Assignment 5: Cars and Key Fobs (2021)
web.stanford.edu234 points by Pikamander2 15 days ago
234 points by Pikamander2 15 days ago
BMW has a page describing the use of UWB (Ultra Wide Bandwidth) radio in key fobs and how it helps against relay attacks. In short it's because the wide bandwidth allows for very short pulses which lets them measure the distance between the car and the key, and using a relay will inevitably add distance and therefore time between the signal is sent and the reply is received.
https://www.bmw.com/en/innovation/bmw-digital-key-plus-ultra...
I believe this was ratified into a standard so it should show up in more new cars. https://carconnectivity.org/car-connectivity-consortium-publ...
The core problem is that older systems never proved distance in any rigorous sense, they only proved connectivity/liveness. Pretending that you're closer than you are is sometimes called in research "the mafia fraud attack".
For the time being, I just store my keys in a little cast iron dutch oven, sitting on top of the fridge.
It's extremely effective as a shield for the 125kHz LF wake-up signal, and I've been unable to elicit a response when they're in there, even with a relay setup that reliably wakes them up from several feet away otherwise.
I just don't understand why manufacturers don't follow Volvo on this - their keyless keys just go to sleep if they aren't moved for a few seconds, and they won't respond to any signal while sitting on a table for example.
That solves part of the problem, but doesn't help when you're in a supermarket or any other event where you're moving around.
My previous cars had keys that I could manually switch off and on, which is also not a full solution because it only works for people who take the effort to always do that, but at least it gives people to opportunity to complete prevent relay attacks.
All in all I'm not a big fan of key-less entry. Having to press a button on a key to gain entry can maybe be a bit of an annoyance, but in my opinion it's not a big deal compared to the advantage of completely preventing relay attacks.
My previous car(a Mercedes) had a very very simple solution to this - you clicked on the lock button twice and it just disabled the keyless entry entirely until you pressed any other button.
>>the advantage of completely preventing relay attacks.
From my understanding ToF sensors are good enough now to completely prevent relay attacks, the added time for the relay just adds too much of a delay and it gets rejected. I believe the newest range rovers use that, they went from being extremely susceptible to relay attacks to relay attacks against them being impossible.
I think the Toyota has it too. Press and hold lock and click unlock twice on the FOB. This disables the signalling that enables a lot of 'quick actions' - like double tapping the door latch to open it.
that's a nice solution too but re: mercedes it requires the user to actively use that feature which I suspect most won't remember to do
For anyone interested, with all keyless entry Subarus in the US it’s easy to put the fob to sleep.
If you’re car camping and doing a lot of stuff around your car and opening the doors a bunch for a couple hours, you probably want to put your fob to sleep. Found out the hard way, but my battery was also a bit iffy to start with that year.
maybe so, but this would seemingly solve most of the problem with easy to implement tech
the real test is to find out if this effectively eliminated all fob hacks for volvo since they may not be faster than the tiger, they just need to be faster than everyone else...
Related: I've found that replacing/programming Volvo keys is extraordinarily expensive and I've yet to find a third-party locksmith who will touch them. (The latter applies to both fobs and a basic key.)
Yep - which is why I always add key insurance to my car insurance, it's a very cheap add on annually but saves a lot of money if you need a new key.
Wow. I had no idea this was an option. It kind of breaks my brain a bit because, based on the majority of my experience with car ownership (91, 98 and 2K models), it's an absurd notion.
Likewise, I wish my phone had a setting to mute Amber Alerts while the phone's been motionless for a long time. It's sleeping, I'm sleeping, blasting me with an emergency tone at 4:45am is not going to help anyone. But yes if I'm actually out and about, by all means, I'd be happy to help, I don't want to turn them off entirely.
Such common sense, yet so uncommon.
I've heard BMW does it too. Hoping that it's true and I can preserve battery by just keeping my key on the table, since it burns through a charge.
Unrelatedly, I didn't realize "Dutch oven" had a non-fart-related meaning, thanks for the new word.
I learn something new here every day.
- I ain’t cut out to be Jessie James -You don’t go writing hot checks down in Mississippi - Dutch oven has a non fart meaning
My father used to be a prosecutor in MS, and one of my earliest going-to-work-with-dad memories is watching him sign off on warrants for people writing hot checks. I asked him once if he thought that was a bit heavy-handed and he gave me a very stern lecture about people who write hot checks.
So yeah, don't do that in Mississippi.
My mother told me I would end up in massive unrecoverable debt if I didn’t keep my check book balanced, and if I kept it up for too long I would be arrested for fraud. She was from MS, so that tracks.
My prev comment was just quoting Johnny Cash. Had I thought about it, I probably would have assumed that “writing hot checks” was in the song because it’s sort of an amateur crime that landed him in the prison where he learned his lessons. Of course it has to be Mississippi for the chain gang reference.
Funnily enough, I think that's the first time I heard that Dutch oven has another meaning, beyond the cooking apparatus.
haha, I think the fart connotation is just that you're trapped with the lid (blanket) on.
I purchased some cheap key fob faraday bags on Amazon.
The bags work while I'm in the car.
You know those Danish butter cookie tins that everyone's mom uses for sewing supplies? They also make good Faraday cages.
Not in my experience. Did a lot of Bluetooth testing in a former role, and those were the first thing we tried and the first thing we gave up.
ESD-shielded multilayer metalised polybag? Fold shut, keep until crinkled or until it has any holes?
Your microwave oven also makes a good Faraday cage.
That's an expensive mistake waiting to happen.
Why would you ever turn on your microwave without opening it to put something in it? It's not like an oven that has to preheat.
Mistakes when setting a timer.
My current microwave will complain if the door hasn't been opened recently, but my old one would just turn on if I fucked up the time entry and tried to set a timer while I already had a timer going...
Boredom
That’s an expensive way to be bored!
