Are “Keyless Entry” Hacks Really the Source of Recent Car Break Ins?

Charles “Chuck” McGill, the WiFi fearing pseudo-retired fictional lawyer on AMC Networks Inc.’s (AMCX) hit Better Call Saul was on the right track. But if wireless signals can harm you, it’s the pocketbook — and likely not the brain.  That’s the take home from a wild investigative piece by USA Today.  The claim in the piece is that car thieves are using homebrewed power amplifiers to pick up faint signals of car owners from key fobs.  The signal can then be amplified, cleaned up and outputted at full strength to a car which thinks its owner’s keyfob is telling it to unlock.

I. Hacking the Gibson?

It’s a wild claim and one worthy of skepticism, surely.  But it may be close to the truth.  (Or it may not be, as I later explain.)

First, while the piece mentions several strings of break-ins (in Toronto, Ontario; Tonawanda, N.Y.; and Springfield, Miss.) that might fit a profile of the wireless thief, it’s important to acknowledge that there’s no hard evidence in these cases that such a strategy was employed.

But there are some more credible reports.  A surveillance video posted by the Long Beach, Calif. Police Department shows a pair of thieves — who appear to be young white or Hispanic males — breaking into a pair of SUVs.  In the video it’s clear that they somehow get the car to electronically unlock, as there’s none of the shimmying of locks that typically occurs with mechanical break-ins.  Instead the culprits simply place their hands on the door handle, and seconds later open it and climb inside.

One comes from Nick Bilton, a Los Angeles, Calif.-based columnist for The New York Times, who reportedly caught a pair of kids in the middle of breaking into his 2013 Toyota Motor Corp. (TYO:7203) Prius hybrid.  He writes:
Let me explain: In recent months, there has been a slew of mysterious car break-ins in my Los Feliz neighborhood in Los Angeles. What’s odd is that there have been no signs of forced entry. There are no pools of broken glass on the pavement and no scratches on the doors from jimmied locks.

….

I watched as the girl, who was dressed in a baggy T-shirt and jeans, hopped off her bike and pulled out a small black device from her backpack. She then reached down, opened the door and climbed into my car.

As soon as I realized what had happened, I ran outside and they quickly jumped on their bikes and took off. I rushed after them, partly with the hope of catching the attempted thieves, but more because I was fascinated by their little black device. How were they able to unlock my car door so easily?
One answer might be a brute force wireless attack, in which a key assumes every possible identity until it succeeds in finding one that unlocks the target vehicle. Indeed, experts say it’s very possible to brute force keycodes for static remotes — even encrypted ones.

[Image Source: Gary Hallgren/The New York Times]
Diogo Mónica, a security researcher and chair of the Institute of Electrical and Electronics Engineers Public Visibility Committee, “said that some sophisticated thieves have laptops equipped with a radio transmitter that figures out the unique code of a car’s key fob by cycling through millions of combinations until the right one is found (a so-called “brute force” attack).”

Here’s a demonstration of security researcher Silvio Cesare employing a brute force attack to open up a locked car:

This makes sense.  A teen might park their car nearby with a laptop with the ability to broadcast a WiFi signal. They’d then receive that signal and rebroadcast via some sort of small fob as the laptop cycled through millions of potential keys.

But there’s one problem with using that technical explanation on some of the recent incidents.  Brute force attacks tend to be slow, taking minutes at minimum.  These attacks, like the one in the video above, appeared to be carried out in seconds.

II. Passive Threat

Boris Danev, founder of 3DB Technologies, offered an even more exotic claim to Bilton — that there’s a new wave of electronic theft devices that break in using an even more devious strategy — amplification.  Say the owner of the car is inside the house or their keys were left on the entryway counter.  The premise goes that the thief would detect that faint signal — too weak to allow the door to unlock — amplify it, clean it up, and rebroadcast it, causing the car to unlock in seconds.

Danev claims:
It’s a bit like a loudspeaker, so when you say hello over it, people who are 100 meters away can hear the word, ‘hello.’  You can buy these devices anywhere for under $100. Some of the lower-range devices cost as little as $17 and can be bought online on sites like eBay, Amazon and Craigslist.  [To avoid this] put your keys in the freezer, which acts as a Faraday Cage, and won’t allow a signal to get in or out.
It’s important to note that Danev does have a vested interest in selling that claim — simply put, he’s literally selling it.  His company makes proximity-based unlock solutions that he claims are more secure.  The claim pitched to potential automakers and aftermarket parties is that the 3DB Tech.’s chips will block known brute force attacks and amplification attacks as well.

There’s reason to be a bit skeptical of these claims as well.

First, there was a long running urban legend/email scam regarding thieves using cell phones to receive your key fob presses and resend them.  Signal engineers will recognize why this story is obviously false — cell phones don’t transmit on the same frequency ranges as typical car key fobs.

But what about specialty equipment that is designed to retransmit signals?  The most probable route would be the one presented back in 2011 [PDF] at the Network and Distributed System Security Symposium by none other than Danev and his colleagues Aurélien Francillon (researcher) and Srdjan Capkun (an assistant professor of computer science).  At the time the trio was working in the system security group at ETH Zürich, Switzerland’s top technical university.

Remote keyless entry (RKE) is divided into two categories — active and passive.  Both typically operate on encrypted channels in modern vehicles.  Active RKE involves actually pushing a button on a key fob to unlock the doors.  Passive keyless entry — often found on luxury models — automatically unlocks the doors when the driver’s key comes in range of them (some models only unlock the driver’s side door).

A diagram of the attack described by Danev et al. is shown here.
Passive RKE seems the more attractive target as all you have to do is somehow complete a call-and-response chain via signal interception and amplification of the signals between the vehicle and the owner’s keys.

Indeed Danev and his fellow researchers tapped into passive RKE systems’ low power, short range signals, which are supposed to only be detected by the key fob and responded to when the owner is nearby.

By intercepting and retransmitting that signal to a distant key fob they were able to unlock the car.  But the attack wasn’t as simple as you might think. The attacker obviously needed an antenna near the car door to intercept the low power signal.  But they also needed an antenna near the fob itself to intercept and relay the signal.  The researchers put forward a couple of scenarios, including one where a key near a window responded to a cloned signal from the vehicle.

III. So Was It a Passive Keyfob Attack?

Bilton says his key was “on the kitchen counter,” so that makes sense from a line of sight premise.  So how did thieves get around placing the second antenna?  The answer may lie in the use of an amplifier.  A standard signal frequency of 315 MHz for North America-made vehicles and 433.92 MHz for European/Asian-made vehicles is used in most OEM branded remote keyless entry (RKE) systems.

Thus a system like that described might be built out of a microcontroller, antenna, and other assorted off-the-shelf parts.  Indeed a team of student engineers at the Rochester Institute of Technology claim to have done precisely that [PDF].  However, most people would lack the knowledge to construct a black box capable of automatically detecting nearby signals and boosting their range.

While I was unable to confirm Danev’s claim of complete solutions being available on eBay, Inc. (EBAY) I did however find a number of similar solutions on a shadier site named “ADK Auto Diagnostics”.  Notably I found a black box “433Mhz 315Mhz Rolling Code Remote Control Detector Duplicator” that is being billed as a “car locksmith tool.”

The Chinese “black box” keyless entry lockpicking tool.
Assuming these are actually authentic (which they may not be) they may work in a couple of ways.  First, they could be cloning the signals of passive RKE systems, having found a more compact way to handle the interception of the low-power vehicle signal and the higher power response from the key fob.

Second, they could be used by a lurking burglar or burglars to possibly intercept key codes from an active RKE system.  As modern active RKE systems typically cycle the keys on their signals to prevent easy theft, a car thief would have to act quickly — perhaps intercepting the signal of someone who walked out to their car and grabbed something. The thief could then strike a minute or two later as soon as the person went inside, depending on how long it takes for the code to cycle.
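As an added illustration (example code written for this edit, not from the original article, USA Today, Bilton, or Danev’s company), the toy model below shows the two defensive properties the last few paragraphs lean on: a rolling-code unlock frame goes stale as soon as the fob is pressed again while a fixed-code frame never does, and the round-trip-time (distance-bounding) check that Francillon, Danev and Capkun proposed rejects a relayed passive-entry response even though its cryptography verifies. The frame layout, key, serial number, resync window and timing constants are all constructed assumptions, not any manufacturer’s format.

```python
import hashlib
import hmac

# --- Constructed toy parameters (none of these are real vehicle values) -------
SERIAL = b"\x00\x12\x34\x56"             # hypothetical fob serial number
KEY = b"example-shared-fob-key-0001"      # hypothetical key shared by fob and car
STATIC_CODE = b"\x0a\x0b\x0c\x0d\x0e\x0f"  # a fixed-code remote's only secret
RESYNC_WINDOW = 16                        # missed presses the receiver tolerates
C_M_PER_S = 299_792_458.0                 # speed of light, metres per second
MAX_RANGE_M = 3.0                         # passive entry should only work this close
FOB_TURNAROUND_S = 2e-6                   # fixed fob processing time assumed by the bound


def make_frame(key: bytes, serial: bytes, counter: int) -> bytes:
    """Rolling-code unlock frame: serial || 32-bit counter || truncated HMAC tag."""
    ctr = counter.to_bytes(4, "big")
    tag = hmac.new(key, serial + ctr, hashlib.sha256).digest()[:8]
    return serial + ctr + tag


class RollingCodeFob:
    def __init__(self, key: bytes, serial: bytes) -> None:
        self.key, self.serial, self.counter = key, serial, 0

    def press(self) -> bytes:
        self.counter += 1
        return make_frame(self.key, self.serial, self.counter)


class RollingCodeReceiver:
    """Accepts a frame only if its tag verifies and its counter moves forward."""

    def __init__(self, key: bytes, serial: bytes) -> None:
        self.key, self.serial, self.last_counter = key, serial, 0

    def accept(self, frame: bytes) -> bool:
        serial, ctr, tag = frame[:4], frame[4:8], frame[8:]
        if serial != self.serial:
            return False
        expected = hmac.new(self.key, serial + ctr, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        counter = int.from_bytes(ctr, "big")
        # Counter must be strictly newer than the last one seen, within a bounded
        # window: an old frame (a replay) is rejected, a few missed presses are not.
        if not self.last_counter < counter <= self.last_counter + RESYNC_WINDOW:
            return False
        self.last_counter = counter
        return True


def static_code_accept(stored_code: bytes, frame: bytes) -> bool:
    """Fixed-code receiver: any copy of the frame is as good as the original."""
    return hmac.compare_digest(stored_code, frame)


def replay_scenarios() -> dict:
    """Which captured frames each receiver type accepts (the article's cycling point)."""
    fob = RollingCodeFob(KEY, SERIAL)
    car = RollingCodeReceiver(KEY, SERIAL)

    captured = fob.press()  # press made out of the car's range, so the car never heard it
    tampered = captured[:-1] + bytes([captured[-1] ^ 0xFF])  # one tag byte flipped
    results = {"rolling_tampered_frame": car.accept(tampered)}
    # The unheard frame is still "fresh" from the car's point of view...
    results["rolling_replay_of_unheard_frame"] = car.accept(captured)
    # ...until the owner presses again and the counter moves past it.
    car.accept(fob.press())
    results["rolling_replay_after_next_press"] = car.accept(captured)
    # A fixed code has no counter, so a copy of it is accepted forever.
    results["static_replay"] = static_code_accept(STATIC_CODE, bytes(STATIC_CODE))
    return results


def passive_entry_rtt_ok(distance_m: float, extra_delay_s: float = 0.0) -> bool:
    """Distance-bounding check for the passive challenge/response.

    The car accepts a response only if the round trip fits within the time light
    needs to cover MAX_RANGE_M twice plus the fob's fixed turnaround.  A relay
    adds the true fob distance and its own electronics delay, so the response
    arrives late even though it was computed by the genuine fob.
    """
    observed = 2 * distance_m / C_M_PER_S + FOB_TURNAROUND_S + extra_delay_s
    bound = 2 * MAX_RANGE_M / C_M_PER_S + FOB_TURNAROUND_S
    return observed <= bound


if __name__ == "__main__":
    print(replay_scenarios())
    print("owner at 1 m:", passive_entry_rtt_ok(1.0))
    print("relayed fob 30 m away, 1 us relay delay:", passive_entry_rtt_ok(30.0, 1e-6))
```

The rolling-code half is why the “act quickly” window in the paragraph above exists at all: the receiver is not checking a clock, only that the counter keeps advancing, so a frame the car never heard stays valid until the next genuine press. The timing half is the point of the ETH Zürich work: relaying does not break the cryptography, so the only thing the car can measure is how long the answer took, and a bound of a few nanoseconds of propagation on top of a fixed turnaround is what separates a fob at the door from one relayed from the kitchen counter.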

IV. The Truth is Out There

The real question I have is that if these premade sort of lockpicking tools are for real, why aren’t we seeing more of them?  Yes, that’s what the USA Today report seems to be trying to suggest, but ultimately it only offers up a handful of highly publicized incidents.  Overall there’s little sign that this is becoming a widespread technique to get into cars.  Typical “Slim Jim” style mechanical attacks remain the popular and somewhat ubiquitous solution.

A skilled thief can use a “slim jim” to perform a mechanical attack to circumvent car locks, leaving no signs of damage or forced entry. [Image Source: HPCWorld]
Assuming these isolated incidents are for real, it’s premature to suggest it’s some sort of new amplification-based passive RKE hack.  After all, there are too many other possibilities.

For example, if you wanted to get really outlandish, perhaps the hackers didn’t even use the key fob, instead hacking directly into the wireless link of the CAN bus and injecting instructions, as seen in this Motherboard special.

Or yet another, more down to Earth, possibility is that the thieves simply worked by day at a local repair shop or dealership and cloned the car’s remote.  Many such remote duplicators exist on eBay, but they only work on static code chips, not rolling code (cycling) chips.  Given that Bilton’s Prius uses the standard Toyota G chip — an EEPROM based static code — the idea of key duplication is one possibility that satisfies the Occam’s Razor principle.

A far less sensational hypothesis is that these car thieves may simply be cloning keys at auto shops when they go in for repairs. [Image Source: MichaelHyde]
Or yet another somewhat simpler explanation (that’s still somewhat exotic) is that the young thieves might have used a frequency jammer (perhaps the black box seen).  A jammer would provide a plausible explanation in both the Long Beach, Calif. theft and the theft experienced by Bilton in the LA area.  The victim might have thought they locked their car, when it really remained unlocked, thanks to the attacker’s jammer.  Such jammers are more widely available and a proven quantity, if rarely used by thieves due to their expense.  (They’re also illegal.)

USA Today and The New York Times both carry Danev’s suggestion to put your key in either the freezer or the microwave — Faraday cages.  But that may be an overly paranoid suggestion.  A simpler solution is to not leave anything valuable in your car (as most of these car thieves appear to be searching for valuables, not trying to steal the vehicle) or — alternatively — secure the vehicle physically (i.e. put it in your garage).

And while it’s one part scary, one part entertaining to think we’re entering some bold new era where hacker kids can unlock our cars, reality may be far more boring.  Maybe they just used copied key fobs.  At worst it appears these kinds of electronic attacks are quite rare in the wild, although they draw much media attention.
