1. Attachments are working again! Check out this thread for more details and to report any other bugs.

Keyless-Entry Cars Vulnerable to Silent Theft

Discussion in 'Gen 3 Prius Main Forum' started by KyleT, May 9, 2015.

  1. KyleT

    KyleT Junior Member

    Joined:
    Jun 3, 2013
    40
    8
    0
    Location:
    Western Washington
    Vehicle:
    2013 Prius
    Model:
    Two
    It sounds like everyone assumes that the "secrete device" to unlock a keyless-entry car is a signal amplifier while there is no proof that there is such thing out there.

    I don't know about other brands but there is a flaw in the keyless-entry (or smart key) system in Toyota and it is a known problem. In certain condition the car's door can unlock or lock without human interaction. (I don't want to reveal what it is yet.) Unfortunately, that "certain condition" can be duplicated easily by anyone from 1-120 years old. I haven't tried it yet but in theory it should work.
     
    #41 KyleT, Jun 15, 2015
    Last edited: Jun 15, 2015
  2. bisco

    bisco cookie crumbler

    Joined:
    May 11, 2005
    110,134
    50,050
    0
    Location:
    boston
    Vehicle:
    2012 Prius Plug-in
    Model:
    Plug-in Base
  3. law

    law Member

    Joined:
    May 2, 2015
    188
    33
    0
    Location:
    CA
    Vehicle:
    2015 Prius
    Model:
    Persona
    Has any prius had break in in CA? This makes me so paranoid.
     
  4. bisco

    bisco cookie crumbler

    Joined:
    May 11, 2005
    110,134
    50,050
    0
    Location:
    boston
    Vehicle:
    2012 Prius Plug-in
    Model:
    Plug-in Base
    oh ya, one of the highest theft rates. and now they're stealing wheels and batteries too!:eek:
     
  5. hojman

    hojman Junior Member

    Joined:
    Nov 9, 2011
    2
    0
    0
    Location:
    Los Angeles
    Vehicle:
    2011 Prius
    Model:
    Two
    I live near Santa Monica and had my car broken into twice and I'm guessing they used this method as there was no other signs of forced entry. I have tested wrapping the FOB in aluminum foil and putting it in an Altoid like metal box and both work as I was not able to open the door with SKS. My back up FOB is now wrapped in aluminum foil and my primary is stored in the metal box when I am at home. This is giving me some peace of mind but we shall see if this works. The RFid pouches (Travelon Safe Zip Id Pouch that i found at TJ Maxx
    ) did not work for me. Went to the dealer in Santa Monica and they said that they had no clue how to disable the SKS entry and said that they would need the car for a whole day and charge me $150 IF they figured out how to do it since I have the Model Two without the nav screen which is apparently pretty easy to do.
     
    #45 hojman, Jun 15, 2015
    Last edited: Jun 15, 2015
  6. bisco

    bisco cookie crumbler

    Joined:
    May 11, 2005
    110,134
    50,050
    0
    Location:
    boston
    Vehicle:
    2012 Prius Plug-in
    Model:
    Plug-in Base
    santa monica? what has this world come to???
     
  7. law

    law Member

    Joined:
    May 2, 2015
    188
    33
    0
    Location:
    CA
    Vehicle:
    2015 Prius
    Model:
    Persona
    That's so shitty. Keyless entry was the one option I wanted in a new car because I find it so convenient. I'm at Inland Empire hopefully people aren't as savy here...lol
     
  8. bisco

    bisco cookie crumbler

    Joined:
    May 11, 2005
    110,134
    50,050
    0
    Location:
    boston
    Vehicle:
    2012 Prius Plug-in
    Model:
    Plug-in Base
    i'm rethinking 10 years of prius ownership. i wonder why my insurance rates haven't gone up?(n)
     
  9. law

    law Member

    Joined:
    May 2, 2015
    188
    33
    0
    Location:
    CA
    Vehicle:
    2015 Prius
    Model:
    Persona
    Outside of putting our key in something is there anything else you can do? Toyota doing anything about it?

