This Group Defeated Keyless Entry Cars With Simple Homemade Devices

by Bozi Tatarevic

German automobile club ADAC has released a report showing they were able to easily break into cars from 19 different manufacturers using a set of devices they built for a few hundred dollars.

The devices allowed the ADAC technicians to perform a relay attack on vehicles equipped with proximity keys by repeating the signal from the key fob.

This type of attack was previously described by researcher Boris Danev and his colleagues but was done in a lab environment with devices costing thousands of dollars. The ADAC test should serve as a significant warning to manufacturers, since it was completed using re-purposed consumer electronics that are inexpensive and portable.

Proximity keys have become widely available in the last few years and can now be found in modestly priced vehicles like the Honda Accord and Mazda CX-5. The technology relies on a module inside the car that queries the keyless fob when an entry action occurs, such as when an exterior door handle is pulled.

In most cases, the fob has to be within a few feet of the vehicle in order to respond and unlock the vehicle. Starting the vehicle works in the same manner but the fob usually has to be inside the car in order to do so.

ADAC was able to defeat the vehicle’s security mechanism by building two devices that can extend the signals up to a few hundred feet. The tester with the amplification device would walk close to the fob location, while the tester with the receiving device would walk over to the vehicle and initiate the unlock procedure.

Once the tester is inside the vehicle, the car can be started by placing the receiving device close to the ignition module and repeating the signal once more.

The procedure requires two devices — unlike the amplifier described by Nick Bilton and Boris Danev last year — but poses just as much risk due to the low cost. In my previous research on the subject, I found that such devices were available but cost tens of thousands of dollars, putting them out of reach of common thieves.

Many of the proximity key systems ADAC was able to compromise were from common vehicles, including the Audi A4, Mazda CX-5, and Toyota RAV-4. ADAC representatives who spoke to Auto Express stated, “Owners of cars with keyless locking systems should exercise increased vigilance in the storage of the key.”

I agree with their recommendation and suggest storing your proximity key fob in a small Faraday cage-type pouch to reduce the risk of theft.

Storing your key in a secure pouch shouldn’t have to be a requirement for vehicle owners, as the responsibility lies with the manufacturers to find a way to make these systems more secure. Since this type of amplification attack takes a little more time to push the signal to the car, the first step might be adding a latency check that causes the authentication handshake to time out after a certain point.
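The latency check suggested above can be sketched as a timed challenge-response. This is an added example, not ADAC's or any manufacturer's code; the function names, the timing constants and the simulated channels are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed, illustrative values; not taken from any real vehicle system.
FOB_PROCESSING_NS = 2_000_000          # assumed fixed time the fob needs to reply
SPEED_OF_LIGHT_M_PER_NS = 0.299792458
MAX_RANGE_M = 2.0                      # "within a few feet" of the vehicle
SLACK_NS = 50                          # assumed tolerance for measurement jitter


def fob_respond(key: bytes, challenge: bytes) -> bytes:
    """The fob proves knowledge of the shared key by MACing the car's challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def direct_channel(key: bytes, challenge: bytes, distance_m: float):
    """Fob answers over the air. Returns (response, simulated round trip in ns)."""
    flight_ns = 2 * distance_m / SPEED_OF_LIGHT_M_PER_NS
    return fob_respond(key, challenge), FOB_PROCESSING_NS + flight_ns


def relayed_channel(key: bytes, challenge: bytes, distance_m: float,
                    relay_delay_ns: float):
    """Same valid response, forwarded by two relay boxes that each add delay."""
    response, rtt_ns = direct_channel(key, challenge, distance_m)
    return response, rtt_ns + 2 * relay_delay_ns


def car_authenticate(key: bytes, channel) -> str:
    """Car side: fresh challenge, verify the MAC, then enforce the time budget."""
    challenge = secrets.token_bytes(16)
    response, rtt_ns = channel(challenge)
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(response, expected):
        return "reject: bad response"
    budget_ns = (FOB_PROCESSING_NS
                 + 2 * MAX_RANGE_M / SPEED_OF_LIGHT_M_PER_NS
                 + SLACK_NS)
    if rtt_ns > budget_ns:
        # A correct answer that arrives late is treated as a failed handshake.
        return "reject: timeout"
    return "unlock"
```

In these constructed numbers the fob's 2 ms processing time is far larger than the nanoseconds of flight time, so the check only works if that processing time is constant and the car's timer is precise.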

[Title Image: Yahya S / Flickr / CC BY 2.0; Diagram Photo: Aurelien Francillon, Boris Danev, Srdjan Capkun]

Join the conversation
  • TDIGuy on Mar 21, 2016

    It used to be a sharp rap in the right place would cause the door of a Mazda 3 to unlock. But there were issues before that... Ever notice that door locks used to be more like a knob sticking out the top of the door? Then a thin shaft that you couldn't hook a coat hanger around, now many/most are built into the door handle. Manufacturers will never be perfect, but their security designs are reactionary. The faults just move from physical to electronic.

  • NeilM on Mar 21, 2016

    So what do the thieves do once they've stolen the car by this means? Assuming that other such cars are like mine (Golf R), once started the engine will continue to run without the key in proximity only until the engine is turned off, and then you're stuck. What does the thief do with it then? I guess if it's going to a chop shop then OK, but they're not going to get a usable, runnable car. Wouldn't it have been easier just to tow it away in the first place? Seems to me that manufacturers could fix this vulnerability simply by requiring the key to be in proximity for run, not just start. That might take no more than a simple software update.
