By on March 18, 2016


German automobile club ADAC has released a report showing they were able to easily break into cars from 19 different manufacturers using a set of devices they built for a few hundred dollars.

The devices allowed the ADAC technicians to perform a relay attack on proximity key enabled vehicles by repeating the signal from the key fob.

This type of attack was previously described by researcher Boris Danev and his colleagues but was done in a lab environment with devices costing thousands of dollars. The ADAC test should serve as a significant warning to manufacturers, since it was completed using re-purposed consumer electronics that are inexpensive and portable.

Proximity keys have become widely available in the last few years and can now be found in modestly priced vehicles like the Honda Accord and Mazda CX-5. The technology operates by having a module inside the car that can query the keyless fob when entry action occurs, such as when an exterior door handle is pulled.

In most cases, the fob has to be within a few feet of the vehicle in order to respond and unlock the vehicle. Starting the vehicle works in the same manner but the fob usually has to be inside the car in order to do so.


ADAC was able to defeat the vehicle’s security mechanism by building two devices that can extend the signals up to a few hundred feet. The tester with the amplification device would walk close to the fob location, while the tester with the receiving device would walk over to the vehicle and initiate the unlock procedure.

Once inside the vehicle, the car can be started by placing the receiving device close to the ignition module and repeating the signal once more.

The procedure requires two devices — unlike the amplifier described by Nick Bilton and Boris Danev last year — but poses just as much risk due to the low cost. In my previous research on the subject, I found that such devices were available but cost tens of thousands of dollars, putting them out of reach of common thieves.

Many of the proximity key systems ADAC was able to compromise were from common vehicles, including the Audi A4, Mazda CX-5, and Toyota RAV-4. ADAC representatives who spoke to Auto Express stated, “Owners of cars with keyless locking systems should exercise increased vigilance in the storage of the key.”

I agree with their recommendation and suggest storing your proximity key fob in a small Faraday cage-type pouch to reduce the risk of theft.

Storing your key in a secure pouch shouldn’t have to be a requirement for vehicle owners, as the responsibility lies with the manufacturers to find a way to make these systems more secure. Since this type of amplification attack takes a little more time to push the signal to the car, the first step might be adding a latency check that causes the authentication handshake to time out after a certain point.

[Title Image: : Yahya S/Flickr/CC BY 2.0; Diagram Photo: Aurelien Francillon, Boris Danev, Srdjan Capkun]

Get the latest TTAC e-Newsletter!

38 Comments on “This Group Defeated Keyless Entry Cars With Simple Homemade Devices...”

  • avatar

    “suggest storing your proximity key fob in a small Faraday cage-type pouch to reduce the risk of theft”

    While this measure might be effective it’s unlikely to be adopted by consumers. One of the biggest advantages of the keyless fob entry system is that you don’t have to retrieve the keys from your pocket or handbag.

    The manufacturers should now consider themselves about to lose the arms race with thieves if they don’t do something to resolve the issue.

    • 0 avatar

      Needs more two step. Presence of remote + facial recognition.

      • 0 avatar

        A two factor type system is appealing but I’m having trouble seeing how it would work in practice.

        You take the car to the garage to have maintenance done, hand them the keys and walk away with your face. How do they work on the car without your face? Same if the second factor is your voice or your cell phone.

      • 0 avatar

        @qfrog is on the right track, although facial recognition would be miserable in the winter when you are wearing a hat and scarf. And facial recognition isn’t good enough to work at night or in the rain. And you’d have to register your face, your wife’s, and any other driver.

        Adding a fingerprint sensor like the iPad could work. It would still be a nuisance in the winter where you’d have to remove your gloves. Ditto registering prints.

        Adding voice recognition is also possibility. If you’ve named your car “Hal”, you can say “Open the car door, Hal.” Ditto training the car to recognize your voice. Of course, the determined thief will then steal a recording of your voice.

        Any “two step” security option would add a bunch more sensors to the car. It won’t be worth it to manufacturers to add until thefts of cars with proximity keys significantly increases.

    • 0 avatar

      There are two kinds of car thieves: junkies and very sophisticated exporters.

