Thieves Use Proximity Key Fob Relays to Gain Access.

Almost

Well-Known Member
First Name
Shawn
Joined
Nov 11, 2021
Threads
4
Messages
368
Reaction score
485
Location
New Jersey
Vehicle(s)
2022 JTRD & 09 JKU
This is rampant in North Jersey along the I-78 corridor. Affluent homes minutes from the highway and about 20 min from the ports in Newark. They will scout during the day at shopping malls etc. for high end cars and follow them home and come back later at night. Happens pretty much daily around here. Had a friend have his car stolen out of the driveway with his dad right there in the garage in the morning. They’re pretty brazen.
 

ShadowsPapa

Well-Known Member
First Name
Bill
Joined
Oct 12, 2019
Threads
247
Messages
40,465
Reaction score
53,924
Location
Runnells, Iowa
Vehicle(s)
'25 JTMX, '23 JLU 4xe, '82 SX4, '73 Javelin
Occupation
Retired auto mechanic, frmr gov't ntwrk security admin
Vehicle Showcase
3
Or when they got in all they could smell is rotting whale stench with a hint of summers eve
This is a perfect example of why I wish this forum allowed me to hit 100 likes, especially the laughing one.
 

Deleted member 47279

Not Gladiator specific, but worth knowing.



Thieves boost the key fob signal using two devices. A repeater near your home or person repeats the signal to the partner standing next to your car, enabling a proximity signal that unlocks the doors and allows the vehicle to be started and driven.
Sounds like a standard replay attack. but seriously my FOB must be in close ass range to start. im sure its a threat, but doors are normally off anyways and i have to be close by. its a risk, but idk if its that high.
 

ShadowsPapa

Yeah, until they jump in, realize it’s a 6 speed manual and then run away

How funny would it be if they spent all that work to get it unlocked, hop in and realize it’s a 6 speed manual and then don’t know what to do.
Heck, there's even employees of car dealerships that can't drive a silly stick. I ran into that with my SX4 - took it for some tire work. The guy saw the year and asked if it was a manual - yeah, T5 - "OK, I'll have to have Jim work on it, he can drive a stick".
And I thought - when I was working on cars for a living there wasn't much of anything I couldn't drive (semi tractor - no, let the pros operate those)
 

Deleted member 47279

My pistol is faster than their repeater.
well depends on the situation. most crimes like this are very targeted. technology is normally not so easy to match different manufacturers implementation, so its specific to that radio and ive seen tests like this fail cause of slight changes. while im sure you have speed, i bet you wouldnt even know whats happening till you see the taillights.
 

ShadowsPapa

technology is normally not so easy to match different manufacturers implementation, so its specific to that radio and ive seen tests like this fail cause of slight changes.
Got that right. I was in IT for several years - it's amazing the things that were supposed to be "Standards" but still didn't work with each other. There are still times that Bluetooth doesn't cooperate because one maker leans to one side of a "standard" or does their own thing "because it's better". I found out when using a Bluetooth bridge to connect cell phones to my home phones in the past. Some phones worked great, others not so much. Even today some phones work better with some BT radios than others.
It doesn't take much to throw things off and with automotive, you can bet they are specializing a bit - they'd have to. What works on GM products may well not work so well with Jeep or whatever.

I worked with a guy who was taking time off from being a professor of computer science so he could work a couple of years in the real world. His favorite saying "the nice thing about computer standards is there's so many to choose from".
 

Deleted member 47279

Got that right. I was in IT for several years - it's amazing the things that were supposed to be "Standards" but still didn't work with each other. There are still times that Bluetooth doesn't cooperate because one maker leans to one side of a "standard" or does their own thing "because it's better". I found out when using a Bluetooth bridge to connect cell phones to my home phones in the past. Some phones worked great, others not so much. Even today some phones work better with some BT radios than others.
It doesn't take much to throw things off and with automotive, you can bet they are specializing a bit - they'd have to. What works on GM products may well not work so well with Jeep or whatever.

I worked with a guy who was taking time off from being a professor of computer science so he could work a couple of years in the real world. His favorite saying "the nice thing about computer standards is there's so many to choose from".
https://s34s0n.github.io/2019/07/18/Jam-and-Replay-Attacks-on-Vehicular-Keyless-Entry-Systems/

exactly. check this out. i have a hackRF. i should do it for the lulz.
 

cuellar13

Well-Known Member
First Name
Marty
Joined
Mar 25, 2021
Threads
16
Messages
488
Reaction score
796
Location
Tampa Bay, Florida
Vehicle(s)
2022 RAM, 2021 Bronco Big Bend, 1966 GMC Stepside
Occupation
Director of Recruitment for Pharma/Biotech/Device Consulting Firm
I keep all of our fobs in a faraday box. Signal can't penetrate for them to repeat it. Here in the Tampa Bay Area (last year, I believe), there were 3 Jeeps (2 JLs and a JT) stolen simultaneously one night, in the same neighborhood, using repeaters. All within seconds of each other. Toll cameras picked up the plates just outside of Miami before morning traffic started, all driving together. Local news did a story on it. I bought a faraday box after reading the story. Cheap extra insurance. You can make your own, too.
 

ShadowsPapa

Very simple to do because of how the vehicle's security is so simple.
These actually must be able to assume the button will be pressed out of range, in a pocket, whatever, so they have to buffer past codes or a single press or two out of range and you are locked out.
Unlocking would be extremely simple. Capture a code while jamming the ability to receive. The vehicle never knows a code was sent. It's still listening for one.
It's too bad these don't operate under something like a VPN so the codes are sent inside an encrypted tunnel.
The problem with this is the conditions have to be just right for you to be able to use the "hack".
I am always close enough to my vehicle..... no way for anyone in between, and once I've unlocked and gotten in, unless they follow me home (which I suppose IS possible) what would you do with the code you captured in the parking lot?
How many codes do these vehicles buffer?
Due to the human safety issue, I don't unlock my vehicle unless I am close enough to it to see what and who is around, especially if my wife is with me. Only when she is at the door does it get unlocked - and only when I see who else is around.
People, WOMEN, have been kidnapped and worse, from Walmart parking lots. Situational awareness is important.
Our garage is not attached - the overhead doors are insulated aluminum and the entry door is steel. So the fobs can't actually communicate easily with the vehicles once we get into the house and the garage doors are closed.
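
Added example, not part of any post in this thread and not any manufacturer's code: a toy rolling-code receiver showing the look-ahead buffer the post above asks about, why a code the vehicle never heard stays acceptable, and when out-of-range presses leave the fob out of sync. The HMAC construction, the window of 16 and the key are assumptions chosen for illustration.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead size; the thread does not give the real one

def rolling_code(key: bytes, counter: int) -> bytes:
    """Code for press number `counter`: truncated HMAC-SHA256 of the counter."""
    msg = counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Receiver:
    """Vehicle side: remembers the last accepted counter."""

    def __init__(self, key: bytes, window: int = WINDOW):
        self.key, self.window, self.last = key, window, 0

    def accept(self, received: bytes) -> bool:
        # The fob may have been pressed out of range, so try the next
        # `window` counters rather than only last + 1.
        for c in range(self.last + 1, self.last + 1 + self.window):
            if hmac.compare_digest(received, rolling_code(self.key, c)):
                self.last = c  # codes for counters <= c are dead from here on
                return True
        return False

def run_scenarios() -> dict:
    key = b"constructed-demo-key"  # constructed sample key
    out = {}

    rx = Receiver(key)
    out["first_press"] = rx.accept(rolling_code(key, 1))
    out["same_code_again"] = rx.accept(rolling_code(key, 1))
    # Press 2 was transmitted but never received: it is still acceptable.
    out["unheard_code_later"] = rx.accept(rolling_code(key, 2))

    rx = Receiver(key)
    rx.accept(rolling_code(key, 1))
    rx.accept(rolling_code(key, 3))  # a newer press got through
    out["unheard_after_newer"] = rx.accept(rolling_code(key, 2))

    rx = Receiver(key)
    # 20 presses in a pocket, then press 21 in range: outside the window.
    out["beyond_window"] = rx.accept(rolling_code(key, 21))
    out["edge_of_window"] = rx.accept(rolling_code(key, 16))
    return out

if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:22} {'accepted' if ok else 'rejected'}")
```

An unheard code dies as soon as the receiver accepts any newer one, which is why the second scenario rejects it.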
 

ShadowsPapa

I keep all of our fobs in a faraday box. Signal can't penetrate for them to repeat it. Here in the Tampa Bay Area (last year, I believe), there were 3 Jeeps (2 JLs and a JT) stolen simultaneously one night, in the same neighborhood, using repeaters. All within seconds of each other. Toll cameras picked up the plates just outside of Miami before morning traffic started, all driving together. Local news did a story on it. I bought a faraday box after reading the story. Cheap extra insurance. You can make your own, too.
In my experience, it doesn't take a lot to block the signals. They aren't overly powerful. But for a 50K vehicle, more is better!
We live in a rural area. We can see all around us for the most part, any vehicle acting strangely around here gets photographed or a video made, and/or I walk out the door and approach. Done that ever since we got up one morning and all of the Christmas display I had in the front yard 20' from the big front window was GONE.
Otherwise, it's been pretty quiet around here. The only break-ins were years ago, and they were targeting guns.
 

Deleted member 47279

I keep all of our fobs in a faraday box. Signal can't penetrate for them to repeat it. Here in the Tampa Bay Area (last year, I believe), there were 3 Jeeps (2 JLs and a JT) stolen simultaneously one night, in the same neighborhood, using repeaters. All within seconds of each other. Toll cameras picked up the plates just outside of Miami before morning traffic started, all driving together. Local news did a story on it. I bought a faraday box after reading the story. Cheap extra insurance. You can make your own, too.
that makes sense. most likely they were told this repeater will only work with these year jeeps. JL & JT exact same FOB security. I honestly havent thought about it, as long as they replay the signal within the jeep it will start once and drive until shut down. thats something i never agreed with on these. idk why they continue to leave that.
 

ShadowsPapa

that makes sense. most likely they were told this repeater will only work with these year jeeps. JL & JT exact same FOB security. I honestly havent thought about it, as long as they replay the signal within the jeep it will start once and drive until shut down. thats something i never agreed with on these. idk why they continue to leave that.
OK, edumacate me on sumptin.

Unlock door - button press, they capture the first one, jam the truck getting it.
You press a second time and when they capture that one they unjam and send the first to the truck to unlock it.
You get in, press brake pedal if automatic, press the ign button and it TIP starts. No button press needed.
So if you have the fob inside, press the TRUCK's button to start, never touching the fob, why would their signal not work to start the truck later?
Is there a code sent from the truck to the FOB saying "ok, we're starting, change your signal now"?
Why would what the truck needs to see to start change after they get away with it and then try to start it again later?

It would have to tell the FOB that once it is started to change because you don't press buttons to start or stop the truck.
I have the fob with me - touching nothing at all, no buttons, nothing, and I can get in and out and start it with the same fob, again, never touching anything, as often as I want.
So unless there's a response from the truck telling the fob that it's started -
It also knows when the fob has left the building, and it knows when it returns.
I wonder - could I leave the truck, truck running, put my fob in the house and get the second fob and get in and drive away? How would it respond?
 

Gvsukids

Well-Known Member
First Name
Justin
Joined
Mar 7, 2020
Threads
26
Messages
7,302
Reaction score
6,942
Location
Grand Rapids
Website
www.youtube.com
Vehicle(s)
2020 Gladiator Sport S Max Tow
Occupation
Delivery Driver
I wonder - could I leave the truck, truck running, put my fob in the house and get the second fob and get in and drive away? How would it respond?
Just fine. Fobs give off the same signal.
 

ShadowsPapa

Just fine. Fobs give off the same signal.
They used to be programmed in as FOB 1, FOB 2, FOB 3, FOB 4. They could be very different FOBS and the vehicle was programmed to recognize the FOB. I had 4 set up with my other Grand Cherokee. 1 was bought from eBay, two were ones from a different year but same platform and one was an original. You told it to listen for the FOB signal and accept that FOB.
So they were actually different signals, but the Jeep was told to respond to any of them.
So the signals the Jeep sees must be different. You have to have a PIN to register a new FOB with the BCM.
I know these things can freak out if you lock it one way and try to unlock it a different way.
 

Deleted member 47279

replay attacks dont care whats being sent. all they do is buffer and replay the RF. so your FOB could have some smart capability, but most likely its just sending out an identifier over agreed upon encryption or even worse it could be rolling codes. in this instance replay removes the barrier to break any encryption or security, by just replaying the existing signal from your fob inside your house. the reason it would work is cause theres nothing in the authentication that says you need another factor like a button press or code. by having the repeater outside the jeep the software would allow the doors to open, then by having the repeater inside the jeep the "security" settings would detect the signal within the cabin via strength and start the jeep. once you drive to the destination you would no longer have the fob within repeatable distance hence you couldnt drive unless you added another key via programming which has been shown to be done via third party software for mopar vehicles. seen with hellcats. also using another fob would work, because like i said the fob is transmitting an identifier that was added as a "trusted" key in the software hence you could drive away. from a security POV its stupid, yet the business case is usability and idiots losing fobs so there needs to be a way to add keys.
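
Added example, not part of any post in this thread and not any vehicle's firmware: a model of the point made above that a forwarded fob signal passes authentication whatever cryptography is used, next to a round-trip-time bound that rejects it. The challenge-response exchange, the key and every timing figure are assumptions constructed for illustration, not measurements.

```python
import hashlib
import hmac
import os

KEY = b"constructed-shared-key"  # constructed sample key
DIRECT_RTT_US = 40               # assumed round trip with the fob at the car
RELAY_EXTRA_US = 900             # assumed delay added by two repeater hops

def fob_response(key: bytes, challenge: bytes) -> bytes:
    """Fob side: prove knowledge of the key for this fresh challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def direct_link(challenge: bytes):
    return fob_response(KEY, challenge), DIRECT_RTT_US

def relayed_link(challenge: bytes):
    # Repeaters forward both messages unchanged; they never need the key.
    response, rtt_us = direct_link(challenge)
    return response, rtt_us + RELAY_EXTRA_US

def recorded_link(challenge: bytes):
    # An answer captured for an earlier challenge, sent back later.
    return fob_response(KEY, b"\x00" * 16), DIRECT_RTT_US

def car_authenticates(link, max_rtt_us=None) -> bool:
    challenge = os.urandom(16)  # fresh per attempt
    response, rtt_us = link(challenge)
    if not hmac.compare_digest(response, fob_response(KEY, challenge)):
        return False
    # The MAC proves the fob answered, not that the fob is nearby.
    return max_rtt_us is None or rtt_us <= max_rtt_us

def run_checks() -> dict:
    return {
        "direct_no_bound": car_authenticates(direct_link),
        "relay_no_bound": car_authenticates(relayed_link),
        "recorded_answer": car_authenticates(recorded_link),
        "direct_bounded": car_authenticates(direct_link, max_rtt_us=100),
        "relay_bounded": car_authenticates(relayed_link, max_rtt_us=100),
    }

if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:16} {'accepted' if ok else 'rejected'}")
```

A Faraday box works at a different layer: the fob never receives the challenge, so there is no response to forward.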