By on April 7, 2015

2014 Toyota Prius

Locking the doors may not be enough to deter would-be thieves now, thanks to wireless technology.

According to Jalopnik, New York Times tech blogger Nick Bilton watched from afar as his Toyota Prius’ defenses — specifically, the door locks — were disabled wirelessly by two youths before they entered the vehicle to steal whatever they could find. Bilton then chased down the two to ask what they used to break into his car, only to come away with nothing but a description and a price tag: a $100 device that broadcasts RF signals to unlock the doors.

Similar instances include a slew of break-ins in 2013 linked to devices pressed against new car doors, cycling through remote-entry codes before happening upon the correct code to unlock the vehicle, and a demonstration at a Black Hat conference with a setup involving a laptop and $1,000 of radio equipment.

46 Comments on “NYT’s Bilton Finds Vehicle Broken Into Via Wireless Technology...”


  • avatar
    PeterKK

    This is just the curtain getting pulled back isn’t it? I mean. You add more entrypoints to a thing you add more vulnerabilities. It’s just the nature of the beast.

    This is why I like dead stupid simple things if they need to be reliable and safe.

    • 0 avatar
      PeterKK

      I guess I should add, I mean in terms of overall complexity. And even then there are tradeoffs.

      • 0 avatar
        nine11c2

        The problem with your logic Peter is that we’ve already figured out how to break into a car with no real protection – a crowbar or a hanger work. Give me a slap hammer and I can take a car with an ignition lock.

        More technology reduces the number of people who can steal your car from anyone with a reasonable mechanical ability to someone who can hack your car. Adding layers of secured access further limits the ability to steal your car.

        • 0 avatar
          Vulpine

          The issue here appears to be more on car insurance rather than protecting the car any more. Insurance companies don’t like to pay for content theft UNLESS the car has been visibly broken into. They would rather blame you for not locking your car rather than pay for a few hundred dollars worth of contents. Odds are this will also initiate a new spate of in-car cameras to see what’s going on when you’re not in your car.

    • 0 avatar
      Jeff Waingrow

      Like a key.

    • 0 avatar
      Sigivald

      I’d rather have someone do that, than break a window to do a smash-and-grab, which is what thieves do if they think your car contains anything of value…

    • 0 avatar
      jjster6

      I’m dead stupid and simple but not sure if I’m reliable and safe.

  • avatar
    bk_moto

    This isn’t even a new angle of attack. I remember years ago when RF key fobs first started becoming prevalent that thieves were using equipment that could listen for the RF signal and then re-broadcast it to unlock the door at will.

    Not to mention this is how garage door openers have been attacked for decades.

    The alarming part is that Toyota has apparently not bothered to implement any defenses to this type of attack despite it being a well-known kind. I wonder how many other manufacturers are vulnerable.

    • 0 avatar
      psarhjinian

      Automotive OEMs don’t do security. Hell, embedded software as a whole is pretty lax. It isn’t a skill they have a lot of experience with, and they’ve traditionally relied on obscurity to secure assets.

      Back when it was hard to program microcontrollers and radios weren’t dime-a-dozen, this kind of worked. Now that most of this gear is pennies to acquire and the OEMs use more off-the-shelf standards, they’re finding they’re more of a target.

    • 0 avatar
      ClutchCarGo

      The difference is the advance of software defined radio, which makes the attack much easier to develop and implement. It used to require more complicated electronics involving custom built setups. SDR puts this into the hands of anyone with a couple of hundred bucks and some computer skills. This is why I don’t want a car with remote start, and I’m even suspicious of push button start.

      • 0 avatar
        psarhjinian

        ClutchCarGo: +1

      • 0 avatar
        George B

        ClutchCarGo, software defined radio is a non-issue for this attack. The RF link uses incredibly simple modulation and fixed frequencies. My guess is that someone has combined the same RF hardware already used in cars with software to automate the process of guessing the code based on a code transmitted earlier. The vulnerability is that 1) the car locks accept multiple guesses at automated speeds and 2) the code is much less secure if the thief receives a previously valid code to start the guessing process.

        • 0 avatar
          Exfordtech

          If I recall correctly when programming key fobs to a vehicle back in the day, each fob had its own unique identifier that would be stored in the keyless entry module during the programming procedure. I don’t know how many particular individual identifiers existed but the number I’m sure is finite. Once an entry module is no longer in programming mode, and functioning normally, it will only respond to the identifiers it had stored in memory. There was no lockout fail-safe in the case of a multiple number of incorrect “guesses” by another key-fob, and I assume this would be to prevent the possibility of being locked out of your car because several other vehicles in the area were accessed by their respective owners using their own RKE fobs. Thus an automated guessing system would have little trouble in cycling through all the possible identifiers to unlock the vehicle. Driving the vehicle away, however, would be a different story, because (in the case of Ford’s PATS) multiple incorrect guesses of the PATS code needed to start the vehicle results in a timed lockout of the system before guessing can resume. Getting into a vehicle is easy, no matter what system it has, but driving it away is significantly harder.

        • 0 avatar
          ClutchCarGo

          While your concept may well be what is going on in the Bilton case, it’s not out of the question that SDR is or will soon be the method of choice:

          http://www.wired.com/2014/08/wireless-car-hack/

    • 0 avatar
      redav

      “I remember years ago when RF key fobs first started becoming prevalent that thieves were using equipment that could listen for the RF signal and then re-broadcast it to unlock the door at will.”

      I have a feeling this is more of an urban legend than a real thing.

      If a person uses the fob when leaving the car, they broadcast the lock command, not the unlock. Intercepting that signal & rebroadcasting it only serves to lock the car. Rather, the criminal would need to catch the signal as someone opens their car, which presumably is done when they are about to get in and (most often) drive away.

  • avatar
    Fred

    Is there any wireless/internet connected device that can’t be hacked? I doubt it, it’s just a matter if it’s worth it.

    • 0 avatar
      psarhjinian

      There are a number of devices and platforms that can’t be easily hacked, but they’re designed from the ground up with security in mind.

      Automotive OEMs traditionally haven’t even thought about interoperability, upgradability or security. They tend to be fire-and-forget.

    • 0 avatar
      Sigivald

      Yes.

      The trouble is that it’s hard (or impossible) to know which ones they are, in advance.

    • 0 avatar
      George B

      It would be possible to make the RKE system that makes use of precise timing to make breaking in very close to impossible. First, the short range low frequency RFID system could measure the time delay of the response of the signal reflected from the key to limit distance where it works. The system could also use time synchronized codes and an extremely long code book so that it would take years to break into a car.

    • 0 avatar
      redav

      You can only ‘hack’ what’s modifiable/actionable in the device through the channel being hacked. For example, my TV has a remote control & receptor that can be used to ‘hack’ into it. However, there is no signal that can be sent into it through that point that can modify its hard-wiring.

  • avatar
    28-Cars-Later

    Add a manual kill switch and the car should still be there in most cases. Thieves only have a short window in which to start the car, if you waste their time forcing them to look for a switch they should abandon it.

    • 0 avatar
      sportyaccordy

      Car theft is a non issue these days, with how complex car electronics are (which also makes the kill switch in something like a Prius a non starter). It’s about getting in and grabbing stuff like Garmins and cellphones and getting out.

      • 0 avatar
        28-Cars-Later

        Vandals are another issue I agree, but theft is still very much a reality based on the list of these MY13s:

        “And here’s the top 10 list of new vehicles (from the 2013 model year) stolen last year, also based on NICB data:

        Nissan Altima, 810
        Ford Fusion, 793
        Ford F-150, 775
        Toyota Corolla, 669
        Chevrolet Impala, 654
        Hyundai Elantra, 541
        Dodge Charger, 536
        Chevrolet Malibu, 529
        Chevrolet Cruze, 499
        Ford Focus, 483”

        http://www.forbes.com/sites/jimgorzelany/2014/08/18/the-most-stolen-new-and-used-cars-in-america/

    • 0 avatar
      WheelMcCoy

      “Add a manual kill switch and the car should still be there in most cases.”

      Add a manual and the car should still be there in most cases — there, fixed it for you. :)

    • 0 avatar
      TMA1

      I’m sure a manual transmission helps too.

  • avatar

    Don’t some cars use a frequency-hopping algorithm in their remote keys to thwart this kind of attack?

    • 0 avatar
      WheelMcCoy

      “Don’t some cars use a frequency-hopping algorithm in their remote keys to thwart this kind of attack?”

      I believe so. If the thieves captured the unlock code, it would have changed. There is a “resync” sequence, a tiny window of opportunity where the thieves could get x number of tries to unlock the car, but they would have to be very lucky. Without more details, I can’t even guess how they managed to break in.

      I suppose the paranoid among us would just use the key to lock and unlock the car, and never broadcast their credentials. But starting the car (with the key or push button) still exchanges a code between the key fob and the ignition… so watch for strangers who tail you, especially if they also carry an antenna (which could be disguised as an umbrella).

  • avatar
    George B

    WheelMcCoy and johng, the RF link is a fixed frequency, typically 315 MHz, not frequency hopping. You’re probably thinking of the information coding which uses a rolling code. http://en.wikipedia.org/wiki/Rolling_code

    If the thieves are receiving the transmission to lock the car and then using the resync window, they have to be lurking fairly close to receive the fairly weak signal from the key fob.

    • 0 avatar
      WheelMcCoy

      Thanks for the clarification about frequency vs rolling code.

      I have been able to chirp my car a half block away… further if I touch the remote to my forehead. Some opportunist could be trolling in a busy mall parking lot and get lucky. Another possibility is an insider sold an important piece of the algorithm used to generate the rolling codes in Toyotas.
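Added example (not part of any comment above, and not any manufacturer's actual scheme): a toy rolling-code receiver in Python illustrating the ideas discussed in this thread: a replayed code is rejected, a look-ahead resync window tolerates button presses the car never heard, and a timed lockout slows automated guessing. The HMAC-based code derivation, the key, the window size and the lockout values are all assumptions chosen for illustration.

```python
import hashlib
import hmac


def code_for(key: bytes, counter: int) -> str:
    """Assumed scheme: the code is a truncated HMAC-SHA256 of the fob's counter."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac[:8].hex()


class Receiver:
    def __init__(self, key, window=16, max_failures=5, lockout_s=60.0):
        self.key = key
        self.counter = 0            # counter of the last accepted code
        self.window = window        # how far ahead of the counter we will resync
        self.max_failures = max_failures
        self.lockout_s = lockout_s
        self.failures = 0
        self.locked_until = 0.0

    def try_unlock(self, code: str, now: float) -> str:
        if now < self.locked_until:
            return "locked_out"     # guesses are not even evaluated
        # Only counters strictly ahead of the last accepted one are valid,
        # so a code that was already used (a replay) can never match again.
        for c in range(self.counter + 1, self.counter + 1 + self.window):
            if hmac.compare_digest(code, code_for(self.key, c)):
                self.counter, self.failures = c, 0
                return "accepted"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_s
            self.failures = 0
        return "rejected"


def demo():
    key = b"constructed-demo-key"                # constructed sample key
    rx = Receiver(key)
    captured = code_for(key, 1)                  # code sent by the real fob
    out = [rx.try_unlock(captured, 0.0)]         # legitimate press
    out.append(rx.try_unlock(captured, 1.0))     # same code replayed
    out.append(rx.try_unlock(code_for(key, 5), 2.0))  # fob pressed out of range, resyncs
    for i in range(5):                           # constructed invalid guesses
        out.append(rx.try_unlock("zzzzzzzzzzzzzzzz", 3.0 + i))
    out.append(rx.try_unlock(code_for(key, 6), 8.0))   # real fob during lockout
    out.append(rx.try_unlock(code_for(key, 6), 70.0))  # real fob after lockout
    return out


if __name__ == "__main__":
    print(demo())
```

The second-to-last result shows the availability cost Exfordtech describes: while the receiver is locked out, the legitimate fob is refused as well.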

  • avatar
    nine11c2

    If you’re worried about the car codes being captured – then turn off your house garage door opener or they are going to get your car and your home contents.

    I drive a manual – Hidden Pro – hard to steal. Hidden Con – hard to valet. Hidden Pro – valets let you park it yourself…

  • avatar
    mkirk

    This makes it out like someone utilized the car’s wi-fi hotspot or something. People have done this to garage doors for years. It is not especially high tech. Key Fob is a simple RF transmitter. Sure you could go more complex and use some sort of encrypted signal, but the odds are much higher I am going to somehow destroy my Fob versus someone stealing or breaking into the car and replacement of keys and keyless entry components can already be an expensive proposition. This will only make it more so. Plus, if someone wants in that bad the car has a bunch of glass begging to be smashed although there is less and less of that on modern cars.

    Having said all that, my base Frontier has no keyless entry and no anti theft system and I never lock the doors. Old habit from living in Naples, Italy where it was common practice to not only leave the doors unlocked but leave the glovebox open so the thieves of which there were many could see there was nothing worth stealing. That and unlocking the back doors is kind of a pain so I just let em’ ride.

  • avatar
    oldguy

    Am I the only one that is just a bit suspicious regarding the validity of this Jalopnik story of a ‘tech blogger’ that just happened to have his vehicle broken into while he happened to be watching. Oh, and naturally the crooks were using ‘new tech’??

    • 0 avatar
      WheelMcCoy

      “Am I the only one that is just a bit suspicious …”

      It does raise a lot of questions. The journalist was actually able to catch up to the thieves? And he was able to ask them what they used to break into the car? And then the thieves got away?

      Usually, the thieves just run away and vanish into the crowd. If you manage to catch up to them, they won’t be in the mood to answer questions. If given the opportunity, the thieves will pound you and steal your wallet.

      A journalist might offer money in exchange for information, but that wasn’t mentioned.

    • 0 avatar
      Rod Panhard

      I wouldn’t say “suspicious,” but I certainly question the validity. He just happened to be watching, and he was able to almost chase them down the street, and he assumed that it was done with a gizmo that costs about $100.

      Smells like tauroscatological material to me.

  • avatar
    LuciferV8

    “Bilton then chased down the two to ask what they used to break into his car, only to come away with nothing but a description and a price tag: a $100 device that broadcasts RF signals to unlock the doors.”

    Really?

    “Hey, I know you just robbed me, but I’d like to ask you a few questions on your technique.”

    “Why sure, I’ve got loads of free time, especially to educate my victims. Let me show you how it works.”

    That sounds pretty damn suspect, but can you really trust anything published by the clickbait empire?

  • avatar
    LuciferV8

    But wait, autonomous cars are going to be unhackable and super safe.

    They will save lives, just like locking cockpit doors have.

  • avatar
    TW5

    Market demands wireless lock/unlock capability and wireless start. Journalist freaks out when his car is unlocked wirelessly.

    Anyone who can operate a zipper can break into a Wrangler.

    The article was published because it will make the old people have psychotic paranoia attacks, and demand changes from the manufacturers. I can’t take it seriously.

  • avatar
    turbosaab

    One good thing about driving a Saab, the security handshake is probably as overcomplicated as the rest of the car and no thief in their right mind would bother trying to figure it out.