    I couldn't imagine going shopping and leaving something in the car then coming back and it's gone.
     
  10. bisco

    bisco cookie crumbler

    Joined:
    May 11, 2005
    110,134
    50,050
    0
    Location:
    boston
    Vehicle:
    2012 Prius Plug-in
    Model:
    Plug-in Base
    toyota doesn't seem to care, no skin off of their back. besides, the crooks are always one step ahead of the good guys.
     
  11. law

    law Member

    Joined:
    May 2, 2015
    188
    33
    0
    Location:
    CA
    Vehicle:
    2015 Prius
    Model:
    Persona
    I didn't read all the post, but I assume whatever these thiefs are using has a range? So if I'm far enough from my car they can't get in?
     
  12. bisco

    bisco cookie crumbler

    Joined:
    May 11, 2005
    110,134
    50,050
    0
    Location:
    boston
    Vehicle:
    2012 Prius Plug-in
    Model:
    Plug-in Base
    that's my take from it. they must watch for prius pulling into parking lots and etc., then grab it as you are walking away. maybe you can keep an eye on it until you're out of range.
     
  13. law

    law Member

    Joined:
    May 2, 2015
    188
    33
    0
    Location:
    CA
    Vehicle:
    2015 Prius
    Model:
    Persona
    I see. I assume this is the same thing with any car with keyless entry? My Audi has the same thing... sigh..lol
     
  14. bisco

    bisco cookie crumbler

    Joined:
    May 11, 2005
    110,134
    50,050
    0
    Location:
    boston
    Vehicle:
    2012 Prius Plug-in
    Model:
    Plug-in Base
    according to post #37, once you're out of sks range, you're okay. so be sure the key is far enough away from the car at home.
     
  15. law

    law Member

    Joined:
    May 2, 2015
    188
    33
    0
    Location:
    CA
    Vehicle:
    2015 Prius
    Model:
    Persona
    this is so boooshy. Thanks for info Bisco
     
  16. bisco

    bisco cookie crumbler

    Joined:
    May 11, 2005
    110,134
    50,050
    0
    Location:
    boston
    Vehicle:
    2012 Prius Plug-in
    Model:
    Plug-in Base
    pleasure.
     
  17. kbeck

    kbeck Active Member

    Joined:
    Feb 10, 2010
    420
    275
    0
    Location:
    Metuchen, NJ
    Vehicle:
    2010 Prius
    Model:
    III
    OK, let me take a whack at this.

    First, if I understand this correctly, one takes one's wireless fob and places it near the car. Let's say the car is transmitting with some microwatt/milliwatt signal source at 115 kHz; that's about 1/3 of the base frequency in the AM Radio band, which starts around 540 kHz. Remember that the fob doesn't have a decent AM antenna like your cheapest AM radio tends to have, so it'll be some near-field thing, which is what Toyota is trying for.

    Amplifiers in that range are trivial to make. As an amateur radio operator, I know that there's people who mess about at even lower frequencies than this with kilowatt amplifiers, the kind where when one coughs, the lights in the house flicker. But a 10W amplifier is not a problem and can run off of batteries. So, the difference in signal level goes 1 mW to 10W -> 10log(10/0.001) or about 40 dB. If one had to be 5 feet away to activate the fob; well, power level drops by the square of the distance. Doubling the distance quarters the power (I think, it's been a while), so let's say 6 dB for each double-distance. 40/6 = 6.66 doublings, so 5*2*2*2*2*2*2 or so gives us 5*64 = 320 feet, a football field. Even throwing in the attenuation of the walls of the building, that means that a nearby house (say, the car is parked on the street) will be permeated by the signal. If the fob is 600 feet away, no dice, unless our miscreant is running a 100 W amplifier, unlikely.

