Hey Everyone! Vote for the Site Favourite HOTM winner for the year of 2022 HERE!

Slew of Burglaries From Vehicles Using New Tech

10906 Views 76 Replies 28 Participants Last post by ezlife45, 12 mo ago

Robo21

Discussion Starter · May 23, 2016

In Los Angeles and elsewhere there has been a rash of burglaries from vehicles utilizing an RF amplifier that will boost your key fob signal, otherwise too weak to open your car, to open your doors and trunk. The little black box amplifies your own secure code so that your car thinks you are standing at the door.

The thief then enters the vehicle takes what he wants and leaves. Most often they are on bicycles to make quick getaways. Numerous instances have been captured on video.

The solution is simple, use a Faraday cage type pouch or container to prevent the signal from reaching the vehicle. The author of the article I will link you to below suggests using your freezer which I don't recommend as that will prematurely age your fob's battery. Aluminum foil does NOT work, some dumbass news reporter here in L.A. (John Gregory) suggested that without even testing it and I can assure you it does not work.

Amazon sells Faraday pouches which are ridiculously expensive but will work. My wife, genius that she is found the perfect solution for us in our kitchen, reasonably priced, incorporating a sort of Faraday technology (the mesh metal screen on top) and it works flawlessly blocking the signal right next to the vehicle. Our solution is a stainless steel sifter with stainless steel screen built into the lid.

The media also recommends a microwave oven as a storage device, I don't like that solution either for obvious reasons.

I found out by accident the other night that the Hellcat FOB has impressive range. From 40 feet way through 2 load bearing walls and one interior wall I unintentionally unlocked the doors. Apparently, these amplifiers the thieves are using are sensitive enough that they can work with signals too weak to open the car by fob alone. The amplifier can take the weak signal and boost it enough to access the car.

I am not taking any chances some of thefts occurred within 5 miles of my home. I strongly suggest that we take this seriously, secure your fob.

I searched the forum didn't find any info so I thought I would share my solution. I know many have heard the story but apparently not enough to prevent the thefts that occurred last week here in L.A. News story video, etc. below photo.

Product Audio equipment Cylinder Filter Microphone

CNN Story:

Article regarding thefts: http://www.nytimes.com/2015/04/16/style/keeping-your-car-safe-from-electronic-thieves.html?_r=0

Fob guard: Fob Guard: Ideal Faraday Cage for Car Keyless Entry Fobs

See less See more

1 - 14 of 77 Posts

TallCool1

· #42 · May 27, 2016 (Edited)

SoCcal Dragger said:
There is probably more to it than the key fob and/or either unlocking sequence....

This whole thing, the way the media has spun it, and agencies "investigating" it, is 100% bs.

Whats shown in the vid was developed 14+ years ago. Its one of 3 methods that were, in controlled tests, in reponse to planned mass use of remote keyless entry systems with passive entry. To demonstrate the initial systems and now fast forward to today, have these vulnerabilities. But it didnt need to go this way, but did, to save a few pennies.

Tech to make this more difficult has been around for years (some of best solutuions were identified when the vulnerability testing occurred back then.)

I'm amazed we are here. I'm also blown away the auto insurance industry hasn't sued the auto industry (not all but many manufacturers based on their conscious choices to save < pennies per) for deciding to introduce remote entry, and as you see with really what were some of the worst methods that have so many security comprimises. Because there was a scientific community that was formed, it had global representation and the data and facts are out there to show why we are here now. Over 14 years ago.

And then the media and lord knows who else is out there saying "new tech bla bla bla" and while they are bringing it back into light, all the "what is it" "how does it work" in part must just be more bs spin to try to play to the masses to keep them from knowing the reality of how we got here.

Shameful.

See less See more

TallCool1

· #44 · May 27, 2016

Robo21 said:
Good move, I did that and put the fobs in the "Faraday" container. Why not? It's free and just in case, it makes sense to err on the side of safety. Besides there are only one or two naysayers while the preponderance of the evidence says that there is a credible threat. I would rather be safe than sorry.

Its the degree of threat which can differ car...car. Worst case a fob shield AND turning off passive entry are both required.

TallCool1

· #45 · May 27, 2016

fnkychkn said:
Since the passive entry sequence relies on the FOBIK battery to amplify the RFID signal, I wonder what would happen if you simply removed the battery from the FOBIK.

A+

TallCool1

· #46 · May 27, 2016

Catless said:
I watched the video.
It has been over a year now the "authorities" have supposedly had in their possession these devices, more than one according to the various reports. The have not figured it out? I bet I could figure it out in a few days at most if I had one of the alleged devices.

Complete 100% b.s. They have had schematics, devices and imperical data proving how this is done for over a decade.

TallCool1

· #47 · May 27, 2016

intercooler said:
Apparently, the frequency band normally used for passive entry cannot be used for distance measurement (between the car and the fob). I have not researched it, and I am not an RF Engineer, so can't say exactly why this would be the case.

However, It takes time for the amplifier to receive and amplify the signal.

This is fundamentally how distance measurement would work if it were implemented:

- In a scenario where the fob is really close to the car, the person touches the door handle. When the car computer detects this touch, it transmits a signal and starts measuring time. The fob receives the car signal and replies back to the car. The car computer receives the answer from the fob and stops measuring time. If the time duration is short enough, then the car computer knows that the fob is close by and therefore unlocks the door.

