How Criminals are Exploiting your Vehicle's Keyless Entry System and What You Can Do - ITS Tactical
 


By Kris Q.

Keyless Vehicle Entry

Recent news articles have mentioned criminals “mysteriously” stealing items from inside locked vehicles while parked in front of a victim’s home. The suspects in these thefts are occasionally recorded by surveillance cameras and seen holding an “unknown device.”

Today I’ll be explaining how the same technology that makes it more convenient for you to get into your car and drive away is being exploited by criminals to victimize drivers who use a Passive Keyless Entry and Start (PKES) system.

My goal is to clarify this complex technology in a way that everyone can understand, but for those who want more technical details, there is a report from an academic study on the relay attacks occurring with PKES.


Quick Review of Vehicle Keys

Let me first elaborate on the circular “cat and mouse” game that criminals play.  When a security measure is exploited, it then forces the manufacturer to upgrade, only to find that upgrade exploited again. Because of this same game being played in the auto industry, vehicle keys have become more complicated and expensive.

Keys are meant to be a means of authentication; if you have a key that unlocks the door, you’re “authorized” to enter. If you have a key that turns the ignition switch, you’re “authorized” to drive the car. For decades, vehicle keys were just simple pieces of metal. It was easy to defeat the door lock by picking the lock, punching the lock, or breaking a window and then bypassing the need for an ignition key by pulling the ignition wires and “hot-wiring” the vehicle. A knowledgeable criminal could quickly drive your car away without needing a key.

To combat this issue, vehicle manufacturers added Radio-Frequency Identification (RFID) chips to the keys and a sensor in the vehicle that checks for the presence of a pre-programmed key, before allowing the engine to start. This added technology increased the cost of replacement car keys and required the vehicle to be programmed to recognize the new key as an authorized key.

Manufacturers also introduced the “FOB” with buttons that allowed you to lock and unlock the vehicle without inserting a key into the door lock. This increase in convenience was made possible by adding a radio transmitter to the FOB. The transmitter could reach out to 100 feet and ping the radio receiver in the vehicle, which recognized the signal and performed the requested function.


However, criminals were also keeping up with technology and mimicking the radio signals. While you might not have noticed much difference in the technology, the communication between the key FOB and the vehicle was getting more complex. In the most recent quest for maximum convenience, some vehicle manufacturers have included “Passive Keyless Entry and Start” (PKES) systems.

With PKES systems you can leave your key in your pocket or purse and simply walk up to the car. As you reach out to open the door, it unlocks without the need to push any buttons or use a key. When you get in the car you simply push a button on the dash and the vehicle engine starts. All of this is accomplished by two-way radio communication between the vehicle and the key.

Vehicles with a PKES system transmit radio signals that are received by any PKES key within range. Like magic and without any human interaction, the key will respond. The vehicle transmits a short-range (usually about three feet) signal asking if there are any keys nearby. All PKES keys that are in range will respond.

If the vehicle recognizes that a key is authorized, the doors will unlock. A second signal is broadcast inside the vehicle; when an authorized key responds to it, the ignition button on the dash is activated, allowing the engine to start. This technology is a great convenience, but as with any security item, it can be exploited.


Criminals Are Adapting Too

Removing the need for any physical action with the key has created an opportunity to exploit the wireless communication between the key and the vehicle. I mentioned earlier that the vehicle emits a short-range signal and the key responds with a longer range transmission.

Criminals have found that they’re able to amplify this short-range transmission so that your key thinks it’s getting the transmission request from your vehicle, asking if any keys are nearby. When your key receives this signal, which it would normally only get if it was close to your vehicle, it responds accordingly. The return signal your key broadcasts causes the vehicle to behave as if the key is within the expected short-range distance, and it unlocks the doors.

After the criminal has entered the vehicle the “inside” signal can then be amplified and your key will reply, allowing the vehicle engine to be started. Some PKES implementations periodically check for the continued presence of an authorized key while the engine is running, but some don’t, which allows the car to be driven as long as the engine hasn’t stopped.

Even when you follow the standard vehicle security advice of locking your doors and not leaving valuables or your keys within view, you’re still vulnerable to criminals searching or stealing your vehicle.

The devices needed to amplify the vehicle signals are relatively simple to acquire and there are reports of devices being sold on prominent auction websites for as little as $17. Using these devices, criminals could exploit this vulnerability whenever the key is relatively close to your vehicle. This means parking lots, coffee shops, convenience stores and more importantly, at home, where you probably leave your keys by the door closest to the car.


Protecting Against This Exploit

A long term solution will have to come from the vehicle manufacturers, but until they feel the need to improve the security of their PKES style keyless-entry systems, these relatively simple ways to exploit the wireless communication between the vehicle and key will still exist.

When manufacturers decide to improve the PKES systems, they’ll include it in new vehicle models and aren’t likely to retrofit older versions. Before you post an advertisement to sell your vehicle, let me share some ideas that will hopefully bring you some peace of mind.

Vehicle manufacturers have included ways to disable some or all of the PKES features and you can disable the long-range functionality of your FOB by removing the battery. This will mean that you lose the conveniences you’ve become accustomed to using though. A better option is to block the wireless communication between the vehicle and keys when you don’t intend to open the doors or operate the vehicle.


I tested a few products that advertise blocking wireless radio signals. These bags and pouches were marketed using terms like Faraday, Anti-Tracking, Anti-Radiation and GPS signal blocking and were marketed towards cell phone users.

My test keys consisted of older remote entry FOBs as well as PKES keys from multiple manufacturers. I tested bags small enough to fit in your pants pocket, some that were larger and more suited for a purse or Everyday Carry (EDC) bag and some that were even big enough to hold multiple sets of keys (like you might leave by the door at home). I found that the items marketed as blocking RFID, cell phone and GPS signals also blocked the frequencies that my set of test keys used to communicate with the cars, as long as the bags and pouches were completely closed.


I also tested two different credit card sleeves that claimed to block RFID signals emanating from the “Chip & Pin” credit cards that have been used in other parts of the world for several years and will soon be more widely used in the US.

One option was thin pieces of plastic pressed together and open on one end. That pouch was too small to contain a FOB and without being able to completely close it, the wireless signal was able to escape containment allowing the key to be detected by the vehicle during some of my tests.

I also purchased the ITS RFID Wallet Sleeve and found it was big enough to fit the PKES FOB while being completely closed. It blocked the radio signals and rendered the key useless. I liked the ITS sleeve as an option for my pocket because it didn’t take up much more room than the actual FOB and it’s softer and more flexible than the other options I purchased.

As a possible low-cost option I tested anti-static bags that are normally used to protect electronic equipment from damaging electrical discharges. As expected, the anti-static bags didn’t block wireless signals for any of my test keys.

Conclusion

If you own a vehicle with a Passive Keyless Entry and Start system and want to avoid the type of exploit I described, I recommend that you find a way to interrupt the radio communication between the vehicle and the key when you aren’t using the vehicle.

I prefer blocking the communication as opposed to disabling the convenience features that are a part of the PKES systems. Whatever you wind up doing, find a solution that fits your lifestyle and usage habits and test it to ensure it prevents the key from communicating with your car.

You can easily test your solution by placing the key in the container you think should block the signals and try unlocking your car while standing next to it. If your car doesn’t respond, your solution is working and you can sleep better at night knowing criminals can’t exploit your vehicle’s Passive Keyless Entry and Start System.
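The exchange and the blocking test described in this article can be modeled in a few lines. This is an added example, not code from the author or from any vehicle manufacturer: the `Key` and `Vehicle` classes are hypothetical, HMAC-SHA256 stands in for whatever manufacturer-specific check a real PKES system uses, and the two range figures are the ones quoted in the article.

```python
import hashlib
import hmac
import os

VEHICLE_RANGE_FT = 3      # vehicle's short-range "any keys nearby?" signal (article's figure)
KEY_REPLY_RANGE_FT = 100  # reach of the fob's transmitter (article's figure)


class Key:
    """Constructed model of a PKES fob; HMAC-SHA256 stands in for the real scheme."""

    def __init__(self, secret, in_closed_pouch=False):
        self.secret = secret
        self.in_closed_pouch = in_closed_pouch

    def respond(self, challenge):
        # A fully closed blocking pouch keeps the challenge from arriving,
        # so the fob never transmits a reply.
        if self.in_closed_pouch:
            return None
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


class Vehicle:
    def __init__(self, secret):
        self.secret = secret

    def door_unlocks(self, key, distance_ft, relay_present=False):
        challenge = os.urandom(16)  # fresh random challenge for every attempt
        # Normally only keys within about three feet hear the challenge. A relay
        # re-broadcasts it near the key, so that limit stops applying.
        if not relay_present and distance_ft > VEHICLE_RANGE_FT:
            return False
        reply = key.respond(challenge)
        # The fob's own reply still has to reach the vehicle.
        if reply is None or distance_ft > KEY_REPLY_RANGE_FT:
            return False
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()
        # This check proves the key is authorized. It says nothing about how far
        # away the key is, which is the gap the article describes.
        return hmac.compare_digest(reply, expected)


def run_scenarios():
    secret = os.urandom(32)  # constructed pairing secret shared by car and fob
    car = Vehicle(secret)
    return {
        "key in pocket at the door (2 ft)": car.door_unlocks(Key(secret), 2),
        "key indoors (40 ft), no relay": car.door_unlocks(Key(secret), 40),
        "key indoors (40 ft), relay": car.door_unlocks(Key(secret), 40, True),
        "key indoors in closed pouch, relay": car.door_unlocks(Key(secret, True), 40, True),
        "pouch self-test beside the car (1 ft)": car.door_unlocks(Key(secret, True), 1),
        "someone else's PKES key (2 ft)": car.door_unlocks(Key(os.urandom(32)), 2),
    }


if __name__ == "__main__":
    for name, unlocked in run_scenarios().items():
        print(f"{name}: {'unlocks' if unlocked else 'stays locked'}")
```

The only scenario that changes when a relay is present is the key left indoors, and a closed pouch turns it back into "stays locked".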

Editor-in-Chief’s Note: Kris Q. is one of our Life Members at ITS and his background includes information security, military and civilian law enforcement, which he applies to clients of his security patrol & consulting firm near Portland.


Discussion

36 comments
A Srinivasan

Don't use your smart key to lock and unlock while parking in common places like malls, shopping complexes, hotels and other common parking lots; manually close with the key and open, that would help you thwart the intruders.

David Sherfield

My tact for my semi urban environment, keep nothing in the truck that's not replaceable. Security box for when I have to look something up and good insurance.

Sean Toomey

My keyless entry system is removing the doors from my Jeep;)

Chris Fultz

Me too Steven Eaton... I drive a jeep... With a soft top. No fancy device to lock or unlock the doors ... They are unlocked all the time...

Smokeybehr

I have a keyless entry system on my truck, and unless I'm home, I lock it with the keypad on the door, just in case someone is sitting around with a receiver to pick up on the string transmitted by the fob. 

Steven Eaton

I drive a jeep. It may or may not even have doors on it.

Devin Lipari

As a working locksmith, we have a saying in the industry: You can have security or you can have convenience. You can't have both.

Tim Covington

As more security holes are found in modern vehicles, I find myself contemplating buying something like a 1970s model Ford Bronco for my next vehicle.

Alex Tabor

Technological advances are also making issues for old school physical key systems. Extreme high resolution photography/video and creative math is enabling people to accurately duplicate even complex keys on a visual basis alone. While picking/bumping many locks can be a quick and easy process, walking up to a door and casually opening it with a ready made key draws a whole lot less attention.

Matthew Skibert

Most thieves cannot. But some still can. When I was in network security in the 90s and early 2000s most couldn't hack, especially WiFi, RFID etc. Now it's as common as HTML.

Sura-Quay Arbon

I watched video from my friend's security cam of a guy with a small box point it at his truck, unlock it, get in and rifle through his stuff, get out and lock it. So it's very true.

bfgreen

Great article Kris, but a bummer for me and my new car with PKES! I like the lined pants pocket solution for sure. Quick question: Does blocking the signal of the key fob put any additional burden on the batteries (car or fob) in an effort to search for a signal? Thinking it doesn't but thought I'd ask. 

Kris_Q

@bfgreen Blocking the communication will save battery energy on the FOB because they are always listening and replying to signals from any PKES equipped vehicle.  Preventing the reception of the initial signal will prevent the transmission, which uses more battery power. Remember that your key will reply to any PKES equipped vehicle that you get near.  There is a second reception and transmission that the vehicle uses to determine if the key is an authorized key.


Your vehicle is always broadcasting a signal, if not constantly, very frequently.  Blocking the communication will not reduce the energy expended by the car, but it won't increase it either.  Fortunately, the battery in your car stores a lot of energy.


The owner's manuals I checked described a battery saving option where the PKES shuts down if it is not triggered for some length of time.  I think the default with one manufacturer was two days and another was four days.  In both cases, the PKES system is awakened by pulling on the door handle and returns to the standard behavior of unlocking the doors as you reach for a door handle.

MSPSA

In South Africa there has been a different way of stealing out of a "locked" vehicle going for a few years already. The criminal simply gets a gate/garage door opener remote control and if they are in the vicinity of your vehicle while you press the button to lock it, they simultaneously press the garage door remote and it "jams" the signal, causing your vehicle not to lock. If you don't physically look for the indicator lights flashing or the beep indicating your vehicle is locked and simply walk away, they help themselves to whatever they can.

Kris_Q

@MSPSA That's a good reminder of maintaining your situational awareness.  I left situational awareness reminders out of this article because the article was already getting long.  I think you should also be aware of people near your vehicle as you approach it because, by default, all the doors unlock.  Some manufacturers let you set whether all the doors unlock or just the driver's door.


Thanks for the reminder.

El_Rey_Dallas

So basically, I need to have my tailor change out the fabric in my pockets with the ITS wallet sleeve fabric?

Kris_Q

@El_Rey_Dallas I like the way you think. Just one pocket though so you can have your cell phone in the other pocket.

Jody

I'd go for battery removal.  I can't imagine fishing that pouch out of my pocket every time I needed to get into my vehicle.

Kris_Q

@Jody If you take the battery out, you would need to fish the key out of your pocket every time you needed to get into your vehicle.

NoaIsumi

I like the guy saying this is over hyped and exaggerated... I just got hit for 40 bucks and my truck gun last week. Maybe he'd like to buy me a new 9mm. Let my loss be a lesson. Your gear isn't safe locked up out of sight in your own driveway. Bring it in.



Kris_Q

@NoaIsumi Sorry to hear that you were a victim.  Hopefully the article was helpful to you in preventing a recurrence.

NoaIsumi

I like the guy saying this is over hyped and exaggerated... I just got hit for 40 bucks and my truck gun last week. Maybe he'd like to buy me a new 9mm.

Kris Quinby

This doesn't describe a "hack" in the terms of infiltrating the computers of your vehicle. It merely makes your vehicle's radio signals work beyond their intended range. There are plenty of videos of criminals exploiting the flaw. The academic report describes exactly how the exploit works and I offered solutions to give back some security to those who are interested.

Dave Osborne

This story was originally on a major network and found to be highly exaggerated a few months ago. Most thieves can't "hack" your vehicle. Too bad these types of stories still circulate causing concern. I guess anything goes these days for a "like" or "share" on bookface!

Mike

http://bfy.tw/OWE

I did some research after this happened in my neighborhood. I find it intriguing that the authorities are still puzzled after I found this stuff during an afternoon.

Kris Quinby

There is not enough room on the blooper reel for me to attempt on camera work. You can, however, watch the 2013 news report that has actual bad guys exploiting this problem. https://youtu.be/l7OadDz3Ums

JohnM89

Good article. Good info. Stay safe.
