Keyless entry- easy to steal?

d2ww

Surprised this hasn't come up here, but there was article in last weeks Sunday Times about how thieves have figured out how to get around these.
The basics are that say the owner parks and goes into a shop. The car is continously transmitting a signal to see if the key fob is nearby, but this only has a range of about 2 metres. So, the first thief uses a simple reciever to record this signal then goes into the shop and stands close to the owner while transmitting this signal to the key fob in the owners pocket. The key fob thinks it's beside the car, so it sends a signal to unlock the car. The problem is this key fob signal can reach up to 100 metres out to the car, which thief 2 can now get in, press the start button and drive off.
The worst part is that as there is no signs of forced entry, insurance companies are refusing to pay out, and the car companies are denying any knowledge of it, as they don't have a solution yet.:eek:
There was an interesting example of how useless this feature is. A wife was giving her husband a lift to the airport, when on the way home she stopped a shop in the middle nowhere and was left stranded as the key fob was still in her husbands jacket, on the plane.

Atomic Pineapple

Dont you still need a card or something to insert into a slot in the car before you can start it?

listermint

These signals are encoded, So no it is not as simple as you suggest. And the average dope on the street couldnt afford or have knowledge of the equipment required to steal a car in this manner.

Presently the only cases recorded of this sort of theft is signal jammers, which are quite readily available but can be hit and miss with regards signal selection when jamming. But they allow the thiefs to jam your locking signal hence you walk off thinking car is locked and they steal the belongings out of it. Generally not the car itself.

Its far easier for a thief to break in to your home and steal the keys. These articles indicate a slow news day of a bored reporter.

Jagle

ya normally you need to insert the fob into something

i know someone with a 07 keyless entry car, long as you have the fob in your pocket, funny thing is once the car is started i tried moving very very far away from the car with the fob to see if it would cut out but it wouldnt, thought this is odd

x in the city

even if they did syphon the rf signal to open the door, i doubt it would by pass the immobiliser, but yeah seems pretty stupid..

did the french invent this for the lagunas btw...:p

langdang

Yes saw that article - bit of a flaw in the system alright!
The first method (relaying immobiliser/key id signals) would probably allow you to drive the car away (if push button start) and turn it off once before you would have to find a way to get a matching key to restart.
The second method (jamming remote central locking)would only allow access to the car to rob valuables.

Believe me, this is well within the capabilities of any crowd creating the ATM skimming setups.

Jagle

x in the city wrote: »

even if they did syphon the rf signal to open the door, i doubt it would by pass the immobiliser, but yeah seems pretty stupid..

did the french invent this for the lagunas btw...:p

first car i saw it on was my aunties old laguna, but i dunno if the french invented it

listermint

langdang wrote: »

Yes saw that article - bit of a flaw in the system alright!
The first method (relaying immobiliser/key id signals) would probably allow you to drive the car away and turn it off once before you would have to find a way to get a matching key to restart.
The second method (jamming remote central locking)would only allow access to the car to rob valuables.

Believe me, this is well within the capabilities of any crowd creating the ATM skimming setups.[/QUOTE]

ATM skimmers are extremely simple. Small wireless camera, and a simple card code reader you could probably pick up all the bits in maplin. So no your argument is flawed.

langdang

Jagle wrote: »

ya normally you need to insert the fob into something

i know someone with a 07 keyless entry car, long as you have the fob in your pocket, funny thing is once the car is started i tried moving very very far away from the car with the fob to see if it would cut out but it wouldnt, thought this is odd

Safety feature apparently, in case there was an intermittent issue with keys, or as per the article "what if your kid threw the key out the window on the motorway"

R.O.R

draffodx wrote: »

Dont you still need a card or something to insert into a slot in the car before you can start it?

Nope - it just means you have to keep the (usually bulky) key in your pocket while driving. I prefer to have a nice place to keep the key in the car, say an ignition or something similar.

