By Bozi Tatarevic on June 17, 2015


Automakers are not well known for their expertise in embedded security, and vulnerabilities keep surfacing across many models. Nick Bilton of The New York Times decided to investigate a wireless key vulnerability after his Prius was broken into with a mystery black box. The investigation sounded promising at first but quickly deflated, ending with him telling readers to put their car keys in the freezer.

The story originally unfolded on Twitter as Bilton posted about the break-in and quickly followed up to say he’d figured out that a $100 broadcasting device was what allowed teenagers to break into his car so easily.

My skepticism was already high, based on how quickly he arrived at an answer for the device and on his immediate recommendation that a more secure vehicle would be something made in the ’70s. Unlike the Prius, which has an immobilizer and an alarm, many cars from the ’70s can be defeated with a simple lock pick kit and a pair of wire cutters.

Nick Bilton covers technology for the Style section of The New York Times and writes about things like Snapchat, strollers, and wedding hashtags. While I couldn’t find previous automotive security coverage by Bilton, I hoped that being with The Gray Lady would afford him access to top researchers and allow him to shed some light on the subject. Bilton did reach out to some of those researchers, including Boris Danev, an expert well known for proving the vulnerability of proximity key systems. However, the information that appeared in Bilton’s article fell short of the full story.

Bilton’s article covered many of the recent high tech vehicle thefts and culminated with information he gleaned from Danev. According to Bilton’s discussion with Danev, the teenagers used a $17 device, available on eBay or Amazon, that amplified the signal from the proximity key inside his house.

Proximity key technology lets us unlock and start a car without pressing a button on the key fob: the car senses when a door handle is touched or pulled. Once the car notices the touch or pull, it sends a low frequency challenge to the proximity key in the 120-140 kHz range, which usually reaches only about two feet from the car. If the key is not within that range, it never hears the challenge and the request is denied. If the key is nearby, it responds on a higher frequency, in the 315-433 MHz range, to approve the request. The key transmits on the higher frequency because it usually serves double duty as a keyless remote that can unlock the car from a greater distance; as long as it hears the request from the car, it can respond from the other side of a parking lot. The low frequency signal is very similar to what an RFID reader uses for a building access card, while the high frequency signal is similar to what a garage door opener uses. The detail that matters for everything below is that the car only checks whether the key answers correctly, not how far away the key actually is.
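To make the exchange concrete, here is an added Python model of the handle-pull challenge and response (example code written for this page, not anything from Danev’s papers, 3DB, or a manufacturer). The car sends a fresh challenge, the key answers with a keyed MAC over it, and the car verifies. A relay that carries the challenge to a distant key passes this check because the answer is genuine; the only thing that distinguishes a relayed key from a nearby one is time of flight, which is what a distance-bounding check measures. The HMAC-SHA256 in place of a proprietary cipher, the two-metre range, and the nanosecond processing and relay-hop budgets are all assumptions chosen to make the numbers visible.

```python
import hmac
import hashlib
import secrets

SPEED_OF_LIGHT_M_PER_S = 299_792_458.0


def flight_ns(metres):
    """One-way radio propagation time in nanoseconds over `metres`."""
    return metres / SPEED_OF_LIGHT_M_PER_S * 1e9


class ProximityKey:
    """The fob: answers any challenge it hears with a keyed MAC over that challenge.
    processing_ns is the assumed time it needs before it starts transmitting."""

    def __init__(self, secret, processing_ns=50.0):
        self.secret = secret
        self.processing_ns = processing_ns

    def respond(self, challenge):
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()[:8]


class Car:
    """The car side: fresh challenge on a handle pull, verify the reply, and
    optionally enforce a round-trip-time bound (distance bounding)."""

    def __init__(self, secret, max_key_distance_m=2.0, key_processing_ns=50.0):
        self.secret = secret
        # Longest round trip a genuine key within max_key_distance_m can produce.
        self.rtt_limit_ns = 2 * flight_ns(max_key_distance_m) + key_processing_ns

    def handle_pull(self, link, distance_bounding=False):
        challenge = secrets.token_bytes(16)  # never reused, so a captured reply is useless later
        response, rtt_ns = link.exchange(challenge)
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(response, expected):
            return "denied: bad response"
        if distance_bounding and rtt_ns > self.rtt_limit_ns:
            return "denied: key too far (rtt %.0f ns > limit %.0f ns)" % (rtt_ns, self.rtt_limit_ns)
        return "unlocked"


class DirectLink:
    """Key physically near the car: only propagation plus key processing."""

    def __init__(self, key, distance_m):
        self.key, self.distance_m = key, distance_m

    def exchange(self, challenge):
        return self.key.respond(challenge), 2 * flight_ns(self.distance_m) + self.key.processing_ns


class RelayLink:
    """Two-box relay: the car-side box picks up the LF challenge and forwards it to the
    key-side box, which replays it to the key; the key's higher-frequency reply reaches
    the car on its own. Each box adds hop_overhead_ns of conversion delay (assumed)."""

    def __init__(self, key, key_distance_m, hop_overhead_ns=200.0):
        self.key, self.key_distance_m, self.hop_overhead_ns = key, key_distance_m, hop_overhead_ns

    def exchange(self, challenge):
        rtt = 2 * flight_ns(self.key_distance_m) + 2 * self.hop_overhead_ns + self.key.processing_ns
        return self.key.respond(challenge), rtt


def demo():
    secret = secrets.token_bytes(32)  # constructed shared secret for the demo
    key = ProximityKey(secret)
    car = Car(secret)
    near = DirectLink(key, 1.0)                     # key a metre from the door
    relayed = RelayLink(key, key_distance_m=20.0)   # key in the house, 20 m away
    return {
        "near, plain": car.handle_pull(near),
        "relay, plain": car.handle_pull(relayed),
        "near, distance bounding": car.handle_pull(near, distance_bounding=True),
        "relay, distance bounding": car.handle_pull(relayed, distance_bounding=True),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:26s} -> {result}")
```

Run it and the plain car unlocks for both the nearby and the relayed key, while the distance-bounding car rejects the relayed one on timing alone: 20 metres of extra flight plus two relay hops is an order of magnitude over the budget a two-metre key can hit. That gap is what any distance-measuring fix has to detect, and it is why amplifying or relaying the signal does not help once the car checks round-trip time.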


The power amplifier mentioned in the article is purported to boost the low frequency signal so that the proximity key, which might be 50 or 60 feet away, can hear it. As Bilton writes it, a single small black box is brought near the car and switched on as the thieves try to open the door. Once they press a button on the device, the car door magically unlocks and the thieves walk in. This explanation did not match the research I had previously read from Danev, so I searched for information on the device and emailed Danev himself to try to piece it together.

A previous research paper by Danev, written with Aurelien Francillon and Srdjan Capkun (“Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars,” NDSS 2011), shows the vulnerability being exploited with a pair of relay devices rather than one amplifier. The set is cumbersome and takes up a good part of a lab shelf. A device on the car side picks up the car’s low frequency challenge and up-converts it into the gigahertz spectrum for range, while a second device near the key down-converts it back to the kilohertz signal the key expects; the key’s higher frequency reply already carries far enough to reach the car on its own. They proved this setup works, but the equipment costs approximately $2,000 and requires an AC power source.


The first clue that something was amiss with Bilton’s reports was that none of the cars were actually taken. Earlier research by Danev shows that once a car is unlocked this way, it can also be started, because push-button start relies on the same proximity key exchange. Once started, it can be driven away with ease: built-in safety measures keep the engine running even when the key is no longer present. The car will not restart once it’s shut off, but a single drive is plenty for a thief to get it somewhere it can be chopped up or cleaned out. Even if most of these thieves are only interested in pillaging the contents of the vehicles, I would expect at least some to move the cars out of sight.

The second issue is that only a single device was discussed in the article, and, based on the research above, I do not see how that is plausible. I searched Amazon and eBay on my own before I was able to get in touch with Danev. When I spoke with him, I asked about the testing and research behind this single new device. He stated he has not tested such a device himself but theorized it would work, based on a Texas Instruments white paper showing the read range of an RFID system being extended, together with his prior research on the subject. I trust his knowledge and previous research, but this should have been mentioned in Bilton’s article rather than presented as an existing, working device.

I spoke with Danev a few more times and was able to get a link to the exact Amazon device he discussed with Bilton, along with a link to the Texas Instruments paper. I wanted to try to replicate the device and test it myself. I am nowhere near Danev’s knowledge of this technology, but I pursued Electrical Engineering at one point and have completed many electrical projects, such as my homemade hybrid charger. I figured my experience and knowledge should at least put me on par with the supposed teenage thieves Bilton encountered. Danev had already ordered similar equipment to test on his own and anticipated receiving it around the first week of May.

I received my $17 power amplifier from Amazon the third week of April. The first issue was that the device was not intended to amplify wireless transmissions, so no antennas were included. Secondly, it lacked a power source. I found a suitable AC adapter on Amazon for $8 along with a set of antennas for the right frequency for $22. While not a crazy increase, we were already up to $47 and still tied to an AC outlet. I consulted with Danev, assembled the device and started testing. I tested on my Cadillac and on a Prius but could not achieve successful results. After a few different approaches, I still could not amplify the signal. Since Danev was set to receive his device soon, I opted to continue my research and wait for his results.

My initial path took me down the signal jammer route. These jammers are marketed as cell phone blockers, but the ones thieves use work by drowning out the lock command from a key fob so that the car never receives it. Thieves wait for a person to walk away from a car, switch the jammer on as the owner presses the lock button, and the car simply stays unlocked. This works well against key fobs that require a button press to lock the car but is hit and miss with proximity systems. It does match up with some of the thefts and break-ins of the past, and the jammers look very similar to the device shown in the NICB blog. They are affordable, too: they can be ordered from China for about $50. Since Bilton mentioned the car was broken into after it had been left alone overnight, I set this idea aside and continued my research.

My next foray took me into the world of software-defined radio (SDR). An SDR implements things like amplifiers, mixers, and modems in software instead of dedicated hardware, so one cheap radio plus a computer can receive, decode and generate signals that would otherwise need purpose-built equipment. Researcher Silvio Cesare has shown this approach effective for breaking into cars. The basic premise is that with a computer and an SDR device you can fool the car into thinking it is hearing a signal from its own key fob. Against a fixed-code remote, one that sends the same bits on every press, this means pushing codes at the car until the right one is hit, which can take hours in many cases. Some manufacturers also leave back-doors in their code that can be discovered with enough testing, allowing you to enter the vehicle on the first try. Another development since the initial Cesare research is that some manufacturers’ rolling codes have been partially compromised, reducing the brute force attack to minutes in some cases.

The Cesare report shows equipment costing around $1,000, but with the advent of cheaper and smaller RTL-SDR devices that cost has come down significantly: a $300 laptop, a $15 RTL-SDR, and $30 worth of communication parts could replicate the experiment. One caveat: the RTL-SDR dongle is receive-only, so the $30 of parts has to include a transmitter for the 315-433 MHz band; the dongle captures and decodes what the fob sends, and the transmitter replays the attacker’s guesses. Looking at all the research and information available, this seems like the most likely choice for what the teenagers would have used to break into the car. The hack could be made smaller and packaged nicely by using something like a netbook or an Arduino as the basis instead of a laptop. Also, since the SDR hack is only able to unlock the car (push-button start still depends on the immobilizer exchange with the key, which this attack does not defeat), it matches the fact that none of the cars Bilton reported on were ever driven off.
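The difference between the remotes that fall to a few hours of SDR brute forcing and the ones that do not comes down to what the receiver checks. The following added Python example (written for this page; it is not code from Cesare’s research or any manufacturer) models both kinds of receiver as a transmitting SDR would see them: a fixed-code receiver that accepts one 12-bit value, and a rolling-code receiver that accepts a counter only if it is authenticated and within a small window ahead of the last accepted press. The 12-bit width, the truncated-HMAC tag standing in for a proprietary cipher, and the window of 16 are assumptions chosen for illustration; real systems use wider codes and their own ciphers.

```python
import hmac
import hashlib


class FixedCodeReceiver:
    """Older remote: every press sends the same `bits`-wide code, so the receiver
    only compares it with the one it was paired with."""

    def __init__(self, code, bits=12):
        self.code, self.bits = code, bits

    def receive(self, code):
        return code == self.code


def brute_force_fixed(rx):
    """What an SDR transmitter does against a fixed code: send every value until
    the receiver accepts. Returns (code found, transmissions needed)."""
    for attempt, candidate in enumerate(range(1 << rx.bits), start=1):
        if rx.receive(candidate):
            return candidate, attempt
    return None, 1 << rx.bits


def make_tag(secret, counter, tag_bytes):
    """Truncated HMAC over the counter (assumption standing in for the real cipher)."""
    return hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:tag_bytes]


class RollingCodeTransmitter:
    """Modern remote: a counter that advances on every press, authenticated with a
    secret shared with the car."""

    def __init__(self, secret, counter=0, tag_bytes=4):
        self.secret, self.counter, self.tag_bytes = secret, counter, tag_bytes

    def press(self):
        self.counter += 1
        return self.counter, make_tag(self.secret, self.counter, self.tag_bytes)


class RollingCodeReceiver:
    """Accepts a message only if the tag verifies AND the counter is ahead of the last
    accepted one by at most `window`, so presses made out of range do not desync it."""

    def __init__(self, secret, window=16, tag_bytes=4):
        self.secret, self.window, self.tag_bytes = secret, window, tag_bytes
        self.last_counter = 0

    def receive(self, counter, tag):
        expected = make_tag(self.secret, counter, self.tag_bytes)
        if not hmac.compare_digest(tag, expected):
            return False
        if not (self.last_counter < counter <= self.last_counter + self.window):
            return False  # replay of an old press, or too far ahead (needs resync)
        self.last_counter = counter
        return True


def forge_rolling(rx, budget):
    """Attacker without the secret guessing tags for the next counter value.
    Returns how many of `budget` guesses the receiver accepted; the search space is
    2 ** (8 * tag_bytes), so a 12-bit-sized effort gets nowhere."""
    target = rx.last_counter + 1
    accepted = 0
    for guess in range(budget):
        if rx.receive(target, guess.to_bytes(rx.tag_bytes, "big")):
            accepted += 1
    return accepted


def rolling_demo(secret=b"constructed-demo-secret-not-real"):
    tx, rx = RollingCodeTransmitter(secret), RollingCodeReceiver(secret)
    first = tx.press()
    results = {"genuine press": rx.receive(*first)}
    results["replay of captured press"] = rx.receive(*first)   # counter not ahead
    for _ in range(5):                                         # presses away from the car
        skipped = tx.press()
    results["5 presses later, still accepted"] = rx.receive(*skipped)
    for _ in range(rx.window + 1):                             # too many presses
        far = tx.press()
    results["beyond window, needs resync"] = rx.receive(*far)
    results["forgeries accepted in 200 guesses"] = forge_rolling(rx, 200)
    return results


if __name__ == "__main__":
    code, tries = brute_force_fixed(FixedCodeReceiver(0xA5C))
    print(f"fixed code 0x{code:03X} found after {tries} transmissions")
    for label, outcome in rolling_demo().items():
        print(f"{label:36s} -> {outcome}")
```

The fixed-code receiver gives up its code after at most 4096 transmissions, which at a few dozen milliseconds per code is the “hours in many cases” above. The rolling-code receiver rejects a captured press when it is replayed and rejects blind tag guesses, yet still tolerates a handful of presses made out of range; that window is the convenience feature and the reason the counter alone is not enough, since only the keyed tag stops an attacker from simply incrementing it.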

I continued to search for a device similar to what was described and reached out to some friends and acquaintances back home in Bosnia and Serbia who were previously familiar with the flow of stolen cars and parts through Europe. There is a big market for such goods, as it’s fairly easy to get them into the country and give them a new VIN and serial number. My friends were able to point me to a company out of Lebanon that is basically a Radio Shack for car thieves. It sells devices ranging from automated lock picks to odometer programmers. As I looked through their catalog, I stumbled upon their proximity key amplifier, basically the same design as the devices in Danev’s research paper and made up of two backpacks. The first backpack held the device that goes up against the car, along with batteries to run it. The second backpack contained the device that needs to be near the key, along with its own batteries. Intrigued, I reached out to them to see how much such a device would cost and was quite surprised when they quoted $35,000 for the whole setup. Although this set of devices supposedly worked, it was 2,000 times the cost of the $17 device Bilton mentioned, so I knew it was almost an impossibility for a set of teenagers to own.

I gave Danev some time to set up the Amazon devices and reached back to him around the first week of June, figuring he would have additional information after a month with them. His initial response was that he was busy with other projects but would try to finish it by August. While I understand Danev is trying to get his company off the ground and present the idea to automotive manufacturers, I would think he could assemble the device easily if a couple of teenagers could do it. I followed up and asked whether he had changed his initial assessment. He stood firm, stating he was 90 percent certain he would be able to build the Amazon device for $20 and make it work. I will follow up with him again in August to see if he can demonstrate it, but at this time he does not have a working device. When I asked about his company, 3DB Technologies, and what it is working on, he stated they have a proof of technology that measures the physical distance between a key fob and the car, which would defeat relay attacks regardless of how the signal is amplified or carried. They have presented the technology to most of the major players and hope to see it used in the next generation of cars.

Bilton’s recommendation for protecting yourself against these attacks was to stick your keys in the freezer, on the theory that it would act as a Faraday cage and block the signal. This is a bad idea: the temperature swings and the moisture in a freezer will ruin the electronics. A much better idea is to buy an actual Faraday pouch for about $10, similar to the ones used to protect passports. Test it before trusting it: stand next to the car with the key in the pouch and pull the door handle, because a pouch that does not block the low frequency signal is worth nothing. Also, if you lock your car with a button press, make sure you actually see or hear it lock rather than assuming the signal got through a jammer.

Bozi has worked as a car salesman, owned a small used car lot, and exported and sold vehicles to Europe. He also has extensive technical experience due to refurbishing auction and repo vehicles as well as working on his personal projects and swaps. His background also includes IT consulting as well as electrical hacking. He daily drives a salvage rebuilt Cadillac STS, owns a project V8 Subaru Legacy GT and has wired up an LS1 Miata from scratch.

[Photo Credit: Caitlin Regan/Flickr/CC BY 2.0; Aurelien Francillon, Boris Danev, Srdjan Capkun]


41 Comments on “The $17 Car Key Hacking Device Does Not Exist...”


  • carguy

    Thanks Bozi for that enlightened piece of journalism.

    If I have learned anything from my years of working in cyber security, it is that mainstream media’s coverage of electronic security tends to be both woefully uninformed and predictably sensationalist.

    So hearing that some guy from the NYT style section has made unsubstantiated claims about car security and offered impractical advice to his readers comes as no surprise.

  • hf_auto

    Thank you, really interesting article, I’m loving these technical articles on TTAC.

    I’m curious as to possible reasons you think the amplifier didn’t work? I’d imagine you have to contend with a lot of interference in the 2.5GHz band and filtering could affect the 130kHz signal to the point that it’s not “accepted”. This seems like one of those problems that is conceptually easy when you’re designing in a vacuum (or Faraday cage), but gets complicated in the real world.

    •

      Danev’s original design used two devices that communicated over the 2.5GHz range to extend the signal and that worked. The proposed $17 power amplifier attempted to do this using a single device in between the car and the key and that did not work for me.

      • ckb

        Seconded, great article and great job on the research. My question is why upconvert to 2.5GHz at all? If anything the lower frequency should travel farther at a given power level due to decreased attenuation from the environment. The only thing you’d want a higher frequency for is to get more bandwidth, which doesn’t matter since it’s just a repeater. In any case, I’ll be preventing this attack by parking in the garage.

  • kmoney

    Awesome article. I remember following the original story of this when it came out and, despite somewhat calling BS on it, still being somewhat paranoid about my smart keys. Great to see someone actually drill down to a scientific and proper conclusion. This is the kind of stuff that makes me like TTAC.

    • Sigivald

      It’s also useful to remember that the alternative to smart keys and fobs and immobilizers is … physical locks that someone can punch with a screwdriver in three seconds, if they’re inclined, and ignitions that hotwire rapidly with just pliers.

      (Or, for that matter, if they just want to steal stuff IN the car, windows are still easily broken by anyone, instantly.

      If they’re gonna snatch-and-grab I’d PREFER a Magic Decoder that opened my door – at least I won’t have to replace a window.)

  • mcs

    For car theft, nothing beats “flatbed” technology. Works every time.

      •

      Right. That’s not to mention the fact that many cars can be put into neutral without the key, if you can gain access to the cabin. My Golf SportWagen lets you manually put the car in neutral by pulling up the gear selector trim and using a tool…no key required. I know that BMW’s electronic gear selector lets you do the same. By contrast, my buddy’s 2015 Mustang has an actual slot in the center console in which you’d stick the key in order to move the gear selector, even though the ignition uses a smart key.

      If someone really wants your car, he/she can get it.

      • mcs

        Doesn’t even need to be in neutral. I’ve seen them pull up cars with the wheels locked. Lots of torque in those winch motors.

        • redmondjp

          Doesn’t matter if wheels are locked – have you ever seen a tow truck? Most of them have a set of dolly wheels that are placed on each side of the locked axle and then ratcheted together, lifting the locked axle/wheels right off of the ground. Yes, that takes an extra few minutes to use.

          In Detroit, they were (still are?) stealing cars by just dragging them off with the wheels locked (Suburbans/Escalades).

      • VCplayer

        Security of both vehicles and the home is much more about discouragement than outright prevention. It takes very serious measures to make theft difficult to the point that it isn’t practical, but making it just difficult enough is usually enough.

        Thieves tend to be lazy, it’s way easier to play on that than to make something un-stealable. When I’m looking for a new vehicle I usually try to find a good combination of “kind of a pain to break into” and “not really worth stealing.”

        • Sigivald

          Yup.

          If a really professional thief wants into your house, and you don’t have live guards (and highly paid ones at that), they’re going to get in.

          The saving grace is that really professional thieves don’t care about your house or mine.

          Same thing with a car.

          (Put a boot on it? Grinder will fix that.)

        • Lou_BC

          VCplayer – HD pickups used to be a prime target for thieves since manufacturers went with simple ignition keys based on the premise that fleets would want multiple cheap keys. Full bling HD diesel trucks retail over 80k in Canada so parts are worth a lot of money. Most tailgates have back up cameras and are a quick and easy target since they are designed to be removed easily.

    • VenomV12

      Yep, when I was in undergrad this girl I knew told me a story about how she and her family were eating dinner and saw car thieves steal her brand new Mustang out the driveway with a flatbed truck, in a pretty nice neighborhood, took no time at all. I should also mention this happened in Metro Detroit. If they want it, they can get it.

  • CoreyDL

    This NYT writer sounds like a sensationalist hack, so I wouldn’t bet on getting in touch with him again.

    He’s probably better qualified to write about which Michael Kors purse best matches the Gold iWatch.

  • krhodes1

    I rarely lock my cars. I NEVER lock a convertible. A locked car means you get to replace the stuff in the car AND repair the damage to the door, window, or Dog-forbid, top, in my experience. I rarely have anything in the car worth stealing, and without a flatbed, they are not taking any of my modern cars. With one they are taking it regardless. The choke alone on the Spitfire is enough to ensure 85% of car thieves couldn’t drive it, and the stickshift rules out most of the rest. Both BMWs have that anti-theft measure as well. :-)

  • Vulpine

    I don’t even see how a jamming device would be totally effective if the owner is paying attention. I have used my key fob many times and quite honestly if I don’t hear the car beep its horn or at least blink its lights, I hit the button again until it does, even if it means walking back to the car to do so. If that continues to fail, I manually lock the car either with the key or with the interior button, which can’t be jammed.

  • wmba

    This has been going on for some time, despite the author’s reassurances to the contrary. Whether with a $17 device or something more elaborate.

    The Sunday Times of London has had a series of articles on the problem, and even teamed up with a Swiss university to see how it could be done.

    http://www.driving.co.uk/news/no-car-is-safe-how-hi-tech-thieves-are-defeating-sophisticated-security-systems/

    http://www.driving.co.uk/car-clinic/how-thieves-hack-into-and-steal-keyless-entry-cars/

    So are the theft of the Range Rover and the Audi, the latter captured on CCTV, just the imagination of the brain? Seems unlikely.

    So how about some comments on these articles? They are three years old.

    • spw

      It does not seem you have read the article you quoted… it talks about thieves accessing the OBD port or changing car computers.

      Also their suggestion of bringing metal keys is laughable and shows how they don’t have a clue what they are talking about – “metal” keys have a low frequency immobilizer transmitter inside, same as smart keys, as that’s what provides security.

  • anomaly149

    First order low and high pass filters aren’t complicated, nor is a noninverting op-amp. (check wikipedia if you’re curious, they’re like 3 components each) Chain them together, pick the right values for the various parts, and you’ll get a (poorly) filtered RF amplifier. The components have gotta be cheap from radio shack. (just resistors, caps, wires, and some thicker wire for hand wound inductors) Whether or not it would actually work? I don’t think so.

    • psarhjinian

      This really requires you to get a clean signal from the prox key. I can’t imagine that would be easy: you’d need to be within a few feet of your mark.

      A question about prox keys (because I legitimately don’t know): do they use some kind of public-key encryption on the signal? Is there any kind of handshake between the key and the vehicle?

      • anomaly149

        Your vehicle answers to any of the next massive pile of codes, in case you walk by other keyless vehicles. Or your 5 year old pushes the buttons repeatedly. Or etc.

        As for the proximity, you can make amplifiers that are silly powerful compared to the strength the signals usually are. I don’t think it’s really a signal strength issue, but more of a “does a silly strong RF amplifier made from Radio Shack bits actually do this?” issue.

  • Lou_BC

    Great article. It is nice to see a journalist do some leg work beyond cut and paste of corporate press releases.

    KUDOS.

  • rpn453

    Interesting stuff. I didn’t know anything about how a smart key operated.

    I look forward to reading about what Mr. Danev can come up with.

  • CoreyDL

    This would be a good follow-up article, by the way.

    Which of the major manufacturers has the best smart keys for effectiveness, features, security, intelligence. And now I am wondering if Volvo is still doing the silly “heartbeat inside car” thing, which was optional and would rarely be useful.

  • spw

    I can believe that anything can be cracked with the right equipment but I can’t believe that “security experts” recommended for smart keys to be put in the freezer.

  •

    The statements in this article match my experience too. I just would like to note that the $30 SDR receives only. You still need a transmitting SDR if you want to unlock the car. The cheapest transmitting SDR that I was able to find is HackRF, made by Great Scott Gadgets. It costs $300, although it’s impossible to find at that price.

    Note that with enough expertise and money one can construct a transmitting SDR using a computer adapter like FX2, a general purpose DAC, and a couple of op-amps of suitable performance. The budget estimate for such a project is going to be way north of $1000. Heck, I think the BOM alone will be. However, if you want to steal an $80k Jag, might as well go for it.

  • JohnTaurus_3.0_AX4N

    A news reporter who is clueless on the subject of which (s)he is reporting? Say it ain’t so! From calling all SUVs “Jeeps” or “4-wheel-drives” (many are 2wd, and non-SUVs can have 4WD) to twisting an expert’s words to make it fit their narrative (or fabricating the entire story to push their agenda like Dan Rather), it’s just not worth watching or reading the news anymore.

    Even that idiot who hosted World’s Wildest Police Chases calling a red Ford Escort hatchback a “hot rod sports car” (and it wasn’t even a GT!) makes you want to question everything they say, because it could be (and probably is) complete bullshit.

    How out of touch does this NYT moron have to be to think you must go back to the 1970s to avoid a car with smart key technology? Oh, wait, what does he drive? Lol

    When I own a vehicle that is prone to theft (like my 95 Honda Accord I had a few years back), I often disable it in some way when leaving it unattended, such as by pulling the fuse for the ECU or fuel pump (I usually leave it in place, but out of contact enough so it won’t work). Of course, that won’t prevent a flatbed operation, and isn’t really practical to do every time you leave the car. But, it can be effective when you’re forced to leave the car for quite a while (like if you’re going out of town without the car), or if you have to leave it parked in a “shady” area. I knew a guy who used a small piece of paper wrapped around the bottom of the fuse to prevent contact, and therefore put the fuse perfectly back in place so a casual observer wouldn’t notice.

    Rigging up a kill switch isn’t a bad idea, either, and is fairly easy with basic skills. The trick is to have it well hidden and be able to access it without drawing attention from passengers or people around the car.

  • overflow

    I know I’m commenting on an older story, but my research has brought me into this area recently and I’m finding a lot of misinformation. Such devices do exist, but you’re right – they’re not available for $17. However, they are far cheaper than the $2,000 lab setup in the article. The added cost comes from the upmixing and downmixing the researcher performed. The researcher most likely did this because the 130kHz was simply outside the range of his equipment. A standalone device would skip this upmixing and downmixing, simply replaying the signal at the same frequency at a greater power. With some basic electronics knowledge, I estimate a device like this could be built for around $100. I may even attempt to build a proof of concept device; will update here if successful.

  • aclint

    I had this happen to my car. They stole my phone and gym bag and all my change. Did some research and found out they make a KeyFob Guard that blocks the radio signal from your key fob. I bought one for each car and they work great. Search Amazon for KeyFob guard or active devices. I think they have a website too. ActiveDevices.Net
    $20 is a small price to pay for peace of mind.

