How Criminals are Exploiting your Vehicle’s Keyless Entry System and What You Can Do

Recent news articles have mentioned criminals “mysteriously” stealing items from inside locked vehicles while parked in front of a victim’s home. The suspects in these thefts are occasionally recorded by surveillance cameras and seen holding an “unknown device.”

Today I’ll be explaining how the same technology that makes it more convenient for you to get into your car and drive away, is being exploited by criminals to victimize drivers utilizing a Passive Keyless Entry and Start (PKES) system.

My goal is to clarify this complex technology in a way that everyone can understand, but for those who want more technical details, click here to view a report from an academic study on the relay attacks occurring with PKES.

Quick Review of Vehicle Keys

Let me first elaborate on the circular “cat and mouse” game that criminals play.  When a security measure is exploited, it then forces the manufacturer to upgrade, only to find that upgrade exploited again. Because of this same game being played in the auto industry, vehicle keys have become more complicated and expensive.

Keys are meant to be a means of authentication; if you have a key that unlocks the door, you’re “authorized” to enter. If you have a key that turns the ignition switch, you’re “authorized” to drive the car. For decades, vehicle keys were just simple pieces of metal. It was easy to defeat the door lock by picking the lock, punching the lock, or breaking a window and then bypassing the need for an ignition key by pulling the ignition wires and “hot-wiring” the vehicle. A knowledgeable criminal could quickly drive your car away without needing a key.

To combat this issue, vehicle manufacturers added Radio-Frequency Identification (RFID) chips to the keys and a sensor in the vehicle that checks for the presence of a pre-programmed key, before allowing the engine to start. This added technology increased the cost of replacement car keys and required the vehicle to be programmed to recognize the new key as an authorized key.

Manufacturers also introduced the “FOB” with buttons that allowed you to lock and unlock the vehicle without inserting a key into the door lock. This increase in convenience was made possible by adding a radio transmitter to the FOB. The transmitter could reach out to 100 feet and ping the radio receiver in the vehicle, which recognized the signal and performed the requested function.

However, criminals were also keeping up with technology and mimicking the radio signals. While you might not have noticed much difference in the technology, the communication between the key FOB and the vehicle was getting more complex. In the most recent quest for maximum convenience, some vehicle manufacturers have included “Passive Keyless and Start” (PKES) systems.

With PKES systems you can leave your key in your pocket or purse and simply walk up to the car. As you reach out to open the door, it unlocks without the need to push any buttons or use a key. When you get in the car you simply push a button on the dash and the vehicle engine starts. All of this is accomplished by two-way radio communication between the vehicle and the key.

Vehicles with a PKES system transmit radio signals that are received by any PKES key within range. Like magic and without any human interaction action, the key will respond. The vehicle transmits a short-range (usually about three feet) signal asking if there are any keys nearby. All PKES keys that are in range will respond.

If the vehicle recognizes that a key is authorized, the doors will unlock. There’s a second signal that’s broadcasted inside the vehicle, when responded to by an authorized key, the ignition button on the dash is activated allowing the engine to start. This technology is a great convenience, but as with any security item, it can be exploited.

Criminals Are Adapting Too

Removing the need for any physical action with the key has created an opportunity to exploit the wireless communication between the key and the vehicle. I mentioned earlier that the vehicle emits a short-range signal and the key responds with a longer range transmission.

Criminals have found that they’re able to amplify this short-range transmission so that your key thinks it’s getting the transmission request by your vehicle, asking if any keys are nearby. When your key receives this signal, which it would normally only get if it was close to your vehicle, it responds accordingly. The return signal your key broadcasts, causes the vehicle to behave as if the key is within the expected short-range distance and unlocks the doors.

After the criminal has entered the vehicle the “inside” signal can then be amplified and your key will reply, allowing the vehicle engine to be started. Some PKES implementations periodically check for the continued presence of an authorized key while the engine is running, but some don’t, which allows the car to be driven as long as the engine hasn’t stopped.

Even when you follow the standard vehicle security advice of locking your doors, not leaving valuables within sight, or leaving your keys within view, you’re still vulnerable to criminals searching or stealing your vehicle.

The devices needed to amplify the vehicle signals are relatively simple to acquire and there are reports of devices being sold on prominent auction websites for as little as $17. Using these devices, criminals could exploit this vulnerability whenever the key is relatively close to your vehicle. This means parking lots, coffee shops, convenience stores and more importantly, at home, where you probably leave your keys by the door closest to the car.

Protecting Against This Exploit

A long term solution will have to come from the vehicle manufacturers, but until they feel the need to improve the security of their PKES style keyless-entry systems, these relatively simple ways to exploit the wireless communication between the vehicle and key will still exist.

When manufacturers decide to improve the PKES systems, they’ll include it in new vehicle models and aren’t likely to retrofit older versions. Before you post an advertisement to sell your vehicle, let me share some ideas that will hopefully bring you some peace of mind.

Vehicle manufacturers have included ways to disable some or all of the PKES features and you can disable the long-range functionality of your FOB by removing the battery. This will mean that you lose the conveniences you’ve become accustomed to using though. A better option is to block the wireless communication between the vehicle and keys when you don’t intend to open the doors or operate the vehicle.

I tested a few products that advertise blocking wireless radio signals. These bags and pouches were marketed using terms like Faraday, Anti-Tracking, Anti-Radiation and GPS signal blocking and were marketed towards cell phone users.

My test keys consisted of older remote entry FOBS as well as PKES keys from multiple manufacturers. I tested bags small enough to fit in your pants pocket, some that were larger and more suited for a purse or Everyday Carry (EDC) bag and some that were even big enough to hold multiple sets of keys (like you might leave by the door at home.) I found that the items marketed as blocking RFID, cell phone and GPS signals also blocked the frequencies that my set of test keys used to communicate with the cars, as long as the bags and pouches were completely closed.

I also tested two different credit card sleeves that claimed to block RFID signals emanating from the “Chip & Pin” credit cards that have been used in other parts of the world for several years and will soon be more widely used in the US.

One option was thin pieces of plastic pressed together and open on one end. That pouch was too small to contain a FOB and without being able to completely close it, the wireless signal was able to escape containment allowing the key to be detected by the vehicle during some of my tests.

I also purchased the ITS RFID Wallet Sleeve and found it was big enough to fit the PKES FOB while being completely closed. It blocked the radio signals and rendered the key useless. I liked the ITS sleeve as an option for my pocket because it didn’t take up much more room than the actual FOB and it’s softer and more flexible than the other options I purchased.

As a possible low-cost option I tested anti-static bags that are normally used to protect electronic equipment from damaging electrical discharges. As expected, the anti-static bags didn’t block wireless signals for any of my test keys.

Conclusion

If you own a vehicle with a Passive Keyless Entry and Start system and want to avoid the type of exploit I described, I recommend that you find a way to interrupt the radio communication between the vehicle and the key when you aren’t using the vehicle.

I prefer blocking the communication as opposed to disabling the convenience features that are a part of the PKES systems. Whatever you wind up doing, find a solution that fits your lifestyle and usage habits and test it to ensure it prevents the key from communicating with your car.

You can easily test your solution by placing the key in the container you think should block the signals and try unlocking your car while standing next to it. If your car doesn’t respond, your solution is working and you can sleep better at night knowing criminals can’t exploit your vehicle’s Passive Keyless Entry and Start System.

Editor-in-Chief’s Note: Kris Q. is one of our Life Members at ITS and his background includes information security, military and civilian law enforcement, which he applies to clients of his security patrol & consulting firm near Portland.