forgetting a small detail: "they" are specialised more than us, because knowing how an RFID works is part of their "professional" activity.

My 2 cents

ThomasP • November 7, 2007 5:50 AM

Interference can block the recognition of the genuine key fob. On Honda HISS, I had the problem once. I had a perfect physical key with a non-coded ID and a broken key with a well-coded ID. Strapping the keys together, there was no way to start the engine, until I removed the non-coded ID from the good physical key.
So yes, this interference can stop you from starting the car.

Clive Robinson • November 7, 2007 6:14 AM

The real problem appears to be the mass market use of a very very limited radio spectrum.

Put simply most Governments around the world require that transmitters be licensed individually by their operators (for various arcane reasons). Which is ridiculous for a mass consumer item and has proved very problematic in the past (remember having a licence for a radio receiver?).

--> Boring historical bit 8)
Prior to the Second World War nobody really cared about localised use of "wireless" as the equipment was too expensive to make and extremely fragile. However after WWII complete mayhem then occurred due to large quantities of reliable surplus kit. More regulation was brought in including an International Organisation responsible for deciding what part of the radio spectrum could be used and for what in what parts of the world where it crossed international borders.

To cut a long story of greed, avarice, one-upmanship and plain stupid short sightedness by the various Gov's and Organisations involved short, we ended up with several world regions that have different Band Plans...

However due to representation from the Industrial Scientific and Medical organisations several (ISM) bands were reserved for R.F. equipment that was not directly intended for communications. This type of equipment became "licence exempt" in that the operator is not required to go cap in hand to the Gov and tug their fetlock to have permission to operate it.

However the way the ISM band equipment was specified it allowed all sorts of low power radio equipment to be developed that really was never envisaged in the first place (TV remote controls, Cordless Phones, children's toys etc).
--> End of Historical bit

However licence exempt does not mean no "type approval" on the equipment which can be an expensive and lengthy business. Obviously it is also a hindrance that most manufacturers wish to minimise or avoid.

Unfortunately in a lot of cases the ISM bands do not appear to cover the same frequencies in all parts of the world, which if you are an International manufacturer of consumer goods is a real pain.

The result: the manufacturers have all settled on the few bits that are Internationally Standard (2.5GHz being one) in just a very few MHz of band space. So the ISM bands in use can seem like the radio equivalent of Times Square on New Year's Eve in even a moderately urban area.

--> DO NOT TRY THIS AT HOME
A simple experiment of major engineered chaos would be,

Take an ordinary Microwave oven and make some minor mechanical and electrical adjustments to it (See details on the WWW posted by helpful Ham Operators).

Add a unidirectional antenna to it (see details on WWW posted by helpful WiFi users etc), then take it to the top of a tall building in a major financial district and sweep it up and down the 2.5GHz ISM band. A minor mod to a computer UPS will give you sufficient power for ten minutes of "fun" if there is no handy mains supply on the roof.

Basically in most parts of the world your WiFi / Bluetooth / CCTV links / security systems / etc are given a maximum radiated signal (ERP) of a few milliwatts (1mW = 1/1000W). The magnetron in the microwave oven however is usually capable of generating more than 500Watts and with an antenna of suitable gain (21dBi) can look more like 50 thousand watts or over 5 million times stronger. This gives it something like 2 thousand times the effective range of the other aforementioned devices.

One important note: make sure you are quite a distance away from the microwave oven lashup or you might just cook bits of yourself and other items of electronic equipment that you regard as important 8).

A few years ago there was a handy post made by an individual along with a video clip showing how at close range this sort of lashup was effectively a High Energy Radio Frequency (HERF) Gun. The video showed it taking out various bits of electrical equipment at anything up to 100m.

A HERF gun is considered a battle field weapon by the U.S. and other nations, and was supposedly first used during the first gulf war. It has also been (again) supposedly used to blackmail various organisations whose data centres are visible through glass from adjacent buildings.
--> End of DO NOT TRY THIS AT HOME

The solution to the whole overloaded ISM band problem is fairly simple but is not likely to happen any time soon, which is for the allocation of more ISM bands that are the same throughout the world.

