
Car "Broken Into" Without Force

Featured Replies

2 hours ago, Austin 7 said:

Car remote locking systems mostly seem to use the same well known frequency band (around 433 MHz)

 

They pretty much have to use the license-free band allocated for low power devices including remote keyless entry systems.  Misuse of frequencies allocated for other purposes is frowned upon by OFCOM (as is deliberate jamming of legitimate transmissions).  You can't just decide to use another frequency to avoid the jammers; there's not a lot of spare RF spectrum available - most if not all that's of any practical use has been allocated already - so you'd end up messing up someone else's RF comms.

 

https://www.ofcom.org.uk/spectrum/radio-spectrum-and-the-law

Edited by ejstubbs

I believe this is the same principle as what happens in some locations near airports and such where people suffer ineffective fobs - strong EM radiation ‘floods’ the receiver antenna and drowns out the keyfob signal.

Drifting from the original subject slightly: in around 1985-1990, I think, I heard stories of car engines suddenly failing to run whilst passing such places as the huge aerial array at Daventry. The cause was said to be interference with the car's then-new electronic ignition system.

Was this an old wives tale?

It's only going to get worse;

 

VAG MkVIII Golf Software & OTA Issues

 

VAG don't have the best reputation for extensively testing, and more importantly, proving their technology works.

 

Basically, if it can be programmed, it can be reprogrammed.

On 23/01/2020 at 17:20, ejstubbs said:

Bottom line: simply capturing and replaying a key fob's last transmission should not cause the ECU to unlock the car.

 

With the right equipment and know-how, a "replay attack" is very simple to carry out.

 

Essentially it involves blocking (or "jamming") the car from receiving the keyfob signals, and capturing an unlock command from the keyfob. A bad guy waits for the owner to press the unlock button and captures the transmission which doesn't reach the car and therefore doesn't unlock it. The owner thinks nothing of it, and presses the unlock button again, which again the bad guy captures and blocks from reaching the car BUT at the same time the bad guy transmits the first unlock command to the car and it unlocks.

 

Owner then gets in and drives away as normal. Only bad thing is the bad guy now has an unlock command stored in his equipment which he can transmit to unlock the car, and it will work until the car next receives an unlock signal from the keyfob.

Totally wrong description.

 

It's not a "replay" attack, it's a "relay" attack.

 

A simple 2 way transceiver acts as a range extender or "relay" for both keyfob and car transponder. Has the effect of fooling car and keyfob that they are close by and the unlock/mobilise commands to exchange by receiving and retransmitting bidirectionally.

 

Once the car is unlocked the thief jumps in the car, simply presses the start button. As the car still thinks the keyfob is there, it starts up. Once started, car will run without the keyfob until next stopped.

 

Latest keyfobs go to sleep when not physically moved, mitigating this kind of attack.

Just now, xman said:

Totally wrong description.

 

It's not a "replay" attack, it's a "relay" attack.

 

A simple 2 way transceiver acts as a range extender or "relay" for both keyfob and car transponder. Has the effect of fooling car and keyfob that they are close by and the unlock/mobilise commands to exchange by receiving and retransmitting bidirectionally.

 

Once the car is unlocked the thief jumps in the car, simply presses the start button. As the car still thinks the keyfob is there, it starts up. Once started, car will run without the keyfob until next stopped.

 

Latest keyfobs go to sleep when not physically moved, mitigating this kind of attack.

 

You are describing a relay attack, which targets vehicles with keyless entry.

 

I was talking about a replay attack, which targets vehicles with traditional keyfobs like OP said he has.

Keyfob remotes for decades feature two way encrypted rolling codes that constantly change. A simple recording will not work on all but ancient cars.

 

It's possible spare keys were made, retained or lost by previous owners or dodgy dealers/mechanics.

Edited by xman

8 minutes ago, xman said:

Keyfob remotes for decades feature two way encrypted rolling codes that constantly change. A simple recording will not work on all but ancient cars 30+ years old.

 

Even rolling code systems are susceptible to a replay attack in the way I have described. It doesn't matter that the transmission from the fob is encrypted because you don't need to be able to read it, you just need to be able to store it and play it back.

 

The vehicle will accept the next X number of codes in the sequence, usually at least the next 255 in modern vehicles. It will not accept any past codes.

 

If you can capture an unlock command from the keyfob and block the car from receiving it, you can play back that transmission at any time in the future and it will unlock the car. However if the keyfob sends another unlock command and the car receives it, it will unlock and also disregard the code that you have stored so the transmission you captured is now useless as it has "rolled" past it.

 

The trick to a successful replay attack is to block the car and capture an unlock command. The car won't unlock and the person pressing the button on the fob will almost certainly shrug it off and immediately press the unlock button again. You then capture this next unlock command and simultaneously transmit the first command you captured so that the car unlocks. The fob is now one step ahead of the car, and YOU have a valid unlock command stored with the next code in the sequence, and the driver is blissfully unaware of this. Once the car is locked, you can transmit that unlock command you have stored and it will unlock the car because it has a valid code that the car has not seen yet. Obviously if the fob is used to unlock the car before you have used that code, you are back to square one.

Edited by slow_nick
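To make the counter-window behaviour slow_nick describes concrete, here is an added Python model of a one-way rolling-code receiver. It is not code from the thread or from any real fob; the key, counter values, window size and the HMAC tag standing in for the fob's encryption are all constructed assumptions. It shows why a burst the car never heard stays valid only until the car accepts a later one.

```python
import hashlib
import hmac

WINDOW = 255  # the post says the car accepts roughly the next 255 codes

def make_code(key: bytes, counter: int, command: str) -> bytes:
    """Fob side: one burst = counter + command + authentication tag. Real fobs
    encrypt the counter; an HMAC tag models the same unforgeable property."""
    body = counter.to_bytes(4, "big") + command.encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class Receiver:
    """Car side: a one-way receiver that remembers only the last counter
    it accepted. No handshake, exactly as described in the thread."""

    def __init__(self, key: bytes, last_counter: int):
        self.key = key
        self.last = last_counter

    def accept(self, code: bytes) -> bool:
        body, tag = code[:-8], code[-8:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted burst
        counter = int.from_bytes(body[:4], "big")
        if not self.last < counter <= self.last + WINDOW:
            return False  # already used (replay) or too far ahead
        self.last = counter  # every counter at or below this is now dead
        return True

KEY = b"constructed demo key, not a real fob secret"

def stale_code_lifetime() -> tuple[bool, bool]:
    """Press 1 (counter 1000) never reaches the car; press 2 (1001) does.
    Returns whether the unheard code works before and after press 2."""
    car = Receiver(KEY, last_counter=999)
    unheard = make_code(KEY, 1000, "unlock")
    heard = make_code(KEY, 1001, "unlock")
    still_fresh = Receiver(KEY, last_counter=999).accept(unheard)  # True
    car.accept(heard)  # car advances to 1001
    return still_fresh, car.accept(unheard)  # (True, False)

def window_edges() -> tuple[bool, bool, bool]:
    """last+WINDOW is accepted, last+WINDOW+1 is not, and a counter
    the car has already consumed is refused a second time."""
    car = Receiver(KEY, last_counter=0)
    edge_ok = car.accept(make_code(KEY, WINDOW, "unlock"))       # True
    too_far = car.accept(make_code(KEY, 2 * WINDOW + 1, "lock"))  # False
    reused = car.accept(make_code(KEY, WINDOW, "unlock"))        # False
    return edge_ok, too_far, reused
```

The defender-relevant point is the second return value of `stale_code_lifetime()`: once the car hears any later press, the unheard code is dead, which is exactly the "back to square one" case in the post.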

I suppose that might be feasible.

 

However I see a number of hurdles.

 

Isn't it a 2 way exchange between fob and car so car securely handshakes to check the fob is real and present? Car would not repeat the same handshake codes.... Maybe not....

 

Difficult to see how you could easily jam the car transponder and simultaneously receive the fob on the same frequency and even more difficult to jam and simultaneously transmit and receive as required in step 2.

 

Then I would have thought the rolling codes would advance when the car was locked.

 

But then I suppose some clever Chinese techie could figure it all out.

 

 

  • Author
20 minutes ago, slow_nick said:

 

Once the car is locked, you can transmit that unlock command you have stored and it will unlock the car because it has a valid code that the car has not seen yet. Obviously if the fob is used to unlock the car before you have used that code, you are back to square one

Very interesting but presumably quite hard to make work, since the driver is presumably using the car to go to a destination, i.e. get out/lock/unlock and return - of course could work if they were going to pick someone up...

1 minute ago, xman said:

I suppose that might be feasible.

 

However I see a number of hurdles.

 

Isn't it a 2 way exchange between fob and car so car securely handshakes to check the fob is real and present? Car would not repeat the same handshake codes.... Maybe not....

 

Difficult to see how you could easily jam the car transponder and simultaneously receive the fob on the same frequency and even more difficult to jam and simultaneously transmit and receive as required in step 2.

 

Then I would have thought the rolling codes would advance when the car was locked.

 

But then I suppose some clever Chinese techie could figure it all out.

 

 

 

It's one-way communication between a dumb fob and the car, no handshake. The fob just sends a burst of data, presumably comprising a command (e.g. lock/unlock) and a code that's in a sequence only known by the fob and the car.

 

Almost all vehicle remote fobs, including keyless entry systems, are using 433.920 MHz in Europe. This frequency is licence free within certain RF power and duty cycle limits, and is used by an absolute magnitude of stuff including garage door openers, wireless doorbells, some baby monitors, wireless thermostats etc.

 

All you need to do is have some sort of device in close proximity to the vehicle transmitting on that frequency with a decent amount of power (even 0.1W will overpower a keyfob which is typically on the order of 0.01W RF power). Then have a receiver near the keyfob which is capable of receiving and recording transmissions on 433.920 MHz. This equipment is neither expensive nor difficult to obtain if you know what you are looking for.

 

In the right scenario you could even do it with a single device with two antennas. It's not a sophisticated attack, and far more than feasible, it has been known and working for a very long time.

2 minutes ago, Jelnet said:

Very interesting but presumably quite hard to make work, since the driver is presumably using the car to go to a destination, i.e. get out/lock/unlock and return - of course could work if they were going to pick someone up...

 

This is correct. You'd either have to hope they are not going to lock their car at the destination, or you'd have to follow them to the destination and take the car from there.