      The junkies don’t have the technical skills to take advantage of this type of security hole. They’ll keep stealing ancient Civics and F-150s.

      The exporters have already won the battle. If someone wants to steal your vehicle for export and you leave it in a publicly accessible place, it’s gone, with or without this hack.

      • 0 avatar

        Don’t get your drift.

        If the two devices can be built for just a few hundred dollars the thief doesn’t need to build them, he/she just needs to obtain the devices from someone interested in making money by building/selling the devices.

        One can make the selling of the devices illegal, but some enterprising dude in another country will build/sell them and thieves being thieves won’t mind buying them illegally.

        • 0 avatar

          I don’t believe the devices will be easy enough for the technically unskilled to operate.

          • 0 avatar

            Not only does this require technical skill, it requires multiple people who coordinate well enough to find the car’s driver and the car at the same time. People with that level of organizational skill, and people who associate with others they can trust with this kind of job, don’t tend to need to steal cars for a living. For the moment, the low-hanging fruit is far too low-hanging to make this endeavor attractive.

            In fifteen or twenty years, maybe that’ll change. But at that point everything else will be different too.

          • 0 avatar

            I know criminals can be dumb, but not that dumb. Pickpockets work in pairs, two thieves working together is hardly unique.

            As for the devices being too difficult to use. Petty criminals have figured out how to install skimming devices onto ATM’s and return later to get the skimmers with the CC numbers then sell those on or use them.

            The opportunistic thief won’t bother, the more determined will have no problems.

            Live with your heads buried in the sand if you wish, but I do believe that insurance companies will see an uptick of car thefts of cars that were previously difficult to enter and start.

  • avatar

    I think the answer to the title of the video is: Kein sehr sicher.

    • 0 avatar

      * Nicht sehr sicher.

      Aber sie scheinen trotzdem sicherer als traditionelle Schluessel zu sein.

      • 0 avatar

        * I need to work on my German.

        I’m not feeling all warm and fuzzy about the older key systems either with Megamos being hacked and written about. Sure some critical details were redacted from the paper the Dutch published (which VW very much didn’t want published) but that doesn’t mean the missing info isn’t something a couple of computer security/comp sci geeks couldn’t figure out and utilize.

        I agree with dal20402, if exporters want your car and it is accessible they will have it.

  • avatar

    Faraday cage khakis!

    *patent pending

  • avatar

    I live around unsophisticated people without this level of technology.

    And as long as the cops keep shooting them to death – that should make em think twice about attempting to even touch my Hellcat.

    • 0 avatar
      Kyree S. Williams

      You say that now, but your brawn and guns won’t exactly do anything to the nerdy hacker that might be able to access your Hellcat from across the ocean. And, to someone who gets sick pleasure from such things, a Hellcat-anything is an alluring toy to hack.

    • 0 avatar

      I seriously hope you never have to face that cop who doesn’t care that you’re the mythical unicorn (black conservative/republican/Trump supporter) and deals you a dose of institutional racism you won’t live to regret.

      You are so much bluster and so much ego that I just can’t take you seriously when you get this authoritarian without atleast acknowledging your own skin color is what authoritarians are seeking to exploit and even destroy on some level.

      Just stay safe, BTSR, and maybe tune down the hate radio every so often. :(

      • 0 avatar

        The media has turned Good White cops and even the racists into scardey cats.

        I watch them conducting arrests with “kid gloves” wherein I would have beaten the crap out of the suspect or tased them…

        Those institutionalized racist cops you speak of don’t worry me at all.

        It’s the thug/gangsters who want to steal my riches I worry about.

        The enemy of my enemy is my friend.

        SOLUTION: use my enemies to destroy my enemies – and keep them off guard – and with each and every fallen criminal, my main enemies will lose their jobs and turn their pistols on themselves.

  • avatar
    Kyree S. Williams

    Speaking as a web designer / developer who deals with complex, security-dependent code on a regular basis…

    As cars become closer and closer to rolling computers, we’re beginning to see issues where the automotive industry hasn’t yet caught up with the kind of security that you’d see with other wireless and Internet-enabled devices. While one of the most harmful, this isn’t the most egregious example of that. Such honors probably go BMW for not using HTTPs for its ConnectedDrive service, or Nissan, whose Leaf App API didn’t authenticate or filter clients that it received requests from.