Some men just want to watch the world burn, others are content watching the turntable turn...
I have a 2021 Toyota that I lost one of two key fobs. Toyota has a strict policy that only Toyota dealerships can program key fobs for their newer cars, so buying a key fob replacement from a 3rd party was not an option. Total out of pocket expense for getting new key fob, programming that key fob to the car, and making sure the other fob still worked; cost about $550. I feel that is an absurd amount of money to spend because of a lost fob. I appreciate people looking into and exposing weaknesses of car fobs because it might expose ways to circumvent the monopolistic costs associated with replacements. Wish there was a way to retrofit my car to use Ultra Wide Bandwidth as a key.
Essentially all manufacturers have that policy, because key replacement is a profit center for dealerships. Independent auto locksmiths depend on third-party programming tools and keys by companies like Autel and Xhorse. There's a constant game of cat-and-mouse, with manufacturers developing new immobilizer systems and the third-party companies reverse-engineering those systems. An auto locksmith with the right equipment should be able to copy a key, remote or keyless fob for any current US Toyota model.
Two locks smiths told me that only the dealership can program a fob for a 2021 Toyota Sienna.
Used to be, you could get a seedy OBD cable off Amazon and it came with instructions on how to "acquire" the dealer software, which let you reprogram the car to accept any fob. Not sure if things have changed in the last 5 years.
Improvements in key tech just hurt me.
As long as they aren’t trivially exploitable like the Hyundai keys, more expensive keys are my problem. Stolen cars are my insurance company’s problem.
All other things equal, the easier it is to steal your car, the higher your insurance premium will be.
Agreed, but it’s a risk/return decision. In my city, car theft is like 80% less than it was 20 years ago. 60% of stolen cars are running in the driveway (warming up in the winter), and 20% of the cars in the peak year a few years ago were Hyundai/Kia with the egregiously bad locks.
Good enough to stop crackheads is my desire in this space. Doubling the cost of a $400 key to reduce my chances of a loss by 3% is a hard no.
Vulnerabilities like this lead to car thefts. Some models of cars are more susceptible than others, and the manufacturers seem unwilling to fix the problem. The insurance companies know which models are more trouble for them, and so they set higher rates for these, which punishes the driver/owner for something outside of their control.
My solution? Require the manufacturers of vulnerable models to pay the insurance on behalf of the driver/owner as long as the vulnerabilities go unfixed.
part of what helps is, at least, before buying a car, to get insurance quotes and then you see the true cost of THAT car
Consumer Reports will also inform you of things like this in advance, if you look. (For this and 100 other reasons, It's worth paying for a digital sub.)
Consumer Reports reporting is bought and paid for by the OEMs. They'll make a big issue out of nothing or minimize real issues depending on where the money is coming from. This goes back at least as far as the Samurai rollover scandal.
Pretty much all industry journalism where the journalists depend on being in the good graces of the manufacturers to get the access they need to make their content is like this.
Consumer Reports buys all the items they review, anonymously.
That doesn't stop them from doing questionable stuff and playing favorites. All this was aired publicly in the lawsuit Suzuki filed.
Yes, many people make many claims. You should think about which ones to believe.
i don't know how you can say they play favorites. internal memos show that suzuki knew that they had a rollover issue because of the narrow wheelbase and CR called them out on it through testing.
The vehicle proved to be equal or less rollover prone than the competition (especially the Bronco II which IIRC holds the record for the most rolled over vehicle) in actual service and per the stats compiled over the years by the NHTSA
So it really kind of begs the question what axe CR was grinding. In the lawsuit it came out that one of the writers managed to put it on two wheels incidentally not part of the tests and that they monkeyed with the tests they were running to try and replicate that.
Is that total rollovers or rollovers per mile? Because there were a hell of lot more Broncos on the road than Suzuki ever sold across their entire lineup.
We're talking about the Bronco 2 here, not the normal Bronco. Rollovers compared to production numbers. Someone crunched the numbers and IIRC it comes out to 20-something percent of Bronco 2s were rolled. I can't find those numbers but I did find that the fatality rate almost doubles the Samarui.
https://www.motortrend.com/features/ford-bronco-ii-history-e...
And I found this hilarious gem:
https://www.broncocorral.com/articles/ford-bronco-ii-rollove...
I don't think anyone would expect to do a 30mph J turn in anything except the most car-like of modern SUVs and expect to maintain upright. Perhaps getting away with that sort of stuff is a reflection of the kind of tires they had at the time.
This is quite literally the opposite of true. Consumer Reports remains the shining exception to this practice, unlike Wirecutter, etc.
My friends Truck was stolen by some people with a tow truck. Key access doesn't really matter in the long run.
If you want to prevent theft, you have to make stealing "expensive" enough for people not to bother with it.
Which is harder for the average thief to acquire, a bluetooth "kit" off a shady website or a friggin' tow truck?
There are phone thieves in San Francisco/Oakland literally driving Audis and BMWs. Trucks bring in a lot of value. A tow truck is also inconspicuous looking, people can think its a repo truck or towing someone parked illegally.
A (new enough) tow truck screams "I have an ongoing business relationship with people who have badges, guns and letters of marque that give them permission to ruin and/or end your life at their discretion" which is really why none of the people who would perhaps bother a common thief or stick their nose in anything out of the ordinary will get near a tow truck.
You could roll up to a parking lot with active security and snatch something with a tow truck and they won't bother you most of the time whereas if you rolled up to engage in swapping a battery or some other legitimate repair they'd probably at least come over and ask what you're up to.
Do people not look at the operating costs before buying a vehicle? Do they really just negotiate a monthly payment and get surprised at the amount they have to pay for fuel/maintenance/insurance?
When I bought my most recent car I had a spreadsheet which projected fuel (whether that's gas, electricity, or gas+electricity) and maintenance costs (there was some ball-parking here) for a dozen different models based on our driving habits. Once the list was narrowed down a bit I did some online quotes at my insurance company to add that in.
