Hacking Automobile Keyless Entry Systems

Suspected members of a European car-theft ring have been arrested:

The criminals targeted vehicles with keyless entry and start systems, exploiting the technology to get into the car and drive away.

As a result of a coordinated action carried out on 10 October in the three countries involved, 31 suspects were arrested. A total of 22 locations were searched, and over EUR 1 098 500 in criminal assets seized.

The criminals targeted keyless vehicles from two French car manufacturers. A fraudulent tool—marketed as an automotive diagnostic solution, was used to replace the original software of the vehicles, allowing the doors to be opened and the ignition to be started without the actual key fob.

Among those arrested feature the software developers, its resellers and the car thieves who used this tool to steal vehicles.

The article doesn’t say how the hacking tool got installed into cars. Were there crooked auto mechanics, dealers, or something else?

Posted on October 17, 2022 at 10:07 AM12 Comments


Ollie Jones October 17, 2022 11:14 AM

I wonder if this is confusion on the part of the press-release author? The whole thing would make more sense if the attack vector were some kind of code-stealing and replay gadget.

Austin October 17, 2022 12:19 PM

per: https://www.the420.in/europol-arrests-31-for-stealing-cars-by-hacking-keyless-technology/
“A fake gadget, promoted as an automobile diagnostic solution, was used to change the vehicles’ original software, allowing the doors to be opened and the ignition to be started without the need of the actual key fob.”

I wonder if this is like an OBD2 port diagnostic tool that can use either wifi or bluetooth to let you read data (and sometimes change) on your vehicle. There are several of these in the US market that they intend you to keep plugged in permanently for various reasons. Some are for diagnostics and your smartphone periodically collects data and sends to their servers where you can look up stats 1or get alerts. Some are “parental controls/monitoring” of your teenage driver, and many are from insurance providers for tracking your driving habits to ‘potentially’ lower your bill.

lurker October 17, 2022 12:44 PM

Bleepingcomputer says they asked for more detail and haven’t yet got it.

PCMag says servers were seized that “had recorded over 53,000 connections.”

SpaceLifeForm October 17, 2022 2:59 PM

Supply Chain attack comes to mind.

If the Diagtool is hacked at the creator side, then it could appear that when used by unwitting techs, it still provides the correct diagnostic info but silently creates the security hole.

SeanB October 17, 2022 3:02 PM

Going to guess this was a common BT OBD plug, with slightly rewritten firmware, that allowed it to copy the CAN bus messages from the real fob, and allow them to be replayed, allowing the thieves to approach the parked vehicle, open the door and drive it off, as the system replayed the data from the original fob to the immobiliser, which them allowed start, and also allowed the doors to be unlocked on command. Then they can plug in the OBD port and, with the vehicle active, simply pair a new set of fobs to the immobiliser, and delete the originals, allowing them to move the vehicle and sell it in another country.

Going to say the devices were installed either by mechanics at dealerships, or by valets at hotels, or any place, like a car wash, where you leave your vehicle with other people unattended for a few minutes, as it takes little time to plug this small unit into the OBD connector, or with a little more time unscrew the existing OBD connector, and replace it with this device integrated into a short wire loom, with a socket to screw to the existing location, and a plug to plug into the original, so it does not appear to be there from cursory inspection. Common with things like car trackers used on those on “buy here pay here” places, or if you use the vehicle as surety for a loan, so they can recover the asset if it is needed.

Ted October 17, 2022 10:32 PM

This is from a French article (translated):

“The thieves, experts in car hacking, bought from the organization tablets, software and connectors allowing them to “duplicate vehicle keys but also to program blank keys without having the original” and to “modify embedded systems fitted to many vehicles”, according to the gendarmerie .

These digital kits were sold on a website, hosted by several companies based in France, which recorded more than 53,000 connections “which could correspond to as many thefts or attempts to reprogram keys”.”


Here’s another article:

“The searches led to the seizure of more than one million euros in criminal assets, dozens of blank vehicle keys of all brands, as well as computer equipment.”


Here’s also a tweet from the French National Gendarmerie with what looks like a picture of seized assets.


Denton Scratch October 18, 2022 7:15 AM

That’s an odd report.

They re-programmed the car, so they could unlock the doors and start the engine?

How were they able to re-program the car, without first gaining access? Is this “automotive diagnostic solution” something like Intel’s ME, whereby the firmware can be re-blown remotely, even when the machine appears to be switched off?

I haven’t tinkered with a car for 30 years, and I haven’t owned one for 20. Time was when an ordinary person like me could fix a lot of car problems with a screwdriver and a socket set. My first car was a Morris Minor; a ten-year-old could learn to service and repair that machine. You could get at just about everything in the engine compartment without removing other parts; there was a lot of air in there.

Francis October 18, 2022 1:07 PM

This is one more reason that automotive makers and other manufacturers of information technology enabled products need strict security standards mandated in the same manner strict safety standards are mandated. The systems need to be locked down so that only bonded and authorized dealers can mess with any security system. It is foolish to buy or trust diagnostic systems from vendors that are not proven to be trustworthy and that provide guarantees backed up by audits that assure security. The world’s political leadership is ridiculously uninformed about technology and the myriad threats that our archaic laws are enabling. Where are the system engineers that manage multidisciplinary teams that include security and safety engineers????