My old boss left the spare key in the glovebox of her car for about 18 months. Had the keyless entry so anyone could have just jumped in the car and sped off. Wouldn't have been a bad way to pick up a nice CL500 :eek:

kirving

This used to be a problem years ago in the US with garage doors/gates with a keyfob.

These days though, the signals are encoded, and it would be nigh on impossible for your average thief to replicate them on the fly.

langdang

listermint wrote: »

ATM skimmers are extremely simple. Small wireless camera, and a simple card code reader you could probably pick up all the bits in maplin. So no your argument is flawed.

Average criminals are fairly simple. But anyone capable of taking instruction to setup an ATM skimmer and the laptop etc back in the van could be given the equipment in the article (also easily available in maplin) and carry out this scam. So my point is valid.

drunkmonkey

There's nothing to insert in the mercedes or lexus you just need to have the key on you, i've the lexus smart access system it's a gift but I wouldn't fancy speeding down the road without the key as the access code changes constantly. If the steering wheel decides to retreat back into the dashboard you'd end up in a mess.

Jagle

Kevin Irving wrote: »

These days though, the signals are encoded, and it would be nigh on impossible for your average thief to replicate them on the fly.

ya cos all criminals are idiots, please these people arnt stupid

langdang

Kevin Irving wrote: »

This used to be a problem years ago in the US with garage doors/gates with a keyfob.

These days though, the signals are encoded, and it would be nigh on impossible for your average thief to replicate them on the fly.

They are relaying them two-way, not capturing them and replaying them one-way.

listermint

langdang wrote: »

Average criminals are fairly simple. But anyone capable of taking instruction to setup an ATM skimmer and the laptop etc back in the van could be given the equipment in the article (also easily available in maplin) and carry out this scam. So my point is valid.

No just no its not. Each car carries its own unique code. Where are you getting your information from?

Sticking a premade card reader and a mini camera (non wireless) to the front of an ATM takes very very little skill. They remove them about 30 minutes after. Plug both into the USB on the laptop and copy and past the video and text files over and open them up. Christ man its kiddy stuff.

Diseminating encoded vehicle signals on the fly is far more complex. Most of these ATM lads DO NOT carry laptops around or sit near by the back of a van. They do it at home. Your watching too much James Bond mate.

biko

Wouldn't the immobiliser kick in once the owner in the shop is out of range?
Interesting though.

langdang

listermint wrote: »

No just no its not. Each car carries its own unique code. Where are you getting your information from?

Sticking a premade card reader and a mini camera (non wireless) to the front of an ATM takes very very little skill. They remove them about 30 minutes after. Plug both into the USB on the laptop and copy and past the video and text files over and open them up. Christ man its kiddy stuff.

Diseminating encoded vehicle signals on the fly is far more complex. Most of these ATM lads DO NOT carry laptops around or sit near by the back of a van. They do it at home. Your watching too much James Bond mate.

They are relaying the signals two-ways using the vehicle and key's own genuine signals.
They are not "hacking" the rolling code system.
They can use simple equipment from Maplin (for example)
It's as much kiddy stuff as ATM skimming. (use gear that people won't notice and don't look too suspicious carrying it out)

R.O.R

biko wrote: »

Wouldn't the immobiliser kick in once the owner in the shop is out of range?
Interesting though.

Car continues to run until the engine is turned off, once it's been started.

Oh, how our driver laughed when he had to go back to Deansgrange to collect the key of a Mondeo he'd collected for service.

langdang

Article in full, doesn't include pictures of (very simple, even more simpler than ATM skimming) gear


Open sesame: the magic car thieves
Keyless ignition looks stylish, but the system is vulnerable to crooks using basic electronics to open and start your car in an undetectable crime
Dominic Tobin
Published: 6 February 2011

If your car has a keyless entry system, it may not be as secure against theft as you would expect. The Sunday Times has teamed up with university researchers to demonstrate how easy it is to steal the latest models fitted with the new system. All we used were basic components available cheaply from high street electronics shops or on the internet.

The demonstration has provoked concern within the motor industry about the security of vehicles, and prompted an admission by police that an unknown numbers of cars could already have been stolen in this way because the technique leaves no trace.