There were no financial surprises when I bought the car.
This is unnecessarily self-congratulating. The problem is that vulnerabilities are found in cars after they are on the market for a while and already purchased, so existing owners get their rates hiked, but the manufacturer never fixes the issue. No amount of research is going to guarantee your operating cost next year.
> When I bought my most recent car I had a spreadsheet
Yeah so already different from like 90% of car buyers out there.
BTW, car keys (physical keys) are notoriously weak, generally susceptible to simple raking attacks. You can learn how to rake a lock in a few minutes, and the rake+tensioner itself costs around $5. And all cars include a physical key as a backup entry method. This was partially solved by adding another device that cuts off the engine, the immobilizer, which still allows the attacker to get in, but not to drive off.
> And all cars include a physical key as a backup entry method.
Which means you are safer with just keys rather than keys plus another way to open the doors.
> This was partially solved by adding another device that cuts off the engine, the immobilizer
If they key does not need to be physically inserted to start the engine (which is true in many cars) then that is liable to attack using the remotes too, right?
The thing is if you have time to rake a car lock, you can also just break the window if you're going to rob the interior.
The key fob attack is superior since no one looks twice if you walk up to a car, it unlocks from a hand held device and then you get in and drive off.
With practice raking doesn't take that much time and "usually" comes with the benefit of not tripping the alarm that the door was opened (because the car "thinks" the door has just been unlocked with a key).
<EDIT> Seems HN has different experiences with their cars then my own, So I'll concede the idea that the alarm doesn't trip when using the key. It seems the cars I've had in the past are the exception to the rule. </EDIT>
The thing is, in the real world, no one really looks twice when someone gets into a car unless they are using obvious brute force to get into the car.
Not true for most alarm systems. If the car is locked, then any opening without the key fob unlock button will trigger the alarm in my experience.
My 2001 seqouia's battery recently died. I unlocked the car with the key and when I hooked up the jumper cables the alarm went off until I turned the ignition to on. I was surprised it was that good
I had a non electronic key cut for my Jeep so I could zip tie it under the frame for emergency use. It will not start the engine, but does open the door locks. When I open the doors with it, the alarm goes off.
I think that mechanical key behaviour depends on the car. I'm pretty sure my BMW sets off the alarm if I use the mechanical backup key, but it turns off when I put the key in the ignition slot.
Yeah, I think it is car dependant. But the car I use (gave up my own car, but the family has a shared "work horse" car we are all insured on.) is a 10 year old UK Ford fiesta and that car doesn't trip the alarm if the door is unlocked with the key, and its not the transponder in the key, cause one of the keys to that car doesn't have a transponder and the keys get mixed up from time to time (So you only know you have picked up the wrong key only when you insert the key into the ignition and the immobilizer light is a solid red light - 3 keys, one with a fob, 2 without a fob, one of which has a failed transponder chip in it, these two keys look the same and not one of us has been arsed enough to take both keys to the car, figure out which doesn't work and label it :-P).
(One day, when I can be arsed, I'll rekey the car and reprogram it with fresh transponders, but today is not that day!)
Put a piece of tape or some paint on the handle part of the no-transponder key so you don't mix it up any more. Less effort than the "full-arse" solution.
We keep saying we are going to do something like that, but we keep forgetting because we normally in "Go do task" mode when we grab the keys. Its not too much of an issue because we will normally grab the fob key, it only becomes and issue when one of us forget to put the fob key back when being done with the car.
But "reprogramming" a key (more like adding a key) on that model of ford just involves doing a dance with the fob key then inserting the key with the new transponder. So we plan to get all keys working on the car at some point. I was just going to order a new chip but my bother was complaining about the key barrel being a bit loose on him so just doing to replace everything at some point. Its just more about not being lazy about it :-P
Thing is, its what we call "the work horse" car of the family, it gets used about once a week to do tasks no one wants to do in their own cars (or when I need to do something in a car), so its not really a high priority thing to fix, but if we are going fix it might as well do it "right")
It is superior, but a lot more difficult to pull off. And what if raking takes just 5-15 seconds? Because that's how fast it often is.
And in either case you still need to deal with the immobilizer, and turn the core of the ignition lock. Unless your radio device is that comprehensive :)
Presuming its a modern car (and if we are talking about keyless entry/start we are), well then you just plug an "Emergency Start Device" into the OBD port or to the BCM module, and drive away. Heck a lot of these "Emergency Start Devices" can also unlock the car, but often involve pulling panels/lights from the car to get to the can bus to run the attack.
So that attack when done on its own is mainly left to stealing cars off drives at night rather than say from a supermarkets car park during the day.
Push-to-start eliminates the need to turn a physical lock. They drop to zero security once their RF is broken.
Funfact: in the past Ford and Volkswagen had only a number of different variations for the coding of the physical keys. So that you could open and start several cars with the very same physical key.
I assume that this was also true for other brands.
Many fleet vehicles are still this way. The 1284x key, for example, can open a surprising number of things including many older police vehicles.
A few hundred dollars more on Amazon will net you a magic keyring that can open a surprising number of vehicles, buildings, control systems, and vending machines.
If you're into that sort of thing check out Deviant Ollam's physical pentesting videos on Youtube.
> magic keyring
Are you talking about the "1284x FEO-K1 16120 222343 CH751 CH501 C346A C390A E114 " set?
That's a good start. To do better you'll need to do some reading or watch a ton of youtube videos to identify the keys that will get you the most bang for the buck.
I think mine has something like 20 keys on it now, and it will open a truly surprising number of things that it shouldn't.
This happened to me! Friend had a similar car and at night they went to mine and the door unlocked but the car wouldn't start. The door only had a few pins it checked while the ignition used every pin. We compared our keys and sure enough one part of it was the same.
