
NYTimes writer gets his Prius broken into by keyfob amplifier

Discussion in 'Gen 3 Prius Main Forum' started by Oatflake, Apr 15, 2015.

  1. Nora

    Nora Member

    Refrigerator makes a bad Faraday cage. Can You Use a Refrigerator as a Faraday Cage?
    He suggests a cocktail shaker. Excellent. Unless you didn't notice the fob in there before mixing up a couple.

    Best solution is a better neighborhood.
     
  2. bisco

    bisco cookie crumbler

    see post #9 :cool:
     
  3. RobH

    RobH Senior Member

    The primary vulnerability of the current SKS system is the 30+ foot range of the keyfob-to-car signal. If the range were reduced to 3 feet like the car-to-keyfob range, the amplifier attack would be much more complicated. This is something that could be done with an aftermarket approach. Simply add an additional circuit to an existing keyfob that detects keypresses and the LED being powered. If the LED is powered without a keypress, then it is an SKS function and the output power needs to be limited. Maybe just switch to a less efficient antenna. All things an electronic hacker could put together rather simply.

    Full protection against a signal relay would be more difficult. Basically what needs to be done is to tightly control the response time between the car and the keyfob. If the signals are delayed longer than the current 3 foot transmission takes, then there is a relay occurring and that should invalidate the transaction. A lot more technology, but simpler than we already have with $100 GPS devices that can see a distance of 10 feet.

    Actually, I'm rather amused at the idea of a Prius being a desirable theft target.
     
  4. fuzzy1

    fuzzy1 Senior Member

    In the news stories I've seen, cars were not stolen. The devices have just been used to unlock a door, giving thieves access to the contents.

    Breaking through the ignition and immobilizer will be a more significant step.
     
  5. macman408

    macman408 Electron Guidance Counselor

    I don't think that would be sufficient to solve this. Even if the range of the fob-to-car signal strength is reduced, it would still be possible to have a two-piece system that would rebroadcast the signal at both ends. Here's an interesting slide deck where some researchers did that:
    http://www.isoc.org/isoc/conferences/ndss/11/slides/2_1.pdf
    It appears that they tested this type of attack both with a wired connection and a wireless connection between the attacker's transmitter and receiver, and with optional amplification of the signal. They still had to be within a few meters of the key, though (up to about 8m, with amplification). They also tested how long they could delay the response before the car wouldn't accept it any more - the best model they tested would only take a 35 µs delay - however, in that time, light can travel 10.5 km; so you could be 5 km away from the key and relay the signals back and forth. (!!) The worst model they tested still allowed entry at 10 ms, which is enough that the key and car could be 1500 km away from each other.

    Their suggested solution is another paper:
    https://www.usenix.org/legacy/event/sec10/tech/full_papers/Rasmussen.pdf
    That paper suggests a very low-latency protocol for proving distance. Basically, the car would send a random signal out, and the key would respond with exactly the same signal, delayed by only about 1 ns - that means that an attacker that can reduce the processing time would be interpreted as being at most 6 inches closer to the car than the actual key is. To ensure that it's actually the key responding and not the attacker, the key also reflects different parts of the signal back on different frequencies. Separately, it sends a secure message to the car telling it what frequencies those will be. So if the car receives the same message back on the frequencies it is supposed to and within the allotted time (probably 5 ns or so), then it knows that only the key could have sent the message, and it knows the key must be within only a few feet.
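
    The timing argument in the post above, worked through as an added example (not part of the original post and not code from either paper). The function names, the 1 m acceptance range and the single-frequency echo are assumptions made for illustration; the multi-frequency reflection the post describes is not modelled.

```python
import secrets

C = 299_792_458.0  # speed of light in m/s

def max_relay_distance_m(accepted_delay_s):
    """Farthest key-to-car separation a relay can bridge when the car
    tolerates accepted_delay_s of extra round-trip delay."""
    return C * accepted_delay_s / 2

def simulate_rtt(distance_m, key_processing_s=1e-9, relay_delay_s=0.0):
    """Round-trip time the car measures for a key at distance_m."""
    return 2 * distance_m / C + key_processing_s + relay_delay_s

def distance_upper_bound_m(rtt_s, key_processing_s=1e-9):
    """Upper bound on key distance implied by a measured round trip."""
    return max(0.0, C * (rtt_s - key_processing_s) / 2)

def verify_round(challenge, response, rtt_s, max_distance_m=1.0):
    """Accept only a correct echo whose time of flight fits the range."""
    if not secrets.compare_digest(challenge, response):
        return False
    return distance_upper_bound_m(rtt_s) <= max_distance_m

if __name__ == "__main__":
    # Loose timeouts quoted in the post: 35 us and 10 ms.
    for delay in (35e-6, 10e-3):
        print(f"{delay:g} s accepted -> relay up to "
              f"{max_relay_distance_m(delay) / 1000:.1f} km")
    nonce = secrets.token_bytes(8)  # constructed random challenge
    print("key at 0.5 m:", verify_round(nonce, nonce, simulate_rtt(0.5)))
    # A perfect (zero-latency) relay still adds the flight time to 50 m.
    print("relayed, 50 m:", verify_round(nonce, nonce, simulate_rtt(50.0)))
```

    With a nanosecond-scale timing budget the relayed round is rejected even though the echoed challenge is correct, because the extra flight time alone exceeds the allowed range.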
     
  6. Former Member 68813

    Former Member 68813 Senior Member

    it's easily done by unhooking the ECU and plugging in a laptop cable. laptop has ECU simulation software running and the car has no idea that a brain transplant just took place. this is how lots of toyota cars were stolen in montreal (likely other port cities too) and loaded on shipping containers for "export". this is what makes me wary about helping people in some exotic places when they ask for help with cars "imported" from USA or canada.

    BTW, i was never impressed with a "smart key", i always thought it was a dumb idea from the view of safety (and now security) appealing only to lazy customers. too bad toyota forced it on all. in my household, there is only one "smart key" (for a prius).
     
    #26 Former Member 68813, Apr 20, 2015
    Last edited: Apr 20, 2015
  7. Spryfly

    Spryfly Junior Member

    I came to the forums specifically to read more about this issue and see if anyone had this happen to them or someone they know with a Prius, so thank you for starting this thread.

    I know that stores like Amazon sell bags/pouches that you can put your cell phone or tablet in while traveling that will block all cell phone tracking/GPS, for security purposes. Does anyone know if this would work for the keys as well?

    Lifehacker suggests an Altoid tin or similar small tins as Faraday wallets. Thoughts? I will have to take some time out this weekend for experiments since my car is not garaged.
     
  8. Former Member 68813

    Former Member 68813 Senior Member

    if you are serious about it, there are small metal safes for storing valuables. you can make it a designated car keys spot at your home. i'm not as concerned because i keep my car in a garage at home.
     
  9. ITgem679

    ITgem679 Junior Member

    The solution to it, outside of it being stolen, is to never allow anything to be in sight in the vehicle. I learned, as a teen, never to leave anything under the seat, on the floor, seat, etc.
     
  10. walter Lee

    walter Lee Hypermiling Padawan

    The premise of this hack is to intercept a passive signal from the fob and then extend its range and repeat that signal to make initial first contact with the Prius (to unlock the doors and prime the system to start). A network extender only repeats a network signal; it doesn't understand/analyze the data on the network - this hack takes advantage of assumptions built into the handshake protocol.

    The easiest hardware solution is to block the automatic entry signal so it cannot be intercepted by the bad actor - a Faraday cage for the fob. So the simplest solution would be just to turn off the network automatic entry system via a dealer visit (but allegedly this is not cheap)... a more expensive dealer-oriented solution is to reprogram the Prius on-board computer's initial first-contact handshake software so that the doors stay locked unless the fob open button is *actively* pressed down (for one or two seconds). A more expensive and intrusive solution is to add a proximity test that validates the proximity of the fob - this would require extra hardware. ...
     
  11. IanIanIanIan

    IanIanIanIan Member

    A friend had their car's back window smashed so the thief could get in. It cost hundreds to be repaired. The thief wanted and took a newspaper off the back seat.

    How much will you spend on security when it is so easy to get into a car and the thieves just don't care anyway?
     
  12. ITgem679

    ITgem679 Junior Member

    When we live in a society where a car alarm goes off and no one even looks up from their handheld device...you know having a car alarm is futile for anyone in earshot, unless the owner knows what his own car alarm sounds like...
     
  13. CR94

    CR94 Senior Member

    Yes, that should work, but doesn't it shorten the life of the battery? I recall reading in other threads that keeping the fob near any metal increases battery drain. Too bad simply removing the battery is so cumbersome.
     
  14. co_prius_3

    co_prius_3 Member

  15. eeek

    eeek Junior Member

    I never understood why he chose the freezer when the microwave would block the signal better and not cause any damage from wetness or humidity.

    I read this story and then bought this. I just take the keyfob off the key and stick it in. Even with the fob right next to the car in the pouch, it will not get signal.

    http://www.idstronghold.com/item.asp?cID=0&PID=285
     
  16. walter Lee

    walter Lee Hypermiling Padawan

    No. A Faraday cage should not shorten the life of the battery. (Think about this for a moment... if this were the case, shielded audio-video/network cable would require more power than non-shielded audio-video/network cable - which it doesn't in the real world.) The fob transmitter power is fixed until you press the button. I think you might be confusing power usage with effective-efficient radio performance. A long metal rod (which we all call an antenna) of the proper length and impedance can increase the efficiency and power of any transmitter (without any additional power to the fob RF transmitter). To validate my comments, double check with any experienced shortwave, ham or CB radio enthusiast. You actually do not need much power to send out a radio transmission if you do it correctly - you just need a *clean* airway... congested radio frequencies are the bane of radio enthusiasts.

    A wireless Wi-Fi network extender is pretty common tech - I suppose it was a matter of time before someone adapted this tech for car fob transmitters - albeit I think the proper and legitimate usage of this tech is questionable at best - and it suggests a path to bad things rather than good things to me.
     
    #36 walter Lee, Apr 26, 2015
    Last edited: Apr 26, 2015
  17. Oatflake

    Oatflake Junior Member

  18. bisco

    bisco cookie crumbler

    on the plus side, there should be some good cheap batteries on the market.
     
    ftl likes this.
  19. mrbigh

    mrbigh Prius Absolutum Dominium

    NOOOO...:barefoot:!!!
     
    bisco likes this.
  20. bisco

    bisco cookie crumbler

    i'd rather be the windshield than the bug.:)