118 comments

[ 380 ms ] story [ 3817 ms ] thread
This has bene known in the automtive/security world forever, you can google replay attacks and people demonstrate this.

German cars do have a rolling code, especially BMW with EWS2 around 1996'and it's a nicely documented system to break.

With that said, it would be fun to dump older car firmware to see how simple the security was, previous to 1996, most cars ECU firmware were litereally on eproms.

There are also communities and such dedicated to bypassing this, not for theft but for engine swapping and car modification - having an annoying security system that can disable the starter or fuel pump sucks when you engine swapped your car.

As far as I understand even physical car keys tended to be on the low end. With a decent chance that you could find a different car by the same manufacturer that you could at least unlock with your key.
Yeah a friend of mine had that. Almost drove away in the wrong car, luckily he noticed "weird CDs" lying around.
Old Subaru by any chance…?
Literally any vehicle with a worn out ignition cylinder from 100k of keys hanging off of it.
Fun-fact: you can lock any Ford with a 6-sided key (not sure what those are called) of your Ford...
Funner-fact: you can lock any car that's unlocked by opening up the door and locking it.
Not my Bolt. Even if the key is nowhere on your person or in the car, it steadfastly refuses to let you lock the door that way. If you push the lock button while the door is open, it immediately unlocks it for you.

It would make sense to do that if it detected the fob inside the car. But it does it no matter what.

If you lose your keys, you can't lock the car up and come back with the spare?

That's not a feature.

Your spare would be your cell phone app.
I agree, but realistically the car is already locked when you lose your keys, assuming you lock your car when you leave it. An exception would be, say, dropping your keys down a storm drain after getting out and before walking away, but even this is becoming unusual as more cars have push-to-start and capacitive exterior touch areas such that your key is always in your pocket.
most modern cars will not let you do this as to prevent accidental car-on-while-locked or locked-keys scenarios.
My '82 Honda didn't work that way (it would pop the lock open again when the door was closed), I'd be surprised if anything modern still worked in such a manner (nothing I own does).
Many older cars require you to hold the handle up while you close the door to prevent you from accidentally locking yourself out.
The key from a 2001 GMC Savannah opened the doors of our 2002 Chevy Express (same van model, different badges). Though the Express key could not open the Savannah. Either key did not work in each others ignition lock.
Barely on topic, but I accidentally stole a bike due to this issue. Somebody parked their bike in the same rack, same model, same color, same brand of lock, and my key popped it right open. About half way home I finally realized why the seat felt funny. Drove back and swapped it with my own, I hope nobody noticed.
Long ago, I unlocked the wrong VW Rabbit, and was briefly surprised when I couldn't start it. More recently (last dozen or so years) the NY Times Sunday Magazine had a short piece, something like "Dude, Where's Your Car", about a woman actually driving off with the wrong car, and having to arrange its return to the owner.
I used to drive a Nissan whose doors would unlock when you closed a door - I'm not sure if it was intentional or not. But I found I could also trigger the unlocking mechanism by punching the outside of the door at just the right spot. Very useful for when ice would get in the locks.
It was intentional. It's so you can't lock your keys inside.
I had a Mazda with this feature, apparently very common among Japanese cars in the early 90s. At first I thought it was broken, until I started looking into how to fix it and found you just have to pull the handle as you're closing the door to stop it from popping up. It's supposed to make you think about grabbing your keys but after a while it sort of became automatic.

I've got an early 80s SAAB that handled this in a more straightforward way. The driver's door lock plunger will not go down while the door is open, forcing you to lock it with the key (or reach around from another door, and then lock that.)

When I was an auto mechanic back in the days before key fobs, I'd driven the wrong car into the bay...twice, that I recall. I even changed the oil on one of those cars, when it was in for a brake job. It was the other blue '85 Chevy Malibu that needed the oil change.
Someone once drove my car away from the SJ airport lot as a favor for his friend, who was quite surprised to be picked up in someone else's blue Camry.
The news here is the fact that this very old and well-known attack works on cars in the 2020/2021 model years. This is pretty surprising, since the appropriate countermeasures have been widely-deployed even in inexpensive cars for well over a decade. Modern “keyless” vehicles have largely moved on to dealing with relay attacks, which is at least a more challenging class of attack than this one.
Honestly keyless go is a clusterfuck. Cars are getting stolen all over the place. Police says to wrap keys in tinfoil.

