Researchers Hack Remote Keyless Car Entry Devices

Researchers have figured out a way to hack remote keyless car entry devices. The threat to the consumer is minimal, since it takes several hours to crack the code, but it does give one pause, especially considering that KeeLoq’s manufacturer could render the exploit nearly useless by adding a few simple measures.

GM, Chrysler, Daewoo, FIAT, Honda, Jaguar, Toyota, Volvo, and VW all use KeeLoq.

Once, there was a car with a very reactive car security system sitting outside my apartment. Following a light rain, it would go bloop-bloop! every time a drop of water fell on it from the tree above. My room was in the front of the house and this annoying sound easily penetrated the walls, over and over again. Finally I went out there and kicked the car’s tires, causing it to explode with klaxons, screeches and warbles…

I walked up the street a bit. My neighborhood dashed out of his brownstone, looked around for culprits, and examined his car to make sure it was ok. I sidled on over and made casual conversation about how extremely sensitive his car’s alarm was. I think he got the message because after I went back inside the car didn’t make any more bloop blops to warn its owner that raindrops might be trying to get inside his car.

Now, if those researchers could just use the same method to develop a tool to silence people’s car alarms that keep going off unnecessarily…

How To Steal Cars — A Practical Attack on KeeLoq [cosic.esat.kuleuven.be]
[Red Tape Chronicles]

Comments

  1. hubris says:

    Car alarms are so friggin worthless. In this day and age, after years of car alarms going off randomly and annoyingly, people don’t even notice them anymore. When I was in college, I replaced my car stereo with a couple of friends in a campus parking lot. We sat there for like an hour, the alarm going off randomly the whole time, and no one even came over to ask what we were doing.

  2. speedwell (propagandist and secular snarkist) says:

    I’ve been worthless since I swore off coffee… but I started hearing about this yesterday and thought it referred to the key-with-a-chip security device that makes you have to have a specially programmed key to start the car. This is talking about those keychain doodads that let you remotely lock and unlock the car while standing outside, right?

  3. nweaver says:

    Actually, it’s a lot worse.

    Because of how the keyspace works, it takes several hours to hack the first “Brand X” key. After that, it takes a few minutes, and you could do it standing next to someone.

    This is particularly bad for the new “keyless” ignition systems. The thief stands next to you for 2 minutes and can then drive off in your car. Bad Crypto strikes again.

  4. bbbici says:

    The justice system really needs to go back to hanging horse thieves, or their modern day equivalent.

  5. Hawkins says:

    Today’s lesson: two-factor authentication (the crypto in your key-fob, plus the actual physical key) is better than one-factor authentication.

    Or: keyless = significantly less secure.

    Who’d have thought?

  6. 2Legit2Quit says:

    “key-with-a-chip security device that makes you have to have a specially programmed key to start the car. This is talking about those keychain doodads that let you remotely lock and unlock the car while standing outside, right?”

    There are two different systems at work. They differ by manufacturer but remain relatively the same. There is the key fob (the remote that opens/locks) which sends a unique radio frequency to your car to do the deed. It only takes seconds to program one of these if you have some spares. However, you need a key.

    Most keys today ranging for about eight years come with a chip inside the key. Each car key is identical, however, unless you have the unique chip that goes with the car, igniting is a no go.

  7. brettbee says:

    I, for one, don’t want a super-secure entry system or ignition key (mechanical or electronic). If a car is nearly impossible to steal without the key, that key is worth however much my car is worth. I don’t want to carry $20k around in my pocket, thank-you-very-much. If you want to steal my car, go ahead. Just leave me out of it!

  8. Sudonum says:

    @MaxPayne3476:
    In GM vehicles (at least the one I own) that have the chip there are 15 different chips. So theoretically if a thief had all 15 chips he could simply keep trying until he got the one that worked on your car.

    Far easier is the thief simply writing down your VIN from the tag on your dashboard and going to a dealer and convincing the dealer that the thief is the owner and has lost the key. There have also been reports of people working in the parts department in concert with the thieves, cutting keys with the correct chip when their thief friend walks in with a VIN of a car he wants to steal.

  9. Sudonum says:

    @brettbee:
    A replacement key and fob can easily set you back a couple hundred bucks.

