
Thread: Proximity Keys

  1. #11
    Join Date
    Dec 2009
    Location
    Kew, VIC
    Posts
    664

    Quote Originally Posted by Sunny43.5
    we have been putting a key in our ignition and turning it to start for the last hundred years and now someone wants to make us get in with a remote and press a button to start . .
    Hardly a hundred years — my first car had a magneto and a starting handle. Key starts trickled in after WW2.

    Somewhat in the same vein is the experience of one of my relatives a couple of days ago — she betook herself to the local golden arches for a snack, parked the car (which she's only had for a couple of weeks,) unbuckled, tried to open the door and found herself locked in.
    Panic Stations! Rang No 2 son who, as is his habit, didn't answer his phone.
    Tried again, same result.
    Rang RACV and explained the situation. "How long will it take someone to get here?"
    Call taker: "Do you have your car key with you?"
    "Yes, I do."
    Call taker: "Press the button." Problem solved.

    Automation is the name of the game nowadays — I think it's a bit brain-numbing.

  2. #12
    Join Date
    Feb 2008
    Location
    ACT
    Posts
    566
    Quote Originally Posted by ian
    The locksmith does repo work for finance companies. He does not need your key. I suppose it's like those aftermarket remotes for your TV/DVD. They just scroll the signal being sent from the car and lock onto it. He said he could open any car and drive away.
    Breaking into a modern KESSY system in a VW without a key nearby is a bit harder than that. The key length (that's the bits-and-bytes encryption key) is too long to brute force attack (test each possible key in sequence), and KESSY includes measures that will slow down responses to rapid key requests to prevent this kind of attack. I doubt a pure electronic attack without a physical key would be a fruitful exercise against most rolling code systems.

    A good locksmith would more likely compromise the physical door lock to gain access to the cabin, at which point your options increase rapidly. In some VWs at this point the easiest way to drive off with the car is to bring a dash cluster (which is where the immobiliser is housed) and a key coded to that cluster. Swap the dash cluster (30 second job), use your own key to start the car.

    With a key nearby it's much easier. You can use a signal booster to bridge the physical gap between car and key, so if the key is within the range of your antennas you can start the car as if it was in your pocket. Useful if stealing a car when the owner is home.

    Another more recent innovation is a key storer. Essentially it's a device with 3 radios and some shaped antennas that captures digital keys and plays them back at a future time.

    It works like this - as the car thief you hide the device near the car. It sends out a signal on one radio that provides background noise on the frequency the car key uses to communicate with KESSY to prevent the real key talking to the car.

    When the real key comes close and the owner goes to unlock their car, a second radio captures the encryption key. The car doesn't unlock though as the noisy radio has blocked the signal.

    The owner tries again, and again a new encryption key is captured by the device, but this time it plays back the first key on the 3rd radio. The car recognises the valid key and unlocks.

    Sometime in the future the owner goes away, taking their keys and leaving the car. Your device has one valid encryption key stored, so you play that back, the car unlocks and off you drive.

    All scary stuff, though unless you're a professional targeting high-end cars you'd probably just as easily break into the house, grab the actual car keys and go from there.
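
The counter-window behaviour that the stored-code scenario in the post above depends on, as an added example (not part of the original post, and not KESSY's or any real vehicle's protocol): a receiver that accepts any unused code in a look-ahead window still accepts a code that was transmitted earlier but never delivered, whereas a response bound to a car-issued nonce does not. `KEY`, `WINDOW` and all class and function names are assumptions made for the model.

```python
import hashlib
import hmac
import os

KEY = os.urandom(16)   # constructed secret shared by the model fob and car
WINDOW = 16            # assumed look-ahead window, not a real vehicle's value

def mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:8]

def rolling_code(counter: int) -> bytes:
    """Fob side: one-way code derived from a counter that only increases."""
    return mac(counter.to_bytes(4, "big"))

class RollingCodeCar:
    """Accepts any unused code up to WINDOW steps ahead of the last one."""
    def __init__(self):
        self.last = 0
    def accept(self, code: bytes) -> bool:
        for c in range(self.last + 1, self.last + 1 + WINDOW):
            if hmac.compare_digest(code, rolling_code(c)):
                self.last = c          # c and everything before it is spent
                return True
        return False

class ChallengeCar:
    """Issues a fresh nonce per attempt; a response matches that nonce only."""
    def __init__(self):
        self.nonce = None
    def challenge(self) -> bytes:
        self.nonce = os.urandom(16)
        return self.nonce
    def accept(self, response: bytes) -> bool:
        nonce, self.nonce = self.nonce, None   # each nonce is single use
        return nonce is not None and hmac.compare_digest(response, mac(nonce))

def withheld_code_outcome():
    """Two presses never reach the car; the first code arrives late."""
    car = RollingCodeCar()
    first, second = rolling_code(1), rolling_code(2)
    return car.accept(first), car.accept(second), car.accept(first)

def stale_response_outcome():
    """A response to an old challenge is presented against a newer one."""
    car = ChallengeCar()
    old = mac(car.challenge())     # fob's answer that was never delivered
    car.challenge()                # later attempt: car picks a new nonce
    stale = car.accept(old)
    return stale, car.accept(mac(car.challenge()))

if __name__ == "__main__":
    print(withheld_code_outcome())   # (True, True, False)
    print(stale_response_outcome())  # (False, True)
```

Binding the response to a fresh challenge addresses stored codes only; it does nothing about the signal-booster case in the same post, where a live key answers the live challenge over an extended link.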

  3. #13
    Join Date
    Jul 2010
    Location
    Robina Gold Coast
    Posts
    1,172
    Thread Starter
    Well, the Master Locksmith I spoke to has the latest equipment available.

  4. #14
    Join Date
    Aug 2014
    Location
    Adelaide
    Posts
    146
    Quote Originally Posted by jamesatfish
    Breaking into a modern KESSY system in a VW without a key nearby is a bit harder than that. The key length (that's the bits-and-bytes encryption key) is too long to brute force attack (test each possible key in sequence), and KESSY includes measures that will slow down responses to rapid key requests to prevent this kind of attack. I doubt a pure electronic attack without a physical key would be a fruitful exercise against most rolling code systems.

    A good locksmith would more likely compromise the physical door lock to gain access to the cabin, at which point your options increase rapidly. In some VWs at this point the easiest way to drive off with the car is to bring a dash cluster (which is where the immobiliser is housed) and a key coded to that cluster. Swap the dash cluster (30 second job), use your own key to start the car.

    With a key nearby it's much easier. You can use a signal booster to bridge the physical gap between car and key, so if the key is within the range of your antennas you can start the car as if it was in your pocket. Useful if stealing a car when the owner is home.

    Another more recent innovation is a key storer. Essentially it's a device with 3 radios and some shaped antennas that captures digital keys and plays them back at a future time.

    It works like this - as the car thief you hide the device near the car. It sends out a signal on one radio that provides background noise on the frequency the car key uses to communicate with KESSY to prevent the real key talking to the car.

    When the real key comes close and the owner goes to unlock their car, a second radio captures the encryption key. The car doesn't unlock though as the noisy radio has blocked the signal.

    The owner tries again, and again a new encryption key is captured by the device, but this time it plays back the first key on the 3rd radio. The car recognises the valid key and unlocks.

    Sometime in the future the owner goes away, taking their keys and leaving the car. Your device has one valid encryption key stored, so you play that back, the car unlocks and off you drive.

    All scary stuff, though unless you're a professional targeting high-end cars you'd probably just as easily break into the house, grab the actual car keys and go from there.
    KESSY is the immo, not the dash. Changing the dash or the KESSY to get the car started is also not that straightforward. VAG cars use what is called component security, where a lot of the electronic components (like the key) are coded together, so if you changed out any of these you will have to adapt it to the car; not a quick job.

    As you said, brute forcing a car's security system is not that straightforward. There are some cars that are simpler, and there have been a few cases of them being easily stolen.


    Quote Originally Posted by ian
    Well, the Master Locksmith I spoke to has the latest equipment available.
    Sorry, but there is no such thing as a tool that will do it all. A lot of these security systems are very complex; however, once the car is open and you have access to the OBD they can then become an easier job. But not easy like walk up to it, press a button on a little black box and then drive off. What he most likely has is what has been mentioned, and he is amplifying the signal from an existing key; this is a much simpler process.

  5. #15
    Join Date
    Feb 2008
    Location
    ACT
    Posts
    566
    Quote Originally Posted by AALocksmiths
    KESSY is the immo not the dash. Changing the dash or the KESSY to get the car started is also not that straight forward. VAG cars use what is called component security where a lot of the electronic components ( Like the key) are coded together, so if you changed out any of these you will have to adapt it to the car, not a quick job.
    My bad, my comment about replacing the dash to swap the immobiliser was based on non-KESSY, older VWs - Mk5 and earlier, or other models where the immobiliser process happens in the dash cluster.

    You're right of course about the component security - though that can be somewhat avoided using a man-in-the-middle device at the right point on the CAN bus to replace key data in the authentication / security CAN packets with the appropriate key data from your known cluster/ignition key.

    Yet again of course simpler is better - a flatbed truck will bypass every one of those electronic anti-theft devices.

  6. #16
    Join Date
    Oct 2008
    Location
    Mt Cotton
    Posts
    3,753
    Quote Originally Posted by Idle
    Hardly a hundred years — my first car had a magneto and a starting handle. Key starts trickled in after WW2.

    Somewhat in the same vein is the experience of one of my relatives a couple of days ago — she betook herself to the local golden arches for a snack, parked the car (which she's only had for a couple of weeks,) unbuckled, tried to open the door and found herself locked in.
    Panic Stations! Rang No 2 son who, as is his habit, didn't answer his phone.
    Tried again, same result.
    Rang RACV and explained the situation. "How long will it take someone to get here?"
    Call taker: "Do you have your car key with you?"
    "Yes, I do."
    Call taker: "Press the button." Problem solved.

    Automation is the name of the game nowadays — I think it's a bit brain-numbing.
    Okay, maybe not a hundred years, but I was just making a point that the system we all grew up with worked fine, but as an old school person I hate them. As for automation, again I like to think that I have a brain and I like to use it to make decisions for myself. Example 1: it's raining and I see that it is getting wet on the windscreen so I TURN on the wipers. 2: It's getting dark so I TURN on the lights. 3: I want to change lanes so I LOOK before I change lanes, not rely on some lane change avoidance system to do what GOD gave me eyes for. I could go on about self parking and all the other s^&%t but I may end up blowing a gasket. Give me a key any day over a remote thing. One writer on VW's Facebook page could not stop his VW; it just kept running and would not turn off until it ran out of fuel. Pretty damn stupid if you ask me.

  7. #17
    Join Date
    Jul 2010
    Location
    Robina Gold Coast
    Posts
    1,172
    Thread Starter
    I decided to get a spare key cut just for my wallet, so I went and saw the Master Locksmith and showed him what you had posted. He laughed, as he said you didn't know what you were talking about. Modern cars with Proximity keys are constantly sending out a signal, an ORB searching for the sender. He said to tell you that what he uses is a Frequently Tracker/Ripper. He said to tell you once he locks onto the signal being sent from the car it also disarms the immobilizer. He only has to hop in and push the push button and he can drive off. He said he has repossessed heaps of these cars, and he doesn't need to break into anyone's house to get their keys.
    And he cut a new laser cut key for me for $30 as I had a spare blade just for the door; works a treat. The last time I had one cut I was charged $60, so it was very cheap.

  8. #18
    Join Date
    May 2008
    Location
    Erskineville, NSW
    Posts
    7,593
    As I said before, your master locksmith sounds very irresponsible telling you all this.

    And please have some respect for other folk that obviously have quite a bit of knowledge on the subject.
    carandimage The place where Off-Topic is On-Topic
    I used to think I was anal-retentive until I started getting involved in car forums

  9. #19
    Join Date
    Feb 2008
    Location
    ACT
    Posts
    566
    I'm glad to hear your locksmith had a laugh. I've never had to repossess a car using the techniques I described so I didn't realise my info was so far off base - I can only share what I've learned from running a company that writes CAN code and low level interface hardware for VWs.

    Your locksmith might be interested in the Blackhat conference - https://www.blackhat.com/us-15/ - this year's conference focussed on automotive hacking, although most of the attack vectors there are IP based rather than directly attacking the keyless entry radio and encryption system.

  10. #20
    Join Date
    Jul 2010
    Location
    Robina Gold Coast
    Posts
    1,172
    Thread Starter
    Well James, this is his profession. I'd imagine you cannot buy these devices off the shelf. You might not believe what he told me about what he does. And as far as being irresponsible, Brad, how could that be? You or I could not buy this kind of equipment without proper licensing and checks. He was just explaining the weaknesses in the Proximity key adaptation in cars and how easily it could be overridden.
