Steve Gibson explains automobile keyless ignition exploit

FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Post by FlyingPenguin »

I cued up the video to where he starts discussing this. This affects most cars that use the presence of a key fob to allow you to open the door and start the engine without a key.

Regular keyless remote fobs that you have to press a button to open the door, and insert a key to start the car, aren't affected.

Video: https://www.youtube.com/embed/0W64fhQdPQs?start=5220
---
“The Government of Spain will not applaud those who set the world on fire just because they show up with a bucket.” - Prime Minister of Spain, Pedro Sánchez

Losbot
Life Member
Posts: 5206
Joined: Sun Jul 13, 2014 8:59 am
Location: South Florida

Post by Losbot »

I believe this is the pouch he was referring to:

http://www.amazon.com/gp/product/B00ITRBV54

Post by FlyingPenguin »

Altoids tin works in a pinch.

Executioner
Life Member
Posts: 10354
Joined: Wed Nov 22, 2000 11:34 am
Location: Woodland, CA USA

Post by Executioner »

But removing the battery is probably a better solution.

Post by FlyingPenguin »

I heard someone mention in a forum thread that on some model cars, removing the battery resets the fob and then you have to pair it again. Sounds absurd, though. I assume that's not common.

Even before I ever heard about this, I have always thought that keyless ignitions weren't a good idea. ANYTHING like this can be potentially exploited, even with good security design. And we already know most of these companies never consider security.

How f'ing convenient do we need things to be? A key works fine, and pressing a button on a fob is a lot more secure.

It's the same reaction I had to those Mobil gas fast-pay fobs. A credit card is easy enough to use, what the heck do I need THAT for?

Oh it's only going to get more fun with the "Internet of Things". Me personally, I want NOTHING in my house on the internet other than my PCs and tablets, thank you.

Err
Life Member
Posts: 5842
Joined: Thu Nov 22, 2007 11:54 am

Post by Err »

FlyingPenguin wrote: I heard someone mention in a forum thread that on some model cars, removing the battery resets the fob and then you have to pair it again. Sounds absurd, though. I assume that's not common.

Even before I ever heard about this, I have always thought that keyless ignitions weren't a good idea. ANYTHING like this can be potentially exploited, even with good security design. And we already know most of these companies never consider security.

How f'ing convenient do we need things to be? A key works fine, and pressing a button on a fob is a lot more secure.

It's the same reaction I had to those Mobil gas fast-pay fobs. A credit card is easy enough to use, what the heck do I need THAT for?

Oh it's only going to get more fun with the "Internet of Things". Me personally, I want NOTHING in my house on the internet other than my PCs and tablets, thank you.
Agreed. I never thought the fast pay fobs were a good idea. I also don't know why it's all of a sudden so inconvenient to put a key or fob in the ignition. Fortunately, I don't have to re-pair my fob (2010 Dodge) if the battery dies. However, the car will shut off if it's dead. I keep a spare in my wallet just in case.

Post by Losbot »

FlyingPenguin wrote: It's the same reaction I had to those Mobil gas fast-pay fobs. A credit card is easy enough to use, what the heck do I need THAT for?
I will admit that I had the Mobil SpeedPass but not the key-chain fob. I had the one you placed in your car, tucked away in the corner of the rear window. You'd just pull up to the pump. By the time I walked around to the passenger side, to pump fuel, it was already authorized and I just filled up. It was pretty cool for its time.

Post by FlyingPenguin »

And in case anyone didn't watch the whole video, let me summarize.

This affects keyless ignitions. The common way it's being exploited is most people leave their keys on a table near the front door, and that is sometimes close enough to allow the car to be unlocked. You can't start the car in this case because the fob needs to be inside the car to allow ignition start. This is how kids are ransacking locked cars in their owners' driveways. Easy fix for this is to put the fob in a Faraday cage of some kind (metalized pouch, Altoids tin), or leave the fob on your bedroom nightstand (assuming it's far enough away from the car - you need to test it).

The second, and more sophisticated method is to use a radio relay. Someone can follow you into a retail store carrying a backpack or briefcase that contains half the radio relay. Someone else stands near your car with the other half.

The car pings the fob and gets a response, even though it's WAY out of range. The door can be unlocked, and also fooled into thinking the fob is inside the car allowing the engine to start. Once started, you no longer need the fob. This is a safety feature to prevent the engine from being killed due to radio interference or fob battery failure.

Steve mentioned at the end of the show that MOST of these fobs have a backup battery failure mode which uses NFC. So if your battery is dead (or removed) you can still open the car and start the motor using NFC. You just have to be VERY close to open the door (probably nearly touching the car with the fob) and once inside the NFC will also allow you to start the car - he implied that on some cars you may have to hold the fob against an NFC receiver pad on the dash.

So one way around this exploit, if you don't mind the inconvenience of not having the remote buttons work, is to remove the batteries and use the backup NFC mode in your fob.

One EASY way the car manufacturers could fix this - possibly with a firmware update - is to add a bit of inconvenience, and ONLY allow the door to be unlocked and engine started if you press the unlock button on the remote.

Pugsley
Posts: 7512
Joined: Mon Aug 19, 2002 11:54 pm
Location: NW Indiana

Post by Pugsley »

FlyingPenguin wrote: One EASY way the car manufacturers could fix this - possibly with a firmware update - is to add a bit of inconvenience, and ONLY allow the door to be unlocked and engine started if you press the unlock button on the remote.
I was thinking the exact same thing the whole time.
A self-aware artificial intelligence would suffer from a divide by zero error if it were programmed to be Amish

Post by FlyingPenguin »

I would easily accept that for more security. But try telling an existing Lexus or Cadillac owner that they can't leave their fob in their purse or pocket anymore.

"Oh bother, I have to take it out and press a button."
Post by Pugsley »

My work phone that I just got (iPhone 5?) has a thingy that can read fingerprints. Why can't they put something like that in the door handle to unlock the doors and the fob to start the car?
wvjohn
Posts: 9238
Joined: Wed Nov 22, 2000 7:09 am

Post by wvjohn »

People will always shoot the angles. I was watching some guys in a parking lot a few years ago kind of sneak around with something with an antenna on it. They looked like they were up to something, so I stood and watched. After a couple of minutes there was a horn/light flash from a car quite a distance away (beyond push-the-key-on-the-fob range). They saw me watching them (along with a couple of others) and took off. Never went near the car that beeped. Figured they had some kind of gizmo that worked through iterations of known key fob transmissions.
Heatware: http://www.heatware.com/eval.php?id=123

Post by Pugsley »

How long ago was this? I would think such a device would not work... or that device they had was a relay.

Post by FlyingPenguin »

Yeah, had to be a relay. Remotes don't work like that on any car remote made in the last 20 years or more. They use a cryptographic challenge. The fob doesn't send the same thing every time, so playing back recorded signals won't work, and it would take years (probably more like thousands) to brute force the private key crypto.

On some models there is some kind of powerful radio used to scramble the electronics in the door lock, but that required you hold it right up against the door.

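Added example (not part of any post in this thread): a small model of the challenge-response exchange discussed above, showing why a recorded answer is rejected while a real-time relay is accepted, and how the button-press requirement suggested earlier in the thread changes that. The `Car` and `Fob` classes, the HMAC-SHA256 shared-key scheme and the authenticated button flag are assumptions made for illustration, not any manufacturer's protocol.

```python
import hashlib
import hmac
import os

def _tag(key, nonce, pressed):
    # The button state is inside the MAC, so a relay cannot flip it in transit.
    return hmac.new(key, nonce + bytes([pressed]), hashlib.sha256).digest()

class Fob:
    def __init__(self, key):
        self.key = key

    def respond(self, nonce, pressed=False):
        # A passive-entry fob answers any challenge it hears, button or not.
        return pressed, _tag(self.key, nonce, pressed)

class Car:
    def __init__(self, key, require_button=False):
        self.key, self.require_button, self.pending = key, require_button, None

    def challenge(self):
        self.pending = os.urandom(16)  # fresh random nonce for every attempt
        return self.pending

    def verify(self, pressed, tag):
        nonce, self.pending = self.pending, None  # a nonce is valid only once
        if nonce is None or (self.require_button and not pressed):
            return False
        return hmac.compare_digest(tag, _tag(self.key, nonce, pressed))

def replay_unlocks(car, fob):
    recorded = fob.respond(car.challenge())  # legitimate exchange, overheard
    car.verify(*recorded)                    # the owner's own unlock
    car.challenge()                          # later attempt gets a new nonce
    return car.verify(*recorded)             # old answer played back

def relay_unlocks(car, fob):
    # A relay only carries bytes both ways in real time; it never has the key.
    nonce = car.challenge()
    return car.verify(*fob.respond(nonce, pressed=False))

KEY = os.urandom(32)  # constructed demo key shared by car and fob

if __name__ == "__main__":
    print("replay accepted:", replay_unlocks(Car(KEY), Fob(KEY)))
    print("relay accepted (passive entry):", relay_unlocks(Car(KEY), Fob(KEY)))
    print("relay accepted (button required):",
          relay_unlocks(Car(KEY, require_button=True), Fob(KEY)))
```

The cryptography is never broken in the relay case: the car gets a valid answer to its own fresh nonce, which is why only a proximity or user-intent check changes the outcome.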

Post by wvjohn »

Might've been a relay. It was in a strip mall, so people might have been close to their cars.