It's not particularly obvious why insurers don't seem to care, though there have been some rulings where they didn't need to pay because stealing a car like this wasn't technically stealing under the insurance policy.

Insurers don't care because vulnerability can be predicted by make/model/year so they a) can readily predict how much they'll pay out, are all saddled with the same cost increase (per vulnerable vehicle) and are free to pass that on to customers knowing that the competition has to do the same so they won't be undercut. Basically they don't care because the cost passes right through them with minimal friction in this case.
That assumes a static level of exploitation. If criminal gangs decide that Honda/Acura is the low-hanging fruit and ramp up theft of these vehicles, the insurance companies will have to react with increased insurance costs, which will put pressure on the manufacturers since it raises TCOO.
Insurance renews every 6 or 12 months. At least in the US criminal gangs are fairly decentralized, so it seems insurance companies are on somewhat even ground with any shift in crime patterns.
Insurers don't care because risk is proportionate to cost. Hence actuaries.
>though there have been some rulings where they didn't need to pay because stealing a car like this wasn't technically stealing under the insurance policy.

Link? This seems so wild.

I'm guessing it's because the key has to be present for a relay (not replay) attack, so it's analogous to the way "card present" shifts some of the liability in payment card fraud? Pretty wild that the authorized user should know to protect against key fob relays though.

Fun fact: they usually go to sleep (i.e., way more battery life) based on an accelerometer detecting no motion, because legitimate use would always be hand-held. To take advantage, put it on a table or hook (but not too close to your front door, perhaps) instead of keeping it in your pocket while home.

I had key pouches that I put my keys inside without fail. Wasn't a problem for me personally but it is a potential thing for average Joes to not think about or remember to do
It also really sux when you have to repair those security systems. I honestly would forgo the entire encryption fob thing in favor of a decent mechanical key for starting the car. Sure, they can be bypassed, but if someone is under your hood crossing wires then you have bigger problems.

Or better yet, an S&G digital safe lock. If it is good enough for missile launch codes it is good enough for my civic. Replacing an S&G lock body is far cheaper than any car immobilizer.

A digital keypad and a phone based system would be best. Apps can be updated for security, and the cars firmware can be updated via the app too. The keypad means even if a purse is stolen with the phone and keys in it, you can still start your car.
Ford has keypad entry on a number of models, for example.
If someone wants to get in via the keypad, there is a list [0] that was mentioned on HN [1]. The list is 3129 numbers, which if pressed in sequence, will eventually open the door because all of the possible code permutations are contained in that sequence.

[0] https://everything2.com/index.pl?node_id=1520430&displaytype...

[1] https://news.ycombinator.com/item?id=7622165

If you have 20 minutes with a car you can get in many ways..
If you have that much time, you might as well pick the lock or shim the door.
If they can't secure their own keyfob, I'd be worried that a phone app will open a remote vunerability.

My car has an optional subscription that would let me unlock it with my phone -- I didn't sign up for that subscription, but I bet that it's active on the car's side and if there's a remote vulnerability, it's exploitable whether I've signed up for it or not.

I stopped carrying my keyfob a few years ago, and just use the mechanical key - mainly because I hate how huge it is, but now I'm starting to think it was a good idea..
I really like the convenience of keyless entry, I keep my key in my backpack and like being able to walk up to the car, have it automatically unlock when I grab the door handle, then I just get in and press "start", and it's ready to go. Then when I get to work, I just grab my backpack and walk away and I know the car will lock behind me. I don't want to move back to a physical key.

That convenience shouldn't have to be traded for the huge vulnerability of allowing replay attacks.

Yeah, no. Key fobs are great. I wish I had them. My moms car unlocks the door if the key is in my pocket. Immensely useful while carrying bags and a decade old feature.

Door keys suck. Ignition keys suck more. The worst is the middle years of both immobilizers and physical keys.

Source: I can use 4 different keys to open 1 car right now. In fact, I only realized this after I locked my keys in the car and tried a few spares at the shop. A little jiggle and they all work

For doors, ya, but to start the engine i hate these new cars that dont have any mechanical key.
I took a class on SDRs one time and replay attack against a Honda was one of the toy examples they used as homework.
Has anyone else verified this? I'm shocked to the point of disbelief that this would be a thing in a car manufactured in 2020.
Yup. A Land Rover was stolen right near my house in broad daylight and I live in a very good neighbourhood. Cops came by and asked me if I had home cameras, but they explained to me this is very common. High-end SUVs are targeted and this is run by organized crime. Cars are overseas within days to be re-sold.

