It never ceases to amaze me that vehicle companies put so much time and expense creating such technologically advanced cars, but with a key entry system that is about as secure as a wet paper bag.
It could be mitigated to a degree by reducing the range of both the car's and key fob's to say 20 feet. There's really no good reason to be longer than that.
Or better still, simply just open the car door with the physical key. You have to walk to the car anyway so no time is lost! I guess it’s because even that is too much effort these days!
Well, as a software engineer with security as my main field; there are ZERO education in proper secure design of digital locks when you educate yourself as a software engineer at tech universities. Zero! But the entire world expect you to be a security genius as an engineer. So all these security-illiterate engineers end up being “creative” and make up their own horrendously bad security solutions that only keep themselves out. 😂 fun fact to scare you even more: 100% of all digital safe locks in the entire world can be opened with a factory master code. I know this particularly well, because I developed the world’s first tempest-certified timelock-system for civilian safe-locks to prevent illegal covert governmental level Abusive break-ins done by corrupt cops and corrupt intelligence agents targeting innocent civilian wealthy people. This project has been a big eye opener for me in many fields. The world you live in is not as secure as you might think it is. 😂👍❤️
It's criminal that car makers don't put motion sensors in the keyfobs to disable them when sitting idle - would cost peanuts and eliminate relay attacks. Some makers ( VW I think) do some fancy time-of-flight stuff to check response time to prevent relay attacks.
your videos are getting more and more informative and interesting as time goes on. I really look forward to your next videos especially these radio related ones. You've got great knowledge and know-how and you're teaching us all. Absolutely superb stuff!
Many years ago I was at a rave and wanted to get my coat because I was getting a bit cold. In in the state I was in, I managed to open three other Mini Metros before I got the right one. I still had the ultimate deterrent though: a car that no one would ever want to nick.
There are only so many key cuts used. Probably with worn key or tumbler ones that are close might even work. They make "tryout keys" for automotive applications which are just a bunch of different key cut patterns. Sooner or later one of them will probably open the lock.
… priceless! Taking that idea one step further, my old jalopy used to have a damaged battery connection. Not being familiar with the car, a thief would be unlikely to know that this “dead” car just needed to open the engine compartment and shove that battery connector back on to start.
Jesus, I had the ultimate anti-theft one, beige with rusty red fabric interior, HLS trim with a massive 1300cc engine. It was a good car in it's day as a first car, 155/65 SR12 tyres!!! ( I think). I had to replace the head gasket, went through numerous sets of front brakes, all 4 gas suspension units and connecting pipe at the rear, then the two radius arms "fell off" at the back and the rear bearings fell apart - it was a fun car, but also cheap to fix. The slimline 12band graphic EQ and 4x40Watt booster from Dixons and the Matsui 3 way shelf speakers were pinched and they left the car!!! I had even fitted a centre console with a radio, EQ and booster and tape holder in! They left my Ham International Multimode 2 that was under the switches on the right hand side, but broke the steering lock, surround and ignition switch as I think I disturbed them. The door lock had been "removed" or punched through in to the inside of the door.
I highly recommend a good quality Faraday pouch. I'm a mechanic and use them when working especially on hybrid or electric vehicles as you don't want an engine to start when you've drained down the oil or your fingers are in there. And you really don't want a 900 volt EV coming online. I always check the ignition switch with the key in pouch within the vehicle to insure it can't be detected.
For anti-theft - Take the fuse out that provides power to the diagnostics socket, not many people carry a 12v battery about to power up their controllers and programmers. MOVE the diagnostics socket to a different location by extending the wires. Or you could replace the OBD2 socket for a completely different type, like an old parallel port connector off a computer (providing you have plug and socket) and make an adaptor with a plug and short lead going to the original socket. People trying to pinch the car would be going WTF! They would find some random connector and not have a clue which wire was which. You could also use a multi pin circular type. You can give the garage the small adaptor for services etc, then they can plug it in and put the OBD2 plug in the other part of it. Then I would fit a hidden switch connected up to one or more electrical circuits like the fuel pump and starter circuit. Anything to slow people down. Modern cars can be taken within minutes, even without keys. Sites sell everything people need apparently.
Easy (and effective) cure, hide a kill switch in the car to disable the starter. The only way the start button will work even with a relay attack is if they 1. KNOW about the kill switch, and 2. Know where it's hidden. They might still be able to GET IN your car, but it will still BE THERE when you go out the next morning. You COULD get even fancier and ad an alarm relay to the start button, that's active when the kill switch is on that will let you know someone is attempting to take it. Then you let your friends Smith and Wesson take care of the rest.
Previous owner of my old audi installed a kill switch, that allows engine to start, and kills it after about 30-60 seconds with alarm, if you don't push a hidden button. It honks before to remind you. It starts working each time after closing any door, even if engine is already running. In case of carjacking it allows supposedly armed criminal to drive off, leaving you safe. I think it was banned some time ago, because of stopping engine while riding. One can still park with momentum though, it doesn't brake.
Our local ham repeater was moved frequency to avoid jamming cars! We've now got a new 9 MHz split, and we added a notch filter on the TX for 433.920 MHz (ISM band centre) to help.
Had a faraday pouch. It worked for a bit but then it started to let the key fob signals through. So had an old tin , lined it with tin foil and that works 100%
I was always told that locks only stop honest people and if they really want it, they will take it. The only thing you can realistically do is to make it very obvious that it will be more difficult to take, these people don't like wasting time.
@@JamesWilliam70 sometimes a solution could be free, effortless, and relatively quick...pull the fuse for the fuel pump. Car won't go without any gas supply.
Most often crimes are opportunistic. If your door is unlocked then there's a much higher chance of something being stolen versus them breaking a window to get in.
That is exactly right: locks are only there to stop honest people When and IF some'one' wants to get in - a LOCK will not stop them. Locks did not work on chastity belts either. One reason why DNA testing fro family connections is totally invalid and useless One does not know who had s-ex with whom and when. Just be thankful for being alive - Leave the past behind.
Thats why i installed Trunk Monkey in my vehicle the only sure fire way to deter thieves from taking your vehicle. From the makers of Suburban Auto Group.
I ask the logical question after reading what you wrote: And I quote : "" i installed Trunk Monkey in my vehicle the only sure fire way to deter thieves from taking your vehicle. "" So the question is : How is installing ' Trunk Monkey ' in YOUR vehicle going to deter thieves from taking MY vehicle ? RIDDLE ME THAT greymann1384 - I would suggest that you undertake an extensive reading program to better educate yourself - study English and LEARN HOW TO ACCURATELY DESCRIBE what it is you are thinking about - AVOID AMBIGUITY AT ALL COSTS. Learn to write accurately. It is not that difficult for the educated people - but not so easy for peasants ( commonly known these days as Citi-Zens )
@@andrew_koala2974 Thank You Ken For replying, can I call you Ken you seem to be a person who would be called a Ken and may I suggest Ken that you research What levity is. Also my writing skills may not be on par with your Superb Standards of the English Language I commend you for reminding the rest of us lower classes of your Superiority and Intellectual Prowess that you possess, I hope you have a wonderful day and also lest I forget say hello to KAREN for me.
