There’s a video and article at this link. The police are asking the public for help in solving this so I thought that if anybody can, the Dope can.
It’s not as simple as cloning the signal since modern keyless remotes use encrypted rolling keys. I don’t know the precise algorithm but it’s probably a pseudo-random number generator with the signal encrypted using a public/private key pair. Something impossible to clone and next to impossible to hack.
So what’s going on here? The article says that the thief “aims” a device at the car and opens the locks. I think the part about “aiming” (there’s no aiming involved with keyless remotes) and unlocking may be assumptions on the part of police because, to me at least, you can’t tell any of that from the video. All I see is him standing next to the car and then opening the door.
Suppose instead they have a device that rapidly transmits over a strong signal a large number of possible codes of the right length one after another in a short period. They enter a parking garage, or a residential block, turn it on, let it run for a while, and then go through the garage or down the block trying door handles to see which ones have unlocked. I have no idea if this is feasible since I don’t know the size of the code search space and I don’t know how rapidly a code can be transmitted and still work. The videos seem to show immediate success, but they’d only check the videos near the cars that were broken into right? Maybe they went through that whole garage trying doors and just happened to get lucky with two right next to each other. This would also be consistent with the fact, also stated in the video, that it doesn’t seem to work with every car.
Another possibility may involve the way passenger door unlocking works. It’s mentioned in the video that they seem to always use the passenger door. This may simply be because it’s easier to access the interior of the car without the steering wheel in the way and it also gives easy access to the glove compartment.
But what if it’s more than that? In my car, and others that I’m aware of, one click of the fob unlock button unlocks the driver’s door and a second click unlocks the other doors. Could this system introduce some type of weakness? How does it work? Is there a timer that will open the other doors if a second signal is detected within x milliseconds of the first? Is the security of this second signal as strong? Maybe not, since it’s only acted on after the first, very secure, signal has been received. If it’s not as secure, could there be a way to exploit this and trigger it without the first signal?
Thoughts? Other ideas? Maybe they’re exploiting some kind of flaw in the code, causing something like a buffer overflow or a comparison to a NULL or something?
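To make the “rolling code” idea in the post concrete, here is a small simulation of a fob and a receiver. It is an added example, not part of the original post and not the design of any real manufacturer: it assumes a shared secret programmed at pairing time, a counter that increments on every button press, and a keyed MAC (HMAC-SHA256, truncated) over the counter. Real systems typically use a dedicated block cipher and different frame layouts, but the defensive properties are the same ones shown here: a captured frame cannot be replayed, a frame whose counter runs ahead of the receiver by more than a fixed resynchronisation window is ignored, and a guessed frame fails the MAC check. The class names, window size and frame format are all hypothetical.

```python
import hashlib
import hmac

TAG_LEN = 8      # truncated MAC length in bytes (hypothetical)
CTR_LEN = 4      # counter field length in bytes (hypothetical)
WINDOW = 16      # how far ahead the receiver tolerates the fob counter (hypothetical)


def _tag(key: bytes, ctr_bytes: bytes) -> bytes:
    """Keyed MAC over the counter; the receiver recomputes this to verify a frame."""
    return hmac.new(key, ctr_bytes, hashlib.sha256).digest()[:TAG_LEN]


class RollingCodeFob:
    """Transmitter side: every press increments the counter and emits counter || MAC."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        ctr_bytes = self.counter.to_bytes(CTR_LEN, "big")
        return ctr_bytes + _tag(self.key, ctr_bytes)


class RollingCodeReceiver:
    """Car side: accepts a frame only if the MAC is valid and the counter moves forward
    by at least one and at most WINDOW (presses made out of range are tolerated)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != CTR_LEN + TAG_LEN:
            return False
        ctr_bytes, tag = frame[:CTR_LEN], frame[CTR_LEN:]
        # Constant-time compare so the check itself leaks nothing about the expected tag.
        if not hmac.compare_digest(tag, _tag(self.key, ctr_bytes)):
            return False
        ctr = int.from_bytes(ctr_bytes, "big")
        if ctr <= self.last_counter:          # replayed or stale frame
            return False
        if ctr > self.last_counter + WINDOW:  # too far ahead: outside resync window
            return False
        self.last_counter = ctr
        return True


def demo(key: bytes = b"constructed-pairing-secret-16B") -> dict:
    """Walk through the cases discussed above and return what the receiver decided."""
    fob, car = RollingCodeFob(key), RollingCodeReceiver(key)
    results = {}

    first = fob.press()
    results["genuine_press"] = car.accept(first)        # True: counter 1, MAC valid

    results["replayed_frame"] = car.accept(first)       # False: counter 1 already used

    for _ in range(5):                                   # five presses out of range
        fob.press()
    results["within_window"] = car.accept(fob.press())  # True: counter 7, 7 <= 1 + 16

    for _ in range(40):                                  # many presses out of range
        fob.press()
    results["beyond_window"] = car.accept(fob.press())  # False: counter 48 > 7 + 16

    # A guessed frame with a plausible counter but no knowledge of the key.
    forged = (8).to_bytes(CTR_LEN, "big") + bytes(TAG_LEN)
    results["forged_frame"] = car.accept(forged)        # False: MAC check fails
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:16s} -> {'accepted' if accepted else 'rejected'}")
```

The window check is what separates “I pressed the button in my pocket a few times” (still works) from a frame captured long ago or a counter that has run far ahead (rejected), and the MAC check is why transmitting many frames without the key does not unlock anything in this model.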