The problem affects those cars that, instead of having a traditional ignition key, are supplied with a fob or card to open the doors and enable the engine to be started. Also called proximity keys, these devices detect a low-frequency radio signal emitted by the car, and then send their own signal back to the vehicle that unlocks the doors automatically. Once inside, the driver has only to press a *button to start the car rather than turn a key. The flaw does not affect other so-called smart keys where drivers use buttons on the fob to lock and unlock doors.

The proximity key system has proved popular on every type of car — from the Ford Fiesta to Bentley Continental — because it is seen as less fiddly than struggling with keys and locks. It also allows car makers to introduce a starter button in the cabin, which many regard as more stylish than a mechanical key.

Thatcham, the centre that works with insurers and car makers to research and test vehicle security systems, says the flaw in security is so serious that manufacturers may be forced to return to using traditional keys. “We are aware of this phenomenon and obviously this is a potential problem,” says Mike Briggs, vehicle security manager for Thatcham. “You could beat anything if this new technique was used. It could be that manufacturers return to a mechanical key to start cars, though we’ve not as yet seen this technique being used in Britain.”

Previously, keyless systems were thought to be secure because the device communicates with the car by sending encrypted data on weak radio waves. An owner must stand no more than two yards or so from the car in order for the car to unlock itself.

However, researchers have discovered a way to capture and transmit the signals given off by the car and increase the transmission distance. The technique, known as a “relay attack” when used by thieves, fools the fob into thinking that the car is close by, triggering it to instruct the vehicle to unlock its doors.

In the interests of security The Sunday Times is not giving away the full details of the technique, though the basics are remarkably simple.

The theft requires two people. Each is equipped with a wire antenna — not unlike those used on many radios and available off the shelf from hardware stores. When a victim is spotted, perhaps in a supermarket car park, one thief makes his way to where the car is parked. The other follows the driver.

When the driver is a safe distance from the car, the thief shadowing him or her moves to within a couple of yards of them. His accomplice then transmits the car’s electronic fingerprint message (which is constantly being sent but limited to a radius of about two yards around the car). The message is received by the thief shadowing the owner and relayed to the fob in the owner’s pocket or bag.

When it receives the car’s signal, the fob assumes it is next to it and activates its own transmitter, sending a message instructing the car to unlock its doors. Unlike the car’s signal, the fob’s signal can travel as far as 100 yards, deactivating the locking system on the car and priming the engine to start.

All the thief now has to do is get behind the wheel and press the starter button. The whole process can take less than a minute and — unless they are watching their car from a distance — the owner is unaware anything is wrong until they discover their car is missing.

The technique was tested last month by computer scientists at ETH University in Zurich, Switzerland. InGear was invited by the university to assist with a demonstration using a real car. With just a few wires and connectors that cost less than £30, we captured the wireless signal sent between the car and fob.

We were then able to fool a Toyota Prius into thinking the fob was next to the car, allowing us to open the door and start the engine. Thanks to an industry-standard safety system, the car’s engine keeps running even when the fob is out of range — a feature designed to ensure that if the fob’s battery goes flat, or a child throws it out of the window mid-journey, the engine does not cut out.

If we had been real thieves, we would have headed straight for a back-street garage, which would be able to hack into the car’s computer and supply another fob, allowing the car to be sold on or exported abroad. For the purposes of our demonstration, the equipment carried by the two “thieves” was connected by electrical cable, but for an outlay of a few hundred pounds, wireless transmitters/receivers could have been used.

“Car companies buy these keyless systems from component suppliers,” says Srdjan Capkun, a professor for system and network security at ETH’s computer science department. “We tested all of the major component suppliers we could identify. We tested 10 cars from eight manufacturers and did not find any that were remotely protected against this type of attack. It didn’t matter if they were high-end cars or low-end cars — don’t assume if a car is more expensive it is better protected. That is not the case. It was surprising that it was that easy to overcome this [keyless] system.”