  10. pestie says:

    Once, there was a car with a very reactive car security system sitting outside my apartment. Following a light rain, it would go bloop-bloop! every time a drop of water fell on it from the tree above. My room was in the front of the house and this annoying sound easily penetrated the walls, over and over again.

    Heh.. I was in a similar situation years ago, except it was even worse in that the little prick who owned this vehicle was parking it illegally, and it was set off every night when the sprinklers came on. Complaining to the apartment complex management did no good, so I hit it with an egg from the third floor. That got the owner’s attention.

  11. Frost Face says:

    @Sudonum: Immobilizers don’t really work like that. The dealer can cut you the key, but you need to either have the hardware to wipe and refresh the immobilizer’s sync with the code in the keys or have 2 keys for the car already to reprogram it/add keys.

  12. Sudonum says:

    @Frost Face:
    I own a 2000 Corvette with a chip in the key. I almost had to buy a replacement key when the wife needed to move the car while I was out of town (long story). She went to the dealer, where they knew me, and tried to get a key. The dealer did not have a key blank with that particular chip. I overnighted her a key. The key, if they had it, would have cost something like $125.

    I had the car in for service, the dealer lost the key and fob. They did not require the other key. They simply cut a new key with the correct chip using the VIN to tell them which chip to use. They took a new fob and synced it with the car using the same programming instructions in my owner’s manual for when I change the battery in the fob.

    I have not heard the term “Immobilizer” used in conjunction with this system so I don’t really think we are talking about the same system. I do know that if a key with the wrong chip is used to try and start the car it won’t start. Same if a thief removes the existing ignition switch and wires in his own.

  13. Sudonum says:

    @Frost Face:
    Oh, and I also forgot to add that there were a few news articles about 3-4 years ago explaining how thieves were just taking the VIN off the car (with the chip in the key) and going to dealers and getting keys.

  14. phobs says:

    @MaxPayne3476: Are you sure the car keys are identical to each other, or did you mean identical in use to the non-chip keys?

    On the topic of replacement keys, I think the ones for my car are somewhere between 90-200. Never got an exact figure since I never needed one.

  15. FLConsumer says:

    @Frost Face: Actually, the GM cars really do (did?) use a simple resistor system like what was described. No “registering” the keys with the car. As long as the resistor was the correct value and the cylinder turned (or was hotwired), the engine would start.

  16. Bryan Price says:

    It isn’t the rain that sets off my car alarm, it’s my stupid cats. They get on the roof just fine. I don’t know what they are doing, but they manage to set off the car alarm. Then they run off. At least it was self correcting. They didn’t like the alarm, so they’ve stopped doing whatever was setting it off.

  17. Kat says:

    Your neighborhood rushed out of its brownstone?

  18. MaxRC says:

    Why is it that most of my fellow engineers can’t express themselves out of a wet paper bag? The press release and PDF detailing the attack is borderline geek-speak.

    Also, neither these “researchers” nor the various reports on this story differentiate between the keyless entry system and the car’s electronic ignition security system: these are two separate different systems. From my own research KeeLoq is used only in keyless entry systems. Being able to unlock a car is indeed a neato thing to do, but it isn’t nearly as serious as being able to crack the ignition security system. You’d be able to unlock the car, but you will NOT be able to start the car and drive it off, as implied by the researchers and reports.

    Professional thieves are not worried about keyless entry systems, because it is very easy to unlock a car. People who work in the repo business do this on a daily basis without damaging the cars they tow away. What is much tougher, and much more interesting to thieves, is being able to defeat a car’s ignition security system.

  19. buggy_bee says:

    Car alarms are out of style these days; they don’t even catch anyone’s attention if they go off.

    Can’t wait until a foldable car is available. It can keep me safe from car robbers.
    *Saturn cargo liner

  20. speedwell (propagandist and secular snarkist) says:

    “Ignition security system,” yes, that’s the phrase I was looking for. Thanks, everyone.

    Incidentally, while you still have two working keys for your vehicle, you can program your own spares. I bought a pair of keys and instructions from an Ebay seller very inexpensively, and made mine. Now the pair of spares is under lock and key in case I ever need to make more.

  21. Frost Face says:

    @FLConsumer: Well damn these damnfangled ‘Merican/Euro cars… Mitsubishi doesn’t work like that!