    Either way, I suspect the industry at large will begin to take network security a lot more seriously in the coming years.

    • 0 avatar

      In the case of the Nissan app, nothing really critical was exposed. If someone were to activate the climate control, you’d get an immediate email – and if you are plugged in it doesn’t even matter. When I unplug the car, the email that it’s no longer connected to the charger hits me before I can even get into the car. There are even settings that cause the car to send a text or email anytime someone accesses the car, even for status.

      • 0 avatar
        Kyree S. Williams

        No, but it’s such a rookie mistake to not authenticate API requests; that’s why I find it egregious. Besides, if crucial functions of the car are networked to the on-board computer that interprets the remote signals and a similarly-lax approach was taken to the design of the API itself, it is not impossible for the hackers to have gained access to something more dangerous within the cars.

        • 0 avatar

          True, it was a rookie mistake to not authenticate, but the on-board computers aren’t directly accessed. The requests are filtered through Nissan’s servers – making it most likely impossible to get to something more dangerous in the cars. They seem to pass through only a couple of functions. By the way, I have written code to access those servers and have written my own apps to talk to the car (via the servers), so I have actual experience communicating with a Leaf over the internet.

    • 0 avatar

      Yeah, that’s something I can’t help but wonder how car manufacturers are so behind the curve as they slap full-fledged PCs into their vehicles and give them actual auto-controls. I don’t think chop shops are going to be really reaping rewards from these situations but I can imagine careful and smart players can abuse the situation.

      As stated, exporters seem like the likeliest threat, eventually telling the cars to drive themselves to the export location…

      • 0 avatar

        I am speculating, but I think there’s a disconnect in their organizations between the mechanical engineers/designers and the software people.

        • 0 avatar
          Kyree S. Williams

          Well…my take is rather that either the software designers or their overseers are the types of people who are more classically-trained to write automotive software. They may be the kinds of people that wrote ECU maps or CAN BUS instructions. And it’s fine to have that kind of lax attitude toward security when the car isn’t wireless and Internet-enabled. Once it is, you have to take all of these things into consideration.

          People like me, who write software specifically for the Internet understand, that there are all kinds of malignant people who wish to gain unauthorized access to closed systems…and we do our best to minimize the risk of that happening.

          People who design automotive security systems, it seems, rely on security through obscurity, figuring that no one will bother to try and hack these systems…which isn’t good when your car is connected to the Internet or uses wireless signals for crucial functions.

          Without being an expert in the particular realm of proximity-fob technology, the two things that strike me as troubling are:

          a) That these cars use the same signal to unlock/lock and start the car.

          b) That automakers don’t design their security protocols more frequently.

    • 0 avatar
      Kevin Jaeger

      Cars have been rolling computer networks for quite a while, but that was okay as long as there was little or no outside access to the CANBUS.

      If you had physical access to a car it’s been possible to plug things in and cause mischief on the CANBUS for quite a while. What’s new is all of the wireless access and things like proximity keys, making modern cars a much more accessible target.

      They really should have anticipated this hack of proximity keys, but I guess these days convenience trumps all other considerations.

  • avatar

    Here’s how I feel about these proximity keys:

    The Firesign Theatre sez:

    “As seen on Who Asked For It!”

    My parking garage was in the habit of leaving the keys in the vehicle. the result? The car was always “awake”, expecting to be started. If I didn’t use my car for a week or two it would kill the battery. This happened at least four times before they got the message and started storing the key in the office.

  • avatar

    I always love these sensationalist stories. Compared to how easy a car is to break into by conventional means, I’m not panicking about this. It also requires the key to be very close. If it wasn’t placed right inside the wall his little repeater wouldn’t work. If someone wants to steal your car hard enough, they’ll always find a way.

    • 0 avatar

      This is NOT hypothetical. About a year or two ago there was an article about thefts where the thief would walk up to the car, hold something close and the door would open (it was all on security video). At the time, police were baffled and asked for some input from the public. It wasn’t till much later that it was understood what was going on.

