Man-in-the-Middle Attack against Electronic Car-Door Openers

This is an interesting tactic, and there's a video of it being used:

The theft took just one minute and the Mercedes car, stolen from the Elmdon area of Solihull on 24 September, has not been recovered.

In the footage, one of the men can be seen waving a box in front of the victim's house.

The device receives a signal from the key inside and transmits it to the second box next to the car.

The car's systems are then tricked into thinking the key is present and it unlocks, before the ignition can be started.

Posted on November 28, 2017 at 6:03 AM • 47 Comments


me • November 28, 2017 6:23 AM

it's a relay attack, they are just repeating the signal (bidirectional way) so they can pass challenge response (if present).

i was thinking about this attack on contactless credit cards but from what i have read it is not possible because the expected response time is very low and if you put a retransmitter in the middle the response time increases and the attack will not work.

i don't think that the hint "put the key in a faraday cage" is good advice.
that's an epic fail of the producer; they should have thought about this, it's not that they can sell a wireless key and say it's secure only if you block wireless wtf?!?!?

mod • November 28, 2017 6:43 AM

I suspect (but I do not have any "insider" information) that this is just abusing RFID. The first guy's device (closer to the house) is just emitting an EM field and then the key divulges itself, the signal gets picked up and relayed to the other device, held by the guy at the car.
The reason I am saying this is I just saw some "car key pouches" and this reminded me of "RFID pouches". (It's probably not RFID, something more proprietary.)

Nearly any physical security with locks and keys acts just as a flag that somebody broke in - mostly just to prevent random bypassers from opening your doors. It acts also as a social norm - if it's locked and not yours, none of your business.

Markus Fritze • November 28, 2017 6:51 AM

This kind of attack has become very common in Germany in recent years. And yes, people started storing their keys at home in metal boxes. Obviously this attack would also work in the parking lot of a store.

The manufacturers have not done anything to avoid this kind of attack - even the most recent cars have this fail. I mean: you can unlock the car with the relay attack, but then you can keep driving forever without the key anywhere close?

I understand that shutting down the car on the Autobahn because communication was lost, is not a good idea and also the battery drain on these keys is probably also an issue.

But maybe after driving the car for 1/4 mile the car starts checking for the key again and only if it makes contact at least once within 2-3 minutes it will allow further driving. That would at least make it harder for a car thief to get far enough away.

me • November 28, 2017 7:00 AM

@Markus Fritze
you can keep driving forever without the key anywhere close?

apparently yes:
-a friend told me that he had it in his pocket but his dad was going to work; only when he had to come back home did he notice that he didn't have the key (his son had had it in his pocket near him in the morning)
-read an article about a tesla? car: he used his phone to unlock the car, he stopped in the middle of nowhere (far from city streets) to watch the sunset. he could not turn the car on anymore because there was no mobile phone network in that area.
i still have "old" key (luckily)

Rick Lobrecht • November 28, 2017 7:42 AM

As we've read here many times, security is a trade off against convenience. I have a 2010 Nissan Versa (sub $20k car) with a smart key, and it exhibits the same behavior. Keyfob near the car, and you can unlock the doors (requires pushing a button on the door, but not the key). If I start the car (with the key inside) and then leave with the key, it will stay running.

I suspect that most people want this behavior, and not have to actually interact with the key. Most would see it as a step backward in luxury (i.e. convenience) if the car manufacturers changed the key behavior to be more secure.

That said, they should be able to improve the key identification routine so these kinds of attacks are more difficult.

Piper • November 28, 2017 7:47 AM

I do love not having to fish my keys out of my pocket in the dead of winter while carrying two arm-loads of groceries.

Ultimately, we all pay the price for this convenience in the form of higher insurance rates.

255 • November 28, 2017 8:25 AM

@me came to the comments for this, so it's a relay attack not a man in the middle attack

I remember when garage doors would happily open from a replay attack

wolsonjr • November 28, 2017 8:41 AM

When you're home (or wherever) and the key is going to be in range, lock the car, turn OFF the key. We've done this ever since they came out.
You can't relay it if it isn't broadcasting. It's a little extra work, but not that hard.

Sylver • November 28, 2017 9:14 AM

I have a 2017 Toyota RAV4 and they seem to have figured this out. If I start the vehicle and walk away with the key, the ignition will stay "on"; however, the vehicle will stop and not go anywhere. My wife has "tested" this for me a few times by dropping me off at work and forgetting her keys. I have to go back and give her my keys before the vehicle will go any further.

Mike • November 28, 2017 9:15 AM

RE/ driving without key: My BMW X1 will actually complain (A LOT) if the key is not present IN the car, and eventually turn off at the next chance - read: while not moving. I know because... My wife had the key in her purse. I stopped to drop her off for work at a red traffic light, city center, major road, rush hour. She rushed into work and almost at the same time the car turned off complaining that the key was not present...

Well, after only 5 Minutes of me standing and blocking the road she returned with the key.

Convenience vs. Security. Even with this embarrassment I prefer it this way.

Clive Robinson • November 28, 2017 9:27 AM

"And all because the lady loved to shop, thus use her bum to open the door"...

Or at least that's what the adverts used to show.

There is another issue with these electronic keys on cars. Sometimes the range they will work at is way way way beyond that you might expect.

What feels like years ago now the Top Gear motoring program demonstrated this with Clarkson putting a key up against his temple and unlocking a car that was a very long way away (think large supermarket car park).

With the newer "passive keys" where the key is in effect a smart RFID triggered by a field the car generates all the time, such a relay attack was a foregone conclusion...

There is by the way no technical solution to such Marketing Madness unless you think a strategic neutron bomb might not be overly objectionable?

. • November 28, 2017 10:22 AM

It's more than that. It has to detect both sides of the car, distinguish between them so it knows if the key is in the car and then prevent you from locking the key in the car. And it has to prevent you from locking the key in the trunk, say, an extra key in luggage. It has to be able to tell if there is more than one key since you may carry more than one, or a passenger may have one as well as the driver. Then it has to be smart even when the field varies in strength and orientation. It's much more than just a smart proximity device.

As soon as you require the owner to remove the key from a pocket and handle the key or press a button, you might as well remove the feature altogether. Similar problems exist with smart front door locks using smart phones, etc. And they're cost sensitive. If it's too expensive no one will buy it no matter how well it works.

Then you have to actually design for manufacturing, firmware, pcb, plastic, packaging. Test a million times that it does work when it's supposed to work. Owners don't think a whole lot about hackers, but as soon as it acts flaky and they can't get in their car it's game over.

Designing a better system is a lot harder than just spewing comments on a blog somewhere. As difficult as it is for you to believe.

Tatütata • November 28, 2017 10:29 AM

I loathe motorcars, in particular those of the type "Potenzersatz" (male virility substitute) peddled in places like S, M, IN, or WOB, so I won't try to dissimulate too much my schadenfreude... I wouldn't expect right-hand drives to sell too well even in Kazakhstan, so this one will probably be slaughtered for parts which will then be combined with some wreck (but with a legit VIN) and transformed into a saleable carriage. The economics of the whole business make me wonder, it probably wouldn't work without very cheap labour.

I found a Wired article from March 2016, with an embedded ADAC (Germany's largest automobile club, a.k.a. the country's leading political party) video showing essentially the same operation. It's not clear whether the "surveillance camera" section of the video is an actual theft, or a dramatization.

There is a reference to a Swiss 2011 paper, so it's a bit of old news.

The paper mentions "distance bounding", i.e., range limitation. I looked up patents, and found a fair level of activity in that particular area over the last 5-6 years (apparently dominated with filings from South Korea), so the question is why there isn't a workable solution yet.

Russ • November 28, 2017 11:06 AM

I hate these electronic keys/key fobs. When I could I opted for the cheaper car without them. I recently bought a new Subaru and this time I was forced to accept them because there wasn't an option without.

Why are we so lazy we can no longer manually turn a key in a lock?

V • November 28, 2017 11:27 AM

@ Markus Fritze

But maybe after driving the car for 1/4 mile the car starts checking for the key again and only if it makes contact at least once within 2-3 minutes it will allow further driving. That would at least make it harder for a car thief to get far enough away.

1/4 mile is enough to drive a few blocks and load the car onto a flatbed carrier.

"Oh look: another Mercedes. I see those being toted off to the shop all the time."

Petre Peter • November 28, 2017 11:33 AM

“I am going to work this out. Computer!”. Remember, Motorsport is no longer a paradox with a self driving car on the autobahn. Because of complexity, the driver mitigates the risk of not being “fully asleep” to the manufacturer which in this case is the human element. i can see the car as the bed in a hotel with a receptionist: if i get to it, i can sleep my way to the destination as long as i trust the luggage person (MITM), travel light, or never leave the auto...mode. The human element is required to make progress. Without it, we are agreeing to compete on whose car/bed/auto is more automatic. Utopically, the only way to test this topic is through the ability to remember if i was “fully asleep” - a new type of sport safe from (MITM). “Define legislation Computer”. Legislation is the key. Until a hitchhiker - another type of MITM. Hu ⚛️

albert • November 28, 2017 11:44 AM

I remembered the story of the guy who found that his house door key matched his car key:) That's awfully convenient. How long before someone implements this?

Around here, we call it 'stripping'. Just the other day, I saw a car set up on bricks and blocks, stripped of all 4 wheels. It was a relatively busy residential area. Cars are like cows for the strippers; all parts are used, even the body panels can be cut out and saved. New replacement parts for luxury cars are eye-wateringly expensive, hence the demand. Given legit labor and parts costs (and legal risks), it's not a low wage business. RH and LH drive systems use many common parts, and chassis designs are identical for both.

. .. . .. --- ....

Clive Robinson • November 28, 2017 1:13 PM

@ albert,

Just the other day, I saw a car set up on bricks and blocks, stripped of all 4 wheels.

I saw the same a couple of years back just up the road from one of those gospel missions that have sprung up all over London where the faithful can be fleeced.

It was parked outside a house whose owner I was on a nodding/how yer doing basis with, and he happened to be having a smoke whilst leaning on the wall. I said hello and we got to chatting about the weather then the expensive motor up on bricks. He said it's the Pastor's and thumb pointed over his shoulder at the mission building. I asked if somebody had jacked it whilst the Pastor was preaching and was told no he did it himself... A statement that just was begging for a follow up question or three.

It turns out the Pastor, who's a bit of a slippery character with the mission funds and other monies and paid special devotional attention to some of the younger ewes in his flock, had gone on an all expenses paid fact finding mission to the US for a couple of weeks. Further that the Pastor didn't trust people so rather than park it in the garage where he lived he'd parked it up on bricks and covered it with a cover so it would not get "taken"[1]. Well I noticed immediately that the cover was gone, so I asked, and was told that some of the local kids had been seen carrying a bundle of the same coloured plastic. I half jokingly said "how long do you reckon before they strip it?" he thought for a moment or two before saying that he reckoned the only thing the pastor would have left by the time he got back would be the wheels locked up in the mission and laughed.

Turned out he was a little optimistic, somebody broke into the mission that night and stole the wheels, put them back on the car and pulled it up onto a low loader and disappeared off into the night.

Apparently it was not the repo men but somebody else, as the repo men came looking a week later...

Not sure if the Pastor ever came back from the US, as the mission had a new one shortly after. Who was not so much of the "hell and damnation" if you don't fill the collection box type, and a lot quieter in his sermons, and had a wife to keep him on the straight and narrow.

A few weeks after that I got chatting with the guy that owned the house and said it was quite funny in a way. To which he replied smiling "You know God moves in mysterious ways" before nodding and saying "It couldn't happen to a more deserving man... No it sure couldn't" before laughing a lot. I guess he didn't like the Pastor much either.

[1] If I remember rightly the actual word was "repo'd".

AJWM • November 28, 2017 2:32 PM

My older Subaru has both a key and an electronic fob. The key is absolutely required to start the engine, the doors can be unlocked/locked with either. But there's a catch.

The alarm system can only be disarmed with the fob.

It being an older car, the battery contacts in the keyfob are a bit worn and dirty. Sometimes the pushbutton doesn't do anything. No big deal, I thought, the first time this happened. Unlocked the door with the key, got in, and the alarm immediately sounded. I'm trying everything while the horn is blaring, but even the key in the ignition switch didn't stop it. Finally after much varied fob-button pushing, it mercifully silenced.


At least the bad guys can't start the engine with a replay attack. (Not that the car is worth the effort, probably.)

Judson Edwards • November 28, 2017 2:53 PM

My mother has the fob and a friend was driving the car. She dropped my mom at the door and went to find a parking spot. The car stopped and the horn started honking and lights flashing.

But in this case the device just took over for the fob. So right, not a MITM, but it emulated the fob and fooled the car into believing that the fob was close by.

Solution. Drive an old car.

JoeSchmoe • November 28, 2017 4:47 PM

Some related anecdotes:

Here in Washington state we have had problems on the ferry system with theft detection systems that disable the car (fancy european cars and especially those "reach" BMW rentals) if the vehicle is moved without the key present, preventing a thief from loading the car onto a flatbed or just towing it away. But anyway, the problem is that owners found themselves unable to start the car when the ferry docked. Total pain in the ass for everyone, repeated delays to the entire ferry system while they bring in a tow truck to get the disabled vehicle out of the way.

Also on the ferry system here, routine (and routinely ignored) announcements to owners to remember to disable motion sensor alarms. I vote they announce that any passengers should feel free to key any vehicle with an alarm going off. That might fix the problem.

A friend couldn't figure out how to lock his (fancy) rental car. He would lock it, but then when he tried the door to verify it was locked, it would open right up. Took a while until I pointed out that this was a "feature" not a "bug" - he had a proximity key, and since the key was in his pocket, of course it opened the door for him. I thought it was funny, but he failed to see the humor. :-)

Clive Robinson • November 28, 2017 5:05 PM

@ thiefhunter,

Can the key code be relayed to a device that will save the code, thus enabling duplication?

The answer is "it depends".

Obviously the key and the lock share a common secret, that they are paired by.

Back in the old days the key just transmitted the actual common secret over and over and over. Some garage door openers still work this way. Thus yes record the code then retransmit it and the lock would open.

Slightly later versions used a rolling code system thus each time you pressed the button the next code would be transmitted. They solved the code replay sort of, but introduced a whole bucket load of synchronisation problems... Which you could write a book about.

So the next trick was to use a cipher system. The key transmitter would send out a signal to wake up the lock, which would transmit back a --supposedly-- random number that the key encrypted with the secret and transmitted back to the lock. The lock would decrypt it with the secret and if the decrypted number matched the random number then the lock opened. Early systems used weak random number generation and stream ciphers... Thus were subject to replay with "bit flipping" attacks.

The RFID type proximity systems work the other way around. The lock transmits a random number, the key fob picks it up, encrypts it with the secret and transmits the ciphertext back to the lock. The lock decrypts and compares and if the number is the same unlocks. They tend not to use a stream cipher but a "secret sauce" block cipher, which might not be very strong at all. The reason being that the fob is effectively powered by the EM field put out by the lock which is going to be at best in the microwatts of power at the limits of the range.

Thus if the secret sauce has been reverse engineered and analysed weak crypto would enable some form of recovery.

However... In some the lock would keep transmitting the same supposedly random number until the lock unlocked... As the block length was short (16-20 bits) it was feasible to just transmit all bit patterns in sequence till the lock unlocked...

Thus you could say "If there was an incorrect way to do crypto, then the electronic car lock chip designers had probably already tried it and found it did not work prior to going onto their next failure..."

The reason this happens is good crypto is CPU cycle intensive and each CPU cycle takes a finite amount of energy. Thus good crypto drains batteries at many many times the rate of bad cpu cycle saving crypto... Further designing a fob with a changeable battery is a lot lot more expensive than designing one that is not changeable... So a lot of money can be saved going down the bad crypto route. Better yet customers don't have to be changing batteries twice a year, which also means less "fat thumb syndrome" of broken or forced battery contacts and covers leading to replacement costs and technician time for re-pairing of a fob to lock...

Speaking of which some car manufacturers based the secret on the VIN number which people can read off of the window, dash board etc. So if an attacker knows the algorithm then making a fake fob key is the work of moments...

That such weaknesses are put into the second most expensive thing people buy (ie house first, car second...) suggests that the car manufacturers are trying to minimalise or externalise the cost of crypto failure. But you should ask "do they care?" The answer is no. Because to them any car stolen and stripped/vandalised/exported is just a new sale to them.

Think about that carefully, their implementation of weak security means increased sales thus profits, thus quarterly targets etc... So where is the incentive to make things too strong?..

Tatütata • November 28, 2017 6:01 PM

Back in the old days the key just transmitted the actual common secret over and over and over. Some garage door openers still work this way. Thus yes record the code then retransmit it and the lock would open.

A friend asked me circa 2005 to take a look at a remote control for his building's underground garage.

I found inside a Motorola MC145030 encoder/decoder, a 9-dipswitch block, and a few odd transistors and coils forming a 433MHz ASK or OOK transmitter.

All switches were still set in the default position... (All zeros or all ones, whatever).

Replacement remotes were still offered for sale at that time. Probably still are as of late 2017...

But anyway, the problem is that owners found themselves unable to start the car when the ferry docked.

That would be an alternative explanation for the opening scene of Polanski's "The Ghost [Writer]", where a BMW wouldn't start upon arriving on the ferry from Martha's Vineyard (actually Sylt). I liked that flick, although it was one big product placement from start to finish.

Security Sam • November 28, 2017 8:20 PM

The more things do change
The more they stay the same
Reading this article triggers
A trip down memory lane.

Clive Robinson • November 28, 2017 10:14 PM

@ Security Sam,

    From a French King, To happy reminiscing.

From four lines to two,
A binary chop,
So over to you,
For one less few.

Tordr • November 29, 2017 1:30 AM

A solution would be to install a pin pad to get the vehicle started (2-factor authentication). We are so accustomed to entering pins that one more to get the vehicle started is not that much of a hassle. Stops these replay attacks dead in the water, does not stop thieves from entering the car with a replay attack.

Gunter Königsmann • November 29, 2017 2:00 AM

A friend of mine claims to know two cars his electronic key works for. Which would be a strong hint for really weak random numbers being used. Anyway:

If your car stopped abruptly as soon as your key is jammed/broken that would be a security issue. I once drove a car whose error memory apparently wasn't a ring buffer but stopped abruptly every few minutes if a head light with a bad contact had filled it with "light is broken/Light works" messages. Which in the middle of a motorway was quite scary.


There was a question about relaying wireless credit cards. In the German press there were reports from scientists who claim to have done it. You cannot relay the data via cell phone as the ping time is too high, but apparently by other (lower latency) means of RF transfer. And I would be inclined to believe that it wouldn't be too hard to take a wireless card reader to a party and to read all the cards you manage to come near to.

Squeaky Wheel • November 29, 2017 3:40 AM

It is not a mere "replay" attack, but a true man-in-the-middle attack capable of intercepting or deducing the secret key and then emulating the rolling codes, allowing the attacker to escalate his privilege to that of the keyholder. This is possible because today's fancier car keys or key fobs are now both transmitters and receivers, and they do employ crypto, but have implemented their key exchange protocols poorly.

Squeaky Wheel • November 29, 2017 3:57 AM

Correction, a purely analog implementation would be sufficient to achieve this effect on keyless vehicles. Basically it greatly extends the physical distance whereby the key's proximity to the vehicle will allow it to open and start.

James • November 29, 2017 5:58 AM

So I guess the mitigation is to store your key in a metal container overnight. Or maybe have some kind of metal sleeve?

Clive Robinson • November 29, 2017 7:38 AM

@ James,

So I guess the mitigation is to store your key in a metal container overnight...

If it's an effective Faraday screen, which might well not be.

But as I noted above,

    There is by the way no technical solution to such Marketing Madness unless you think a strategic neutron bomb might not be overly objectionable?

All real world solutions have edge and corner cases even when you think them through carefully.

Any RF engineer will tell you that all analog RF systems have bandwidth, and as long as you can filter to that bandwidth and the correct center frequency you can amplify the transmitted signal to any reasonable level thus range.

So an analog repeater will work from anywhere around the world if other precautions are not taken.

Thus you have to try and figure out the range of the keyfob.

There are two basic ways to do this currently and both have their problems. The first is to get two or more bearings on the transmitter, which is the old way used for Direction Finding. However in the case of the analog repeater it will only tell you where the repeater transmitter is, not the key fob. The second is a little like radar, you send out a timing mark and check the return path delay to get a range for the key fob. The problem is that the finer you want the range information the greater the bandwidth required. Usually wide bandwidth is a big no no in spectrum allocation.

However there are a couple of exceptions: Spread Spectrum systems such as Direct Sequence (DSSS) and Frequency Hopping (FHSS), and what are called Ultra Wide Bandwidth (UWB) systems such as Carrier free UWB (DS-UWB) and Multiband OFDM (MBOFDM).

All of these systems have their own issues. DS-UWB is effectively a modern version of the Spark Gap Transmitter developed by Victorian Gentleman Natural Philosophers, with ultra short duration transmission pulses, thus putting fractional amounts of energy across the 'DC to Microwave' spectrum or some chosen harmonic of it.

The actual solution will almost certainly end up being a variation of the ranging codes and direction finding, but I suspect that will not happen for quite some time, after UWB IoT systems and UWB wireless USB bring the on chip technology down to a few cents.

It really all depends on how smart the blackhat engineers are who design the repeaters for the car thieves. When it comes to luxury cars and their spare parts there will always be "other channels" to buy from, especially with the premium prices manufacturers want. Mark ups of 2-30 thousand percent are a direct invitation to car thieves. Even basic mass produced car parts at a 1000 percent markup are still sufficient margin, after all it's that sort of margin that happily keeps legitimate breakers yards in business.
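The challenge-response exchange Clive describes in his earlier comment (lock sends a random number, fob returns it encrypted with the shared secret) and the timing-based ranging he sketches here, as an added toy simulation that is not from the post or from any manufacturer's product. Propagation time is modelled at the speed of light, the fob's processing time and the repeater delays are assumed constants, and the class names (`Fob`, `Car`, `DirectLink`, `RelayedLink`) are hypothetical; timing resolution is abstracted away, which is exactly the part the bandwidth problem above makes hard in practice.

```python
"""Distance-bounding challenge-response for a passive keyless entry fob (toy model).

The car checks two things: that the response is correct (shared secret) and that
the round trip was fast enough for the fob to be physically close.  A relay
forwards a perfectly valid response, so only the second check catches it.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Free-space propagation: roughly 0.3 m per nanosecond.
SPEED_OF_LIGHT_M_PER_NS = 0.2998


def propagation_ns(distance_m: float) -> float:
    """One-way radio propagation time over distance_m metres."""
    return distance_m / SPEED_OF_LIGHT_M_PER_NS


@dataclass
class Fob:
    secret: bytes
    processing_ns: int = 50  # assumed constant: time to compute the response

    def respond(self, challenge: bytes) -> bytes:
        # Keyed MAC over the challenge stands in for the "encrypt the random
        # number with the secret" step; truncated to 8 bytes like a short block.
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()[:8]


class DirectLink:
    """Fob physically `distance_m` from the car, no intermediary."""

    def __init__(self, fob: Fob, distance_m: float):
        self.fob, self.distance_m = fob, distance_m

    def exchange(self, challenge: bytes):
        rtt = 2 * propagation_ns(self.distance_m) + self.fob.processing_ns
        return self.fob.respond(challenge), rtt


class RelayedLink:
    """Two boxes relay the exchange (house-side box near the fob, car-side box near the
    car).  The fob answers honestly; the relay only adds distance and electronics delay."""

    def __init__(self, fob: Fob, box_to_car_m: float, link_m: float,
                 box_to_fob_m: float, repeater_ns: int = 500):
        self.fob = fob
        self.one_way_m = box_to_car_m + link_m + box_to_fob_m
        self.repeater_ns = repeater_ns  # assumed per-box delay, paid in each direction

    def exchange(self, challenge: bytes):
        rtt = (2 * propagation_ns(self.one_way_m)
               + 2 * self.repeater_ns
               + self.fob.processing_ns)
        return self.fob.respond(challenge), rtt


@dataclass
class AuthResult:
    crypto_ok: bool   # response matches the shared secret
    range_ok: bool    # round trip within the distance bound
    rtt_ns: float

    @property
    def unlocked(self) -> bool:
        return self.crypto_ok and self.range_ok


class Car:
    def __init__(self, secret: bytes, max_distance_m: float, fob_processing_ns: int):
        self.secret = secret
        # Bound = light round trip to the farthest allowed position + fob processing.
        self.max_rtt_ns = 2 * propagation_ns(max_distance_m) + fob_processing_ns

    def unlock(self, link) -> AuthResult:
        challenge = os.urandom(16)  # fresh per attempt, so replaying an old answer fails
        response, rtt_ns = link.exchange(challenge)
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()[:8]
        crypto_ok = hmac.compare_digest(response, expected)
        return AuthResult(crypto_ok, rtt_ns <= self.max_rtt_ns, rtt_ns)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"      # constructed sample value
    fob = Fob(secret)
    car = Car(secret, max_distance_m=2.0, fob_processing_ns=fob.processing_ns)
    # Owner standing 1 m from the door: both checks pass.
    print("direct 1 m:", car.unlock(DirectLink(fob, 1.0)))
    # Fob 20 m away inside the house, relayed through two boxes: the answer is
    # genuine, but the round trip is far too long for a 2 m bound.
    print("relayed   :", car.unlock(RelayedLink(fob, 1.0, 20.0, 1.0)))
    # Wrong secret: crypto check fails regardless of distance.
    print("wrong key :", car.unlock(DirectLink(Fob(b"other"), 1.0)))
```

Note that with the assumed numbers the relay fails the bound even if the repeaters added zero electronics delay: the extra 40 m of round-trip path alone costs about 130 ns against a bound of roughly 63 ns.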

Security Sam • November 29, 2017 8:05 AM

@Clive Robinson

I just read your soliloquy
Using fancy terminology
It's a pity for a garage door
To abuse modern technology.

Clive Robinson • November 29, 2017 8:24 AM

@ Security Sam,

Alas a right old mess we've made,
As best laid plans have strayed,
You'd have hoped caution staid,
Should have been the game we played.

I'll stop at this point to let @Wael get a turn in ;-)

Wael • November 29, 2017 9:33 AM

@Clive Robinson, @Security Sam,

Now you're talking talking!

Alas a right old mess we've made,
As best laid plans have strayed,
You'd have hoped caution staid,
Should have been the game we played.

Since 'Dead men don't wear plaid!'

Jeff • November 29, 2017 4:24 PM

Modern garage doors allow one of the remote controls to be "cloned" into the remote buttons in the car (usually the rear-view mirror). This is done by operating the remote while the car "listens" to it. But the original remote still works, even if not used for several months after being cloned. How do these systems work, security-wise, in light of possible rotating codes, etc.?

Z.Lozinski • November 30, 2017 4:02 AM

I had a look at one of the Mercedes "Keyless-Go" systems to see if there are any simple defences against the relay attack.

The apparent components of the system are the car, the key and an engine starter button in the steering column where the key normally goes. The starter button is about 40mm in diameter and about 10mm-30mm deep. The business end of the key is a solid block, about 10mm x 20mm, it is not a traditional mechanical key.

The trick to working out how to disable the "Keyless-Go" feature (and thus the relay attack) is looking carefully at the starter button and key. The key is the same physical design as "normal" Mercedes keys, it has a flat area at the end that appears to be made of an infrared transparent material. The usual way you use it is to touch the door handle, and if the key is in your pocket it opens. Then press the starter button and you can drive off.

The starter button can be removed from the steering column, which exposes a slot for the key, which is the same physical design as a non-Keyless Mercedes. The "keyway" appears to have an infrared transparent area, about 3mm in diameter. In the non keyless car, the key is paired to the engine Electronic Control Unit, and there is some sort of challenge/response when you insert the key in the keyway. (Put the wrong key in and you get an error message). You can plug the key directly into the keyway and use it like a normal key - turn the key and the engine starts. If you remove the starter button the only way to start the car is with the key. (We'll ignore the onboard diagnostic port ... )

My hypothesis is that Mercedes have taken the standard design and added the starter button as an RF-to-IR transceiver, and that its purpose is to relay the challenge-response from the Engine Control Unit to the key over RF. (At a guess this is a standardisation/cost saving thing as I believe early implementations had a dedicated starter button on the dashboard.) The advantage is you can remove the starter button, which disables the keyless function.

The obvious weakness is a black hat hacker could engineer a module that goes in the keyway and performs the relay function. Basically a (slightly) more sophisticated version of the current relay attack which looks like it is RF relay / amplification.

I'm not even convinced it's a useful feature. Hertz gave me a car with a keyless feature and it served mainly to confuse my mental model of "where" is the car key. I know to take the key out of the steering column and put it in my pocket when parking. When it is keyless, I don't have a standard place to keep the key when driving.

Spencer • November 30, 2017 7:06 PM

PKE works this way: You approach or touch the car. It emits a low power 125kHz signal that triggers the key fob in your pocket to transmit the unlock code. The flaw in the thinking is that the security depends on the low power of the 125kHz transmission.

Receiving the 125kHz signal near the car and re-transmitting it at a high power will trigger the keyfob to send the unlock signal, and if the keyfob is within range of the car, it will unlock the car.

The attack works just as well when you are walking from your car into a supermarket.

I don't think that it has to be a store and forward attack, if you can build an analog receiver/transmitter that doesn't go into a feedback loop - a short delay or even a phase shift would do that.

Faraday cage (we use a silver tea caddy) does work and you can demonstrate this by walking up to the car with your Faraday cage with the keyfob inside and seeing if you can unlock the car.

It's not as reliable but putting the keyfob in your pocket next to your mobile phone may work since there is enough RF coming out of your phone to potentially disrupt the keyfob's transmission.

Now, if the same technique can be used to make the car think the key is inside, you can start it and drive off. None of the cars prevent you driving off without the key inside.

Security SamDecember 2, 2017 2:15 PM

A Faraday cage is used
To trap the things inside
A Faraday shield is used
To block the things outside.

EzekialDecember 4, 2017 12:37 AM

How much is this costing the Insurance companies? If it was a significant sum surely they would be refusing to cover vehicles with known vulnerable systems, both locks and immobilisers. Would this bring pressure on the manufacturers to make a better job of their vehicle security?

AmplectorDecember 8, 2017 6:34 AM

I’ve read about blockchain being the future of securing IoT devices. Could blockchain somehow be applied to secure something like this? If so, how?

Clive RobinsonDecember 8, 2017 8:35 AM

@ Amplector,

Could blockchain somehow be applied to secure something like this?

The answer to the "somehow" is probably yes, but there are way better ways to secure such systems. Especially when you consider the work factor in CPU cycles and thus battery life...

Contrary to what some blockchain devotees believe the blockchain is very much not the first solution to any kind of security or authentication issue. There appears to be a race on for people to get their name associated with some kind of blockchain solution as though it's a must have on a C.V.

At its simplest a block chain is a simple, often linked, list of records in groups or blocks where a cryptographic hash of a previous block is in effect the IV for the next block to be hashed with. Thus the hash chain is in effect a running key cipher with all the issues that involves.

But there are hidden issues that need to be resolved such as the temporal or sequence order of not just the blocks but the records within them. Thus some people make the block size be a single timestamped record and try to eliminate any kind of distributed state. Because the timestamp is a real thorny issue in any kind of system with two or more communicating nodes as for various laws of physics reasons the time at one node is not the same as the time at an observing node. Thus a three or more node system will have an irreconcilable issue with ordering records with those kept at the other nodes (look up "relativistic light cones" for a simple explanation)...

The last thing you want if record ordering is of importance is to have to introduce special relativity into your nodes as they have to do in GPS navigation systems and various communications networks such as those used in GSM mobile phone networks.

Thus the likes of High Frequency Trading where contract time and order are paramount get extremely complex temporally. This will get worse as blockchains get used for contracts and similar...

For instance let's assume my trading point is in the same room as the contract arbitrage system, but your trade point is 1000Km away. I can send you a contract which you sign and send into the arbitrage system. Meanwhile I've sent a copy of the contract to the arbitrage system that is different. However it arrives at the arbitrage system before your signed contract arrives. When it comes to reconciliation I can claim the contract you signed is not the final contract I sent you as that is the way it appears in the arbitrage blockchain... If you do not work this out within the actual protocol you are going to have lots of lawyers' bills in your future...

As for,

I’ve read about blockchain being the future of securing IoT devices

I'd look for more informed writing by the likes of an embedded systems designer who has worked in the complex communication of embedded devices for a decade or two. Unfortunately you will find they really are quite thin on the ground... Which is why I can foresee the rise of IoT security issues that make the history of WiFi look tame...
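Clive's description of a hash chain (each block hashed together with the previous block's hash) and his two-node contract example, as an added illustration that is not part of the original thread or any real blockchain implementation. The chain verifies and catches a modified record, but two nodes that see the same two records in opposite order each build a perfectly valid chain with a different head, which is exactly the reconciliation problem he describes. Record contents, the "C-1" contract identifier and the arrival orders are constructed for illustration.

```python
"""Minimal hash chain plus the two-node ordering problem.

Constructed example, not any real blockchain. Each block stores the
previous block's hash, and the block hash covers prev_hash || record,
so the previous hash acts as a chaining value (Clive's 'IV') for the next.
"""
import hashlib
import json
from typing import Dict, List, Tuple

GENESIS = b"\x00" * 32


def block_hash(prev_hash: bytes, record: Dict) -> bytes:
    """Canonical JSON so the same record always hashes the same way."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash + body).digest()


def build_chain(records: List[Dict]) -> List[Dict]:
    """One record per block, in the order given."""
    chain, prev = [], GENESIS
    for rec in records:
        h = block_hash(prev, rec)
        chain.append({"prev": prev.hex(), "record": rec, "hash": h.hex()})
        prev = h
    return chain


def verify_chain(chain: List[Dict]) -> bool:
    """Recompute every hash from genesis; any edit or reorder breaks the link."""
    prev = GENESIS
    for blk in chain:
        if bytes.fromhex(blk["prev"]) != prev:
            return False
        h = block_hash(prev, blk["record"])
        if h.hex() != blk["hash"]:
            return False
        prev = h
    return True


# Two versions of the same contract, as in the arbitrage example (constructed).
CONTRACT_EVENTS = [
    {"id": "C-1", "version": "as signed by the remote party"},
    {"id": "C-1", "version": "as resent by the local party"},
]


def tamper_detected() -> bool:
    """Editing a record after the fact invalidates the chain from that block on."""
    chain = build_chain(CONTRACT_EVENTS)
    chain[0]["record"]["version"] = "quietly amended"
    return not verify_chain(chain)


def node_chain(arrival_order: List[int]) -> List[Dict]:
    """A node appends the events in the order it happened to receive them."""
    return build_chain([CONTRACT_EVENTS[i] for i in arrival_order])


def ordering_disagreement() -> Tuple[bool, bool, bool]:
    """Node A (next to the arbitrage system) sees the resent copy first;
    node B (1000 km away) sees the signed copy first. Same records, both
    chains valid, different heads: neither chain is wrong, yet they disagree."""
    chain_a = node_chain([1, 0])
    chain_b = node_chain([0, 1])
    same_head = chain_a[-1]["hash"] == chain_b[-1]["hash"]
    return verify_chain(chain_a), verify_chain(chain_b), same_head


def same_order_agrees() -> bool:
    """Control case: identical arrival order gives identical heads."""
    return node_chain([0, 1])[-1]["hash"] == node_chain([0, 1])[-1]["hash"]


if __name__ == "__main__":
    print("tamper detected:", tamper_detected())
    a_ok, b_ok, same = ordering_disagreement()
    print(f"node A valid={a_ok} node B valid={b_ok} heads equal={same}")
```

The hash chain only commits to the order a given node chose; it does not decide which order is right. That decision has to come from the protocol around the chain (a consensus rule, a trusted timestamping authority, or a rule for which conflicting version wins), which is the part Clive says the enthusiasts tend to skip.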


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.