Your locked i3 really isn't....

[WoodlandHills]

Just want to let the forum know that any "locked" i3 that is accessible by the public can be unlocked at anytime with a simple $10 radio amplifier. The low power signal used by the door to make contact with your key as you walk up to your car is boosted to a 50 to 100 foot range. Now the key in your pocket as you wait in line at Starbucks or sitting on your dresser appears to be right next to your car and the doors can be opened by simply pulling the handle. At this point the car can be started and driven away or just looted.....

The only way to protect from this trick is to keep your key in a Faraday Cage at all times. At home a metal box such as a microwave or a refrigerator will work and when away from home perhaps wrapping the key in aluminum foil will do the same.

BTW, every car made that uses this sort of method to unlock the doors is wide open to this technique, not just BMWs. This has been known to the criminal community for a while now, but the general public has just discovered its exposure.

 

[jadnashuanh]

I read that article...have you tried it with the i3? The guy who wrote the article has a Prius and, did say that it was possible to prevent this from happening in design. He did NOT try other vehicles to see how many were vulnerable.

 

[MarkN]

Just want to let the forum know that any "locked" i3 that is accessible by the public can be unlocked at anytime with a simple $10 radio amplifier. The low power signal used by the door to make contact with your key as you walk up to your car is boosted to a 50 to 100 foot range. Now the key in your pocket as you wait in line at Starbucks or sitting on your dresser appears to be right next to your car and the doors can be opened by simply pulling the handle.

This doesn't apply if you don't have comfort access.

 

[TomMoloughney]

I have comfort access and my car won't unlock when it's the garage and my key is on the kitchen table, about 20 feet away. I know this because many times I've went to the garage to get something from the car and it was locked and I couldn't open the door without walking back into the kitchen and getting the key.

The range isn't more than 20 feet, I can attest to that. The key has to be really close to the car for this to happen. Just be cognizant of it and you should be fine.

 

[WoodlandHills]

I have comfort access and my car won't unlock when it's the garage and my key is on the kitchen table, about 20 feet away. I know this because many times I've went to the garage to get something from the car and it was locked and I couldn't open the door without walking back into the kitchen and getting the key.

The range isn't more than 20 feet, I can attest to that. The key has to be really close to the car for this to happen. Just be cognizant of it and you should be fine.

Tom, did you miss the part about the $10 amplifier? Just hold it near the door and it boosts the signal to over 50 feet. If you park outside is your key within 50 feet of your car? If so than you are not fine at all..... High school kids are doing this, not just car thieves, it is a very simple hack of a glaring vulnerability of every car that uses this method of remote access.

 

[WoodlandHills]

I read that article...have you tried it with the i3? The guy who wrote the article has a Prius and, did say that it was possible to prevent this from happening in design. He did NOT try other vehicles to see how many were vulnerable.

He didn't have one of those battery amps to test other cars with, neither do I, but I cannot see why the i3 should be the only car that is invulnerable to this spoof. If a car uses a low power transmitter to contact the key and unlock the doors then boosting that signal will increase the range at which the car can contact the key. If you happen to be in the market buying milk the car doesn't care: it just knows that it contacted the key and now it will unlock the doors to whomever pulls the handle. Is there any reason an i3 would not allow the spoofer to turn the car on and drive it away under the same circumstances?

 

[i3atl]

The signal from the key needs to make it back to the car - so depending on where the key is, if the key is transmitting at very low power, the signal would not make it back without amplification near the key as well.

There are various ways they could protect against this - so it's not correct to say that it automatically applies to every car with comfort access style functionality.

 

[TomMoloughney]

I have comfort access and my car won't unlock when it's the garage and my key is on the kitchen table, about 20 feet away. I know this because many times I've went to the garage to get something from the car and it was locked and I couldn't open the door without walking back into the kitchen and getting the key.

The range isn't more than 20 feet, I can attest to that. The key has to be really close to the car for this to happen. Just be cognizant of it and you should be fine.

Tom, did you miss the part about the $10 amplifier? Just hold it near the door and it boosts the signal to over 50 feet. If you park outside is your key within 50 feet of your car? If so than you are not fine at all..... High school kids are doing this, not just car thieves, it is a very simple hack of a glaring vulnerability of every car that uses this method of remote access.

