This Group Defeated Keyless Entry Cars With Simple Homemade Devices

by Bozi Tatarevic

German automobile club ADAC has released a report showing they were able to easily break into cars from 19 different manufacturers using a set of devices they built for a few hundred dollars.

The devices allowed the ADAC technicians to perform a relay attack on proximity-key-enabled vehicles by repeating the signal from the key fob.

This type of attack was previously described by researcher Boris Danev and his colleagues but was done in a lab environment with devices costing thousands of dollars. The ADAC test should serve as a significant warning to manufacturers, since it was completed using re-purposed consumer electronics that are inexpensive and portable.

Proximity keys have become widely available in the last few years and can now be found in modestly priced vehicles like the Honda Accord and Mazda CX-5. The technology operates by having a module inside the car that can query the keyless fob when an entry action occurs, such as when an exterior door handle is pulled.

In most cases, the fob has to be within a few feet of the vehicle in order to respond and unlock the vehicle. Starting the vehicle works in the same manner but the fob usually has to be inside the car in order to do so.

ADAC was able to defeat the vehicle’s security mechanism by building two devices that can extend the signals up to a few hundred feet. The tester with the amplification device would walk close to the fob location, while the tester with the receiving device would walk over to the vehicle and initiate the unlock procedure.

Once the tester is inside the vehicle, the car can be started by placing the receiving device close to the ignition module and repeating the signal once more.

The procedure requires two devices — unlike the amplifier described by Nick Bilton and Boris Danev last year — but poses just as much risk due to the low cost. In my previous research on the subject, I found that such devices were available but cost tens of thousands of dollars, putting them out of reach of common thieves.

Many of the proximity key systems ADAC was able to compromise were from common vehicles, including the Audi A4, Mazda CX-5, and Toyota RAV-4. ADAC representatives who spoke to Auto Express stated, “Owners of cars with keyless locking systems should exercise increased vigilance in the storage of the key.”

I agree with their recommendation and suggest storing your proximity key fob in a small Faraday cage-type pouch to reduce the risk of theft.

Storing your key in a secure pouch shouldn’t have to be a requirement for vehicle owners, as the responsibility lies with the manufacturers to find a way to make these systems more secure. Since this type of amplification attack takes a little more time to push the signal to the car, the first step might be adding a latency check that causes the authentication handshake to time out after a certain point.
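The latency check suggested above, sketched as an added example (not code from the article or from ADAC): a simulated challenge-response in which the car accepts only a valid response that arrives within a time budget. The class names, the 500 µs fob processing time, the relay delay and the distances are constructed assumptions, and the fob's processing time is assumed to be constant.

```python
import hashlib
import hmac
import secrets

C_M_PER_NS = 0.299792458  # radio propagation speed, metres per nanosecond

class Fob:
    """Constructed key-fob model: answers a challenge with HMAC(key, nonce)."""
    def __init__(self, key, processing_ns):
        self.key, self.processing_ns = key, processing_ns

    def respond(self, nonce):
        return hmac.new(self.key, nonce, hashlib.sha256).digest()

class Car:
    """Vehicle side: accept only a valid MAC that returns within the budget."""
    def __init__(self, key, fob_processing_ns, slack_ns):
        self.key = key
        self.slack_ns = slack_ns
        self.budget_ns = fob_processing_ns + slack_ns

    def max_distance_m(self):
        # The slack has to cover the out-and-back flight, so halve it.
        return self.slack_ns * C_M_PER_NS / 2

    def authenticate(self, fob, distance_m, relay_delay_ns=0):
        nonce = secrets.token_bytes(16)  # fresh challenge for every attempt
        # Simulated clock: time of flight both ways + fob + any relay hardware.
        rtt_ns = 2 * distance_m / C_M_PER_NS + fob.processing_ns + relay_delay_ns
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(fob.respond(nonce), expected):
            return "reject: bad response"
        if rtt_ns > self.budget_ns:
            return "reject: timeout"
        return "unlock"

def demo():
    key = secrets.token_bytes(32)
    fob = Fob(key, processing_ns=500_000)
    tight = Car(key, 500_000, slack_ns=20)         # bounds the fob to about 3 m
    loose = Car(key, 500_000, slack_ns=1_000_000)  # 1 ms of slack
    return {
        "near_tight": tight.authenticate(fob, 1.0),
        "relayed_tight": tight.authenticate(fob, 60.0, relay_delay_ns=200),
        "relayed_loose": loose.authenticate(fob, 60.0, relay_delay_ns=200),
    }

if __name__ == "__main__":
    print(demo())
```

Radio covers about 0.3 m per nanosecond, so the slack the car allows on top of the fob's processing time sets the distance it actually enforces: 20 ns of slack bounds the fob to about 3 m, while 1 ms of slack would admit a fob roughly 150 km away. A timeout only helps if it is measured at that resolution and the fob's response time is predictable.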

[Title Image: Yahya S/Flickr/CC BY 2.0; Diagram Photo: Aurelien Francillon, Boris Danev, Srdjan Capkun]

2 of 38 comments
  • TDIGuy on Mar 21, 2016

    It used to be a sharp rap in the right place would cause the door of a Mazda 3 to unlock. But there were issues before that... Ever notice that door locks used to be more like a knob sticking out the top of the door? Then a thin shaft that you couldn't hook a coat hanger around, now many/most are built into the door handle. Manufacturers will never be perfect, but their security designs are reactionary. The faults just move from physical to electronic.

  • NeilM on Mar 21, 2016

    So what do the thieves do once they've stolen the car by this means? Assuming that other such cars are like mine (Golf R), once started the engine will continue to run without the key in proximity only until the engine is turned off, and then you're stuck. What does the thief do with it then? I guess if it's going to a chop shop then OK, but they're not going to get a usable, runnable car. Wouldn't it have been easier just to tow it away in the first place? Seems to me that manufacturers could fix this vulnerability simply by requiring the key to be in proximity for run, not just start. That might take no more than a simple software update.