The thief just hangs around the target, waits for the fob to be used, clones the signal and can steal the car within 3 minutes.

The problem is so pervasive that Land Rover offers discounts to previous customers who are victims of theft:

https://www.landrover.ca/en/ownership/protection-program/veh...

Don't even need to hang around. Just plant a small official looking box near a car or hide it in the bushes or something. Easy.
The wifi pineapple equivalent of this would be a device that records all signals sent, filters it for unlock and start car commands, and then allows you to just bulk replay each set back until cars start.

You could effectively leave it in the bushes at a work parking lot, come back the next day, and unlock + start all of the cars with keyfobs that were present the day before.

In the US it seems like theft of parts is a lot more popular. Things like wheels, light housings, and catalytic converters are especially popular. Getting a car out of the country is a lot harder when you don't share land borders with eastern europe. When people steal cars they usually only use it for as long as it takes to commit another crime. A lot of the car chases are with stolen cars so police have no clue who is inside since running plates returns the owner.
GP's link is to landrover.ca, implying Canadian origin - a country which does not share land borders with Eastern Europe. By the time a group is big enough to be fencing cars overseas, I wouldn't be so quick to discount their ability to move through a seaport.
"We know our vehicles depreciate faster than average, and rather than fix common security flaws or encourage gap insurance, we'll offer a token discount."

I guess that falls in line with their reliabity standards and replace every 2 year business model.

> "Honda" in Japanese translates to "Original Rice Patty"

This should be "paddy" rather than "patty". Note that Honda is a family name (after founder Soichiro Honda).

"Rice Paddy" is also redundant, since the English paddy comes from the Malay padi, "rice plants".

And while "original rice paddy" is a correct if painfully literal translation, something like "Mainfield" probably captures the essence better. In Japanese, a field defaults to rice and there's a separate word (畑 hatake) for non-rice fields, with a little fire radical 火 added to the rice field 田 to show that this is a burned (dry) field instead of a wet one.

"Ford in English translates to River Cropping"
Very hard to believe that this was not fixed 20 years ago
For years Honda has known the door lock mechanism is trivial to bypass and they haven’t fixed it, so I’m not surprised.
What is the handheld SDR and where can I buy one?
(comment deleted)
And how much does it cost... if this is cheap, it seems that insurance rates on Honda/Acura vehicles are about to increase.
Looks like a HackRF. About $350 + knowledge of how to use it and leverage the attack.
The HackRF or similar SDR is useful for creating a prototype, because they work across many frequencies and can modulate and demodulate essentially any modulation scheme in software.

Once you know that it's, say, 9600 baud FSK at 433MHz, you can buy a transceiver IC for a few dollars that can send and receive that frequency and modulation, and drive it with a microcontroller.

I wouldn't be surprised if we start seeing such devices on AliExpress for $10 within a year or so.

Can you comment or recommend any resources on the legality of owning a PortaPack H2 in the US? (eg. is an Amateur Radio License required?)
I'm not a licensee but it depends on the frequency used and the power.
New PortaPack H2 And HackRF One SDR Software Defined Radio (check Banggood)

Looks like maybe a custom case, but 99% sure it's this hardware that has been customized.

edit: Actually you can find the exact model they are using on eBay...just google the first line of text in this comment.

edit: ok, direct link https://www.ebay.com/itm/224339096828?chn=ps&mkevt=1&mkcid=2...

Ford has a key cloning issue too. Focus and Fiesta STs are prime targets in the UK to the point where you'd be crazy not to remove or lock the ODBII port on those vehicles. Luckily it's not as bad in the states. Criminals can clone a key in about 30 seconds with special tools.
Remote start is a safety issue, not just a security one. It doesn't take much to imagine replaying the start command while a vehicle is in an attached garage.

Remote unlock is a safety issue for assaults.

Thankfully according to https://owners.honda.com/Linked-Content/PDF/RemoteEnginestar... the remote engine stop doesn't work if the engine was started with the ignition key rather than the remote.

