UK police catch criminals on CCTV stealing a keyless Mercedes in under a minute

[Master Disaster]

I find this both fascinating and scary tbh...

 

The Car appears to be a brand new Mercedes so you would think it's incredibly secure, think again. While the owners are sleeping inside the house 2 criminals appear carrying a box each, one criminal goes to the house and waves his box around by the front door while another waves his box by the car and in seconds the car unlocks and allows the criminal to enter, start the engine and drive away (video is in the source article)

 

West Midlands police are saying it's the first time this crime has even been caught on CCTV

Quote

CCTV footage has been released showing thieves using a "relay" device, which receives a signal from the victim's key inside their home, to steal a car.

 

West Midlands Police believe it is the first time the high-tech crime has been caught on camera.

Relay boxes work by picking up the keys signal from inside the house and relaying it to the second box near the car. The stolen car has never been seen again

Quote

The theft took just one minute and the Mercedes car, stolen from the Elmdon area of Solihull on 24 September, has not been recovered.

 

In the footage, one of the men can be seen waving a box in front of the victim's house.

 

The device receives a signal from the key inside and transmits it to the second box next to the car.

 

The car's systems are then tricked into thinking the key is present and it unlocks, before the ignition can be started.

UK Police are advising owners with cars that have keyless systems to buy a steering lock to prevent this from happening to them.

 

Important note: keyless entry cars are not fully affected, they could gain entry but still need the key to start the car. It's cars with full keyless start that are fully affected.

 

http://www.bbc.co.uk/news/uk-england-birmingham-42132689

 

So, gone in 60 seconds anyone? In a weird way you almost have to respect the ingeniousness of the crime, it's very clever.

 

So be wary folks, ironically the newer and more expensive your car is the more likely it is to be affected by this.

[Xander Cousins]

Seems like Keyless Car fobs are gonna need those pouches that the new Bank cards have to keep that from happening. 

 

As great as a keyless car is I still would prefer some counter measures against this. Make cars into Phones by adding a FPS to start the car after unlocking or something. 

 

In all honesty I thought Mercedes would have thought that this could have happened and make counter measures against this but it seems not. 

[mr moose]

Build a better mouse trap and they'll build a better mouse.   

[Castdeath97]

18 minutes ago, Master Disaster said:

The Car appears to be a brand new Mercedes so you would think it's incredibly secure, think again. While the owners are sleeping inside the house 2 criminals appear carrying a box each, one criminal goes to the house and waves his box around by the front door while another waves his box by the car and in seconds the car unlocks and allows the criminal to enter, start the engine and drive away (video is in the source article)

Ahh the good old Mig-in-the-middle attack! Simple yet effective.

[Master Disaster]

13 minutes ago, Alex Colson said:

Seems like Keyless Car fobs are gonna need those pouches that the new Bank cards have to keep that from happening. 

 

As great as a keyless car is I still would prefer some counter measures against this. Make cars into Phones by adding a FPS to start the car after unlocking or something. 

 

In all honesty I thought Mercedes would have thought that this could have happened and make counter measures against this but it seems not. 

 

7 minutes ago, mr moose said:

Build a better mouse trap and they'll build a better mouse.   

Wouldn't the obvious solution be to make the car require a constant connection to the fob to continue running the engine?

 

That way they'd have to go full Gone In 60 Seconds and instead of just relaying the signal to gain entry and start they'd have to capture the signal and constantly mimic it back to the car.

 

Then some sort of signal encryption would mean they might be able to get the car moving but once they get out of range on the real key the car would simply stop running.

[Castdeath97]

1 minute ago, Master Disaster said:

Wouldn't the obvious solution be to make the car require a constant connection to the fob to continue running the engine?

You can also measure the delay in the challenge-response. If it's longer than usual then the signal is probably being relayed, but this might not work in close ranges.

[Xander Cousins]

3 minutes ago, Master Disaster said:

 

Wouldn't the obvious solution be to make the car require a constant connection to the fob to continue running the engine?

 

That way they'd have to go full Gone In 60 Seconds and instead of just relaying the signal to gain entry and start they'd have to capture the signal and constantly mimic it back to the car.

 

Then some sort of signal encryption would mean they might be able to get the car moving but once they get out of range on the real key the car would simply stop running.

It Then comes down to just a modification to what they used. Instead of Relaying the Fob it Clones it, Which isn't entirely impossible but would require them to be standing there waving boxes longer  

[Guest]

So the relay in the box recieved the signal from the keyless remote and saved the code in its own database, then it transfered the signal to the second relay of which used the code from the keyless remote and unlocked the car. But, if the relay chip is in the car of which is surrounded by metal, how could the second relay box transfer the signal to the relay chip in the car? I would have to think that there is some sort of chip that can delay the code in a matter of seconds before it reaches the relay chip inside of the car.

[Master Disaster]

1 minute ago, Castdeath97 said:

You can also measure the delay in the challenge-response. If it's longer than usual then the signal is probably being relayed, but this might not work in close ranges.

Thats also a pretty smart idea but has cases where the system might fire false positives, that being said so might my idea.

 

Honestly I think the best suggestion came from Alex, sell all keys with fully caged off pouches and require the owners to remove the fob to trigger the system. Usually the simplest solution is also the best solution.

[Master Disaster]

2 minutes ago, TheBeastPC said:

So the relay in the box recieved the signal from the keyless remote and saved the code in its own database, then it transfered the signal to the second relay of which used the code from the keyless remote and unlocked the car. But, if the relay chip is in the car of which is surrounded by metal, how could the second relay box transfer the signal to the relay chip in the car? I would have to think that there is some sort of chip that can delay the code in a matter of seconds before it reaches the relay chip inside of the car.

