Assignment 5: Cars and Key Fobs (2021)
web.stanford.edu | 232 points by Pikamander2 3 days ago
BMW has a page describing the use of UWB (Ultra Wide Bandwidth) radio in key fobs and how it helps against relay attacks. In short it's because the wide bandwidth allows for very short pulses which lets them measure the distance between the car and the key, and using a relay will inevitably add distance and therefore time between when the signal is sent and when the reply is received.
https://www.bmw.com/en/innovation/bmw-digital-key-plus-ultra...
I believe this was ratified into a standard so it should show up in more new cars. https://carconnectivity.org/car-connectivity-consortium-publ...
The core problem is that older systems never proved distance in any rigorous sense, they only proved connectivity/liveness. Pretending that you're closer than you are is sometimes called in research "the mafia fraud attack".
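The two comments above contrast liveness-only checks with distance bounding. Here is an added toy model (not BMW's, the CCC's or any vendor's code) of a challenge-response exchange timed by round trip: a legacy verifier that only checks the MAC accepts a relayed reply, while a distance-bounded verifier rejects it because a relay can only add latency. The 2 m unlock radius and the 1 µs fob turnaround are assumed values.

```python
# Added example: toy model of distance bounding vs. a connectivity-only check.
# Not BMW's, the CCC's, or any vendor's code; radius and turnaround are assumptions.
import hashlib
import hmac
import secrets

C = 299_792_458.0           # speed of light, metres per second
UNLOCK_RADIUS_M = 2.0       # assumed policy: fob must be within 2 m of the car
FOB_TURNAROUND_S = 1e-6     # assumed calibrated, fixed reply delay inside the fob

def fob_reply(secret: bytes, challenge: bytes) -> bytes:
    """Fob side: authenticate the fresh challenge with a shared-key MAC."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()[:8]

def round_trip_time(distance_m: float, relay_delay_s: float = 0.0) -> float:
    """Physics of the exchange: radio out, fixed turnaround, radio back.
    A relay can forward the signal but can only add latency, never remove it."""
    return 2.0 * distance_m / C + FOB_TURNAROUND_S + relay_delay_s

def estimate_distance(rtt_s: float) -> float:
    """Car side: subtract the known turnaround and halve to get one-way distance."""
    return (rtt_s - FOB_TURNAROUND_S) * C / 2.0

def legacy_verify(secret: bytes, reply: bytes, challenge: bytes, rtt_s: float) -> bool:
    """Older scheme: proves the fob is alive and holds the key, nothing about where it is."""
    return hmac.compare_digest(reply, fob_reply(secret, challenge))

def uwb_verify(secret: bytes, reply: bytes, challenge: bytes, rtt_s: float) -> bool:
    """Distance-bounded scheme: the MAC must check AND the round trip must fit the radius."""
    return legacy_verify(secret, reply, challenge, rtt_s) and estimate_distance(rtt_s) <= UNLOCK_RADIUS_M

def attempt_unlock(verify, secret: bytes, fob_distance_m: float, relay_delay_s: float = 0.0) -> bool:
    """One challenge-response with the fob at a given distance, optionally through a relay."""
    challenge = secrets.token_bytes(16)
    reply = fob_reply(secret, challenge)      # the fob answers honestly wherever it is
    rtt = round_trip_time(fob_distance_m, relay_delay_s)
    return verify(secret, reply, challenge, rtt)

if __name__ == "__main__":
    k = b"constructed-demo-key"
    print("legacy, fob 1 m away:           ", attempt_unlock(legacy_verify, k, 1.0))
    print("legacy, fob 40 m away via relay:", attempt_unlock(legacy_verify, k, 40.0, 1e-6))
    print("uwb,    fob 1 m away:           ", attempt_unlock(uwb_verify, k, 1.0))
    print("uwb,    fob 40 m away via relay:", attempt_unlock(uwb_verify, k, 40.0, 1e-6))
```

A 1 µs relay hop alone inflates the estimated distance by about 150 m, which is why the timing check does not need to be especially precise to catch it.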
For the time being, I just store my keys in a little cast iron dutch oven, sitting on top of the fridge.
It's extremely effective as a shield for the 125kHz LF wake-up signal, and I've been unable to elicit a response when they're in there, even with a relay setup that reliably wakes them up from several feet away otherwise.
I just don't understand why manufacturers don't follow Volvo on this - their keyless keys just go to sleep if they aren't moved for a few seconds, and they won't respond to any signal while sitting on a table for example.
That solves part of the problem, but doesn't help when you're in a supermarket or any other event where you're moving around.
My previous cars had keys that I could manually switch off and on, which is also not a full solution because it only works for people who take the effort to always do that, but at least it gives people the opportunity to completely prevent relay attacks.
All in all I'm not a big fan of key-less entry. Having to press a button on a key to gain entry can maybe be a bit of an annoyance, but in my opinion it's not a big deal compared to the advantage of completely preventing relay attacks.
My previous car (a Mercedes) had a very very simple solution to this - you clicked on the lock button twice and it just disabled the keyless entry entirely until you pressed any other button.
>>the advantage of completely preventing relay attacks.
From my understanding ToF sensors are good enough now to completely prevent relay attacks, the added time for the relay just adds too much of a delay and it gets rejected. I believe the newest range rovers use that, they went from being extremely susceptible to relay attacks to relay attacks against them being impossible.
I think the Toyota has it too. Press and hold lock and click unlock twice on the FOB. This disables the signalling that enables a lot of 'quick actions' - like double tapping the door latch to open it.
That's a nice solution too, but re: Mercedes, it requires the user to actively use that feature, which I suspect most won't remember to do.
For anyone interested, with all keyless entry Subarus in the US it’s easy to put the fob to sleep.
If you’re car camping and doing a lot of stuff around your car and opening the doors a bunch for a couple hours, you probably want to put your fob to sleep. Found out the hard way, but my battery was also a bit iffy to start with that year.
Maybe so, but this would seemingly solve most of the problem with easy-to-implement tech.
The real test is to find out if this effectively eliminated all fob hacks for Volvo, since they may not be faster than the tiger, they just need to be faster than everyone else...
Related: I've found that replacing/programming Volvo keys is extraordinarily expensive and I've yet to find a third-party locksmith who will touch them. (The latter applies to both fobs and a basic key.)
Yep - which is why I always add key insurance to my car insurance, it's a very cheap add on annually but saves a lot of money if you need a new key.
Wow. I had no idea this was an option. It kind of breaks my brain a bit because, based on the majority of my experience with car ownership (91, 98 and 2K models), it's an absurd notion.
Likewise, I wish my phone had a setting to mute Amber Alerts while the phone's been motionless for a long time. It's sleeping, I'm sleeping, blasting me with an emergency tone at 4:45am is not going to help anyone. But yes if I'm actually out and about, by all means, I'd be happy to help, I don't want to turn them off entirely.
Such common sense, yet so uncommon.
I've heard BMW does it too. Hoping that it's true and I can preserve battery by just keeping my key on the table, since it burns through a charge.
Unrelatedly, I didn't realize "Dutch oven" had a non-fart-related meaning, thanks for the new word.
Funnily enough, I think that's the first time I heard that Dutch oven has another meaning, beyond the cooking apparatus.
haha, I think the fart connotation is just that you're trapped with the lid (blanket) on.
I learn something new here every day.
- I ain't cut out to be Jessie James
- You don't go writing hot checks down in Mississippi
- Dutch oven has a non-fart meaning
My father used to be a prosecutor in MS, and one of my earliest going-to-work-with-dad memories is watching him sign off on warrants for people writing hot checks. I asked him once if he thought that was a bit heavy-handed and he gave me a very stern lecture about people who write hot checks.
So yeah, don't do that in Mississippi.
My mother told me I would end up in massive unrecoverable debt if I didn’t keep my check book balanced, and if I kept it up for too long I would be arrested for fraud. She was from MS, so that tracks.
My prev comment was just quoting Johnny Cash. Had I thought about it, I probably would have assumed that “writing hot checks” was in the song because it’s sort of an amateur crime that landed him in the prison where he learned his lessons. Of course it has to be Mississippi for the chain gang reference.
I purchased some cheap key fob faraday bags on Amazon.
The bags work while I'm in the car.
You know those Danish butter cookie tins that everyone's mom uses for sewing supplies? They also make good Faraday cages.
Not in my experience. Did a lot of Bluetooth testing in a former role, and those were the first thing we tried and the first thing we gave up.
ESD-shielded multilayer metalised polybag? Fold shut, keep until crinkled or until it has any holes?
Your microwave oven also makes a good Faraday cage.
That's an expensive mistake waiting to happen.
Why would you ever turn on your microwave without opening it to put something in it? It's not like an oven that has to preheat.
Mistakes when setting a timer.
My current microwave will complain if the door hasn't been opened recently, but my old one would just turn on if I fucked up the time entry and tried to set a timer while I already had a timer going...
Boredom
That’s an expensive way to be bored!
Some men just want to watch the world burn, others are content watching the turntable turn...
I have a 2021 Toyota for which I lost one of two key fobs. Toyota has a strict policy that only Toyota dealerships can program key fobs for their newer cars, so buying a key fob replacement from a 3rd party was not an option. Total out-of-pocket expense for getting a new key fob, programming that key fob to the car, and making sure the other fob still worked cost about $550. I feel that is an absurd amount of money to spend because of a lost fob. I appreciate people looking into and exposing weaknesses of car fobs because it might expose ways to circumvent the monopolistic costs associated with replacements. Wish there was a way to retrofit my car to use Ultra Wide Bandwidth as a key.
Essentially all manufacturers have that policy, because key replacement is a profit center for dealerships. Independent auto locksmiths depend on third-party programming tools and keys by companies like Autel and Xhorse. There's a constant game of cat-and-mouse, with manufacturers developing new immobilizer systems and the third-party companies reverse-engineering those systems. An auto locksmith with the right equipment should be able to copy a key, remote or keyless fob for any current US Toyota model.
Two locksmiths told me that only the dealership can program a fob for a 2021 Toyota Sienna.
Used to be, you could get a seedy OBD cable off Amazon and it came with instructions on how to "acquire" the dealer software, which let you reprogram the car to accept any fob. Not sure if things have changed in the last 5 years.
Improvements in key tech just hurt me.
As long as they aren’t trivially exploitable like the Hyundai keys, more expensive keys are my problem. Stolen cars are my insurance company’s problem.
All other things equal, the easier it is to steal your car, the higher your insurance premium will be.
Agreed, but it’s a risk/return decision. In my city, car theft is like 80% less than it was 20 years ago. 60% of stolen cars are running in the driveway (warming up in the winter), and 20% of the cars in the peak year a few years ago were Hyundai/Kia with the egregiously bad locks.
Good enough to stop crackheads is my desire in this space. Doubling the cost of a $400 key to reduce my chances of a loss by 3% is a hard no.
Vulnerabilities like this lead to car thefts. Some models of cars are more susceptible than others, and the manufacturers seem unwilling to fix the problem. The insurance companies know which models are more trouble for them, and so they set higher rates for these, which punishes the driver/owner for something outside of their control.
My solution? Require the manufacturers of vulnerable models to pay the insurance on behalf of the driver/owner as long as the vulnerabilities go unfixed.
Part of what helps is, at least, getting insurance quotes before buying a car; then you see the true cost of THAT car.
Consumer Reports will also inform you of things like this in advance, if you look. (For this and 100 other reasons, it's worth paying for a digital sub.)
Consumer Reports reporting is bought and paid for by the OEMs. They'll make a big issue out of nothing or minimize real issues depending on where the money is coming from. This goes back at least as far as the Samurai rollover scandal.
Pretty much all industry journalism where the journalists depend on being in the good graces of the manufacturers to get the access they need to make their content is like this.
Consumer Reports buys all the items they review, anonymously.
That doesn't stop them from doing questionable stuff and playing favorites. All this was aired publicly in the lawsuit Suzuki filed.
Yes, many people make many claims. You should think about which ones to believe.
I don't know how you can say they play favorites. Internal memos show that Suzuki knew that they had a rollover issue because of the narrow wheelbase, and CR called them out on it through testing.
The vehicle proved to be equally or less rollover-prone than the competition (especially the Bronco II, which IIRC holds the record for the most rolled-over vehicle) in actual service and per the stats compiled over the years by the NHTSA.
So it really kind of begs the question what axe CR was grinding. In the lawsuit it came out that one of the writers managed to put it on two wheels incidentally, not as part of the tests, and that they monkeyed with the tests they were running to try and replicate that.
Is that total rollovers or rollovers per mile? Because there were a hell of a lot more Broncos on the road than Suzuki ever sold across their entire lineup.