Thus giving a much wider radio spectrum for manufacturers to use to the benefit of all, it would also help if the standards bodies also compartmentalised various uses to different parts of the band so that things like WiFi and Bluetooth did not interfere with each other.

matt a • November 7, 2007 7:03 AM

WRT just using the key if the fob doesn't work - I don't know if Pontiac (or if this was a GM thing in general, although my Tahoe at the time didn't do this) still does this but my 2001 Aztec has an interesting theft deterrent. If you locked the car with the fob and then unlocked the door with the physical key, the alarm goes off. If you used the key or the inside locks to lock the door, then the alarm did not sound when you used the key. I guess it was designed so that in case someone stole your keys (which is usually on the same ring as the key fob) AND they didn't manage to get your key fob in the process, the alarm would sound.

Of course, this is the same car company that designed the Aztec so that you could put a tent on the back of car (which was kinda cool) but if you left the back latch up (required to put the tent up), it drained the battery and left you stranded in the morning...

TheDoctor • November 7, 2007 8:50 AM

I always found remote car locks an evil in itself.

Simply think of yourself walking along the seashore and the battery equipped key falls accidentally in the salty water.

If you are lucky there is a mechanical backup key but the electronics are gone.

derf • November 7, 2007 2:59 PM

@dragonfrog

"... the thief would have to actually obtain the fob, not simply replay a transmission off it."

So the thief just shoots you in the back and takes your key & fob. Not all that difficult when compared to trying to monkey with a bunch of electronics and encrypted keys. Wouldn't it be safer to just leave the keys in it?

bernardy • November 7, 2007 7:48 PM

matt a:
I think that feature is a GM-wide thing. My 2000 Saturn had it. But I thought the point of the feature is to sound the alarm in case someone without your fob jimmies or picks the lock on the car.

Mark • November 8, 2007 6:51 AM

@Andy Cunningham
I had an interesting "debugging" session a few years ago when my car battery went flat if the car was parked outside my house for more than 36 hours. Anywhere else, no problem. It turned out my new weather station transmitted on the same frequency as the keys and kept the computer awake!!

Where was the charge going? 36 hours is not that long and car batteries store a large amount of energy. (Sufficient to drive the starter motor for several tens of seconds.)

@Andy Cunningham
There's lots of other car-related problems: when Land Rover first introduced the latest shape Range Rover, the tyre pressure monitoring system got confused if another identical vehicle passed you in the street.

It actually makes some sense to use a wireless system for this. It's rather hard to see how the wheel on a passing vehicle could be closer than a pickup's "own wheel" without a collision. Unless someone did something daft like one RX for all four (or five) wheels, as opposed to one per wheel.

@Andy Cunningham
I've also heard of a radio signal based fuel level monitor.

Why? Especially if the fuel sender is powered by the vehicle battery.

@Andy Cunningham
Combined with an engine management system that would stop the engine before you run out of fuel to prevent expensive catalyst damage, that suggests some interesting car-jacking opportunities.

To do this sensibly it would make more sense to look for air in the fuel line. Even when the tank sensor reads "empty" you may still have sufficient fuel to travel some distance.

markm • November 8, 2007 8:12 AM

"Unless someone did something daft like one RX for all four (or five) wheels, as opposed to one per wheel."

Using a single receiver would save three receivers, four cables out to the wheel wells, and probably three input circuits for the car computer. I'm just guessing, but that's probably at least $10 saved per car.

Auto manufacturers will go to amazing lengths to save less than that, because such numbers are multiplied by a very large number of cars. It supposedly only took Ford $5 to retrofit a Pinto with metal blocks that would put a hard stop in the rear suspension before it compressed enough to punch holes in the fuel tank. (Those were 1970's dollars, equivalent to perhaps $20 today, but I'm sure that the cost added by designing those hard stops into the car in the first place would have been much less.) So Ford saved a few bucks per car even though it would kill a few people. The consequences of temporarily misreading a tire pressure sensor are much lower.

