Depends on the implementation. Most times you just have to click it a few times in a row. The receiver then realizes it missed a few button presses and it re-syncs. I’m not sure what that window is though, at some point it might get so out of sync that the receiver ignores it and assumes it is a wrong fob.
Cool, I was planning to get a spare car key, not anymore!
Also, glad I have one before they would ban it. It’s a neat tool that I have everything I want there, instead of having 4 fobs, one garage remote, plenty of IR remotes, it’s AIO. Plus I don’t have to pay fees to replace my lost fobs
Kind of insane that this works... Surely whoever implemented this knew it was insecure? I honestly wouldn't have thought to check for this vulnerability because... who would do that??
What practical use does this have? From my reading if I capture an unlock signal, the car will not unlock for the owner, so they’ll press their remote a few times.
If I capture a lock signal, presumably I can instead prevent it from locking. The only real world malicious action I can see is being viable is to block the car lock, meaning the car is still in an unlocked state, open the boot (which I’m guessing can be done from the car dash anyway) then locking it afterwards?
I sometimes imagine how much of this could be avoided if the communication signals weren't (a) broadcast or (b) a imperceptible to humans.
If it an electrical contact in the door handle, it would be very difficult for anyone to monitor or inject other signals.
If the signals were audible sound, you'd know when someone was jamming it.
In practice, my number one use of a fob from a remote distance is locking, rather than unlocking, and those two operations don't have the equivalent security risk.
I guess this attack is against the keeloq protocol. There are no known total breakage of this kind AFAIK, against the cryptography implemented in the chip. This will be interesting to understand, I mean: what they are exactly doing here.
If the attack causes the original key to no longer work, imo the major threat vector is someone sitting in a parking lot, capturing key presses, performing the attack, and forcing the user to tow+re-program the key as a nuisance, rather than stealing the vehicle
This is why keyless "start button" functions on cars is a bad idea.
The old approach of keyfob to unlock the car and a real key for the ignition is safer.
Having multiple levels of security is good.
However, having worked in the car security industry many years ago, I discovered that car manufacturers actually like it when their customer's cars are stolen - Insurance payouts often result in another sale.
Tons of the rolling key systems on the market are based on KeyLoq, and keyloq is a fairly well designed system with a big lynch pin.
It has something called a 'manufacturer key', which needs to be available to any device that allows field pairing of remotes. If that manufacturer key is known, it only takes two samples from an authenticator to determine the sequence key.
Absent the manufacturer key, jamming+replay attacks work, but brute forcing a sequence key is generally prohibitively costly.
However, since any receiver that supports field programming needs the magic "manufacturer key", one could purchase such a unit, and may be able to extract said key.
Am I the only one that just hates push to start in every way? Sure, I don't need to have the "insert key and crank" to be real, but physical key seems so superior.
Feels like getting rid of the light switches in your house in favor of "smart home" stuff.
> For this new attack to work, all that is needed is a single button-press capture from the keyfob, without any jamming. Just from that single capture, it is able to emulate all the keyfob's functions, including lock, unlock, and unlock trunk.
If I don't press the buttons on my keyfob am I safe from this?
The only keyfob functionality I normally use is that when it is outside the car but within about a meter of the door handle the door can be locked or unlocked by pressing a button on the door handle.
For the past 20 or 30 years, my insurer made car theft insurance conditional on having an immobilizer device installed that requires code entry through a physical keyboard.
And there were a few years this seemed onerous, but most of the time, there were popular attack in use by car thieves that were prevented (or at least made much longer and more complicated) by this.
34 comments
[ 74.9 ms ] story [ 1154 ms ] threadI always wonder about this: what is the consequence of that? Can the user reset it, or does it have to be done by a retailer or something?
Also, glad I have one before they would ban it. It’s a neat tool that I have everything I want there, instead of having 4 fobs, one garage remote, plenty of IR remotes, it’s AIO. Plus I don’t have to pay fees to replace my lost fobs
If I capture a lock signal, presumably I can instead prevent it from locking. The only real world malicious action I can see is being viable is to block the car lock, meaning the car is still in an unlocked state, open the boot (which I’m guessing can be done from the car dash anyway) then locking it afterwards?
If it an electrical contact in the door handle, it would be very difficult for anyone to monitor or inject other signals.
If the signals were audible sound, you'd know when someone was jamming it.
In practice, my number one use of a fob from a remote distance is locking, rather than unlocking, and those two operations don't have the equivalent security risk.
The old approach of keyfob to unlock the car and a real key for the ignition is safer.
Having multiple levels of security is good.
However, having worked in the car security industry many years ago, I discovered that car manufacturers actually like it when their customer's cars are stolen - Insurance payouts often result in another sale.
It has something called a 'manufacturer key', which needs to be available to any device that allows field pairing of remotes. If that manufacturer key is known, it only takes two samples from an authenticator to determine the sequence key.
Absent the manufacturer key, jamming+replay attacks work, but brute forcing a sequence key is generally prohibitively costly.
However, since any receiver that supports field programming needs the magic "manufacturer key", one could purchase such a unit, and may be able to extract said key.
Feels like getting rid of the light switches in your house in favor of "smart home" stuff.
For this project let's say
If I don't press the buttons on my keyfob am I safe from this?
The only keyfob functionality I normally use is that when it is outside the car but within about a meter of the door handle the door can be locked or unlocked by pressing a button on the door handle.
And there were a few years this seemed onerous, but most of the time, there were popular attack in use by car thieves that were prevented (or at least made much longer and more complicated) by this.