# One Show Keyless Car Theft



## 90TJM (Sep 30, 2013)

New way of car theft I have not heard about before. The signal from car to key fob can be intercepted outside your house using a device. So they don't need to break in to get the key. My fob opened my car from the back of my house. I have wrapped the fob in thick foil and that appears to block the signal. Scary!


----------



## ZephyR2 (Feb 20, 2013)

Didn't see it but doesn't this only relate to cars with keyless entry like Audi's Advanced key?
From what I've heard these devices can pick up the faint signal from a key fob inside a building and relay it to the car giving the impression that the key fob is close to the vehicle allowing them to open the car and start it up.
With a standard key fob no signal is emitted from the fob to the car until you press the button, so these should not have that same vulnerability.
If you want more peace of mind then Google Faraday cages. You can easily make one using foil like yourself or buy a specially lined pouch.


----------



## Rev (Nov 17, 2015)

ZephyR2 said:


> Didn't see it but doesn't this only relate to cars with keyless entry like Audi's Advanced key?
> From what I've heard these devices can pick up the faint signal from a key fob inside a building and relay it to the car giving the impression that the key fob is close to the vehicle allowing them to open the car and start it up.
> With a standard key fob no signal is emitted from the fob to the car until you press the button, so these should not have that same vulnerability.
> If you want more peace of mind then Google Faraday cages. You can easily make one using foil like yourself or buy a specially lined pouch.


Or if you've bought some computer components, an anti-static bag should do it. Like these:
https://upload.wikimedia.org/wikipedia/ ... ic_bag.jpg
https://i.stack.imgur.com/IRIvK.jpg


----------



## jhoneyman (Aug 8, 2012)

A similar thing happened to me in Lisbon 15 years ago.
Remote opening of the car was intercepted and the frequency was used to then open the car when we were having dinner.


----------



## powerplay (Feb 8, 2008)

If you happen to have Advanced Key, can this be deactivated so you have to press button like normal key fob?

Just asking as I'm about to buy a car with the Advanced Key option but don't really want it, I would never have chosen it on a newly ordered car so if it can be disabled then happy days :lol:


----------



## Nyxx (May 1, 2012)

Never say never Powerplay.

I have it and 3 weeks in love it. (did not like it at first) 
Walk up to car put hand on door handle and it unlocks.
Close door and I just slide the back of my hand over the door handle and it locks.

Very cool.


----------



## R_TTS (Mar 16, 2016)

powerplay said:


> If you happen to have Advanced Key, can this be deactivated so you have to press button like normal key fob?
> 
> Just asking as I'm about to buy a car with the Advanced Key option but don't really want it, I would never have chosen it on a newly ordered car so if it can be disabled then happy days :lol:


There's no option within the MMI to turn off the advanced key, but you can just use it like a normal key fob if you want. If the security aspect is a concern, maybe it could be deactivated with coding? I think it's a good feature, give it a try before you try and deactivate it.

What car you just about to buy then?


----------



## brittan (May 18, 2007)

The Advanced Key and the Start button are natural partners: an ordinary key with the Start button just doesn't work in a sensible manner. I would not have chosen it but now I'm used to it, I'm glad it's fitted.

Perhaps we all have to get Mr Faraday to fit one of his cages to our pockets?


----------



## 90TJM (Sep 30, 2013)

It looks like it's only cars with Keyless entry that are vulnerable at present from this type of theft.


----------



## brittan (May 18, 2007)

90TJM said:


> It looks like it's only cars with Keyless entry that are vulnerable at present from this type of theft.


Normal key fobs are vulnerable to signal replication but that signal can only be captured when you press the fob. The Keyless fob transmits all the time - AFAIK - so there's more opportunity for recording the signal.


----------



## ormandj (Mar 27, 2017)

Most PKE systems require an LF signal from the vehicle before the fob will respond. They aren't constantly transmitting signal, and there is a two way communication initiated by the vehicle. I verified this with one of my PKE fobs and an RF signal analyzer. It wouldn't make sense for them to continuously transmit. Not to mention, the range on these is generally extremely low (a meter or two with no obstruction at most), they tend to be RFID based and operate at 125kHz. Nobody is repeating your signal and driving off with your car while you're lounging in the living room.


----------



## powerplay (Feb 8, 2008)

R_TTS said:


> powerplay said:
> 
> 
> > If you happen to have Advanced Key, can this be deactivated so you have to press button like normal key fob?
> ...


I've bought a mk3 TT RS with the advanced key option.

Just getting used to the car but don't think the advanced key is a really necessary feature. It means I can be standing within a couple of feet of my locked car and someone else could open it. Not what I really want :lol:

However as I have it I may as well get used to it


----------



## Mark Pred (Feb 1, 2017)

I'd not spec an Audi with Advanced Key - a friend of a friend had their two month old S3 cabrio stolen off the drive without the keys leaving their side. Police told her that it was becoming more common. Insurance paid up and she had GAP thankfully.


----------



## ormandj (Mar 27, 2017)

Mark Pred said:


> I'd not spec an Audi with Advanced Key - a friend of a friend had their two month old S3 cabrio stolen off the drive without the keys leaving their side. Police told her that it was becoming more common. Insurance paid up and she had GAP thankfully.


Advanced key isn't the culprit, that's purely FUD spread by police, news, and people who've mistakenly left cars running or with keys inside. Please see the above technical explanation on how this technology works. I don't have an Audi key to test with yet, but it most assuredly functions the same way. If someone stole the car and the keys weren't anywhere near and it wasn't left running, there is something far different going on, not related to the PKE system.


----------



## ZephyR2 (Feb 20, 2013)

As I understand it the fob isn't transmitting a signal all the time, it's listening for a signal, which requires a lot less power.
When you lift or touch the door handle the car emits a calling signal. The range of this transmission is typically 2 - 5 metres. If the fob is in range and detects the correct signal it then transmits the lock or unlock signal, in the same manner as pressing a button on the fob.
What thieves are doing is capturing the unlock signal from the car, by lifting or touching the handle. The signal is then amplified using a special device which enables it to reach a fob at some distance or inside a house. Typically a fob can unlock a car from many metres away or inside a building so there is no need to amplify the fob's unlock transmission.


----------



## ormandj (Mar 27, 2017)

ZephyR2 said:


> As I understand it the fob isn't transmitting a signal all the time, it's listening for a signal, which requires a lot less power.
> When you lift or touch the door handle the car emits a calling signal. The range of this transmission is typically 2 - 5 metres. If the fob is in range and detects the correct signal it then transmits the lock or unlock signal, in the same manner as pressing a button on the fob.
> What thieves are doing is capturing the unlock signal from the car, by lifting or touching the handle. The signal is then amplified using a special device which enables it to reach a fob at some distance or inside a house. Typically a fob can unlock a car from many metres away or inside a building so there is no need to amplify the fob's unlock transmission.


You're talking about a relay style attack and there is plenty of tech in place to stop that. First, that 125kHz signal isn't going far through walls/etc without a lot of power, it's not terribly feasible, but let's say you're walking around at a gas station, and someone is near you with a relay, someone is also near your car with a relay. There are a fair number of strategies involved to mitigate this, including timing checks as well as QAM and IMD detection. There's a quick overview on Wikipedia specifically discussing these strategies and others, and far more available if you dig into some of the more in-depth research.

https://en.wikipedia.org/wiki/Smart_key ... quirements

I shouldn't say it can't be done or isn't being done, I'll just say it is extremely unlikely based on physics concerning the "while in the house someone used a 500W portable amp to get an LF signal through multiple walls" to even begin the whole process, then circumvented all of the above (and more) security measures employed. People leaving their keys in their cars or leaving the car running is a much more likely story. It's just not as cool sounding on the news.
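
The timing check mentioned in the post above, sketched as an added example that is not part of the original thread or any manufacturer's code: the car accepts a fob response only if its MAC verifies and it arrives within a round-trip budget. The function names, the 50 µs fob turnaround, the distances and the relay delay are all constructed assumptions.

```python
import hashlib
import hmac
import os

C = 299_792_458.0          # speed of light, m/s
FOB_PROCESSING_S = 50e-6   # assumed fixed fob turnaround time (constructed value)


def fob_response(key: bytes, challenge: bytes) -> bytes:
    """Fob side: authenticate the car's challenge with the shared key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def round_trip_s(path_m: float, relay_delay_s: float = 0.0) -> float:
    """Simulated time from challenge sent to response received by the car."""
    return 2 * path_m / C + FOB_PROCESSING_S + relay_delay_s


def car_accepts(key, challenge, response, rtt_s, max_range_m, slack_s=0.0):
    """Car side: the MAC must verify AND the response must arrive in time."""
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):
        return False
    # Budget = fob turnaround + flight time for the allowed range + tolerance.
    budget_s = FOB_PROCESSING_S + 2 * max_range_m / C + slack_s
    return rtt_s <= budget_s


def run_scenarios() -> dict:
    key, challenge = os.urandom(16), os.urandom(8)
    # A relay forwards the genuine response unmodified, so the MAC is valid
    # in every relayed case; only the timing differs.
    response = fob_response(key, challenge)
    direct = round_trip_s(path_m=1.0)
    relayed = round_trip_s(path_m=30.0, relay_delay_s=2e-6)
    return {
        "direct_strict": car_accepts(key, challenge, response, direct, 2.0),
        "relay_strict": car_accepts(key, challenge, response, relayed, 2.0),
        # A 1 ms tolerance swamps the microsecond-scale difference.
        "relay_loose": car_accepts(key, challenge, response, relayed, 2.0,
                                   slack_s=1e-3),
        "forged_strict": car_accepts(key, challenge, os.urandom(32), direct, 2.0),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The cryptographic check alone cannot tell a relayed response from a direct one; only the round-trip bound does, and only when its tolerance is tighter than the delay a relay adds.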


----------



## mad chemist (Feb 18, 2011)

powerplay said:


> R_TTS said:
> 
> 
> > powerplay said:
> ...


Hope you're enjoying the new car Powerplay, I've given up waiting for now and plan to keep the M4 until next year.

This recent post on an M website got me worried: http://f80.bimmerpost.com/forums/showth ... ?t=1387182

Mad.


----------



## ormandj (Mar 27, 2017)

His keys must have been near the front door (many I'm sure drop them nearby when they walk in), I guess that is one way this may have worked with a power amp passing the LF just through a door, but I am still surprised this worked with the timing checks. I'll have to check on this with the Audi fob but sure seems like that BMW might be missing some of the security functionality that should (needs to) be enabled to prevent that type of attack.

That is scary, guess I'll eat crow on this one at least for a BMW. What worries me more is the auto manufacturer specifications regarding these technologies and security implementation appear to be false, at least in this case. That really stinks for us as the consumers with failed implementations. Hopefully the Audi system isn't as lackluster, I'll have to test this in my RF lab when my car arrives.


----------



## keithS (Jun 20, 2016)

ormandj said:


> First, that 125kHz signal isn't going far through walls/etc without a lot of power, it's not terribly feasible,


Is it really 125KHz? Most of the keyfobs I've seen use the 433MHz band, at least in the UK.


----------



## ormandj (Mar 27, 2017)

keithS said:


> ormandj said:
> 
> 
> > First, that 125kHz signal isn't going far through walls/etc without a lot of power, it's not terribly feasible,
> ...


The signal from the vehicle to the fob to initiate the fob transmission is 125kHz/LF. The fob will respond on a different frequency. I don't have an Audi fob to check, but 315/433.92MHz is common.


----------



## keithS (Jun 20, 2016)

ormandj said:


> The signal from the vehicle to the fob to initiate the fob transmission is 125kHz/LF. The fob will respond on a different frequency. I don't have an Audi fob to check, but 315/433.92MHz is common.


Ah thanks, I wasn't aware the vehicle used a different frequency to communicate with the fob.


----------



## mad chemist (Feb 18, 2011)

ormandj said:


> His keys must have been near the front door (many I'm sure drop them nearby when they walk in), I guess that is one way this may have worked with a power amp passing the LF just through a door, but I am still surprised this worked with the timing checks. I'll have to check on this with the Audi fob but sure seems like that BMW might be missing some of the security functionality that should (needs to) be enabled to prevent that type of attack.
> 
> That is scary, guess I'll eat crow on this one at least for a BMW. What worries me more is the auto manufacturer specifications regarding these technologies and security implementation appear to be false, at least in this case. That really stinks for us as the consumers with failed implementations. Hopefully the Audi system isn't as lackluster, I'll have to test this in my RF lab when my car arrives.


If I can ever factory order either a TTRS or RS3, I won't be specifying keyless-entry.

Will be good to hear your feedback on the Audi system when you get the chance.


----------



## ZephyR2 (Feb 20, 2013)

ormandj said:


> I shouldn't say it can't be done or isn't being done, I'll just say it is extremely unlikely based on physics concerning the "while in the house someone used a 500W portable amp to get an LF signal through multiple walls" to even begin the whole process, then circumvented all of the above (and more) security measures employed. People leaving their keys in their cars or leaving the car running is a much more likely story. It's just not as cool sounding on the news.


I'm sure you know far more than me about this but there's no way insurance companies would be paying out over and over again for total losses if they didn't think that such attacks were possible, and were actually being carried out.
So on that basis I'm inclined to believe it can and is being done.


----------



## L1ARR (May 12, 2017)

Is there no sort of jammer that we can place inside our homes to block the signal?


----------



## ormandj (Mar 27, 2017)

ZephyR2 said:


> ormandj said:
> 
> 
> > I shouldn't say it can't be done or isn't being done, I'll just say it is extremely unlikely based on physics concerning the "while in the house someone used a 500W portable amp to get an LF signal through multiple walls" to even begin the whole process, then circumvented all of the above (and more) security measures employed. People leaving their keys in their cars or leaving the car running is a much more likely story. It's just not as cool sounding on the news.
> ...


Please see posts following that video in this thread, clearly it's being done, and there's a few details that appear to make it possible, one of which is quite scary to me (auto mfgs not implementing some of the required security protocols properly, or too loosely for convenience). I am very surprised, the keys close to door thing I should have had the foresight to consider, but the other issue(s) are quite worrisome.

How often is this happening on your side of the pond? You never hear about it here in the states, but it sounds like some widespread epidemic over there. Is it just BMW or is it seen in other brands too?


----------



## ormandj (Mar 27, 2017)

L1ARR said:


> Is there no sort of jammer that we can place inside our homes to block the signal?


Sure, buy a little pouch or something that blocks 125kHz. They sell them for all kinds of reasons, normally labelled for blocking RFID. Stick your fob in it, problem mitigated for a few bucks. Nutty though that it would be required, some mfgs are going to have some really bad days for a flaw of this magnitude.


----------



## TTGazza (Jun 13, 2016)

Strange how all these stories never mention that you can't drive the car without the key being inside, just try starting the car by leaning in whilst you're standing outside with the key in your pocket, it won't start, fake news once again and the fear is spread. I like the smart key and would specify it again.


----------



## ZephyR2 (Feb 20, 2013)

TTGazza said:


> Strange how all these stories never mention that you can't drive the car without the key being inside, just try starting the car by leaning in whilst you're standing outside with the key in your pocket, it won't start, fake news once again and the fear is spread. I like the smart key and would specify it again.


So what do you make of this video which was on ADAC's web site? Note how the thief holds the device up first to unlock the car and continues to hold it until his accomplice has started the car.




Obviously once they've got away with the car they can't restart it again but back in their lock-up no doubt they can hack the OBD port and clone a key.



ormandj said:


> How often is this happening on your side of the pond? You never hear about it here in the states, but it sounds like some widespread epidemic over there. Is it just BMW or is it seen in other brands too?


It keeps popping up in the news and car mags from time to time. It's not just BMWs that are affected - Range Rovers, Fords, Audis and Mercs have been implicated as being vulnerable.


----------

