
Thieves Use Proximity Key Fob Relays to Gain Access.

ShadowsPapa

Well-Known Member
First Name
Bill
Joined
Oct 12, 2019
Threads
180
Messages
29,623
Reaction score
35,243
Location
Runnells, Iowa
Vehicle(s)
'22 JTO, '23 JLU, '82 SX4, '73 P. Cardin Javelin
Occupation
Retired auto mechanic, frmr gov't ntwrk security admin
Vehicle Showcase
3
Try it with the vehicle started and then hand the fob away.
That's exactly when it annoys us with my wife's Jeep. As I recall mine simply says fob has left in the display. I don't recall the chimes but would have to try again.
My example of my wife exiting and taking the fob with her was with her Jeep running, in Park. It beeped the whole time she was gone until she returned.

Pull up to airport terminal.
Put Jeep in park, leave engine running.
Wife leaves to go inside airport, takes FOB with her,
Jeep starts yelling at me.
Cluster message fob has left the vehicle.
(hmmm, I wonder if she really did that on purpose)

joeym7

Well-Known Member
First Name
Joe
Joined
Sep 12, 2021
Threads
27
Messages
652
Reaction score
513
Location
east coast
Vehicle(s)
2022 Mojave, 2003 Cadillac STS
Occupation
Retired
Testing theory.

Started with fob inside truck, which would replicate the thief starting it with the relay device.
Handed the fob to my wife in the garage and drove away.

Drove well out of range.
There was no notification or alert from the vehicle that the fob was left behind.

Stopped and powered down, still without the fob. Powered back on, still without the fob, no problem.

Off camera I tested that further and it will let you restart once before it says fob is missing. I didn't get too far away because my helper had to walk the fob back to me if it failed - which it did on the second restart attempt.

So, yes, a thief can keep going, presumably indefinitely, as long as the engine is running. They may even be able to restart once, although that's not 100% proven at greater time and distance.


Thanks for this, very good info to confirm what has been stipulated...What a screwed up design.
 

ShadowsPapa

Thanks for this, very good info to confirm what has been stipulated...What a screwed up design.
They are trying really really hard to idiot proof these things.
The problem is, the world keeps coming up with better idiots, thwarting their plans and messing it up for the rest of us.

It should be like it was 100 years ago. Only those who could handle a team of horses, and, who were mechanically inclined and could fix things on the road, would own and drive a car.
 

NachoRuby

Well-Known Member
First Name
Chad
Joined
Apr 28, 2021
Threads
28
Messages
2,992
Reaction score
4,407
Location
Pennsylvania
Vehicle(s)
'21 JTR , '18 JLU, 73 VW Bug, 97 VW Jetta, all MTs
Interesting. Maybe we'll play with it some more tomorrow.
With the vehicle started, mine immediately says keyfob not in vehicle, once it's removed from the cab. And it won't restart if I shut it off. It says keyfob not detected. Then, if I press start again it tells me to press the keyfob against the start button.

It's very odd that yours let you restart with no keyfob in the truck. Mine barks at me the second the keyfob is held outside the window, even millimeters from the cab
 


joeym7

They are trying really really hard to idiot proof these things.
The problem is, the world keeps coming up with better idiots, thwarting their plans and messing it up for the rest of us.

It should be like it was 100 years ago. Only those who could handle a team of horses, and, who were mechanically inclined and could fix things on the road, would own and drive a car.
Yea, I get that (generally), but to me this was a situation: if it isn't broke, don't fix it... I'm wondering which political group they were trying to appease with this (often the motivation to manifest "stupid" these days ;-)). Was it "Mad-Mothers against having to press a button to get in an automobile"? ;-)
 

ShadowsPapa

With the vehicle started, mine immediately says keyfob not in vehicle, once it's removed from the cab. And it won't restart if I shut it off. It says keyfob not detected. Then, if I press start again it tells me to press the keyfob against the start button.

It's very odd that yours let you restart with no keyfob in the truck. Mine barks at me the second the keyfob is held outside the window, even millimeters from the cab
That's how mine is - and when I was using AlfaOBD to gather some info from my truck, of course you press the start button two times with foot OFF the brake to put it in run mode. While doing all of this, I lost Bluetooth connection and decided to start all over. In the meantime my fob had fallen off the console lid between console and seat. I pressed the button, nothing happened. Being OCD once I realized the fob wasn't on the console lid, I dug around and found it, placed it in the holder between the cup holders this time - everything worked fine.
My point is - even down on the floor sort of under the edge of the seat, mine was a bixxxxxn at me that the fob wasn't there and refused to go into ACC or RUN mode.
 

AmosMoses01

Well-Known Member
First Name
Albert
Joined
Aug 31, 2021
Threads
5
Messages
142
Reaction score
228
Location
Round Rock
Vehicle(s)
2021 Rubicon Gladiator
Occupation
Technology
As an electrical engineer, this design is pretty frustrating. The "good idea fairies" come up with great ideas, but don't think about all the negative and unintended consequences. This could have been designed more securely, albeit likely with some increased BOM costs.

In late 2000's my neighborhood was attacked one evening with something like this relay attack - no vehicles were stolen, but everyone with a 2000's vehicle on my street (all domestic brands and Japanese in origin) had their vehicles opened and items stolen from inside one night. The police said everyone was being complacent and left their vehicles unlocked, to which we just rolled our eyes. Didn't know about the repeaters at the time, but for both my wife and I to leave our vehicles unlocked was extremely hard to believe (A Tahoe and a Subaru Legacy). Neither of us have ever kept/left valuables in the vehicle, so nothing other than some change in a cupholder was lost.