This criminal jamming action is absolutely off the scale in South Africa. There is actually warning notices on all the walls of all the shop car parks . The crims are always looking to remove the car from your possession day or night.
Yup, just said that to another person here who said Andy just taught the theives something new.... Some people are very ignorant in their little bubbles.
The assailants from the 2021 "CIT video" from Pretoria were using cellphone jammers, that's why when Leo Prinsloo told his partner Lloyd Mthombeni to "phone Robbie, phone Josh", he couldn't get through.
Another great video. I have just purchased a brand new car today and will be having another Pandora alarm fitted asap. They are brilliant alarms but my installation can't be done straight away due to no free appointments. I purchased two Faraday cases from Amazon and they do work even standing next to the car. They are worth the £6 they cost for 2. But you can't beat the alarms.
The type of alarm you need is the one with the immobiliser that is programmed using switches in the car, so when you get in, to start it you pick a combination such as - left indicator, rear demister, right indicator twice and A/C button BEFORE it will then start the car! No one can guess the combination or start using OBD2 to get the info etc.
You got the relay attack details slightly wrong. The car transmits on 125kHz, and it is this signal that is relayed to the portable antenna, The keyfob receives this and then replies on 433MHz, which has plenty of range to get to the car as it's also used for the keyfob pushbutton modes. The reasons for using 125kHz are that the range is limited and very predictable ( limited to area around doors and driver seat), and it can be received with near-zero quiescent power draw in the fob.
I don't think that's correct as why would there be a challenge & response visible on the keyfob UHF frequency when you press the start/stop button? I do know my car also has a method to start it using RFID but you have to hold the keyfob very close to a section on the steering column in order for it to energise. Passive 125khz RFID has a super localised range of maybe 10cm, that's not what's being used here. I find it hard to beleive its possible to do a long range passive RFID scam because the transmission distance of the fob is so short, it could be possible thiugh, I have seen videos of thieves with a very large wire antenna. In my car though it is active RFID which is in the UHF range. Passive RFID I think is used in cars that have a physical key inserted into the ignition,, then that key by nature can be very close to a reader all the time as it remains in the ignition.
@@andykirby What you are seeing when you press start/stop is the keyfob's 433MHz response ( possibly duplicated) Yes, normal car immobiliser keys are passive RFID but keyless entry systems are not - they use the same frequency but a larger antenna than the coil round the ignition key, and active receiver in the fob, which returns a signal via 433MHz UHF. 125kHz with a moderately high transmit power available from the car battery plus an active receiver in the fob can easily do a metre or so - cars typically have at least one antenna at each door & boot, and at least one around the drivers seat. The fob uses an inductive antenna (often 3 coils at right-angles to each other) tuned to resonate at 125khz, which can produce enough voltage directly from the received signal to wake the fob's control chip without any active receive power draw when idle. It is not practical to make a continuously-listening 433MHz UHF receiver running off a fob's coin cell - it would draw too much power for sensible battery life. The backup starting method does use conventional RFID - the chip in the fob can act as a passive RFID transponder if the battery is flat.
@andykirby It's important to note that information on this topic can vary by manufacturer and by the function being performed. IE, opening the door using the fob vs starting the vehicle. There are some interesting vulnerabilities in fobs and the replay and relay attacks require zero understanding of the vehicles security system and only operational knowledge to carry out the attacks. Having said that, the popularity of the topic of car hacking is growing due to flipper zero videos. Once they know what people in my profession know, vehicle theft will be a lot worse.
I had a Peugeot 405 with a chinese lock, since previous owner lost the key. It had no steeringlock anymore, I could start the car with a coin.... I learned that when suddenly my keys fell to the floor when I was driving. I hadn't seated it far in enough to let some pin to hold the key in.
My work has a scrap yard. One day about a 92 towncar came in. Wasn't too rusty and had really nice condition leather interior. Person scrapped it after buying it due to the quote for the work required to pass a safety. They put the forks of the loader through the windshield before I saw it. Man I was pissed
Greetings from the US , I have tested the faraday pouches and they do work. they make them with pocketbooks , purses and wallets as well to protect credit card chip readers as well. One thing I did is installed a aftermarket remote relay and put it on my fuel pump module b+ and hid it the the car so I can cut power to the fuel pump. so they might get in and start my car but its not going to drive anywhere and now the are sitting there with a disabled car and most likely want to flee very quickly . Next up , I think I will in addition cut power to the receiver if possible while leaving the alarm active ,so the car will not talk at all . One night my car was parked away from the cars in the supermarket parking lot and a couple of guys parked next to it . I remote started it which change the code on them and they seen me coming and drove off , that's what started this project for me . another min and my Corvette might have been gone.
Andy, this was news ten years ago. The car makers all denied it. Then they formed a 17 manufacturer group to investigate solutions. That was over six years ago, and they've done nothing yet. Rolling code technology was in widespread use ten years before these hacks--but never used by the auto makers. Mercedes used to make at least one model where the key fob had to be inserted in the dash to start it, because that was a separate infrared coded system, like a tv remote.
This does not only apply to cars. I was fitting CCTV to my house and using a Baofeng uv-5r to call to the wife who was at the monitor to ask if it was aligned correctly, the radio knocked out the the recording box and had to be restarted each time...
I suspect that was from a different issue, like RFI, just good ole plain interference....doesn't have to be on frequency, like lightning. That coax cable for the CCTV cameras acted like an antenna, especially for a "dirty" modulated radio like a Baofeng.
A pad with a few thousand volts on the door handle is also an effective deterrent. Don't do it though - it's illegal (or make sure you have an effective way of disposing of the smouldering trash afterwards!). Thanks, Andy. Good tips.
When these key fobs were first introduced there were many incident where car parks that house a 70cm repeaters had reports of cars being un-lockable because of the repeater. Silly frequency to choose for key fobs.
When Lothian and Borders police first went to Airwave, there was a spate of cars (Rovers and Metrocabs) that if switched off near the police HQ, wouldn't restart unless you towed them a mile or so away. Those used to use the alarm to immobilise the car, rather than the LF/RFID stuff that's the norm now.
@@Ayrshore I can see that happening if there was an AW base station on the roof. Although in a different part of the spectrum, there would be enough power to swamp the basic receiver for the immobiliser.
It is possible to swap someones car too. You get a rental the same, swap the number plates and all contents with the target after getting a second set of keys made, and stuff the key under the dash. Any key will now start the car, and you report the car stolen. After a while the police will pull the person over and check the VIN which wont match so now the target has a LOT of explaining to do. Revenge.
Andy - you need to beg, steal or borrow and review a HackRF + Portapack! What the Flipper gains in portability the HackRF surpasses in flexibility. I just know that this beast would be right up your street! Of course I would never condone illegal use of these but it is scary that a modern day "coat hanger" could be as effective if not more so - education is the key here as it empowers owners to become more aware and take precautions where possible. P.S Yes Faraday cages do work at medium range.
