This has bene known in the automtive/security world forever, you can google replay attacks and people demonstrate this.
German cars do have a rolling code, especially BMW with EWS2 around 1996'and it's a nicely documented system to break.
With that said, it would be fun to dump older car firmware to see how simple the security was, previous to 1996, most cars ECU firmware were litereally on eproms.
There are also communities and such dedicated to bypassing this, not for theft but for engine swapping and car modification - having an annoying security system that can disable the starter or fuel pump sucks when you engine swapped your car.
As far as I understand even physical car keys tended to be on the low end. With a decent chance that you could find a different car by the same manufacturer that you could at least unlock with your key.
Not my Bolt. Even if the key is nowhere on your person or in the car, it steadfastly refuses to let you lock the door that way. If you push the lock button while the door is open, it immediately unlocks it for you.
It would make sense to do that if it detected the fob inside the car. But it does it no matter what.
I agree, but realistically the car is already locked when you lose your keys, assuming you lock your car when you leave it. An exception would be, say, dropping your keys down a storm drain after getting out and before walking away, but even this is becoming unusual as more cars have push-to-start and capacitive exterior touch areas such that your key is always in your pocket.
My '82 Honda didn't work that way (it would pop the lock open again when the door was closed), I'd be surprised if anything modern still worked in such a manner (nothing I own does).
The key from a 2001 GMC Savannah opened the doors of our 2002 Chevy Express (same van model, different badges). Though the Express key could not open the Savannah. Either key did not work in each others ignition lock.
Barely on topic, but I accidentally stole a bike due to this issue. Somebody parked their bike in the same rack, same model, same color, same brand of lock, and my key popped it right open. About half way home I finally realized why the seat felt funny. Drove back and swapped it with my own, I hope nobody noticed.
Long ago, I unlocked the wrong VW Rabbit, and was briefly surprised when I couldn't start it. More recently (last dozen or so years) the NY Times Sunday Magazine had a short piece, something like "Dude, Where's Your Car", about a woman actually driving off with the wrong car, and having to arrange its return to the owner.
I used to drive a Nissan whose doors would unlock when you closed a door - I'm not sure if it was intentional or not. But I found I could also trigger the unlocking mechanism by punching the outside of the door at just the right spot. Very useful for when ice would get in the locks.
I had a Mazda with this feature, apparently very common among Japanese cars in the early 90s. At first I thought it was broken, until I started looking into how to fix it and found you just have to pull the handle as you're closing the door to stop it from popping up. It's supposed to make you think about grabbing your keys but after a while it sort of became automatic.
I've got an early 80s SAAB that handled this in a more straightforward way. The driver's door lock plunger will not go down while the door is open, forcing you to lock it with the key (or reach around from another door, and then lock that.)
When I was an auto mechanic back in the days before key fobs, I'd driven the wrong car into the bay...twice, that I recall. I even changed the oil on one of those cars, when it was in for a brake job. It was the other blue '85 Chevy Malibu that needed the oil change.
Someone once drove my car away from the SJ airport lot as a favor for his friend, who was quite surprised to be picked up in someone else's blue Camry.
The news here is the fact that this very old and well-known attack works on cars in the 2020/2021 model years. This is pretty surprising, since the appropriate countermeasures have been widely-deployed even in inexpensive cars for well over a decade. Modern “keyless” vehicles have largely moved on to dealing with relay attacks, which is at least a more challenging class of attack than this one.
Honestly keyless go is a clusterfuck. Cars are getting stolen all over the place. Police says to wrap keys in tinfoil.
It's not particularly obvious why insurers don't seem to care, though there have been some rulings where they didn't need to pay because stealing a car like this wasn't technically stealing under the insurance policy.
Insurers don't care because vulnerability can be predicted by make/model/year so they a) can readily predict how much they'll pay out, are all saddled with the same cost increase (per vulnerable vehicle) and are free to pass that on to customers knowing that the competition has to do the same so they won't be undercut. Basically they don't care because the cost passes right through them with minimal friction in this case.