In Britain the Association of Chief Police Officers says it has recently become aware of the technique, and that because there are no visible signs of breaking in, it is hard to detect. “We are working with partners within the motor manufacturing industry to discover the extent of the problem highlighted,” says Detective Chief Inspector Mark Hooper, head of the association’s vehicle crime intelligence service. “Due to the sensitive nature of the type of threat identified we would not want to discuss in depth any suspected flaws.”

Police have said that thieves need to be caught in the act, or with the necessary equipment, to establish that this is happening. “Unless you catch somebody in the act, even if you recover a car and interrogate its computer, all it will tell you is that the owner was the last person to open and start it. If we know about it, thieves do,” says one senior police source.

Stuart Chapman, the police relationship manager at Tracker, a company that fits systems that allow police to trace stolen cars, says the number of thefts where cars are mysteriously stolen while the owners still have the fobs and without any sign of entry is on the increase. “Sometimes you just don’t know which method they are using unless you catch them in the act,” says Chapman, a former police officer. “We have had customers whose cars were stolen being suspected of fraud because that seemed like the only logical explanation.”

Car makers seem reluctant to admit that they are affected. Toyota claims it is not aware that any of its cars have been stolen using this method. “Since 1999 Toyota GB has worked with independent security experts, the police and insurance industry to ensure we gain the fullest possible awareness of trends and techniques,” says a spokesman.

The Society of Motor Manufacturers and Traders says it is concerned about the development and is reviewing the research from Zurich. Some manufacturers claim their cars are immune to the problem. Audi says its vehicles are unaffected and Jaguar Land Rover claims its cars are “robust” against the hack, though the firm declined to elaborate.

“I am very sceptical about claims that these systems are protected,” says Capkun. “In principle, this attack will work on each system that uses this design. We know how to build a more secure keyless system but the technology at the moment is expensive and it depends on whether manufacturers think it is worth the while to invest in it.

“If you believe you might fall victim to this attack, you should probably shield the key — perhaps in a small case lined with aluminium. Some of the convenience of keyless entry would be lost, but this would make the relay attack very difficult in practice.”


Key fob (Kevin Dutton)If you are able to keep your fob shielded, your car should remain safe (Kevin Dutton)
How to protect your fob

For the scam to work, the thieves have to establish wireless communication with your fob, so if you are able to keep your device shielded, your car should remain safe. Luckily, fobs operate on the same wireless frequency as RFID (radio frequency identification) devices — the sort of chips now built into credit and debit cards, and even passports — which means there are already a number of shields on the market.

For example, the Ogon RFID wallet (£27.95, clickshop.com) is a click-shut metal container with seven expandable pouches for holding your plastic, and a well into which most fobs will fit. It is available in 10 colours. For a cheaper option, buy a tin of Altoids (90p, victoriahealth.com), eat the mints inside and then keep your fob safe in the aluminium container.

Woman using cell phone by car Keyless ignition may seem convenient but it is easy to find yourself stranded (Jupiterimages)
This gimmick is a real turn-off

Don’t get Keith Crain started on keyless ignition — he has too many tales of woe to ever believe the technology is of any use

My son, Chris, from New York, was spending time with his family in northern Michigan. On Sunday afternoon, Carinna, his wife, took him to an airport some 90 miles away to catch a plane back to work in New York while she stayed on with the family.

Everything was great with their new Mercedes. He hopped out of the car and headed for the plane, and she headed back to their summer place — except he had the fob in his pocket, heading for New York.

Late on that Sunday afternoon, after stopping far short of her destination, she could not restart the car. While you don’t need the fob mechanically to start the car, you do need to have the fob with you.

Keyless ignition has become the hottest feature today on any number of luxury and not-so-luxury cars, but I don’t have the slightest idea why.

Were consumers clamouring for this feature? I don’t think so. I figure some very good salesman for a supplier sold it to one car company, and it spread like wildfire — but for no good reason.