A hacksaw and 20 seconds to cut the steering wheel takes care those. There is a hollow metal tube inside the steering wheel that is simple and easy to cut and the device slips right off. Your best bet is a hidden kill switch. It only costs a few dollars and 20 minutes to install. Cutting power to the ignition or the fuel pump won't allow them to start the car.
I moved to spain 15 years ago. First thing i did was put an alarm in my car. Now i find it amusing you need one. I ocassionally forget to lock the doors at night here and dont bother to get out of bed if i remember. I leave the shed door open most nights. Frequently go out for the day with the shed door wide open. There are some advantages to not living in a country full of hooligans
I once visited a country town out in the middle of nowhere. We rode around with some girls. It was 1979. I forgot to lock my car. I said if we are going to be gone long, I need to lock my car. One of the girls said if you go back and somebody sees you walk over and lock the car and walk away the locals will take great offense. I should have moved there now that I think about it.
@@dougtaylor7724 yeh i live in a small village, probably more like a hamlet, everyone know who everyone is, like there are literally 40 or 50 houses. I have padlocks on the shed doors etc, but I literally never shut them, theyre just there to give the appearance of being locked. I dont htink it would enjoy living in a city again .
its worth noting that some cars with rolling codes are vulnerable to replay attacks so long as a valid code has been captured' and that code has NOT been seen by the vehicle. this is why jamming is so effective. By jamming the fob, and capturing the code, then letting the next code hit the car, the previous code is not marked invalid. so now, all that is left is to replay it. I personally lookup the fccid of a device first because that will tell you what frequency it works on.
If my key and mobile phone are close together, IE in the same pocket, and then the car will not start, so I always keep them close to each other when I am not using the car
Brilliant info. I think I'll go out street shopping for a new car tonight.😂 I didnt know of this antenna gain attack. My keys are far away from the car but I recently bought those pouches, I must try them out.👍🍻🤠
Many modern car key fobs use rolling code technology, which generates a different code each time the fob is used to unlock the car. This enhances security by making it more challenging for potential intruders to intercept and replicate the signal.
A rolling code blocks sophisticated replay attacks yes. But the simpler idea is for the attacker to jam all remote locking and watch for those car owners who don’t check to notice that their remote locking attempt has failed. A rolling code doesn’t help in a simple jamming scenario.
@@laulaja-7186 To prevent attackers from blocking car fob signals, manufacturers often implement anti-jamming technology in their keyless entry systems. This technology detects interference and adjusts the frequency or signal to avoid potential disruptions.
@@laulaja-7186It doesn't really block them. The car has to have multiple codes active at once (else an accidental press of the button would mean the car and fob were out of sync and you'd no longer be able to unlock the car). Thieves know this and will jam the car so they can capture a working code (as you press the button multiple times to unlock it). They then let you open and drive away the car, follow you and wait for it to be parked - then replay the earlier saved code (which is still active in the car) and drive your vehicle off.
Which firmware is that? I appear to have the same one but under the frequency number (when in scan mode) I don't have those three series of 4 digits. And it doesn't reliably lock in to my key fob signal. Either I have a slightly different firmware or I need more info on how to operate that particular firmware properly. lol
Great video, but I think you missed one of the attack scenarios - they will typically use something to block the signal, as per the start of your explanation. When doing that, they can then sniff the alarm fob when the person tries to unlock the car and store it for later (multiple unlock codes are valid at the same time). They will then follow the target vehicle and wait for it to be parked up and locked, then use the saved code to open the car. They then don't have to damage it and just need to get the car started.
The faraday pouches do work or at least the ones I have from amazon, that I got four years ago when I got my vehicle. I also got a good quality steering wheel lock so any potential thief has to get past that in order to drive off. Just a few days ago I found that bluetooth can reach over 50 meters, I was at one of these parcel boxes at the local super market and had trouble with the QR code so rang the number, my wife was in the car and had the radio on and when I dialled the contact number I heard the phone ring from the car as my phone was still linked to the car even at 50 odd meters, so any car that uses a blue tooth app is really vulnerable.
There is a specific auto gate manufacturer out here who's fobs are also able to block vehicle fobs from operating. I always, always stand at my car to check that it's locked, not only that, but, most modern vehicles are able to unlock only the driver side door without the others, a double tap opens the rest, I've had to educte people here as to why they should rather enable and that feature, if not, you may find yourself at gun point inside your car from an uninvited passanger...
Interesting to see someone do this with an HT. There are a number of products on the market that people can use for this beyond the Flipper. It is fairly well known that most devices work on the same frequencies and often use the same modulations. Simply put, radio, wifi or BLE security is a farce. Awesome video. 👍
The Flipper is an over-rated expensive toy, no one that buys them ever knows what to do with them when they get delivered. They copy their own office access cards/fobs, read a credit card which they can't use from the flipper, maybe clone a garage door opener, that's it. I have never seen anyone use one for anything remotely interesting. They are handy for testing, that's it. Definitely not used in car thefts.
@@Bond2025 people have created a panic around the Flipper. Between ignorance and fake videos people drastically overestimate the threat it poses. It's actually been a fantastic tool for bringing awareness to our lack of security. The latest claims are that BLE spam can interfere with critical medical devices like pacemakers and insulin pumps, things that shouldn't even be possible with approved medical devices. With coding knowledge and add on boards it's capable of alot but the worst I've seen is temporarily disabling iPhones due to their poor protocols. A flaw which I believe they've claimed to have fixed.
Presumably they could send a 'wake up' from the car to the fob to get the fob into an active mode thats ready to phase-lock the challenge signal, then issue a challenge and get a response with very predictable latency... the car could then use phase discriminator to ensure there's a direct path with no repeaters. Perhaps that's not reliable in the ISM, but it's surely possible at higher frequencies. Perhaps in the 23cm band and above. Demodulating and remodulating does take a little time and introduces phase shifts - so I'm sure this could be a valid thwart for relay attacks.
I think that the challenge from the car to the key is on a different frequency (150khz?) much lower and low power to limit the range to inside the car, the signal on the tinysa is the response from the key to the car. Also my Tiguan disables keyless unlocking by pressing lock on the key followed by a touch on the lock point on the door handle. VW have introduced a movement sensor in latest keys that put them to sleep when stationary for a period of time so they cannot respond to this type of attack.
Probably due to 70cm hams, we’ve had an intermittent and infrequent issue where the car will not respond to the fob. This can last from a minute to best part of an hour. It dates back almost 20 years, starting with a Kia Carnival and continuing with a Micra. At one time we thought the receiver had failed only to have it start working again several hours later.
There is a lot of RF junk in the 433 MHz area…fobs, door openers, tire pressure sensors, military, etc. the sporadic transmission of hams isn’t going to be a 20 year long cause.
For my car, I use the old fashioned "press the lock" when exiting. No fob necessary for locking. (The car will check for a fob inside the car and unlock to prevent an accidental lockout.)
