Something strange is going on in the city of Stadskanaal (Groningen).
Police received a lot of complaints from people who had stuff stolen
from their car. The strange thing is that the thieves did not damage
the car or the locks while taking the stuff out. Police suspect there
is a vulnerability in the electronic opening mechanism and that the
burglars somehow exploit it. The interesting fact is that many
different makes and models were opened. A journalist who just called
me told me there was a big list of brands involved, ranging from
cheaper models to Mercedes and Jaguar. Police are now investigating
whether there is a device on the market that will crack the remote
control codes or otherwise open the cars without damage …
Of course we are all curious what this could be. Maybe it is indeed
some device that will try to guess (brute force) the right remote
control code. It could also be that there is something else going on:
a weakness in the electronic system of the car that will do an
‘emergency opening’ if you zap the car with a cattle prod or taser.
I have been an expert witness in a court case concerning a specific
car theft in The Netherlands a couple of years ago, and I studied
the subject of remote controls then. One of the things I found out was
that most modern remote controls use a so-called ‘rolling code’,
meaning you cannot record the bits from the control and ‘replay’ them
to the car. The only weakness I found then is that some remote
controls will start at the beginning of the sequence when the battery
is changed, and the cars will open if the beginning of the sequence
comes by. But I am not convinced this is how the thieves gained access.
Small update: If a high-power transmitter were used that spits out a
random bitstream at the remote control frequencies (around
433.920 MHz) you might have a chance of accidentally opening a car.
This would just depend on the number of correct bits needed.
Especially in an area where you would find lots of cars (like a
parking garage or a big square filled with cars) you might get lucky,
again depending on the number of correct bits needed to open a car.
I posted this question on nl.radio.scanners and hope a local radio
enthusiast can be found who is willing to scan the small range for
long uninterrupted digital transmissions that sound like this one:
blackbag.toool.nl/images/remote-keypresses-433950mhz.wav
More updates: 13 September 19:10
Did you ever hear about the trick where people could open a Mercedes
with a ping-pong or tennis ball? It is an urban legend from years
ago. The complete Mercedes lock could not be manipulated with hooks
etc. because it was completely shielded. In fact it was so shielded it
was almost airtight. If you smashed a ping-pong ball or prepared
tennis ball onto the lock, the air that is blown into the lock could only
escape by lifting the buttons up and unlocking the car. This is an old trick
and does not work anymore. One of my informants thinks it might still
be possible with a portable air pressure device. Currently small
compressors are on the market that can deliver 8 bar of pressure.
Maybe these locks were ‘blown open’? Sounds feasible to me …
BTW: should I create a new article when I update, or do readers like it when I paste into an existing posting?
To be continued …
I am also very curious how they managed to pull that off.
On the radio the police already talked about a method of transmitting as many codes as possible. According to them, 2 or 3 out of every hundred cars would always open this way. In my opinion this was already impossible, because these locks (transmitters) do indeed use a constantly changing code. For the rest, compliments on the site (toool) and on your log; I follow it with great reading pleasure.
I was expecting your insight on this when I heard the news. Rather yours than the spyshop salesman that obviously had no idea what he was talking about, just used bits and pieces of what ‘his engineers’ told him. Something incomprehensible yadda yadda on using a lot of transmitters on one frequency or something.
Barry,
If you have any published items from that court case, it would be great if you were able to make them available… Even if it’s out of date or incomplete, I’m rather intrigued.
Keep up the great work, this blog has become a regular stop for me as of late 🙂
Cheers!
Many years ago when I was going to technical school, for a final project my team and I made a device that could scan all codes for Clifford car alarms.
We picked the Clifford car alarm because most of us at the time had that brand of alarm installed in our cars, so we had remotes for them to do testing and work on our class project.
In our testing, we found that there was a limited number of frequencies used in the Clifford remotes, so our little device would scan all available codes and within minutes or sometimes seconds would disarm the car alarm. It was amazing and also a little nerve-racking that the alarm could be bypassed so easily.
Maybe this is how they did it?
I presume that simple picking has been ruled out. Have they ruled out overlifting?
I’m curious to hear how this turns out. Thanks again for sharing Barry.
-j
Building off of what seanrox said…
A friend of mine is big into crypto and RF transmission. Unfortunately, I am not, so I cannot directly speak as accurately about the subject as he can describe it, but I will at least try to give the general idea.
He just recently bought a new Toyota Prius Hybrid car, and was discussing with me one day how worthless the locking security mechanisms are. The car uses a proximity system that will allow the door to unlock without using a key or pushing a button, or to turn the car on without inserting a key into an ignition.
He was complaining (and again, I am no crypto expert, so I apologize if I am completely talking out of my ass here) that the typical car convenience unlocking system used a very weak 8 bit encryption, and that the variation in the codes and frequencies was so narrow that the unlock codes of a car could be easily brute forced in a matter of 5 minutes at the most, provided you had the right hardware.
He said he was going to try and create a completely independent unlocking system using some of his RF gear and a laptop to see if he could brute force his own car to unlock at the very least, and with luck, actually put it into an operational mode (be able to actually turn the car “on” keyless).
Currently he has figured out how to emulate the locking code for the car about 50% of the time, and has gotten the unlock coding to work once. But he has not been able to replicate the proximity transponder.
He says he is still working on it, and doesn’t really intend to do anything with it, because it is useless to him, as it is literally almost impossible to lock your keys in the car with the proximity system.
Anyway, sorry if that’s so long-winded.
But I would have to believe that on older vehicles, with a less sophisticated system for encrypting the codes, it would not at all be difficult to brute force your way through the unlock codes on a car.
Jarnie: There is some info available on the court case, but written in Dutch. It is the final decision of the judges in this case.
It can be found here (sorry for the poor quality, it is a fax):
http://toool.nl/p1.jpg
http://toool.nl/p2.jpg
http://toool.nl/p3.jpg
http://toool.nl/p4.jpg
From my chat log from last night:
>I just read the car opening thing now. Odds are that someone has a set of overlifters and a Tibbe pick or else they are jamming the car remote.
>
>The cars are never taken? [No, only “broken” into without damage. No, never taken]
>That suggests that it isn’t a rich gang who can beat all the cars in a clever way, or else they would be popping the bonnet and replacing the ECU to drive the car away.
>
>What you do is this: Get a fairly powerful transmitter that can record a signal. Put it near the car.
>On the first unlock press, you record the transmission, whilst jamming it with a known signal. You then wait for a second signal, which is also recorded and jammed.
>You then quickly play the first recorded signal back, opening the car.
>Later, you play the second signal and it opens the car, as it is the next code the car is expecting. (If the owner unlocks then relocks, you will have to repeat, as the code will automatically skip forwards, assuming the fob was pressed out of range – which is probably the assumption the user made when the first press failed to open the door.)
>Then you do your stuff and leave.
>If you want, you can even lock the car, since many don’t use an encrypted rolling code to lock, only for unlock, and the locking code stays the same.
>I’m not certain it would work on all cars, as the code is re-sync’d in different ways.
>If it is re-synced when the car is started, then it won’t work, but most don’t do that, they just move the code on to the next one(s) to expect for next time, to prevent a regular replay attack.
>
>The other way is to power probe, but that’s a fairly obvious thing compared to sitting in a van with an aerial.
Thoughts? I know the string for locking is generally weak, as who would bother cracking it? However, the days of a car only having 4096 codes to roll through are long gone. An early exploit was, as mentioned above, to simply scroll through every option. However, modern cars have anti-replay rolling codes that are millions long, with a time to hit the code measured in days. It wouldn’t be a surprise if they often had a slight delay to stop brute force from doing anything fast, either. More than one or two codes in a second would be odd, more than ten would be a definite attack. You can reduce the keyspace quickly by assuming the car will respond to the nth code along the list, say n=5, to allow for accidental fob presses in the pocket. It will never, of course, respond to the n-1th code unless you do something clever like I suggest above.
N
Oh, and further, most modern car ECUs will require the car to be unlocked and opened for a new fob to be programmed in (often by some odd display of key turning) which closes the door on “re-start” attacks.
The average car key is still cheap to buy in steel, but the electronic versions which allow the engine to be started and turning off the alarm can be £30 each, and they need to be programmed/sync’d with the car, often by machines which cost many thousands, and require a yearly update on the software.
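Two points in this thread are easy to get wrong without a model in front of you: Barry's remark in the post that some fobs restart their sequence after a battery change, and NKT's description of a receiver that accepts the nth code ahead (n=5) but never an earlier one, so that a held code dies as soon as the owner presses the fob again. The following is an added example, not code from Barry's post, from NKT, or from any vendor: a toy rolling-code fob and receiver in Python. The key, the HMAC-SHA256 code derivation, the 32 bit code width and the window of 5 are all assumptions chosen for the demonstration; real fobs use vendor-specific block ciphers.

```python
"""Toy rolling-code fob and receiver (constructed model, not any vendor's scheme)."""
import hashlib
import hmac

WINDOW = 5        # receiver looks ahead this many counter values (NKT's n=5)
CODE_BITS = 32    # assumed width of the transmitted code
KEY = b"constructed-demo-key"   # constructed; a real key lives in the fob and the ECU


def derive_code(key: bytes, counter: int) -> int:
    """Code for one counter value: HMAC-SHA256 over the counter, truncated to CODE_BITS.
    HMAC stands in for the vendor cipher; what matters is that codes cannot be
    predicted or rolled back without the key."""
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[: CODE_BITS // 8], "big")


class Fob:
    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter

    def press(self) -> int:
        code = derive_code(self.key, self.counter)
        self.counter += 1          # every press advances, whether the car heard it or not
        return code

    def change_battery(self) -> None:
        self.counter = 0           # the weakness from the post: the sequence restarts


class Receiver:
    def __init__(self, key: bytes, window: int = WINDOW):
        self.key, self.window, self.expected = key, window, 0

    def unlock(self, code: int) -> bool:
        """Accept only a code in [expected, expected + window); anything older is dead."""
        for c in range(self.expected, self.expected + self.window):
            if derive_code(self.key, c) == code:
                self.expected = c + 1   # skip forward: every earlier code is now rejected
                return True
        return False


def plain_replay_is_rejected() -> bool:
    fob, car = Fob(KEY), Receiver(KEY)
    code = fob.press()
    return car.unlock(code) and not car.unlock(code)


def presses_out_of_range_are_tolerated() -> bool:
    """Pocket presses the car never heard are fine up to the window, not beyond it."""
    fob, car = Fob(KEY), Receiver(KEY)
    for _ in range(WINDOW - 1):
        fob.press()
    ok_within = car.unlock(fob.press())     # counter WINDOW-1: still inside the window
    fob2, car2 = Fob(KEY), Receiver(KEY)
    for _ in range(WINDOW):
        fob2.press()
    ok_beyond = car2.unlock(fob2.press())   # counter WINDOW: outside, needs a resync
    return ok_within and not ok_beyond


def held_code_dies_on_next_owner_press() -> bool:
    """NKT's scenario: two presses (counters 0 and 1) the car never received.
    Playing the first opens the car; once the owner presses again (counter 2)
    the window skips past 1 and the second code is worthless."""
    fob, car = Fob(KEY), Receiver(KEY)
    first, second = fob.press(), fob.press()
    opened_with_first = car.unlock(first)      # car now expects counter 1
    owner_press = car.unlock(fob.press())      # counter 2 accepted, expected becomes 3
    return opened_with_first and owner_press and not car.unlock(second)


def battery_reset_is_rejected_by_strict_receiver() -> bool:
    """A receiver that never accepts counters behind its own position closes the
    battery-change weakness; the price is a deliberate resync procedure afterwards."""
    fob, car = Fob(KEY), Receiver(KEY)
    for _ in range(50):
        car.unlock(fob.press())   # fob and car in sync at counter 50
    fob.change_battery()          # fob restarts at counter 0
    return not car.unlock(fob.press())


def random_guess_probability(code_bits: int = CODE_BITS, window: int = WINDOW) -> float:
    """Chance that one random code lands inside the window: window / 2**code_bits.
    With 12 bit codes (the 4096-code era NKT mentions) and a window of 1 that is 1/4096."""
    return window / 2 ** code_bits


if __name__ == "__main__":
    for check in (plain_replay_is_rejected, presses_out_of_range_are_tolerated,
                  held_code_dies_on_next_owner_press,
                  battery_reset_is_rejected_by_strict_receiver):
        print(f"{check.__name__}: {check()}")
    print(f"random guess, 32 bit code, window 5: {random_guess_probability():.3e}")
```

The `held_code_dies_on_next_owner_press` check is the defensive reading of NKT's comment: a code captured but never delivered stays valid only until the receiver sees any later code, so the exposure window is one owner press, and a design that resyncs when the car is started (as NKT notes some do) shrinks it further. The `random_guess_probability` function puts numbers on Barry's "depends on the amount of correct bits needed": the window helps a guesser only linearly, while every extra code bit halves the odds.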
NKT: Thanks for your posting, I enjoyed it a lot! It shows a weakness
in this type of rolling code scheme. I just do not see an easy way to
record and jam a frequency at the same time. Of course you could
extrapolate the transmitted bits from a known jamming signal in
software, but it would not be an easy task.
The idea of ‘blowing’ is great! If it worked, a small cheap CO2 canister like those used for soda sprayers might provide enough pressure.
I wonder, in the models of cars involved, would mechanically picking the lock be enough? Wouldn’t the electronic alarm sound anyway without receiving the disable/unlock code? My aftermarket alarm sounds if I forget to disable it with the remote and open the trunk or door with the key, but I don’t know if that behavior is the same with newer OEM systems.
I would vote for separate posts for updates. Both to separate the comments referring to the update, and to make life easier for people reading via RSS.
Great blog BTW. Keep up the good work.
As regards how to differ the signals, that part requires a little luck, and a directional antenna, or a pair of directional antennas. Your jammer can be targeted easily at the parked car, while your record aerial is pointed at the fob/mark. This will reduce cross-talk, plus you know the jamming bits you are sending. If you are really good, you will find a null lobe on the transmitter aerial and target the mark with that, while pointing the record aerial at the mark with the highest gain part.
Simple signal processing will allow the true signal to be retrieved. This is made even easier if you know the check bits from the data stream (if any) as this lets you play “what if” on the signal. And as we know, a fast PC can do a lot of signal processing and manipulation in the half second between presses.
Your aerials reverse use just after the second press, and play the first recording, leaving you with one opening in hand. The mark will not be expecting anything, as the car opened fine on the second button press, and the 0.1 second delay (tops) will not be noticed as anything suspicious, if at all. During this 0.1 second, you could play back a few dozen different possible opening codes, increasing the odds of success.
How to avoid this? Don’t press to open your car from a distance. Wait until you are right by the door, as (if my idea is correct) you will make it far harder to split the signals, as the two aerial gains will be superimposed. Use the regular common sense and check for tails. Press unlock before you lock your car and leave it.
Those three things will (help) stop your stereo walking off without any trace of the door being opened.
The other way would be to use some sort of microwave emitter to totally overwhelm the car electronics, but this would likely set off the alarm or totally destroy the car’s system. These anti-car systems have been trialled by the police for use in stopping high-speed pursuits. However, I haven’t seen any more than manufacturers’ blurb, and I can’t track that down right now.
OK, I know you can open a locked car door using a cell phone. When I got locked out of my car at the mall I called my mom; she has backup remote keys and opened my door over the phone, so it has to be done with sound, not radio. I have a ’90-something Buick with factory remote unlock.
Can anyone tell me a way to learn more on this?
mrchitownsteve@yahoo.com
If this is true, then we should suggest another way to lock a car. I think there might be some device for them, any suggestions?
The reason for this is because those tools can be purchased from the market, and the police should stop people selling those tools, so our cars would be safer.
>The reason for this is because those tools can be purchased from the market, and
>the police should stop people selling those tools, so our cars would be safer.
If life were only that simple. Crime-groups have proven over and over again to be very efficient at spreading “restricted access” technology and knowledge, especially when they are confronted with a largely unprotected world that thinks legislation/enforcement is protecting them. Security is an arms race, and consumers need to put their money with vendors that are willing and able to keep up. But to do this, they must first be allowed to know which vendors are keeping up. Protecting the bad vendors with legislation and restricting access to knowledge and tools disrupts the evolutionary process that gives us good security.
Did anyone find out how they get into the vehicles? We are having the same burglary problem in the US.
A couple of ideas come to mind.
1. Were these owners of the cars the original owners? If not, perhaps the original owner, or car dealer, or employee of the car dealer had a spare key.
2. Perhaps a spare key was made at the dealer from a person providing the correct information to make a key. (VIN #, name and other necessary information)
3. Did anyone actually call a forensic locksmith to determine that car opening tools were in fact NOT used (there are many tools and ways to open a car)?
4. Domestic troubles…. family / friend with a copy of the key.
5. Random person with key to similar make / model chancing on a random “Match”
I can think of a few other ideas, but they are a little less likely.
Locksmith.