Ah yes, I did miss that. This type of car access has been around for a while from various manufacturers and I've never heard of any issues with it. You still need to be really close to the car, like the case used above - sitting at a cafe with the car parked less than 100 feet away. Thieves will always be working on ways to steal cars. If they really want your car they'll figure out a way to take it, comfort access or not!

 

[WoodlandHills]

If your car is parked outside your house in the driveway, I bet most folks key is within 50 feet or so. I know mine is..... I park inside the garage, but the driveway and the street outside are all well within 50 feet of the key at night. My Infiniti is also vulnerable, but it too lives in a locked garage and is only exposed when parked away from the home. Our smart uses a transmitter in the key so it is not able to be spoofed like the "proximity" systems.

 

[jadnashuanh]

http://sherman-on-security.com/thieves-using-a-17-power-amplifier-to-break-into-cars-with-remote-keyless-systems/

Not all cars are subject to this problem. IT appears that Toyota and Lexus (same manufacturer) ARE subject to this. It appears to be a bit more complex for BMW and some other brands. Before I started saying the sky is falling, I'd have to do some more research, and buying one of the amplifiers may look suspicious to the authorities, should they wish to investigate. If it were a major issue with BMWs, I think we'd have heard more about it.

Keys and locks only keep out the casual thieves.

 

[i3an]

Deep breath, everyone. In all this hyperventilating I have yet to see one photo of an actual "amplifier", one link to Amazon or eBay items going for $10 or $17 or whatever, one documented arrest and retrieval of this mystery device. In fact there is just one online eyewitness account (in the NYT) of a teenager being observed nonchalantly opening a (presumably locked) BMW door and rifling around, but not of driving off - as I assume the jacked vehicle would not get very far, or at any rate would not re-start once out of range of the original fob. Frankly, this is taking on the aura of an urban myth. So if anyone has any hard evidence on this Loch Ness amplifier, please share; otherwise, stop speculating.

 

[WoodlandHills]

http://sherman-on-security.com/thieves-using-a-17-power-amplifier-to-break-into-cars-with-remote-keyless-systems/

Not all cars are subject to this problem. IT appears that Toyota and Lexus (same manufacturer) ARE subject to this. It appears to be a bit more complex for BMW and some other brands. Before I started saying the sky is falling, I'd have to do some more research, and buying one of the amplifiers may look suspicious to the authorities, should they wish to investigate. If it were a major issue with BMWs, I think we'd have heard more about it.

Keys and locks only keep out the casual thieves.

Now that the secret is out I suspect that we will be hearing more on this story in the weeks ahead. In theory, do you know of any reason why this would not work on any car using this type of keyless entry? I have not heard of any company that codes or scrambles the signals or of any other security applied to these signals between the fob and the car. I think that the car companies simply overlooked this and that there are a lot of red faces in the various engineering departments around the world. Whether or not this is currently being widely exploited, the security flaw does exist and there seems to be very little one can do besides shielding ones keys. An On/Off button on the fob to shut off the keyless entry system would be the simplest way to address the problem in a recall..... In the meantime, I wonder if one of those travel wallets that block RFID scanners from stealing your passport and credit card data would work here?

 

[Schnort]

Of course there's security between the FOB and the car. (i.e. THAT FOB needs to be near THAT car). It might not be super tough(i.e. it might be clonable), but there's definitely security. It's probably on par to modern garage door openers, but I hope they'd be a little smarter than that (i.e. be unable to clone by snooping traffic).

The exploit is using a two way amplifier to make it appear that the FOB and car are within the required proximity to unlock the doors (essentially by repeating the boosted signals so that the FOB can 'hear' the car and vis-a-versa).

This exploit won't allow your car to be stolen(I don't think), as the car only operates while the FOB is in the much shorter range of 'inside the cabin'. If they drive off, they'll quickly be out of range of your FOB and the car should stop, or at least not be able to be restarted.

