
Repeater hack for keyless entry

Discussion in 'Fred's House of Pancakes' started by bwilson4web, Aug 31, 2015.

  1. bwilson4web

    Source: http://www.nytimes.com/2015/04/16/style/keeping-your-car-safe-from-electronic-thieves.html?_r=0

    . . .
    In a normal scenario, when you walk up to a car with a keyless entry and try the door handle, the car wirelessly calls out for your key so you don’t have to press any buttons to get inside. If the key calls back, the door unlocks. But the keyless system is capable of searching for a key only within a couple of feet.

    Mr. Danev said that when the teenage girl turned on her device, it amplified the distance that the car can search, which then allowed my car to talk to my key, which happened to be sitting about 50 feet away, on the kitchen counter. And just like that, open sesame.

    “It’s a bit like a loudspeaker, so when you say hello over it, people who are 100 meters away can hear the word, ‘hello,’ ” Mr. Danev said. “You can buy these devices anywhere for under $100.” He said some of the lower-range devices cost as little as $17 and can be bought online on sites like eBay, Amazon and Craigslist.
    . . .

    In effect, the device is a repeater for the car beacon and triggers the key fob to respond, a clever hack. The problem is the range was expected to be signal-strength limited. I hate to say it but 'tin foil' may be needed to keep the key fob 'off.'

    Easier, just keep the key fob in a small, metal cup when home or in the office. You can test it by walking to the car with the key fob in the cup. If the car does not open, the cup works.

    Bob Wilson
     
  2. Mendel Leisk

    Thanks for this Bob.

    I'm missing old school car keys for three reasons now:

    1. Crazy expense of replacement fob
    2. Danger of leaving car running
    3. Security
     
  3. bisco

    those faraday bags 'hgs' suggested look pretty cool.
     
  4. ftl

    Does anyone have a link to the devices on "eBay, Amazon and Craigslist."? I keep seeing lots of scare stories on this topic, but no evidence that any reporter has actually verified them.
     
  5. Mendel Leisk

    One big selling point of the no-touch fob was convenience. Kinda defeats the purpose if you've gotta rigorously store the thing in a transmission blocking container.
     
  6. bwilson4web

    Back in 2009, I was looking at remote key-less entry ICs and development systems to resolve the 'blind' problem. At the time, I was thinking of a reduced volume, universal 'panic' alert, say horn clicks and light flash to let the driver know. Initially the few cars with the system would 'seed' this alert for older cars. The worst abuse would be every car at an intersection would click and light flash. This would only work if the car were in READY state.

    I subsequently came to the conclusion this remains a 'non-problem' addressed by a useless law. Fortunately the NHTSA continues to study the solution. I suspect they may have gone back and looked at the suspect numbers used to advocate for this law. It was actually legislation passed by Congress and signed by the President.

    Actually, the existing receivers are a good start for vehicle-to-vehicle except the security issues are too attractive for hackers. Cue: GM's On-Star hack. But on the technical issue, asking Google, you can find the IC specifications. For example:
    I've got the manuals back at the house but the frequencies are not that hard to figure out.

    Bob Wilson
     
    #6 bwilson4web, Aug 31, 2015
    Last edited: Aug 31, 2015
  7. ETC(SS)

    Meh...
    Give me an RFID embedded key, any day.
    I'd also try an Altoids tin before attempting to build a Faraday cage or the Alcoa maneuver.
    That way your keyfob always smells minty fresh!

    The good thing about this 'hack' is that right now it's like a unicorn.
    Everybody knows what they are, and lots of stuff about them, but nobody has ever really seen one, let alone touched a for-real example.

    It also seems to be just a high tech rock---intended only to get into the car.
    Since I choose to live where I can keep my car unlocked pretty much all the time, it's not the top turd on my pile.
    In fact....the only time I ever had a vehicle broken into, it was actually unlocked at the time....AND in a lot with an armed guard. I immediately suspected an inside job, but the guard's car was also broken into - and you cannot fake that level of anger. I was actually pretty happy about that - since he was obviously not very good at his job.

    We're required to keep our work cars locked at all times, and when they're parked at night they're supposed to be well away from fences, since some of our vehicles have some fairly spendy stuff inside......and some of the cities I work in are NOT crime-free.
    Still.....I've never heard of a vehicle that was hacked into outside unconfirmed reports here in PC.

    If it starts happening?
    It's Big Bell's problem. My personal car has proper locks.
    Currently not..... :)
     
  8. bisco

    i think you're okay if you live outside cali and florida.
     
  9. HGS

    "Easier, just keep the key fob in a small, metal cup when home or in the office. You can test it by walking to the car with the key fob in the cup. If the car does not open, the cup works."

    I tried an Altoids tin, but it did not work. I bought two Faraday Bags from Amazon, and they work great. See my thread with pictures, articles, and video of a break-in.

    Faraday Bag for Smart Key (SKS) Break-in Protection | PriusChat
     
  10. bwilson4web

    Hummm, the very thing needed with every pack of zucchini seeds . . .

    Bob Wilson
     
  11. hkmb

    My cousins were clearly way ahead of their time: they'd mastered keyless entry and keyless ignition way before Toyota or Ford or anyone.

    In the 80s, we went to visit my uncle in a fairly rough town about 40 or 50 miles from where I lived (the town Rick Astley is from, in fact). While we were there, my uncle wanted to go out and get some cigarettes, but he'd lost his car keys.

    "Don't worry, Dad," said his helpful elder son (who was about 11 at the time). "I'll sort it out."

    It took him 30 seconds with a coat hanger to unlock the door, and another minute to hotwire it.

    Keyless entry. Keyless ignition. And all in the mid-80s.

    Oooh, I felt some familial pride that day, I can tell you.
     
  12. drysider

    As I understand the system, the key does the calling, not the car. The amplifier would need to work with the key, which actually makes more sense. It would take two devices- one near the key and the other near the car.
     
  13. bwilson4web

    The key has a small battery between the size of a nickel and dime. Transmitting is very energy intensive but receiving can be a very low load. In contrast, the 12V battery weighs nearly 30 lbs and is recharged every time the car runs.

    From the story, it only takes a broadband repeater close to or touching the car transmitter antenna. It sends the signal that triggers the key fob to send the authorization OK. But this is sent at normal, maximum transmitter power. If the key fob reduced the signal to one so low that it has to be in close proximity, would the system be less vulnerable? The other alternative would turn down the gain of the car receiver. But neither really works.

    A better approach would be passive RFID, the key fob must be brought to close proximity of the RFID reader. We're talking distances of either touching or within a few inches.

    Bob Wilson
     
  14. HGS

    Some PC members have the idea that just because it's not easy to find these key fob boosters online for sale on Amazon, eBay, etc., that they do not exist.

    Though I don't know how to make one, it makes sense that a person that knows how to build circuits and small transmitters could make a transmitter that could pick up a very weak key fob signal and boost the power so the car thinks the key fob is within a few feet. Or, if it's the car transmitter that is boosted, same idea. Probably not hard to make for the "circuit board building, electrically inclined" type.
     
    #14 HGS, Sep 1, 2015
    Last edited: Sep 1, 2015
  15. ftl

    I'm quite prepared to believe they exist - as soon as I see one, along with a technical description of exactly how it works.
     
  16. ETC(SS)

    Actually?
    I hope that they DO exist!
    The last time my car was broken into (while traveling) the moron broke out a window only to discover that (1) the car was unlocked and (2) I don't leave valuables in my car.
    If that person would have used an RF booster?
    Then I wouldn't have had to replace my glass. ;)

    Besides.....the fix for this "problem" would entail dealing with the only real problem that I have with the car.....the weirdly named "smart-key" system.



    EDIT: OK.....I'll admit it. There ARE a few other small problems! :D
     
  17. fuzzy1

    Basic electrical physics demands that the pickup be placed very close to the weak signal. A certain floor level of electrical noise exists in all our devices, from the random thermal motion of the electrons in the matter they are built from. This noise overwhelms very weak signals and cannot be removed; amplifier gain boosts both equally. Therefore the receiving antenna must be placed close enough to the transmitter for the received signal to exceed the electron noise.

    The thieves do not know where the fob is, so cannot place their amplifying device close to it. As described, this purported hack works only if the car side is the weak one; the key fob side must be strong.
    Prepackaged miniature RF amplifiers have been readily available as catalog items for decades, greatly easing the construction.
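
The noise-floor argument in the post above, worked through as an added example (it is not part of the thread or any poster's code). The signal level at 1 m, bandwidth, noise figure and required SNR are constructed values, not measurements of any key fob or car.

```python
import math

BOLTZMANN = 1.380649e-23   # J/K
ROOM_TEMP_K = 290.0        # conventional reference temperature

# Constructed illustration values (assumptions, not real fob/car figures)
LEVEL_AT_1M_DBM = -100.0   # a deliberately weak source, measured 1 m away
BANDWIDTH_HZ = 100e3
NOISE_FIGURE_DB = 3.0      # noise the amplifier itself adds
REQUIRED_SNR_DB = 10.0     # what the demodulator is assumed to need

def thermal_noise_dbm(bandwidth_hz, temp_k=ROOM_TEMP_K):
    """Thermal noise floor kTB, expressed in dBm."""
    return 10 * math.log10(BOLTZMANN * temp_k * bandwidth_hz / 1e-3)

def received_dbm(level_at_1m_dbm, distance_m, exponent=2.0):
    """Signal level at distance_m, falling off as distance**exponent."""
    return level_at_1m_dbm - 10 * exponent * math.log10(distance_m)

def amplify(signal_dbm, noise_dbm, gain_db, noise_figure_db):
    """Gain lifts signal and noise alike; the amplifier adds its own noise."""
    return signal_dbm + gain_db, noise_dbm + gain_db + noise_figure_db

def snr_after_amp(distance_m, gain_db):
    """SNR in dB at the amplifier output for a pickup distance_m from the source."""
    sig = received_dbm(LEVEL_AT_1M_DBM, distance_m)
    noise = thermal_noise_dbm(BANDWIDTH_HZ)
    out_sig, out_noise = amplify(sig, noise, gain_db, NOISE_FIGURE_DB)
    return out_sig - out_noise

def recoverable(distance_m, gain_db):
    """True if the amplified signal still clears the required SNR."""
    return snr_after_amp(distance_m, gain_db) >= REQUIRED_SNR_DB

if __name__ == "__main__":
    print(f"noise floor: {thermal_noise_dbm(BANDWIDTH_HZ):.1f} dBm")
    for d in (1, 3, 10):
        for g in (20, 80):
            print(f"{d:>3} m, {g} dB gain: SNR {snr_after_amp(d, g):5.1f} dB, "
                  f"recoverable={recoverable(d, g)}")
```

The output SNR depends only on distance, never on gain, which is why shielding the weak side (the metal cup or Faraday bag discussed earlier in the thread) is effective: it pushes the signal below the floor before any amplifier sees it.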
     
  18. HGS

    Good explanation. I have no idea how the signal works between the car and the fob. From what you're saying, it sounds like the bad guys boost the car signal and the fob responds.

    I wonder what the max range is on the key fob signal? Could the distance be figured out by seeing how far away one could open the doors using the unlock button, or is that a different transmitter/receiver from the SKS? Kind of like my old Ford truck remote working at about 100 feet or so.
     
    #18 HGS, Sep 1, 2015
    Last edited: Sep 1, 2015
  19. fuzzy1

    As best we can assume so far, it uses the very same transmitter, saving hardware and system complexity. If it used a separate transmitter, an extremely simple and no-cost part substitution would give it a very short range to match the car side.
     
  20. HGS

    It's all coming together for me now. Thanks. I'll keep using my Faraday Bag as needed.

    Cheers!