I agree about the remote start, but I’m dubious about the remote unlock being an issue for assaults in practice. I think if someone is planning to violently attack someone, going through the window is going to be the most common path taken.

It’s like home invasions. Perhaps someone might pick your weak lock or hack your smart lock, but in practice they usually just break a window or kick the door in.

Imagine being able to come up to anyone, open their car door, shove them over into the passenger seat while threatening them with a gun, start the car and drive away. Could probably do this in a busy street without anyone noticing.
You’d have to stalk them first when they opened and started the car earlier. This is a replay attack, you need to be around to record the original.
(comment deleted)
Should be easy enough to do in a shopping mall. Maybe plant a few recording devices around the parking lot and replay all of them, if you want to get extreme.
It’s possible, but not likely. You’re describing a very sophisticated attack for a violent crime, especially since the typical attack involves nothing more complicated than a sawed off shotgun pointed at the driver.

It should still be fixed, but this strikes me as something that’s more likely to be used by a state or quasi-state level actor to take out a high value target more than something that’ll be used to randomly assault people at the mall.

Yeah, it seems more like a mission impossible or heist movie plot device than a common crime.
The scenario I first imagined was a kidnapping or sexual assault by a stalker. Lying in wait in someone's car when they leave work or the gym may be a TV trope, but it's not inconceivable as a real attack method.
You can do that right now with any car on the road. Guns break windows easily and people aren’t going to risk their lives for a set of keys, they will let you have the car and whatever else.
Guns are also loud and people notice them. Just casually opening the door and getting in is different.
Guns are loud, and you’d be amazed how many people’s first response is “not my problem”.
Fwiw, on current Hondas the engine will only run for a set period, I believe 10 mins, unless the fob is used to reset the timer or the driver enters the cabin with the fob and presses the brake and start button.
I own a 2020 Honda and I wish this was true. I have left the car on for 8+ hours before while being miles away. I’m in shock this wasn’t addressed and it’s my biggest gripe in the car.
I own a 2021 Honda and it definitely shuts off after 10 mins for me.
For remote start, my 2018 Civic shut off after ~10 minutes. According to the sibling comment, their 2021 was similar. Did you have an aftermarket remote start, or was it started using the actual ignition switch in the car in your case?
> Remote unlock is a safety issue for assaults.

Remote unlock actually doesn't work on [most?] Honda vehicles if the engine is running.

The issue with remote unlock is that someone can enter the vehicle while it is off and wait inside.
> while a vehicle is in an attached garage.

Carbon monoxide being present is an assumption in the perspective of the building codes. This is why attached garages must have ventilation to outside, doors with gaskets, etc. There’s some danger, but the codes were made for the case where people forget and leave their car running, which isn’t all that uncommon.

Lots of houses aren't up to code. I bought a house with an in-wall AC venting from a bedroom into the garage, no gaskets on the door to the house, and a workbench built over the venting to the outside. I fixed those; contractor said that all 3 was somewhat uncommon, but any one of those isn't that uncommon.
I agree that this can be a problem. I disagree that it would be a problem of any significance.
Both Lock and Remote Engine Start are considered as safety relevant in automotive.
This sucks, of course, but the alternative has downsides as well. Volvo, for example, has rolling codes. But, if you lose your keys/fob the car has to be present to make new ones. At $500+ each.
Which is desirable because that's how keys do their job.

How is Volvo's system functioning properly considered a downside? You're saying that having a security system that downright does not work is comparable to a security system that actually works and prevents unauthorized entry to the vehicle because the former is more convenient to circumvent than the latter?

It doesn't need to cost $500+ per key. The monopoly it creates on key replacement is what enables that. It doesn't cost Volvo that much...the markup is crazy. It's especially pronounced for used cars, where it's common to only get 1 key with the car.

(Though it's funny that you decided the security was the part I felt was a downside.)

Here is a similar attack using HackRF:

https://www.youtube.com/watch?v=JomewN_1OdE

This one is significantly different, here fob is pressed outside the vehicle range, and then signal is replayed at vehicle range.

Rolling Code does not help here since the vehicle never received the original signal from the key. Thus it is for the first time played to the vehicle, and no rolling code increment is expected compared to the key's initial rolling code value.

The point of rolling code is that same signal cannot be used twice to open the vehicle.

"Vehicle ignition" should be a physical switch with 3 wires, and thats it. I don't want anything more complicated... perhaps put a relay inline if some other system really needs a kill switch.