 

[I33t]

In theory, do you know of any reason why this would not work on any car using this type of keyless entry? I have not heard of any company that codes or scrambles the signals or of any other security applied to these signals between the fob and the car. I think that the car companies simply overlooked this and that there are a lot of red faces in the various engineering departments around the world.

Do you have any proof that all keyless entry systems use the same hardware and protocols?

Without any proof, this is just speculation based on very few instances of other brands of car being at risk from this attack.

FWIW, the i3 seems to know whether the key is inside or outside the car. I haven't tested flipping it out the window, but as soon as I step out of the car, the car switches to shutdown mode and I have to get back in the car and press the Start button. Having a retransmit device may not work on the i3.

 

[jadnashuanh]

The fob has (I'm pretty sure based on how it works) an RFID chip in it and a radio transceiver. If know that the battery is dead, you must put the fob right up against a small area on the steering column. There are ways to prevent that repeater from working, it appears that TOyota does not use them. I have no insight on those used by BMW, but while both companies have cultural history of overthinking things, the Germans aren't as cost conscious as the world's largest car manufacturer. IOW, it is my feeling, anyways, that BMW tends to choose the engineering answer verses the accountants response when analyzing cost/benefit decisions.

 

[WoodlandHills]

Of course there's security between the FOB and the car. (i.e. THAT FOB needs to be near THAT car). It might not be super tough(i.e. it might be clonable), but there's definitely security. It's probably on par to modern garage door openers, but I hope they'd be a little smarter than that (i.e. be unable to clone by snooping traffic).

The exploit is using a two way amplifier to make it appear that the FOB and car are within the required proximity to unlock the doors (essentially by repeating the boosted signals so that the FOB can 'hear' the car and vis-a-versa).

This exploit won't allow your car to be stolen(I don't think), as the car only operates while the FOB is in the much shorter range of 'inside the cabin'. If they drive off, they'll quickly be out of range of your FOB and the car should stop, or at least not be able to be restarted.

That's what happened to me once, I dropped my wife at the market and drove across the street to get gas. Unfortunately, she still had the key and had to walk about a 1/2 mile with a bag of groceries to get the car started and driven away from the pump since I had shut down to fuel. This was in our Infiniti. I will try to start our i3 and then give her the key out the window and see how far I can drive once I get back home on Monday.

I am not hyperventilating here, I just wanted folks to be aware of a very real security flaw that may apply to their car as well as to mine. Until someone can show me how BMW is immune or protected from this, I will err on the side of caution as I cannot see any reason why this spoof should not work.

BTW, I was wondering if all of the stories on the media about this will result in a decline in such incidents or will the miscreants will now all want to give it a try.....? It seems like basic Science Project type tech that anyone could reproduce, like filing a point on to a Toyota key used to let you into any Camry you wanted: sometimes the crooks are a step ahead of the Cops, except on this case there really aren't any Cops vetting car locking systems!

 

[CaptBreadbeard]

This isn't magic or even something new. Basic physics and engineering, it's the application that is new. Generally, it should be considered a design flaw of the system.

Easy Answer:
Neither the car nor the fob is being hacked, they're working exactly as designed. While different manufacturers have slight variations in their designs, the key problem is that some/all manufacturers didn't do anything smart to ensure the fob is actually near the car. Rather they relied on the propagation of electromagnetic (EM) radiation and assume that if they get a signal, the fob is near the car. The problem is that how strong or weak an EM signal appears to be, isn't just a function of distance. This is why we build better/bigger/directional antennas or output more power in the signal or employ more advanced signal processing, etc. The stronger the signal appears, the further it can effectively propagate while still being intelligible and the longer range you will have. The physics aren't a hack per se, it's how we engineer practically any communications system.

All they are doing is setting up an amplified repeater. Boost the cars signal so it can reach the now distant fob and vice versa. The repeater doesn't have to actually hack anything in the signal, it just has to relay the signal at a high enough effective power and the two devices will talk as if they really are near to each other. Since simple implementations assume that if they get a usable signal, the fob must be near the car, the car responds as if the fob is. This isn't hard to do at all. Hackers have shown accessing Bluetooth at over a mile with a not much more than a Pringles can and some washers (creates a directional antenna which boosts the effective signal power). You can buy similar devices for your wifi at home.

