
keyless entry systems can be bypassed

Featured Replies

I'm guessing they didn't do their research and underestimated the ability of thieves when they implemented KESSY.

The weakness of KESSY (and all proximity based unlock systems) is that they use RF to detect when the key is in range - a simple RF amplifier can vastly extend the range and allow a car to be unlocked while the key is far away. This has been well known for some time. It's also near impossible to secure against this attack method. Best just to avoid keyless entry systems.

 

The vulnerabilities revealed by these researchers are very different, and relate to the actual cryptographic methods used in locking and immobiliser systems. They have found that VAG have used a very small number of cryptographic keys for one part of the remote unlock protocol for a very long time, across a huge number of brands and models. It's only very recently that they have moved to issuing unique keys to each vehicle.

 

Getting the key from any given vehicle requires physical access to the vehicle's interior, so if a vehicle has a unique key this is good security. If several tens of millions of vehicles have the same key, then having access to one vehicle potentially gives you access to all of them.
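A toy model of the point made above, added here as an illustration (not code from this thread, from VAG or from the researchers): an HMAC-tagged rolling counter stands in for the real rolling-code scheme, and a hypothetical fleet is built either with one key shared by every car or with a random key per car, so the number of cars that would accept codes made with a key read out of a single vehicle can be counted directly. All vehicle identifiers, keys and the window size are constructed values.

```python
import hmac
import hashlib
import secrets

WINDOW = 16  # look-ahead accepted for the rolling counter (constructed value, not any real protocol's)


def make_code(key: bytes, vehicle_id: str, counter: int) -> bytes:
    """Fob side: tag (vehicle_id, counter) under the fob's key; a toy stand-in for the rolling code."""
    msg = vehicle_id.encode() + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Receiver:
    """Car side: accepts a fresh counter inside the window with a valid tag, then advances."""

    def __init__(self, vehicle_id: str, key: bytes):
        self.vehicle_id = vehicle_id
        self.key = key
        self.last_counter = 0

    def try_unlock(self, counter: int, code: bytes) -> bool:
        if counter <= self.last_counter or counter > self.last_counter + WINDOW:
            return False  # replayed or too far ahead: rejected before any crypto
        expected = make_code(self.key, self.vehicle_id, counter)
        if not hmac.compare_digest(expected, code):
            return False
        self.last_counter = counter
        return True


def build_fleet(n: int, shared_key: bytes = None) -> dict:
    """Hypothetical fleet: one key for every car (shared) or a random key per car (unique)."""
    fleet = {}
    for i in range(n):
        vid = f"VIN{i:04d}"  # constructed identifiers
        key = shared_key if shared_key is not None else secrets.token_bytes(16)
        fleet[vid] = Receiver(vid, key)
    return fleet


def vehicles_exposed_by_one_key(fleet: dict, leaked_vid: str) -> int:
    """Blast radius: how many receivers accept a code made with the key read out of one car."""
    leaked_key = fleet[leaked_vid].key
    opened = 0
    for vid, rx in fleet.items():
        nxt = rx.last_counter + 1
        if rx.try_unlock(nxt, make_code(leaked_key, vid, nxt)):
            opened += 1
    return opened
```

With a shared key the count equals the fleet size; with per-vehicle keys it is one, and a captured code replayed against the same receiver is rejected by the counter check alone.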

The article is misleading and not about Kessy, if you read carefully it mentions grabbing the rolling code by pressing a button on the remote fob. I assume by keyless this article defines that as not needing to use the key in a lock to open the door.

 

The Ford weakness has been known for a very long time, that is why so many Ford ST models are stolen, same with BMW.

Edited by mannyo

> The weakness of KESSY (and all proximity based unlock systems) is that they use RF to detect when the key is in range - a simple RF amplifier can vastly extend the range and allow a car to be unlocked while the key is far away. This has been well known for some time. It's also near impossible to secure against this attack method. Best just to avoid keyless entry systems.

Sorry, but this is not really true at all.

Typical key fobs in Europe operate in the ISM band (433 MHz) using 2FSK modulation. In order for one to use the key fob as an attack vector, he must first intercept the signal, then decrypt and decode the signal.

It is not sufficient to simply generate a 2FSK modulated signal on the correct frequency. You must also have the encryption key. (Normally, assuming the system is properly set up.)

Of course a receiver is by its nature normally on and listening. Thus, it could be possible to have a properly formatted signal cause some havoc, but they "should" be filtered out at the de-modulator.

It seems that VAG has not properly set up the receiver system.

It is important to keep in mind that VAG does not make this stuff. They buy "end products" from OEMs to plug into their CAN BUS.

The company I work for does a lot of the testing on these radios. Though, we do not touch the application layers or security aspects. We only care about the signal from the regulatory perspective.

As mannyo said, it's old news.

Maybe University of Birmingham researchers have just removed BMW or Ford and pasted VW into their research results, so lazy.

Maybe they could do research into something more important.

> Sorry, but this is not really true at all.
>
> Typical key fobs in Europe operate in the ISM band (433 MHz) using 2FSK modulation. In order for one to use the key fob as an attack vector, he must first intercept the signal, then decrypt and decode the signal.
>
> It is not sufficient to simply generate a 2FSK modulated signal on the correct frequency. You must also have the encryption key. (Normally, assuming the system is properly set up.)
>
> Of course a receiver is by its nature normally on and listening. Thus, it could be possible to have a properly formatted signal cause some havoc, but they "should" be filtered out at the de-modulator.
>
> It seems that VAG has not properly set up the receiver system.
>
> It is important to keep in mind that VAG does not make this stuff. They buy "end products" from OEMs to plug into their CAN BUS.
>
> The company I work for does a lot of the testing on these radios. Though, we do not touch the application layers or security aspects. We only care about the signal from the regulatory perspective.

That's interesting. So are the stories of cars with keyless entry being broken into with an RF amplifier apocryphal then?

 

My understanding is that the amplifier simply boosted the range of the car's signal while it is searching for the key without modifying any of the data.

Skoda fitted deterrents front and rear to make them less likely to be stolen. Badges, they did do upgrades from green to black but they seem to still work, just check how few Skodas get stolen in the UK.

Edited by GoneOffSKi

> That's interesting. So are the stories of cars with keyless entry being broken into with an RF amplifier apocryphal then?
>
> My understanding is that the amplifier simply boosted the range of the car's signal while it is searching for the key without modifying any of the data.

An amplifier is just that, an amplifier. On its own, it is useless. It does not generate anything. You need the correct input signal fed into the amp. You can get a 10dB amp which works in the ISM band for a few hundred bucks. The signal won't be very clean, but it will for sure amplify it.

But it's not like you can just point an amp at something and have it do something.

I suppose you could use an antenna as an input and another antenna as an output, but that is just going to amplify everything within the frequency range of the amplifier.

If you want to increase the range of the car's signal with an amp, you need to get that signal into the amp. Maybe you could tune it to only look at 433MHz. But this will not impact your car's ability to "hear" anything.

The Amp only goes one way. There are bi-directional RF amps, but they are hugely expensive. So, the car would be shouting but unable to hear any better. Or, it could hear better but unable to shout loud enough for the key fob to hear it.

This is not just a VAG problem; there are quite a few videos on YouTube about systems where the unlock code is grabbed or a signal amplifier is used to unlock a car whilst the owner is in bed and the car is on the drive. I have a friend who did it by accident with his Discovery with a KESSY system. He got in the car whilst the key was in the kitchen, drove up to the farm yard, stopped the car and then had to walk back to the house to get the key after the car wouldn't restart.

Ian

Locally secure entry systems have been bypassed for years

 

 


Looks like crooklocks will be making a come back

The Metropolitan Police have been warning about keyless insecurity for years.