Mercedes even has a feature that allows you to pull a key out of the fob, pop off the start button, put in the key and turn it to start the engine. A key to start the ignition, that you can’t mislay while you’re driving. What a novel idea.

Some systems tell you not to store the fob anywhere near the car or it will run down the battery in the fob. Huh?

I don’t know who thinks up some of these features, but they should do a little more real-world research before they foist them on unsuspecting customers.

I’m not against new features. I really like most of them, but this one is a dud. I’ve heard more stories about someone leaving a car running, going into a hotel or restaurant and having the car stuck because the valet didn’t have the fob to restart it later.

There may be a lot of value to this feature, but I can’t think of any.

And, sadly, if you lose the fob on a weekend, you may be stuck until the dealership opens on Monday when you can reprogram the car.

Keith Crain is editor-in-chief of Automotive News

Keyless cars

Cars that offer keyless entry and start systems include:

* Audi A4, Q7
* Bentley Continental GT
* BMW 1, 3, 5-series
* Ford Fiesta, Focus, Mondeo
* Infiniti EX
* Jaguar XF
* Land Rover Freelander, Discovery
* Lexus LS, RX
* Nissan Juke, Qashqai
* Peugeot 508
* Porsche Cayenne, Panamera
* Renault Scénic, Laguna
* Saab 9-5
* Skoda Superb
* Vauxhall Zafira
* Volkswagen Passat
* Volvo C30, S80

listermint

langdang wrote: »

They are relaying the signals two-ways using the vehicle and key's own genuine signals.
They are not "hacking" the rolling code system.
They can use simple equipment from Maplin (for example)
It's as much kiddy stuff as ATM skimming. (use gear that people won't notice and don't look too suspicious carrying it out)

Fine, your operational knowledge of such a system seems vast, jimmy it up there and post a tube video of your findings.

Tea 1000

It looks like they depend on the key fob being within the range of the car for it to work. Seems they can capture the signal given out by the car easily, but the fob seems to be doing the unlocking from the owners pocket "100's of metres away".
The Lexus system seems to work differently to this. If you press the unlock button on the fob, the car unlocks as normal, as any car would. If you stand beside it with the fob in your pocket however, it won't unlock. If you're standing beside the drivers door, you need to hold the handle for it to unlock, and even then, only the drivers door will work. So if you're standing beside the passenger door with the fob, your mate could try the drivers door but it won't unlock, only the door that the fob is near will unlock the car. Even then, if you sit in without the fob, it won't start as there is a different sensor detecting the fob inside. There are 4 in total, one for each front door, one for the boot, and one for inside the cabin.
So I've a feeling that the above method wouldn't work for the Lexus system.

Tea 1000

langdang wrote: »

They are relaying the signals two-ways using the vehicle and key's own genuine signals.

No, it seems they're not doing this. They're relaying the car's signal, which seems to be the easy one to mimic. They are relaying this signal to the owners pocket, and they're then relying on the fob to do the unlocking, they're not replicating the fob's signal.
If they could do that, then they could do it for every key fob, keyless entry or not, they'd just need to wait for the owner to press the button and unlock it, and hey-presto! All cars become their haven!

listermint

One cant help but feel this story was released by an RFID shielded wallet manufacturer.


When you get a group of scientists together and give em some cash, they can do all sorts of crazy stuff. Blatant scaremongering for profit.

Padraig Mor

If I'm reading the article right, a thief doesn't actually 'send' the unlock signal himself to the car - just fools the fob into doing so by essentially pretending to be the car - and as long as it's within c. 100 metres, the car will unlock. However, I fail to see how this would let a thief steal the car. My Lexus has the system and it also requires the fob to be in the car to start the engine. Unlock the car, leave the fob outside and press the start button, and the car refuses to start. Presumably other systems are similar.

langdang

They have been (probably deliberately) inaccurate in the article.
If they can relay the ECU signal to the fob, they can relay the fob signal back to the ECU.

