How are these car burglars hacking keyless remote locks?

There’s a video and article at this link. The police are asking the public for help in solving this so I thought that if anybody can, the Dope can.

It’s not as simple as cloning the signal since modern keyless remotes use encrypted rolling keys. I don’t know the precise algorithm but it’s probably a pseudo-random number generator with the signal encrypted using a public/private key pair. Something impossible to clone and next to impossible to hack.

So what’s going on here? The article says that the thief “aims” a device at the car and opens the locks. I think the part about “aiming” (there’s no aiming involved with keyless remotes) and unlocking may be assumptions on the part of police because, to me at least, you can’t tell any of that from the video. All I see is him standing next to the car and then opening the door.

Suppose instead they have a device that rapidly transmits over a strong signal a large number of possible codes of the right length one after another in a short period. They enter a parking garage, or a residential block, turn it on, let it run for a while, and then go through the garage or down the block trying door handles to see which ones have unlocked. I have no idea if this is feasible since I don’t know the size of the code search space and I don’t know how rapidly a code can be transmitted and still work. The videos seem to show immediate success, but they’d only check the videos near the cars that were broken into right? Maybe they went through that whole garage trying doors and just happened to get lucky with two right next to each other. This would also be consistent with the fact, also stated in the video, that it doesn’t seem to work with every car.

Another possibility may involve the way passenger door unlocking works. It’s mentioned in the video that they seem to always use the passenger door. This may simply be because it’s easier to access the interior of the car without the steering wheel in the way and it also gives easy access to the glove compartment.

But what if it’s more than that? In my car, and others that I’m aware of, one click of the fob unlock button unlocks the driver’s door and a second click unlocks the other doors. Could this system introduce some type of weakness? How does it work? Is there a timer that will open the other doors if a second signal is detected within x milliseconds of the first? Is the security of this second signal as strong? Maybe not, since it’s only acted on after the first, very secure, signal has been received. If it’s not as secure, could there be a way to exploit this and trigger it without the first signal?

Thoughts? Other ideas? Maybe they’re exploiting some kind of flaw in the code, causing something like a buffer overflow or a comparison to a NULL or something?

There’s an app for that.

Call me skeptical, but how do we know these cars were locked in the first place? If you read about car fobs on howstuffworks it seems very unlikely that any device could be cracking the codes with regularity.

But there could be a flaw in the software, or the hardware. Also, it’s conceivable that knowing something about the algorithms could help to reduce the number of codes to be searched to something more reasonable. From what I understand about the way these things work (or at least used to work), you can reduce the number of codes you’d have to search by a factor of 256. That would still leave an amount that would be impossible to search but maybe knowing more would make it possible to slash the number even further. Could it be reduced to a workable number? It’s doubtful, but who knows.

But I suppose it’s possible that these are cases of people who forgot to lock their cars and it’s being hyped into a mass hysteria.

I could also imagine that some coder put a back door into these things and is now making money selling black boxes that open cars.

From the news article,

“Adding to the mystery, police say the device works on some cars but not others. Other surveillance videos show thieves trying to open a Ford SUV and a Cadillac, with no luck. But an Acura SUV and sedan pop right open. And they always seem to strike on the passenger side. Investigators don’t know why.”

Sounds like a Honda problem

I don’t think we have enough data to decide it’s a problem with a specific brand, although it is notable that all the vehicles specifically mentioned in the video were Hondas, and Acuras specifically. There’s no way of knowing if that holds true in other burglaries. Anyone recognize the brands in the security video?

Could it be something as simple as an electromagnet that manipulates the lock mechanism from outside the door? One problem with that is that it seems like that should activate the alarm. Not all cars have an alarm but I think it’s an option for pretty much any model and there’s no way I know of to tell from outside whether or not a car has an alarm.

Maybe it’s some sort of EMP thing that temporarily knocks out the electronics, but if that was the case then I’d think you’d still need to break a window or use a slim jim or something to actually open the door.

I wonder if these cars had been serviced recently. If you have access to the interior of the vehicle, you can clone a key, especially if you’re a dealer. The problem with that hypothesis is that the police would have thought of this already.

People have been cracking keyless entry systems for years. It’s especially been a problem for really high end (hundreds of thousands of $s) cars. Well worth the time and money to develop the hardware to do it. Also causes a problem for the owner when the insurance co. thinks the cars can’t be stolen this way despite repeated demos of how it is done.

Now it is more common for lesser value cars.

Note: Cryptographic systems are easy to design, impossible to implement right. We’re talking computer programs here. No significant computer program is ever bug proof. And people take shortcuts, make adaptations for reality, etc. So, they are never perfect.

The rolling code system cannot be done “right” in real life. Someone presses the fob too far away, it gets pressed a hundred times in your pocket or purse, etc. So some “slop” has to be built into the system. People do the math wrong on the slop and that leaves a hole that can be exploited. Throw in some bean counters who say that it need only be a 24 bit code and not a 32 bit code since that will save 30 cents.

Remember, as far as the car makers go, they only want the appearance of security. True security is not their job.

Keyless entries are not as secure as old fashioned keys. Just like contact-less credit cards are even less secure than mag stripe ones. Ain’t progress grand?

There is slop built into the system by the fact that any of the next 256 codes are accepted, for the reason you stated, buttons get pushed accidentally in purses, pockets, etc. That reduces the search space by a factor of 256. Go from 32 bits to 24 bits (are they really that short?) and that’s another factor of eight. At this point, you’re down to only 64k possibilities. Would rapidly transmitting 64k possibilities work? I would hope that the system would lock out access for 5 minutes and perhaps alarm if something like that were attempted.

In any case I’m skeptical that the codes are really as short as 32 bits let alone 24 (maybe you have a cite?). Remember that, if the reporting is to be believed, the experts are stumped by this.

I think they’re most likely either exploiting a bug in the code or bypassing that stuff altogether and somehow exploiting some factor in the mechanical aspect of things.

I’ll give you an example about what I mean by mechanical aspect. Years ago I did a short stint writing software for a company that made change machines.

They received a complaint from a customer who had a machine located in a college dorm next to some snack and soda machines. It was designed to accept bills and dispense quarters.

It had the latest in bill scanning and sensing hardware and software to prevent people using things like photocopied bills. All of this high tech was used to decide whether or not, and how many times, to activate an electromechanical relay which caused a quarter to be released each time it clicked.

Someone had discovered that if you hit the machine at just the right spot, the relay contact would jump and a quarter would be dispensed. All of the high tech security was being bypassed completely by interfering at the end of the chain of events.

Car locks ultimately are electromechanical. The only thing I’m not sure about is the alarm system.
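To make the search-space arithmetic and the “lock out for 5 minutes” suggestion from the rolling-code discussion concrete, here is an added toy model (mine, not any manufacturer’s design and not from the original thread) of a receiver that accepts any of the next 256 counter values and stops listening after repeated misses. It assumes the thread’s simplified picture of a plain counter as the code; real systems encrypt the counter, so the factor-of-256 argument only applies to this model.

```python
"""Toy rolling-code receiver: counter-based code, look-ahead window of 256,
lockout after repeated misses. Constructed illustration, not a real protocol."""


def brute_force_transmissions(code_bits: int, window: int) -> int:
    """Transmissions needed to sweep the whole code space when the receiver
    accepts any of the next `window` counter values (the thread's
    "reduce the search by a factor of 256" argument)."""
    return (2 ** code_bits) // window


class RollingCodeReceiver:
    def __init__(self, code_bits=32, window=256, max_misses=10, lockout_s=300.0):
        self.modulus = 2 ** code_bits
        self.window = window          # the "slop" for accidental presses
        self.max_misses = max_misses  # consecutive rejects before lockout
        self.lockout_s = lockout_s    # seconds the receiver ignores everything
        self.expected = 0             # next counter value the fob should send
        self.misses = 0
        self.locked_until = 0.0

    def receive(self, code: int, now: float) -> bool:
        """Return True if `code` unlocks; `now` is a clock value in seconds."""
        if now < self.locked_until:
            return False              # locked out: even a valid code is ignored
        ahead = (code - self.expected) % self.modulus
        if ahead < self.window:       # inside the window: accept and resync
            self.expected = (code + 1) % self.modulus
            self.misses = 0
            return True
        # replayed (behind) or too far ahead: reject and count the miss
        self.misses += 1
        if self.misses >= self.max_misses:
            self.locked_until = now + self.lockout_s
            self.misses = 0
        return False


if __name__ == "__main__":
    print("32-bit code, window 256:", brute_force_transmissions(32, 256))
    print("24-bit code, window 256:", brute_force_transmissions(24, 256))
    r = RollingCodeReceiver()
    print("legit press:", r.receive(0, 0.0))        # True
    print("replayed code:", r.receive(0, 1.0))      # False, counter moved on
```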

The easiest way I know of is to just jam the locking signal. Like Leaffan said, are you sure the car was locked?

Jamming the locking signal is very clever, but only if you’re targeting a specific profitable item such as a GPS unit that you know is always left in the car. Most cars audibly indicate that the alarm has been armed, but I suppose someone not paying attention might miss that. There is the issue that they’ve been seen unsuccessfully trying to open some cars. Perhaps in those instances the owner accessed the car and then locked it in between the jamming and the burglary attempt.

I just had a thought. You wouldn’t necessarily have to be targeting a specific vehicle in order for locking signal jamming to be profitable.

Suppose you hid a powerful transmitter in a neighborhood around the time that people get home from work and jam all, or most, of the locking signals in the area? Then, when you come around later, some would be unlocked, and some would be locked because they had been there before the jamming started. The only problem I have with this is that it’s almost certain that more than one person would notice that their car hadn’t locked and neighbors comparing experiences might become suspicious. Still, it’s an interesting thought.

Yes, just set up a jammer in a car in an office parking lot. During office hours, just check all the cars around that car. I know someone who was struck by this before (he doesn’t check his car). Speaking of checking your car - won’t that prevent locking a child in the car?

Most cars have 2 step unlocking where the driver’s door unlocks first.
Next is the security system. Getting the door to the unlock position by whatever means does not disable the security system.
After that, the antenna for the security system is usually not located in the door. An exception to this would be cars with proximity keys (the kind you leave in your pocket, and start the car with a push button). I wonder if these were all proximity key cars?
Lastly, I would assume that the odds of a functional code for Honda being the same as that for another brand of car are very, very slim.

If I’m not mistaken, my car, which is a Honda, automatically locks and arms if the doors are closed but not locked for more than X seconds. Of course, that’s just my car.

That’s… inconvenient. Especially when you think about kids in cars.

I just Googled it. What I said isn’t entirely correct. If I get out and just walk away, it won’t lock on its own.

What will happen is if I unlock the doors but don’t open one, it will relock after 10 or 15 seconds. Once you open a door the auto relocking doesn’t occur. So if someone jammed my locking signal and I failed to notice that the second (arming) click didn’t sound the horn, I would walk away with the car unlocked.

I suppose if someone was targeting a specific car and was really clever, they could sit in a nearby car with a jammer and then at the moment you click your button the second time, tap on their horn, but I can’t imagine someone actually trying to do that.

Thinking about the signal jamming, it seems like the police would be aware of this possibility (since you say it has been done); yet they don’t seem to be considering it. They seem convinced that it’s being done with some sort of handheld device at the time of the break-in. Maybe they have other video where they can see the device more clearly.

I suppose if I were doing the signal jamming thing, and I knew there might be security cameras, I might hold some object and act as if I was using it just to throw them off the scent, but that’s probably too clever by half.

I haven’t looked at a car door locking mechanism in years, but aren’t they still using solenoids to do the job? I wonder if it’s somehow possible to dump a buttload of RF energy near the lock, cause the solenoid coil to energize and then Bob’s your uncle. I agree with the poster who said it’s most likely a mechanical weakness being exploited, not a code bug.

The only thing with that is I presume this mystery device is also disabling the OE alarm. If you bypass the central locking and unlock and open the door via mechanical means, the alarm should go off. If it doesn’t disable the alarm, I don’t see what major advantage the mystery device would have over this tried and true device:

Note that people aren’t just breaking into cars. They are also, for some models, driving off with them. So jamming clearly isn’t what is going on with the latter.

David Beckham had a couple of high end cars stolen this way, one of which ended up being driven by a Macedonian government minister!

BTW: I was just using the 32 vs 24 bit thing as an example. But cost cutting is a typical problem for a lot of systems. WiFi security is heavily compromised due to the hardware manufacturers not wanting to use the next most expensive chips.

Just because something is unbreakable in theory doesn’t mean it’s unbreakable in practice. Quantum cryptography was touted as being perfectly secure and then some exploits have been found.