I guess to keep people from driving away with a vehicle we can bring back ye olde "Club" to lock the steering wheel, low tech overriding high tech convenience.
 

ShadowsPapa

As an electrical engineer, this design is pretty frustrating. The "good idea fairies" come up with great ideas, but don't think about all the negative and unintended consequences. This could have been designed more securely, albeit likely with some increased BOM costs.

In late 2000's my neighborhood was attacked one evening with something like this relay attack - no vehicles were stolen, but everyone with a 2000's vehicle on my street (all domestic brands and Japanese in origin) had their vehicles opened and items stolen from inside one night. The police said everyone was being complacent and left their vehicles unlocked, to which we just rolled our eyes. Didn't know about the repeaters at the time, but for both my wife and I to leave our vehicles unlocked was extremely hard to believe (A Tahoe and a Subaru Legacy). Neither of us have ever kept/left valuables in the vehicle, so nothing other than some change in a cupholder was lost.

I guess to keep people from driving away with a vehicle we can bring back ye olde "Club" to lock the steering wheel, low tech overriding high tech convenience.
How about something simple - like a lock that goes through the front axle u-joints. Won't work on the SelecTrac equipped JTs or the newer ones with the CV front axles, but unless they have a bolt cutter........ or flatbed, it would at least slow them down.
Most bad guys rely on easy, least amount of time, biggest gain for the time spent. If it takes too much time for the gain, they move to something easier.
But then that won't work when at the grocery store or to have to do that every time you park in your own garage.

Frankly, I'm ready for a vehicle with a retina scanner or a fingerprint reader. Can't easily unlock my phone unless you duplicate my fingerprint (I said can't EASILY do it - I'm sure there's a way).
 

ecidiego

Well-Known Member
First Name
Chris
Joined
Nov 3, 2021
Threads
55
Messages
2,910
Reaction score
4,317
Location
San Diego
Vehicle(s)
2021 Gladiator Mojave
Occupation
IT
This thread saved me $350 I can tell you that. Glad the backorder on the prox harnesses slowed me down.
 


NachoRuby

This thread saved me $350 I can tell you that. Glad the backorder on the prox harnesses slowed me down.
You still have a proximity key. Even without the harness. You're no safer, unfortunately. We all have proximity keys. It's how the key knows if it's inside the Jeep or not. They steal the signal when the Jeep talks to the fob. But this works even without proximity keys. They steal the signal when you push a button in that case.

There's no way to opt out. I guess manual locks with no chips. But then you can just hotwire it. The base sport key is also a proximity key.

So you'd need to have manual everything, and no chip in your key (like up until the 90s on many cars.) But then, you can just touch two wires together to start it, so that's not safer either.
 

ecidiego

You still have a proximity key. Even without the harness. You're no safer, unfortunately. We all have proximity keys. It's how the key knows if it's inside the Jeep or not. They steal the signal when the Jeep talks to the fob.
The door won't unlock for someone walking down the street at night relaying passive entry RF. They'd have to use HackRF and capture a code. Much more work, stalking me for fob press etc. They'll have to resort to window smash to get inside which is more work than just opening every door on street with a simple relay attack.

One option to overcome all of this is to pull the RFID chip out of the fob and just not use the fob at all. This is how you can start the truck with a dead fob. One of the fob vendors sells a key nub that holds it. Only annoying part is holding the RFID right up to the button for each start. If you eliminate the fob all of these RF attacks are dead.

Naturally you could just use a dead fob for this but why carry the bulky thing.
 

NachoRuby

The door won't unlock for someone walking down the street at night relaying passive entry RF. They'd have to use HackRF and capture a code. Much more work, stalking me for fob press etc. They'll have to resort to window smash to get inside which is more work than just opening every door on street with a simple relay attack
That's exactly how they do it. They stalk. They do recon. They steal your keycode, and can then duplicate the RF signal, even if you don't have proximity locks. They crack the encryption. They can steal the "unlock" button on the keyfob. That's been a thing since forever on garages and on vehicles.
Also. Let's not forget, you don't need to smash a window to get in. Any locksmith (so presumably any professional thief) can get in without breaking anything. They just pick the physical lock.
 

ecidiego

That's exactly how they do it. They stalk. They do recon. They steal your keycode, and can then duplicate the RF signal, even if you don't have proximity locks. They crack the encryption. They can steal the "unlock" button on the keyfob. That's been a thing since forever on garages and on vehicles.
See option B I posted.

Much of this is about eliminating X percentage of thieves. Replay attacks are easy and require no recon. Eliminate the replay attack. Not to mention, I can just use the key to lock/unlock and never press the buttons. Couple that with the RFID use instead of proximity, all of those vectors are gone.
 

NachoRuby

See option B I posted.

Much of this is about eliminating X percentage of thieves. Replay attacks are easy and require no recon. Eliminate the replay attack.
Yes, I guess. But thieves using these methods aren't low level. I'm sure all know how to pick a physical lock too. We're not talking about neighborhood crackheads or something. These guys are professionals. They know exactly what they want to steal. They do recon, and they wait for the opportunity. They have lock picking tools too.
They don't just happen upon a car. They know in advance what they want to steal and how to do it without anyone noticing. They aren't smashing windows.