I had a car that you could remove the key from the door with the lock barrel not fully returned home, meaning it would Unlock with an ice block stick. But with our sort of gear could we not block multiple vehicles over a wide area? Then we can go into business selling car alarms that work😂!
In my experience, the car communicates to the key on a low frequency. Usually 125kHz. The key fob to car is on ~433.920 MHz Inside your car example, what you're seeing on the TinySA is the key fob answer the challenge back on UHF. Run a sweep on 125kHz and you'll see the car call the key. 125kHz is used because it's easier to receive by the key than 432 MHz. The 125kHz is received by a passive diode envelope detector. Important given the key fob is on a tiny battery. 👍
Interesting info George thanks. I did wonder after posting this and thinking on it a bit because like you say you only see one pulse on UHF when you press the start stop button. I will run a sweep at 125khz to see for myself. This seems to make sense because I have seen other videos of these attacks where one thief has a large wire antenna, presumably that's connected to a RFID transmitter with a bit of power behind it! Love your videos by way. I particularly liked your 23cms experimentation I saw somewhere. Very cool!
I think you should always have some sort of physical security as well Such as a disklok. Also trackers are cheap these days so have a few fitted. But usually if the scum want something they'll find a way of having it. All you can hope to do is slow them down
Make your own using an old mobile phone, very effective, live tracking...hide it anywhere. Commercial ones fitted by lazy installers always go in the same locations, so get ripped out after being blocked.
Empty Smash tubs are good for sheilding the signal of the fob. Although some foil under the lid as it's replaced gives total sheilding. I know it's messy but it works. My little lad made me one and decorated it. It's pretty cool really.
Fit an ignition switch from an old model on the steering column from an earlier audi , the steering shaft , and column assembly is the same , since you are only using the mechanical lock it is fairly easy .
MBs newer key fobs deactivate after a few minutes and wake up with motion to help mitigate this. Also, MB fobs since the introduction of keyless entry have been bale to be "deactivated" by double tapping the lock button on the key fob. This puts the remote to sleep and will only strat to transmit once a button is pressed on the remote to activate it again. Unfortunately most owners dont know or utilize this second feature.
Like a radio is needed. Nothing is needed. The thief watches you get out - filling station, blah blah - people seldom hit the "lock" button - they walk off with the "key" in their pocket. Thief sits into car & just waits. Owner walks back, coffee in hand & is shocked to see someone sitting in their car. Taps on window.. Key is within range. Thief presses start button, drives off. Bye now. No tech required - the tech crap can be leisurely done in some hidden garage before the vehicle heads off abroad. The "key" can be reproduced easily using readily available kit. The solution is to get someone like me to wire in a hidden kill switch that you hit religiously every time you leave your vehicle. One lo-tech button. Unless they have a tow-truck, they're going nowhere when that switch is off. EVERYTHING else including fancy immoblilisers is just kidding yourself as the thieves have figured them all out ages ago. Looking for a hidden kill-switch is a ball-ache - so they go take easier prey.
That ^ is just one version - the rest use signal boosters blah blah - same same. If a crucial system is not getting power, the cars not moving - which is the power of old-skool kill switches. "Keyless" has a safety feature that prevents the car stopping if key communication is lost - if the key is present it will start & not stop till the "stop" button is pressed. That's an invitation to thieves - if they leave it running as they refuel, they can run that car without a key for ages. Fit a kill-switch & hide it real well - but make it easy to press so you use it. Thank me later./
Hmm.... I'm not really talking about glorified car jacking, car jackers wont get far in this country at least with cameras everywhere and ANPR... the majority of serious car theft is done at night when the owner is unaware, container waiting at a nearby port and the car is shipped to another country before its even noticed. This is very stealthy organised crime.
Porsche keyfobs (at least newer ones) allow you to press lock and unlock together and a red light will flash. This will disable the transmitter on the key until next time one of the buttons is physically pressed, which is great for overnight at home etc.
On our dodge caravan, you have to actually be pressing the button to get it to unlock. But this is scary though because even my baofeng uv5r could theoretically be used to jam the key fob.
Capturing a signal from a fob and replaying it may de authorize / unsynced you fob that may have a rolling key. You will need to take your key and get it reprogrammed...may need to get the car towed at a dealer also. Most of these attacks are for high valued cars.
Always watch to see your indicators flash when leaving the car after setting the alarm. Fit an independent "Thatcham grade 3 alarm system" to the car your insurance will be lower and the car will not be able to be driven away. The alarm will also sound depending on how set up if the door is opened after a short delay if not disarmed separately. Even in a workshop very difficult to remove the alarm system even for an auto electrician talking hours!
Very interesting. Seems to me like older cars that have rolling codes but the keyfobs don't receive a signal from the car are more secure. I always felt uncomfortable with cars that auto unlock when you approach them. My OCD makes me check the door handle multiple times so I know it's locked.
Putting your keys in a metal box works really well, just don’t forget about the spare key. If you don’t want to keep it in the same place then wrapping it in a couple of layers of tinfoil works just as well.
I have a 2023 Kia Telluride and "I think" its beaten the odds. Yes, it has all of the vulnerabilities of the key fob you outlined...but only IF you use the keys...which I don't (they are stored in my home in a faraday box that I have tested and it works). . I put the digital key on my cell phone, which works just like a contactless credit card/RFID communication. So ultra short range and its only active when the key is displayed on the screen...which is even safer than credit cards which can be activated at any time if someone got close enough to you. The car unlocks when you have he key displayed on your screen and touch your phone to the door handle. To start the car, you have to place the phone in a certain position while the key is displayed and voila the car starts. Short of hotwiring the car (if thats still a thing) or breaking into my home and taking the actual keys that I never use, I don't see a way they could steal my new Kia Telluride...though I guess this is my chllenge to Andy to see if I am being overly bold in my positivity. :-)
I've jammed the frequency as a prank on occasion. Like my friend cant get the keyfob to work but her boyfriend had no problem. Confusion and hilarity ensues.
Reminds me of the pranks Apple's Woz did and I must admit to doing a few hacking the school computers. Making the teacher think the monitor was broke, I sent rand values to the BEEB's video control memory over the ethernet (network). The screen went haywire. A shame he left the network manual lying around lol Another mate wrote a program to guess his password after we noticed it only seemed to be 4 chars long. We got it, "FROG". We used it to make ourselves priviledged. I then wrote a program on the server to go through all the server code to search for the ChangePrvi command. I then changed it to a new secret command name. Next time it booted it loaded up the new command. And only myself and my mates could make people priv or unpriv them lol
I've also seen a video of a guy hacking his own car...to learn and figure out the operation he was intending. He was able to control certain functions on his car remotely. He was using a SDR transmitting to his car's computer as if it were the car's TPMS Tire Pressure Monitor Sensor since it then communicated by wire to the car's computer. He had a friend drive his car slowly, like 10-15 MPH, while another friend drove another car pacing his car while he was a passenger using his laptop and SDR. He was able to do things like turn on the windshield wipers, turn the headlights on and off, etc. (not steering or braking)
This was all possible via the OnSTAR system in GM cars, once in to that you could do anything, so could the control room, law enforcement used to listen in on criminals cars and get GPS data. Cars could also be speed limited, have faults introduced and were ready for the Pay Per Mile system we are getting this year. The engine could also be shut off if the car was stolen and emergency services called if it crashed. Other makes have similar systems and it means law enforcement can bug you without going near the car. It used to only be done when the car was taken in for a service.