Is a keyfob / "remote start" / "added security" really worth the trouble? How many people buy these things when its an option they have to wait for vs something already there to bulk up the price?

Remote start is very useful in climates which require either the heater or AC to run before a car is comfortable to sit inside.
I'll always remember driving my dads car home from the airport (he was staying on vacation longer) and cranking it and cranking it until I remembered the little fuel pump security switch under the front seat... Ah that civic was truly a POS.
With rolling codes, if you (or a toddler) press your remote button too many time while out of range of the car, will the remote and car get out of sync? More than 60 or 255 presses or something like that?

I guess there must be a mechanism for the car to resync somehow?

There's a sync procedure using the physical key.
depending on the type of the key - those with passive functions do it usually every time you press the engine start button, while classical key - once you put the key (physical blade) in the lock to start the car.
Presumably the keyfob transmits a generation number, so the car just needs to see that the keyfob code is e.g. 187 ahead of its number, and then do a trial roll forward. If it matches, it retains the new generation and secret state, and if not, it retains the old.
Well just use a 128 bit counter and let it roll by a million if need be.
Does this attack work if you do not push any of the key fob buttons i.e. if you unlock the car by touching the front door handle with the key in your pocket; starting the car by pushing the engine start button with the key in your pocket?
This is my question. I've been keeping my key fob in a faraday box for almost a year because I heard that keyless entry and keyless start can be pinged during a night-time drive-by when the owner is likely to be home.

Obviously not a replay attack, but still seems to be a huge vulnerability.

I work at a major American automotive OEM on entry and starting systems. Yes, many passive-entry/passive-start systems (like those that use door handle sensors to trigger an unlock) are vulnerable to relay attacks. Relay attacks are separate from re_p_lay attacks, as you note.

Relay attacks on keyfobs seem to be much more common in the UK than in the US. Some manufacturers now include accelerometers in their keyfobs to mitigate the risk, as one of the most common attacks is stealing a vehicle out of a driveway when somebody has left their keys on a hook inside the house. With an accelerometer in the keyfob, it will refuse to authorize starting if it hasn’t been jostled recently.

In the US, I've seen relay attacks used to steal items from cars rather than the cars themselves. Either because police follow up much more vigorously on theft of cars vs petty theft of things in cars, or because it's harder to convert a stolen car to cash than it is to convert the stuff in it (which might even be cash) to cash.
Honda (and any well established OEM) has rolling code on their newer models for sure. There are 2 scenarios possible here regarding this article.

1st - message is recorded while key is outside of the vehicle range. Rolling Code does not help here since the vehicle never received the original signal from the key. The point of rolling code is that same signal cannot be used twice to open the vehicle. There is no protection against this with unidirectional RF keys, but requires physical access to the key and your recorded message needs to be first one sent to the vehicle.

2nd - it's fake. This I say because the key gets out of the frame in the video when the signal is replayed...

It is not fake, and Honda does NOT have rolling codes. This assumption is why the problem was never found. Even I assumed they had rolling codes until I performed a rolljam attack on a Honda and found that the keys NEVER expired, meaning they DO NOT ROLL.
Then do a simple video - press unlock or RES with the key in vehicle range. Record that RF Tx and then replay the message. See if it does the same operation on the vehicle. Preferably with the key not disappearing out of the frame.

Dude uC used for keys come withe special sections of rolling code to have extended lifetime compared to conventional EEPROM. Same way they come with Transponder built in.

P.S. And the second key in the frame as well...

You can also try it for yourself, but I'll gladly record a new demo soon.
Wait, second key? Not all cars have a spare (not all owners know where it is). You're being so picky. Go away, troll. The keys were on the hood in the video. That owner didn't have a spare set.
People unlock cars in my street and steal stuff with this nearly every week.

That's why I never use the remote and always use key-in-hole.

Hello, I am the creator of this attack. I was very impressed by the traffic this URL drove to my Github. After reading closely:

No, it isn't fake. I'd love to show you more videos! This attack does require the target to use their FOB, the range that is required is quite long! This can be performed from great distances away. Though recreation of this part of the attack, we know it's possible to convert a "lock" command (or any command at all) into any other command, and unlike the rolljam attack, these codes will work forever (until the key gets reset by a dealer).