Author Topic: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design  (Read 1983 times)

Offline Siwastaja

  • Super Contributor
  • ***
  • Posts: 8391
  • Country: fi
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #25 on: August 04, 2024, 06:55:47 pm »
Car theft, especially expensive cars, is at an all-time high.

It's actually not.

Let's not ruin the "old men complaining about modern technology" thread with something as boring as facts. Although, those old enough might remember how in the 1990s you could get into basically 9 out of 10 cars with any screwdriver, in seconds.
 
The following users thanked this post: ajb, Sensorcat

Offline TimFox

  • Super Contributor
  • ***
  • Posts: 8112
  • Country: us
  • Retired, now restoring antique test equipment
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #26 on: August 04, 2024, 07:30:18 pm »
A good part of the recent spike likely has to do with Hyundai/Kia implementing no security. https://www.nhtsa.gov/press-releases/hyundai-kia-campaign-prevent-vehicle-theft

As a result of the surge in Kia/Hyundai thefts (helped by a social-media “challenge”), several cities have filed civil suits against that company.  In Chicago, these thefts often result in further serious crimes, followed by abandonment or crashes of the stolen vehicles.
 

Offline Benta (Topic starter)

  • Super Contributor
  • ***
  • Posts: 6062
  • Country: de
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #27 on: August 04, 2024, 08:12:04 pm »
Car theft, especially expensive cars, is at an all-time high.

It's actually not.

Let's not ruin the "old men complaining about modern technology" thread with something as boring as facts. Although, those old enough might remember how in the 1990s you could get into basically 9 out of 10 cars with any screwdriver, in seconds.

I've edited that sentence out from the OP, as it seems to turn a technical discussion into a more emotional one instead. Mea culpa.
« Last Edit: August 04, 2024, 08:42:53 pm by Benta »
 
The following users thanked this post: Siwastaja

Offline Benta (Topic starter)

  • Super Contributor
  • ***
  • Posts: 6062
  • Country: de
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #28 on: August 04, 2024, 08:58:44 pm »
A comment on the key fob movement-detector "solution" (read: desperate workaround).
It only helps when the fob is stationary somewhere.
But the "2nd thief" might also be standing next to you in the supermarket queue (he followed you from the car). The whole theft is a matter of seconds.

Smearing putty on a flaw only takes you so far.

And no, contrary to some Finnish guy's snide remark, I'm not an old Luddite. But I hate designs that are not thought through to the end. Like RKE.
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13868
  • Country: gb
    • Mike's Electric Stuff
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #29 on: August 05, 2024, 07:49:40 am »
A comment on the key fob movement-detector "solution" (read: desperate workaround).
It only helps when the fob is stationary somewhere.
Which it will be in the vast majority of cases - car in driveway, keys left near the door
Quote

But the "2nd thief" might also be standing next to you in the supermarket queue (he followed you from the car). The whole theft is a matter of seconds.

Much more involved as it needs wireless relaying in both directions, and that the car is in range of the fob's UHF transmission. Has this ever actually happened?


Youtube channel: Taking weird stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Online Phil1977

  • Frequent Contributor
  • **
  • Posts: 358
  • Country: de
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #30 on: August 05, 2024, 08:23:48 am »
What's really nasty is that the car industry has "improved" a principally very safe system (Rolling-code remote control with RFID transponder for motor start) by replacing it with something quite vulnerable.

AFAIK some new cars have a "time of flight" check in the authentication process. This could fix the main vulnerability.

Anyhow, the car industry could make cars much more theft proof. You easily could design authentication processes that really are hard to bypass by implementing strong cryptography into the communication between keyfob and ECU. But for some reason the industry also implements a lot of bypasses like keyless go, universal backdoor keys for workshops or just unsafe key generation. I'm really not into conspiracies but here it really looks a little bit like theft is seen as a problem that makes you sell more.
Every time you think you designed something foolproof, the universe catches up and designs a greater fool.
 

Online AVGresponding

  • Super Contributor
  • ***
  • Posts: 4780
  • Country: england
  • Exploring Rabbit Holes Since The 1970s
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #31 on: August 05, 2024, 08:35:31 am »
As I said multiple times already, technological tools & hacks are often not required (over-hyped).  The thief can easily take the car key fob from inside your house while you are sleeping.

They are NOT over-hyped at all, they are easy to use for those in the know.
Once you have seen such a system, you can only be amazed how simple it is.

No need to break in to a house, that is just too much hassle and old school.

And yet it remains one of the most common methods. It is by no means a "hassle", the methods used are simple, fast, and direct.
nuqDaq yuch Dapol?
Addiction count: Agilent-AVO-BlackStar-Brymen-Chauvin Arnoux-Fluke-GenRad-Hameg-HP-Keithley-IsoTech-Mastech-Megger-Metrix-Micronta-Racal-RFL-Siglent-Solartron-Tektronix-Thurlby-Time Electronics-TTi-UniT
 

Offline WatchfulEye

  • Regular Contributor
  • *
  • Posts: 119
  • Country: gb
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #32 on: August 05, 2024, 10:46:08 am »
Quote
a hidden toggle switch
use a switch that matches those already in the vehicle and hide it in plain sight

There is a class of aftermarket device that will do something similar.

Because the control switches tend to connect via CAN, the device piggy backs on the CAN bus allowing a key sequence to be entered using the car's OEM controls.

Some can even immobilise car via CAN message, minimising wiring complexity and allowing flexibility in concealed installation.
 

Offline tom66

  • Super Contributor
  • ***
  • Posts: 6843
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #33 on: August 05, 2024, 10:59:10 am »
My car has keyless entry (VW ID.3) and it is immune to the repeater attack that has plagued many keyless-go entry systems.   It uses UWB keys.  UWB keyless technology measures the distance to the car's key using the RF delay time.  Inserting a repeater into the system - short of breaking the laws of physics - will never make the key look like it is closer than it is.  So you cannot steal the car by using a repeater device.  You must have the keys yourself.

The system is incredibly precise - I can take the key up to the edge of the door frame of my car and the key is seen to be in the car.  If I move it just 5cm further, the key is now 'outside' and cannot be used to start the car.

None of this technology can protect against an attack on the car's own infrastructure, as has been seen with Toyota and Hyundai/Kia vehicles, of course.

Having said all this about how it's quite a clever technology, do I regard keyless entry as important?  Not really. I still have to put the key somewhere in the car (the fob is a little too bulky to fit in my pocket comfortably).  I still have to remember to take the key out.  If I had a choice, I would not pay for the keyless entry system... If it were a cost-free option I'd *probably* go for the mechanical key instead, even though both are just telling a computer to turn on or off.  Just because I feel like a mechanical key is less likely to be forgotten.  I have also had some issues with one keyfob failing which was replaced under warranty, where the key would be intermittently not detected, this feels like an issue that would not exist with a mechanical key (since the immobiliser is RFID and can be read even with a dead keyfob battery.)  There's still a backup mechanical key in the keyfob itself, hidden away, in case you need to get into the car when the battery is dead, so there's no reduction in simplicity there.  It does feel a bit like a solution looking for a problem.

 

Online Halcyon

  • Global Moderator
  • *****
  • Posts: 5819
  • Country: au
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #34 on: August 05, 2024, 12:23:48 pm »
As I said multiple times already, technological tools & hacks are often not required (over-hyped).  The thief can easily take the car key fob from inside your house while you are sleeping.

They are NOT over-hyped at all, they are easy to use for those in the know.
Once you have seen such a system, you can only be amazed how simple it is.

No need to break in to a house, that is just too much hassle and old school.

You over-estimate crooks I think.

99% of criminals are fucking stupid. Especially those involved in crimes like stealings, break and enters, etc... Half the time their brain is fried from the drugs they smoked that morning.

Usually, the simplest is the most effective; Entering in unlocked doors/windows, breaking a window, forcing a lock etc... Most people probably keep their car keys in a predictable place, like a hook or in a bowl by the front door, on the kitchen bench, in their purse, etc...

These types of opportunistic criminals aren't carrying around lock picking sets and technology used to steal cars. Largely because they don't have the skills to use them, and that it would be illegal in many parts of the world. Sometimes you get lucky and they might have a decent flat blade screwdriver on them for such purposes.

I used to lock these guys up for over 14 years. The percentage of criminals using high-tech means is incredibly small.
« Last Edit: August 05, 2024, 12:27:13 pm by Halcyon »
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13868
  • Country: gb
    • Mike's Electric Stuff
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #35 on: August 05, 2024, 01:16:50 pm »
As I said multiple times already, technological tools & hacks are often not required (over-hyped).  The thief can easily take the car key fob from inside your house while you are sleeping.

They are NOT over-hyped at all, they are easy to use for those in the know.
Once you have seen such a system, you can only be amazed how simple it is.

No need to break in to a house, that is just too much hassle and old school.

You over-estimate crooks I think.

99% of criminals are fucking stupid. Especially those involved in crimes like stealings, break and enters, etc... Half the time their brain is fried from the drugs they smoked that morning.

I used to lock these guys up for over 14 years. The percentage of criminals using high-tech means is incredibly small.
99% of the ones that get caught are stupid- the smart ones don't get caught so easily.
That doesn't mean that there aren't also smarter crooks with the tech, going round targeting certain cars in driveways, with established routes to fence them - a replay attack can be done in a few seconds, so an easy container-load of cars & parts in one night.
Youtube channel: Taking weird stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 
The following users thanked this post: janoc

Offline Marco

  • Super Contributor
  • ***
  • Posts: 6822
  • Country: nl
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #36 on: August 05, 2024, 02:28:32 pm »
I can't find euphemistically named kits on aliexpress, so it can't be that widespread :)

Did find a worked out paper to hack ISO/IEC 14443A for an office door.
https://eprint.iacr.org/2023/450.pdf

Silicon is so cheap, putting a time of flight calculation would be trivial when using a higher frequency carrier. For instance send challenge, dongle computes result and loads into a shift register for very fast on the fly encoding/transmitting of a salt from a second challenge for time of flight calculation.
« Last Edit: August 05, 2024, 02:34:03 pm by Marco »
 

Offline tom66

  • Super Contributor
  • ***
  • Posts: 6843
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #37 on: August 05, 2024, 03:03:28 pm »
I can't find euphemistically named kits on aliexpress, so it can't be that widespread :)

Did find a worked out paper to hack ISO/IEC 14443A for an office door.
https://eprint.iacr.org/2023/450.pdf

Silicon is so cheap, putting a time of flight calculation would be trivial when using a higher frequency carrier. For instance send challenge, dongle computes result and loads into a shift register for very fast on the fly encoding/transmitting of a salt from a second challenge for time of flight calculation.

If you want to accurately range a device (with, say, 10cm level accuracy), you need a very short pulse.  If you don't do that then you have multipath and pulse distortion effects which make it impossible to distinguish your pulses from reflections in the multipath.

This is why UWB is used for rangefinder functions on e.g. AirTags, and some car key fobs.  The pulses are around 1-2ns long... which requires a very high bandwidth RF transceiver IC.

You could argue 5m accuracy is enough for car key fobs... but I wonder what 5m actually looks like in somewhere like a multistorey carpark surrounded by rebar.  Could it be that the valid pulse seen actually has a TOF of far more than 5m because other paths are attenuated?  So you start to get to thresholds as to exactly where you determine a key to be valid... And then you are not doing much better than RSSI range finding because you could have keys within a valid range in the clear and open, but out of valid range in an obstructed environment.  People tend to put their car keys (stupidly, but they do) near their front door, so you might still be able to break such a system with a repeater attack there.

 

Online HighVoltage

  • Super Contributor
  • ***
  • Posts: 5509
  • Country: de
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #38 on: August 05, 2024, 03:15:09 pm »

99% of criminals are fucking stupid. Especially those involved in crimes like stealings, break and enters, etc... Half the time their brain is fried from the drugs they smoked that morning.

Usually, the simplest is the most effective; Entering in unlocked doors/windows, breaking a window, forcing a lock etc... Most people probably keep their car keys in a predictable place, like a hook or in a bowl by the front door, on the kitchen bench, in their purse, etc...

These types of opportunistic criminals aren't carrying around lock picking sets and technology used to steal cars. Largely because they don't have the skills to use them, and that it would be illegal in many parts of the world. Sometimes you get lucky and they might have a decent flat blade screwdriver on them for such purposes.

I used to lock these guys up for over 14 years. The percentage of criminals using high-tech means is incredibly small.

Maybe this is different from country to country.
We have a family member that is working for the car thief department of the police in a bigger city, here in Germany. And they are very familiar with the tools these crooks are using.

So, the stupid crooks are getting caught.

But ... the more educated crooks work on a totally different level. They have specialists for every step of the way and they take cars that have been ordered on a sophisticated system and these cars will leave Germany within hours after they have been obtained. There have been cases where car owners of expensive cars have been charged with fraud because the insurance companies could not believe that these sophisticated cars could easily be taken and expected the car owners to be in on the deal.


There are 3 kinds of people in this world, those who can count and those who can not.
 
The following users thanked this post: janoc, MK14, Benta

Offline Marco

  • Super Contributor
  • ***
  • Posts: 6822
  • Country: nl
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #39 on: August 05, 2024, 03:22:10 pm »
The pulses are around 1-2ns long... which requires a very high bandwidth RF transceiver IC.
So 10 cents worth of silicon instead of 1 cents.
 

Online Phil1977

  • Frequent Contributor
  • **
  • Posts: 358
  • Country: de
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #40 on: August 05, 2024, 03:24:13 pm »

You could argue 5m accuracy is enough for car key fobs... but I wonder what 5m actually looks like in somewhere like a multistorey carpark surrounded by rebar.  Could it be that the valid pulse seen actually has a TOF of far more than 5m because other paths are attenuated?  So you start to get to thresholds as to exactly where you determine a key to be valid... And then you are not doing much better than RSSI range finding because you could have keys within a valid range in the clear and open, but out of valid range in an obstructed environment.

I can't agree. The time-of-flight measurement only needs to verify that the authentic keyfob is inside the car while the engine starts / gets ready to drive.
Each repeater also adds many nanoseconds or microseconds to the signal delay. This attack should really be impossible with that measurement.
Every time you think you designed something foolproof, the universe catches up and designs a greater fool.
 

Offline tszaboo

  • Super Contributor
  • ***
  • Posts: 7653
  • Country: nl
  • Current job: ATEX product design
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #41 on: August 05, 2024, 04:10:03 pm »
You over-estimate crooks I think.

99% of criminals are fucking stupid. Especially those involved in crimes like stealings, break and enters, etc... Half the time their brain is fried from the drugs they smoked that morning.

Usually, the simplest is the most effective; Entering in unlocked doors/windows, breaking a window, forcing a lock etc... Most people probably keep their car keys in a predictable place, like a hook or in a bowl by the front door, on the kitchen bench, in their purse, etc...

These types of opportunistic criminals aren't carrying around lock picking sets and technology used to steal cars. Largely because they don't have the skills to use them, and that it would be illegal in many parts of the world. Sometimes you get lucky and they might have a decent flat blade screwdriver on them for such purposes.

I used to lock these guys up for over 14 years. The percentage of criminals using high-tech means is incredibly small.
There is a positive correlation between low IQ levels and tendency to commit crime, you are absolutely right about that. I think it's about 1 standard deviation, so about 85 for criminals.
There is an entirely different class of criminals though, sociopaths and psychopaths, that commit crimes because of the lack of any regard for anything other than themselves (zero empathy). There is no correlation between IQ and these personality traits. These two are about 2-3% of the population. They also commit the most crime, and get caught less. Some of them become CEOs like Elizabeth Holmes.
 

Offline tom66

  • Super Contributor
  • ***
  • Posts: 6843
  • Country: gb
  • Electronics Hobbyist & FPGA/Embedded Systems EE
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #42 on: August 05, 2024, 04:30:58 pm »
The pulses are around 1-2ns long... which requires a very high bandwidth RF transceiver IC.
So 10 cents worth of silicon instead of 1 cents.

Well sure, UWB keyfobs aren't expensive, probably cost barely any more than standard keyfobs.  But it does require a different IC to normal keyfob remote systems which have no pulse time measurement, they are just looking at RSSI meeting a threshold.
 

Offline coppice

  • Super Contributor
  • ***
  • Posts: 9100
  • Country: gb
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #43 on: August 05, 2024, 04:39:58 pm »
There is a positive correlation between low IQ levels and tendency to commit crime, you are absolutely right about that. I think it's about 1 standard deviation, so about 85 for criminals.
There is an entirely different class of criminals though, sociopaths and psychopaths, that commit crimes because of the lack of any regard for anything other than themselves (zero empathy). There is no correlation between IQ and these personality traits. These two are about 2-3% of the population. They also commit the most crime, and get caught less. Some of them become CEOs like Elizabeth Holmes.
That is often stated, but the evidence seems unclear. It's hard to differentiate from studies whether a high IQ makes you less likely to commit a crime, or just way better at avoiding detection and never getting into the statistics.
 

Offline tszaboo

  • Super Contributor
  • ***
  • Posts: 7653
  • Country: nl
  • Current job: ATEX product design
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #44 on: August 05, 2024, 04:57:06 pm »
There is a positive correlation between low IQ levels and tendency to commit crime, you are absolutely right about that. I think it's about 1 standard deviation, so about 85 for criminals.
There is an entirely different class of criminals though, sociopaths and psychopaths, that commit crimes because of the lack of any regard for anything other than themselves (zero empathy). There is no correlation between IQ and these personality traits. These two are about 2-3% of the population. They also commit the most crime, and get caught less. Some of them become CEOs like Elizabeth Holmes.
That is often stated, but the evidence seems unclear. It's hard to differentiate from studies whether a high IQ makes you less likely to commit a crime, or just way better at avoiding detection and never getting into the statistics.
There is plenty of evidence, but it is "controversial". There are metrics that take an entire country's average IQ (that's also racist according to some people) and compare it to the crime rate, and that shows negative correlation as well. Looked up the number, and a study was showing r=-0.64.
 

Offline coppice

  • Super Contributor
  • ***
  • Posts: 9100
  • Country: gb
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #45 on: August 05, 2024, 05:04:10 pm »
There is a positive correlation between low IQ levels and tendency to commit crime, you are absolutely right about that. I think it's about 1 standard deviation, so about 85 for criminals.
There is an entirely different class of criminals though, sociopaths and psychopaths, that commit crimes because of the lack of any regard for anything other than themselves (zero empathy). There is no correlation between IQ and these personality traits. These two are about 2-3% of the population. They also commit the most crime, and get caught less. Some of them become CEOs like Elizabeth Holmes.
That is often stated, but the evidence seems unclear. It's hard to differentiate from studies whether a high IQ makes you less likely to commit a crime, or just way better at avoiding detection and never getting into the statistics.
There is plenty of evidence, but it is "controversial". There are metrics that take an entire country's average IQ (that's also racist according to some people) and compare it to the crime rate, and that shows negative correlation as well. Looked up the number, and a study was showing r=-0.64.
That kind of measure seems to suffer from exactly the vagueness I described. Crimes that go undetected don't appear in the statistics. People of low IQ are so incapable of covering their tracks there is no question that they get caught a lot. For high IQ people the jury is out... although the lynch mob may be in.
 

Offline jpanhalt

  • Super Contributor
  • ***
  • Posts: 3673
  • Country: us
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #46 on: August 05, 2024, 05:11:09 pm »
I've edited that sentence out from the OP, as it seems to turn a technical discussion into a more emotional one instead. Mea culpa.
 

We are all guilty of side-tracking a potentially extremely interesting technical discussion.  Now 2 pages later, can we please get back to the original purpose?  That is something I know nothing about and am eager to learn.
 

Offline tszaboo

  • Super Contributor
  • ***
  • Posts: 7653
  • Country: nl
  • Current job: ATEX product design
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #47 on: August 05, 2024, 05:18:46 pm »
That kind of measure seems to suffer from exactly the vagueness I described. Crimes that go undetected don't appear in the statistics. People of low IQ are so incapable of covering their tracks there is no question that they get caught a lot. For high IQ people the jury is out... although the lynch mob may be in.
Ah cool. Let's try this.
At what correlation factor do you say: Yeah, actually you are right.
Hm? 0.8? 0.9? 1.000?
 

Offline Marco

  • Super Contributor
  • ***
  • Posts: 6822
  • Country: nl
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #48 on: August 05, 2024, 05:36:44 pm »
This is why UWB is used for rangefinder functions on e.g. AirTags, and some car key fobs.  The pulses are around 1-2ns long...

No reason this can't be used with the XOR concept BTW. Challenger sends a bit of the salt by either transmitting or not in a time slot, the dongle XORs and sends a pulse back or not. With 24 GHz (5 GHz bandwidth) a couple ns range round trip delay should be doable.
« Last Edit: August 05, 2024, 05:44:59 pm by Marco »
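
Added example (not from any poster in this thread and not any vendor's code): a Python simulation of the scheme discussed in replies #36, #40 and #48, where the fob precomputes a response register, XORs each challenge bit in a timed slot, and the car rejects any round trip longer than the allowed range permits. The class names, the 2 m limit, the 2 ns turnaround and the final transcript MAC are assumptions for illustration, and the round-trip time is computed rather than measured.

```python
import hashlib
import hmac
import secrets

C = 299_792_458.0         # speed of light, m/s
N_BITS = 32               # timed rounds (assumed value)
MAX_RANGE_M = 2.0         # accept the fob only within this distance (assumed)
FOB_TURNAROUND_S = 2e-9   # fixed XOR-and-reply latency of the fob (assumed)
TOLERANCE_S = 1e-9        # timing measurement allowance, about 15 cm (assumed)


def mac(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()


def to_bits(data: bytes, n: int) -> list:
    return [(data[i // 8] >> (7 - i % 8)) & 1 for i in range(n)]


class Fob:
    """Hypothetical fob: slow crypto up front, then a bare XOR per time slot."""

    def __init__(self, key: bytes):
        self.key = key

    def load_register(self, nonce: bytes) -> None:
        # Untimed phase: fill the "shift register" from the first challenge.
        self.nonce = nonce
        self.register = to_bits(mac(self.key, b"reg", nonce), N_BITS)
        self.seen = []

    def fast_reply(self, i: int, challenge_bit: int) -> int:
        # Timed phase: no crypto here, only one XOR, so latency stays fixed.
        self.seen.append(challenge_bit)
        return self.register[i] ^ challenge_bit

    def transcript_mac(self) -> bytes:
        # Binds the replies to the challenge bits this fob actually received.
        return mac(self.key, b"tx", self.nonce + bytes(self.seen))


class Channel:
    """One-way path car<->fob: propagation plus any delay a repeater adds."""

    def __init__(self, distance_m: float, relay_delay_s: float = 0.0):
        self.one_way_s = distance_m / C + relay_delay_s


def car_authenticate(key: bytes, fob: Fob, channel: Channel) -> dict:
    nonce = secrets.token_bytes(16)
    fob.load_register(nonce)
    expected = to_bits(mac(key, b"reg", nonce), N_BITS)
    limit_s = 2 * MAX_RANGE_M / C + FOB_TURNAROUND_S + TOLERANCE_S

    sent, worst_rtt = [], 0.0
    for i in range(N_BITS):
        s = secrets.randbits(1)
        reply = fob.fast_reply(i, s)
        # Simulated round trip; real hardware would timestamp the UWB pulses.
        rtt = 2 * channel.one_way_s + FOB_TURNAROUND_S
        worst_rtt = max(worst_rtt, rtt)
        sent.append(s)
        if reply != expected[i] ^ s:
            return {"accepted": False, "reason": "wrong response bit"}

    bound_m = (worst_rtt - FOB_TURNAROUND_S) * C / 2
    if worst_rtt > limit_s:
        return {"accepted": False, "reason": "round trip too long",
                "distance_bound_m": bound_m}
    if not hmac.compare_digest(fob.transcript_mac(),
                               mac(key, b"tx", nonce + bytes(sent))):
        return {"accepted": False, "reason": "transcript mismatch"}
    return {"accepted": True, "reason": "ok", "distance_bound_m": bound_m}


if __name__ == "__main__":
    key = secrets.token_bytes(16)   # constructed shared secret
    for label, ch in [("fob in car, 1 m", Channel(1.0)),
                      ("ideal repeater, fob 40 m away", Channel(40.0)),
                      ("repeater adding 50 ns each way", Channel(40.0, 50e-9))]:
        print(label, car_authenticate(key, Fob(key), ch))
```

Even the repeater with zero added latency is rejected, because the extra path length alone pushes the round trip past the limit; the measured bound can only grow, never shrink.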
 

Offline coppice

  • Super Contributor
  • ***
  • Posts: 9100
  • Country: gb
Re: Car "Keyless-Go" aka RKE - How it Works and Why it's Flawed by Design
« Reply #49 on: August 05, 2024, 06:02:18 pm »
That kind of measure seems to suffer from exactly the vagueness I described. Crimes that go undetected don't appear in the statistics. People of low IQ are so incapable of covering their tracks there is no question that they get caught a lot. For high IQ people the jury is out... although the lynch mob may be in.
Ah cool. Let's try this.
At what correlation factor do you say: Yeah, actually you are right.
Hm? 0.8? 0.9? 1.000?
Huh? what are you talking about? The question is not about the level of correlation, but what exactly are you seeing correlate.
 

