Has Toyota improved SKS resistance to relay attacks?

Discussion in 'Prime Technical Discussion' started by chogan2, Feb 22, 2023.

  1. chogan2 (Senior Member; joined Feb 12, 2008; Virginia; vehicle: 2021 Prius Prime, LE)
    A relay attack happens when a thief uses a radio or radios to transmit the car's SKS/keyless entry signal to a distant keyfob, and relays that keyfob's response back to the car. The car then thinks the fob is present. And opens up. And, plausibly, starts, depending on (e.g.) make and model and what, exactly, the thieves are doing.

    This is a known vulnerability of many keyless entry systems and has been discussed on PriusChat before, e.g.
    Repeater hack for keyless entry | PriusChat
    Faraday Bag for Smart Key (SKS) Break-in Protection | PriusChat

    The only advice I've ever seen is to keep your fob in some sort of RF blocker/Faraday cage.

    My question is, has Toyota improved the security of its system for recent models? This appears to have been a well-known issue for earlier versions of the Prius and other Toyota models. I would have assumed they'd have beefed up the system.

    But.

    What prompts my inquiry is that I just watched a YouTube presentation by a guy whose one-year-old Tacoma was stolen, presumably by a relay attack. (There was a twist, in that there was vague mention of "decoding" the signal and programming a new fob based on that. But that's a separate issue).

    Now I'm wondering whether the keyless entry on my wife's 2021 is as vulnerable to this attack as earlier versions were known to be.

    Any Prius gurus here care to offer some enlightenment?

    I'm not hugely worried about this, but I don't want to get in the habit of tossing my keys into an RFID-blocking bag if there's no need for it.

    I'm not even worried enough about it to try turning off the keyless entry. Yet. If I can figure out how to do that and keep it off.

    I was just wondering whether Toyota had worked some magic on the most recent Prius that would guard against this type of attack.


    So, e.g., at random:
    https://www.thetruthaboutcars.com/2016/12/mystery-device-unlocks-starts-50-percent-vehicles/
    https://www.thetruthaboutcars.com/2016/03/group-defeated-keyless-entry-cars-simple-homemade-devices/
    Keyless car theft: What is a relay attack, how can you prevent it, and will your car insurance cover it? | Leasing.com
     
    #1 chogan2, Feb 22, 2023
    Last edited: Feb 22, 2023
  2. Todd Bonzalez (Active Member; joined Apr 3, 2022; Ireland; vehicle: 2004 Prius, Base)
    There seems to be some innovation in remote keys (in the new European Lexus NX anyway). I'd assume it'll trickle down to lesser Toyotas over time. Will it stop relay attacks though? Who knows? My brother's been using a Faraday bag since his Mercedes was hit.

    2023 Lexus NX Updates (Europe) | PriusChat

     
    donbright likes this.
  3. bisco (cookie crumbler; joined May 11, 2005; boston; vehicle: 2012 Prius Plug-in, Plug-in Base)
    I haven’t read that it’s a problem in the last 20 years, I’d worry more about the cat
     
    lbligh and chogan2 like this.
  4. chogan2 (Senior Member; joined Feb 12, 2008; Virginia; vehicle: 2021 Prius Prime, LE)
    Just FYI, it appears that all modern Toyota fobs can be put into "sleep" (non-responsive) mode by holding the lock button and pressing unlock twice. The LED will flash four times. At that point, the fob will no longer respond to anything. Press unlock to bring it back out of sleep mode.

    That works for the fob on my wife's 2021 Prime. Just tested it, and with that, I get no response from the car when the fob is near.

    This is an alternative to (e.g.) tossing your keys into a metal coffee can/RF blocking envelope/Faraday cage when you get home.

    Apparently Ford thinks this is enough of an issue that they built "auto-sleep" into their fobs starting 2021. As I understand it, if the fob is motionless for 40 seconds, it automatically goes to sleep.

    I keep reading about other attacks based on the RFID in the fob, but last I knew, those required being within a couple of inches of the fob to get the data. I don't think that's a practical concern. I hope.

    That said, Toyota was specifically mentioned in this piece in Wired, and not in a good way, for those RFID-based attacks that allow somebody to clone the RFID in the fob:

    Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys | WIRED

    Not trying to be paranoid. Not even really worried about it. But I'm a big believer that markets will exploit all profitable opportunities. And if I can keep the convenience of SKS but cheaply reduce the risk, I guess I'll do that.
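As an added example that is not from anyone in this thread: a small Python model of the relay described in post #1 and of the sleep/auto-sleep mitigation described in this post. The 2 m LF range, the shared key and the fob positions are constructed values; the 40-second auto-sleep threshold is the one quoted above for Ford. The point it makes concrete is that a fresh random challenge plus an HMAC does nothing against a relay, because the relay never needs the key, whereas a sleeping fob simply does not answer.

```python
import hashlib
import hmac
import os

LF_RANGE_M = 2.0   # assumed reach of the car's low-frequency "is the fob here?" signal
AUTO_SLEEP_S = 40  # auto-sleep after 40 s motionless, as described for Ford in the thread

class Fob:
    def __init__(self, key, position_m):
        self.key, self.position_m = key, position_m
        self.asleep, self.still_for = False, 0
    def respond(self, challenge):
        # A sleeping fob answers nothing, whether the signal is relayed or not.
        return None if self.asleep else hmac.new(self.key, challenge, hashlib.sha256).digest()
    def sleep(self):  # manual sleep: hold lock, press unlock twice
        self.asleep = True
    def wake(self):  # pressing unlock brings it back
        self.asleep, self.still_for = False, 0
    def tick(self, seconds, moving):
        """Auto-sleep model: motionless for AUTO_SLEEP_S seconds puts the fob to sleep."""
        self.still_for = 0 if moving else self.still_for + seconds
        if self.still_for >= AUTO_SLEEP_S:
            self.asleep = True

class Car:
    def __init__(self, key, position_m):
        self.key, self.position_m = key, position_m
    def try_unlock(self, channel):
        """Fresh random challenge every attempt; unlock only on a valid HMAC reply."""
        challenge = os.urandom(16)
        reply = channel(self, challenge)
        if reply is None:
            return False
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(reply, expected)

def direct_channel(fob):
    """Ordinary radio path: the fob only hears the car when within LF range."""
    def channel(car, challenge):
        if abs(car.position_m - fob.position_m) > LF_RANGE_M:
            return None
        return fob.respond(challenge)
    return channel

def relayed_channel(fob):
    """Relay: boxes near the car and near the fob forward bytes both ways; it never learns the key."""
    def channel(car, challenge):
        return fob.respond(challenge)
    return channel
```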
     
  5. bisco (cookie crumbler; joined May 11, 2005; boston; vehicle: 2012 Prius Plug-in, Plug-in Base)
    Understood, but people have been posting these worries ever since the article came out, but not much has come to fruition, fortunately.
    Maybe if you’re in a high crime area…
     
  6. Todd Bonzalez (Active Member; joined Apr 3, 2022; Ireland; vehicle: 2004 Prius, Base)
    Maybe not in the US, but it is a recognised problem in Europe. Seems Toyota's aware of it:
    How to minimise the risk of vehicle theft by 'relay attack' | Johnsons Toyota

    https://www.zdnet.com/article/car-theft-ring-used-software-to-steal-hundreds-of-vehicles-without-the-physical-key-fob-say-police/

    If your risk model doesn't involve owning or driving a car in Europe you're probably fine :LOL:
     
  7. chogan2 (Senior Member; joined Feb 12, 2008; Virginia; vehicle: 2021 Prius Prime, LE)
    Prius never makes any of the top-15 most-stolen-car lists. So I get that this can't be a big problem.

    And yeah, I'm more likely to have the catalytic converter stolen.

    But I'm beginning to believe that's mainly because the Prius isn't a desirable car to steal. Unless Toyota fixed something in these more recent models, it's an inherently weak system.

    In parts of Canada, there's been an uptick in thefts of Tacomas and Lexus sedans, but so far, that seems to be blamed on being able to clone a key if you have access to the car. I can't even imagine how that could work.

    Anyway, not trying to scare-monger, just trying to get a handle on how secure or insecure these electronic controls are. I used to believe the Toyota immobilizer system made the car theft-proof, short of dragging it onto a flatbed. I'm not so sure any more.
     
  8. Leadfoot J. McCoalroller (Senior Member; joined May 12, 2018; Pennsylvania; vehicle: 2018 Prius c, Two)
    I wonder if they could do a remote or something, just to make it easier to sleep and wake your fob.

    This was a sarcastic response. It just strikes me as pants-on-head stupid that they are back to requiring about as many actions to lock the keyfob as it took to manually lock a 1970s car.
     
  9. chogan2 (Senior Member; joined Feb 12, 2008; Virginia; vehicle: 2021 Prius Prime, LE)
    Sure, I could just take the battery out, if I'm that worried. But I think Ford has it right with auto-sleep, which I think eliminates much of the risk with no user action. "Battery saver mode" for Toyota is clearly a work-around.

    Separately, I did not realize that, on Amazon, you can get a new-fob programmer that will work even if all existing keys are lost. At least that's what the manufacturer claims. In which case, it's not much of a mystery how somebody could clone a new fob for a car:

    Amazon.com: Customer Questions & Answers

    [attached screenshot: upload_2023-2-23_12-14-45.png]

    OK, I have to stop looking at this. Now I really am getting paranoid. Maybe I'm misreading that, but it seems to say that anybody can create a functioning key, without an existing key, for any model that this device will work on? That can't possibly be correct. But that's the plain reading.

    Yeah, I need to stop digging now.
     
    #9 chogan2, Feb 23, 2023
    Last edited: Feb 23, 2023
  10. Doug McC (Senior Member; joined Feb 15, 2022; Midwest; vehicle: 2022 Prius, XLE)
    Another advantage (howbeit perhaps small) to putting the fob to sleep is slightly less drain on the battery. Additionally, with Toyota Safety Connect, if the Prius is stolen, Toyota can locate it (perhaps that is why thieves aren’t too quick to grab the Prius).
    I have an additional layer of security where I live: It is called “Lilly Moon”, aka White German Shepherd that is very protective of us and the house, and will give a quiet “woof” if she senses danger. Quietly opening the door and the poor fool holding a box against the house better be able to hit 35 mph in less than a second or ….
     
    chogan2 likes this.
  11. chogan2 (Senior Member; joined Feb 12, 2008; Virginia; vehicle: 2021 Prius Prime, LE)
    Whoa, mind blown. Thank you for that post, I did not realize that Toyota Safety Connect provides a stolen car locator service.

    I've always turned down any such subscription as a knee-jerk reflex.

    But now, it kind of looks as if you can get LoJack-like coverage, for $8 a month? Staffed 24/7? I never knew.

    I understand there are technical limits on any of that, which is why the pro thieves like to get a car into a metal shipping container ASAP. But still, assuming it can't be disabled by the thief, that's a significant chunk of peace of mind for $100 a year.

    I will definitely look into that further.

    Right now, I pay my own health insurance, homeowner's, car, general liability policy, and probably a couple others that I've forgotten. Every month, I hemorrhage insurance premiums. All the while praying that I never end up using the insurance. In that context, assuming I got the price right, another $8/month for theft locator coverage seems like a pretty good deal.

    Edit: Looked into the details (e.g., https://support.toyota.com/s/article/What-do-I-do-if-my-ve-10017?language=en_US)

    You have to file a police report first, give them the case number. If the 12V battery is disconnected, they can't find the car. Within those limitations, as long as the car can connect to a cell tower, it can report its location. I do not think it reports location continuously, so they would not see a history (e.g., prior to 12V disconnect), just current location if the 12V is alive and it can connect to a cell tower.
     
    #11 chogan2, Feb 23, 2023
    Last edited: Feb 23, 2023
  12. Leadfoot J. McCoalroller (Senior Member; joined May 12, 2018; Pennsylvania; vehicle: 2018 Prius c, Two)
    I suppose you could always hide an airtag (or the google equivalent) in the car somewhere. I don't think those have extra subscription charges.

    That would break the technical dependency on the car's 12v power and eliminate the need for the police report.

    If it were me, I think I'd hide a tag. Then if the car gets stolen, I'd go activate the Toyota service. You have to figure they're tracking the car full time anyway, the subscription is just so you have a relationship basis for requesting reports.
     
    chogan2 likes this.
  13. Doug McC (Senior Member; joined Feb 15, 2022; Midwest; vehicle: 2022 Prius, XLE)
    If the only advantage to the connect service was theft protection/recovery then I would agree that the tag would make more sense. However, it also includes roadside assistance, and emergency services if in an accident. On my XLE it is $8/ month or $80/ year, which is cheap for all you get.
     
  14. chogan2 (Senior Member; joined Feb 12, 2008; Virginia; vehicle: 2021 Prius Prime, LE)
    I'm looking into putting in a tracker, but it's my wife's car, so I have to tread lightly and get permission.

    FWIW, let me write out what I think I learned about such devices.

    For finding objects at a distance, there seem to be exactly two kinds of options. First, there are trackers that use the phone network, and so have some sort of monthly charge embedded in the cost, one way or the other. Second, there are trackers that use some sort of mesh network across devices, typically via some Bluetooth variant. Like an Apple Airtag. No monthly charge.

    Toyota's system uses the phone network, and depends on the 12V. No 12V, no location. Other phone-based trackers run anything from same deal (no 12V, no signal), to backup battery good for a few days, to independent battery good for months to years. There are several good options to choose from, all around the $100-$200 a year price point.

    There are two problems with the mesh-network-based trackers.

    First, each brand of device only talks to that brand. And even "long range" Bluetooth doesn't travel very far. This gives Apple a huge advantage over the others, owing to the roughly 100M iPhones in use in the U.S. (And I'm pretty sure that Apple uses your phone for this whether you like it or not.) The chances that an Airtag ends up within long-range Bluetooth range of an iPhone are far higher than the chances that a Tile ends up within range of another Tile that is within range of a phone that is connecting to that Tile.

    Second, Apple built some anti-stalking features into the Airtag. If you are separated from your Airtag for a long enough period, it'll start to beep. Plausibly, superglue in the right spot could silence that. But there's some way for individuals near a "lost" Airtag to know that they've had an Airtag planted on them. Apple always allows you to deactivate somebody else's Airtag that is lingering in the neighborhood of your phone. The upshot is that they'll only work with thieves that aren't tech-savvy enough to know that.

    That said, the news is full of cases where people found their stolen cars using an Airtag. So it works, at least sometimes.

    I bought my daughter a couple of Airtags to play with, this past Christmas. (She's the only Apple user in the family.) They are some impressive tech, for locating nearby objects. They accurately show the distance, direction, and velocity of the local Airtag.

    I may yet have my Apple-loving daughter set one up for my wife's car. If it gets stolen, I could just call her up and ask her if she can find it. For $25, it seems like cheap insurance. Gotta get my wife on board first.