I guess the center frequency is 433.92MHz, as it is the ISM-frequency in EU for this band. Which however in fact is a ham band, where ISM is secondary users. I tried to listen to 433.92MHz in AM, and could hear all the weird signals in the morning when people went to work :)
Thanks for an interesting and enjoyable video... Yet again we see "another" example of the eternal struggle between convenience and security... And as is almost always the case security looses out...... How much extra do I have to pay to make my car only open lock and start using the physical key ?? (and Yes I know that "key locks" can be easily picked, but I'd still prefer and trust it more in today's "climate") Best regards. :)
My recommendation would be to keep the key fob in a lead container when not in use. But you have covered that with the metal box mentioned in your vid.
On VW with keyless entry, if you lock the car with the key-fob lock button, then touch the dimple on the door handle within 5 seconds, it disables keyless entry until the next time you unlock the car (using the unlock button on the key fob)
Also for rolling codes, they could capture the first signal while blocking it and the second press will send the first signal, keeping a spare in memory
Thank you for this informative video. My car, with keyless entry and push button start, was stolen at night even though both of the keys are always far from the front of the house and in Faraday pouches. Could the signal to my key have been scanned by someone (or a team) whilst I was out, for example at a supermarket or even in traffic? What then happens to these stolen cars if they are not able to be restarted after the thieves have turned off the engine?
There is a way especially dor connvertibles. My cousin had such a device after WWII on an MG TA. When you get out of the car open the bonnet turn the lock on the gasoline line and remove the key.
On older cars ypu coukd add a removable kill switch on the battery and hide it somewhere. I suppose a fuel valve would work on any modern car too Somehow accesable under the dash for easy access.
@@Dave85262 if done properly it would be ok, most fuel tanks are under the rear seat these days and the fuel line from the pump is visible under the seat. it would have to be done with a proper grade fuel line of oem spec, then mounted correctly to avoid chaffing, shouldnt cause any issues.
Now you just need to reprogram one of those flippers so that it records and stores your key press for the panic button from your key fob. Then when its enabled if it receives the signal from the car it sends back the panic button press while your keys are in your metal box and do not respond.
The car should transmit a random code that's encrypted so that the keyfob can decode it. The keyfob then sends the same code back to the car re-encrypted so that only the car can decode. Problem solved. The car and the keyfob would require one time programming at the dealer to share each other's encryption keys. It's amazing how little the manufacturers will do to thwart auto theft. Shaking my head. Thanks for bringing this to our attention Andy. People should keep their fobs in Faraday bag at home as a mitigation measure until the manufacturers can figure this rocket science out.
When I was younger I used to have a tiny universal remote. It was designed for TV use. It had a useful feature where you could get it to turn on or off at the time you set or switch to a different channel. It could also learn the code from car key fobs which I tested and it worked. I think this must have been before they switched to changing codes each time. I might have bought it from the innovations catalogue or something like that.
Im thankful my 2012 Audi doesn't have keyless ignition or keyless entry at this point, the key has to be in its hole in the dash for the car to start. Great video, very insightful.
"If you are truly afraid, I recommend installing a switch on a data power cable for OBS. To prevent radio theft, use a disconnect switch on a starter fuse with a system that requires activation with a separate remote control or has a timer to deactivate that starter fuse during hours when you are at home or asleep."
My 2007 RS4 as well as my 2004 S4 both keep me out...radio keyfob wise. I have to use the actual key in the keyhole and open the door on both. Local shops haven't been able to make me replacement keys and program these for my car. Yet, the theifs have little trouble it appears by your video. Of course I can go to the nearest Audi dealer and get raped money-wise and get new replacement keys that will auto lock and unlock my car - which I'm stubborn enough to resist. You have pretty much shown the in-effective nature of most anti-theft systems for sophisticated car thiefs to me. I'm a testimony to the fact these systems end up causing owners like me grief, either because the owner can no longer use the electronic lock/unlock keyfob feature, or simply because the car can be stolen regardless. With all of the tech today you'd think there'd be a better system that is both owner-friendly and robust enough that the car theifs have to go back to other means of criminal activity?
One method criminals are able to use to get past rolling code protection is to follow you out of a shop, jam the frequency you send the code on, so it doesn't work, they then wait for you to spam the unlock button, generating a new code after code in the rolling chain. they pick up every instance of you pressing the button, the car doesn't know these new codes are generated and so will still accept old ones in the chain. Finally, they play the next working code to unlock your car, making you just think the battery is getting low etc. car follows and watches you park up, they play one of the codes the car is willing to accept that was recorded earlier.
Most cars can have wireless access and wireless ignition turned off by an OBD diagnostics tool. Then, only buttons for lock/unlock work, and to start the car, there is a special place in cars (check your manual) which is intended to be used in case of a flat battery in the key fob. You'd just put the fob on the designated spot and use the ignition button while holding it on that spot.
If I were you, my primary concern would have been dropping my keys through that drain grate below your driver door… …until you taught us all how to nick it… 😂 Thank you - very interesting and informative!
It never ceases to amaze me that vehicle companies put so much time and expense creating such technologically advanced cars, but with a key entry system that is about as secure as a wet paper bag.
Good for the market. The (ex)owner will buy a new one.
It could be mitigated to a degree by reducing the range of both the car's and key fob's to say 20 feet. There's really no good reason to be longer than that.
Or better still, simply just open the car door with the physical key. You have to walk to the car anyway so no time is lost! I guess it’s because even that is too much effort these days!
@@timlc its kind of a big deal if you have kids and hands full all the time
Well, as a software engineer with security as my main field; there are ZERO education in proper secure design of digital locks when you educate yourself as a software engineer at tech universities. Zero! But the entire world expect you to be a security genius as an engineer. So all these security-illiterate engineers end up being “creative” and make up their own horrendously bad security solutions that only keep themselves out. 😂 fun fact to scare you even more: 100% of all digital safe locks in the entire world can be opened with a factory master code. I know this particularly well, because I developed the world’s first tempest-certified timelock-system for civilian safe-locks to prevent illegal covert governmental level
Abusive break-ins done by corrupt cops and corrupt intelligence agents targeting innocent civilian wealthy people. This project has been a big eye opener for me in many fields.
The world you live in is not as secure as you might think it is. 😂👍❤️
It's criminal that car makers don't put motion sensors in the keyfobs to disable them when sitting idle - would cost peanuts and eliminate relay attacks. Some makers ( VW I think) do some fancy time-of-flight stuff to check response time to prevent relay attacks.
