
Keyless-Entry Cars Vulnerable to Silent Theft

Discussion in 'Gen 3 Prius Main Forum' started by KyleT, May 9, 2015.

  1. qdllc

    qdllc Senior Member

    Really, it's a non-issue. Keyed cars can be stolen just as easily by a crook with the right tools. All the tech and tools do is make it hard or impossible for the lazy or stupid thieves.
     
  2. bisco

    bisco cookie crumbler

    i keep mine in an altoid tin in my aluminium pants.
     
    #22 bisco, May 28, 2015
    Last edited: Jun 15, 2015
  3. The Electric Me

    The Electric Me Go Speed Go!

    The whole, what to use to block or diminish your Fob sks signal has been debated and discussed in numerous threads.

    Personally? I'm NOT using my freezer or refrigerator.

    The Microwave might be effective, but I'm not using that either because I think it's a button or two push away from becoming an "I Nuked My Fob Accidentally" thread. I tend to use my Microwave in the morning BEFORE coffee, and I think the risk of fob destruction goes up exponentially.

    I've experimented with several altoid tin and tin boxes and IMO they were almost useless, if they were diminishing the signal? My Prius couldn't tell.

    In one of the other threads somebody had posted a link to where someone was experimenting with trying to block their cell phone signal. They put their cell phone in the refrigerator....total fail. They put their cell phone in a metal cocktail shaker? Seemed to work.

    If this problem becomes more pervasive and common? I might be in the market for a metal cocktail shaker. If this problem becomes all too common? My guess is commerce and chance for profit will result in more than one effective commercial option surfacing. Much like the RFID blocking sleeves now available for your credit cards and in wallets.
     
  4. breakfast

    breakfast Active Member

    Personally I wish our fobs had a simple, physical "off switch" that we could engage whenever we wanted to be extra sure (like when the car is full of cargo or it will be parked close to the fob)
     
    CR94, BluetoothEdsel and SageBrush like this.
  5. ftl

    ftl Explicator

    Simple enough to test. I have a metalized plastic bag that came with an E-ZPass transponder, so I put my fob in it, tightly folded over the open end, and tried to get into my car. I was able to lock and unlock the car by touching the door handle no matter whether the fob was in or out of the bag.

    I wondered if the toll transponder might be working at a different frequency which is blocked by the bags, so did a little research:

    Massachusetts uses the same toll system as New York, and their website quotes the frequency as 912.750 to 918.750 MegaHertz.

    And in another post here, Patrick Wong gives this info for the smart key system:
    "The vehicle to SmartKey frequency is 134.2 kHz. The SmartKey to vehicle frequency is 312 - 315 mHz." (Info from a Toyota TSB for 2004-2006 Prius).

    The vehicle to key frequency is in a completely different range, but the key to vehicle frequency seems close enough to the toll transponder frequency that it should be blocked by the bag, so perhaps it's a distance-related effect. The toll transponder will generally be quite a bit further away from its polling device than the keyfob is from the car, so its signal may well be weaker and more easily blocked.

    Here's a $30 Faraday Cage designed specifically for car keys: Fob Guard: Ideal Car Keyless Entry
     
  6. fuzzy1

    fuzzy1 Senior Member

    The tins may need metallic RF gaskets to seal the cover edges to the box. Without electrical contact there, the gaps act as slot antennas. Any insulating coating along the contact edges or gasket mount must also be removed or pierced.
     
  7. The Electric Me

    The Electric Me Go Speed Go!

    Sad, but that might be where we are headed.

    That would be the simplest way to counter these types of attacks. But unfortunately then it takes away one layer of the no-touch, no worry usage of the SKS system. Part of the convenience is really not having to do anything but have the fob on you, or NOT on you. Really NOT a big deal, but if I have to now turn off the fob, then remember to turn on the fob? It may be minimal but it's just a shade not as convenient as before.

    But I suppose it is easier and more convenient than putting my fob in my microwave or a cocktail shaker. And surely more convenient than dealing with my vehicle being broken into and robbed.
     
  8. hojman

    hojman Junior Member

    Anyone getting their cars broken into this way? My car has been broken into twice in the past 2 months. No signs of forced entry. This is getting to be annoying.
     
  9. David Beale

    David Beale Senior Member

    A metal box where the lid slides over the sides of the box will work (at any frequency). A metalized plastic bag will work (at any frequency), IF the top is properly sealed, folded over or such. Shielding is, in general, not affected by frequency. Though if you get to extremes it can be. But a solid metal box will not lose shielding due to frequency at any power level you're likely to encounter.
    Find a metal candy box. Metal top, bottom, and sides - no cardboard. The removable lid must slide over the sides of the box. There are still a few, but it may be soon I can say "good luck on that". ;)

    My wallet has a zippered "pouch" that I installed copper sheet in (used for hobby engraving). When the wallet is folded shut the copper shields the credit cards from being read. Even though it's just a "U" of copper. But RFID needs a very short and unfettered path to work. FOBs not so much. You need a metal box or proper shielding bag for them.
     
  10. ftl

    ftl Explicator

    As I noted in my post #25 just above, an E-ZPass metalized plastic bag with the top tightly folded over provided no shielding at all for my fob.
     
  11. KyleT

    KyleT Junior Member

    If anyone knows how to defeat the keyless-entry feature please let me know. Thanks
     
    #31 KyleT, Jun 13, 2015
    Last edited: Jun 15, 2015
  12. David Beale

    David Beale Senior Member

    DO keep in mind they have to be within about 10 ft of the FOB to do this. If it's in your home I'm pretty sure it's safe from copying.
     
  13. Zythryn

    Zythryn Senior Member

    I'd take that bet (although I'd keep the bet small).
    Could have been a coat hanger/slim Jim. Or you were mistaken and left the door open.

    As I understand the amplifiers, one person near you has a device that picks up your key fob, and retransmits it to another device which a thief can use to enter your car.
     
  14. Nora

    Nora Member

    You can defeat the keyless entry by taking the batteries out of both of your fobs. Would that work? You could use the mechanical key to get into the car and then hold the fob to the start button. Or would there be some long-term griping from the car? I rather like the keyless entry, though.

    The Fob Guard sounds intriguing, albeit overpriced. Someone needs to buy it and tell us if it works. Should be easier to carry than a cocktail shaker, although the cocktail shaker at least has another, excellent use.
     
  15. bisco

    bisco cookie crumbler

    that would work fine, but i wouldn't give up the sks either.
     
  16. ILuvMyPriusToo

    ILuvMyPriusToo Senior Member

    I think people might get the wrong idea if I keep walking around with a cocktail shaker in my hand . . . :whistle:
     
    Nora and bisco like this.
  17. fuzzy1

    fuzzy1 Senior Member

    As I understand this particular amplifier attack, the key fob signal is not retransmitted. The fob just needs to be within remote button range of the car. This covers many cars parked at home.

    The shorter range signal emitted by the car is the only signal that needs to be amplified and retransmitted. A thief does not need an accomplice.
     
  18. kbeck

    kbeck Active Member

    May as well put on my Maxwell's Equations hat and make a few comments.

    First: I have my doubts about metalized bags. Once upon a time it was my responsibility to shepherd some equipment through FCC Class 2 EMI/EMC testing. The equipment was EMI hot; we had built a metal box around it and put on some fancy metal doors with EMI gasketing. As you might guess, the equipment didn't pass the first time around. It didn't matter that the elastomeric gasket material made solid contact with the metal frame and all that. The material itself was not a solid metal and therefore did not absorb/reflect all the electromagnetic energy directed at it. Further, the metal doors themselves, with their shiny metal plating, weren't sufficiently conductive. We ended up putting several different metals, one plated on top of another, to lower the skin resistance, and switching to a gasketing material that actually dug into the metal, as compared to just lying on top, like the elastomeric stuff did.

    We were told that properly built doors using metal-impregnated rubber gaskets had a max attenuation of 40 dB, if memory serves.

    What this all means: Different materials have different attenuations to electromagnetic energy; further, I can attest to the fact that whatever attenuation something has, it varies as a function of frequency.

    In fact, let's hit the obvious one: Skin depth. The EE's who paid attention in Sophomore electromag know about this one. Let's see if I can explain it cleanly for everybody else.

    Suppose I have an electromagnetic wave that impacts a conducting material. By "conducting material" we mean a material in which electrons are free to move about. You can tell one of these, generally, because they're shiny. They're shiny because they not only reflect electromagnetic frequencies in the radio area, but electromagnetic frequencies like, say, "light".

    Now, suppose an electromagnetic wave hits a conducting material. Further, let's give this wave a frequency: 100 MHz. The wavelength of this wave is (speed-o-light)/f = 3e8/1e8 = 3 meters. If this wave hits the side of a 15-foot square piece of metal, there will be at one instant (say) a positive E field point at, say, the left edge; a negative E field point in the center of the plate; and another positive point at the right edge of the plate.
    Electrons respond to the E field by accelerating away from the negative points and moving towards the positive one. That acceleration causes the electrons to emit another E field, opposite in direction to the one impinging on the plate. You've seen that kind of thing: It's called a reflection. Like, and I'm not kidding here, the reflection of your face in a mirror.

    However, there's an interesting bit about how far the E field penetrates into the conductive material. Say you have a 15 foot wide superconductor. Electrons in a superconductor move without resistance; that's what makes it a superconductor. So, when the impinging E-field hits the superconductor, the electrons instantly accelerate with no slow-down, and the E field terminates right at the edge of the conductor.

    Suppose, now, you've got something with some resistance. Like, say, copper. The electrons at the surface attempt to accelerate, but they get slowed down by bouncing off of the stationary electron shells of the metal in question. So, in the first increment into the conductor, some of the electromagnetic field gets cancelled, but not all; hence the wave penetrates further into the conductor, where it encounters more electrons, which also attempt to accelerate, attenuate the E field more, and so on.

    If the frequency goes up, the wavelength goes down, which makes the E field, for a given energy level, shorter. Since the magnitude of the potential of the E field + and - points doesn't change, but the distance between these points gets shorter, the Field Strength goes up with shorter wavelengths, making the electrons accelerate faster. What this means: High frequency signals don't penetrate as far into the conductor. It also means that the electron currents become concentrated in a thinner and thinner layer, leading to higher losses. This is why, for example, the really high frequency components in your cell phone are plated with silver, which has less resistivity than copper. It's also why coaxial cable gives out at a GHz or three, since that center conductor isn't conducting through the bulk of the wire, but just on the surface of the wire. Above a few GHz if one is trying to move a signal around it's convenient to switch to waveguides, which don't have a center conductor where the current is concentrated. There's currents on the walls, true, but at least they're spread out. And at high enough frequencies even waveguides peter out.

    But let's take this in the opposite direction. The nominal equation for skin depth of a non-magnetic material is the depth by which the currents in a conductor fall off by 1/e. (Engineers like e, 2.718 and change.) This equation is:
    [​IMG]
    where delta = depth, rho is the resistivity, mur is 1.0 for non-magnetic material, mu0 is 4*pi*1e-7, and omega = 2*pi*frequency.
    So, what's the skin depth of copper when we're playing with 60 Hz power? Do the math, and delta=8.4217e-3 m, or 8.4 mm. So, how thick does that copper need to be to knock off the current interior by 90%? That'll be 5*delta, or 42mm.

    So, if you walk into some power station carrying bus bars with a lot of current, and the bus bars are, say, 5" across, the thickness of the bus bars will be an inch - because there will be no current flowing inside to speak of, roughly an inch deep into the copper, and nobody wants to waste expensive copper carrying current that's not there.

    So, back to our shielding. If one is going to shield a Prius key fob, according to our fun above, there's one frequency, 134 kHz, from the car to the key, and another frequency, from the key to the car at 313 MHz. (That's a large M, for Mega, as compared to a small m, for milli. :))

    So, to get a decent amount of shielding, we'd like to see at least 5*delta for the first, 134 kHz signal, to prevent the fob from seeing the (amplified) car signal. Go through the math, assuming the metal on the mylar has the same conductivity as copper (unlikely), we get
    5*delta = 5*sqrt(2*1.68e-8/(134e3*2*pi*4*pi*1e-7)) = 1.57 mm.

    Ha. If that film has a conductive layer 1.57 mm thick, I'll eat my hat. It's probably around 100 um (micrometers).

    Let's see what we get at 313 MHz:
    5*delta = 5*sqrt(2*1.68e-8/(313e6*2*pi*4*pi*1e-7)) = 18.6 um.

    So, with a fob inside of a mylar bag with a shimmery, thin, metal coating, a miscreant outside the house with an amplifier can boost the 134 kHz signal to a huge level, and the fob will see it. The signal will go right through the bag with hardly any attenuation. The fob then reacts and broadcasts back at 314 MHz. Now, folding over that mylar bag, even if done tightly, doesn't mean that one has metal-to-metal contact. In fact, there's such a thing as a slot antenna (see: Fighter aircraft) where a very thin, narrow opening can pass radiation fairly well. (See the top of this post - yes, I've had to play with inadvertent slot antennas. Not fun.). So I wouldn't bet that the mylar bag would do the trick.

    The mylar bag probably does work for, say, those EZ-Pass transponders. First, the transponders work up in the hundreds of MHz range, which means that the film, as thin as it is, does impose some serious attenuation on signals going in and out. Second, because (I think) the transponders are based upon RFID technology, which implies that they're powered from the incident radio energy. Attenuate the incoming signal by, say, 20 dB or so, and there's likely not enough energy present to power up the electronics.

    A second point about those bags. What those bags are supposed to do is to prevent static charges from building up and damaging ESD (electrostatic discharge) sensitive devices that might be inside of them. ESD sensitive devices include RAM chips, memory cards, SIM cards, and the like. Now, one might think that having the bag Highly Conductive would be a good idea to prevent ESD. One would be wrong. Having something really conductive means that if something with a high electrostatic charge is put into the bag, then the high voltage on the device would be shorted out with a high discharge current. And that's what an ESD event is. So, they don't make that "conductive" film very conductive; it's just conductive enough to bleed off the charge, slowly, so as not to damage the device in the bag. If one could actually get an ohmmeter to make decent contact with the sort-of-metallic film on the bag, one would discover that the film has high resistivity, rho.

    And, going to the equation above, a high rho would mean a bigger skin depth, which means, as a shielding tool, that bag isn't really worth all that much.

    Conclusion: A metal altoids box is a better bet.

    KBeck
     
    #38 kbeck, Jun 13, 2015
    Last edited: Jun 15, 2015
    a_gray_prius, Nora, Zythryn and 2 others like this.
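
The skin-depth arithmetic from post #38, as an added example that is not part of kbeck's post: it evaluates the standard skin-depth formula, delta = sqrt(2*rho / (omega * mu_r * mu0)), with the post's symbols and constants, and extends it to the absorption loss of a sheet of a given thickness at the two smart key frequencies quoted in the thread. The 100 um film thickness is the post's own guess, the 1000x resistivity film is a constructed value, and the model covers absorption only (no reflection loss, no seam or slot leakage).

```python
import math

MU0 = 4 * math.pi * 1e-7            # permeability of free space, H/m (as in the post)
RHO_COPPER = 1.68e-8                # copper resistivity, ohm*m (value used in the post)
NEPER_DB = 20 * math.log10(math.e)  # ~8.686 dB of field loss per skin depth


def skin_depth(freq_hz, rho=RHO_COPPER, mu_r=1.0):
    """Depth in metres at which the field has fallen to 1/e of its surface value."""
    if freq_hz <= 0 or rho <= 0 or mu_r <= 0:
        raise ValueError("frequency, resistivity and mu_r must be positive")
    omega = 2 * math.pi * freq_hz
    return math.sqrt(2 * rho / (omega * mu_r * MU0))


def absorption_loss_db(thickness_m, freq_hz, rho=RHO_COPPER, mu_r=1.0):
    """Absorption loss of a solid sheet: the field decays as exp(-t/delta)."""
    if thickness_m < 0:
        raise ValueError("thickness must not be negative")
    return NEPER_DB * thickness_m / skin_depth(freq_hz, rho, mu_r)


def thickness_for_loss(target_db, freq_hz, rho=RHO_COPPER, mu_r=1.0):
    """Sheet thickness in metres needed for a target absorption loss in dB."""
    return target_db / NEPER_DB * skin_depth(freq_hz, rho, mu_r)


# Frequencies quoted in the thread for the smart key system.
LINKS = {"car -> fob (134 kHz)": 134e3, "fob -> car (313 MHz)": 313e6}

# Constructed shield candidates: (thickness in m, resistivity in ohm*m).
SHIELDS = {
    "100 um film, copper-like (the post's guess)": (100e-6, RHO_COPPER),
    "100 um film, 1000x copper rho (hypothetical)": (100e-6, 1000 * RHO_COPPER),
}


def compare():
    """Return (shield, link, skin depth in m, absorption loss in dB) rows."""
    rows = []
    for shield, (thickness, rho) in SHIELDS.items():
        for link, freq in LINKS.items():
            rows.append((shield, link, skin_depth(freq, rho),
                         absorption_loss_db(thickness, freq, rho)))
    return rows


if __name__ == "__main__":
    for shield, link, delta, loss in compare():
        print(f"{shield:46s} {link:22s} "
              f"delta={delta * 1e6:8.1f} um  loss={loss:6.1f} dB")
```

With these constants the formula gives 5*delta of about 0.89 mm at 134 kHz and about 18 um at 313 MHz, so a thin film that absorbs the fob's reply almost completely still passes most of the low-frequency signal from the car.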
  19. David Beale

    David Beale Senior Member

    OK, finally got around to "doing the test".
    First, metalized bags, mylar or otherwise, are intended to reduce damage to components from -electrostatic discharge-. They were NEVER intended to shield from RF fields. There may be bags that do that but I haven't ever seen them.

    I took a "high quality" metalized bag (3M) that the electronics industry uses to ship semiconductor parts in. Placed the FOB in it, folded the opening over several times, and tried the SKS (door unlock/lock) system on the driver's door at different distances, in the bag and out of the bag.

    Distance to "working" - about 2m or 6 ft. Bag or no bag. An aluminized bag won't work.

    Folding over the end of the bag creates a "labyrinth seal", which can be very effective, depending on frequency and power level.

    Do keep in mind, the RF field strength here is very low (a few milliwatts of RF power). It doesn't take much to attenuate it enough to stop it from being effective.
    But an aluminized bag won't stop RF. The aluminum layer is just too thin. In fact, if you have even just a few watts of RF power even aluminum foil won't stop it.

    But you can go ahead and try aluminum foil to see if it might work. Or an Altoids tin. Knock yourself out.

    Personally I have more dangerous things to worry about. The morons who drive around here have hit me twice in the last three years, while stopped at a red light with lots of other vehicles around me. No excuses.
     
    ftl likes this.
  20. qdllc

    qdllc Senior Member

    Math has been introduced into the thread.

    We are all doomed.

    :ROFLMAO:
     
    kbeck likes this.