No, I'm not sure it's that complicated. It's more like box a pulls the signal out of the air, boosts it, repeats it and box b then does the same thing so the car receives the signal from it.

[Guest]

1 minute ago, Master Disaster said:

No, I'm not sure it's that complicated. It's more like box a pulls the signal out of the air, boosts it, repeats it and box b then does the same thing so the car receives the signal from it.

Is it a device that is being sold on the market today?

[Master Disaster]

3 minutes ago, TheBeastPC said:

Is it a device that is being sold on the market today?

I would doubt it but I remember around a year ago there was a story about a 16 year old boy who built a device out of consumer electronics that cost him around $50 and allowed him to gain entry into many different types of cars.

 

I'm sure there is probably some dark web website selling these devices or instructions on how to make them but general sale, no. No government would allow a device like that to be put on general sale.

[AlTech]

I've said it time and again but the UK government really has a hard on for Security Cameras .

 

There are tons of them around the UK especially in large cities.

[Guest]

Well that sucks

[Master Disaster]

2 minutes ago, Windspeed36 said:

Well that sucks

The "enhanced" security made it easier and faster for them. Turns out a physical security system is still best, who knew

[Taf the Ghost]

52 minutes ago, AluminiumTech said:

I've said it time and again but the UK government really has a hard on for Security Cameras .

 

There are tons of them around the UK especially in large cities.

Big Brother wasn't invented fiction, but Orwell knowing the British impulses very well.

 

As to this attack, I'm going to guess that it's only a single exchange and so a signal copy allows them to keep it unlocked.

[Bouzoo]

That's actually impressive.

[CommandMan7]

This stuff is surprisingly common. For example, nearly every Audi, VW, Seat and Skoda model sold since 1995 is vulnerable to a similar attack:

 

https://www.reuters.com/article/us-autos-cyber-volkswagen/keyless-systems-of-many-vw-group-cars-can-be-hacked-researchers-idUSKCN10M1JN

 

That's almost 100,000,000 cars, just for this single vulnerability. Imagine how many other vulnerabilities exist worldwide....

[nexus6]

Shit, the BBC has footage of me?  

 

Thanks for the heads up.

[LAwLz]

3 hours ago, Master Disaster said:

Wouldn't the obvious solution be to make the car require a constant connection to the fob to continue running the engine?

 

That way they'd have to go full Gone In 60 Seconds and instead of just relaying the signal to gain entry and start they'd have to capture the signal and constantly mimic it back to the car.

 

Then some sort of signal encryption would mean they might be able to get the car moving but once they get out of range on the real key the car would simply stop running.

Battery in the key dies while you're on the highway? Pray to God that there is nobody behind you or else you will be in a crash!

 

Stopping the engine is a quite dangerous solution.

 

 

2 hours ago, Master Disaster said:

Thats also a pretty smart idea but has cases where the system might fire false positives, that being said so might my idea.

 

Honestly I think the best suggestion came from Alex, sell all keys with fully caged off pouches and require the owners to remove the fob to trigger the system. Usually the simplest solution is also the best solution.

If we're going to mess around with Faraday bags for car keys then why not just go back to the old system where you need to click a button to unlock the door?  That way the signal is only sent out when you click the key, and that would fix the issue. The issue that the car key is constantly transmitting the signal which both unlocks the doors and allows the engine to start.

[graceinc]

Well, that hurts really!!

[Xander Cousins]

1 hour ago, Bouzoo said:

That's actually impressive.

Not really it's just radio waves in all fairness. The two boxes talk to each other One grabs the frequency the car is giving off while the other finds the frequency that matches. TBH a normal radio rig could do the same. Only thing would be you need to transmit a Code on that frequency for it to acknowledge you.

 

38 minutes ago, LAwLz said:

Stopping the engine is a quite dangerous solution.

Not exactly as turning a car engine off will stop the drive going to the wheels all other functions would still work. The company would have to have power steering and assisted brakes to still get power while cutting off the engine. So the car can come to a stop gradually. It would only be dangerous if the driver was doing something stupid. Secondly the Fob is for quickness Having it in one of those cage bags while sleeping isn't much to worry about. Or when your in work.

 

Like I mentioned before a secondary percussion should have been added. Constant Fob within range thing would work but is iffy like you pointed out. Having your phone RFID with the car to know your driving or in the vehicle would counter that or even Bluetooth.

 

Technology changing to make things easy for everyday. being a busy person can cause you to forget keys in house if having to be taken out of bags or pockets constantly. So ya sucks that they did that in under a minute but hopefully wont be like that for ever...Hopefully

[Master Disaster]

44 minutes ago, LAwLz said:

Battery in the key dies while you're on the highway? Pray to God that there is nobody behind you or else you will be in a crash!

 

Stopping the engine is a quite dangerous solution.

 

 

If we're going to mess around with Faraday bags for car keys then why not just go back to the old system where you need to click a button to unlock the door?  That way the signal is only sent out when you click the key, and that would fix the issue. The issue that the car key is constantly transmitting the signal which both unlocks the doors and allows the engine to start.

1) Good point and well made

2) Which begs the question, why did we move away from a physical switch to transmit the signal in the first place?

[Xander Cousins]

@Master Disaster I noticed the Mercedes has a secondary authentication on it.

Among the video clip the second box had to walk back towards the house before the Mercedes pulled off. So it requires a second signal to start the car.

[Zodiark1593]

2 hours ago, Master Disaster said:

The "enhanced" security made it easier and faster for them. Turns out a physical security system is still best, who knew

Well, as far as the old keys go, not really. Merely much cheaper. Tbh, the manual transmission in my car is a better security device than my door locks.