The signal from a normal "non keyless entry + pushbutton start" immobiliser key would not have the range of a keyless entry fob, the boyos would probably have to practically mount you to replicate your key

Padraig Mor

Tea 1000 wrote: »

The Lexus system seems to work differently to this. If you press the unlock button on the fob, the car unlocks as normal, as any car would. If you stand beside it with the fob in your pocket however, it won't unlock. If you're standing beside the drivers door, you need to hold the handle for it to unlock, and even then, only the drivers door will work. So if you're standing beside the passenger door with the fob, your mate could try the drivers door but it won't unlock, only the door that the fob is near will unlock the car. Even then, if you sit in without the fob, it won't start as there is a different sensor detecting the fob inside. There are 4 in total, one for each front door, one for the boot, and one for inside the cabin.
So I've a feeling that the above method wouldn't work for the Lexus system.

Mine definitely unlocks the car without touching the handle, although I need to be right next to the car. The system can be adjusted to automatically open the drivers door or all four (mine does this) when it detects the key signal.

mickdw

Most keyless go systems will allow the car to remain running even if the key leaves the car. It will not start the next time though obviously.
I think the theory in the article is flawed. Sure it will allow entry to the car but there is usually a second system which searches for an additional chip within the car in order to start.
Overall, not really worth the hassle. I dont have it myself, but I had a gs450h for a few days and while it was faultless, I was continually wondering where the key was.

langdang

listermint wrote: »

One cant help but feel this story was released by an RFID shielded wallet manufacturer.
When you get a group of scientists together and give em some cash, they can do all sorts of crazy stuff. Blatant scaremongering for profit.

I'll kinda agree with you here - despite this flaw, let's face it - having your actual keys taken will obviously always be a bigger threat

Tea 1000

langdang wrote: »

They have been (probably deliberately) inaccurate in the article.
If they can relay the ECU signal to the fob, they can relay the fob signal back to the ECU.

The signal from a normal "non keyless entry + pushbutton start" immobiliser key would not have the range of a keyless entry fob, the boyos would probably have to practically mount you to replicate your key

Nope, this is kind of all wrong. Firstly the ECU isn't sending any signal to the FOB. There is a seperate transmitter to detect the key. Then the key fob sends the signal in the same way as any other key out there, the range of a keyless fob is no different to a normal fob, all will work around 100 metres.
The only difference is that with a normal system, the car does nothing until the person presses the button on the fob, which then sends an encrypted signal to unlock the car. With the keyless, the car listens for the fob, only up to two metres approx. When detected, the fob reacts to this signal by sending an unlock signal in the normal way back to the car, just like a regular system. So according to that article, all they're doing is tricking the fob into sending the signal.

Padraig Mor wrote: »

Mine definitely unlocks the car without touching the handle, although I need to be right next to the car. The system can be adjusted to automatically open the drivers door or all four (mine does this) when it detects the key signal.

Have you a GS? In the IS you have to touch the handle of the door that you are beside, then the 4 doors will unlock. However, as you said, it will only start if the key is detected inside. So the above method would fail.

pajo1981

The car sends out a random signal and on receiving the correct response in a timely manor, oks the unlocking of the door.

Capturing the random signal an retransmitting it to the key will not work because the key will then be sending back a response to a signal that is no longer valid.

langdang

Tea 1000 wrote: »

Nope, this is kind of all wrong. Firstly the ECU isn't sending any signal to the FOB. There is a seperate transmitter to detect the key.

ECU/BC1/GEM whatever -"a module within the car"

Tea 1000 wrote: »

Then the key fob sends the signal in the same way as any other key out there, the range of a keyless fob is no different to a normal fob, all will work around 100 metres.

No. There is no way it would work if you cut a chipless copy of a standard key, and use it to start the car without an actual chip within a very short distance of the car (far less than 100m). All keys/fobs are not created equal. You may be confusing remote central locking with the immobiliser signal. In which case you would be kinda all wrong.

Tea 1000 wrote: »

The only difference is that with a normal system, the car does nothing until the person presses the button on the fob, which then sends an encrypted signal to unlock the car. With the keyless, the car listens for the fob, only up to two metres approx. When detected, the fob reacts to this signal by sending an unlock signal in the normal way back to the car, just like a regular system. So according to that article, all they're doing is tricking the fob into sending the signal.