That would be a good solution.
@@andykirby Stolen cars go to Africa etc. Insurance pays for a new one to go to the UK. Helps the car industry.
@@andykirbyFord do!
good points, well presented! 👍
Later BMW and Mini fobs have the motion sensor in the key, articles reference this around 2019.
Nice one Sir. I'm writing this from the inside of -your- my Audi while listening to 20m on my new 7100 😉
Crime does pay.
your videos are getting more and more informative and interesting as time goes on. I really look forward to your next videos especially these radio related ones. You've got great knowledge and know-how and you're teaching us all. Absolutely superb stuff!
Pity that the right- wing sometime mis-use it to push their agenda?
I always say, if something is made more convenient for the punter, then it's even more convenient for the crook. Great vid. Love the kit.
Many years ago I was at a rave and wanted to get my coat because I was getting a bit cold. In in the state I was in, I managed to open three other Mini Metros before I got the right one. I still had the ultimate deterrent though: a car that no one would ever want to nick.
Hey, it was good enough for Diana Spencer. :D
There are only so many key cuts used. Probably with worn key or tumbler ones that are close might even work. They make "tryout keys" for automotive applications which are just a bunch of different key cut patterns. Sooner or later one of them will probably open the lock.
… priceless! Taking that idea one step further, my old jalopy used to have a damaged battery connection. Not being familiar with the car, a thief would be unlikely to know that this “dead” car just needed to open the engine compartment and shove that battery connector back on to start.
Jesus, I had the ultimate anti-theft one, beige with rusty red fabric interior, HLS trim with a massive 1300cc engine. It was a good car in it's day as a first car, 155/65 SR12 tyres!!! ( I think). I had to replace the head gasket, went through numerous sets of front brakes, all 4 gas suspension units and connecting pipe at the rear, then the two radius arms "fell off" at the back and the rear bearings fell apart - it was a fun car, but also cheap to fix. The slimline 12band graphic EQ and 4x40Watt booster from Dixons and the Matsui 3 way shelf speakers were pinched and they left the car!!! I had even fitted a centre console with a radio, EQ and booster and tape holder in! They left my Ham International Multimode 2 that was under the switches on the right hand side, but broke the steering lock, surround and ignition switch as I think I disturbed them. The door lock had been "removed" or punched through in to the inside of the door.
@@Bond2025 well at least if you got a puncture you could likely find a new tire in the lawn and garden section of a store
I highly recommend a good quality Faraday pouch. I'm a mechanic and use them when working especially on hybrid or electric vehicles as you don't want an engine to start when you've drained down the oil or your fingers are in there. And you really don't want a 900 volt EV coming online. I always check the ignition switch with the key in pouch within the vehicle to insure it can't be detected.
You should disconnect high voltage lines before working on EVs.... as a mechanic you should know this.
No reason to do a master disconnect to change the oil tho
The word is actually "Ensure"...not "Insure" in this context...You`re welcome.
For anti-theft - Take the fuse out that provides power to the diagnostics socket, not many people carry a 12v battery about to power up their controllers and programmers. MOVE the diagnostics socket to a different location by extending the wires.
Or you could replace the OBD2 socket for a completely different type, like an old parallel port connector off a computer (providing you have plug and socket) and make an adaptor with a plug and short lead going to the original socket. People trying to pinch the car would be going WTF! They would find some random connector and not have a clue which wire was which. You could also use a multi pin circular type.
You can give the garage the small adaptor for services etc, then they can plug it in and put the OBD2 plug in the other part of it.
Then I would fit a hidden switch connected up to one or more electrical circuits like the fuel pump and starter circuit.
Anything to slow people down. Modern cars can be taken within minutes, even without keys. Sites sell everything people need apparently.
@@mjh5437 *you're welcome. You used a 'grave' accent instead of an apostrophe.
Easy (and effective) cure, hide a kill switch in the car to disable the starter. The only way the start button will work even with a relay attack is if they 1. KNOW about the kill switch, and 2. Know where it's hidden.
They might still be able to GET IN your car, but it will still BE THERE when you go out the next morning.
You COULD get even fancier and ad an alarm relay to the start button, that's active when the kill switch is on that will let you know someone is attempting to take it. Then you let your friends Smith and Wesson take care of the rest.
Previous owner of my old audi installed a kill switch, that allows engine to start, and kills it after about 30-60 seconds with alarm, if you don't push a hidden button. It honks before to remind you. It starts working each time after closing any door, even if engine is already running. In case of carjacking it allows supposedly armed criminal to drive off, leaving you safe. I think it was banned some time ago, because of stopping engine while riding. One can still park with momentum though, it doesn't brake.
Haha! The loose damaged battery connector in my old car used to serve exactly that purpose. Stealthy secret smart high tech kill switch.
so like a 2 way switch that sends the power to the horn every time they hit the start button instead of the starter :)
Our local ham repeater was moved frequency to avoid jamming cars! We've now got a new 9 MHz split, and we added a notch filter on the TX for 433.920 MHz (ISM band centre) to help.
Haha that's interesting 😁
There were some MOD buildings blamed for blocking entire roads of garage door openers!
Had a faraday pouch. It worked for a bit but then it started to let the key fob signals through. So had an old tin , lined it with tin foil and that works 100%
What brand was that? I would hate to get one, test it, be confident it worked then find out it degraded and wasn’t blocking.
Your faraday pouch story is BS.
But that won’t stop the transceiver attack !?
@@BitsofSkinI keep my car keys under my foil hat!!.
@@BitsofSkin No it's not mate, get up to speed.
I was always told that locks only stop honest people and if they really want it, they will take it.
The only thing you can realistically do is to make it very obvious that it will be more difficult to take, these people don't like wasting time.
yep i also use a steering lock as a visual deterrant even though i have an immobiliser and tracker.
@@JamesWilliam70 sometimes a solution could be free, effortless, and relatively quick...pull the fuse for the fuel pump. Car won't go without any gas supply.
Most often crimes are opportunistic. If your door is unlocked then there's a much higher chance of something being stolen versus them breaking a window to get in.
That is exactly right:
locks are only there to stop honest people
When and IF some'one' wants to get in - a LOCK will not stop them.
Locks did not work on chastity belts either.
One reason why DNA testing fro family connections is totally invalid and useless
One does not know who had s-ex with whom and when.
Just be thankful for being alive - Leave the past behind.
The same applies to hacking, everything is hack-able, you just make it as hard as possible so it's not worth the effort
Thats why i installed Trunk Monkey in my vehicle the only sure fire way to deter thieves from taking your vehicle. From the makers of Suburban Auto Group.
Growing up I used to love trunk monkey!!!
I ask the logical question after reading what you wrote:
And I quote : "" i installed Trunk Monkey in my vehicle the only sure fire way to deter thieves from taking your vehicle. ""
So the question is :
How is installing ' Trunk Monkey ' in YOUR vehicle
going to deter thieves from taking MY vehicle ?