OBS Ford F-150s do this and it's not common knowledge even among enthusiasts. The back 4 pins work the door, the front 6 or so pins work the ignition. A common problem is that the ignition barrel keyswitch dies and you have to replace it, but then you have separate keys for the door and ignition. I took the new ignition key to a locksmith and had him copy the 4 back pins from the factory key, and I was back to a single key!
I had a similar experience once when I drove a Prius. Walked out of the grocery store, hit the unlock button, got into my car, then wondered why the seat was too far forward - before realizing it was not my Prius.
My mom amd my friends mom both drove toyotas, completely different models and many years apart. By coincidence the key for my friends moms car worked for my moms, for unlock and start, but, my moms could only unlock the other one.
Fun fact: the same applies to common household locks. If you take your household key and try all the same-brand locks in your neighborhood (~50) you'll likely find a match. Don't actually do this, your neighbors will think you're causing trouble.
In the 1970s, I unlocked the door on what I took to be the family VW Rabbit and got behind the wheel. It turned out that the ignition lock was fussier than the door lock, and I discovered my mistake without driving away.
Same thing happened to my Dad when he took us to Disneyland in the 80s. About the time the rental car agency was sending out the spare set of keys, he noticed the items in the backseat weren't ours.
I have a Honda from the late 90s which behaves in a similar way and whose ignition is also fussy but only to a point. With enough wiggling, a key from a different model from ~10 years prior will also start it.
The two times I had a car break-in, it was purely physical. Once it was smashed glass, and the other someone pried open my door with a crowbar.
The current gold standard for vehicle theft protection is:
IGLA system to block the CAN bus, LIN bus, and ODBII port. It also protects against key fob cloning/relay attacks.
+
A hidden physical kill switch that cuts off the fuel pump relay (the company 41.22 makes a drop in that doesn't require wire splicing).
+
A hidden GPS tracker with an onboard backup battery in the event the car battery is disconnected.
None of this stops someone with a flatbed from simply towing your vehicle away, but at least the GPS tracker will give you a window to locate them.
If I have a towing tool for your car, be sure I have a Faraday cage too to block all your GPS trackers while I dismantle the car. Think big truck that is isolated from both sound and electromagnetism and I simply hack at your car with my wrenches, selling your expensive Tesla for parts.
That's an issue once the tow truck gets where it's going, but the GPS tracker will record/broadcast the path there.
GPS jammers are less than $30 on Alibaba, truck drivers have been using them for over 10 years [1] to defeat their bosses tracking devices.
Multi-Band Jammers are $1000, burglary rings are using those to block all Wi-Fi, cell, GPS signals - check out this arrest report from last week in Pennsylvania [2]. If I was a high-end car thief, like in Gone in 60 Seconds, that's what I would use.
[1] https://www.theregister.com/2013/08/12/feds_arrest_rogue_tru...
[2] https://dauphin.crimewatchpa.com/lowerpaxtonpd/3730/cases/or...
That's a professional car thief starter pack right there. I wonder what the Windex and shaving cream are for.
It doesn't take much to jam GPS, I'd imagine a small handheld device could easily do it. The GPS signal is already below the noise floor.
I think you missed the point. The Faraday cage is built inside the truck's cargo, and I put the car inside the Faraday cage directly. I also dismantle the car while the truck is moving so when I reach the chop-shop the GPS and all the car's guts are ready for sale.
I have a physical key which I physically put in a hole in the steering column. This means I know exactly where it is when I come to parking the car, and you need to physically have it in contact to drive the car away.
I don't get the appeal of keyless ignition.
People with bulky keychains often just throw them in their bag or purse and it can be annoying to fish them out.
I personally put a very high value on having a minimal keychain and wallet since I rarely carry a bag with me. The goal is to someday live in a state with Apple Wallet drivers’ license support, in a house with NFC smart locks, driving a car with Apple Car Key, at which point I could finally completely jettison my keys and my MagSafe wallet. I don’t want to carry physical keys when I’m already constantly carrying a device with a Secure Enclave and biometrics.
A beautiful aspiration, until you lose or break your phone...
People lose wallets. People lose car keys.
My PaaK car has a backup passphrase to start it. I can be used in a pinch if my phone isn't working. I can't say the same if I lose my car key.
If I go on a long trip I'm likely to bring multiple car keys and multiple payment methods. This is still true if I'm doing PaaK.
They do, and obviously it's a huge headache. But now we can imagine a bright future where you can lose both, and your normal way to try and get help, all at once!
> But now we can imagine a bright future where you can lose both, and your normal way to try and get help, all at once!
Still a possibility with cut keys, paper currency, and dumb cell phones. Ever have all of those things in a bag and have that bag stolen?
At least with the PaaK car I have, there's a backup passphrase as well.
As I mentioned elsewhere, I'll trade the slightly worse day maybe once a decade+ (or quite possibly never!) for the convenience every single other day. If I'm smashing my phone every few days I'll probably rethink that strategy. But I'll probably want to change whatever is causing me to smash my phone every few days.
And people don't lose phones?
> My PaaK car has a backup passphrase to start it
Cars that need a physical cut key to go into a cylinder don't usually have backup passphrases.
No, but you can ziptie spares of said keys to an inconspicuous location on the vehicle -- just the valet key or the door key, depending on your tolerance for risk and whether or not the car came with them. (Credit to DeviantOllam for the idea.)
Or if you don't tend to bring your phone with you to do a bunch of errands. If all my locks were tied to my phone, I'd have to fish it out of the drawer whenever I go anywhere. OP said he "constantly" carries his phone with him, so maybe not a problem for him. Am I the only person in the world who leaves the phone at home if I'm not planning to use it?
> Am I the only person in the world who leaves the phone at home if I'm not planning to use it?
