#1
06-09-2013, 12:28 AM
davidm
Charter Member
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,483

How are these car burglars hacking keyless remote locks?


There's a video and article at this link. The police are asking the public for help in solving this so I thought that if anybody can, the Dope can.
http://www.today.com/news/police-adm...fts-6C10169993
Quote:
This is a real mystery. You think when you lock your car and set the alarm, your car is pretty safe. But criminals have designed a new high-tech gadget giving them full access to your car. It's so easy, it's like the criminals have your actual door remote. Police are so baffled they want to see if you can help crack the case.

A Long Beach, Calif., surveillance video shows a thief approaching a locked SUV in a driveway. Police say he's carrying a small device in the palm of his hand. You can barely see it, but he aims it at the car and pops the locks electronically. He's in, with access to everything. No commotion at all.
It's not as simple as cloning the signal since modern keyless remotes use encrypted rolling keys. I don't know the precise algorithm but it's probably a pseudo-random number generator with the signal encrypted using a public/private key pair. Something impossible to clone and next to impossible to hack.

So what's going on here? The article says that the thief "aims" a device at the car and opens the locks. I think the part about "aiming" (there's no aiming involved with keyless remotes) and unlocking may be assumptions on the part of police because, to me at least, you can't tell any of that from the video. All I see is him standing next to the car and then opening the door.

Suppose instead they have a device that rapidly transmits over a strong signal a large number of possible codes of the right length one after another in a short period. They enter a parking garage, or a residential block, turn it on, let it run for a while, and then go through the garage or down the block trying door handles to see which ones have unlocked. I have no idea if this is feasible since I don't know the size of the code search space and I don't know how rapidly a code can be transmitted and still work. The videos seem to show immediate success, but they'd only check the videos near the cars that were broken into right? Maybe they went through that whole garage trying doors and just happened to get lucky with two right next to each other. This would also be consistent with the fact, also stated in the video, that it doesn't seem to work with every car.

Another possibility may involve the way passenger door unlocking works. It's mentioned in the video that they seem to always use the passenger door. This may simply be because it's easier to access the interior of the car without the steering wheel in the way and it also gives easy access to the glove compartment.

But what if it's more than that? In my car, and others that I'm aware of, one click of the fob unlock button unlocks the driver's door and a second click unlocks the other doors. Could this system introduce some type of weakness? How does it work? Is there a timer that will open the other doors if a second signal is detected within x milliseconds of the first? Is the security of this second signal as strong? Maybe not, since it's only acted on after the first, very secure, signal has been received. If it's not as secure, could there be a way to exploit this and trigger it without the first signal?

Thoughts? Other ideas? Maybe they're exploiting some kind of flaw in the code, causing something like a buffer overflow or a comparison to a NULL or something?
#2
06-09-2013, 12:38 AM
Gatopescado
Guest
Join Date: Aug 2001
Location: on your last raw nerve
Posts: 22,264
There's an ap for that.

Last edited by Gatopescado; 06-09-2013 at 12:39 AM. Reason: The irony of this post is, I don't even know what an "ap" is.
#3
06-09-2013, 12:56 AM
Leaffan
Member
Join Date: Aug 2005
Location: Ottawa
Posts: 24,539
Call me skeptical, but how do we know these cars were locked in the first place? If you read about car fobs on howstuffworks it seems very unlikely that any device could be cracking the codes with regularity.
Quote:
There is no way to predict which random number the transmitter and receiver have chosen to use as the next code, so re-transmitting the captured code has no effect. With trillions of possibilities, there is also no way to scan through all the codes because it would take years to do that.

Last edited by Leaffan; 06-09-2013 at 12:57 AM.
#4
06-09-2013, 01:13 AM
davidm
Charter Member
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,483
Quote:
Originally Posted by Leaffan
Call me skeptical, but how do we know these cars were locked in the first place? If you read about car fobs on howstuffworks it seems very unlikely that any device could be cracking the codes with regularity.
But there could be a flaw in the software, or the hardware. Also, it's conceivable that knowing something about the algorithms could help to reduce the number of codes to be searched to something more reasonable. From what I understand about the way these things work (or at least used to work), you can reduce the number of codes you'd have to search by a factor of 256. That would still leave an amount that would be impossible to search but maybe knowing more would make it possible to slash the number even further. Could it be reduced to a workable number? It's doubtful, but who knows.

But I suppose it's possible that these are cases of people who forgot to lock their cars and it's being hyped into a mass hysteria.

I could also imagine that some coder put a back door into these things and is now making money selling black boxes that open cars.
#5
06-09-2013, 01:39 AM
santorum
Guest
Join Date: Feb 2012
Posts: 46
From the news article,

"Adding to the mystery, police say the device works on some cars but not others. Other surveillance videos show thieves trying to open a Ford SUV and a Cadillac, with no luck. But an Acura SUV and sedan pop right open. And they always seem to strike on the passenger side. Investigators don't know why."

Sounds like a Honda problem
#6
06-09-2013, 06:38 AM
davidm
Charter Member
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,483
I don't think we have enough data to decide it's a problem with a specific brand, although it is notable that all the vehicles specifically mentioned in the video were Hondas, and Acuras specifically. There's no way of knowing if that holds true in other burglaries. Anyone recognize the brands in the security video?

Could it be something as simple as an electromagnet that manipulates the lock mechanism from outside the door? One problem with that is that it seems like that should activate the alarm. Not all cars have an alarm but I think it's an option for pretty much any model and there's no way I know of to tell from outside whether or not a car has an alarm.

Maybe it's some sort of EMP thing that temporarily knocks out the electronics, but if that was the case then I'd think you'd still need to break a window or use a slim jim or something to actually open the door.

I wonder if these cars had been serviced recently. If you have access to the interior of the vehicle, you can clone a key, especially if you're a dealer. The problem with that hypothesis is that the police would have thought of this already.
#7
06-09-2013, 08:17 AM
ftg
Member
Join Date: Feb 2001
Location: Not the PNW :-(
Posts: 20,038
People have been cracking keyless entry systems for years. It's especially been a problem for really high end (hundreds of thousands of $s) cars. Well worth the time and money to develop the hardware to do it. It also causes a problem for the owner when the insurance co. thinks the cars can't be stolen this way despite repeated demos of how it is done.

Now it is more common for lesser value cars.

Note: Cryptographic systems are easy to design, impossible to implement right. We're talking computer programs here. No significant computer program is ever bug proof. And people take shortcuts, make adaptations for reality, etc. So, they are never perfect.

The rolling code system cannot be done "right" in real life. Someone presses the fob too far away, it gets pressed a hundred times in your pocket or purse, etc. So some "slop" has to be built into the system. People do the math wrong on the slop and that leaves a hole that can be exploited. Throw in some bean counters who say that it need only be a 24 bit code and not a 32 bit code since that will save 30 cents.

Remember, as far as the car makers go, they only want the appearance of security. True security is not their job.

Keyless entries are not as secure as old fashioned keys. Just like contact-less credit cards are even less secure than mag stripe ones. Ain't progress grand?
#8
06-09-2013, 08:41 AM
davidm
Charter Member
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,483
There is slop built into the system by the fact that any of the next 256 codes are accepted, for the reason you stated, buttons get pushed accidentally in purses, pockets, etc. That reduces the search space by a factor of 256. Go from 32 bits to 24 bits (are they really that short?) and that's another factor of eight. At this point, you're down to only 64k possibilities. Would rapidly transmitting 64k possibilities work? I would hope that the system would lock out access for 5 minutes and perhaps alarm if something like that were attempted.

In any case I'm skeptical that the codes are really as short as 32 bits let alone 24 (maybe you have a cite?). Remember that, if the reporting is to be believed, the experts are stumped by this.

I think they're most likely either exploiting a bug in the code or bypassing that stuff altogether and somehow exploiting some factor in the mechanical aspect of things.
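An added Python model, not from any poster, of the window arithmetic in this post and the "slop" ftg describes two posts up: a toy counter-based receiver (real systems encrypt the counter; this skips the cipher) that accepts any of the next 256 codes, a fob pressed in a pocket that drifts ahead of the receiver, and a lockout after a run of bad codes, the mitigation davidm hopes for. The starting counter, the window size and the lockout threshold are constructed assumptions.

```python
"""Toy rolling-code receiver: acceptance window, pocket-press drift, lockout.

Added illustration, not code from any poster or from any car maker. The
receiver accepts a bare counter value (a real fob encrypts the counter
before sending it); only the window arithmetic and the lockout matter here.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed starting counter; a real receiver's counter is unknown to outsiders.
START_COUNTER = 0x5A3C17


def effective_search_space(code_bits: int, window: int) -> int:
    """Distinct codes a blind sweep must send when any of the next `window`
    counter values is accepted: 2**code_bits / window (24 bits, 256 -> 65536)."""
    return (1 << code_bits) // window


@dataclass
class RollingCodeReceiver:
    """Accepts a code if it is 1..`window` steps ahead of the last accepted
    one, then resynchronises to it. Optionally locks out after a run of bad codes."""
    code_bits: int = 24
    window: int = 256
    lockout_after: int = 16        # assumed threshold; 0 disables the lockout
    lockout_seconds: int = 300     # assumed 5-minute lockout
    counter: int = 0
    bad_streak: int = 0
    locked_until: int = 0          # simulated clock, in seconds
    unlocks: int = 0

    @property
    def modulus(self) -> int:
        return 1 << self.code_bits

    def try_code(self, code: int, now: int) -> bool:
        """Return True if `code` unlocks the doors at simulated time `now`."""
        if now < self.locked_until:
            return False                       # everything is ignored during lockout
        distance = (code - self.counter) % self.modulus
        if 1 <= distance <= self.window:
            self.counter = code                # resync to the accepted code
            self.bad_streak = 0
            self.unlocks += 1
            return True
        self.bad_streak += 1
        if self.lockout_after and self.bad_streak >= self.lockout_after:
            self.locked_until = now + self.lockout_seconds
            self.bad_streak = 0
        return False


def pocket_press_demo(pocket_presses: int, window: int = 256) -> bool:
    """ftg's 'slop': the fob is pressed `pocket_presses` times out of range, then
    once at the car. Returns whether that last press is still accepted."""
    rx = RollingCodeReceiver(window=window)
    fob_counter = 1
    rx.try_code(fob_counter, now=0)            # one normal press: fob and car in sync
    fob_counter += pocket_presses              # unheard presses advance only the fob
    fob_counter += 1                           # the press at the car
    return rx.try_code(fob_counter, now=1)


def sweep_until_unlock(rx: RollingCodeReceiver, rate_per_second: int,
                       max_seconds: int) -> Optional[int]:
    """Send codes window-size apart at `rate_per_second` for up to `max_seconds`
    of simulated time. Returns how many codes it took before the first unlock,
    or None if the receiver never opened (e.g. because the lockout held)."""
    sent = 0
    code = 0
    for t in range(max_seconds):
        for _ in range(rate_per_second):
            code = (code + rx.window) % rx.modulus
            sent += 1
            if rx.try_code(code, now=t):
                return sent
    return None


if __name__ == "__main__":
    print("24-bit code, window 256:", effective_search_space(24, 256), "codes")
    print("100 pocket presses, fob still works:", pocket_press_demo(100))
    print("300 pocket presses, fob still works:", pocket_press_demo(300))
    no_lockout = RollingCodeReceiver(counter=START_COUNTER, lockout_after=0)
    print("codes sent before unlock, no lockout:",
          sweep_until_unlock(no_lockout, 100, 3600))
    with_lockout = RollingCodeReceiver(counter=START_COUNTER)
    print("codes sent before unlock, with lockout:",
          sweep_until_unlock(with_lockout, 100, 3600))
```

Without the lockout the toy receiver opens after 23,101 window-spaced codes, inside the 65,536-code space the post works out; with a 16-bad-codes lockout, the same hour-long sweep at 100 codes per second never gets through.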
#9
06-09-2013, 08:51 AM
davidm
Charter Member
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,483
I'll give you an example of what I mean by mechanical aspect. Years ago I did a short stint writing software for a company that made change machines.

They received a complaint from a customer who had a machine located in a college dorm next to some snack and soda machines. It was designed to accept bills and dispense quarters.

It had the latest in bill scanning and sensing hardware and software to prevent people using things like photocopied bills. All of this high tech was used to decide whether or not, and how many times, to activate an electromechanical relay which caused a quarter to be released each time it clicked.

Someone had discovered that if you hit the machine at just the right spot, the relay contact would jump and a quarter would be dispensed. All of the high tech security was being bypassed completely by interfering at the end of the chain of events.

Car locks ultimately are electromechanical. The only thing I'm not sure about is the alarm system.

Last edited by davidm; 06-09-2013 at 08:51 AM. Reason: Spelling
#10
06-09-2013, 09:10 AM
AaronX
Guest
Join Date: Feb 2011
Location: 127.0.0.1
Posts: 3,469
The easiest way I know of is to just jam the locking signal. Like Leaffan said, are you sure the car was locked?
#11
06-09-2013, 09:24 AM
davidm
Charter Member
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,483
Quote:
Originally Posted by AaronX
The easiest way I know of is to just jam the locking signal. Like Leaffan said, are you sure the car was locked?
Jamming the locking signal is very clever, but only if you're targeting a specific profitable item such as a GPS unit that you know is always left in the car. Most cars audibly indicate that the alarm has been armed, but I suppose someone not paying attention might miss that. There is the issue that they've been seen unsuccessfully trying to open some cars. Perhaps in those instances the owner accessed the car and then locked it in between the jamming and the burglary attempt.
#12
06-09-2013, 09:28 AM
davidm
Charter Member
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,483
I just had a thought. You wouldn't necessarily have to be targeting a specific vehicle in order for locking signal jamming to be profitable.

Suppose you hid a powerful transmitter in a neighborhood around the time that people get home from work and jam all, or most, of the locking signals in the area? Then, when you come around later, some would be unlocked, and some would be locked because they had been there before the jamming started. The only problem I have with this is that it's almost certain that more than one person would notice that their car hadn't locked and neighbors comparing experiences might become suspicious. Still, it's an interesting thought.
#13
06-09-2013, 09:32 AM
AaronX
Guest
Join Date: Feb 2011
Location: 127.0.0.1
Posts: 3,469
Yes, just set up a jammer in a car in an office parking lot. During office hours, just check all the cars around that car. I know someone who was struck by this before (he doesn't check his car). Speaking of checking your car - won't that prevent locking a child in the car?
#14
06-09-2013, 09:34 AM
Rick
Guest
Join Date: Aug 1999
Posts: 16,451
Odd.
Most cars have 2-step unlocking where the driver's door unlocks first.
Next is the security system. Getting the door to the unlock position by whatever means does not disable the security system.
After that, the antenna for the security system is usually not located in the door. An exception to this would be cars with proximity keys (the kind you leave in your pocket, and start the car with a push button). I wonder if these were all proximity key cars?
Lastly, I would assume that the odds of a functional code for Honda being the same as that for another brand of car are very, very slim.
__________________
Remember this motto to live by: Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather one should aim to skid in sideways, chocolate in one hand, glass of Scotch in the other, your body thoroughly used up, totally worn out and screaming "WOO HOO! Man, what a ride!"
#15
06-09-2013, 09:43 AM
davidm
Charter Member
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,483
Quote:
Originally Posted by AaronX
Yes, just set up a jammer in a car in an office parking lot. During office hours, just check all the cars around that car. I know someone who was struck by this before (he doesn't check his car). Speaking of checking your car - won't that prevent locking a child in the car?
If I'm not mistaken, my car, which is a Honda, automatically locks and arms if the doors are closed but not locked for more than X seconds. Of course, that's just my car.

Last edited by davidm; 06-09-2013 at 09:44 AM.
#16
06-09-2013, 09:46 AM
AaronX
Guest
Join Date: Feb 2011
Location: 127.0.0.1
Posts: 3,469
Quote:
Originally Posted by davidm
If I'm not mistaken, my car, which is a Honda, automatically locks and arms if the doors are closed but not locked for more than X seconds. Of course, that's just my car.
That's... Inconvenient. Especially when you think about kids in cars.
#17
06-09-2013, 10:03 AM
davidm
Charter Member
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,483
Quote:
Originally Posted by AaronX
That's... Inconvenient. Especially when you think about kids in cars.
I just Googled it. What I said isn't entirely correct. If I get out and just walk away, it won't lock on its own.

What will happen is if I unlock the doors but don't open one, it will relock after 10 or 15 seconds. Once you open a door the auto relocking doesn't occur. So if someone jammed my locking signal and I failed to notice that the second (arming) click didn't sound the horn, I would walk away with the car unlocked.

I suppose if someone was targeting a specific car and was really clever, they could sit in a nearby car with a jammer and then at the moment you click your button the second time, tap on their horn, but I can't imagine someone actually trying to do that.

Thinking about the signal jamming, it seems like the police would be aware of this possibility (since you say it has been done); yet they don't seem to be considering it. They seem convinced that it's being done with some sort of handheld device at the time of the break-in. Maybe they have other video where they can see the device more clearly.

I suppose if I were doing the signal jamming thing, and I knew there might be security cameras, I might hold some object and act as if I was using it just to throw them off the scent, but that's probably too clever by half.
#18
06-09-2013, 11:22 AM
Patty O'Furniture
Guest
Join Date: May 1999
Location: Bangkok/52/Male
Posts: 8,871
I haven't looked at a car door locking mechanism in years, but aren't they still using solenoids to do the job? I wonder if it's somehow possible to dump a buttload of RF energy near the lock, cause the solenoid coil to energize and then Bob's your uncle. I agree with the poster who said it's most likely a mechanical weakness being exploited, not a code bug.
#19
06-09-2013, 11:34 AM
GreasyJack
Guest
Join Date: Feb 2008
Location: Montana
Posts: 4,965
Quote:
Originally Posted by Patty O'Furniture
I agree with the poster who said it's most likely a mechanical weakness being exploited, not a code bug.
The only thing with that is I presume this mystery device is also disabling the OE alarm. If you bypass the central locking and unlock and open the door via mechanical means, the alarm should go off. If it doesn't disable the alarm, I don't see what major advantage the mystery device would have over this tried and true device: http://www.homedepot.com/p/2-in-x-3-...x#.UbSt49Lvtc0

Last edited by GreasyJack; 06-09-2013 at 11:35 AM.
#20
06-09-2013, 11:47 AM
ftg
Member
Join Date: Feb 2001
Location: Not the PNW :-(
Posts: 20,038
Note that people aren't just breaking into cars. They are also, for some models, driving off with them. So jamming clearly isn't what is going on with the latter.

David Beckham had a couple of high end cars stolen this way, one of which ended up being driven by a Macedonian government minister!

BTW: I was just using the 32 vs 24 bit thing as an example. But cost cutting is a typical problem for a lot of systems. WiFi security is heavily compromised due to the hardware manufacturers not wanting to use the next most expensive chips.

Just because something is unbreakable in theory doesn't mean it's unbreakable in practice. Quantum cryptography was touted as being perfectly secure and then some exploits have been found.
#21
06-09-2013, 12:09 PM
Rick
Guest
Join Date: Aug 1999
Posts: 16,451
Quote:
Originally Posted by Patty O'Furniture
I haven't looked at a car door locking mechanism in years, but aren't they still using solenoids to do the job? I wonder if it's somehow possible to dump a buttload of RF energy near the lock, cause the solenoid coil to energize and then Bob's your uncle. I agree with the poster who said it's most likely a mechanical weakness being exploited, not a code bug.
Yes they use solenoids.
I thought of this but it won't work.
You have two wires to the solenoid. Call them a and b. At rest both are connected to ground. To lock the car, wire a is energized for a moment, and since b is grounded the solenoid energizes and pulls the lock to the locked position. To unlock, b gets energized and a is grounded, so the solenoid magnetic field is reversed and the lock is pushed to the unlock position.
Here are the problems with your theory:
1. How do you induce voltage in just one wire, not both? They are side by side in the harness. Voltage in both wires = no current flow.
2. How do you get the voltage in the unlock wire and not in the lock wire?
#22
06-09-2013, 12:12 PM
Chronos
Charter Member
Moderator
Join Date: Jan 2000
Location: The Land of Cleves
Posts: 84,730
First of all, it would be nearly impossible to hack a proper cryptographic keyless entry system. But I've never heard of any keyless entry system using proper cryptographic techniques. It'd be a lot easier to hack a rolling sequential code system.

Second, as others have already pointed out, some of these cars might not have been locked in the first place. Even aside from jamming, there are always going to be people who just plain forget to lock their doors.

Third, it's not at all remarkable that somebody can walk through the parking lot, push a button on a handheld device, and cause the car to unlock. That's exactly how the system is supposed to work, after all. Maybe the thieves have just somehow gotten ahold of the actual OEM fobs themselves: picking pockets, maybe, or grabbing one that accidentally got left on a restaurant table, or purse-snatching, or whatever.

Fourth, there are almost certainly backdoors. What does the repairman do if your fob gets broken? There has to be some other way to get in, or to attune a new fob, or whatever. Maybe the thief has a buddy who used to work at a dealership, and gave him the equipment the dealer uses to do that.
#23
06-09-2013, 12:33 PM
davidm
Charter Member
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,483
I think if the owners had lost a key it would be realized that that is what has happened, yet the police claim to be baffled. As far as repairmen and a backdoor, what happens if a key is lost is you mechanically open the door, perhaps using a slim jim, then go through an involved procedure to shut off the alarm (while it's alarming the whole time). You can then link a new OEM fob to the car by putting it in the ignition and following another involved procedure, and there is no dealer shortcut for this, so linking a new key to the car involves FIRST gaining access to the interior of the car. Obviously none of this is what's happening.
#24
06-09-2013, 12:41 PM
GreasyJack
Guest
Join Date: Feb 2008
Location: Montana
Posts: 4,965
Quote:
Originally Posted by ftg
Note that people aren't just breaking into cars. They are also, for some models, driving off with them. So jamming clearly isn't what is going on with the latter.

David Beckham had a couple of high end cars stolen this way, one of which ended up being driven by a Macedonian government minister!
With the BMW security flaws, once you gained access to the OBD port inside the car you could program a new key from a blank, which you weren't supposed to be able to do without the old key. You still have to use that device I linked to earlier to get into the car.

Quote:
Originally Posted by davidm
You can then link a new OEM fob to the car by putting it in the ignition and following another involved procedure, and there is no dealer shortcut for this, so linking a new key to the car involves FIRST gaining access to the interior of the car. Obviously none of this is what's happening.
These cars aren't being stolen, though, they're just being rifled through. While the device is an intriguing mystery, it doesn't seem to me to be all that much different than a normal smash-n-grab. A way to bypass the immobilizer systems and actually drive off with a newer car would be a big development in the car theft arena, but this isn't so much.

Last edited by GreasyJack; 06-09-2013 at 12:42 PM.
#25
06-09-2013, 12:43 PM
davidm
Charter Member
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,483
Actually replacing a key is apparently even more involved than I said. My brother tells me that he lost his valet key (a special key that only does two things: open the driver's door and work in the ignition). He asked the dealer if they could order a new one. They told him that they would have to order a whole new set of keys because programming one new key would disable all of the old ones. So if someone did somehow manage to link an OEM key to a car, all of the other keys would be disabled; something the driver would be sure to notice. This may not be true for all makes, but my brother drives a Honda, which is the make mentioned in the article as having been broken into.
#26
06-09-2013, 12:52 PM
davidm
Charter Member
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,483
Quote:
Originally Posted by GreasyJack
...
These cars aren't being stolen, though, they're just being rifled through. While the device is an intriguing mystery, it doesn't seem to me to be all that much different than a normal smash-n-grab. A way to bypass the immobilizer systems and actually drive off with a newer car would be a big development in the car theft arena, but this isn't so much.
But we don't know that for sure. All we know about are the ones that were rifled through. It's possible that some have been stolen that way and it was assumed that they were hauled off on a flatbed.

But if it is true that they aren't being stolen with this method that raises the question of why. If all they're doing is unlocking a door and disabling an alarm without making it possible to actually start the car then that in itself is a clue and may indicate that they're doing something other than hacking the security software.

I'm leaning towards the idea that they're jamming the locking signal and the cars were therefore never locked in the first place, and that the police are mistaken that there is some device involved at the actual moment of break-in.
#27
06-09-2013, 01:01 PM
Leaffan
Member
Join Date: Aug 2005
Location: Ottawa
Posts: 24,539
Wait a minute, it appears to be easy to program a new fob using instructions in the car manual or found on-line, from what I can see googling around. People do drop cars off for repair work, cleaning, etc. and leave their keys. It would be easy for someone to get your address from papers in the car, and program a fob to open the door.

And that would also explain why they're not driving away in the car, not to mention this is happening at home addresses apparently.

How is this stumping the police or security experts?

Last edited by Leaffan; 06-09-2013 at 01:02 PM.
#28
06-09-2013, 01:02 PM
Shalmanese
Charter Member
Join Date: Feb 2001
Location: Shenzhen, China
Posts: 7,287
Quote:
Originally Posted by ftg
Keyless entries are not as secure as old fashioned keys. Just like contact-less credit cards are even less secure than mag stripe ones. Ain't progress grand?
This is ridiculous. It's far easier to pick a lock than it is to hack a remote entry system. Here's a guy who did it in under 20 seconds
#29
06-09-2013, 01:18 PM
davidm
Charter Member
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,483
Quote:
Originally Posted by Leaffan
Wait a minute, it appears to be easy to program a new fob using instructions in the car manual or found on-line, from what I can see googling around. People do drop cars off for repair work, cleaning, etc. and leave their keys. It would be easy for someone to get your address from papers in the car, and program a fob to open the door.

And that would also explain why they're not driving away in the car, not to mention this is happening at home addresses apparently.

How is this stumping the police or security experts?
Because, as has been said repeatedly in this thread, it is NOT that easy. You need to already be inside the car to do what needs to be done to reprogram a key.
#30
06-09-2013, 01:23 PM
Leaffan
Member
Join Date: Aug 2005
Location: Ottawa
Posts: 24,539
Quote:
Originally Posted by davidm
Because, as has been said repeatedly in this thread, it is NOT that easy. You need to already be inside the car to do what needs to be done to reprogram a key.
Yes, and as I mentioned it could be taking place anywhere where people do have access to the inside of your car, such as repair shops, cleaners, etc. Or maybe it's someone at work who grabs your keys off your desk and borrows them for a few minutes. There are lots of opportunities here.

Last edited by Leaffan; 06-09-2013 at 01:24 PM.
#31
06-09-2013, 01:29 PM
GreasyJack
Guest
Join Date: Feb 2008
Location: Montana
Posts: 4,965
Quote:
Originally Posted by Leaffan
Wait a minute, it appears to be easy to program a new fob using instructions in the car manual or found on-line, from what I can see googling around. People do drop cars off for repair work, cleaning, etc. and leave their keys. It would be easy for someone to get your address from papers in the car, and program a fob to open the door.

And that would also explain why they're not driving away in the car, not to mention this is happening at home addresses apparently.

How is this stumping the police or security experts?
That does sound very plausible. The only potential pitfall there is that when you add a fob, all the other existing ones have to be reprogrammed. So if the victim had two fobs, the spare one would quit working. But, hey, those stupid things quit working all by themselves just fine.
#32
06-09-2013, 01:46 PM
davidm
Charter Member
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,483
Quote:
Originally Posted by Leaffan
Yes, and as I mentioned it could be taking place anywhere where people do have access to the inside of your car, such as repair shops, cleaners, etc. Or maybe it's someone at work who grabs your keys off your desk and borrows them for a few minutes. There are lots of opportunities here.
Correct. And it may be something like that, but remember that the police and security experts are stumped. Surely they would have thought of this explanation and checked with the victims to see if they had any repair shops, etc. in common.

Of course it could be that these are unrelated incidents and they're mistakenly lumping them together because they appear to be similar. And it could be that occurrences of this kind of "mysterious break-in" aren't really on the rise, but that the appearance that they are is simply due to an increased use of security cameras.

But the scenario in this video doesn't fit too nicely into that hypothesis. We see two different vehicles being broken into right next to each other in the same driveway. Of course they could belong to two members of the same family, but how often do two family members get both of their cars repaired on the same day at the same shop? And if they did, wouldn't the police have determined that? And would thieves clever enough to do this be dumb enough to clone both cars of the same family and then rob both of them simultaneously? That's like pointing a neon sign at yourself.

And all of this is being done apparently for petty theft? It's not like a lot of people keep their life savings or their expensive jewelry in their car.
  #33  
Old 06-09-2013, 01:59 PM
Rick is offline
Guest
 
Join Date: Aug 1999
Posts: 16,451
Quote:
Originally Posted by GreasyJack
With the BMW security flaws, once you gained access to the OBD port inside the car you could program a new key from a blank, which you weren't supposed to be able to do without the old key. You still have to use that device I linked to earlier to get into the car.
Umm, that isn't a flaw. You have to be able to reprogram keys to a car where all the originals have been lost.
The alternative would be to throw the car away.
__________________
Remember this motto to live by: Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather one should aim to skid in sideways, chocolate in one hand, glass of Scotch in the other, your body thoroughly used up, totally worn out and screaming "WOO HOO! Man, what a ride!"
  #34  
Old 06-09-2013, 02:02 PM
Leaffan is online now
Member
 
Join Date: Aug 2005
Location: Ottawa
Posts: 24,539
Quote:
Originally Posted by davidm
Correct. And it may be something like that, but remember that the police and security experts are stumped. Surely they would have thought of this explanation and checked with the victims to see if they had any repair shops, etc. in common.

Of course it could be that these are unrelated incidents that they're mistakenly lumping together because they appear to be similar. And it could be that occurrences of this kind of "mysterious break-in" aren't really on the rise, but that the appearance that they are is simply due to increased use of security cameras.

But the scenario in this video doesn't fit too nicely into that hypothesis. We see two different vehicles being broken into right next to each other in the same driveway. Of course they could belong to two members of the same family, but how often do two family members get both of their cars repaired on the same day at the same shop? And if they did, wouldn't the police have determined that? And would thieves clever enough to do this be dumb enough to clone both cars of the same family and then rob both of them simultaneously? That's like pointing a neon sign at yourself.

And all of this is being done apparently for petty theft? It's not like a lot of people keep their life savings or their expensive jewelry in their car.
Good points. Now I'm stumped!
  #35  
Old 06-09-2013, 02:31 PM
GreasyJack is offline
Guest
 
Join Date: Feb 2008
Location: Montana
Posts: 4,965
Quote:
Originally Posted by davidm
And all of this is being done apparently for petty theft? It's not like a lot of people keep their life savings or their expensive jewelry in their car.
That's a big part of why I think the "car wash dude cloning fobs" theory is more likely than the "new high tech hacking tool" one. Cloning a fob is not difficult and I think it's quite possible that there's some not-too-bright criminal doing it who's simply been lucky nobody's put two and two together thus far.

Quote:
Originally Posted by Rick
Umm that isn't a flaw. You have to be able to reprogram keys to a car where all the originals have been lost.
The alternative would be to throw the car away.
Ah, yeah, reading a little more on that, they were indeed using the same tool a dealer or locksmith would use to reprogram the ECU to the new key/fob. I was thinking there was some way they were reprogramming the keys without the tool. The flaw really was that the motion sensor couldn't "see" the driver's window or the OBD port, so the thieves could break the window and plug in their tool without the alarm going off. Plus they were keyless models, so there was no need to replicate the actual physical key or change the lock cylinder.
  #36  
Old 06-09-2013, 02:50 PM
davidm is offline
Charter Member
 
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,483
Quote:
Originally Posted by GreasyJack
That's a big part of why I think the "car wash dude cloning fobs" theory is more likely than the "new high tech hacking tool" one. Cloning a fob is not difficult and I think it's quite possible that there's some not-too-bright criminal doing it who's simply been lucky nobody's put two and two together thus far.
And how does the car wash dude know where all of these people live?

Hmm. Maybe their registration is in their glove compartment! All of the break-ins discussed in that video and article apparently occurred with the vehicles parked in or near the owner's residence. That may be because the break-ins are done at night, or it may be that they aren't random cars and the fobs have been cloned.

But if so, it's not just one car wash dude, since the article mentioned this happening in several different areas of the country.

And of course, again the big objection to this kind of theory is that the police and security experts surely would have ruled out something so obvious before declaring themselves stumped. At least I hope that they would have.

And there's also the issue of these break-ins always occurring on the passenger side, as if that is somehow necessary to the process.

I wish we had more information, such as how many of these types of break-ins have occurred, and whether they always occurred at the owner's residence.

Last edited by davidm; 06-09-2013 at 02:51 PM. Reason: Spelling
  #37  
Old 06-10-2013, 08:02 AM
ftg is offline
Member
 
Join Date: Feb 2001
Location: Not the PNW :-(
Posts: 20,038
Quote:
Originally Posted by davidm
Actually replacing a key is apparently even more involved than I said. My brother tells me that he lost his valet key (a special key that only does two things - open the drivers door and work in the ignition). He asked the dealer if they could order a new one. They told him that they would have to order a whole new set of keys because programming one new key would disable all of the old ones. So if someone did somehow manage to link an OEM key to a car, all of the other keys would be disabled; something the driver would be sure to notice. This may not be true for all makes but my brother drives a Honda which is the make mentioned in the article as having been broken into.
Dealers are not the way to go here, if you have the time. Online sites for replacement tech keys are much cheaper. The newest issue of Consumer Reports has an article about doing this.

==

I really don't think much about the tricks of just breaking into a car. My other posts were concerned with driving off with the car. If someone wants to get into a car to steal items, the only tech he needs is a rock.
  #38  
Old 06-10-2013, 11:25 AM
Diceman is offline
Guest
 
Join Date: Mar 1999
Location: Suburbs of Detroit, MI
Posts: 9,859
The way the modern automotive industry works, most parts are purchased from suppliers. For a hidden electronic system (like a door-locking mechanism) there are probably only a handful of different systems available. It's possible that one of these systems has a flaw which thieves have learned how to exploit. If I were investigating this, I'd want to see a list of which car models seem to fall victim to this sort of attack, and then see if the same supplier made the door-locking system for all of them.
  #39  
Old 08-05-2013, 05:38 AM
DougSt is offline
Guest
 
Join Date: Aug 2013
Posts: 1
This happened to me just last night.

About 8 months ago the same thing happened: the car was broken into and the work laptop and my cell were stolen overnight, with no damage to the car at all. Now, I couldn't be positive that I'd locked it, but I was sure I had. I put it down to poor judgement and bad luck; however, the police did say that a few other cars had been broken into in the street just over in the same manner, no damage at all. The police believed that jammers were being used then.

Since the last time, I lock the car with the remote and make sure that it's locked physically by checking all 4 doors, and I don't keep valuables in the car anymore.

However, this morning I unlocked the car and got in as usual to find the glove compartment down... Once I started the car, the computer told me that the passenger door was open and the boot (trunk) as well.

I'm going to get CCTV now to catch them in the act.
  #40  
Old 08-05-2013, 10:34 AM
Clothahump is offline
BANNED
 
Join Date: May 2000
Location: Houston, TX
Posts: 14,654
Quote:
Originally Posted by davidm
Actually replacing a key is apparently even more involved than I said. My brother tells me that he lost his valet key (a special key that only does two things - open the drivers door and work in the ignition). He asked the dealer if they could order a new one. They told him that they would have to order a whole new set of keys because programming one new key would disable all of the old ones. So if someone did somehow manage to link an OEM key to a car, all of the other keys would be disabled; something the driver would be sure to notice. This may not be true for all makes but my brother drives a Honda which is the make mentioned in the article as having been broken into.
And it's expensive as hell, too. I lost my keys a while back and had to get new fobs for both my car and SWMOS's, as well as the house alarm. 630 clams for the cars and another 125 for the house. Grrrrrr....
  #41  
Old 08-06-2013, 07:55 PM
davidm is offline
Charter Member
 
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,483
Quote:
Originally Posted by DougSt
This happened to me just last night.

About 8 months ago the same thing happened: the car was broken into and the work laptop and my cell were stolen overnight, with no damage to the car at all. Now, I couldn't be positive that I'd locked it, but I was sure I had. I put it down to poor judgement and bad luck; however, the police did say that a few other cars had been broken into in the street just over in the same manner, no damage at all. The police believed that jammers were being used then.

Since the last time, I lock the car with the remote and make sure that it's locked physically by checking all 4 doors, and I don't keep valuables in the car anymore.

However, this morning I unlocked the car and got in as usual to find the glove compartment down... Once I started the car, the computer told me that the passenger door was open and the boot (trunk) as well.

I'm going to get CCTV now to catch them in the act.
What model was it? Do you know the models of the others that were broken into?
  #42  
Old 08-06-2013, 07:56 PM
davidm is offline
Charter Member
 
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,483
Quote:
Originally Posted by Clothahump
And it's expensive as hell, too. I lost my keys a while back and had to get new fobs for both my car and SWMOS's, as well as the house alarm. 630 clams for the cars and another 125 for the house. Grrrrrr....
Maybe someone should sell key insurance for a couple bucks a year.
  #43  
Old 09-01-2013, 07:41 AM
JsonR is offline
Guest
 
Join Date: Sep 2013
Posts: 1
I just purchased a Dodge Ram and with the purchase comes a year subscription to Uconnect. Uconnect is able to send an unlock request to my vehicle via a cell phone app or from a web browser. I believe Uconnect is powered by Sprint. I think this is going to be the weakness.

Would like to know more about the security they use for this.
  #44  
Old 09-01-2013, 07:53 AM
JustinC is offline
Guest
 
Join Date: Jun 2007
Location: Any
Posts: 1,928
You can hack into wifi signals, cell phone signals, CB signals etc. Could a savvy thief hack into a fob signal as the door's being locked?
  #45  
Old 09-01-2013, 09:18 AM
ftg is offline
Member
 
Join Date: Feb 2001
Location: Not the PNW :-(
Posts: 20,038
Quote:
Originally Posted by JustinC
You can hack into wifi signals, cell phone signals, CB signals etc. Could a savvy thief hack into a fob signal as the door's being locked?
These systems use "rolling" codes, so that the code to unlock the door changes each time. Having the code from the previous time doesn't (hopefully) help.

But the people who write the firmware for these systems aren't perfect; bugs happen, shortcuts are taken, etc., and on some systems, after recording a few codes, the "pattern" can be figured out and a legitimate code can be faked.

Sometimes these systems are more like security theater than actual security.
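A simplified model of the rolling-code scheme ftg describes, added here as an illustration and not code from the thread or from any manufacturer: the fob derives each code from a shared key and an incrementing counter, and the receiver accepts a code only if its counter moves forward (within a resync window) and its tag verifies, so a recorded code replayed later is rejected. The HMAC construction, the 4-byte tag, the window size and the demo key are assumptions for the example, not a real fob's algorithm.

```python
import hashlib
import hmac
import struct

TAG_LEN = 4          # bytes of MAC transmitted; real fobs send a similarly short code
RESYNC_WINDOW = 16   # how many unheard presses the receiver tolerates before re-pairing


def make_code(key: bytes, counter: int) -> bytes:
    """Frame sent over the air: 4-byte big-endian counter || truncated HMAC over it."""
    ctr = struct.pack(">I", counter)
    tag = hmac.new(key, ctr, hashlib.sha256).digest()[:TAG_LEN]
    return ctr + tag


class Fob:
    """Transmitter: holds the shared key and a counter that only ever increases."""

    def __init__(self, key: bytes, counter: int = 0) -> None:
        self.key, self.counter = key, counter

    def press(self) -> bytes:
        self.counter += 1
        return make_code(self.key, self.counter)


class Receiver:
    """Car side: remembers the highest counter it has accepted."""

    def __init__(self, key: bytes) -> None:
        self.key, self.last_counter = key, 0

    def unlock(self, frame: bytes) -> bool:
        if len(frame) != 4 + TAG_LEN:
            return False
        counter = struct.unpack(">I", frame[:4])[0]
        if counter <= self.last_counter:                 # replay or stale code
            return False
        if counter > self.last_counter + RESYNC_WINDOW:  # too far ahead: needs re-pairing
            return False
        expected = make_code(self.key, counter)
        if not hmac.compare_digest(expected, frame):     # tag does not verify
            return False
        self.last_counter = counter
        return True


def demo() -> dict:
    """Constructed scenario: genuine press, replay, resync, tampered tag, far-ahead fob."""
    key = hashlib.sha256(b"constructed demo key, not a real fob").digest()[:16]
    fob, car = Fob(key), Receiver(key)
    results = {}
    first = fob.press()
    results["genuine"] = car.unlock(first)               # accepted
    results["replay"] = car.unlock(first)                # same frame again: rejected
    for _ in range(5):                                   # pressed out of range of the car
        fob.press()
    results["resync"] = car.unlock(fob.press())          # counter jumped but within window
    tampered = bytearray(fob.press())
    tampered[-1] ^= 0x01                                 # flip one bit of the tag
    results["tampered"] = car.unlock(bytes(tampered))    # rejected, counter not advanced
    for _ in range(RESYNC_WINDOW + 1):
        fob.press()
    results["far_ahead"] = car.unlock(fob.press())       # beyond window: rejected
    return results
```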
  #46  
Old 09-01-2013, 03:09 PM
JFLuvly is offline
Guest
 
Join Date: Dec 2008
Posts: 886
I read an article on making a GPS using a Nintendo DS and a salvaged OnStar receiver, which I was reminded of while reading this thread. I know that OnStar can unlock your car doors for you, so I wonder if, instead of hacking the key fob, they are hacking OnStar or whatever system the manufacturer is using? To be honest I don't know if other manufacturers have a similar system to OnStar.

Last edited by JFLuvly; 09-01-2013 at 03:10 PM.
  #47  
Old 07-29-2014, 10:49 AM
ControlNode is offline
Guest
 
Join Date: Jul 2014
Location: Eastern NC
Posts: 1
I just saw this video (or one on the same topic) and have a guess on how. I think they are tricking convenience devices (like OnStar or such) by using a "microcell" in a box that pretends to be the cell tower for the convenience device's cellular communications, and that also contains a fake online server/service provider that the convenience device expects to communicate with. When the microcell is close enough to the car, the convenience device, seeing the microcell as a stronger signal, connects to the microcell. One of the first tasks would be to update the network address it gets from the new microcell connection in the online service's database; it's now talking to a fake online service in the box with the microcell. Once the microcell box confirms the address update, it likely follows that with a request to unlock. If all of the authentication of the user when calling the online service call center or using the remote app happens on the online service's servers, and the command sent to the car is just the command with no other validation when it is received, it would just unlock, since it trusts the online service that it thinks is the correct one.

I think the convenience service designers figured thieves would be targeting the car so the authentication would be the key itself to start it rather than targeting what people are leaving in their cars.

I know this thread is a little old. I agree that it is unlikely that cars with standard key fobs are the ones at risk here. I think it is related to the newer "always connected cars."
  #48  
Old 07-31-2014, 07:51 AM
davidm is offline
Charter Member
 
Join Date: Mar 2002
Location: Near Philadelphia PA, USA
Posts: 12,483
In the original article, it says that the police are baffled and are looking to the public for help. If the break-ins were only occurring with cars with OnStar (or similar) systems, I'd think the police would have noticed that and would have mentioned it if they truly want help from the public. In any case, I would hope that OnStar-type systems would be encrypted to prevent the type of attack you described.
__________________
Check out my t-shirt designs in Marketplace. https://boards.straightdope.com/sdmb...php?p=21131885
  #49  
Old 08-01-2014, 01:03 AM
usedtobe is offline
Guest
 
Join Date: Jul 2008
Posts: 7,411
I'll pass this along for the young-uns:

The first "remote activated" garage door openers did not use radio transmitters; they used, essentially, tuning forks to produce a sound wave (too high for human ears) which the opener recognized.

Burglars would get a clicker and drive down the street, clicking away and see if an interesting-looking door opened.

In the late '80s I lived in an apartment complex which still used audio clickers to open the gate. This was Salinas, but even there, I'd expect a bit more sophistication.