This bit is correct AFAIK.

Padraig Mor

Tea 1000 wrote: »

Have you a GS? In the IS you have to touch the handle of the door that you are beside, then the 4 doors will unlock. However, as you said, it will only start if the key is detected inside. So the above method would fail.

GS yeah. Manual says you need to touch the door, but you actually don't.

Tea 1000

langdang wrote: »

No. There is no way it would work if you cut a chipless copy of a standard key, and use it to start the car without an actual chip within a very short distance of the car (far less than 100m). All keys/fobs are not created equal. You may be confusing remote central locking with the immobiliser signal. In which case you would be kinda all wrong.

What are you talking about?

Tea 1000

Padraig Mor wrote: »

GS yeah. Manual says you need to touch the door, but you actually don't.

Cool. You do in the IS alright, I've never tried the GS.

langdang

Tea 1000 wrote: »

What are you talking about?

Ah, I see, you didn't read my original comparison of "standard old school immobiliser keys" and keyless entry keys/cards/fobs correctly.

Tea 1000

langdang wrote: »

Ah, I see, you didn't read my original comparison of "standard old school immobiliser keys" and keyless entry keys/cards/fobs correctly.

OK, here's your post:

langdang wrote: »

The signal from a normal "non keyless entry + pushbutton start" immobiliser key would not have the range of a keyless entry fob, the boyos would probably have to practically mount you to replicate your key

"Non keyless entry and pushbutton start" immobiliser keys - well, how to quantify these? There are a few types. If you take a Civic for example, You have a regular key with the immobiliser chip and wireless fob all built in. You press the unlock button, works like all wireless fobs, unlocks the car from 100m or so away. Then you need to insert the key in the ignition like all normal cars and turn it. Then you press the engine start button. So it doesn't matter if the thief "mounts you", he won't get any signal that'll enable him to start your car, he needs a key with the chip.
However, if, as you say, he has some device in his pocket that can read the unlock signal from a key fob to a car which has keyless entry and copy it and retransmit it, then he'd be also able to do this with any keyfob, the only difference is that the user needs to press the unlock button.
I don't think that's what these guys were doing, according to that article. The article is incomplete cause they didn't want to give away the details, but both myself and Padraig got the same impression from the article.

stevenmu

pajo1981 wrote: »

The car sends out a random signal and on receiving the correct response in a timely manor, oks the unlocking of the door.

Capturing the random signal an retransmitting it to the key will not work because the key will then be sending back a response to a signal that is no longer valid.

This is why they use two people for the attack, one person captures the signal from the car and sends it to the other who is already beside the owner and transmits it to the owners keyfob, which is then responding to the cars signal very close to instantaneously.

langdang

No, I think Padraig got a slightly different and more correct interpretation -
One car/key exchange to unlock car.
Car may then need a second exchange with the key to start. (provided by thief 1 sitting into car while thief 2 is still standing next to owner, still relaying signals)

You are saying that all fobs transmit the same info for 100 metres, the only difference being the need to push a button.
I'm saying that the immobiliser info is not (necessarily) transmitted by pushing a button and works over a much shorter distance on the older style keys.
It's not coming across well because I'm rushed here - you're not way off but maybe you're not picking up on the difference between RCL and immobiliser chip signals

langdang

stevenmu wrote: »

very close to instantaneously.

This is important - if there is too much delay then some systems are apparently clever enough to suspect a relay attack.

Dymo

I always regarded this as a bit of an urban myth, I remember hearing this happening years ago but all hearsay and never heard of anybody who it actually happened to.

Here's snopes article on it http://www.boards.ie/vbulletin/showthread.php?threadid=2056180635

The theoretical attack requires detailed knowledge of the system implementation and a combination of data, specialized skills, equipment and access to various components of a system which is seldom feasible. These theoretical attacks are not unique to the Keeloq system and could be applied to virtually any security system.