RIDDLE ME THAT greymann1384
- I would suggest that you undertake an extensive reading
program to better educate yourself - study English and
LEARN HOW TO ACCURATELY DESCRIBE what it is you are
thinking about - AVOID AMBIGUITY AT ALL COSTS.
Learn to write accurately.
It is not that difficult for the educated people - but not so easy for peasants
( commonly known these days as Citi-Zens )
@@andrew_koala2974 Thank You Ken For replying, can I call you Ken you seem to be a person who would be called a Ken and may I suggest Ken that you research What levity is.
Also my writing skills may not be on par with your Superb Standards of the English Language I commend you for reminding the rest of us lower classes of your Superiority and Intellectual Prowess that you possess, I hope you have a wonderful day and also lest I forget say hello to KAREN for me.
I miss the days of a slide hammer and screw driver
I miss the days of the pillory
a straightened out wire coat hanger! 👍
@@C...G...With the top corner of the door slightly bent... Apparently 😉
Dang! 😂😂😂
@@k1ortia yrs yes, bent out using a small plastic wedge... apparently! 👍
This criminal jamming action is absolutely off the scale in South Africa. There is actually warning notices on all the walls of all the shop car parks .
The crims are always looking to remove the car from your possession day or night.
Yup, just said that to another person here who said Andy just taught the theives something new.... Some people are very ignorant in their little bubbles.
Banana 🍌 people
Car companies could use South Africa as a testing ground.
The assailants from the 2021 "CIT video" from Pretoria were using cellphone jammers, that's why when Leo Prinsloo told his partner Lloyd Mthombeni to "phone Robbie, phone Josh", he couldn't get through.
I bet especially some demographic group in particular does that...
Another great video. I have just purchased a brand new car today and will be having another Pandora alarm fitted asap. They are brilliant alarms but my installation can't be done straight away due to no free appointments. I purchased two Faraday cases from Amazon and they do work even standing next to the car. They are worth the £6 they cost for 2. But you can't beat the alarms.
The type of alarm you need is the one with the immobiliser that is programmed using switches in the car, so when you get in, to start it you pick a combination such as - left indicator, rear demister, right indicator twice and A/C button BEFORE it will then start the car! No one can guess the combination or start using OBD2 to get the info etc.
You got the relay attack details slightly wrong. The car transmits on 125kHz, and it is this signal that is relayed to the portable antenna, The keyfob receives this and then replies on 433MHz, which has plenty of range to get to the car as it's also used for the keyfob pushbutton modes. The reasons for using 125kHz are that the range is limited and very predictable ( limited to area around doors and driver seat), and it can be received with near-zero quiescent power draw in the fob.
I don't think that's correct as why would there be a challenge & response visible on the keyfob UHF frequency when you press the start/stop button? I do know my car also has a method to start it using RFID but you have to hold the keyfob very close to a section on the steering column in order for it to energise.
Passive 125khz RFID has a super localised range of maybe 10cm, that's not what's being used here. I find it hard to beleive its possible to do a long range passive RFID scam because the transmission distance of the fob is so short, it could be possible thiugh, I have seen videos of thieves with a very large wire antenna. In my car though it is active RFID which is in the UHF range.
Passive RFID I think is used in cars that have a physical key inserted into the ignition,, then that key by nature can be very close to a reader all the time as it remains in the ignition.
@@andykirby What you are seeing when you press start/stop is the keyfob's 433MHz response ( possibly duplicated)
Yes, normal car immobiliser keys are passive RFID but keyless entry systems are not - they use the same frequency but a larger antenna than the coil round the ignition key, and active receiver in the fob, which returns a signal via 433MHz UHF.
125kHz with a moderately high transmit power available from the car battery plus an active receiver in the fob can easily do a metre or so - cars typically have at least one antenna at each door & boot, and at least one around the drivers seat.
The fob uses an inductive antenna (often 3 coils at right-angles to each other) tuned to resonate at 125khz, which can produce enough voltage directly from the received signal to wake the fob's control chip without any active receive power draw when idle. It is not practical to make a continuously-listening 433MHz UHF receiver running off a fob's coin cell - it would draw too much power for sensible battery life.
The backup starting method does use conventional RFID - the chip in the fob can act as a passive RFID transponder if the battery is flat.
Understood, useful information thank you.👍🏼
@andykirby It's important to note that information on this topic can vary by manufacturer and by the function being performed. IE, opening the door using the fob vs starting the vehicle.
There are some interesting vulnerabilities in fobs and the replay and relay attacks require zero understanding of the vehicles security system and only operational knowledge to carry out the attacks.
Having said that, the popularity of the topic of car hacking is growing due to flipper zero videos. Once they know what people in my profession know, vehicle theft will be a lot worse.
Security has come along way since a half inch vanity case key could open and start my Cortina from long ago
I had a Peugeot 405 with a chinese lock, since previous owner lost the key. It had no steeringlock anymore, I could start the car with a coin....
I learned that when suddenly my keys fell to the floor when I was driving. I hadn't seated it far in enough to let some pin to hold the key in.
A penny will open most old fords 😅
Any Cortina key seemed to open most other Cortina's
Ah, my old 1988 Town Car with its old fashioned metal key!
My work has a scrap yard. One day about a 92 towncar came in. Wasn't too rusty and had really nice condition leather interior. Person scrapped it after buying it due to the quote for the work required to pass a safety. They put the forks of the loader through the windshield before I saw it. Man I was pissed
my 2003 bmw still has a metal key, but was the last, one year newer and they changed to the fob. p.s. love your channel.
@@juliogonzo2718 If it wasn't wrecked and was complete that was a terrible mistake! Easily worth several thousand bucks!
Greetings from the US , I have tested the faraday pouches and they do work. they make them with pocketbooks , purses and wallets as well to protect credit card chip readers as well.
One thing I did is installed a aftermarket remote relay and put it on my fuel pump module b+ and hid it the the car so I can cut power to the fuel pump. so they might get in and start my car but its not going to drive anywhere and now the are sitting there with a disabled car and most likely want to flee very quickly . Next up , I think I will in addition cut power to the receiver if possible while leaving the alarm active ,so the car will not talk at all .
One night my car was parked away from the cars in the supermarket parking lot and a couple of guys parked next to it . I remote started it which change the code on them and they seen me coming and drove off , that's what started this project for me . another min and my Corvette might have been gone.
Andy, this was news ten years ago. The car makers all denied it. Then they formed a 17 manufacturer group to investigate solutions. That was over six years ago, and they've done nothing yet.
Rolling code technology was in widespread use ten years before these hacks--but never used by the auto makers.
Mercedes used to make at least one model where the key fob had to be inserted in the dash to start it, because that was a separate infrared coded system, like a tv remote.
Everything that exists that was designed to be accessible in any way at all, is hackable. There are no exceptions.
This does not only apply to cars. I was fitting CCTV to my house and using a Baofeng uv-5r to call to the wife who was at the monitor to ask if it was aligned correctly, the radio knocked out the the recording box and had to be restarted each time...
