Stealing Key Fob Signal
#1
Below is a thread I posted in the TL Forum. I would like to share it with RL owners and hope that it is not an "overkill."
I was at the gym last week for about an hour. When I returned, I discovered that certain things in my trunk were missing, but there was no sign of forced entry. When I told my story to several friends from the same gym, they also had the same experience, since we all park in the gym's garage.
We think that someone must have been stealing the signals from our remote key fobs when we locked our cars with the fobs. How easy can this be done? How expensive is the device? I think we might report this to the police so that they can set up a decoy to catch the thief.
From now on, I will use my key to lock the car manually to avoid signal theft
#2
Don't know how easy it is. I typically lock by touching the door dimple and unlock by grabbing the door handle. By doing that you're not transmitting the signal across a distance as you would by pressing the buttons on the Fob.
#3
Haven't heard of this before. Sounds worrisome to me. Luckily, I lock my doors by using the door lock in the car before I close the door. (I've had the car unlock itself when I use the door dimple. )
#4
The worrisome thing about the WSJ story was the attitude of the insurance companies towards the owners of cars that have been stolen with these types of systems. The insurance companies believe that these systems are theft-proof and give the owners a very difficult time when they try to make a claim, believing that either the car must have been left unlocked or the owner was involved.
#5
This may have been the story I was remembering - it was from Wired and not the WSJ. Scary stuff all the same.
http://www.wired.com/wired/archive/14.08/carkey_pr.html
#6
yes you are
Originally Posted by GoHawks
I typically lock by touching the door dimple and unlock by grabbing the door handle. By doing that you're not transmitting the signal across a distance as you would by pressing the buttons on the Fob.
#7
Originally Posted by Ry4an
The fob is still transmitting presence and authentication information; you're just triggering it from the car instead of from the fob. For evidence, notice that the door dimple doesn't work if you don't have a fob in range. The fob's still in the picture and transmitting, and in theory every bit as sniffable, though I do believe the sniffing is quite hard to do.
#8
I doubt the transmitting power of the fob changes whether or not you use the dimple or the fob; the transmit power of the fob is probably a fixed value, since designing it otherwise would be more difficult (and expensive). I actually hope I am wrong, since I am already disconcerted by the possibilities discussed in this thread. I guess I will invest in my own personal Denver boot to use; nothing like brute force to hang onto your RL.
#9
I'd think a simpler explanation would be that perhaps someone took your keys out of your locker while you were in the gym, and used them to unlock your car. It'd be simple enough to watch who comes and goes to find out who's in which car and where your locker is....
I doubt most thieves who are enterprising enough to be able to hack the keycode system on your car would bother just taking a few things out of the trunk -- or that they'd be dumb enough to lift things on repeated occasions from the same location. I'd imagine that kind of investment in time and energy would be used only by real professional thieves who were interested in boosting your whole car for parts.
I could be wrong, but it just seems like an awful lot of trouble to go through.
#10
Originally Posted by acurafox
I doubt the transmitting power of the fob changes whether or not you use the dimple or the fob; the transmit power of the fob is probably a fixed value, since designing it otherwise would be more difficult (and expensive). I actually hope I am wrong, since I am already disconcerted by the possibilities discussed in this thread. I guess I will invest in my own personal Denver boot to use; nothing like brute force to hang onto your RL.
With all due respect, you are wrong. The range of the fob is different when it's passive vs if you hit the lock/unlock button.
Obviously when you hit the unlock/lock, the signal can be transmitted from quite a distance. Now, try this experiment. Assuming you have a garage, make sure the car is locked. Now leave the fob in the house, and walk up to the car and grab the door handle. I guarantee the door won't unlock since the proximity sensor doesn't detect the fob on you. Now if you go back in the house and hit the unlock button, you should be able to unlock the doors.
Also, the manual states that the proximity sensor will detect the fob if you're within 2-3 feet from either door handle or the trunk. You can lock/unlock the doors from much further than that if you press the buttons on the fob.
#12
The way I look at it is that I shell out money for insurance, and if my car gets stolen (no matter whether it's from stealing the signal or bashing out a window) it's State Farm's problem. Sure, I'll be inconvenienced, but I'll get over it.
Now, that doesn't mean I'm careless or that I don't care, but it does mean I'm not going to lose a lot of sleep over it. I just don't want the car to ever be found if it gets stolen. In the meantime, I'm cautious and I keep my eyes open, and I don't park in questionable areas, and I take care of my stuff. And beyond that, there isn't a lot I can do.
#13
Originally Posted by GoHawks
Don't know how easy it is. I typically lock by touching the door dimple and unlock by grabbing the door handle. By doing that you're not transmitting the signal across a distance as you would by pressing the buttons on the Fob.
#14
Originally Posted by jftjr
I'd think a simpler explanation would be that perhaps someone took your keys out of your locker while you were in the gym, and used them to unlock your car. It'd be simple enough to watch who comes and goes to find out who's in which car and where your locker is....
I doubt most thieves who are enterprising enough to be able to hack the keycode system on your car would bother just taking a few things out of the trunk -- or that they'd be dumb enough to lift things on repeated occasions from the same location. I'd imagine that kind of investment in time and energy would be used only by real professional thieves who were interested in boosting your whole car for parts.
I could be wrong, but it just seems like an awful lot of trouble to go through.
Let's face it, the technology for stealing key fob signals is out there, and it probably does not require a thief to spend lots of money and time to invest in such technology. If a thief pulls off just 50 jobs a day - a fairly easy task if he hits places like shopping malls and municipal parking lots - the return for his effort is quite handsome. This is particularly worrisome because not many people are aware of the technology, which makes them easy targets.
I can think of at least two ways that a thief can use the technology to get into your car. One, by blocking the signal from the key fob when you try to lock your car. How many people test their car door to see if it is locked after "locking" it with their key fob? In so doing, the thief can easily open your car door (and your trunk) and take whatever he wants, after you walk away. Two, by intercepting the signal and storing it in the device, so that he can decode it and use it any time he wants. The second method is more problematic because he can hit your car again and again unless you are aware of the problem and think of a solution.
So, let's not dismiss this potentially large problem, thinking (erroneously) that it is "an awful lot of trouble [for thieves] to go through."
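The second method described in post #14 (record the unlock frame, use it later) only works against a receiver that expects the same bits every time. The simulation below is an added example, not code from this thread or from any vehicle or alarm maker; the key, the truncated 8-byte MAC and the 16-press resync window are assumptions chosen for the demo. It contrasts a fixed-code receiver, which accepts a frame as many times as it is delivered, with a rolling-code receiver of the kind post #15 compares to a garage-door opener: each press carries a counter bound into a MAC, the car only accepts counters ahead of the last one it saw, and a resync window tolerates presses made out of range.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed demo key; a real system uses a per-vehicle pairing secret.
DEMO_KEY = b"constructed-demo-pairing-key"
TAG_LEN = 8  # truncated MAC length in bytes (illustrative choice)


@dataclass
class FixedCodeReceiver:
    """One-way receiver whose unlock frame is a constant value."""
    secret_code: bytes
    unlocked: bool = False

    def receive(self, frame: bytes) -> bool:
        ok = hmac.compare_digest(frame, self.secret_code)
        self.unlocked = ok
        return ok


class RollingCodeFob:
    """One-way transmitter that binds a per-press counter into each frame."""

    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.counter = counter

    def press(self) -> bytes:
        header = self.counter.to_bytes(4, "big")
        self.counter += 1
        tag = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        return header + tag


@dataclass
class RollingCodeReceiver:
    """Accepts a frame only if its MAC is valid and its counter is ahead of
    the last accepted one, within a resync window."""
    key: bytes
    next_counter: int = 0
    window: int = 16
    unlocked: bool = False

    def receive(self, frame: bytes) -> bool:
        self.unlocked = False
        if len(frame) != 4 + TAG_LEN:
            return False
        header, tag = frame[:4], frame[4:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False
        counter = int.from_bytes(header, "big")
        if not (self.next_counter <= counter < self.next_counter + self.window):
            return False
        self.next_counter = counter + 1
        self.unlocked = True
        return True


def demo() -> dict:
    # Fixed code: the same frame delivered a second time is indistinguishable
    # from a genuine press, so it is accepted again.
    fixed = FixedCodeReceiver(secret_code=b"\xa5\x5a\x01\x02")
    frame = b"\xa5\x5a\x01\x02"
    fixed_first = fixed.receive(frame)
    fixed_replay = fixed.receive(frame)

    # Rolling code: a second delivery carries a counter the car has already
    # consumed, so it is rejected even though the MAC is valid.
    fob = RollingCodeFob(DEMO_KEY)
    car = RollingCodeReceiver(DEMO_KEY)
    frame = fob.press()
    rolling_first = car.receive(frame)
    rolling_replay = car.receive(frame)

    # Presses made out of range (in a pocket) advance the fob's counter;
    # the window lets the car resync as long as the gap is small.
    for _ in range(5):
        fob.press()
    resync_ok = car.receive(fob.press())
    for _ in range(40):
        fob.press()
    resync_too_far = car.receive(fob.press())

    return {
        "fixed_first": fixed_first, "fixed_replay": fixed_replay,
        "rolling_first": rolling_first, "rolling_replay": rolling_replay,
        "resync_ok": resync_ok, "resync_too_far": resync_too_far,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted' if result else 'rejected'}")
```

The first method in post #14 (jamming the lock command) is not something a receiver can fix on its own; the practical check is the one the post suggests: try the handle, or wait for the car's own lock confirmation, before walking away.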
#15
The OP apparently has a TL, so keyless entry/start like our RL's have isn't what he's dealing with.
As for the RL's system, it is a half-duplex (2-way) device, wherein the car and the fob talk to each other, whereas the 1-way devices like the TL's use one active transmitter (the fob) and one passive receiver (the car). As I understand it, the RL's system uses either frequency shift keying or amplitude shift keying, either of which is similar to the rolling code scheme used in your garage door opener.
Now, in Beckham's case, the story says the thieves appear to have had "inside info" that helped them crack his codes. Without that, they likely wouldn't have been able to even run a brute force crack in an hour ... even with a supercomputer ... since we're talking billions of possible codes.
While our cars are indeed sending out little signals looking for our fobs, it's merely a "polling" signal, not an access signal. When we're within a few feet of our cars, the polling signal recognizes our fobs, then sends the encrypted access keys from the fob to the car's onboard computer, which accepts the codes and allows us to open the doors and start the car.
All in all, it's a pretty tight system and not as vulnerable as some of the stories lead you to believe.
#16
Originally Posted by GoHawks
With all due respect, you are wrong. The range of the fob is different when it's passive vs if you hit the lock/unlock button.
Obviously when you hit the unlock/lock, the signal can be transmitted from quite a distance. Now, try this experiment. Assuming you have a garage, make sure the car is locked. Now leave the fob in the house, and walk up to the car and grab the door handle. I guarantee the door won't unlock since the proximity sensor doesn't detect the fob on you. Now if you go back in the house and hit the unlock button, you should be able to unlock the doors.
Also, the manual states that the proximity sensor will detect the fob if you're within 2-3 feet from either door handle or the trunk. You can lock/unlock the doors from much further than that if you press the buttons on the fob.
#17
The RF technology the RL uses IS hackable; however, it's not easy at all. You need a laptop that can run numerous codes in a quick fashion, and even then it would take quite a few minutes to crack the code. It's definitely not rocket science, but the overwhelming majority of car thieves are not the sharpest knives in the drawer. However, a few enterprising computer geeks could do it without much work.
#18
Originally Posted by kenny5
I think you are wrong for various obvious reasons. First, I put my car keys (key fob) together with my wallet in the gym locker, and locked them with my own combination lock. If the thief managed to decipher the combination, why didn't he take the cash (totally fungible) in my wallet along with the credit cards? Also, why did he bother putting the key fob back into my locker after he stole from my trunk? I have yet to come across such a "kind-hearted" thief.
I remember from my high school days that Master lock combination locks are trivial to open -- and most gym lockers can be opened easily even if locked without removing the lock.
OK, maybe I'm wrong. But still, it ain't that easy to capture a key signal and open a car with it, and the equipment costs a few hundred bucks, at least. I'd look for another explanation first.
And yes, the RL system is quite a bit more secure than the TL's system.
#19
As a former TL owner, I read a similar thread a couple of years ago. The most notable was a TL which was stolen and involved in a high-speed (120 MPH) chase down I-20 (which resulted in the thief hitting a Georgia State Patrol car at 95 MPH after the officer pulled in front of him). It was a rare Deep Green Pearl / Camel / 6-speed car.
Back to the remote. So I believe the way these things work is similar to TCP's three-way handshake http://en.wikipedia.org/wiki/ACK_%28TCP%29.
[CAR IN LISTEN / WAIT MODE]
1. The active open is performed by sending a SYN to the server.
2. In response, the server replies with a SYN-ACK.
3. Finally the client sends an ACK (usually called SYN-ACK-ACK) back to the server.
[THEN UNLOCK MESSAGE IS SENT, CAR IS UNLOCKED, SESSION ENDED and car goes BACK TO WAIT MODE]
The issue with the TL (which I thought also existed with the RL) is that the code is fixed. There is VERY LIMITED frequency (thanks to FCC rules and so many devices using this "unregulated" frequency). As an example, the RL remote has FCC ID ACJ8D8E24A04, and all RL remotes are in the range registered to this ID.
Once again I thought the RL also had a fixed code. I'd be real happy to be wrong.
But at the end of the day, if you just walk up to the car and press the dimple, you've eliminated the longer-range remote transmission. I've found that it is VERY "local" - if someone is even on the other side of the car they cannot open my car by touching the door handle.
-josh
#20
Lindros, you're right about the limited frequencies assigned to things like our fob transmitters. But if the system uses Amplitude Shift Keying (ASK), it can send a multitude of different binary signals within that same frequency.
Per the same Wikipedia, on ASK: "The amplitude of an analog carrier signal varies in accordance with the bit stream (modulating signal), keeping frequency and phase constant." (My emphasis)
It's similar to the way radio can carry zillions of different notes in a song on a single radio frequency (station). That's where the equivalent of rolling codes comes in. Each handshake can be on a different "note" within the same frequency, and the car's processor matches them up.
But I think you're wrong about the session ending and the car going back to wait mode when the door unlocks. Ours stay awake, since the same fob signal allows us to start the car. The process you're describing applies to the TL-type system, where the car just waits for the signal generated by the fob's button being pushed. That is, it's a one-way, active-passive system, unlike our RL's.
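Posts #15 and #20 describe the RL's two-way scheme: the car polls, and the fob answers with its access keys only when it hears that poll. The model below is an added example written for this thread, not code from the forum or from any manufacturer, and the pairing key, the MAC construction and the 16-byte challenge are assumptions. It isolates the property that makes a two-way scheme resistant to a recorded answer, the issue raised in post #14: each challenge is random and single-use, so a response captured during one handshake does not match the next one.

```python
import hmac
import hashlib
import os

# Constructed pairing secret shared by car and fob (assumption for the demo).
DEMO_KEY = b"constructed-demo-pairing-key"


class PassiveFob:
    """Fob side: answers a challenge with a MAC over it, never with a stored code."""

    def __init__(self, key: bytes):
        self.key = key

    def answer(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, b"unlock|" + challenge, hashlib.sha256).digest()


class PassiveCar:
    """Car side: a handle touch issues a fresh random challenge; the response
    is valid for that one challenge only."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None
        self.unlocked = False

    def poll(self) -> bytes:
        # The polling signal post #15 describes, here carrying a random nonce.
        self.pending = os.urandom(16)
        return self.pending

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            self.unlocked = False
            return False
        expected = hmac.new(self.key, b"unlock|" + self.pending, hashlib.sha256).digest()
        self.pending = None  # each challenge is consumed whether or not it verifies
        self.unlocked = hmac.compare_digest(expected, response)
        return self.unlocked


def demo() -> dict:
    car, fob = PassiveCar(DEMO_KEY), PassiveFob(DEMO_KEY)

    # Live handshake: poll, fob answers, car accepts.
    first_response = fob.answer(car.poll())
    live = car.verify(first_response)

    # The same recorded response presented to a new challenge: rejected.
    car.poll()
    replayed = car.verify(first_response)

    # A fob with a different pairing key answers the current challenge: rejected.
    wrong_key = car.verify(PassiveFob(b"other-key").answer(car.poll()))

    # A response arriving when no challenge is outstanding: rejected.
    no_challenge = car.verify(first_response)

    return {
        "live": live, "replayed": replayed,
        "wrong_key": wrong_key, "no_challenge": no_challenge,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted' if result else 'rejected'}")
```

Note what this does and does not prove: a correct answer shows the fob holds the pairing key, and the short polling range post #16 quotes from the manual (2-3 feet) is what ties that answer to a fob actually standing at the handle.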
#21
Wow, it is amazing to find out the type of people who lurk and post in this forum -- RL owners who are techno geeks. I was a science (biochem) major, but my relative geekiness pales in comparison. Great posts and analyses, fellow posters!!
#22
Mike_TX -- As per my post I'm happy if the car really does have a two-way system that is improved upon the TL's system. I haven't heard of an RL break-in issue like the TL as of yet, but there is also a smaller sample set.
In other news, please don't take my capitals in my post as "yelling" or even "emphasis" - I could have changed the font but was too lazy. Also apologies for spelling and duplication errors...
#23
It's called a radio frequency ID reader/repeater. I have a friend who worked for a "spy shop"; he showed me how it works, with my car and his aftermarket Clifford 2-way alarm. As I pushed unlock on my car, the reader saved the command, and all he did was, about 20 feet from my car, hit the repeat key on the handheld unit, and my car doors unlocked. It can't be done unless someone is sitting within range of a fob to copy the signal. I do not know how the newer cars work, but his Clifford 2-way alarm did the same.
I don't know about all dealers, but the Acura dealer by my house has a sheet of tools thieves can use to unlock Acuras; the lady selling LoJack and the warranties showed me the list...
I have a TL; I've never seen it done to the new RLs.
#24
Originally Posted by GoHawks
Don't know how easy it is. I typically lock by touching the door dimple and unlock by grabbing the door handle. By doing that you're not transmitting the signal across a distance as you would by pressing the buttons on the Fob.
Me Too