Bit worrying....
Open sesame: the magic car thieves
Keyless ignition looks stylish, but the system is vulnerable to crooks using basic electronics to open and start your car in an undetectable crime
Dominic Tobin
Published: 6 February 2011
If your car has a keyless entry system, it may not be as secure against theft as you would expect. The Sunday Times has teamed up with university researchers to demonstrate how easy it is to steal the latest models fitted with the new system. All we used were basic components available cheaply from high street electronics shops or on the internet.
The demonstration has provoked concern within the motor industry about the security of vehicles, and prompted an admission by police that an unknown number of cars could already have been stolen in this way because the technique leaves no trace.
The problem affects those cars that, instead of having a traditional ignition key, are supplied with a fob or card to open the doors and enable the engine to be started. Also called proximity keys, these devices detect a low-frequency radio signal emitted by the car, and then send their own signal back to the vehicle that unlocks the doors automatically. Once inside, the driver has only to press a button to start the car rather than turn a key. The flaw does not affect other so-called smart keys where drivers use buttons on the fob to lock and unlock doors.
The proximity key system has proved popular on every type of car — from the Ford Fiesta to Bentley Continental — because it is seen as less fiddly than struggling with keys and locks. It also allows car makers to introduce a starter button in the cabin, which many regard as more stylish than a mechanical key.
Thatcham, the centre that works with insurers and car makers to research and test vehicle security systems, says the flaw in security is so serious that manufacturers may be forced to return to using traditional keys. “We are aware of this phenomenon and obviously this is a potential problem,” says Mike Briggs, vehicle security manager for Thatcham. “You could beat anything if this new technique was used. It could be that manufacturers return to a mechanical key to start cars, though we’ve not as yet seen this technique being used in Britain.”
Previously, keyless systems were thought to be secure because the device communicates with the car by sending encrypted data on weak radio waves. An owner must stand no more than two yards or so from the car in order for the car to unlock itself.
However, researchers have discovered a way to capture and transmit the signals given off by the car and increase the transmission distance. The technique, known as a “relay attack” when used by thieves, fools the fob into thinking that the car is close by, triggering it to instruct the vehicle to unlock its doors.
In the interests of security The Sunday Times is not giving away the full details of the technique, though the basics are remarkably simple.
The theft requires two people. Each is equipped with a wire antenna — not unlike those used on many radios and available off the shelf from hardware stores. When a victim is spotted, perhaps in a supermarket car park, one thief makes his way to where the car is parked. The other follows the driver.
When the driver is a safe distance from the car, the thief shadowing him or her moves to within a couple of yards of them. His accomplice then transmits the car’s electronic fingerprint message (which is constantly being sent but limited to a radius of about two yards around the car). The message is received by the thief shadowing the owner and relayed to the fob in the owner’s pocket or bag.
When it receives the car’s signal, the fob assumes it is next to it and activates its own transmitter, sending a message instructing the car to unlock its doors. Unlike the car’s signal, the fob’s signal can travel as far as 100 yards, deactivating the locking system on the car and priming the engine to start.
All the thief now has to do is get behind the wheel and press the starter button. The whole process can take less than a minute and — unless they are watching their car from a distance — the owner is unaware anything is wrong until they discover their car is missing.
The technique was tested last month by computer scientists at ETH University in Zurich, Switzerland. InGear was invited by the university to assist with a demonstration using a real car. With just a few wires and connectors that cost less than £30, we captured the wireless signal sent between the car and fob.
We were then able to fool a Toyota Prius into thinking the fob was next to the car, allowing us to open the door and start the engine. Thanks to an industry-standard safety system, the car’s engine keeps running even when the fob is out of range — a feature designed to ensure that if the fob’s battery goes flat, or a child throws it out of the window mid-journey, the engine does not cut out.
If we had been real thieves, we would have headed straight for a back-street garage, which would be able to hack into the car’s computer and supply another fob, allowing the car to be sold on or exported abroad. For the purposes of our demonstration, the equipment carried by the two “thieves” was connected by electrical cable, but for an outlay of a few hundred pounds, wireless transmitters/receivers could have been used.
“Car companies buy these keyless systems from component suppliers,” says Srdjan Capkun, a professor for system and network security at ETH’s computer science department. “We tested all of the major component suppliers we could identify. We tested 10 cars from eight manufacturers and did not find any that were remotely protected against this type of attack. It didn’t matter if they were high-end cars or low-end cars — don’t assume if a car is more expensive it is better protected. That is not the case. It was surprising that it was that easy to overcome this [keyless] system.”
In Britain the Association of Chief Police Officers says it has recently become aware of the technique, and that because there are no visible signs of breaking in, it is hard to detect. “We are working with partners within the motor manufacturing industry to discover the extent of the problem highlighted,” says Detective Chief Inspector Mark Hooper, head of the association’s vehicle crime intelligence service. “Due to the sensitive nature of the type of threat identified we would not want to discuss in depth any suspected flaws.”
Police have said that thieves need to be caught in the act, or with the necessary equipment, to establish that this is happening. “Unless you catch somebody in the act, even if you recover a car and interrogate its computer, all it will tell you is that the owner was the last person to open and start it. If we know about it, thieves do,” says one senior police source.
Stuart Chapman, the police relationship manager at Tracker, a company that fits systems that allow police to trace stolen cars, says the number of thefts where cars are mysteriously stolen while the owners still have the fobs and without any sign of entry is on the increase. “Sometimes you just don’t know which method they are using unless you catch them in the act,” says Chapman, a former police officer. “We have had customers whose cars were stolen being suspected of fraud because that seemed like the only logical explanation.”
Car makers seem reluctant to admit that they are affected. Toyota claims it is not aware that any of its cars have been stolen using this method. “Since 1999 Toyota GB has worked with independent security experts, the police and insurance industry to ensure we gain the fullest possible awareness of trends and techniques,” says a spokesman.
The Society of Motor Manufacturers and Traders says it is concerned about the development and is reviewing the research from Zurich. Some manufacturers claim their cars are immune to the problem. Audi says its vehicles are unaffected and Jaguar Land Rover claims its cars are “robust” against the hack, though the firm declined to elaborate.
“I am very sceptical about claims that these systems are protected,” says Capkun. “In principle, this attack will work on each system that uses this design. We know how to build a more secure keyless system but the technology at the moment is expensive and it depends on whether manufacturers think it is worth the while to invest in it.
“If you believe you might fall victim to this attack, you should probably shield the key — perhaps in a small case lined with aluminium. Some of the convenience of keyless entry would be lost, but this would make the relay attack very difficult in practice.”
Image: key fob. If you are able to keep your fob shielded, your car should remain safe (Kevin Dutton)
How to protect your fob
For the scam to work, the thieves have to establish wireless communication with your fob, so if you are able to keep your device shielded, your car should remain safe. Luckily, fobs operate on the same wireless frequency as RFID (radio frequency identification) devices — the sort of chips now built into credit and debit cards, and even passports — which means there are already a number of shields on the market.
For example, the Ogon RFID wallet (£27.95, clickshop.com) is a click-shut metal container with seven expandable pouches for holding your plastic, and a well into which most fobs will fit. It is available in 10 colours. For a cheaper option, buy a tin of Altoids (90p, victoriahealth.com), eat the mints inside and then keep your fob safe in the aluminium container.
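The article's two central points, that encryption alone does not prove the fob is near the car and that shielding the fob stops the relay, can be seen in a small model. This is an added example, not part of the original article: the HMAC challenge-response stands in for the unspecified "encrypted data", and the class and function names are hypothetical.

```python
import hashlib
import hmac
import os

LF_RANGE_YD = 2     # reach of the car's low-frequency signal (article: "about two yards")
UHF_RANGE_YD = 100  # reach of the fob's reply (article: "as far as 100 yards")


def mac(key, challenge):
    """Keyed response to a challenge (assumed scheme, not a real vendor protocol)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Fob:
    def __init__(self, key, shielded=False):
        self.key = key
        self.shielded = shielded

    def respond(self, challenge):
        # A fob inside a metal case never hears the challenge, so it stays silent.
        if self.shielded:
            return None
        return mac(self.key, challenge)


class Car:
    def __init__(self, key):
        self.key = key
        self.log = []  # what an investigator would later read from the car

    def try_unlock(self, fob, fob_distance_yd, relayed=False):
        challenge = os.urandom(16)  # fresh per attempt, so old replies are useless
        # The challenge reaches the fob if it is in LF range, or if something
        # carries the unmodified signal the rest of the way.
        heard = relayed or fob_distance_yd <= LF_RANGE_YD
        response = fob.respond(challenge) if heard else None
        # The reply travels on the fob's own, longer-range transmitter.
        if fob_distance_yd > UHF_RANGE_YD:
            response = None
        ok = response is not None and hmac.compare_digest(
            response, mac(self.key, challenge))
        # The car checks the cryptography only; it has no notion of distance.
        self.log.append("unlock: valid fob response" if ok
                        else "ignored: no valid response")
        return ok


def run_scenarios():
    key = os.urandom(32)  # constructed shared secret for the demo
    car = Car(key)
    fob = Fob(key)
    results = {
        "owner_at_car": car.try_unlock(fob, 1),
        "owner_away": car.try_unlock(fob, 50),
        "owner_away_relayed": car.try_unlock(fob, 50, relayed=True),
        "owner_away_relayed_shielded": car.try_unlock(
            Fob(key, shielded=True), 50, relayed=True),
    }
    return results, car.log


if __name__ == "__main__":
    results, log = run_scenarios()
    for name, unlocked in results.items():
        print(f"{name:30} unlocked={unlocked}")
    print("log entries identical for owner and relay:", log[0] == log[2])
```

The relayed unlock verifies exactly like the owner's and leaves the same log entry, which matches the police comment that the car's computer only shows the owner's fob was used.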
Image: woman using cell phone by car. Keyless ignition may seem convenient but it is easy to find yourself stranded (Jupiterimages)
This gimmick is a real turn-off
Don’t get Keith Crain started on keyless ignition — he has too many tales of woe to ever believe the technology is of any use
My son, Chris, from New York, was spending time with his family in northern Michigan. On Sunday afternoon, Carinna, his wife, took him to an airport some 90 miles away to catch a plane back to work in New York while she stayed on with the family.
Everything was great with their new Mercedes. He hopped out of the car and headed for the plane, and she headed back to their summer place — except he had the fob in his pocket, heading for New York.
Late on that Sunday afternoon, after stopping far short of her destination, she could not restart the car. While you don’t need the fob mechanically to start the car, you do need to have the fob with you.
Keyless ignition has become the hottest feature today on any number of luxury and not-so-luxury cars, but I don’t have the slightest idea why.
Were consumers clamouring for this feature? I don’t think so. I figure some very good salesman for a supplier sold it to one car company, and it spread like wildfire — but for no good reason.
Mercedes even has a feature that allows you to pull a key out of the fob, pop off the start button, put in the key and turn it to start the engine. A key to start the ignition, that you can’t mislay while you’re driving. What a novel idea.
Some systems tell you not to store the fob anywhere near the car or it will run down the battery in the fob. Huh?
I don’t know who thinks up some of these features, but they should do a little more real-world research before they foist them on unsuspecting customers.
I’m not against new features. I really like most of them, but this one is a dud. I’ve heard more stories about someone leaving a car running, going into a hotel or restaurant and having the car stuck because the valet didn’t have the fob to restart it later.
There may be a lot of value to this feature, but I can’t think of any.
And, sadly, if you lose the fob on a weekend, you may be stuck until the dealership opens on Monday when you can reprogram the car.
Keith Crain is editor-in-chief of Automotive News
Keyless cars
Cars that offer keyless entry and start systems include:
* Audi A4, Q7
* Bentley Continental GT
* BMW 1, 3, 5-series
* Ford Fiesta, Focus, Mondeo
* Infiniti EX
* Jaguar XF
* Land Rover Freelander, Discovery
* Lexus LS, RX
* Nissan Juke, Qashqai
* Peugeot 508
* Porsche Cayenne, Panamera
* Renault Scénic, Laguna
* Saab 9-5
* Skoda Superb
* Vauxhall Zafira
* Volkswagen Passat
* Volvo C30, S80