Anonymous • November 8, 2007 10:04 AM

"Whatever happened to - you know - keys? Back here in ye olde Europe, all this wireless fancystuff is actually only for comfort, with a solid-steel-key (don't actually know what car keys are being made of) as an always-working backup..."

That is disappearing as part of 'security'. If a mechanical key can operate the car, then all a thief needs to do is clone the key.

As I understand it, even many cars with 'keys' actually interrogate the key chip electronically and will not start if that fails.

blowhard • November 9, 2007 2:58 AM

The solution to this situation is the implementation of IPV6. The number of IP addresses is immense beyond description. Each vehicle would have its own IP address number. Due to the trillions of possible addresses, cracking the IP address would be so close to impossible as to be an excellent security solution. The fob and the on board computer would be "attuned" (use the same IP address) to one another on an RF broadcast to open the car and operate the vehicle. For the first car company that implements this in the form of chips embedding the IPV6 solution, you owe me major bucks. This is full notice that this solution is mine and rights will be licensed.

John C • November 9, 2007 3:23 AM

A couple of things:
1) a car I owned had a traditional key as well as a fob. But it also had an engine immobiliser. If you have to use the key, to deactivate the immobiliser then there is a 20 digit number you enter. For the first digit you turn the key to the right that many times. For the next, to the left that many times, and so on for the whole 20 digits. Nice. If you make a mistake you have to wait - 5 mins I think - and start over. So basically you have to use the fob. I don't know how many other cars have a similarly impossible process you need.

2) if there is someone with a key fob jammer rigged up, then he can come up to you one dark night when you are about to get in the car, and suggest a donation for turning the jammer off...

I believe that the whole nice thing about these was you could unlock the car just before you get to it and so get in quickly and thus more safely - these two points show that it can actually decrease this.

DOS against wireless is so easy that I feel there always needs to be a good alternative. For sure, it should never be relied upon when quick access to an important resource is needed.

John David Galt • November 15, 2007 9:34 PM

In the US, the solution currently being touted by GM is to subscribe to "OnStar" and have its remote operators open the door if you're locked out. I'm not sure exactly how OnStar communicates with its handlers (I suspect an embedded Iridium phone), but I'll bet it's full of security flaws that haven't been publicized yet, both those involving interception (or spoofing of either end) of the Onstar radio link and those involving "social engineering" of OnStar staff by people who aren't really authorized to have access to the car.

I wonder how many companies like OnStar will have to be sued to death before the industry figures out that good security pays. (If it does, and I hope so.)

mckendrick • March 24, 2008 9:34 AM

I had a 2007 Volvo XC70 that would not start on 6 different occasions - the battery would drain and the dealer could not figure out what was happening. So they gave me a new car, an XC 90, and now it has not started on 2 different occasions. Obviously something is interfering with the electronics of my car. Anyone have any ideas?

stu30 • September 14, 2008 3:37 PM

There is a black spot on my drive: when parked there, the key fob will not work until you are almost touching the car. I have tried this with 4 different cars, all with the same result. Weird or what? Park 5 meters away and it's fine.

Lee Wicker • March 7, 2011 2:54 PM

In my 2007 RangeRover, the radio has a mind of its own. When I start the car, the radio will be blasting away on a station that I never listen to. And sometimes the radio comes on when it is turned off.

Any ideas?

Clive Robinson • March 7, 2011 5:02 PM

@ Lee Wicker,

"Any ideas?"

Have you ever watched "Top Gear"?

The presenter Jeremy Clarkson is well known for "jigging" the radio etc in another presenter's (James May AKA Captain Slow) car on their various jaunts in motor cars.

Maybe somebody you know has been watching ;)
