Story 2015-05-11 8TR4 Keyless entry fobs result in rash of vehicle thefts

Keyless entry fobs result in rash of vehicle thefts

by
in security on (#8TR4)
As vehicles become more technologically advanced, thieves are becoming technologically savvy, too. Hands-free key fobs typically unlock a car from within about 30 centimeters. But across the USA, thieves have begun using a device called a power amplifier to help unlock cars. The amplifier, which can cost less than $20 over the Internet, takes the signal from the car and projects it as far as 100 meters, so your car can find your key fob in your purse, in your pocket or on the table where you dump your stuff when you come in the door.

In Toronto, Los Angeles, Long Beach, New York, Springfield, and more cities, police have reported a spike in thefts from Toyota and Lexus SUVs, Priuses, and more vehicles, all parked in owners' driveways with no signs of damage. As more people buy cars with these no-push key fobs, what's the solution to stopping this type of break-in? "Use a microwave" or wrap your keys in aluminum foil. The heavy metal cages block the signal. It's another case of convenience becoming a two-edged sword.
17 comments

I can't say I understand this 100% (Score: 1)

by tanuki64@pipedot.org on 2015-05-11 16:49 (#8TZY)

Ok, the car constantly sends some kind of 'hello' signal. Usually it has a reach of 30cm. Fine. The amplifier increases the signal tremendously... understood. But now the key has to 'answer'. And its signal is not amplified. So how far away can its signal be detected by the car? And where is the problem in limiting this reach to perhaps 1m? Then the thieves need two amplifiers... And a way to get close to the key without the owner noticing it.

Re: I can't say I understand this 100% (Score: 1)

by evilviper@pipedot.org on 2015-05-11 19:00 (#8V64)

No doubt the signal boosters/amplifiers in question are bi-directional.

There is no way for a radio signal to be limited to any specific range. The typical working distance is based on the common antenna configuration(s). Using a highly directional (high gain) antenna, you can reach a signal from many times further away than it was ever designed for. For example, how many people are stealing distant neighbor's WiFi, thanks to a Pringles cantenna, or similar?

Re: I can't say I understand this 100% (Score: 1)

by tanuki64@pipedot.org on 2015-05-11 20:38 (#8VC1)

Sure, the amplifiers are bi-directional, but even such amplifiers have limits. If the normal distance is 30cm, you go within the 30cm range of the car and maybe amplify it to 100m. No problem. This I understood. But an amplifier can only boost what it receives. How far apart are key and car usually, when the car is parked and the owner is at home? 20m? 40m? You say there is no way to limit a radio signal to a specific range. Of course not. But when the strength of the key signal is too weak to be detected by the amplifier at 1m distance, it effectively is limited. So why is the signal strength of the key so strong that the amplifier can receive and amplify its answer over such a large distance?

Re: I can't say I understand this 100% (Score: 1)

by kerrany@pipedot.org on 2015-05-11 21:00 (#8VD2)

The idea that the key is constantly generating a signal is a little difficult to believe - receiving signals is cheap, battery-wise, but sending would surely wear that sucker out in a year or less. More likely it only 'wakes' when it detects a ping from the car that passes whatever authentication it has built in, probably with some form of RFID passive receiver. Thus the car is doing the generating, and the thieves have access to the car because it's parked on the street or in a driveway.

The scenario goes something like this. The thief pulls up to the sidewalk in a getaway car and hits the button. The amplifier amplifies the signal the car is constantly sending to the key. The key responds to the amplified "Key where are you?" signal with its usual "Itsa me, the key!" signal, et voila, the car is unlocked.

Surely it wouldn't be that easy, but the evidence seems to suggest it is. There seems to be no validation beyond sign and countersign. Maybe they'll patch that up by adding more tests to the car's routine, but the key is probably always going to be a dumb device (unless they make it a smartphone app) due to battery life.
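Added example, not part of the original comment and not any vendor's implementation: a Python simulation of the sign/countersign exchange described above, showing that a relayed response still verifies, and how one possible "additional test" on the car side, a round-trip-time bound, rejects it. The HMAC scheme, the key, the timing figures and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

C = 299_792_458.0           # speed of light in m/s
KEY = os.urandom(16)        # constructed secret shared by car and fob
FOB_TURNAROUND_NS = 1000.0  # assumed fixed fob processing time

def fob_response(key, challenge):
    """Fob side: the 'countersign' is an HMAC over the car's challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def round_trip_ns(distance_m, relay_delay_ns=0.0):
    """Two-way propagation + fob turnaround + any latency a relay adds."""
    return 2 * distance_m / C * 1e9 + FOB_TURNAROUND_NS + relay_delay_ns

def car_unlock(key, challenge, response, rtt_ns, max_distance_m=None):
    """Car side. max_distance_m=None means sign/countersign is the only test."""
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):
        return False
    if max_distance_m is None:
        return True
    # Extra test: distance implied by the measured round-trip time.
    implied_m = (rtt_ns - FOB_TURNAROUND_NS) * 1e-9 * C / 2
    return implied_m <= max_distance_m

def simulate(fob_distance_m, relay_delay_ns=0.0, max_distance_m=None, key=KEY):
    """One unlock attempt; a relay forwards both messages unmodified."""
    challenge = os.urandom(16)
    response = fob_response(key, challenge)
    rtt = round_trip_ns(fob_distance_m, relay_delay_ns)
    return car_unlock(KEY, challenge, response, rtt, max_distance_m)

if __name__ == "__main__":
    print("owner at 0.3 m, countersign only   :", simulate(0.3))
    print("relayed, fob 30 m, countersign only:", simulate(30, 50))
    print("owner at 0.3 m, 1 m RTT bound      :", simulate(0.3, 0, 1.0))
    print("relayed, fob 30 m, 1 m RTT bound   :", simulate(30, 50, 1.0))
```

A 1 m bound leaves under 7 ns of round-trip slack, so in practice such a check has to be done by the radio hardware rather than in software.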

Re: I can't say I understand this 100% (Score: 1)

by tanuki64@pipedot.org on 2015-05-11 21:17 (#8VEJ)

The key responds to the amplified "Key where are you?" signal with its usual "Itsa me, the key!" signal, et voila, the car is unlocked.
Yes, of course... But the car has the megaphone, not the key. The key might answer "Itsa me, the key!", but why can it be heard from such a distance?

Re: I can't say I understand this 100% (Score: 0)

by Anonymous Coward on 2015-05-11 22:31 (#8VHD)

The device is bidirectional. It catches the response from the key then passes it to the car. Think wireless repeater.

Re: I can't say I understand this 100% (Score: 1)

by tanuki64@pipedot.org on 2015-05-12 00:46 (#8VQ5)

Didn't you read my post? Apparently not. I have no problems with the device being bidirectional. But a repeater cannot repeat what it cannot receive. The thief stands with the amplifier by the car. The car sends its request. According to the article this signal is so weak that it can only be received by the key when the key is within 30cm distance. The amplifier boosts this signal so it can be received by the key at 100m distance. Fine. The key might happily answer.... 100m away. But what good is this, when the key signal is also so weak that it can only be received within 30cm distance? If the key signal is too weak to reach the amplifier, it cannot be amplified. Bidirectional or not. Is this so hard to understand?

If the key has a reach of 30cm and the car has a reach of 30 cm... where do you place the amplifier that it can amplify both signals? Either the answer signal from the key is by far stronger than that of the car. Why? Or the amplifier is much more sensitive and can receive the car and/or key signal over a much larger distance than the key can, but this is info missing in the article.

Re: I can't say I understand this 100% (Score: 0)

by Anonymous Coward on 2015-05-12 10:01 (#8WEV)

The repeater might also have a more sensitive antenna to listen for the signal emanating from the key fob in your house. It may even involve a directional antenna for even more distance but the thief has to point in the general direction where he thinks the key fob is.

If you build a wifi cantenna you don't need one on both ends... one will do. So standing close to the car and aiming a cantenna or yagi around is all it would take.

Re: I can't say I understand this 100% (Score: 3, Informative)

by zocalo@pipedot.org on 2015-05-12 07:46 (#8W7M)

There's an assumption here that the key fob only has a range of 30cm - are we sure that's the case? I don't have one of these specific systems, but I do have a remote fob for my car and it's good for tens of meters (I've not tried to establish the max range), which is mostly intended for stuff like turning on the AC to start to cool a hot car. Perhaps the system works by having the same type of fob with the added functionality of a receiver - when it receives the weak signal from the car, perhaps it just sends the regular high powered "open door" signal in response. You might still need a high powered receiver to pick up and boost the fob signal if it's far away, but it does resolve the 30cm:30cm problem.

Re: I can't say I understand this 100% (Score: 1)

by tanuki64@pipedot.org on 2015-05-12 08:37 (#8WAJ)

I don't assume. I ask. I would like to know more about the specifics... but not in the article. Yes, I can believe that the added functionality sends with the same power as all the other signals. In hindsight this is stupid, but as it is said: Hindsight is 20:20. At least it should be easy to fix... just limit the damn key to 30cm, too.

Btw... one of the reasons why I always refused security related projects. :-D

Re: I can't say I understand this 100% (Score: 1)

by billshooterofbul@pipedot.org on 2015-05-14 13:51 (#91MK)

Yeah, I doubt it's that easy. RF is fun and easy to manipulate like this. It's pringle cans all over again.

I actually discussed this last January with a dealer. He thought I was nuts. I insisted on a real key. No auto unlock by proximity feature.

Grab a faraday cage for your keyless entry fob (Score: 1, Interesting)

by fobguard@pipedot.org on 2015-05-17 11:00 (#96VE)

Guys, you can solve the problem with a keyless entry fob faraday cage from Fob Guard. It's small, light, durable, and fits in your jeans. It's made in the USA, from materials all developed and sourced in the USA. Sorry to be a bit spammy here but I hope that this is exactly what some pipedot members will find useful to protect themselves from this kind of hacking. Cheers!

Re: Grab a faraday cage for your keyless entry fob (Score: 1, Funny)

by Anonymous Coward on 2015-05-17 12:54 (#96ZZ)

Or, to save the USD 30, just re-purpose a little of the tinfoil from your hat...

Re: Grab a faraday cage for your keyless entry fob (Score: 2, Informative)

by fobguard@pipedot.org on 2015-05-23 06:07 (#9KBT)

Be careful to seal all the holes in the tin foil, and don't leave any gaps, tears and holes. The size of an allowable gap in a faraday cage relates to the size of the wavelength the cage is absorbing. Be careful when you are re-folding the foil that it doesn't tear and no new holes exist from general wear and tear.

Re: Grab a faraday cage for your keyless entry fob (Score: 1)

by evilviper@pipedot.org on 2015-05-17 19:20 (#97G2)

Why would anyone do that, when you can get something just as functional for a tiny fraction of the price:

http://www.amazon.com/Antistatic-Resealable-Bags/dp/B00BT5BJY6/

Re: Grab a faraday cage for your keyless entry fob (Score: 1)

by fobguard@pipedot.org on 2015-05-23 06:14 (#9KBV)

Those bags have radically inferior performance characteristics. Try sticking your key fob inside them and see if you can still open the car door - you might be surprised. If you want a tried and independently tested product that will give you -80 dB across the board, and is made in the USA, you know where to go :)

Re: Grab a faraday cage for your keyless entry fob (Score: 0)

by Anonymous Coward on 2015-07-29 05:53 (#FRVD)

Hi pipedot, I'm an AC who has wandered over from slashdot for the first time. Is it considered acceptable use for companies to sell their products within the comments here like this? If so I'll keep a wanderin'...

...and having a special baggie to put your keys in (and take out of every time you want to use)? Seems more inconvenient than the good old-fashioned button on the keyfob, doncha think? For the cost of a Fob Guard you could get your remote entry key coded to an after-market press button keyfob. Problem solved.