But I would use it, even on a trip to get groceries. I'd use it as the source of the media I listen to in the car, so my audiobook starts playing wirelessly when I get in. My phone has the shopping list on it shared between my wife and I, so we always have it if either one of us decide to make a quick stop.
I am also one of those guys don't always carry my phone around. That's why I load my keys and credit cards on Apple Watch, turned off most of the notifications on it, and only allow calls and text messages from wife.
Unlike my car keys or wallet, my phone can be located anywhere in the world from another device.
Not sure why you're being downvoted, I'm exactly the same. House locks are already electronic/automated, haven't carried a physical house key in year. Cars use fobs, for newer vehicles there is no option for physical keys anyway. When I leave the house I take my phone, plus the solo fob for whatever vehicle I am driving. I have no desire to have a ring of multiple physical keys and fobs with me.
Because it's a wild rube goldberg solution to a minor inconvenience.
What is Rube Goldberg about storing passkeys on a phone? Would you not call a physical lock system based on notches cut into metal a Rube Goldberg machine?
I had a car that unlocked as soon as you walked near with the fob. I hated this feature, because you were never sure if the car (with your expensive laptop in the boot/trunk) was actually locked. I ended up giving the key to a family member and getting them to walk a distance away, so I could try the door handle and check it was actually locked.
My family have both a Chrysler and a Subaru that try to do this, but they can't always keep up. (Sometimes I walk too fast and pull on the handle before it unlocks the door.)
More modern cars will auto-fold the mirrors when locked, so you have a visual indication from far away whether or not it’s locked.
This is as easy to break and and susceptible to theft as keyless, so what's the benefit?
Trying to dig your keys out of your pockets when it's extremely cold and having mittens on is not fun. Double the fun if it's night time, because the sun sets at 4:30 on those kinds of days.
Also it not being possible to lock yourself out of your car is neat.
It's not a must have but it's really nice.
Source: Canada
> you need to physically have it in contact to drive the car away.
No you don't. Remember when Kia Boyz trended on TikTok, where cars with physical keys were so easy to steal that people were doing it just for clout, but ones with fancier keyless ignitions were safe?
My phone has a card, opens my car and my garage door. Haven’t had a trouble for years. Saved me hours from looking for each of those items separately.
I’m honestly very surprised that you don’t see the appeal. Are there other things people view as conveniences that you don’t see the appeal of? E.g., keyless entry or remote lock?
Do they really, though? I don't know anyone who raves about how much more convenient button start is, they either dislike/distrust it or don't really care either way.
I love the entry on my '14 Jeep.
Walk up, put your hand in the handle, and it unlocks. Get in, press the button, and it starts. This is a fabulous "happy path" that is seamless.
Nothing happens without an actual action, but the actions are natural and organic to the task. The sensor is inside the door handle, combined with the key fob, and it just opens when you slide your hand into. It's a, truly, marvelous experience.
My keys stay in my pocket. Since I open the door for my wife anyway, it just works. (She can open the door, I just have to be close.)
Similarly, when we open the rear lift gate, it just opens. This also unlocks the rest of the vehicle (in contrast to if I push the gate open button on the fob, only the rear gate is open, not the rest -- which I find odd).
When leaving, I press a lock button on the handle to lock the car.
It's a great compromise, and works really well.
I absolutely rave about it. Every time I get a rental car that needs a cut key in an ignition cylinder it's a massive pain. I wouldn't buy a car that doesn't have push button ignition and would prefer for all cars I buy going forward to have phone as a key as an option.
For my personal cars I either use phone as a key or I'll keep the key fob in my bag. So I just walk up to the car, the car either auto unlocks or I press the button on the door, I get in, I press the button, and I go. When I'm done I just grab my bag and walk away and the car will auto-lock or I just press the door button. So smooth, I never need to really handle the key at all. It just stays in its specific pocket in my bag or it's just my phone in my pocket.
With a cut key, I walk up to the car. I need to fish around in my bag to grab the key. I then need to stick the key in the door and turn it, using care to not scratch the paint. I get in the car, need to insert the key, turn it and hold it long enough for it to start. When I'm done driving, I take the key out, grab my bag, and get out of the car. I then need to once again insert my key into the door once again being careful to not scratch anything, turn it to lock. Then I need to put the key away again.
And then phone as a key is incredibly nice, definitely my preferred way. I can easily leave the house for most errands with nothing but my phone on me. It's my car key, my payment method, my transit pass, my paperback novel, my portable music player, my camera, my maps, my communicator, all in one tiny package. Incredibly freeing compared to having to carry a bunch of junk in my pockets just to get groceries or whatever.
>With a cut key, I walk up to the car. I need to fish around in my bag to grab the key. I then need to stick the key in the door and turn it, using care to not scratch the paint. I get in the car, need to insert the key, turn it and hold it long enough for it to start. When I'm done driving, I take the key out, grab my bag, and get out of the car. I then need to once again insert my key into the door once again being careful to not scratch anything, turn it to lock. Then I need to put the key away again.
I'll be honest, this reads like a drastic overcomplication of a very simple transaction. Why can't you just put them in your pocket? Are you walking around like a frontier town sheriff with cylinder lock keys on an antique keyring?
> Why can't you just put them in your pocket?
Modern car keys, even cut ones, are often giant behemoths of keys. They need transponders for the immobilizer. They choose to integrate the remote into it, and either way I'd probably still have the remote on the same keychain. They're annoying and uncomfortable to have in my pocket. If I have a choice to not have to have an expensive big giant chunk of plastic in my pocket every moment I'm out of my house or choose to have that giant expensive chunk of plastic in my pocket every moment, which do you think I'd rather choose?
And then if I have to actually take it out of my pocket and stick it into things? Even more annoying when there's the option of just not having to do that. Why would I prefer to have to take this annoying chunk of plastic out of my pocket every time I want to get into and start my car?