That assumes a static level of exploitation. If criminal gangs decide that Honda/Acura is the low-hanging fruit and ramp up theft of these vehicles, the insurance companies will have to react with increased insurance costs, which will put pressure on the manufacturers since it raises TCOO.
Insurance renews every 6 or 12 months. At least in the US criminal gangs are fairly decentralized, so it seems insurance companies are on somewhat even ground with any shift in crime patterns.
>though there have been some rulings where they didn't need to pay because stealing a car like this wasn't technically stealing under the insurance policy.
I'm guessing it's because the key has to be present for a relay (not replay) attack, so it's analogous to the way "card present" shifts some of the liability in payment card fraud? Pretty wild that the authorized user should know to protect against key fob relays though.
Fun fact: they usually go to sleep (i.e., way more battery life) based on an accelerometer detecting no motion, because legitimate use would always be hand-held. To take advantage, put it on a table or hook (but not too close to your front door, perhaps) instead of keeping it in your pocket while home.
I had key pouches that I put my keys inside without fail. Wasn't a problem for me personally but it is a potential thing for average Joes to not think about or remember to do
It also really sux when you have to repair those security systems. I honestly would forgo the entire encryption fob thing in favor of a decent mechanical key for starting the car. Sure, they can be bypassed, but if someone is under your hood crossing wires then you have bigger problems.
Or better yet, an S&G digital safe lock. If it is good enough for missile launch codes it is good enough for my civic. Replacing an S&G lock body is far cheaper than any car immobilizer.
A digital keypad and a phone based system would be best. Apps can be updated for security, and the cars firmware can be updated via the app too. The keypad means even if a purse is stolen with the phone and keys in it, you can still start your car.
If someone wants to get in via the keypad, there is a list [0] that was mentioned on HN [1]. The list is 3129 numbers, which if pressed in sequence, will eventually open the door because all of the possible code permutations are contained in that sequence.
If they can't secure their own keyfob, I'd be worried that a phone app will open a remote vunerability.
My car has an optional subscription that would let me unlock it with my phone -- I didn't sign up for that subscription, but I bet that it's active on the car's side and if there's a remote vulnerability, it's exploitable whether I've signed up for it or not.
I stopped carrying my keyfob a few years ago, and just use the mechanical key - mainly because I hate how huge it is, but now I'm starting to think it was a good idea..
I really like the convenience of keyless entry, I keep my key in my backpack and like being able to walk up to the car, have it automatically unlock when I grab the door handle, then I just get in and press "start", and it's ready to go. Then when I get to work, I just grab my backpack and walk away and I know the car will lock behind me. I don't want to move back to a physical key.
That convenience shouldn't have to be traded for the huge vulnerability of allowing replay attacks.
Yeah, no. Key fobs are great. I wish I had them. My moms car unlocks the door if the key is in my pocket. Immensely useful while carrying bags and a decade old feature.
Door keys suck. Ignition keys suck more. The worst is the middle years of both immobilizers and physical keys.
Source: I can use 4 different keys to open 1 car right now. In fact, I only realized this after I locked my keys in the car and tried a few spares at the shop. A little jiggle and they all work
Yup. A Land Rover was stolen right near my house in broad daylight and I live in a very good neighbourhood. Cops came by and asked me if I had home cameras, but they explained to me this is very common. High-end SUVs are targeted and this is run by organized crime. Cars are overseas within days to be re-sold.
The thief just hangs around the target, waits for the fob to be used, clones the signal and can steal the car within 3 minutes.
The problem is so pervasive that Land Rover offers discounts to previous customers who are victims of theft:
The wifi pineapple equivalent of this would be a device that records all signals sent, filters it for unlock and start car commands, and then allows you to just bulk replay each set back until cars start.
You could effectively leave it in the bushes at a work parking lot, come back the next day, and unlock + start all of the cars with keyfobs that were present the day before.
