Compared with the wild 1990s, only a fraction as many vehicles are stolen in the Czech Republic today. Nevertheless, it is still more than 2,000 cases per year. And with modern cars with keyless entry, theft can be easier than ever before, especially if we take into account the carelessness or ignorance of most owners.
Relay attack (signal extension)
Keyless entry systems use relatively simple technology. FOB/RFID chips or compatible smartphones emit a “friendly” short-range radio signal (a few meters at most).
When the appropriate vehicle is within range, the car recognizes the signal and allows the door to be unlocked – often just by touching the door handle or pressing a button on the handle. The same process is used for starting, where the digital key must already be inside the car itself.
In so-called relay attacks, thieves extend the range of the key's signal using a device about the size of a WiFi modem. They mostly work in pairs. One villain approaches the original key with this device; the key can be, for example, behind the front door of the house, in a coat on a hanger in a restaurant, in a purse…
The device captures the signal from the genuine digital key and relays it to the vehicle in question. A companion standing close to the vehicle unlocks it just as easily as the owner of the digital key would, because the car believes the key is in close proximity. And once the thief is inside, the process is simply repeated to start the engine.
Soon after the car is driven away without the key, the system notices its absence and displays a warning on the on-board computer, but this does not prevent the thieves from getting where they need to go.
Once the engine is switched off, it cannot be restarted; however, the stolen car is usually taken somewhere to be “cleaned up”, where it is either disassembled for spare parts or given a new digital key (see Creating a new digital key below).
The German automobile club ADAC has been testing the resistance of various car models to this attack since 2016, and the results are deeply disturbing. The first cars that resisted these attacks appeared only in 2018 and were from more luxurious brands. As of September 2, 2022, only 25 of the 533 cars tested passed the test! The complete results can be found on the ADAC website.
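The relay attack above never breaks the cryptography: the forwarded reply is a perfectly valid answer to the car's challenge, it just arrives late. The following simulation (added here, not code from the article or any manufacturer) shows why a time-of-flight bound of the kind used by ultra-wideband keyless systems defeats it: over a few metres a radio round trip takes tens of nanoseconds, while a relay box needs microseconds to receive and retransmit. The key's fixed processing latency and the relay delay are assumed, illustrative values.

```python
import hmac
import hashlib
import secrets

C = 299_792_458.0        # speed of light in m/s
MAX_DISTANCE_M = 3.0     # legitimate keyless range: a few metres, as in the article
KEY_LATENCY_S = 1e-6     # assumed fixed processing time inside the key (hypothetical value)


def key_respond(shared_key: bytes, challenge: bytes) -> bytes:
    """The key proves it holds the secret; it cannot prove where it is."""
    return hmac.new(shared_key, challenge, hashlib.sha256).digest()


def rtt_bound_s(max_distance_m: float = MAX_DISTANCE_M) -> float:
    """Longest round trip a genuine key inside the allowed range can produce."""
    return 2 * max_distance_m / C + KEY_LATENCY_S


def direct_channel(distance_m: float, shared_key: bytes):
    """Key standing distance_m from the car, with no intermediary."""
    def send(challenge: bytes):
        return key_respond(shared_key, challenge), 2 * distance_m / C + KEY_LATENCY_S
    return send


def relayed_channel(relay_delay_s: float, key_distance_m: float, shared_key: bytes):
    """Two relay boxes forward the exchange to a far-away key; the hops add processing delay.
    The relayed reply is cryptographically perfect, only slow."""
    def send(challenge: bytes):
        response, rtt = direct_channel(key_distance_m, shared_key)(challenge)
        return response, rtt + relay_delay_s
    return send


def car_unlock(shared_key: bytes, channel) -> dict:
    """Car side: fresh challenge, then check both the answer and how long it took."""
    challenge = secrets.token_bytes(16)
    response, rtt = channel(challenge)
    crypto_ok = hmac.compare_digest(response, key_respond(shared_key, challenge))
    proximity_ok = rtt <= rtt_bound_s()
    return {"crypto_ok": crypto_ok, "proximity_ok": proximity_ok, "unlock": crypto_ok and proximity_ok}


if __name__ == "__main__":
    k = b"constructed-demo-secret"
    print("owner at 1.5 m:", car_unlock(k, direct_channel(1.5, k)))
    print("relayed, key 30 m away, 20 us relay delay:", car_unlock(k, relayed_channel(20e-6, 30.0, k)))
```

A receiver that checks only crypto_ok is exactly the kind of car that fails the ADAC test; the proximity check is what the later-mentioned UWB keys add.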
Signal interference
A small device that broadcasts on the same radio frequency as the remote key is used to jam the signal that locks the car. It fits in a thief’s pocket, so there is practically no chance of it being noticed.
When the owner presses the lock button on their key, the signal doesn’t reach the vehicle and it remains unlocked – making it easy for a thief to get inside. There he can steal valuables or try to steal the car itself.
Getting the code from the key signal
Remote keyless unlocking appeared as early as the 1980s. The original systems used a fixed code, which thieves learned to capture while the owner locked the car. They then simply sent the same code to unlock the car whenever it suited them.
In response, the technology was improved so that the code that opens the car changes with every use of the key. Capturing it and sending it again is therefore no longer enough, because the captured code no longer works.
But advanced thieves can trick even this system. How? It is related to the previous point about signal jamming.
An experienced thief can jam and read the signal from the key at the same time. The owner tries to lock the car, but the thief blocks this first attempt, so the owner tries again. The thief blocks it again and stores the second signal as well. At the same moment (within milliseconds), the thief’s device sends the code from the first attempt. This locks the car, and the owner has no idea that the villain has just obtained the code from the second attempt, with which he will later unlock the car.
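To see why a rolling code stops plain replay yet still leaves the window that the jam-and-capture sequence above relies on, here is a minimal counter-based receiver (an added illustration, not code from the article or from any real fob). The truncated HMAC standing in for a manufacturer's cipher, the 16-press resynchronisation window and the demo key are all assumptions.

```python
import hmac
import hashlib
import struct

WINDOW = 16   # how far ahead of the last accepted counter the receiver tolerates (missed presses)


def make_code(key: bytes, counter: int) -> bytes:
    """One transmission: 4-byte counter followed by an 8-byte tag over it.
    Real fobs use a proprietary block cipher; a truncated HMAC stands in here (assumption)."""
    ctr = struct.pack(">I", counter)
    return ctr + hmac.new(key, ctr, hashlib.sha256).digest()[:8]


class Fob:
    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter

    def press(self) -> bytes:
        self.counter += 1          # every press emits a code that has never been sent before
        return make_code(self.key, self.counter)


class RollingCodeReceiver:
    def __init__(self, key: bytes, last_counter: int = 0):
        self.key, self.last = key, last_counter

    def accept(self, msg: bytes) -> bool:
        if len(msg) != 12:
            return False
        counter = struct.unpack(">I", msg[:4])[0]
        if not hmac.compare_digest(msg[4:], make_code(self.key, counter)[4:]):
            return False           # tag does not match: forged or corrupted
        if not (self.last < counter <= self.last + WINDOW):
            return False           # counter already used (replay) or too far ahead
        self.last = counter        # this and every earlier counter are now spent
        return True


def demo(key: bytes = b"constructed-demo-key") -> dict:
    fob, car = Fob(key), RollingCodeReceiver(key)
    first = fob.press()
    heard = car.accept(first)
    replayed = car.accept(first)                   # identical bytes again: must fail
    unheard = [fob.press() for _ in range(3)]      # presses the car never received
    resync = car.accept(unheard[-1])               # newest unheard code is inside the window
    stale = car.accept(unheard[0])                 # older unheard codes died with it
    return {"heard": heard, "replayed": replayed, "resync": resync, "stale": stale}
```

The resync result is the weak spot: a code the car never heard stays valid until a newer one is accepted, which is why the captured second press still works later; the bidirectional challenge-response used by the keyless systems in the previous section has no such stored future code.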
Creating a new digital key
Whatever technique the thieves use to get inside, vehicles with push-button start instead of a key can then easily be stolen through the diagnostic port.
The OBD2 port (successor to OBD1) became standard on all cars as early as 1996 and is still used today. It is usually located in the space under the dashboard near the passenger.
The car cannot be started directly through the diagnostic port, but data can be read from it and used to create a new digital key, for example when the original is lost.
Car manufacturers state that a new key can be obtained this way only through an authorized service center, and that it is a relatively complex and well-secured procedure. The reality, however, is that thieves tend to be one step ahead.
Various devices for reading the data needed to program a new key can be bought for as little as a few hundred. Paradoxically, the job tends to be much easier with them than with the many times more expensive devices used by authorized professional services.
It depends, of course, on the software security of the particular car, but for an experienced thief the whole process, from reading the data to programming a new digital key, can take just a few tens of seconds.
Mobile application hacking
This method is not very widespread yet, because only a small percentage of cars on the road today can be locked and unlocked with a smartphone. But it will become a more widespread problem in the future.
Mobile digital keys can be kept on several phones, which is convenient when several people share the car, but it opens up a new area of security problems. Thieves only need to compromise the phone of one of the users or know the login details for the application.
How to defend yourself?
When leaving the car, make sure that it has actually locked (flashing lights, folding mirrors or the sound of the locks).
Use a shielded key case that blocks the signal when the key is not in use. You can get one for less than 200 CZK.
If you lock the car with the remote and it only locks on your second attempt for no apparent reason, be alert: the thief may have captured the code from your first attempt.
Try to always keep the vehicle software (or mobile app) updated to the latest version.
If you unlock your car with a mobile app, be especially careful about unsecured and unknown WiFi networks and spyware.
Consider classic mechanical systems such as gear lever, pedal or steering wheel locks. They are not pleasant to use, but they are such archaic protection that today’s thieves are paradoxically not prepared for them.
If you can, park in a garage or under cameras, which deters thieves in general.
Although a GPS tracker does not protect you from the theft itself, it significantly increases the chance of recovering the car. Even a cheap tracker in the form of a key fob can be enough, but some thieves carry GPS jammers that defeat such simple trackers. It is therefore better to turn to professionals who specialize in GPS vehicle tracking and offer more reliable protection.
What about car companies?
Manufacturers are aware of modern risks and are trying to respond to them. Below are some positive steps from recent years:
- Owners of Subaru or Mercedes cars, for example, can already switch the key off as soon as they lock the car.
- Land Rover and Jaguar have introduced ultra-wideband (UWB) radio in all keyless entry models registered after 2021.
- Ford, Mercedes, BMW and Audi, among others, have introduced keys with a motion sensor, so when you leave the key at home it switches to sleep mode after a short time.
- Kia introduced a shielded case, Safe, for its customers, which can be purchased from vendors for a few hundred.
- Tesla has introduced a feature that requires the driver to enter a PIN to start the vehicle.