Imagine if every time you wanted to open your fridge you had to fish out a key from your pocket, put it in a cylinder, and turn it. Imagine if every time you wanted to flush out your toilet you had to do a couple of extra steps just because. To turn on the sink, you have to do this extra little pattern before you just lift the handle! Sounds great, why not add a bunch of extra little steps to everything in your life when you don't have to.
Its like I'm talking to the people in the cave. You don't even see how nice it is to just not have to carry the car key because its been just so ingrained into your life, that you accept it as something normal and expected. Who wouldn't want to carry around a $200 chunk of plastic half the size of a baseball in their pocket everywhere they go that does nothing but unlock and start their car?!
Its freeing to not have to carry a ton of junk with you everywhere you go.
>You don't even see how nice it is to just not have to carry the car key because its been just so ingrained into your life, that you accept it as something normal and expected.
Possibly, but alternatively, you've rationalized that a litany of features that proffer negligible improvements to the experience of driving a car and entrench car dependency are in fact worth having what you regard as cartoonishly oversized keys* that can give malicious actors faster access to a $50000 vehicle.
* I've very recently had about 5 different ones in my pockets on extended test drives and only the CX-5 I think fits this rubric, but meh
Yes, because car theft was unheard of before wireless key fobs. Seriously? Are you not familiar with the Kia Boys? Having wireless transponders has massively reduced the rates of theft over the days of cut keys. And if it's all going to be relying on the security of a wireless handshake anyways, there's little point in having the tumbler that can be trivially raked. Or just overpowered and turned anyways.
And hilarious you're tying the idea of people having pushbutton ignitions to continuing car dependency. Yes, if only we still required cut keys on cars, we would have eliminated car dependency in the US! Tons of people were thinking "maybe cars aren't all they're cracked up to be..." but then they saw "ooh, push button ignition! Nevermind, defund public transit!"
I'm very pro public transit. I ride it, I vote for it, I write to my congress critters about it, I champion it to my friends and strangers all the time. I want to see it succeed. But guess what...I have my transit pass on my phone as well! Eee gads!
Once again, it all boils down to why would I choose to do the more annoying process when I don't have to? The cut key isn't really providing any extra security (once again, see Kia Boys). Would you choose to have to insert a key and turn it to open your fridge? Why would I want to have to do that instead of just pressing a button on my car? Personally, even pressing the button is a bit overkill, but I guess I'm a little old fashioned. In the end I do still prefer thinking about the car is either "on" or "off", as in is the drive train ready to operate or not.
I do not get the appeal either. You have to put something in your pocket and take it out occasionally.
> And then phone as a key is incredibly nice, definitely my preferred way.
Your phone becomes a point of failure for one more thing.
> Incredibly freeing compared to having to carry a bunch of junk in my pockets just to get groceries or whatever.
All I put in my pocket to buy groceries are keys and a wallet.
> Your phone becomes a point of failure for one more thing.
So one critical point of failure instead of multiple critical points of failure. If you lose your car keys on your trip, your trip is still a failure and you're stranded. If you lose your wallet on your trip it's still a failure, and now you have to go cancel a handful of cards and you're out the cash in the wallet and what not and need to get a new ID. If you lose your phone it's still a bad day, a potentially expensive and useful device went missing.
If I lose my phone it's the same bad day as if you lose yours, a potentially expensive device went missing. I can use my backup passphrase on the car to get home. I still have my regular wallet at home to fall back on, and all my payment info was encrypted and can be remotely wiped with a few clicks. I didn't lose any government documents.
And in the end, it's not like I'm breaking my phone every day or something. Phones are pretty resilient these days especially when thinking about short trips around town. I've had one phone break from physical damage in the past decade. Seems like an overblown concern to me. As for "what if your phone dies?", the car is a 74kWh battery. If my phone dies while I'm next to 74kWh of electricity I'm an idiot and failed to have extremely basic plans.
> All I put in my pocket to buy groceries are keys and a wallet.
So 3x more junk than me for otherwise no reason.
> . If you lose your car keys on your trip, your trip is still a failure
I have my phone so i can phone for help. I have my wallet so I can pay for things.
> If I lose my phone it's the same bad day as if you lose yours, a potentially expensive device went missing
Nope, because its like everything that could happen to me happening at once.
You have a lot less backup.
> Nope, because its like everything that could happen to me happening at once
No, because I can still drive home even if I lose my phone.
If you lose your wallet, you're not buying the groceries. If you lose your keys, those groceries aren't getting home anytime soon.
And even then, this is still a massively rare occurrence. How often do you smash your phone on the ground, daily? Weekly? Monthly? I'll gladly trade a slightly less convenient day once a decade+ for having to deal with all this business of having to carry extra junk every day of my life.
I like it quite a bit. It wouldn't be a dealbreaker for me, but I would prefer having it than not.
Did a high school project on the jam and replay attack mentioned here: https://github.com/trishmapow/rf-jam-replay. Low cost SDRs have been a real game changer in letting the average Joe get started in this space. Good to see that more unis have courses with this type of hands on experimentation.
So many Range Rovers are being stolen in the UK that the manufacturer has started contributing towards insurance costs: https://www.whatcar.com/news/range-rover-insurance-owners-to...
Code-hopping remotes have existed for a very long time, and I am really surprised that it's not the case here. I have had cars that were made in the 90's that used keeloq, a technology from the mid 80's.
In fact, all of my door openers and car remotes have some form of code-hopping and it's certainly not because they were specifically chosen for that aspect.
Sure, there are attacks for code-hopping systems as well, but it's a completely different league.
By code hopping do you mean rolling code based remotes?
I think what can sometimes be done with these is that one can record one or two codes and then desync the original remote. But I agree, it's a different league.
I'm confused why this is still an unsolved problem. A simple cryptographic challenge with pre-shared keys + button press ought to make key fobs perfectly secure for all practical purposes. Is there something I'm missing here?