      In this case, the cars were parked outside homes, the keys were in the houses. The thieving pair would place one person near the house and the other at the car. Once the engine was started, it does not (for safety if nothing else) shut down if it starts losing a key signal.

      Sometimes escalating the war has a price. As the penalty for pickpocketing got changed to more severe, people moved into armed robbery, with the resulting greater risk to the public.

      The same with auto theft. In the old days it was a relatively low risk (for both the criminal and the owner) night time operation. As the electronic key systems became more sophisticated, many times the only practical way to quickly steal a car is to get the key too, hence car-jacking … far more dangerous. I’d rather a thief hotwire my car at night than hijack me.

      • 0 avatar
        Kevin Jaeger

        I agree this one is actually a serious weakness. It allows thieves to open and drive away with your car just by getting close to your key – possibly by just having someone follow you after you park. As soon as you’re out of sight they drive away with your car, and if you’re near a port it can be driven straight into a shipping container.

        I think they need to rethink use of proximity keys, which can be passively hacked. I think they should at least require a button push to activate for a while and then shut themselves off.

        • 0 avatar
          Chicago Dude

          Eh, the connected car deals with this just fine. My Volvo sends a push notification to my phone if it’s been unlocked for a configurable amount of time, and I can use my phone to find its current location at any time, and can tell Volvo that its been stolen, right from the app.

          Unlike police with their jurisdictional limitations, the car manufacturer is global and can work with whatever the appropriate local police department is depending on the geographic location of the vehicle.

  • avatar

    And this fuss is just over a fancy electronic key. I await the autonomous vehicle fandango with great anticipation, remembering Baruth’s recent exposition of what can easily happen to them in the real world, no external electronics required.

    • 0 avatar

      @wmba I await the autonomous vehicle fandango with great anticipation

      Now even Google is admitting it could take up to 30 years for NHTSA Level 4 fully autonomous cars:

  • avatar

    One immediate fix: have the onboard control module ping the fob every minute for up to say 20 minutes after the engine is started and/or up to half a mile or so. When the fob signal gets lost post a warning and shut the engine down 30 sec later. There are some edge cases where this might create problems for the legitimate owner, or still allow the car to be stolen, but it practically defeats the effectiveness of this repeater for situations where it is now so easy. The thieves will eventually figure out what those delays and limitations are but it will require a much more organized team to pull that off on just any car. They could always drive it up to a flatbed real fast obviously.

    Wireless anything requires serious security.

    Two factor authentication works great.

  • avatar

    It used to be a sharp rap in the right place would cause the door of a Mazda 3 to unlock. But there were issues before that… Ever notice that door locks used to be more like a knob sticking out the top of the door? Then a thin shaft that you couldn’t hook a coat hanger around, now many/most are built into the door handle. Manufacturers will never be perfect, but their security designs are reactionary. The faults just move from physical to electronic.

  • avatar

    So what do the thieves do once they’ve stolen the car by this means? Assuming that other such cars are like mine (Golf R), once started the engine will continue to run without the key in proximity only until the engine is turned off, and then you’re stuck. What does the thief do with it then?

    I guess if its going to a chop shop then OK, but they’re not going to get a usable, runnable car. Wouldn’t it have been easier just to tow it away in the first place?

    Seems to me that manufacturers could fix this vulnerability simply by requiring the key to be in proximity for run, not just start. That might take no more than a simple software update.

Read all comments

Recent Comments

  • MitchConner: Tool Guy (great username by the way — as it fits), Nikola already conceded they fraudulently represented...
  • Inside Looking Out: I always liked the bold futuristic style of end of 1950s American cars given that I saw them only...
  • Pinkharlem: We have a beautiful 1981 Corona Hatchback that belonged to my father. My mother has been trying to sell...
  • Lou_BC: “The same people who recognize the greed will stay away” Agreed. I’d like to buy a new...
  • mcs: You’re probably thinking of their gas-powered models which do have a problem with catching fire. Hopefully...

New Car Research

Get a Free Dealer Quote

Who We Are

  • Adam Tonge
  • Bozi Tatarevic
  • Corey Lewis
  • Jo Borras
  • Mark Baruth
  • Ronnie Schreiber