Remote keyless entry systems with rolling code: are transmitters really clonable?

Yes, that also works.

Well, IMO there is no excuse for bad security of car keys. Replacement keys seem to cost well beyond $50 and decent processor costs 30 cents. And keys seem to have fancy functions that require processor (and probably also two way communication)

--
                              Waldek Hebisch
Reply to
Waldek Hebisch

I don't know of any keys/fobs with two way communication. It would simplify some things but make others more complicated. I worked on one a long time ago but it was never produced. It was not intended for cars and that might have made it harder.

Reply to
Paul Rubin

Most modern keys have two systems - a remote door lock and a separate RFID chip to arm the ignition. The RFID is two-way - the car pings and the chip responds.

Reply to
Clifford Heath

Dealer was able to read from the key mileage of my car. How could this happen without two way communication?

--
                              Waldek Hebisch
Reply to
Waldek Hebisch

Very interesting. I had not heard of that before. Thanks.

Reply to
Paul Rubin

On 15.12.2015 at 15:21, snipped-for-privacy@kapsi.spam.stop.fi.invalid wrote:

That's going to be very hard to do in practice. Usually there is just not enough spatial separation between the user and the car in that moment, and not enough time to set things up, because most people will walk only very few steps before they press their lock button.

You would have seconds at most to move quite a bit of tech smack into the line-of-sight between the two. And receiving the very same signal coming from the right that you're trying to keep from reaching its intended receiver that's only a meter or two behind you requires some pretty finely tuned EM field manipulation. As in: antennas, and weird ones, too.

So now you're suspiciously standing there smack between the guy and his car, having basically jumped into that spot, just as his key failed, and you're wielding some rather conspicuous gear. Not a good way to avoid being found out.

If the user knows their car well, they may even notice the delay caused by this.

Reply to
Hans-Bernhard Bröker

Never heard of keyless entry and start systems, where you only need to have the key with you, but no need to take it out and press any buttons, then?

Those do use two-way comms. They don't radio quite as far as your usual remote lock fob, though.

And yes, the theft protection system is RFID, i.e. two-way, too.

Reply to
Hans-Bernhard Bröker

I guess I've heard of those but never seen one up close, so ok.

I've seen keys with RFID but I don't think of that as similar to a remote.

Reply to
Paul Rubin

BMW has been doing that for about a decade now, I think.

Reply to
Hans-Bernhard Bröker

You either plant the device in a parking spot, and wait and see who pulls up, or plant the device on the car in a targeted attack.

-a

Reply to
Anders.Montonen

I agree. You have to transmit enough power to stop the car hearing the fob, while still hearing it yourself. Unless you have two devices, your own transmit power will swamp your own receiver more than it swamps the car's one.

Sure, it's been demonstrated at DEFCON, but that doesn't mean it would be easy to put into practice.

Reply to
Clifford Heath

The power consumption of a clock is negligible. Digital watches can run for over a year on a tiny cell, and they're also driving the LCD. A fob needs to power a transmitter; each button press will use what the clock uses in a month.

Fixed rolling codes are vulnerable to interception attacks. The attacker receives one code while preventing the car from receiving it. Then it does the same for several following codes. Then it transmits the first code, unlocking the car, and keeps the following codes for later use.

Executing such an attack isn't trivial (you have to interfere with the car's reception without interfering with your own), but if you can manage it, it doesn't matter how good the crypto is.

The point about a clock is that the receiver's clock advances automatically. So long as at least one code is accepted, any codes transmitted around that time will expire almost instantly.

It's effectively a challenge-response system without the need to actually transmit a challenge. The fact that the challenge is known well in advance only helps if you can break the crypto.

Probably not even one second. A 32-bit timestamp with one-second granularity rolls over every 136 years. And rollover doesn't really matter. If you transmit with a different code ten times per second and it rolls over after 13.6 years, no-one is going to wait that long to break into your car.

Reply to
Nobody
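The two receiver designs discussed in this post, as an added simulation that is not code from any poster or product. It models a counter-based rolling code and a timestamp-based one with the same simplified packet format (a 32-bit value plus a truncated keyed MAC, an assumption standing in for the encrypted counter of real schemes such as KeeLoq), then feeds both receivers the delivery sequence described above: two presses that never reach the car, the first delivered three seconds later, the second an hour later. The constructed key, the five-second clock tolerance and the 256-entry counter window are all assumptions for the demo.

```python
"""Receiver-side comparison of counter-based and time-based rolling codes.

Added demonstration, not code from the thread. The packet format (plaintext
counter or timestamp plus a truncated HMAC tag) is a deliberate simplification
of real fob protocols, which encrypt the counter instead.
"""
import hashlib
import hmac
import struct

FOB_KEY = b"constructed-demo-fob-secret"   # per-fob secret shared with the car (constructed)
TAG_LEN = 4                                 # truncated tag, as in short over-the-air packets


def make_code(key: bytes, value: int) -> bytes:
    """Build a code from a 32-bit value (press counter or timestamp) and a keyed tag."""
    body = struct.pack(">I", value & 0xFFFFFFFF)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def parse_code(key: bytes, code: bytes):
    """Return the 32-bit value if the tag verifies under this key, else None."""
    body, tag = code[:4], code[4:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if len(body) != 4 or not hmac.compare_digest(tag, expected):
        return None
    return struct.unpack(">I", body)[0]


class CounterReceiver:
    """Classic rolling code: accept any counter ahead of the last one, within a window."""

    def __init__(self, key: bytes, window: int = 256):
        self.key, self.window, self.last = key, window, 0

    def accept(self, code: bytes, now: float) -> bool:
        ctr = parse_code(self.key, code)
        if ctr is None or not (self.last < ctr <= self.last + self.window):
            return False
        self.last = ctr   # a captured code stays valid until a newer one is seen
        return True


class TimeReceiver:
    """Time-based code: the value is the fob's clock; the car's own clock bounds its age."""

    def __init__(self, key: bytes, tolerance: float = 5.0):
        self.key, self.tolerance, self.last = key, tolerance, -1

    def accept(self, code: bytes, now: float) -> bool:
        ts = parse_code(self.key, code)
        if ts is None or ts <= self.last or abs(now - ts) > self.tolerance:
            return False
        self.last = ts    # also blocks re-sending the same second's code
        return True


class Fob:
    """Transmitter side: emits a press counter, or the current time if time_based."""

    def __init__(self, key: bytes, time_based: bool):
        self.key, self.time_based, self.counter = key, time_based, 0

    def press(self, now: float) -> bytes:
        self.counter += 1
        return make_code(self.key, int(now) if self.time_based else self.counter)


def run_scenario(time_based: bool) -> dict:
    """Two presses are captured but not delivered; each is delivered later."""
    rx = TimeReceiver(FOB_KEY) if time_based else CounterReceiver(FOB_KEY)
    fob = Fob(FOB_KEY, time_based)
    first = fob.press(0.0)    # press at t=0, never reaches the car
    second = fob.press(3.0)   # press at t=3, never reaches the car
    return {
        "first_delivered_at_t3": rx.accept(first, now=3.0),
        "second_delivered_at_t3600": rx.accept(second, now=3600.0),
        "second_repeated_at_t3601": rx.accept(second, now=3601.0),
    }


def rollover_years(bits: int, rate_hz: float) -> float:
    """Years until a `bits`-wide value advancing `rate_hz` times per second wraps."""
    return 2 ** bits / (rate_hz * 365.25 * 86400)


if __name__ == "__main__":
    print("counter-based:", run_scenario(time_based=False))
    print("time-based:   ", run_scenario(time_based=True))
    print("32-bit @1 Hz wraps after %.1f years" % rollover_years(32, 1))
    print("32-bit @10 Hz wraps after %.1f years" % rollover_years(32, 10))
```

The counter receiver accepts both delayed codes because each counter is still ahead of the last one it saw; the time receiver accepts the first one (delivered within tolerance) and rejects the second an hour later, which is the "expire almost instantly" behaviour the post describes. The `rollover_years` helper reproduces the 136-year and 13.6-year figures from the post.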

On 2015-12-16 Hans-Bernhard Bröker wrote in comp.arch.embedded:

But the bad guys have found a solution for that: amplify the signals so a key in your house will start your car. Then drive off (the car keeps driving without key as long as you don't switch it off) to a safe place and have all the time you need to hack or strip the car.

I'm not sure this has actually been done or if it was only suggested as a theoretical attack.

--
Stef    (remove caps, dashes and .invalid from e-mail address to reply by mail) 

Someone will try to honk your nose today.
Reply to
Stef

Man in the middle attack, which you CAN use on boundaries of wifi, see various quotes and articles about using drones to do this.

The emphasis is on "middle" as you have to be between so your signal can be stronger than the originator.

--
Paul Carpenter          | paul@pcserviceselectronics.co.uk 
    PC Services 
Reply to
Paul
