Proximity Keys

[ian]

this is from London insurance company's refuse to insure cars with smart keys

Car thieves have cracked the technology behind the smart key, to the point that insurance underwriters won’t cover some cars fitted with keyless entry and keyless start systems. According to the Metropolitan police, approximately half of all cars stolen in London are taken without the key. The situation is serious enough for the police to mail drop certain London boroughs, warning residents to take precautions.

Insurance company's are advising owners of cars with smart keys to keep their keys in the fridge because technology can read the keys up to 60 metres away and drive off with your car ,

[Sunny43.5]

I would suggest that anyone foolish to believe that this technology cannot be defeated and that you cannot buy them off the shelf is living in a blinkered world . I would guarantee you that the Chinese have these devices as it was the Chinese first that made a scanning device which fitted in a folder carried under your arm that was able to scan and copy hundreds of credit card details by just walking past a person . If they can do that then this one for car keys would be reality as for importing them I doubt any customs people would even know what they were looking at . I once used MR Minit to clone a key for one of our VW's and it took all of 20 seconds to do .

[ian]

Sunny. It's strange that at first no one believed me. That stealing smart key cars was possible It was a case of shooting the messenger instead of looking at the problem of these Devises.

[brad]

I don't think anyone questioned that smart keys weren't so smart - just the method of obtaining access to the vehicle. There have been previous threads about it on VWWC. Here is the link to it

The quote you made about the London insurers and keeping keys in the fridge is all about the method I was describing (signal boosting) and has nothing to do with the vehicle itself emitting a signal (or you'd have to keep the car in the fridge). Even keeping the keys in the fridge is misleading, you just have to keep them in a home made Faraday Cage (a tin can).

Searching for "Frequently Tracker /Ripper" reveals nothing. Maybe you mean "frequency trapper / ripper"? Even searching for that reveals nothing except for some earth moving attachments.

Basically you are saying "My baker's Aunty says..." and expecting belief without question. It would be helpful if you provided links (like I did above), even if it's just for the insurance thing you have copy/pasted.

[jamesatfish]

ian, it's not that I don't believe there are vulnerabilities with the keyless entry systems (I've even posted examples of how they are vulnerable), but my experience with these systems does not correlate with the existence of a single 'push button and unlock any car' device as a commodity item.

Sunny43.5 refers to credit card skimming - yes that's a reality but the technology involved is very different. The NFC chips in a tap&go credit card are designed to be read - it's a one-way communication process between the credit card and the reader. The NFC standard is well published, anyone can build their own NFC reader, improve the antenna gain and skim from NFC cards. I have no doubt you can buy that type of technology in a box if you're a script-kiddie, from China or otherwise.

The technology of keyless entry systems is vastly more complex than NFC credit cards. For a start, the digital 'key' to unlock the car changes each time the car is unlocked, from a proprietary encryption algorithm cycling through trillions of possible key combinations. Brute forcing a keyless entry system, which is what a 'one size fits all' magic box would need to do in order to be able to unlock any car, is not computationally viable for a supercomputer array, let alone a piece of hand-held hardware running an ARM chip at 1Ghz.

ian - you quoted above from an insurance company in London advising people hide their keys in the fridge - the faraday shield approach that brad mentioned in Post #2. That implies that these car thieves are using signal boosters and other key-based attacks to steal the cars - approaches that we've all confirmed are possible, valid and have occurred in the wild. Again, I am sure that these types of devices can be bought as a commodity somewhere.

For specific vehicles there have been proven attacks to unlock vehicles and perform other tasks electronically. I know of cases where Chrysler vehicles have been compromised through their always-on IP connection, and where certain cars with Bluetooth Audio have been compromised by BLE chips that stay awake whilst the car is switched off, allowing access to the CAN network. I am aware of the Cambridge University attack on particular VW models that was suppressed by court order, however to the best of my knowledge that attack was against a car that didn't have keyless entry and it certainly wasn't a brute-force style of attack.

What I don't believe is that you can jump onto AliExpress, or SilkRoad, or any other website, and buy a portable device that is able to unlock the doors, disable the immobiliser and start the engine in any car with a keyless entry system. As such, I don't believe that electronically stealing a keyless entry car (one without an IP connection) without the key being in electronic range is an attack vector I should be particularly concerned about at this time.

[ian]

You entitled to your opinion. Weather he locks onto the owners key signal or he captures the sign emitted from the car I can't say I only know what he told me and I have no reason to doubt. What he told me ,he unlocks and starts cars for repo. Company's.

[brad]

[AALocksmiths]

I once used MR Minit to clone a key for one of our VW's and it took all of 20 seconds to do .

It would of been an old VAG car, pre 2000? as these were using the first generation of the Megamos chip, like you said quick to clone. The second generation CAN NOT be cloned, Yet*.

I am aware of the Cambridge University attack on particular VW models that was suppressed by court order, however to the best of my knowledge that attack was against a car that didn't have keyless entry and it certainly wasn't a brute-force style of attack.

I think that the one you might be referring to is how they found a weakness in the encryption on the Megamos chip. This happened a couple of years ago and as you said there was a court order preventing them from releasing their full paper on it. What I understand is that Megamos actually patented part of the encryption which means that companies can not legally use it until the patent runs out. This would stop the companies that make the tools to clone the chips, but not the crooks that want to pinch your car.


The big issues that I know about in the UK was first with BMW keyless cars being pinched. This was being done by the window being smashed ( Or picking the lock) and then using an OBD tool to code in a new FOB, this only took 10 seconds to happen. BMW have since some up with a couple of software updates to "fix" this. They haven't stopped it but it does take longer now.

A year or so later the same thing was happening with Land Rover which was using a similar system to BMW. So the insurance companies said that they will not insure keyless cars unless they were garaged, good luck with that in London.

The problem that I see with how security has changed is that car thief's used to have to be skilled and know how to remove or bypass a cars security system. Now that everything is electronic all it takes is one smart nerd to work out how to bypass/ manipulate the security, make a tool that's easy to use and then an idiot can steal your car.

[Sunny43.5]

Yes AA it was a pre 2000 VW we did a complete engine swap from a diesel powered T4 van to a 2.5 petrol so everything including instrument cluster was changed . After fitting the old diesel stuff into the donor van for resale it would not start Jmac was the one who informed me about the keys being coded so Mr Minit cloned it , what a relief as I had spent days trying to figure out why the B would not start . Another way to defeat thieves would be to simply remove a fuse and rewire it into a hidden switch , lets face it with 120 plus fuses in some of VW's models who would bother with attempting to figure out which one to replace , and then you need to be a person who is able to decipher Egyptian hieroglyphic's as those fuse charts are murder to interpret .