Harder Answer
The EM propagates much further than you can actually pull out an intelligible signal. The signal needs to stand out enough from all the noise to be received and made intelligible; this is called Signal-to-Noise-Ratio (SNR). Outside of some very sophisticated signal processing, you need the signals power to well above the noise floor or else you won't be able to understand it. Consider a very noisy room, your normal indoor voice isn't intelligible at anything but very close ranges due to the increased noise in the room (aka noise floor). You end up yelling, getting very close or both in order to communicate. The same principle is at work when you get far apart even in quiet environments. The car and fob, while using EM, are actually working on the same idea. They put out very weak, low power signals (measured in dB) such that at anything more than a short distance, they can't communicate because the signal becomes unintelligible (there isn't enough SNR to pull out the messages). Just like you can yell in a noisy room, there are ways to boost the signal so that intelligible communications occur a a longer distance. What these thieves have done is put a middle man between the two so they can communicate. The middle man merely repeats what each says at higher effective power and voila, there's enough SNR to close the communications path!

Depending on the implementation, this is potentially fixable. However, what this really shows is that the car manufacturers have no idea what so ever about security best practices. This isn't a shock though. This lack of security knowledge permeates many industries. A security expert was detained and question this week because he tweeted about being able to access the planes flight controls from the inflight wifi! http://money.cnn.com/2015/04/17/technology/security/fbi-plane-hack/ The list goes on and on. The computer security field is light-years beyond most everyone else, but even then companies and individuals frequently ignore best practices. This is an absolute colossal engineering failure, which obviously has no regard for security. This is so basic, it's sad, it's incompetent.

Ways to potentially fix this (hardly inclusive):
1) Time of flight. If the implementation allows for a software update on the car to check time of flight, the car would know that the fob can't be close to it. You can't get around the fact that the signal propagates with a given velocity and even repeating it means the round trip time is too long. This is how GPS works, etc. However, given the speed involved, you need high precision clocks to measure the distances we're discussing here and I highly doubt anything but the GPS unit has such a clock. Alternatively, with multiple antennas you might be able to add triangulation estimates to the car/fob communication and reject this attack; this still works the same, but may remove the need for high-precision clocks.

2) Listen for the echo. Since the car puts out a signal to find the fob and the middle man repeats this signal exactly a short time later and at much higher power (remember the signal took time to travel from the car to the middle man), the car should be able listen for it's signal being repeated and ignore the fob. Of course, this would mean a such a device anywhere near your car effectively creates a Denial-of-Service attack. Unfortunately, there already will be many echoes and reflections of the cars original signal as it bounces around. However, the middle man should be at a much higher power...until they build a directional antenna.

I'm sure there are more, but if any particular manufacturer's design permits it is entirely unknown. If computer security is any indication, the best solution is multiple, redundant checks. Given the margins involved, I suspect they might not be able to fix it at all with out changing the design; everything been simplified as much as possible and there simply isn't any that wasn't essential to the flawed design.

Don't Panic
Don't freak though, the locks on nearly all of our houses are terrible too. Anyone with a basic skill set can pick them almost as fast as you can open it with the "key." Most security is for theater purposes only...it keeps honest people out, nothing more. Your real security posture hasn't changed much if any at all.

 

[I33t]

Except... This car doesn't fit that description.

From the garage door opener thread:

I tested it just now
Car will not start unless fob is inside car. I even put window down and held it just outside the car. Will not start.

Confirmed.

Key held outside drivers window (RHD car):

Car requests remote be held against steering column when you press the start button:

There was another similar message but I didn't get a photo of it. The car definitely knows if the fob is inside the cabin.

Clearly, the electronics are not designed by Toyota

 

[WoodlandHills]

The demo clearly proves that when the car "thinks" the fob is too far from the car it will not start. What happens when the signal is boosted and the car "thinks" the fob is NOT too far away.....? Has anyone tried to start their car and then hand the fob through an open window to a friend and have them walk away from the car? Will the car shut off or will it stay running?

 

[BrianStanier]

It stays running, but will not restart. It would be unsafe to stop the car if it is unable to detect the fob for some reason.