Denton Scratch October 19, 2022 9:16 AM

only bonded and authorized dealers can mess with any security system

I don’t think I agree. How’s that different from saying only Vaillant can service my gas-boiler, or only Apple can service my iPhone?

The problem you seem to be trying to address is that a third-party can make a device that can re-flash your car, and sell it to some rando. So you want to legislate against that? How are you going to prosecute a manufacturer in China, for example?

Maybe the problem is really that it’s permissible to sell a car knowing that the firmware might be defective, and therefore in need of re-flashing. Old-fashioned cars (I haven’t owned a car since 2004) managed fine with no firmware at all. I realize that modern cars have engine-management systems, smart brakes etc., that need software; so just make it so you can’t sell a car with critical security features in firmware.

K.S. October 19, 2022 10:09 AM

“The systems need to be locked down so that only bonded and authorized dealers can mess with any security system.”

Such goal would also drastically increase maintenance costs as it would inevitably going to be used to attack right to repair and lock out independent mechanics from performing unrelated repairs. More so, it is likely to be ineffective as there are multiple examples of malicious staff at legitimate dealerships leading to misuse of official tools.

Ted October 19, 2022 12:32 PM

The UNECE (UN Economic Commission for Europe) passed two regulations in support of vehicle cybersecurity: UN R155 and UN R156, for cybersecurity and software updates respectively.

I believe they have applicability dates in 2022 and 2024. The regs apply to 64 countries, including the EU, UK, Japan, and South Korea.

Although the US and China aren’t under the UNECE, experts believe the regs will develop into a “de facto global standard”.

Is anyone familiar with UNECE’s WP.29?*

*World Forum for Harmonization of Vehicle Regulations



Clive Robinson October 19, 2022 6:12 PM

@ Ted, ALL,

Re : Internationalisation of regulation.

“Although the US and China aren’t under the UNECE, experts believe the regs will develop into a “de facto global standard”.”

I would put money on it being that way.

The US is a falling world market for various reasons, and other markets are larger and appear more buoyant.

But that asside a little history,

The reason you have GPS in your smart phone is because the US mandated it for “Health and Safety” reasons (even though that was an out right lie). From a “Fast Moving Consumer Electronics”(FMCE) manufacturers point of view, having two different production lines for what is in effect the same product is more expensive than the cost of adding a GPS antenna and chip (the chip cost nolonger applies as it’s integrated with BlueTooth, WiFi, and similar on just a single chip these days).

The EU Low Voltage Directive and RT&TTE directives as were effectively “phased out FCC” regulations by FMCE manufacturers because they were better standards and untill Trump threw the toys out the pram over China very few cared or even bothered with FCC compliance (or still do).

EU regulation on “Waste Electrical, Electronic Equipment”(WEEE) were ground breaking in many ways, many other parts of the world just looked found them to be reasonable and deployed a ruber stamp and translators.

The fact peoples radios televisions and similar still work in the US is actually quite funny in a way. It comes via the EU and it’s EMC standards for “placing on the market” (see “Blue Book” for more on thay).

The US had made knowledge of what went into EMC “secret” along with “TEMPEST” and other EmSec. Because the likes of the US IC wanted to read your VDU two hundred yards down the road, see “Van Eck Phreaking” on Wikipedia or on this more than a decade old video,


Note in the second half it talkes about screening rooms by turning them into Faraday cages (something I’ve detailed in depth on this blog in the past). In that they talk about a fine mesh of wires used in the windows, it was actually illegal to sell that and other screening materials and the filters inside computers and “Visual Display Units”(VDUs) in the US. And knowledge of them was official classified as secret prior to the EU EMC legislation back in the 1980’s, which kind of blew the lid off of it for the NSA who looked on TEMPEST as gold method in their book of “methods and sources”. The EU EMC forced the FCC to up it’s game.

It’s always struck me as odd trying to “classify” what is essentially “the laws of physics” and any half way intelligent third year undergrad should be able to work most of it out from the info given in their course books…

Fun factoid, although Van Eck Phreaking appeared in 1985, it was nothing new, other than it only used $15 of electronics. Back in the 1970’s a decade before, the BBC Science and Technology news program “Tommorow’s World” demonstrated the technique for viewers to see much to the “British Government” subsequent disaproval. I was still technically at school then and I’d gone around to the “Physics Master’s” house to finish up a project on Satelite Tracking and weather image reception. I was chatting to him about how difficult it might be to “convert the equipment” to do the same thing (not at all difficult as we made a few mods then and there to see). His father was a senior Civil Servant and he was very interested and joked about the discussions they had held “in the office” about it (the word “Cabinet” goes in there somewhere ;-).

As got pointed out, it was not exactly news even in the 1970’s as the BBC Licence Detector Vans run by the “General Post Office”(GPO) actually did have a similar system in them (and yes it was then and still is now covered by the Official Secrets Act… I kid you not).

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.