In the US it seems like theft of parts is a lot more popular. Things like wheels, light housings, and catalytic converters are especially popular. Getting a car out of the country is a lot harder when you don't share land borders with eastern europe. When people steal cars they usually only use it for as long as it takes to commit another crime. A lot of the car chases are with stolen cars so police have no clue who is inside since running plates returns the owner.
GP's link is to landrover.ca, implying Canadian origin - a country which does not share land borders with Eastern Europe. By the time a group is big enough to be fencing cars overseas, I wouldn't be so quick to discount their ability to move through a seaport.
"We know our vehicles depreciate faster than average, and rather than fix common security flaws or encourage gap insurance, we'll offer a token discount."
I guess that falls in line with their reliabity standards and replace every 2 year business model.
"Rice Paddy" is also redundant, since the English paddy comes from the Malay padi, "rice plants".
And while "original rice paddy" is a correct if painfully literal translation, something like "Mainfield" probably captures the essence better. In Japanese, a field defaults to rice and there's a separate word (畑 hatake) for non-rice fields, with a little fire radical 火 added to the rice field 田 to show that this is a burned (dry) field instead of a wet one.
The HackRF or similar SDR is useful for creating a prototype, because they work across many frequencies and can modulate and demodulate essentially any modulation scheme in software.
Once you know that it's, say, 9600 baud FSK at 433MHz, you can buy a transceiver IC for a few dollars that can send and receive that frequency and modulation, and drive it with a microcontroller.
I wouldn't be surprised if we start seeing such devices on AliExpress for $10 within a year or so.
Ford has a key cloning issue too. Focus and Fiesta STs are prime targets in the UK to the point where you'd be crazy not to remove or lock the ODBII port on those vehicles. Luckily it's not as bad in the states. Criminals can clone a key in about 30 seconds with special tools.
Remote start is a safety issue, not just a security one. It doesn't take much to imagine replaying the start command while a vehicle is in an attached garage.
I agree about the remote start, but I’m dubious about the remote unlock being an issue for assaults in practice. I think if someone is planning to violently attack someone, going through the window is going to be the most common path taken.
It’s like home invasions. Perhaps someone might pick your weak lock or hack your smart lock, but in practice they usually just break a window or kick the door in.
Imagine being able to come up to anyone, open their car door, shove them over into the passenger seat while threatening them with a gun, start the car and drive away. Could probably do this in a busy street without anyone noticing.
Should be easy enough to do in a shopping mall. Maybe plant a few recording devices around the parking lot and replay all of them, if you want to get extreme.
It’s possible, but not likely. You’re describing a very sophisticated attack for a violent crime, especially since the typical attack involves nothing more complicated than a sawed off shotgun pointed at the driver.
It should still be fixed, but this strikes me as something that’s more likely to be used by a state or quasi-state level actor to take out a high value target more than something that’ll be used to randomly assault people at the mall.
The scenario I first imagined was a kidnapping or sexual assault by a stalker. Lying in wait in someone's car when they leave work or the gym may be a TV trope, but it's not inconceivable as a real attack method.
You can do that right now with any car on the road. Guns break windows easily and people aren’t going to risk their lives for a set of keys, they will let you have the car and whatever else.
Fwiw, on current Hondas the engine will only run for a set period, I believe 10 mins, unless the fob is used to reset the timer or the driver enters the cabin with the fob and presses the brake and start button.
I own a 2020 Honda and I wish this was true. I have left the car on for 8+ hours before while being miles away. I’m in shock this wasn’t addressed and it’s my biggest gripe in the car.
For remote start, my 2018 Civic shut off after ~10 minutes. According to the sibling comment, their 2021 was similar. Did you have an aftermarket remote start, or was it started using the actual ignition switch in the car in your case?
Carbon monoxide being present is an assumption in the perspective of the building codes. This is why attached garages must have ventilation to outside, doors with gaskets, etc. There’s some danger, but the codes were made for the case where people forget and leave their car running, which isn’t all that uncommon.
Lots of houses aren't up to code. I bought a house with an in-wall AC venting from a bedroom into the garage, no gaskets on the door to the house, and a workbench built over the venting to the outside. I fixed those; contractor said that all 3 was somewhat uncommon, but any one of those isn't that uncommon.
