
New bluetooth hack to easily steal a Tesla model X in minutes

The_Hawkeye
16 minutes ago, leadeater said:

It's also called not possible as simply a replay. You aren't doing a simple replay of a keyfob, only the worst garbage keyfobs using the oldest technology would be anything like that.

I'm guessing StDragon is referring to relay attacks instead of replay attacks (given the article in question is a relay attack) but wrote it wrong.  Replay attacks have rarely been viable, although relay attacks seem to still be quite viable.  (The only replay attack that I've seen is that you record the signal but also simultaneously jam it, so you get a valid replay code...but it's by no means a practical way of targeting a vehicle)

 

Here is a clip of thieves stealing a Lexus (back in July of this year)

https://www.youtube.com/watch?v=U_bok1c3TEk&feature=emb_logo

 

I'd imagine the fix for something like this though would be overly expensive (for car makers)...as it would mean needing to detect the actual response times of keys rather than what I assume to be key signal strength.

 

3735928559 - Beware of the dead beef


27 minutes ago, wanderingfool2 said:

I'm guessing StDragon is referring to relay attacks instead of replay attacks

That's my screwup. I meant to say relay.


57 minutes ago, wanderingfool2 said:

I'd imagine the fix for something like this though would be overly expensive (for car makers)...as it would mean needing to detect the actual response times of keys rather than what I assume to be key signal strength.

There's probably other things you could do like simultaneous wavelengths, time delays between those, and signal strength verification. Most relays won't be able to handle the first and last of those very well, especially if during the authentication phase a signal strength offset check is done relative to the strength at the start. Relays will tend to be outside normal signal strengths (and SNR) as well as the signal profile being altered. But anything like that gets a bit complex, possible but complex.


22 minutes ago, leadeater said:

There's probably other things you could do like simultaneous wavelengths, time delays between those, and signal strength verification. Most relays won't be able to handle the first and last of those very well, especially if during the authentication phase a signal strength offset check is done relative to the strength at the start. Relays will tend to be outside normal signal strengths (and SNR) as well as the signal profile being altered. But anything like that gets a bit complex, possible but complex.

Yea, I sort of began looking it up after I said that.  Ford is using an accelerometer to turn off the key without movement (which doesn't get rid of the vector of attack at parking garages where you get them while walking to the way station).  They are apparently switching to Ultra Wide Band, which would also utilize time of flight (but by the sounds of it, it is a more costly tech, and I couldn't quickly find any manufacturers who have fully moved to it...though I read somewhere that VW did)

 

I'd be curious as to whether such an implementation would affect the battery life in the key fob

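The two mitigations floated in the last few posts (a signal-strength consistency check during authentication, and a time-of-flight distance bound of the kind UWB enables) as a toy model of what the car-side check could look like. This is added example code, not from the thread or any manufacturer; the key, the 2 m bound, the fob turnaround delay and the RSSI tolerance are constructed assumptions.

```python
"""Toy car-side verifier for a challenge/response key fob.

Besides checking the fob's answer, the car (a) converts the measured
round-trip time into a distance and rejects anything outside a bound, and
(b) rejects exchanges whose signal strength drifts too far from the level
seen at the start of the session. A relay adds turnaround delay and changes
the RF profile, so both checks tend to fail under relaying.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

SPEED_OF_LIGHT_M_S = 299_792_458.0
MAX_DISTANCE_M = 2.0            # assumed: fob must be within 2 m of the car
FOB_TURNAROUND_S = 1e-6         # assumed fixed fob processing delay the car subtracts
RSSI_DRIFT_TOLERANCE_DB = 6.0   # assumed allowed change vs. start-of-session RSSI
DEMO_KEY = b"constructed-demo-key-not-a-real-fob-key"  # constructed sample key


@dataclass
class Exchange:
    challenge: bytes
    response: bytes
    rtt_s: float        # round-trip time as measured by the car
    rssi_dbm: float     # received signal strength during this exchange


def fob_answer(key: bytes, challenge: bytes) -> bytes:
    """What the fob sends back: an HMAC over the car's random challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def estimate_distance_m(rtt_s: float) -> float:
    """Time-of-flight distance: strip the known fob delay, halve the round trip."""
    flight_s = max(rtt_s - FOB_TURNAROUND_S, 0.0)
    return flight_s * SPEED_OF_LIGHT_M_S / 2.0


def verify(key: bytes, ex: Exchange, session_start_rssi_dbm: float):
    """Return (accepted, reasons). All three checks run; none short-circuits."""
    reasons = []
    if not hmac.compare_digest(fob_answer(key, ex.challenge), ex.response):
        reasons.append("bad response")
    if estimate_distance_m(ex.rtt_s) > MAX_DISTANCE_M:
        reasons.append("too far")
    if abs(ex.rssi_dbm - session_start_rssi_dbm) > RSSI_DRIFT_TOLERANCE_DB:
        reasons.append("rssi drift")
    return (not reasons, reasons)


def run_exchange(key: bytes, distance_m: float, extra_delay_s: float,
                 rssi_dbm: float) -> Exchange:
    """Simulate one exchange. extra_delay_s models relay turnaround (0 = no relay)."""
    challenge = os.urandom(16)
    rtt = 2.0 * distance_m / SPEED_OF_LIGHT_M_S + FOB_TURNAROUND_S + extra_delay_s
    return Exchange(challenge, fob_answer(key, challenge), rtt, rssi_dbm)


if __name__ == "__main__":
    start_rssi = -60.0
    # Fob really is 1 m away: accepted.
    print(verify(DEMO_KEY, run_exchange(DEMO_KEY, 1.0, 0.0, -61.0), start_rssi))
    # Same fob, but relayed: 2 microseconds of relay delay looks like ~300 m,
    # and the re-radiated signal arrives at a different level.
    print(verify(DEMO_KEY, run_exchange(DEMO_KEY, 1.0, 2e-6, -85.0), start_rssi))
```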


9 hours ago, TempestCatto said:

This is why I like older cars. They are so much easier to work on, cheaper [to work on], and when maintained properly they work amazingly well (and are reliable).

I have a BMW with a fob but I'm not worried about that getting stolen, it's my clean 2000 Civic I own that is still the most stolen car ever that I worry about.

 

Also the signal that a fob sends out for 99% of cars has zero control over the starting of the car, only the lock mechanisms and lights.


18 minutes ago, staticpage said:

I have a BMW with a fob but I'm not worried about that getting stolen, it's my clean 2000 Civic I own that is still the most stolen car ever that I worry about.

 

Also the signal that a fob sends out for 99% of cars has zero control over the starting of the car, only the lock mechanisms and lights.

I recommend installing a hidden kill-switch for that Civic; and that's assuming it doesn't get loaded on a flatbed anyway. It's not the car they want, it's the parts. So it's an instant chop-shop destination; you would never see it again.

 

Dirty titles end up sold overseas or driving south of the border to Mexico and beyond.


Cars with 2FA and biometrics coming to a dealer near you! 

 

Slap TouchID on a key fob, give the key fob a secure enclave with multiple user profiles and wham, secure car. Downside is that you now need to charge your keys!

Laptop: 2019 16" MacBook Pro i7, 512GB, 5300M 4GB, 16GB DDR4 | Phone: iPhone 13 Pro Max 128GB | Wearables: Apple Watch SE | Car: 2007 Ford Taurus SE | CPU: R7 5700X | Mobo: ASRock B450M Pro4 | RAM: 32GB 3200 | GPU: ASRock RX 5700 8GB | Case: Apple PowerMac G5 | OS: Win 11 | Storage: 1TB Crucial P3 NVME SSD, 1TB PNY CS900, & 4TB WD Blue HDD | PSU: Be Quiet! Pure Power 11 600W | Display: LG 27GL83A-B 1440p @ 144Hz, Dell S2719DGF 1440p @144Hz | Cooling: Wraith Prism | Keyboard: G610 Orion Cherry MX Brown | Mouse: G305 | Audio: Audio Technica ATH-M50X & Blue Snowball | Server: 2018 Core i3 Mac mini, 128GB SSD, Intel UHD 630, 16GB DDR4 | Storage: OWC Mercury Elite Pro Quad (6TB WD Blue HDD, 12TB Seagate Barracuda, 1TB Crucial SSD, 2TB Seagate Barracuda HDD)

10 hours ago, LAwLz said:

They are so much easier to work on, cheaper [to work on], and when maintained properly they work amazingly well (and are reliable).

Except electric cars don't need much work or maintenance to start, therefore they are more reliable. After all you have electric motors and batteries compared to hundreds of moving parts in a combustion engine that can be damaged and require regular maintenance.


11 hours ago, dalekphalm said:

bbbbbuuuttt in Gone in 60 seconds, they hacked keyfobs in seconds!

 

Movies aren't real????

 

One of the plausibly accurate things in movies is that keyfobs, rfid proximity cards, nfc, etc can be hacked by a replay attack. Yes, in theory they can, but the film/tv show has to over-simplify it for the audience to understand what is going on. A relay attack is very real however.

 

Likewise, it's easier to steal a car by getting a towtruck.

 

IMO, car thieves aren't fancy hackers. Towtruck drivers acting as repossession bounty hunters is more likely to be the case, as they're not going to get the bounty if they destroy the car in doing so.


6 hours ago, leadeater said:

There's probably other things you could do like simultaneous wavelengths, time delays between those, and signal strength verification. Most relays won't be able to handle the first and last of those very well, especially if during the authentication phase a signal strength offset check is done relative to the strength at the start. Relays will tend to be outside normal signal strengths (and SNR) as well as the signal profile being altered. But anything like that gets a bit complex, possible but complex.

Another possible solution seeing how the auto industry takes years to push anything through.

 

 

CPU: Intel i7 - 5820k @ 4.5GHz, Cooler: Corsair H80i, Motherboard: MSI X99S Gaming 7, RAM: Corsair Vengeance LPX 32GB DDR4 2666MHz CL16,

GPU: ASUS GTX 980 Strix, Case: Corsair 900D, PSU: Corsair AX860i 860W, Keyboard: Logitech G19, Mouse: Corsair M95, Storage: Intel 730 Series 480GB SSD, WD 1.5TB Black

Display: BenQ XL2730Z 2560x1440 144Hz


13 hours ago, trag1c said:

See below...You're not trying to brute force attack the software. You're just extending the range of the keyfob to way beyond what it should be. 

 

Sure you can do this but my car will not run if the key gets out of range for a certain amount of time. They could open the car and start it but it would turn off way before they got to their destination. 


11 minutes ago, Brooksie359 said:

Sure you can do this but my car will not run if the key gets out of range for a certain amount of time. They could open the car and start it but it would turn off way before they got to their destination. 

Are you sure it works that way? Pretty sure that once a car is started it won't stop even if the key is away. 

It would be incredibly dangerous for the car to just stop working all of a sudden if the key was missing. 


3 minutes ago, LAwLz said:

Are you sure it works that way? Pretty sure that once a car is started it won't stop even if the key is away. 

It would be incredibly dangerous for the car to just stop working all of a sudden if the key was missing. 

Both my cars will not shut off if the key moves away from the car, they don't because that means power steering disables and ESC + anti-lock as well as the steering lock engaging, i.e. you're dead if moving at speed.


14 hours ago, trag1c said:

You're not actually trying to decode any signals or anything, it's nothing but a repeater tuned to ~315MHz (typical of most fobs within NA). You're just making it appear as if the fob is within the short range of the wireless transceivers. The Pringles can is nothing but a dish to replicate an extremely directional antenna so that you capture the weak signal and retransmit it on the 2nd antenna within range of the wireless transceivers on the car. This functions no differently than a cellular repeater.

 

There is a huge difference there.  The method you are talking about works to open the vehicle but as soon as you start driving you will lose the connection to the key and the vehicle will stop. Someone breaking into your car is bad enough but far from the same thing as someone generating their own key so they can do whatever they want with the vehicle.


What's the hardware costs to crack the key fob?

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

            CPU: Ryzen 9 5900X          Case: Antec P8     PSU: Corsair RM850x                        Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

            Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


3 hours ago, LAwLz said:

Are you sure it works that way? Pretty sure that once a car is started it won't stop even if the key is away. 

It would be incredibly dangerous for the car to just stop working all of a sudden if the key was missing. 

I believe it waits for the car to stop before doing so. Same with my mother's car as well. My dad started the car and drove away and accidentally forgot the key wasn't with him and was in the house instead, and it ended up turning off once he stopped. 


8 hours ago, Brooksie359 said:

Sure you can do this but my car will not run if the key gets out of range for a certain amount of time. They could open the car and start it but it would turn off way before they got to their destination. 

 

8 hours ago, leadeater said:

Both my cars will not shut off if the key moves away from the car, they don't because that means power steering disables and ESC + anti-lock as well as the steering lock engaging, i.e. you're dead if moving at speed.

 

7 hours ago, Kroon said:

 

There is a huge difference there.  The method you are talking about works to open the vehicle but as soon as you start driving you will lose the connection to the key and the vehicle will stop. Someone breaking into your car is bad enough but far from the same thing as someone generating their own key so they can do whatever they want with the vehicle.

 

5 hours ago, Brooksie359 said:

I believe it waits for the car to stop before doing so. Same with my mother's car as well. My dad started the car and drove away and accidentally forgot the key wasn't with him and was in the house instead, and it ended up turning off once he stopped. 

Any vehicle that allows you to start it with a dead key fob will only validate the key once through the TDM (Theft Deterrent Module) when the start button is initially pressed. The reason being that a dead key fob has to be held up to the push button (others might have a different place but Mazda, Ford, GM definitely at the button) of your vehicle so that it's close enough that even a microscopic signal will be validated. But once it's validated you're not required to hold the key there as that would be an unsafe practice, and the vehicle will not be able to validate the key otherwise as it will be out of range. If you shut the vehicle off it has to be validated again but if it's still running they're gonna keep driving. I can verify this on every GM, Ford, Mazda that I have ever worked on because a common customer complaint is that their key fob isn't working and sure enough it's a dead key fob. Every instance I was able to use the dead key fob to start and road test the vehicle. That module I listed earlier is aptly named because at the end of the day these systems are only designed to make it slightly harder for a thief and not impossible. I would imagine that VW/Audi would be the same. RAMs/Chryslers that don't use the "Keyed" FOBs will most likely be the same as well. At the end of the day this is a good thing because if your fob runs out of battery when you stop to take a piss on the side of the road you won't be left stranded where you last parked. @leadeater was correct in his post on how to stop this because at the end of the day requiring multiple validations means you get left stranded at probably the worst times because you have no way of knowing the battery state of your fob. And multiple validations is only good for draining the battery in your fob as the transmitter is the only thing that uses any measurable power on those.

 

I also did this all the time with my own 2014 Mazda 3 and my 2019 GMC Sierra because I would hand my key to a buddy while I went off to do some skids or a burny as a joke at local cars and coffees.


2 hours ago, trag1c said:

Any vehicle that allows you to start it with a dead key fob will only validate the key once through the TDM (Theft Deterrent Module) when the start button is initially pressed.

 

That is actually wrong.  A friend of mine has a Dodge and as long as his key is close to the vehicle you can start it, but once the car is about 100 meters from the key it shuts down.  I have similar experience both with Ford and Koenigsegg.  The TV series Grand Tour (with the old Top Gear crew) has also demonstrated this behaviour on several car models, including Jeremy Clarkson's Ford GT40.  The GT40 actually shut down for him several times even with the correct key in range. ;)

 

 

Edit:

After speaking with coworkers and googling this I realised that this is different depending on the country, even within the EU.  Some countries actually have laws that the key must be inside the cabin for the engine to run.  In others, like Sweden, it has been impossible to insure a car if it allows the car to be driven without a key inside the cabin (it's illegal to drive a car without insurance in Sweden).  Anyhow, some car manufacturers have different systems in different countries.


42 minutes ago, Kroon said:

 

That is actually wrong.  A friend of mine has a Dodge and as long as his key is close to the vehicle you can start it, but once the car is about 100 meters from the key it shuts down.  I have similar experience both with Ford and Koenigsegg.  The TV series Grand Tour (with the old Top Gear crew) has also demonstrated this behaviour on several car models, including Jeremy Clarkson's Ford GT40.  The GT40 actually shut down for him several times even with the correct key in range. ;)

I can't say on Koenigsegg as I've never even seen one in person. But in my experience working as a tech I have yet to encounter a vehicle that doesn't allow this behavior for the reasons I listed in my previous post. Key fobs with dead batteries are not visible to the TDM after moving them away from the push button since their signal strength is so low. This is what I've witnessed with my own eyes performing diagnostics on vehicles using factory scan tools to view live data as well as operating my own vehicles. As far as Grand Tour and Top Gear go I will always question validity because reality is never interesting enough for reality television. My experience is also backed up by the fact that relay attacks are real and are performed quite frequently, much of which is caught on CCTV with footage of them booking it down the road. My uncle has had his 2018 Jeep Compass stolen right out of his own driveway through this method. Do you think they had the key fob for the 40km trek to the other side of the city where the police found it abandoned? And with Clarkson's GT40, you just stated it shut down for him with the key in range; that sounds a lot like reality television where reality is not interesting enough.

 

There may be exceptions even within brands but on the whole the key/key fob validation is only required once. Even with older keyed systems you don't need the key once it's started. Go try with a vehicle that has a worn or smashed out ignition lock cylinder. Every security system on a vehicle comes down to deterrence not prevention. How secure do you think the door locks are on a modern vehicle? Takes about 30s to a minute to break into any vehicle without damaging it using the right tools. That in itself seems like a big oversight by auto manufacturers but your door locks are only there to stop people from pulling on your door handles as they walk by. Same thing for trying to stop people from stealing the vehicle, if they really want it they're going to steal it. Think of it like a fake camera, it does nothing more than make people think that committing a crime is a bad idea but does very little in the way of preventing the crime or catching the guy who did it.


On 11/24/2020 at 3:54 PM, dalekphalm said:

bbbbbuuuttt in Gone in 60 seconds, they hacked keyfobs in seconds!

 

Movies aren't real????

Just want to point out they didn't hack key fobs, they intercepted the remote unlock and nothing else. With the Mercs they had to buy replacement keys off a shady dealer. 

Dirty Windows Peasants :P ?


  

2 hours ago, trag1c said:

And with Clarkson's GT40, you just stated it shut down for him with the key in range; that sounds a lot like reality television where reality is not interesting enough.

 

Well the incident in question was on BBC news too and in the show he explained what had happened.  But that problem had something to do with the anti-theft system not connecting the key properly.  He actually got a phone call saying the car was stolen while he was driving it and they were going to remotely shut down the car.  

 

 

On the way home from work today we tested this out.

 

Ford (Mustang Mach-E): A few steps away and the engine shuts down, perhaps 5 m / 16 ft

Volvo (XC90 Recharge):  Actually was drivable for a few hundred meters.

Coolest of them all was the BMW (think it's a 530e but not sure, it's a plug-in hybrid): The owner held the key just inside the side window when he started the car, and the same second the key was outside, the engine shut down. 

 

Know this is off topic at this moment but:  the EU is actually looking into regulations for "keyless" cars at the moment and if the current suggestion is passed the key must be inside the car for the engine to work (just like the BMW example above).


44 minutes ago, Kroon said:

  

 

Well the incident in question was on BBC news too and in the show he explained what had happened.  But that problem had something to do with the anti-theft system not connecting the key properly.  He actually got a phone call saying the car was stolen while he was driving it and they were going to remotely shut down the car.  

 

 

On the way home from work today we tested this out.

 

Ford (Mustang Mach-E): A few steps away and the engine shuts down, perhaps 5 m / 16 ft

Volvo (XC90 Recharge):  Actually was drivable for a few hundred meters.

Coolest of them all was the BMW (think it's a 530e but not sure, it's a plug-in hybrid): The owner held the key just inside the side window when he started the car, and the same second the key was outside, the engine shut down. 

 

Know this is off topic at this moment but:  the EU is actually looking into regulations for "keyless" cars at the moment and if the current suggestion is passed the key must be inside the car for the engine to work (just like the BMW example above).

This could be pretty dangerous.  i.e. Driving cross country in an area without cell service and your key's batteries died.  Even in areas that aren't as remote, it's easy enough to have the key get drained of all batteries...camping trip where you are consistently hitting the unlock button etc.

 

Actually any situation where a running vehicle turns off because it can't detect a key could potentially be dangerous or cause a significant issue...even if it only does so when stopped.  e.g. Imagine driving along in rush hour and having your car turn off while at a light...or on a cold snowy day where vehicle operation could be critical to safety. Twice I've had key fobs run out of juice/break, once while driving (my vehicle never shut down).

 

There are actually people who die every year because their vehicle gets stuck on the side of the road, and they have to walk for help (or freeze to death in their car)

 

I'm curious in your testing though, at what state did the vehicles turn off?  (Like was the BMW in drive would it turn off, did they only turn off while they weren't moving)


1 hour ago, wanderingfool2 said:

I'm curious in your testing though, at what state did the vehicles turn off?  (Like was the BMW in drive would it turn off, did they only turn off while they weren't moving)

 

According to the owner of the BMW the engine will shut down as soon as the key leaves the vehicle no matter what state the car is in, including moving.   However you still have things like brake and steering servos running so you can safely come to a stop.  

 

 

All cars I know of do have mechanical keys built into the key fob. From what I have read about it (today) that is the law in the EU: even if you have what the EU calls a "keyless" system you must also have a mechanical key system, normally hidden away in a place. Small metal thing you can pull out from the key fob.


8 minutes ago, Kroon said:

 

According to the owner of the BMW the engine will shut down as soon as the key leaves the vehicle no matter what state the car is in, including moving.   However you still have things like brake and steering servos running so you can safely come to a stop.  

 

...well that is a bit scary.

 

Literal thought, making a left turn and losing power.  It's a good way to get t-boned.

 

I would rather thieves be able to steal a car by doing a relay attack or hacking the bluetooth than have the potential of the vehicle turning off mid-drive....as that just seems like a disaster waiting to happen.


4 minutes ago, wanderingfool2 said:

...well that is a bit scary.

 

Literal thought, making a left turn and losing power.  It's a good way to get t-boned.

 

I would rather thieves be able to steal a car by doing a relay attack or hacking the bluetooth than have the potential of the vehicle turning off mid-drive....as that just seems like a disaster waiting to happen.

If it's anything like the Volvo you will know that the car is about to stop!  It first started to beep, then a warning on the dashboard that it will soon stop, and before it stopped the sound of the alarm was so damn loud you couldn't think.

 

And turning off a car mid-drive due to "mixing" with Bluetooth is possible anyway with most vehicles, so I wouldn't worry about that.  We have played around with a coworker's Toyota that way several times; he is quite fed up with it by now.