- In a scenario where the fob is 200 ft away, but the person has one of these fob amplifiers, the person touches the door handle. When the car computer detects this touch, it transmits a signal and starts measuring time. The signal must travel 200 ft to get to the fob. The fob replies, but the signal is too weak for the car to detect. The signal from the fob travels another 200 ft to the sensitive receiver of the black box amplifier. The amplifier receives the signal. It must finish receiving the signal before it transmits, otherwise it will drown out the signal that is it trying to receive from the fob. Once the black box amplifier has finished receiving the signal, then it can re-transmit the signal so that the car can detect it. Finally, the car computer gets the signal (after it has traveled 200 ft to the fob, 200 ft back to the transponder, read into the transponder buffer, and then retransmitted). All of this signal travel and processing takes time. Once the car computer receives the input signal, it stops measuring time. Due to the slowness of the response of the amplifier, the car computer should be able to deny entry.

NOTE: These are speed-of-light times, not human-discernible, but can be measured sensors and circuits and computers.

In actual implementation, the car could stop trying to receive the answer from the fob once the signal has had time to travel perhaps 10 or so feet round-trip, so that it would never even "listen" to an attempt from an amplifier.

There are multiple methods to determine distance. Some extremely difficult to hack.

This hack can be done at a distance of over 90 meters from the car, depending of the tech used by the car manufacturer.

TallCool1

· #49 · May 27, 2016

Catless said:
So the manufacturers have known about this problem and specifics of the vulnerability for over a decade and they have done nothing to mitigate it?
Sounds like time for a class action suit.

100% true they absolutely know. And were presented from simple to complex, methods to reduce and in some cases make this hack almost impossible. And some changes that would make it impossible; those would just slightly alter the user experience, that technically might not be considered purely passive.

I see a very real possibility of some legal action. It will be interesting to see if some (manufacturers) come forward with mitigation measures, or idenitfy their choices are not as exposed, or are exposed.

There are simple changes to the fobik, that could be implemented, that don't require changes to the car. That would still be passive entry, at the time a user starts to enter the car. That would extinguish the vast majority of this, except perhaps to those of us who could still bypass it, although that ain't easy, or cheap, and when we could the car owner (fobik) would be very near, and the time window small, making odds very very minimal we wouldn't get caught.

See less See more

TallCool1

· #50 · May 27, 2016

This is worthy of 60 minutes or an exposure cover up on tv. Make it happen, make it almost impossible to happen, show the costs tiny to the size of the auto behemouths in terms of parts or changes to the original fobik, not changing anything in the car, and then the date of the transfer and publication of the original papers. All on film, to the public. Then see what happens next. (Oh and loop in about a bazillion government agencies, standards bodies, regulating entities that all KNOW what really went down.)

Reactions: 1

TallCool1

· #52 · May 27, 2016 (Edited)

It may be Hellcats are less exposed. Seeing this done on one would confirm or not. The specs on the tech used would identify that. You could tell over the air too (not wasting my time to know.) (Or by examing tech in fobik.)

Until then I'll disable passive entry. Which until is known is something to consider if leave your car in busy public areas if the fobik is within say 100' and isnt in a shielded environment. Doing so greatly reduces the risk based on what I see is being used (by a lot.) Sheilding the fobik further reduces odds this hack might work ( much less than in combination with no passive entry.)

(What I see being used has range limits, fobik...intrusion device.)

TallCool1

· #58 · May 28, 2016

fnkychkn said:
Gotta link to all this great info?

I'll answer this way Pete how's that.

relay attacks on passive keyless entry - Google Search flip between list and google pics.

TallCool1

· #67 · Jun 7, 2016

If the key fob can't be detected by the car there's no threat. Keeping it sheilded is the only real defense. If you unshield it at car to enter exit whatever you are there too.

Not seen amything yet on Hellcats that says what type of interface is used it may be relay risk is minimal, or not.

TallCool1

· #68 · Jun 7, 2016 (Edited)

intercooler said:
I have disabled "passive entry" to disallow easy entry by door. Since the keyless opening of the trunk cannot be disabled in software, I am now considering disconnecting the external trunk lid button.

Don't car still polls for nearby key fob. If one doesn't respond there's nothing to relay, which is why sheilding it (if hellcats are more openly exposed to a relay hack and that's not known, to me anyway) is the best option.

TallCool1

· #71 · Jun 7, 2016

intercooler said:
There was some discussion on this earlier in the thread. The thief tech discussed here ONLY bypasses passive entry (aka keyless entry). If you get rid of this feature (passive entry), then the thief's amplifier tech becomes useless.

If your car is locked, including the trunk, if you attempt to open the trunk, minus the key fob in range, will you get in, will it open?

If the key fob is out of range of the car, but is within relay hack range, if the trunk is locked and the fob poll response (from car) is relayed and car detects response, and trunk access is attempted, what do you think will happen then?

Im asking as I may have missunderstood if defeating passive entry also defeats trunk access? Relay hacks only work if the fob can be activated, manually or otherwise like getting polled, get that.

TallCool1

· #72 · Jun 8, 2016

Well better hope fca gets on board using this

MCS3142 - Security- KEELOQ® Encoder Devices

(As of last year not.)

Or adjusts too similar ota.

Or anytime you use your fob, your exposed, unless you know what key sequence to use to clear last authentication key generated amd when.

TallCool1

· #73 · Jun 10, 2016

Which may mean still exposed to rolljam.

1 - 14 of 77 Posts

This is an older thread, you may not receive a response, and could be reviving an old thread. Please consider creating a new thread.