This sucks, of course, but the alternative has downsides as well. Volvo, for example, has rolling codes. But, if you lose your keys/fob the car has to be present to make new ones. At $500+ each.
Which is desirable because that's how keys do their job.
How is Volvo's system functioning properly considered a downside? You're saying that having a security system that downright does not work is comparable to a security system that actually works and prevents unauthorized entry to the vehicle because the former is more convenient to circumvent than the latter?
It doesn't need to cost $500+ per key. The monopoly it creates on key replacement is what enables that. It doesn't cost Volvo that much...the markup is crazy. It's especially pronounced for used cars, where it's common to only get 1 key with the car.
(Though it's funny that you decided the security was the part I felt was a downside.)
This one is significantly different, here fob is pressed outside the vehicle range, and then signal is replayed at vehicle range.
Rolling Code does not help here since the vehicle never received the original signal from the key. Thus it is for the first time played to the vehicle, and no rolling code increment is expected compared to the key's initial rolling code value.
The point of rolling code is that same signal cannot be used twice to open the vehicle.
"Vehicle ignition" should be a physical switch with 3 wires, and thats it. I don't want anything more complicated... perhaps put a relay inline if some other system really needs a kill switch.
Is a keyfob / "remote start" / "added security" really worth the trouble? How many people buy these things when its an option they have to wait for vs something already there to bulk up the price?
I'll always remember driving my dads car home from the airport (he was staying on vacation longer) and cranking it and cranking it until I remembered the little fuel pump security switch under the front seat... Ah that civic was truly a POS.
With rolling codes, if you (or a toddler) press your remote button too many time while out of range of the car, will the remote and car get out of sync? More than 60 or 255 presses or something like that?
I guess there must be a mechanism for the car to resync somehow?
depending on the type of the key - those with passive functions do it usually every time you press the engine start button, while classical key - once you put the key (physical blade) in the lock to start the car.
Presumably the keyfob transmits a generation number, so the car just needs to see that the keyfob code is e.g. 187 ahead of its number, and then do a trial roll forward. If it matches, it retains the new generation and secret state, and if not, it retains the old.
Does this attack work if you do not push any of the key fob buttons i.e. if you unlock the car by touching the front door handle with the key in your pocket; starting the car by pushing the engine start button with the key in your pocket?
This is my question. I've been keeping my key fob in a faraday box for almost a year because I heard that keyless entry and keyless start can be pinged during a night-time drive-by when the owner is likely to be home.
Obviously not a replay attack, but still seems to be a huge vulnerability.
I work at a major American automotive OEM on entry and starting systems. Yes, many passive-entry/passive-start systems (like those that use door handle sensors to trigger an unlock) are vulnerable to relay attacks. Relay attacks are separate from re_p_lay attacks, as you note.
Relay attacks on keyfobs seem to be much more common in the UK than in the US. Some manufacturers now include accelerometers in their keyfobs to mitigate the risk, as one of the most common attacks is stealing a vehicle out of a driveway when somebody has left their keys on a hook inside the house. With an accelerometer in the keyfob, it will refuse to authorize starting if it hasn’t been jostled recently.
In the US, I've seen relay attacks used to steal items from cars rather than the cars themselves. Either because police follow up much more vigorously on theft of cars vs petty theft of things in cars, or because it's harder to convert a stolen car to cash than it is to convert the stuff in it (which might even be cash) to cash.
Honda (and any well established OEM) has rolling code on their newer models for sure. There are 2 scenarios possible here regarding this article.
1st - message is recorded while key is outside of the vehicle range.
Rolling Code does not help here since the vehicle never received the original signal from the key.
The point of rolling code is that same signal cannot be used twice to open the vehicle.
There is no protection against this with unidirectional RF keys, but requires physical access to the key and your recorded message needs to be first one sent to the vehicle.
2nd - it's fake. This I say because the key gets out of the frame in the video when the signal is replayed...