    Now, let's take the opposite direction, 314 MHz. Now, it takes a bit more skill to make an amp that runs at 314 MHz; but one can chase over to Microcircuit and get modules that push out 30 dB or 50 dB of gain at that frequency for $100 to $300 bucks. Maybe less, I haven't priced them recently. And if the People Unknown who are building these boxes that the miscreants are using are halfway competent, they can build an amplifier, parts and all, for $30 bucks and change. Less in quantity. (What do you think are in cell phones? Answer: Lots and lots of amplifiers and emitters, and a cheapie, non-smart phone goes for less than $30, anyway).

    Next: At 300 MHz the wavelength is a lot shorter. With a shorter wavelength (we're talking around a meter, here) it's much easier to make a decent antenna; so it's a good bet that the fob is dumping out 50 mW or so of energy at 300 MHz. You guys might think this strange, but there are amateur radio operators who make a hobby of seeing just how far they can send a low amplitude signal. Admittedly, they're doing this in the HF radio band where one can bounce radio signals against the ionosphere; but there are 6,000 mile distance records for 100 mW transmitters. Now, this 300 MHz signal does have to get through the walls of the building (unless one put the fob near a window..), but 300 MHz penetrates fairly well. Put a 20 dB to 30 dB gain radio amp in the miscreant's box, and there you have it:
    1. Miscreant turns on box, it amplifies the SKS signal the car puts out, and blasts it over the neighborhood. (AM radio goes right through walls, no problem.)
    2. Fob sees signal, responds. It's a little weak, but the miscreant's box has another amplifier at 300 MHz, and blasts this out at the car.. Which is designed to pick up a weak signal, the better for it to work.
    3. Miscreant opens up car and walks away with your stuff.
    If one is a couple of football fields away this won't work, for sure. But cars parked out front.. Easy.

    Foiling the attack means either turning off the fob with a switch or putting it inside a wrap of aluminum foil or an Altoids box. Note that this is not a case of encryption keys getting broken; the car is sending the right key, the fob is transmitting the right key, it's all just happening a lot farther apart than expected.

    I suppose one way to fix this would be to put in a "radar" function. Light travels at 2 ns per foot, roughly, so a fob 5 feet away would have a round-trip-delay excluding hardware of 10 feet or 5 ns, but if it was 30 feet away the round-trip delay would be 60/2 = 30 ns, and that difference might be detectable. Hm. I work on hardware that keeps track of bits on the 10's of picosecond level, but that's $$.

    Hm. I wonder what the crowds over at TI and Siemens are trying to come up with now to defeat the hack? And what the bad guys would do to defeat the fix. (Different pulse trains at different pulse repetition rates, using frequency hopping, etc. If this sounds like Electromagnetic Warfare.. It's because it is. :))

    Fun.

    KBeck.
     
    Nora likes this.
  18. bisco

    bisco cookie crumbler

    Joined:
    May 11, 2005
    110,134
    50,050
    0
    Location:
    boston
    Vehicle:
    2012 Prius Plug-in
    Model:
    Plug-in Base
    can they also start the car?
     
  19. ILuvMyPriusToo

    ILuvMyPriusToo Senior Member

    Joined:
    Dec 4, 2014
    778
    514
    0
    Location:
    Outside Philly, PA
    Vehicle:
    2009 Prius
    Model:
    II
    Sounds like yes, it would be a normal handshake.
     
  20. qdllc

    qdllc Senior Member

    Joined:
    Aug 25, 2013
    1,370
    399
    0
    Vehicle:
    2013 Prius
    Model:
    Two
    I can't say this would help if they want to break in and steal OEM hardware, but the simple fact is the best deterrent to someone breaking into your car is to not leave anything to attract thieves. If they don't see something worth grabbing, they won't bother.

    Frankly, the whole way they can get around keyless entry is moot. There's always been tools to bypass locks, and no matter how much they want to restrict who can buy them, the crooks always manage to get them. The most you can do is invest in a top-notch anti-theft system that DOES NOT utilize the OEM security system to activate and deactivate.