Cuddlesworth

langdang wrote: »

This is important - if there is too much delay then some systems are apparently clever enough to suspect a relay attack.

Doubtful. Rolling codes tend to get out of sync, the base unit tends to have a re-sync mechanism rather then disabling the token.

langdang

Cuddlesworth wrote: »

Doubtful. Rolling codes tend to get out of sync, the base unit tends to have a re-sync mechanism rather then disabling the token.

I wasn't aware of "delay" thing being an issue until I read this wiki article on one type of keyless entry/engine start

"delay" in this case is in terms of RF signals and processing/filtering etc.
A signal straight through a load of cable should be ok, but an attempt to relay and boost the signal through a criminals set of RF transceivers might not work on cars that are sensitive to group delay.

Tea 1000

langdang wrote: »

No, I think Padraig got a slightly different and more correct interpretation -
One car/key exchange to unlock car.
Car may then need a second exchange with the key to start. (provided by thief 1 sitting into car while thief 2 is still standing next to owner, still relaying signals)

You are saying that all fobs transmit the same info for 100 metres, the only difference being the need to push a button.
I'm saying that the immobiliser info is not (necessarily) transmitted by pushing a button and works over a much shorter distance on the older style keys.
It's not coming across well because I'm rushed here - you're not way off but maybe you're not picking up on the difference between RCL and immobiliser chip signals

OK, now you're making it a bit clearer. So the equipment the thieves have is just stuff to relay any kind of signal, encrypted or not and retransmit it on a wider scale. The difference with the keyless systems and the other ones are that older ones just unlock the doors, physical contact is required to read the immobiliser code, where as the keyless ones have to also transmit the immobiliser codes.

langdang

Spot on* as far as I can see Tea , I realise myself my communication isn't the clearest sometimes...

*altho physical contact is not essential even in older systems, it's pretty much RFID stuff implemented in different ways.


I reckon on the older systems you could have a chipless copy of a key in the ignition and still start the car IF you had a chip within, say 1m of the whatever module looks for the code. But that's just off topic here and confusing...

Some of the keyless entry systems it seems have a transmitter on the car constantly polling for a reply from a keyless entry key/fob/card outside the car.
Once it gets a reply from this it gets itself ready to start - especially an advantage on diesels - everything is primed and ready to go before your bum hits the seat.

Some systems rely on a sensor in the doorhandle to realise "hey, who's this?", so it then sends out a signal to the keyless entry key/fob/card to see if it's an authorized user.

Guy:Incognito

mickdw wrote: »

Most keyless go systems will allow the car to remain running even if the key leaves the car. It will not start the next time though obviously.
I think the theory in the article is flawed. Sure it will allow entry to the car but there is usually a second system which searches for an additional chip within the car in order to start.
.

Yeah. I've played around with the mothers Megane a bit. The car will unlock once the key is in range (a couple of metres radius) but the car wont start unless the key is inside it. I've stuck my hand out the open window with the key and the car knew it was outside and wouldnt start.

Theres a card slot on the Megane in the dash but you dont have to use it. If I'm using her car the keycard doesnt come out of my pocket at any stage.

The missus 05 Scenic needs the buttons to be pressed to open the doors and the card has to be in the reader to start the car, after that you can take the card out and the car will keep running. You have to press the start/stop button twice to turn the car off with no key in the reader.

RedorDead

R.O.R wrote: »

Nope - it just means you have to keep the (usually bulky) key in your pocket while driving. I prefer to have a nice place to keep the key in the car, say an ignition or something similar.

My old boss left the spare key in the glovebox of her car for about 18 months. Had the keyless entry so anyone could have just jumped in the car and sped off. Wouldn't have been a bad way to pick up a nice CL500 :eek:

Bravo that woman. Sharon?

pissed

Another point to note with the keyless entry (megane). If you get out of the car and close the door and press the keyfob button for locking the door, when you return the doors will not open automatically ... it requires you to push the unlock button on the fob.