It is not fake, and Honda does NOT have rolling codes. This assumption is why the problem was never found. Even I assumed they had rolling codes until I performed a rolljam attack on a Honda and found that the keys NEVER expired, meaning they DO NOT ROLL.
Then do a simple video - press unlock or RES with the key in vehicle range. Record that RF Tx and then replay the message. See if it does the same operation on the vehicle. Preferably with the key not disappearing out of the frame.
Dude uC used for keys come withe special sections of rolling code to have extended lifetime compared to conventional EEPROM. Same way they come with Transponder built in.
Wait, second key? Not all cars have a spare (not all owners know where it is). You're being so picky. Go away, troll. The keys were on the hood in the video. That owner didn't have a spare set.
Hello, I am the creator of this attack. I was very impressed by the traffic this URL drove to my Github. After reading closely:
No, it isn't fake. I'd love to show you more videos!
This attack does require the target to use their FOB, the range that is required is quite long! This can be performed from great distances away. Though recreation of this part of the attack, we know it's possible to convert a "lock" command (or any command at all) into any other command, and unlike the rolljam attack, these codes will work forever (until the key gets reset by a dealer).
118 comments
[ 380 ms ] story [ 3817 ms ] threadGerman cars do have a rolling code, especially BMW with EWS2 around 1996'and it's a nicely documented system to break.
With that said, it would be fun to dump older car firmware to see how simple the security was, previous to 1996, most cars ECU firmware were litereally on eproms.
There are also communities and such dedicated to bypassing this, not for theft but for engine swapping and car modification - having an annoying security system that can disable the starter or fuel pump sucks when you engine swapped your car.
It would make sense to do that if it detected the fob inside the car. But it does it no matter what.
That's not a feature.
> To lock all doors, with the driver door closed, press and hold 7•8 and 9•0 at the same time. You do not need to enter the keypad code first.
https://www.ford.com/support/how-tos/keys-and-locks/securico...
I've got an early 80s SAAB that handled this in a more straightforward way. The driver's door lock plunger will not go down while the door is open, forcing you to lock it with the key (or reach around from another door, and then lock that.)
It's not particularly obvious why insurers don't seem to care, though there have been some rulings where they didn't need to pay because stealing a car like this wasn't technically stealing under the insurance policy.
Link? This seems so wild.
Fun fact: they usually go to sleep (i.e., way more battery life) based on an accelerometer detecting no motion, because legitimate use would always be hand-held. To take advantage, put it on a table or hook (but not too close to your front door, perhaps) instead of keeping it in your pocket while home.
I guess sleep mode is really more about preventing relay attacks, with improved battery life being a side effect.
Or better yet, an S&G digital safe lock. If it is good enough for missile launch codes it is good enough for my civic. Replacing an S&G lock body is far cheaper than any car immobilizer.
1: https://arstechnica.com/tech-policy/2013/12/launch-code-for-...
[0] https://everything2.com/index.pl?node_id=1520430&displaytype...
[1] https://news.ycombinator.com/item?id=7622165
My car has an optional subscription that would let me unlock it with my phone -- I didn't sign up for that subscription, but I bet that it's active on the car's side and if there's a remote vulnerability, it's exploitable whether I've signed up for it or not.
That convenience shouldn't have to be traded for the huge vulnerability of allowing replay attacks.
Door keys suck. Ignition keys suck more. The worst is the middle years of both immobilizers and physical keys.
Source: I can use 4 different keys to open 1 car right now. In fact, I only realized this after I locked my keys in the car and tried a few spares at the shop. A little jiggle and they all work
The thief just hangs around the target, waits for the fob to be used, clones the signal and can steal the car within 3 minutes.
The problem is so pervasive that Land Rover offers discounts to previous customers who are victims of theft:
https://www.landrover.ca/en/ownership/protection-program/veh...
You could effectively leave it in the bushes at a work parking lot, come back the next day, and unlock + start all of the cars with keyfobs that were present the day before.
I guess that falls in line with their reliabity standards and replace every 2 year business model.