It requires two-way communication, which makes the system more complex, with all the negatives that come with it.
Cars are not very secure by nature: they have easy to break glass windows, and are made of relatively lightweight materials. The key system just needs to match that level of security, and AFAIK, attacks on the keyfob are uncommon compared to other, less subtle techniques.
The more complex and sensitive "PKES" system, according to the article already has a challenge-response system, but it doesn't help with relay attacks.
yeah, this is what the article is describing as to what it was like in the early 2000s (assuming no moronic key reuse)
the problem is they "improved" the usability
it was safe when you had to push a button, but now roles are flipped so the car is the initiator, and doing it constantly
the protocol is now subject to a whole entire extra class of attacks it was never designed to deal with
You have to be able to get new keys made without having an original to read. A database of vin, key would be too big of a target and would have to be shared with dealers anyway so they could program new ones. I'm not a security expert but it seems like it would really shorten battery life on the fob if you wanted to protect against replay attacks by adding a time sensitive value.
Key distribution is (as always) an important, but solvable problem. There are some tradeoffs involving centralization vs cost of replacement, but those apply generally, not just in this particular case.
As for replay attacks, that's where the button press comes in (like on a hardware security token) -- the key only responds to challenges within a second or so of a button press and the car sets a similar timeout for validity.
Battery life maybe? AFAIK most of the remotes works one way only, they don't have a receiver and very low processing power.
And how that will protect you from repeater attack? I just steal your car while you are in mall with this just as easy, encryption or not. I don't care about the signal, just that I capture it, send it to my other device near your car and kaboom!, your car unlocked.
The key fob would always return a response the exact same amount of time after receiving the challenge, so couldn't the car learn the distance by measuring the time of flight?
How does repeating work if both the car and key use a code that changes every time, like 2FA app.
TOTP relies on synchronized clocks, which is far, far too complicated to work here.
This adds complexity and with complexity there comes a price tag. That would make the key fob more expansive. It also adds higher power requirements this then comes with new requirements for the battery.
Re price tag: you can buy a smartphone for 100$. Surely it is possible to mass produce cheap key fobs with send/receive capability and a tiny crypto module.
Re power: Key fobs already do some form of crypto and broadcast. Adding reception capabilities ought not to be that power hungry.
Even Better, they can use a smartphone app. We already have a battery-powered device that can emit radio signals in various frequencies!
I've got an even better solution: Picture a piece of metal, cut in a specific way as to allow metal "tumblers" inside a small cylinder to turn, engaging and disengaging the locks and/or ignition, whereas other pieces of metal, cut differently, would not allow any motion. I know, it sounds far out there, but we should give it a shot.
That doesn't sound very secure at all. I've heard there are little known techniques called "lockpicking" and "rakes" that make such technology practically useless.
Broke a few of these for my old work -- HiTag2 and Megamos, some of the code&knowledge used for the attack is online&published, but neither can be used to actually break the ciphers as-is [1][2]. The issue used to be that the cipher employed needed to be low-power, fast, and reliable. With current technology, one could easily use AES, and no serious auto maker should be using HiTag2/Megamos. They were hand-rolled ciphers. The way AES is used (i.e. the protocol itself) could still be wrong, of course, e.g. allowing for replay attacks, etc.
[1] Doesn't have some features which you need to use to actually attack HiTag2: https://github.com/msoos/grainofsalt
[2] Used for various pre-processing that is useful (but not neccessary) to break Megamos, but _far_ from the actual attack: https://github.com/meelgroup/bosphorus/
This is both very relevant and a bit off topic, but for me, quite timely.
Today my Polestar app wasn't updating properly. Some things were, but the widget was stuck on manual refresh, and the odometer and location in the app were from the previous location I'd been, not including the trip home.
I stupidly deleted the cache and data for the app. Then tried to reconnect to the car.
This process requires putting all of the fobs (for me, two) in the car, and then getting to the right step in the car as well as the app.
But... here the car claims it cannot find both fobs. While in other parts of the car software, it indicates it can find both fobs. Because of this, I cannot pair the phone and car, and have any of the app features working again.
I would, naturally, factory reset, but this also requires both fobs, and also claims it cannot find them. (I've tested each fob and they both fully work otherwise - just in these two instances, the car acts as if it cannot find them.)
Did you put them both in the cupholder? There's an RFID reader in there for that purpose.
I did. I tried a lot of things.
Ultimately the next day (this morning) I unplugged the charger, and hopped in the car and pressed Factory Reset, and it worked like a charm, and everything is fine now.
I don't know if charging was blocking pairing but I assume it was blocking the factory reset. (Just wish error messages were... more informative, you know?!)
I assume somehow data was... not in an ideal state... in the car's internal database, and the factory reset removed the bad data, allowing normal operation to assume.
This is an old article and whilst there are undoubtedly still vulnerable vehicles, with the advent of UWB it seems to be a solved problem.
My car has UWB, there's a LED on the fob that blinks when it is in range and if it's stationary for a short time, it inactivates as well. Some experimentation suggests you need to be within about 5m of the car to open the doors.
The localisation seems to be very accurate, even if you can open the car from a distance it won't start unless the fob is physically within it. If I sit in the driver seat the fob has to be less than 10mm away from the outside of driver's window, otherwise it refuses to start.
I HATE to say it, but 'enter your password to unlock your car' is the only reasonable alternative when 'something you have' is pseudo-secure.
Why can't it be very simple and secure. Car and fob share a secret key.
When you click on the open button on the fob, you send
SHA256(key)
Car responds with a random challenge
RND
Fob sends
SHA256(key XOR RND)
Car does the same calculation and compares.
There's no car identification in this protocol, meaning that impersonation/mitm attacks are trivial. Try again :)
I don't see it. Give an example of how this attack can be executed, a practical application.
