Author Topic: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design  (Read 4784 times)


Offline mendip_discovery

  • Frequent Contributor
  • **
  • Posts: 984
  • Country: gb
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #75 on: September 07, 2024, 07:13:09 am »
From what I know of the thefts:

They use the relay attack to unlock the car and start it, then drive off.

Or

They use the relay attack to unlock the car, then plug into the ECU and assign a new key to the car. Then drive off.

The second option is the more common. The manufacturers have mentioned a few times that this is because the courts forced them to allow 3rd parties to program the ECU with new keys, shocking isn't it. The unlock part of the key works from larger ranges so the time of flight stuff isn't so handy here.

I read that a few are going on about just breaking in to the house and taking the keys. That may be the case in less developed parts of the world (USA) but some of us have brick buildings with doors that take a fair bit of a beating to get open; they also make unnecessary noise, and there is the risk you might get attacked by the house cat. It is still a method of attack but not as common as this new technique that is running around wealthy urban areas. Many people are buying these posh cars on lease and filling the drive with 2 or so desirable cars; the housing estate will have many more, so in 1 night they can take lots of them and be gone before the owners realise they are missing.

Thing is if the criminals want it they will get it. They have time and a single goal. I have heard of cars just getting pinched with a recovery truck while you are in the shops.

As I have said before the best security you can use is security you will use. So get a pedal lock, steering lock, GPS tracker, put your car behind bollards, even put a wheel clamp on. Just make sure you use it all the time.

5 stolen, 3 I have had back. These days I drive a vehicle that criminals love to steal but I rely on its known unreliability to prevent them from taking it.

The Police in the UK at least are a little powerless to do anything, but I think that is partly down to a lack of old skool policing and the groups being bigger and better prepared than back in the olden days.
Motorcyclist, Nerd, and I work in a Calibration Lab :-)
--
So everyone is clear, Calibration = Taking Measurement against a known source, Verification = Checking Calibration against Specification, Adjustment = Adjusting the unit to be within specifications.
 

Offline BentaTopic starter

  • Super Contributor
  • ***
  • Posts: 6226
  • Country: de
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #76 on: September 07, 2024, 10:21:46 pm »
Quote
From what I know of the thefts:

They use the relay attack to unlock the car, then plug into the ECU and assign a new key to the car. Then drive off.

The second option is the more common.

That one's new to me, but interesting. In fact, it's the original relay trick taken one step further.
Needs more equipment (OBD2 programming), but that's no big issue.
 

Offline mendip_discovery

  • Frequent Contributor
  • **
  • Posts: 984
  • Country: gb
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #77 on: September 08, 2024, 08:50:53 am »
I think that attack was the original.

The OBD2 box would be programmed to set a new keyless starting key.

With my car I just moved the OBD2 port to another location and 'hid' it so it's not so easy to get to.

It's funny that the removal of the physical key to turn the barrel has made it easier to steal the cars.
Motorcyclist, Nerd, and I work in a Calibration Lab :-)
--
So everyone is clear, Calibration = Taking Measurement against a known source, Verification = Checking Calibration against Specification, Adjustment = Adjusting the unit to be within specifications.
 

Online tom66

  • Super Contributor
  • ***
  • Posts: 7007
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #78 on: September 08, 2024, 12:43:17 pm »
Some people have taken to fitting dummy OBD-II ports or a switch to the port that isolates CANH/L on the connector. Just make sure you tell your mechanic when you take it in for service!
 
The following users thanked this post: tooki

Online tooki

  • Super Contributor
  • ***
  • Posts: 12584
  • Country: ch
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #79 on: September 08, 2024, 01:08:57 pm »
There is no good fix to the repeater problem besides using reliable ToF measurement.  If the radio chipsets don't have ToF support then they are screwed in terms of a true solution to relay attacks, but they could still prevent CANbus/OBD-II attacks, and/or offer a feature like PIN-to-drive for free.
Motion sensing in the key would make a big improvement, with low cost to replace keys for existing users.
The PDF from ADAC actually includes a statement from BMW about this. In the models where the upgrade is possible, they do it by replacing all the fobs, with BMW covering 70% of the replacement cost and the customer 30%. Additionally, the customer must pay 150 euros to reprogram the car’s computer. (I assume that info is for Germany only, and that other countries may have other options. Or none. Who knows!)
 

Offline paulca

  • Super Contributor
  • ***
  • Posts: 4247
  • Country: gb
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #80 on: September 08, 2024, 02:26:52 pm »
There are a bunch of extra security features most of the "burn the strawman" hand wringing articles on this skip over.

My sensors do not work in isolation. The car "knows WHERE the key is", not just that it is present. It can, very accurately, determine for example whether the key is inside the car in the driver's hand or outside the car in the driver's hand 3 inches away.

As an example, on a "normal" car use, if I pull up at the house, turn the car off, open the door ... then without getting out I shut the door and remain in the car with the key... the automatics are predicting that the next thing I will do is lock the car. So it immediately starts beeping gently. If you do try and lock the car while any key is inside it, it will BEEP much louder. "No." is the very clear answer. I have fought this and sworn at it. "Lock the car!" and it says, "No." Eventually I end up going, "OH... wait... no... you are right, my key is in my coat pocket on the passenger seat."

To open the door in a passive way you need to be within 1 meter of the door handle. If I stand at 6 ft and ask my daughter to open the door, it will not open. If I close within 1 meter, it will allow her to unlock it.

If you accidentally unlock the car by .. say... touching a door handle after locking it, it will automatically lock itself after 5 seconds unless you open a door. Inversely, if you lock the car and try to open a door within 5 seconds, it will prevent you, allowing you to confirm it is actually locked. Personally I listen for the mechanism and watch the side indicator flash.

Can this be hacked? Probably. Is it going to be a professional car jacking outfit that does it? Very probably.

Paranoid? Faraday wallet. Test it. If it fails, buy another, more expensive one.

Personally, on occasion I will put my car key in such a wallet. If I leave it by the back door, there is a Faraday wallet to hint to me to put it in there. This is not 100% for security, but so that the car can sleep like a baby and not have it and the key wake each other up all night, which does wonders for both batteries.
"What could possibly go wrong?"
Current Open Projects:  STM32F411RE+ESP32+TFT for home IoT (NoT) projects.  Child's advent xmas countdown toy.  Digital audio routing board.
 

Online Marco

  • Super Contributor
  • ***
  • Posts: 6945
  • Country: nl
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #81 on: September 08, 2024, 02:47:12 pm »
The reliability of signal strength in a non-adversarial environment isn't the same as in an adversarial one.
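The ToF point made in Reply #79 and the adversarial-versus-benign signal-strength point just above, as an added Python illustration that is not from this thread or any manufacturer's firmware: a relay forwards a correct challenge response and can make the received signal as strong as it likes, but it cannot make the round trip shorter than light-speed plus the extra latency of its own hardware. The 2 m unlock range, the 1 µs fob turnaround and the shared key are constructed assumptions.

```python
"""Added illustration: RSSI proximity vs. time-of-flight distance bounding
against a relayed key fob. Not code from the thread or any real car."""
import hashlib
import hmac
import os
from dataclasses import dataclass

C = 299_792_458.0            # speed of light, m/s
MAX_RANGE_M = 2.0            # assumed policy: unlock only if fob is within 2 m
FOB_TURNAROUND_S = 1e-6      # assumed fixed, known processing time in the fob
# Round-trip time a fob can achieve at the edge of the allowed range.
RTT_BOUND_S = 2 * MAX_RANGE_M / C + FOB_TURNAROUND_S

SHARED_KEY = b"constructed-demo-key"   # constructed; never use a literal key


def fob_respond(challenge: bytes) -> bytes:
    """The fob answers a fresh challenge with a truncated HMAC."""
    return hmac.new(SHARED_KEY, challenge, hashlib.sha256).digest()[:8]


@dataclass
class Channel:
    """Radio path between car and fob (constructed model)."""
    distance_m: float            # true car-to-fob distance
    relay_delay_s: float = 0.0   # extra latency any relay hardware introduces

    def rtt(self) -> float:
        # A relay cannot beat light speed; it can only add time.
        return 2 * self.distance_m / C + FOB_TURNAROUND_S + self.relay_delay_s


def rssi_check(seen_rssi_dbm: float, threshold_dbm: float = -60.0) -> bool:
    """Proximity by signal strength: an amplifier or relay satisfies this."""
    return seen_rssi_dbm >= threshold_dbm


def tof_check(channel: Channel) -> bool:
    """Distance bounding: fresh challenge, correct MAC, and RTT within bound.
    The MAC alone does not help against a relay, since the relay forwards
    the genuine fob's answer unchanged; only the timing exposes it."""
    challenge = os.urandom(16)
    response = fob_respond(challenge)             # relayed or direct, it is valid
    expected = fob_respond(challenge)
    mac_ok = hmac.compare_digest(response, expected)
    return mac_ok and channel.rtt() <= RTT_BOUND_S


def evaluate(channel: Channel, seen_rssi_dbm: float) -> dict:
    """Decision each approach would make for one situation."""
    return {"rssi": rssi_check(seen_rssi_dbm), "tof": tof_check(channel)}


if __name__ == "__main__":
    print("legit fob, 1 m:      ", evaluate(Channel(1.0), -50.0))
    # Fob 50 m away, relayed with 5 us of added latency but boosted signal.
    print("relayed fob, 50 m:   ", evaluate(Channel(50.0, 5e-6), -45.0))
    print("legit fob, 30 m away:", evaluate(Channel(30.0), -85.0))
```

Only the middle case separates the two approaches: the signal-strength check accepts the relayed fob, the time-of-flight check rejects it.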
 

Offline MT

  • Super Contributor
  • ***
  • Posts: 1674
  • Country: aq
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #82 on: September 08, 2024, 03:09:25 pm »
Quote
I think that attack was the original.

The OBD2 box would be programmed to set a new keyless starting key.

With my car I just moved the OBD2 port to another location and 'hid' it so it's not so easy to get to.

It's funny that the removal of the physical key to turn the barrel has made it easier to steal the cars.

Volkswagen group cars are famous for their door lock mechanism (on all 5 doors) failing after 4-5 years due to faulty design and plastics, leaving doors unlocked when you press the lock button on the key fob.
 

Online coppice

  • Super Contributor
  • ***
  • Posts: 9400
  • Country: gb
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #83 on: September 08, 2024, 03:22:51 pm »
Quote
There is no good fix to the repeater problem besides using reliable ToF measurement. If the radio chipsets don't have ToF support then they are screwed in terms of a true solution to relay attacks, but they could still prevent CANbus/OBD-II attacks, and/or offer a feature like PIN-to-drive for free.
Motion sensing in the key would make a big improvement, with low cost to replace keys for existing users.
The PDF from ADAC actually includes a statement from BMW about this. In the models where the upgrade is possible, they do it by replacing all the fobs, with BMW covering 70% of the replacement cost and the customer 30%. Additionally, the customer must pay 150 euros to reprogram the car's computer. (I assume that info is for Germany only, and that other countries may have other options. Or none. Who knows!)

That 30%/70% split is amusing. Most car makers charge a crazy price for replacement electronic keys, as the poor sucker generally has no option but to pay. So with that split the customer is still covering far more than 100% of the COST, even though they may only be paying 30% of the retail price of the key.
 
The following users thanked this post: tom66, tooki

Offline paulca

  • Super Contributor
  • ***
  • Posts: 4247
  • Country: gb
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #84 on: September 08, 2024, 04:48:54 pm »
Toyota want £75 to replace the battery in the key fob. There is literally a notch to put the emergency key into and twist to pop it open. Literally the tool is in the key. The battery is a standard coin cell.

They charge £300 to reprogram your tire pressure sensors.  However, due to EU regulations the "Toyota Tech Stream" laptop software for dealers is available to download and you can update your own sensors codes in 5 minutes.  Catch is... at your own risk.  If you wipe your fuel map and brick your ECU ... tough.

This is why they are generally referred to as "Stealers".
"What could possibly go wrong?"
Current Open Projects:  STM32F411RE+ESP32+TFT for home IoT (NoT) projects.  Child's advent xmas countdown toy.  Digital audio routing board.
 

Online themadhippy

  • Super Contributor
  • ***
  • Posts: 2971
  • Country: gb
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #85 on: September 08, 2024, 04:58:28 pm »
Quote
Volkswagen group of cars are famous for their door lock mechanism

Their vans had a great security feature: lock the cab doors, open the rear doors to unload, cab stays locked. But if you opened the side cargo doors the cab would unlock :palm:
 

Online coppice

  • Super Contributor
  • ***
  • Posts: 9400
  • Country: gb
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #86 on: September 08, 2024, 05:06:24 pm »
Quote
Toyota want £75 to replace the battery in the key fob.

How often do you need to replace that? Most car keys need a new battery every 2 to 3 years. My Volvo's keyless entry gadget came in 2 forms. I got two of a larger design, with some buttons for remote control and an exchangeable CR2032 cell, and a single "lifestyle" key that is completely sealed, without buttons, so you can go swimming with it. The lifestyle key battery ran down after 3 years, and they want an unreasonable price for a new one. It's not important to me, so I didn't replace it.
 

Online TimFox

  • Super Contributor
  • ***
  • Posts: 8387
  • Country: us
  • Retired, now restoring antique test equipment
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #87 on: September 08, 2024, 05:13:10 pm »
Quote
Toyota want £75 to replace the battery in the key fob.
How often do you need to replace that? Most car keys need a new battery every 2 to 3 years. My Volvo's keyless entry gadget came in 2 forms. I got two of a larger design, with some buttons for remote control and an exchangeable CR2032 cell, and a single "lifestyle" key that is completely sealed, without buttons, so you can go swimming with it. The lifestyle key battery ran down after 3 years, and they want an unreasonable price for a new one. It's not important to me, so I didn't replace it.

My Toyota dealer doesn't charge quite that much, but it is still overpriced.
I found a website of another dealer that detailed how to change the cell, and it is readily available at retail for a reasonable price.
https://www.chicagotoyota.com/toyota-key-replacement.htm
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 7098
  • Country: ca
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #88 on: September 08, 2024, 06:07:07 pm »
I drove a Toyota sedan for 13 years (bought it brand new), fob never needed a new battery. I traded the car in after 13 years with the fob being just fine.
Facebook-free life and Rigol-free shack.
 

Online tooki

  • Super Contributor
  • ***
  • Posts: 12584
  • Country: ch
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #89 on: September 08, 2024, 06:12:10 pm »
Quote
There is no good fix to the repeater problem besides using reliable ToF measurement. If the radio chipsets don't have ToF support then they are screwed in terms of a true solution to relay attacks, but they could still prevent CANbus/OBD-II attacks, and/or offer a feature like PIN-to-drive for free.
Motion sensing in the key would make a big improvement, with low cost to replace keys for existing users.
The PDF from ADAC actually includes a statement from BMW about this. In the models where the upgrade is possible, they do it by replacing all the fobs, with BMW covering 70% of the replacement cost and the customer 30%. Additionally, the customer must pay 150 euros to reprogram the car's computer. (I assume that info is for Germany only, and that other countries may have other options. Or none. Who knows!)
Quote
That 30%/70% split is amusing. Most car makers charge a crazy price for replacement electronic keys, as the poor sucker generally has no option but to pay. So with that split the customer is still covering far more than 100% of the COST, even though they may only be paying 30% of the retail price of the key.

Oh, without a doubt!!

I'd be surprised if the actual COGS of a fob is more than 20% of what they charge for them, and much of that is likely to be paperwork/logistics, not BOM.
 

Online coppice

  • Super Contributor
  • ***
  • Posts: 9400
  • Country: gb
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #90 on: September 08, 2024, 06:50:25 pm »
Quote
I drove a Toyota sedan for 13 years (bought it brand new), fob never needed a new battery. I traded the car in after 13 years with the fob being just fine.

The older fobs only wake up when someone presses a button, so the batteries last a long time. We have a 12 year old Honda, where I changed a battery a couple of years ago, and I suspect that was its first change. Our Volvo, bought new in 2019, with "keyless" entry gets through a battery in 2-3 years, as it's regularly listening for the car to interrogate it.
 

Online mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13971
  • Country: gb
    • Mike's Electric Stuff
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #91 on: September 08, 2024, 07:29:09 pm »
Quote
I drove a Toyota sedan for 13 years (bought it brand new), fob never needed a new battery. I traded the car in after 13 years with the fob being just fine.
Quote
The older fobs only wake up when someone presses a button, so the batteries last a long time. We have a 12 year old Honda, where I changed a battery a couple of years ago, and I suspect that was its first change. Our Volvo, bought new in 2019, with "keyless" entry gets through a battery in 2-3 years, as it's regularly listening for the car to interrogate it.

One of the benefits of using 125kHz is that it is possible to make a receiver that uses very close to zero current, as enough voltage can be developed in the receive antenna coil's tuned circuit to wake up an MCU with no active amplification.
 
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Online mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13971
  • Country: gb
    • Mike's Electric Stuff
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #92 on: September 08, 2024, 07:31:13 pm »
Quote
That 30%/70% split is amusing. Most car makers charge a crazy price for replacement electronic keys, as the poor sucker generally has no option but to pay. So with that split the customer is still covering far more than 100% of the COST, even though they may only be paying 30% of the retail price of the key.

Third-party fobs are available for many (most?) cars from auto locksmiths, way cheaper.
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline tszaboo

  • Super Contributor
  • ***
  • Posts: 7910
  • Country: nl
  • Current job: ATEX product design
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #93 on: September 09, 2024, 10:38:35 am »
Quote
I drove a Toyota sedan for 13 years (bought it brand new), fob never needed a new battery. I traded the car in after 13 years with the fob being just fine.
Quote
The older fobs only wake up when someone presses a button, so the batteries last a long time. We have a 12 year old Honda, where I changed a battery a couple of years ago, and I suspect that was its first change. Our Volvo, bought new in 2019, with "keyless" entry gets through a battery in 2-3 years, as it's regularly listening for the car to interrogate it.

Same here, 3-4 years battery life on my Toyota. Although I don't know the replacement costs, because I just bought half a dozen CR2010 or whatever is inside for one EUR and replace it when the car tells me to.
 
The following users thanked this post: paulca

Online tom66

  • Super Contributor
  • ***
  • Posts: 7007
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #94 on: September 09, 2024, 11:19:16 am »
Funnily enough I went through 2-3 key fob batteries for my Golf Mk7, which did NOT use keyless technology. Some manufacturers aren't good at low power design, it seems.
 

Offline Phil1977

  • Frequent Contributor
  • **
  • Posts: 718
  • Country: de
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #95 on: September 09, 2024, 11:26:21 am »
The BMW E46 LCI has a really attractively small keyfob with a built-in supercap that's charged while driving by the NFC coils. It's watertight and didn't need any care in over 20 years of usage.

Okay, it didn't feature keyless entry and keyless go, but it was safe and sustainable. Then car manufacturers decided that their customers want big, super chunky and obviously unsafe keys that need a new battery every few years.  |O
 

Offline paulca

  • Super Contributor
  • ***
  • Posts: 4247
  • Country: gb
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #96 on: September 09, 2024, 12:14:28 pm »
I would say, if you have keyless:

1.  Take the battery out of the spare. That, or put one of those plastic insulator strips in.
2.  Store a spare battery for the key in the same place as the spare and another in the glove box.

I recall at least one US owner installing a switch on the back of his key.
"What could possibly go wrong?"
Current Open Projects:  STM32F411RE+ESP32+TFT for home IoT (NoT) projects.  Child's advent xmas countdown toy.  Digital audio routing board.
 

Online tom66

  • Super Contributor
  • ***
  • Posts: 7007
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #97 on: September 09, 2024, 12:49:15 pm »
Or just put it in a Faraday-kind of pouch. They are commonly sold nowadays; you can readily test if it will work by trying to unlock the car with it.
 