This should be "paddy" rather than "patty". Note that Honda is a family name (after founder Soichiro Honda).
And while "original rice paddy" is a correct if painfully literal translation, something like "Mainfield" probably captures the essence better. In Japanese, a field defaults to rice and there's a separate word (畑 hatake) for non-rice fields, with a little fire radical 火 added to the rice field 田 to show that this is a burned (dry) field instead of a wet one.
Once you know that it's, say, 9600 baud FSK at 433MHz, you can buy a transceiver IC for a few dollars that can send and receive that frequency and modulation, and drive it with a microcontroller.
I wouldn't be surprised if we start seeing such devices on AliExpress for $10 within a year or so.
Looks like maybe a custom case, but 99% sure it's this hardware that has been customized.
edit: Actually you can find the exact model they are using on eBay...just google the first line of text in this comment.
edit: ok, direct link https://www.ebay.com/itm/224339096828?chn=ps&mkevt=1&mkcid=2...
Remote unlock is a safety issue for assaults.
Thankfully according to https://owners.honda.com/Linked-Content/PDF/RemoteEnginestar... the remote engine stop doesn't work if the engine was started with the ignition key rather than the remote.
It’s like home invasions. Perhaps someone might pick your weak lock or hack your smart lock, but in practice they usually just break a window or kick the door in.
It should still be fixed, but this strikes me as something that’s more likely to be used by a state or quasi-state level actor to take out a high value target more than something that’ll be used to randomly assault people at the mall.
Remote unlock actually doesn't work on [most?] Honda vehicles if the engine is running.
Carbon monoxide being present is an assumption in the perspective of the building codes. This is why attached garages must have ventilation to outside, doors with gaskets, etc. There’s some danger, but the codes were made for the case where people forget and leave their car running, which isn’t all that uncommon.
How is Volvo's system functioning properly considered a downside? You're saying that having a security system that downright does not work is comparable to a security system that actually works and prevents unauthorized entry to the vehicle because the former is more convenient to circumvent than the latter?
(Though it's funny that you decided the security was the part I felt was a downside.)
https://www.youtube.com/watch?v=JomewN_1OdE
Rolling Code does not help here since the vehicle never received the original signal from the key. Thus it is for the first time played to the vehicle, and no rolling code increment is expected compared to the key's initial rolling code value.
The point of rolling code is that same signal cannot be used twice to open the vehicle.
Is a keyfob / "remote start" / "added security" really worth the trouble? How many people buy these things when its an option they have to wait for vs something already there to bulk up the price?
I guess there must be a mechanism for the car to resync somehow?
Obviously not a replay attack, but still seems to be a huge vulnerability.
Relay attacks on keyfobs seem to be much more common in the UK than in the US. Some manufacturers now include accelerometers in their keyfobs to mitigate the risk, as one of the most common attacks is stealing a vehicle out of a driveway when somebody has left their keys on a hook inside the house. With an accelerometer in the keyfob, it will refuse to authorize starting if it hasn’t been jostled recently.
[0]: https://gist.github.com/ryjones/73739f6a7e662b9ed9ba64d9141f...
1st - message is recorded while key is outside of the vehicle range. Rolling Code does not help here since the vehicle never received the original signal from the key. The point of rolling code is that same signal cannot be used twice to open the vehicle. There is no protection against this with unidirectional RF keys, but requires physical access to the key and your recorded message needs to be first one sent to the vehicle.
2nd - it's fake. This I say because the key gets out of the frame in the video when the signal is replayed...
Dude uC used for keys come withe special sections of rolling code to have extended lifetime compared to conventional EEPROM. Same way they come with Transponder built in.
P.S. And the second key in the frame as well...
That's why I never use the remote and always use key-in-hole.
No, it isn't fake. I'd love to show you more videos! This attack does require the target to use their FOB, the range that is required is quite long! This can be performed from great distances away. Though recreation of this part of the attack, we know it's possible to convert a "lock" command (or any command at all) into any other command, and unlike the rolljam attack, these codes will work forever (until the key gets reset by a dealer).