
Cars and Key Fobs: Attacks on Car Remotes

sorenjan

BMW has a page describing the use of UWB (Ultra Wide Bandwidth) radio in key fobs and how it helps against relay attacks. In short it's because the wide bandwidth allows for very short pulses which lets them measure the distance between the car and the key, and using a relay will inevitably add distance and therefore time between the signal is sent and the reply is received.

https://www.bmw.com/en/innovation/bmw-digital-key-plus-ultra...

pwarner

I believe this was ratified into a standard so it should show up in more new cars. https://carconnectivity.org/car-connectivity-consortium-publ...

H8crilA

The core problem is that older systems never proved distance in any rigorous sense, they only proved connectivity/liveness. Pretending that you're closer than you are is sometimes called in research "the mafia fraud attack".
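A toy model of the point made in the two comments above, added here as an illustration rather than taken from the BMW page or anyone in the thread: a UWB-style verifier measures round-trip time and converts it to a distance, so a relay can only ever make the fob look farther away, never closer, while a liveness-only check (the "mafia fraud" case) accepts any correctly authenticated reply regardless of timing. The fob turnaround delay, the 5 m unlock threshold and the relay latency figures are constructed assumptions.

```python
"""Toy time-of-flight range check, as a UWB-style car/fob verifier would do it.

Constructed example: the fob turnaround delay, the 5 m unlock threshold and the
relay latency are made-up values chosen to show the arithmetic, not measured ones.
"""
from dataclasses import dataclass

SPEED_OF_LIGHT_M_PER_NS = 0.299_792_458   # metres travelled per nanosecond
FOB_REPLY_DELAY_NS = 1_000.0              # fixed processing time inside the fob (assumed)
MAX_UNLOCK_DISTANCE_M = 5.0               # policy threshold (assumed)


@dataclass(frozen=True)
class RangeDecision:
    round_trip_ns: float
    estimated_distance_m: float
    accepted: bool


def distance_from_round_trip(round_trip_ns: float, reply_delay_ns: float) -> float:
    """Two-way ranging: remove the fob's fixed turnaround, halve, convert to metres."""
    one_way_ns = (round_trip_ns - reply_delay_ns) / 2.0
    return one_way_ns * SPEED_OF_LIGHT_M_PER_NS


def measured_round_trip(true_distance_m: float, reply_delay_ns: float,
                        relay_overhead_ns: float = 0.0) -> float:
    """What the car's clock sees: two flights, the fob turnaround, plus any relay latency."""
    one_way_ns = true_distance_m / SPEED_OF_LIGHT_M_PER_NS
    return 2.0 * one_way_ns + reply_delay_ns + relay_overhead_ns


def decide(round_trip_ns: float, reply_delay_ns: float = FOB_REPLY_DELAY_NS,
           max_distance_m: float = MAX_UNLOCK_DISTANCE_M) -> RangeDecision:
    """Accept the unlock only if the implied distance is within policy."""
    d = distance_from_round_trip(round_trip_ns, reply_delay_ns)
    return RangeDecision(round_trip_ns, d, d <= max_distance_m)


def legacy_liveness_check(crypto_valid: bool) -> bool:
    """The older design: a correctly authenticated reply is enough, timing is never checked."""
    return crypto_valid


def scenarios() -> dict:
    """Honest fob at 2 m; owner 50 m away behind a relay; the same with a zero-latency relay."""
    honest = decide(measured_round_trip(2.0, FOB_REPLY_DELAY_NS))
    # Relay hardware that demodulates and retransmits adds latency; 100 ns is an assumed figure.
    relayed = decide(measured_round_trip(50.0, FOB_REPLY_DELAY_NS, relay_overhead_ns=100.0))
    # Even a hypothetical zero-latency relay cannot remove the extra path the signal travels.
    ideal_relay = decide(measured_round_trip(50.0, FOB_REPLY_DELAY_NS))
    return {
        "honest": honest,
        "relayed": relayed,
        "ideal_relay": ideal_relay,
        # A liveness-only verifier accepts the relayed reply because its crypto is genuine.
        "legacy_relayed": legacy_liveness_check(True),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Every nanosecond of added round trip reads as roughly 15 cm of distance, so a relay that digitises and retransmits with even a microsecond of latency looks like an extra 150 m; that is why a distance-bounding verifier rejects it without needing to know a relay exists.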

throw0101d

For a good modern day automobile security system, at least in the US, get a car with a manual transmission.

recursive

How do people learn to drive manuals in 2025? It used to be that you used your buddy's/parent's beater in the back of the mall parking lot.

But no one has one anymore. I tried to learn in the 90s for about an hour, and never managed to get the car moving forward rather than bouncing. At this point, I don't have much desire to try again, but I wouldn't know how to try if I wanted to.

ge96

Cheap standard cars like a miata are fun to drive

edit: if you buy em old I mean

me I want an Exige

ge96

So funny the guy towing my car couldn't drive it so I had to drive it onto the ramp

madphilosopher

Vulnerabilities like this lead to car thefts. Some models of cars are more susceptible than others, and the manufacturers seem unwilling to fix the problem. The insurance companies know which models are more trouble for them, and so they set higher rates for these, which punishes the driver/owner for something outside of their control.

My solution? Require the manufacturers of vulnerable models to pay the insurance on behalf of the driver/owner as long as the vulnerabilities go unfixed.

emeril

Part of what helps is, at least, getting insurance quotes before buying a car, so you see the true cost of THAT car.

pinko

Consumer Reports will also inform you of things like this in advance, if you look. (For this and 100 other reasons, it's worth paying for a digital sub.)

potato3732842

Consumer Reports reporting is bought and paid for by the OEMs. They'll make a big issue out of nothing or minimize real issues depending on where the money is coming from. This goes back at least as far as the Samurai rollover scandal.

Pretty much all industry journalism where the journalists depend on being in the good graces of the manufacturers to get the access they need to make their content is like this.

Mister_Snuggles

Do people not look at the operating costs before buying a vehicle? Do they really just negotiate a monthly payment and get surprised at the amount they have to pay for fuel/maintenance/insurance?

When I bought my most recent car I had a spreadsheet which projected fuel (whether that's gas, electricity, or gas+electricity) and maintenance costs (there was some ball-parking here) for a dozen different models based on our driving habits. Once the list was narrowed down a bit I did some online quotes at my insurance company to add that in.

There were no financial surprises when I bought the car.

lsy

This is unnecessarily self-congratulating. The problem is that vulnerabilities are found in cars after they are on the market for a while and already purchased, so existing owners get their rates hiked, but the manufacturer never fixes the issue. No amount of research is going to guarantee your operating cost next year.

vel0city

> When I bought my most recent car I had a spreadsheet

Yeah so already different from like 90% of car buyers out there.

H8crilA

BTW, car keys (physical keys) are notoriously weak, generally susceptible to simple raking attacks. You can learn how to rake a lock in a few minutes, and the rake+tensioner itself costs around $5. And all cars include a physical key as a backup entry method. This was partially solved by adding another device that cuts off the engine, the immobilizer, which still allows the attacker to get in, but not to drive off.

graemep

> And all cars include a physical key as a backup entry method.

Which means you are safer with just keys rather than keys plus another way to open the doors.

> This was partially solved by adding another device that cuts off the engine, the immobilizer

If the key does not need to be physically inserted to start the engine (which is true in many cars), then that is liable to attack using the remotes too, right?

PinguTS

Fun fact: in the past Ford and Volkswagen had only a limited number of different variations for the coding of their physical keys, so you could open and start several cars with the very same physical key.

I assume that this was also true for other brands.

stevenAthompson

Many fleet vehicles are still this way. The 1284x key, for example, can open a surprising number of things including many older police vehicles.

A few hundred dollars more on Amazon will net you a magic keyring that can open a surprising number of vehicles, buildings, control systems, and vending machines.

If you're into that sort of thing, check out Deviant Ollam's physical pentesting videos on YouTube.

fnord77

> magic keyring

Are you talking about the "1284x FEO-K1 16120 222343 CH751 CH501 C346A C390A E114 " set?

jabart

This happened to me! Friend had a similar car and at night they went to mine and the door unlocked but the car wouldn't start. The door only had a few pins it checked while the ignition used every pin. We compared our keys and sure enough one part of it was the same.

thrtythreeforty

OBS Ford F-150s do this and it's not common knowledge even among enthusiasts. The back 4 pins work the door, the front 6 or so pins work the ignition. A common problem is that the ignition barrel keyswitch dies and you have to replace it, but then you have separate keys for the door and ignition. I took the new ignition key to a locksmith and had him copy the 4 back pins from the factory key, and I was back to a single key!

devmor

I had a similar experience once when I drove a Prius. Walked out of the grocery store, hit the unlock button, got into my car, then wondered why the seat was too far forward - before realizing it was not my Prius.

CableNinja

My mom and my friend's mom both drove Toyotas, completely different models and many years apart. By coincidence the key for my friend's mom's car worked for my mom's, for unlock and start, but my mom's could only unlock the other one.

dornan

Fun fact: the same applies to common household locks. If you take your household key and try all the same-brand locks in your neighborhood (~50) you'll likely find a match. Don't actually do this, your neighbors will think you're causing trouble.

XorNot

The thing is, if you have time to rake a car lock, you can also just break the window if you're going to rob the interior.

The key fob attack is superior since no one looks twice if you walk up to a car, it unlocks from a hand held device and then you get in and drive off.

Crosseye_Jack

With practice raking doesn't take that much time and "usually" comes with the benefit of not tripping the alarm that the door was opened (because the car "thinks" the door has just been unlocked with a key).

<EDIT> Seems HN has different experiences with their cars than my own, so I'll concede the idea that the alarm doesn't trip when using the key. It seems the cars I've had in the past are the exception to the rule. </EDIT>

The thing is, in the real world, no one really looks twice when someone gets into a car unless they are using obvious brute force to get into the car.

Kirby64

Not true for most alarm systems. If the car is locked, then any opening without the key fob unlock button will trigger the alarm in my experience.

testing22321

I had a non electronic key cut for my Jeep so I could zip tie it under the frame for emergency use. It will not start the engine, but does open the door locks. When I open the doors with it, the alarm goes off.

HPsquared

I think that mechanical key behaviour depends on the car. I'm pretty sure my BMW sets off the alarm if I use the mechanical backup key, but it turns off when I put the key in the ignition slot.

H8crilA

It is superior, but a lot more difficult to pull off. And what if raking takes just 5-15 seconds? Because that's how fast it often is.

And in either case you still need to deal with the immobilizer, and turn the core of the ignition lock. Unless your radio device is that comprehensive :)

Crosseye_Jack

Presuming it's a modern car (and if we are talking about keyless entry/start, we are), then you just plug an "Emergency Start Device" into the OBD port or the BCM module and drive away. Heck, a lot of these "Emergency Start Devices" can also unlock the car, but that often involves pulling panels/lights from the car to get to the CAN bus to run the attack.

So that attack, when done on its own, is mainly left to stealing cars off drives at night rather than, say, from a supermarket's car park during the day.

kevin_thibedeau

Push-to-start eliminates the need to turn a physical lock. They drop to zero security once their RF is broken.

thimkerbell

What does Tesla have?

DaSHacka

An RFID key with an optional mobile app, AFAIK.

myself248

For the time being, I just store my keys in a little cast iron dutch oven, sitting on top of the fridge.

It's extremely effective as a shield for the 125kHz LF wake-up signal, and I've been unable to elicit a response when they're in there, even with a relay setup that reliably wakes them up from several feet away otherwise.

stavros

Unrelatedly, I didn't realize "Dutch oven" had a non-fart-related meaning, thanks for the new word.

xeromal

haha, I think the fart connotation is just that you're trapped with the lid (blanket) on.

stavros

It all makes sense now.

onionisafruit

I learn something new here every day.

- I ain't cut out to be Jesse James
- You don't go writing hot checks down in Mississippi
- Dutch oven has a non-fart meaning

abirch

I purchased some cheap key fob faraday bags on Amazon.

The bags work while I'm in the car.

gambiting

I just don't understand why manufacturers don't follow Volvo on this - their keyless keys just go to sleep if they aren't moved for a few seconds, and they won't respond to any signal while sitting on a table for example.

roelschroeven

That solves part of the problem, but doesn't help when you're in a supermarket or any other event where you're moving around.

My previous cars had keys that I could manually switch off and on, which is also not a full solution because it only works for people who take the effort to always do that, but at least it gives people the opportunity to completely prevent relay attacks.

All in all I'm not a big fan of key-less entry. Having to press a button on a key to gain entry can maybe be a bit of an annoyance, but in my opinion it's not a big deal compared to the advantage of completely preventing relay attacks.

emeril

Maybe so, but this would seemingly solve most of the problem with easy-to-implement tech.

The real test is to find out if this effectively eliminated all fob hacks for Volvo, since they may not be faster than the tiger, they just need to be faster than everyone else...

gambiting

My previous car (a Mercedes) had a very, very simple solution to this - you clicked the lock button twice and it just disabled the keyless entry entirely until you pressed any other button.

> the advantage of completely preventing relay attacks.

From my understanding ToF sensors are good enough now to completely prevent relay attacks; the added time for the relay just adds too much of a delay and it gets rejected. I believe the newest Range Rovers use that; they went from being extremely susceptible to relay attacks to relay attacks against them being impossible.

dzhiurgis

Phone based keys leapfrogged this

hamburglar

Except phone based keys are terrible in many other ways

brk

Your microwave oven also makes a good Faraday cage.

asciimov

That's an expensive mistake waiting to happen.

potato3732842

Why would you ever turn on your microwave without opening it to put something in it? It's not like an oven that has to preheat.

crustycoder

This is an old article and whilst there are undoubtedly still vulnerable vehicles, with the advent of UWB it seems to be a solved problem.

My car has UWB; there's an LED on the fob that blinks when it is in range, and if it's stationary for a short time it deactivates as well. Some experimentation suggests you need to be within about 5m of the car to open the doors.

The localisation seems to be very accurate: even if you can open the car from a distance, it won't start unless the fob is physically within it. If I sit in the driver's seat, the fob has to be less than 10mm away from the outside of the driver's window, otherwise it refuses to start.

ta1243

I have a physical key which I physically put in a hole in the steering column. This means I know exactly where it is when I come to park the car, and you need to physically have it in contact to drive the car away.

I don't get the appeal of keyless ignition.

hermitcrab

I had a car that unlocked as soon as you walked near with the fob. I hated this feature, because you were never sure if the car (with your expensive laptop in the boot/trunk) was actually locked. I ended up giving the key to a family member and getting them to walk a distance away, so I could try the door handle and check it was actually locked.

RunningDroid

My family have both a Chrysler and a Subaru that try to do this, but they can't always keep up. (Sometimes I walk too fast and pull on the handle before it unlocks the door.)

2rsf

This is as easy to break and as susceptible to theft as keyless, so what's the benefit?

marxisttemp

People with bulky keychains often just throw them in their bag or purse and it can be annoying to fish them out.

I personally put a very high value on having a minimal keychain and wallet since I rarely carry a bag with me. The goal is to someday live in a state with Apple Wallet drivers’ license support, in a house with NFC smart locks, driving a car with Apple Car Key, at which point I could finally completely jettison my keys and my MagSafe wallet. I don’t want to carry physical keys when I’m already constantly carrying a device with a Secure Enclave and biometrics.

blacksmith_tb

A beautiful aspiration, until you lose or break your phone...

vel0city

People lose wallets. People lose car keys.

My PaaK car has a backup passphrase to start it. It can be used in a pinch if my phone isn't working. I can't say the same if I lose my car key.

If I go on a long trip I'm likely to bring multiple car keys and multiple payment methods. This is still true if I'm doing PaaK.

ryandrake

Or if you don't tend to bring your phone with you to do a bunch of errands. If all my locks were tied to my phone, I'd have to fish it out of the drawer whenever I go anywhere. OP said he "constantly" carries his phone with him, so maybe not a problem for him. Am I the only person in the world who leaves the phone at home if I'm not planning to use it?

brk

Not sure why you're being downvoted, I'm exactly the same. House locks are already electronic/automated; I haven't carried a physical house key in years. Cars use fobs, and for newer vehicles there is no option for physical keys anyway. When I leave the house I take my phone, plus the solo fob for whatever vehicle I am driving. I have no desire to have a ring of multiple physical keys and fobs with me.

cholantesh

Because it's a wild Rube Goldberg solution to a minor inconvenience.

dzhiurgis

My phone has a card, opens my car and my garage door. Haven't had any trouble for years. Saved me hours of looking for each of those items separately.

kenjackson

I’m honestly very surprised that you don’t see the appeal. Are there other things people view as conveniences that you don’t see the appeal of? E.g., keyless entry or remote lock?

cholantesh

Do they really, though? I don't know anyone who raves about how much more convenient button start is, they either dislike/distrust it or don't really care either way.

whartung

I love the entry on my '14 Jeep.

Walk up, put your hand in the handle, and it unlocks. Get in, press the button, and it starts. This is a fabulous "happy path" that is seamless.

Nothing happens without an actual action, but the actions are natural and organic to the task. The sensor is inside the door handle, combined with the key fob, and it just opens when you slide your hand into it. It's a truly marvelous experience.

My keys stay in my pocket. Since I open the door for my wife anyway, it just works. (She can open the door, I just have to be close.)

Similarly, when we open the rear lift gate, it just opens. This also unlocks the rest of the vehicle (in contrast to if I push the gate open button on the fob, only the rear gate is open, not the rest -- which I find odd).

When leaving, I press a lock button on the handle to lock the car.

It's a great compromise, and works really well.

vel0city

I absolutely rave about it. Every time I get a rental car that needs a cut key in an ignition cylinder it's a massive pain. I wouldn't buy a car that doesn't have push button ignition and would prefer for all cars I buy going forward to have phone as a key as an option.

For my personal cars I either use phone as a key or I'll keep the key fob in my bag. So I just walk up to the car, the car either auto unlocks or I press the button on the door, I get in, I press the button, and I go. When I'm done I just grab my bag and walk away and the car will auto-lock or I just press the door button. So smooth, I never need to really handle the key at all. It just stays in its specific pocket in my bag or it's just my phone in my pocket.

With a cut key, I walk up to the car. I need to fish around in my bag to grab the key. I then need to stick the key in the door and turn it, using care to not scratch the paint. I get in the car, need to insert the key, turn it and hold it long enough for it to start. When I'm done driving, I take the key out, grab my bag, and get out of the car. I then need to once again insert my key into the door once again being careful to not scratch anything, turn it to lock. Then I need to put the key away again.

And then phone as a key is incredibly nice, definitely my preferred way. I can easily leave the house for most errands with nothing but my phone on me. It's my car key, my payment method, my transit pass, my paperback novel, my portable music player, my camera, my maps, my communicator, all in one tiny package. Incredibly freeing compared to having to carry a bunch of junk in my pockets just to get groceries or whatever.

gadders

So many Range Rovers are being stolen in the UK that the manufacturer has started contributing towards insurance costs: https://www.whatcar.com/news/range-rover-insurance-owners-to...

Tagbert

perhaps they should also contribute to a solution to the weak encryption?

trishmapow2

Did a high school project on the jam and replay attack mentioned here: https://github.com/trishmapow/rf-jam-replay. Low cost SDRs have been a real game changer in letting the average Joe get started in this space. Good to see that more unis have courses with this type of hands on experimentation.

DebtDeflation

The current gold standard for vehicle theft protection is:

IGLA system to block the CAN bus, LIN bus, and OBDII port. It also protects against key fob cloning/relay attacks.

+

A hidden physical kill switch that cuts off the fuel pump relay (the company 41.22 makes a drop-in that doesn't require wire splicing).

+

A hidden GPS tracker with an onboard backup battery in the event the car battery is disconnected.

None of this stops someone with a flatbed from simply towing your vehicle away, but at least the GPS tracker will give you a window to locate them.

unnouinceput

If I have a towing tool for your car, be sure I have a Faraday cage too to block all your GPS trackers while I dismantle the car. Think big truck that is isolated from both sound and electromagnetism and I simply hack at your car with my wrenches, selling your expensive Tesla for parts.

DebtDeflation

That's an issue once the tow truck gets where it's going, but the GPS tracker will record/broadcast the path there.

stavros

It doesn't take much to jam GPS, I'd imagine a small handheld device could easily do it. The GPS signal is already below the noise floor.

exhilaration

GPS jammers are less than $30 on Alibaba; truck drivers have been using them for over 10 years [1] to defeat their bosses' tracking devices.

Multi-band jammers are $1000; burglary rings are using those to block all Wi-Fi, cell, and GPS signals - check out this arrest report from last week in Pennsylvania [2]. If I were a high-end car thief, like in Gone in 60 Seconds, that's what I would use.

[1] https://www.theregister.com/2013/08/12/feds_arrest_rogue_tru...

[2] https://dauphin.crimewatchpa.com/lowerpaxtonpd/3730/cases/or...

zero_k

Broke a few of these for my old work -- HiTag2 and Megamos. Some of the code & knowledge used for the attack is online & published, but neither can be used to actually break the ciphers as-is [1][2]. The issue used to be that the cipher employed needed to be low-power, fast, and reliable. With current technology, one could easily use AES, and no serious auto maker should be using HiTag2/Megamos. They were hand-rolled ciphers. The way AES is used (i.e. the protocol itself) could still be wrong, of course, e.g. allowing for replay attacks, etc.

[1] Doesn't have some features which you need to use to actually attack HiTag2: https://github.com/msoos/grainofsalt

[2] Used for various pre-processing that is useful (but not necessary) to break Megamos, but _far_ from the actual attack: https://github.com/meelgroup/bosphorus/

Ballas

Code-hopping remotes have existed for a very long time, and I am really surprised that it's not the case here. I have had cars that were made in the 90s that used KeeLoq, a technology from the mid 80s.

In fact, all of my door openers and car remotes have some form of code-hopping and it's certainly not because they were specifically chosen for that aspect.

Sure, there are attacks for code-hopping systems as well, but it's a completely different league.
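To make the "completely different league" concrete, and to show what the jam-and-replay project mentioned earlier in the thread is working against, here is a toy code-hopping receiver. It is an added illustration, not code from KeeLoq, from the linked GitHub project or from anyone in the thread: the hopping portion is an HMAC-SHA256 tag over the serial and a 16-bit counter standing in for the KeeLoq block cipher, and the device key, serial number and 16-press resync window are constructed values. What it shows is the acceptance rule that makes a captured frame worthless once any later frame has been accepted, next to a fixed-code receiver where every capture replays.

```python
"""Toy rolling-code (code-hopping) receiver next to a fixed-code one.

Constructed example: HMAC-SHA256 stands in for the KeeLoq cipher, and the key,
serial and window size are made up. The acceptance rule (counter strictly ahead
of the last accepted value, within a resynchronisation window) is the point.
"""
import hashlib
import hmac
from typing import Tuple

Frame = Tuple[int, int, bytes]   # (serial, counter, tag)

DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed per-device secret
SERIAL = 0x00ABCDEF                                              # constructed fob serial
RESYNC_WINDOW = 16   # how far ahead a counter may jump after presses the car never heard


def make_tag(key: bytes, serial: int, counter: int) -> bytes:
    """Authenticate serial+counter; truncated to 4 bytes like a short radio frame."""
    msg = serial.to_bytes(4, "big") + counter.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


class RollingCodeFob:
    def __init__(self, key: bytes, serial: int) -> None:
        self.key, self.serial, self.counter = key, serial, 0

    def press(self) -> Frame:
        """Each press advances the counter, so no two frames are ever identical."""
        self.counter = (self.counter + 1) & 0xFFFF
        return (self.serial, self.counter, make_tag(self.key, self.serial, self.counter))


class RollingCodeReceiver:
    def __init__(self, key: bytes, serial: int) -> None:
        self.key, self.serial, self.last_counter = key, serial, 0

    def accept(self, frame: Frame) -> bool:
        serial, counter, tag = frame
        if serial != self.serial:
            return False
        if not hmac.compare_digest(tag, make_tag(self.key, serial, counter)):
            return False
        # Counter must move forward: anything at or below the last accepted value is a
        # replay; anything beyond the window is treated as out of sync and refused.
        if not (self.last_counter < counter <= self.last_counter + RESYNC_WINDOW):
            return False
        self.last_counter = counter
        return True


class FixedCodeReceiver:
    """Pre-code-hopping design: one static code, so any captured frame replays forever."""
    def __init__(self, code: bytes) -> None:
        self.code = code

    def accept(self, code: bytes) -> bool:
        return hmac.compare_digest(code, self.code)


def demo() -> dict:
    """Walk through the cases a practitioner cares about and return each verdict."""
    fob = RollingCodeFob(DEVICE_KEY, SERIAL)
    rx = RollingCodeReceiver(DEVICE_KEY, SERIAL)
    results = {}

    first = fob.press()
    results["legit"] = rx.accept(first)                 # counter 1: accepted
    results["replay"] = rx.accept(first)                # same frame again: rejected

    captured = fob.press()                              # counter 2, car never hears it
    newer = fob.press()                                 # counter 3 reaches the car
    results["newer_first"] = rx.accept(newer)           # accepted
    results["stale_after_newer"] = rx.accept(captured)  # 2 <= 3: dead on arrival

    for _ in range(RESYNC_WINDOW - 1):                  # counters 4..18 pressed out of range
        fob.press()
    results["resync_within_window"] = rx.accept(fob.press())  # 19 <= 3 + 16: accepted

    for _ in range(RESYNC_WINDOW):                      # counters 20..35 pressed out of range
        fob.press()
    results["beyond_window"] = rx.accept(fob.press())   # 36 > 19 + 16: refused

    fixed = FixedCodeReceiver(b"\x12\x34\x56")
    results["fixed_code_replay"] = fixed.accept(b"\x12\x34\x56") and fixed.accept(b"\x12\x34\x56")
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {'accepted' if verdict else 'rejected'}")
```

The defender-relevant property is in `stale_after_newer`: the only frames a rolling-code receiver will still honour are ones whose counter is above everything it has already accepted, so the receiver's own state, not secrecy of the captured bits, is what limits the damage of a capture. That is the gap the jam-and-replay technique targets, and it is why newer systems add the time-of-flight check discussed further up rather than relying on the counter alone.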