I approach my car, I press the button on the fob to open it, and your attack does what exactly?
Only two lecture slide decks?
Did the professor get tired of uploading the material for students to review post lecture?
This was a great class when I took it! Hope you’re doing well Dr. Pauly!
We should just GPS track the cars and arrest the thieves.
There's an UK-based company providing anti-theft tracking services for cars, motorcycles, heavy equipment etc. and they have a YouTube channel where they document some recovery operations. It's quite remarkable how fast a car goes from stolen to stripped. They also can't rely on just GPS to actually recover stolen goods. For example: https://www.youtube.com/watch?v=IdGoxDPMv9Y
For a good modern day automobile security system, at least in the US, get a car with a manual transmission.
How do people learn to drive manuals in 2025? It used to be that you used your buddy's/parent's beater in the back of the mall parking lot.
But no one has one anymore. I tried to learn in the 90s for about an hour, and never managed to get the car moving forward rather than bouncing. At this point, I don't have much desire to try again, but I wouldn't know how to try if I wanted to.
Twenty years ago, I supervised a beginner in an office parking lot that was generally empty on Saturdays. But you're right, we haven't had a car with a manual transmission in a dozen years now.
Cheap standard cars like a miata are fun to drive
edit: if you buy em old I mean
me I want an Exige
A patina of filth, slightly faded paint and maybe a few dings and dents also help make a car invisible.
So funny the guy towing my car couldn't drive it so I had to drive it onto the ramp
[dead]
One thing I would’ve liked about an Apple car is the security. Imagine FaceID, secure enclaves and MFA. An iPhone on wheels would be immune to most, if not all, of these attacks.
Which makes you dependent on a third party, that doesn't necessarily have the motive to keep it updated. Having a mobile as a secondary key is a better idea, my Polestar 2 has keys, but also an app that can use Face ID (or the equivalent Android security measure) to drive the car. Once the app is set up you don't need to carry the physical keys.
And then how do I loan it to a friend without the rigamarole of adding them as an authenticated user?
What if I'm not able to add them as an authenticated user or authentic myself to let them drive, e.g. I'm injured or very drunk?
I imagine the same way you share a key for a HomeKit-enabled smart lock.
The only scenarios where one is so injured and/or drunk as to not be able to complete the non-rigamarolish process of sharing a HomeKit home key either by doing it themselves or walking someone through the process are ones where the key holder is so incapacitated that they would be unable to share a physical key.
All of that is someone irrelevant because Express Mode is enabled by default, so if you are unconscious all a person has to do is pull your phone out of your pocket and use it to unlock and start your car the exact same way physical keys work in that situation. It even works if the phone's battery is dead.
https://support.apple.com/en-us/118271
Also, every implementation of CarKit Car Keys I have seen is the same as HomeKit home keys: there is a backup. Either a physical key, PIN, fob, or card.
> non-rigamarolish process of sharing a HomeKit home key
I have not used homekit, but from some searches it only seems to be a non-rigamarole process to add someone as a homekit user if the other person has an apple device? Also, is the Internet required to enroll someone?
> ones where the key holder is so incapacitated that they would be unable to share a physical key.
I don't need to be conscious or my phone have battery (or reception) to have someone take a key from my pocket.
> Also, every implementation of CarKit Car Keys I have seen is the same as HomeKit home keys: there is a backup. Either a physical key, PIN, fob, or card.
I was responding to gp who wanted none of this as it all defeats the security they desired. A 1-factor physical authentication token as a backup would be suitable for nearly all edge cases I can think of. As long as the person carries it, but then we are at worst where we are today, at best I could potentially authenticate or add someone from afar.
I'm not saying that smart locks aren't useful, just that they can't only be "smart", which I assume you would agree with since you brought up things currently having backup methods?
> And then how do I loan it to a friend without the rigamarole of adding them as an authenticated user?
By making adding an authenticated driver not a rigamarole, but easy and intuitive.
> What if I'm not able to add them as an authenticated user or authentic myself to let them drive, e.g. I'm injured or very drunk?
They call you an ambulance.
> By making adding an authenticated driver not a rigamarole, but easy and intuitive.
We'll have to agree to disagree. I don't believe that this will be possible in many situations. What if I'm not near my car? What if my phone is dead? What if my car's battery is dead and it needs jumped?
I'm also just cynical that the automakers or app developers are able to not enshittify the process.
What if when I set my wife up I added her as a user but not admin and now she can't share with someone without having to involve me, which may not be physically possible in all circumstances.
> They call you an ambulance.
You don't call an ambulance to take a drunk person home. Calling a taxi when there is someone able to drive is a waste of money and a huge inconvenience the next day to retrieve the car.
You also can't call an ambulance in the wilderness.
I also meant injured in a more broad sense. What if I just have a bad headache or migraine? I don't want to be fumbling with my phone or car electronics trying to navigate adding someone.
In the future?
They call 911, and they read the license plate number and the authorities send an override signal that turns on the car and only allows it to be driven to the nearest hospital that appears on the screen on the console. If they go off course, they have 30 seconds to get back on course before it coasts into a 5mph limp mode (to find a safe place to pull over) for 1 minute before it completely stops and shutsdown and locks them inside for the police to come get them.
Eh, the car will probably be self-driving at that point, so probably only the first half.
The last thing I want to see on any car is the ability for the government to just remotely hijack random cars. Not just because cops already and routinely abuse their privileges (imagine some crazy police officer doing that to their ex girlfriend!), but also because any such capability can and eventually will be abused by malicious actors. Think of the usual "for the lulz" trolls, organized crime rings involved in looting people, or nation-state enemies.
Aren't authorities notoriously unable to get into Apple products unless allowed?
I have my BMW key in Apple Wallet. When I was out of town and needed to share the key with another person, all I did use a standard share sheet for the key. It let it share via SMS, email, AirDrop, etc.You can revoke the key later.