How Criminals are Exploiting your Vehicle's Keyless Entry System and What You Can Do - ITS Tactical


By Kris Q.


Recent news articles have mentioned criminals “mysteriously” stealing items from inside locked vehicles while parked in front of a victim’s home. The suspects in these thefts are occasionally recorded by surveillance cameras and seen holding an “unknown device.”

Today I’ll be explaining how the same technology that makes it more convenient for you to get into your car and drive away is being exploited by criminals to victimize drivers utilizing a Passive Keyless Entry and Start (PKES) system.

My goal is to clarify this complex technology in a way that everyone can understand, but for those who want more technical details, click here to view a report from an academic study on the relay attacks occurring with PKES.


Quick Review of Vehicle Keys

Let me first elaborate on the circular “cat and mouse” game that criminals play.  When a security measure is exploited, it then forces the manufacturer to upgrade, only to find that upgrade exploited again. Because of this same game being played in the auto industry, vehicle keys have become more complicated and expensive.

Keys are meant to be a means of authentication; if you have a key that unlocks the door, you’re “authorized” to enter. If you have a key that turns the ignition switch, you’re “authorized” to drive the car. For decades, vehicle keys were just simple pieces of metal. It was easy to defeat the door lock by picking the lock, punching the lock, or breaking a window and then bypassing the need for an ignition key by pulling the ignition wires and “hot-wiring” the vehicle. A knowledgeable criminal could quickly drive your car away without needing a key.

To combat this issue, vehicle manufacturers added Radio-Frequency Identification (RFID) chips to the keys and a sensor in the vehicle that checks for the presence of a pre-programmed key, before allowing the engine to start. This added technology increased the cost of replacement car keys and required the vehicle to be programmed to recognize the new key as an authorized key.

Manufacturers also introduced the “FOB” with buttons that allowed you to lock and unlock the vehicle without inserting a key into the door lock. This increase in convenience was made possible by adding a radio transmitter to the FOB. The transmitter could reach out to 100 feet and ping the radio receiver in the vehicle, which recognized the signal and performed the requested function.


However, criminals were also keeping up with technology and mimicking the radio signals. While you might not have noticed much difference in the technology, the communication between the key FOB and the vehicle was getting more complex. In the most recent quest for maximum convenience, some vehicle manufacturers have included “Passive Keyless Entry and Start” (PKES) systems.

With PKES systems you can leave your key in your pocket or purse and simply walk up to the car. As you reach out to open the door, it unlocks without the need to push any buttons or use a key. When you get in the car you simply push a button on the dash and the vehicle engine starts. All of this is accomplished by two-way radio communication between the vehicle and the key.

Vehicles with a PKES system transmit radio signals that are received by any PKES key within range. Like magic and without any human interaction, the key will respond. The vehicle transmits a short-range (usually about three feet) signal asking if there are any keys nearby. All PKES keys that are in range will respond.

If the vehicle recognizes that a key is authorized, the doors will unlock. A second signal is broadcast inside the vehicle; when an authorized key responds to it, the ignition button on the dash is activated, allowing the engine to start. This technology is a great convenience, but as with any security item, it can be exploited.


Criminals Are Adapting Too

Removing the need for any physical action with the key has created an opportunity to exploit the wireless communication between the key and the vehicle. I mentioned earlier that the vehicle emits a short-range signal and the key responds with a longer range transmission.

Criminals have found that they’re able to amplify this short-range transmission so that your key thinks it’s getting the transmission request from your vehicle, asking if any keys are nearby. When your key receives this signal, which it would normally only get if it was close to your vehicle, it responds accordingly. The return signal your key broadcasts causes the vehicle to behave as if the key is within the expected short-range distance, and it unlocks the doors.

After the criminal has entered the vehicle the “inside” signal can then be amplified and your key will reply, allowing the vehicle engine to be started. Some PKES implementations periodically check for the continued presence of an authorized key while the engine is running, but some don’t, which allows the car to be driven as long as the engine hasn’t stopped.

Even when you follow the standard vehicle security advice of locking your doors and not leaving valuables or your keys within view, you’re still vulnerable to criminals searching or stealing your vehicle.

The devices needed to amplify the vehicle signals are relatively simple to acquire and there are reports of devices being sold on prominent auction websites for as little as $17. Using these devices, criminals could exploit this vulnerability whenever the key is relatively close to your vehicle. This means parking lots, coffee shops, convenience stores and more importantly, at home, where you probably leave your keys by the door closest to the car.


Protecting Against This Exploit

A long term solution will have to come from the vehicle manufacturers, but until they feel the need to improve the security of their PKES style keyless-entry systems, these relatively simple ways to exploit the wireless communication between the vehicle and key will still exist.

When manufacturers decide to improve the PKES systems, they’ll include it in new vehicle models and aren’t likely to retrofit older versions. Before you post an advertisement to sell your vehicle, let me share some ideas that will hopefully bring you some peace of mind.

Vehicle manufacturers have included ways to disable some or all of the PKES features and you can disable the long-range functionality of your FOB by removing the battery. This will mean that you lose the conveniences you’ve become accustomed to using though. A better option is to block the wireless communication between the vehicle and keys when you don’t intend to open the doors or operate the vehicle.


I tested a few products that advertise blocking wireless radio signals. These bags and pouches were marketed using terms like Faraday, Anti-Tracking, Anti-Radiation and GPS signal blocking and were marketed towards cell phone users.

My test keys consisted of older remote entry FOBs as well as PKES keys from multiple manufacturers. I tested bags small enough to fit in your pants pocket, some that were larger and more suited for a purse or Everyday Carry (EDC) bag and some that were even big enough to hold multiple sets of keys (like you might leave by the door at home). I found that the items marketed as blocking RFID, cell phone and GPS signals also blocked the frequencies that my set of test keys used to communicate with the cars, as long as the bags and pouches were completely closed.


I also tested two different credit card sleeves that claimed to block RFID signals emanating from the “Chip & Pin” credit cards that have been used in other parts of the world for several years and will soon be more widely used in the US.

One option was thin pieces of plastic pressed together and open on one end. That pouch was too small to contain a FOB and without being able to completely close it, the wireless signal was able to escape containment allowing the key to be detected by the vehicle during some of my tests.

I also purchased the ITS RFID Wallet Sleeve and found it was big enough to fit the PKES FOB while being completely closed. It blocked the radio signals and rendered the key useless. I liked the ITS sleeve as an option for my pocket because it didn’t take up much more room than the actual FOB and it’s softer and more flexible than the other options I purchased.

As a possible low-cost option I tested anti-static bags that are normally used to protect electronic equipment from damaging electrical discharges. As expected, the anti-static bags didn’t block wireless signals for any of my test keys.

Conclusion

If you own a vehicle with a Passive Keyless Entry and Start system and want to avoid the type of exploit I described, I recommend that you find a way to interrupt the radio communication between the vehicle and the key when you aren’t using the vehicle.

I prefer blocking the communication as opposed to disabling the convenience features that are a part of the PKES systems. Whatever you wind up doing, find a solution that fits your lifestyle and usage habits and test it to ensure it prevents the key from communicating with your car.

You can easily test your solution by placing the key in the container you think should block the signals and try unlocking your car while standing next to it. If your car doesn’t respond, your solution is working and you can sleep better at night knowing criminals can’t exploit your vehicle’s Passive Keyless Entry and Start System.
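The exchange between car and key, and the pouch test just described, can be modelled in code to show why a perfectly valid key reply proves nothing about distance and why blocking the signal works. The Python below is an added illustration, not code from the author or from any vehicle; the HMAC challenge-response, the reuse of the 100-foot FOB figure as the key's reply range, and all distances are assumptions made for the model.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

CAR_QUERY_RANGE_FT = 3.0    # the article's figure for the car's short-range query
KEY_REPLY_RANGE_FT = 100.0  # assumption: reuses the article's 100 ft FOB figure


def mac(secret: bytes, challenge: bytes) -> bytes:
    # Assumed challenge-response scheme; the article does not name one.
    return hmac.new(secret, challenge, hashlib.sha256).digest()


@dataclass
class Key:
    secret: bytes
    distance_ft: float          # distance between key and car
    in_pouch: bool = False
    pouch_closed: bool = False

    def reply(self, challenge: bytes, query_reach_ft: float):
        blocked = self.in_pouch and self.pouch_closed  # model: an open sleeve leaks
        heard = self.distance_ft <= query_reach_ft
        reachable = self.distance_ft <= KEY_REPLY_RANGE_FT
        if blocked or not heard or not reachable:
            return None
        # The key answers every query it hears; it cannot tell how far it travelled.
        return mac(self.secret, challenge)


@dataclass
class Car:
    secret: bytes

    def unlocks_for(self, key: Key, extended_reach_ft: float = 0.0) -> bool:
        challenge = os.urandom(16)  # fresh challenge per attempt
        answer = key.reply(challenge, CAR_QUERY_RANGE_FT + extended_reach_ft)
        expected = mac(self.secret, challenge)
        return answer is not None and hmac.compare_digest(answer, expected)


def run_scenarios() -> dict:
    secret = os.urandom(32)  # constructed pairing secret shared by car and key
    car = Car(secret)
    return {
        "owner at the door handle": car.unlocks_for(Key(secret, 2)),
        "key indoors, 40 ft away": car.unlocks_for(Key(secret, 40)),
        "same, query reach extended": car.unlocks_for(Key(secret, 40), 60),
        "extended, key in closed pouch": car.unlocks_for(Key(secret, 40, True, True), 60),
        "extended, key in open sleeve": car.unlocks_for(Key(secret, 40, True, False), 60),
        "stranger's key at the door": car.unlocks_for(Key(os.urandom(32), 2)),
        "author's test: pouch, next to car": car.unlocks_for(Key(secret, 1, True, True)),
    }


if __name__ == "__main__":
    for name, unlocked in run_scenarios().items():
        print(f"{name:36} -> {'UNLOCKS' if unlocked else 'stays locked'}")
```

The authorization check passes in the extended-reach case because the reply is genuine; only the closed pouch changes the outcome, which is what the stand-next-to-the-car test verifies.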

Editor-in-Chief’s Note: Kris Q. is one of our Life Members at ITS and his background includes information security, military and civilian law enforcement, which he applies to clients of his security patrol & consulting firm near Portland.


Discussion

  • JohnM89

    Good article. Good info. Stay safe.

    • Kris_Q

      JohnM89 Thanks John!

  • Ashley Morris

    ITS Tactical will there be a video?

  • Michael Rodriguez

    Let’s work together so we can produce a video

  • Aaron Furey

    Time to break out the tin foil! 😉

  • Kris Quinby

    There is not enough room on the blooper reel for me to attempt on camera work. You can, however, watch the 2013 news report that has actual bad guys exploiting this problem. https://youtu.be/l7OadDz3Ums

  • Mike

    http://bfy.tw/OWE
    I did some research after this happened in my neighborhood. I find it intriguing that the authorities are still puzzled after I found this stuff during an afternoon.

  • Dave Osborne

    This story was originally on a major network and found to be highly exaggerated a few months ago. Most thieves can’t “hack” your vehicle. Too bad these types of stories still circulate causing concern. I guess anything goes these days for a “like” or “share” on bookface!

  • Jaime Hasette

    Where there’s a will, there is a way.

  • Kris Quinby

    This doesn’t describe a “hack” in the terms of infiltrating the computers of your vehicle. It merely makes your vehicle’s radio signals work beyond their intended range. There are plenty of videos of criminals exploiting the flaw. The academic report describes exactly how the exploit works and I offered solutions to give back some security to those who are interested.

  • NoaIsumi

    I like the guy saying this is over hyped and exaggerated…I just got hit for 40 bucks and my truck gun last week. Maybe he’d like to buy me a new 9mm.

    • Kris_Q

      NoaIsumi Sorry to hear that you were a victim.  Hopefully the article was helpful to you in preventing a recurrence.

    • NoaIsumi

      Kris_Q NoaIsumi  Thanks.

  • I’d go for battery removal.  I can’t imagine fishing that pouch out of my pocket every time I needed to get into my vehicle.

    • Kris_Q

      @Jody If you take the battery out, you would need to fish the key out of your pocket every time you needed to get into your vehicle.

  • El_Rey_Dallas

    So basically, I need to have my tailor change out the fabric in my pockets with the ITS wallet sleeve fabric?

    • Kris_Q

      El_Rey_Dallas I like the way you think. Just one pocket though so you can have your cell phone in the other pocket.

    • El_Rey_Dallas A cheap option would be to line your pocket with aluminum foil

  • MSPSA

    In South Africa there has been a different way of stealing out of a “locked” vehicle going for a few years already. The criminals simply get a gate/garage door opener remote control and if they are in the vicinity of your vehicle while you press the button to lock it, they simultaneously press the garage door remote and it “jams” the signal causing your vehicle not to lock. If you don’t physically look for the indicator lights flashing or the beep indicating your vehicle is locked and simply walk away they help themselves to whatever they can.

    • Kris_Q

      MSPSA That’s a good reminder of maintaining your situational awareness.  I left situational awareness reminders out of this article because the article was already getting long.  I think you should also be aware of people near your vehicle as you approach it because, by default, all the doors unlock.  Some manufacturers let you set whether all the doors unlock or just the driver’s door.

      Thanks for the reminder.

  • Great article Kris, but a bummer for me and my new car with PKES! I like the lined pants pocket solution for sure. Quick question: Does blocking the signal of the key fob put any additional burden on the batteries (car or fob) in an effort to search for a signal? Thinking it doesn’t but thought I’d ask.

    • Kris_Q

      bfgreen Blocking the communication will save battery energy on the FOB because they are always listening and replying to signals from any PKES equipped vehicle.  Preventing the reception of the initial signal will prevent the transmission, which uses more battery power. Remember that your key will reply to any PKES equipped vehicle that you get near.  There is a second reception and transmission that the vehicle uses to determine if the key is an authorized key.

      Your vehicle is always broadcasting a signal, if not constantly, very frequently.  Blocking the communication will not reduce the energy expended by the car, but it won’t increase it either.  Fortunately, the battery in your car stores a lot of energy.

      The owner’s manuals I checked described a battery saving option where the PKES shuts down if it is not triggered for some length of time.  I think the default with one manufacturer was two days and another was four days.  In both cases, the PKES system is awakened by pulling on the door handle and returns to the standard behavior of unlocking the doors as you reach for a door handle.

  • Sura-Quay Arbon

    I watched video from my friend’s security cam of a guy with a small box point it at his truck, unlock it, get in and rifle through his stuff, get out and lock it. So it’s very true.

  • Matthew Skibert

    Most thieves cannot. But some still can. When I was in network security in the 90s and early 2000s most couldn’t hack, especially WiFi, RFID etc.; now it’s as common as HTML.

  • daveaitel

    rickhholland I wish you’d posted a picture of a car window with that post…

  • Alex Tabor

    Technological advances are also making issues for old school physical key systems. Extreme high resolution photography/video and creative math is enabling people to accurately duplicate even complex keys on a visual basis alone.
    While picking/bumping many locks can be a quick and easy process, walking up to a door and casually opening it with a ready made key draws a whole lot less attention.

  • Tim Covington

    As more security holes are found in modern vehicles, I find myself contemplating buying something like a 1970s model Ford Bronco for my next vehicle.

  • Devin Lipari

    As a working locksmith, we have a saying in the industry: You can have security or you can have convenience. You can’t have both.

  • Steven Eaton

    I drive a jeep. It may or may not even have doors on it.

  • Smokeybehr

    I have a keyless entry system on my truck, and unless I’m home, I lock it with the keypad on the door, just in case someone is sitting around with a receiver to pick up on the string transmitted by the fob.

  • Chris Fultz

    Me too Steven Eaton… I drive a jeep… With a soft top. No fancy device to lock or unlock the doors … They are unlocked all the time…

  • Sean Toomey

    My keyless entry system is removing the doors from my Jeep;)

  • William Hamilton

    Just leave the doors unlocked with nothing in it. Wtf are they gonna steal?

  • David Sherfield

    My tact for my semi urban environment, keep nothing in the truck that’s not replaceable. Security box for when I have to look something up and good insurance.

  • A Srinivasan

    Don’t use your smart key to lock and unlock while parking in common places like malls, shopping complexes, hotels and other common parking lots. Manually close with the key and open; that would help you thwart the intruders.