I suspect that was from a different issue, like RFI, just good ole plain interference....doesn't have to be on frequency, like lightning. That coax cable for the CCTV cameras acted like an antenna, especially for a "dirty" modulated radio like a Baofeng.
maybe some interference, however you have to be also wary of deauthing on wifi CCTV.
A pad with a few thousand volts on the door handle is also an effective deterrent. Don't do it though - it's illegal (or make sure you have an effective way of disposing of the smouldering trash afterwards!).
Thanks, Andy. Good tips.
When these key fobs were first introduced there were many incident where car parks that house a 70cm repeaters had reports of cars being un-lockable because of the repeater. Silly frequency to choose for key fobs.
I can see that totally.
When Lothian and Borders police first went to Airwave, there was a spate of cars (Rovers and Metrocabs) that if switched off near the police HQ, wouldn't restart unless you towed them a mile or so away. Those used to use the alarm to immobilise the car, rather than the LF/RFID stuff that's the norm now.
@@Ayrshore I can see that happening if there was an AW base station on the roof. Although in a different part of the spectrum, there would be enough power to swamp the basic receiver for the immobiliser.
@@davidjowett8195 Exactly. The receiver in the Lucas stuff Rover Group used was garbage.
I used to get locked in and out of a Land Rover going to one PMR site in Wales, the RF was so strong on UHF it swamped the car!
It is possible to swap someones car too. You get a rental the same, swap the number plates and all contents with the target after getting a second set of keys made, and stuff the key under the dash. Any key will now start the car, and you report the car stolen. After a while the police will pull the person over and check the VIN which wont match so now the target has a LOT of explaining to do. Revenge.
Andy - you need to beg, steal or borrow and review a HackRF + Portapack! What the Flipper gains in portability the HackRF surpasses in flexibility. I just know that this beast would be right up your street! Of course I would never condone illegal use of these but it is scary that a modern day "coat hanger" could be as effective if not more so - education is the key here as it empowers owners to become more aware and take precautions where possible. P.S Yes Faraday cages do work at medium range.
You still can't do much with the HackRF and Portapack, it's just a Flipper on steroids.
A nice locking steel bar through the steering wheel helps, too, if they get in, they cannot steer it!
or they cut the wheel and replace it for selling the car, or they just sell the parts. A steel rod on your steering is lost after at least 5
seconds
A hacksaw and 20 seconds to cut the steering wheel takes care those. There is a hollow metal tube inside the steering wheel that is simple and easy to cut and the device slips right off.
Your best bet is a hidden kill switch. It only costs a few dollars and 20 minutes to install.
Cutting power to the ignition or the fuel pump won't allow them to start the car.
When I leave my truck in a forest and backpack for a few days, the fuel pump relay is in the pouch with the keys. Takes 20 seconds to pull out.
That was a good idea before the development of battery operated angle grinders with cut-off wheels. Those locks can be removed in a matter of seconds.
@@flyingdoctor99 some people let advertisements and media give them a warm and fuzzy feelings without using common sense.
I moved to spain 15 years ago. First thing i did was put an alarm in my car. Now i find it amusing you need one. I ocassionally forget to lock the doors at night here and dont bother to get out of bed if i remember.
I leave the shed door open most nights. Frequently go out for the day with the shed door wide open.
There are some advantages to not living in a country full of hooligans
I once visited a country town out in the middle of nowhere. We rode around with some girls. It was 1979. I forgot to lock my car. I said if we are going to be gone long, I need to lock my car. One of the girls said if you go back and somebody sees you walk over and lock the car and walk away the locals will take great offense.
I should have moved there now that I think about it.
@@dougtaylor7724 yeh i live in a small village, probably more like a hamlet, everyone know who everyone is, like there are literally 40 or 50 houses.
I have padlocks on the shed doors etc, but I literally never shut them, theyre just there to give the appearance of being locked.
I dont htink it would enjoy living in a city again .
This felt like a behind the scenes of a real life Gone in 60 seconds.
Try 30 seconds. Watch this YT video of 2 car thieves stealing a Mercedes with a SDR. czcams.com/video/KlFPInFxjvY/video.htmlsi=QYjSkM72TpCtfuoK
Ford developed a key that goes to sleep if there is no movement of the key. Simple ideas are the best.
Your TinySA won't pick up the 125kHz signal from the car to the fob when you pull the handle
its worth noting that some cars with rolling codes are vulnerable to replay attacks so long as a valid code has been captured' and that code has NOT been seen by the vehicle. this is why jamming is so effective. By jamming the fob, and capturing the code, then letting the next code hit the car, the previous code is not marked invalid. so now, all that is left is to replay it.
I personally lookup the fccid of a device first because that will tell you what frequency it works on.
If my key and mobile phone are close together, IE in the same pocket, and then the car will not start, so I always keep them close to each other when I am not using the car
Brilliant info. I think I'll go out street shopping for a new car tonight.😂
I didnt know of this antenna gain attack. My keys are far away from the car but I recently bought those pouches, I must try them out.👍🍻🤠
Many modern car key fobs use rolling code technology, which generates a different code each time the fob is used to unlock the car. This enhances security by making it more challenging for potential intruders to intercept and replicate the signal.
A rolling code blocks sophisticated replay attacks yes. But the simpler idea is for the attacker to jam all remote locking and watch for those car owners who don’t check to notice that their remote locking attempt has failed. A rolling code doesn’t help in a simple jamming scenario.
@@laulaja-7186 To prevent attackers from blocking car fob signals, manufacturers often implement anti-jamming technology in their keyless entry systems. This technology detects interference and adjusts the frequency or signal to avoid potential disruptions.
@@laulaja-7186It doesn't really block them. The car has to have multiple codes active at once (else an accidental press of the button would mean the car and fob were out of sync and you'd no longer be able to unlock the car).
Thieves know this and will jam the car so they can capture a working code (as you press the button multiple times to unlock it). They then let you open and drive away the car, follow you and wait for it to be parked - then replay the earlier saved code (which is still active in the car) and drive your vehicle off.
Which firmware is that? I appear to have the same one but under the frequency number (when in scan mode) I don't have those three series of 4 digits. And it doesn't reliably lock in to my key fob signal. Either I have a slightly different firmware or I need more info on how to operate that particular firmware properly. lol
I believe he's using the firmware labeled uv-k5-firmware-fagci-mod-v1.1.2-SSB-lite-test.bin
Someone replied to my comment but you seem to be sh@dow banned or something as your reply isn't visible.
Great video, but I think you missed one of the attack scenarios - they will typically use something to block the signal, as per the start of your explanation. When doing that, they can then sniff the alarm fob when the person tries to unlock the car and store it for later (multiple unlock codes are valid at the same time). They will then follow the target vehicle and wait for it to be parked up and locked, then use the saved code to open the car. They then don't have to damage it and just need to get the car started.
Criminals will be delighted to hear your advice......You think they don`t watch this stuff or what?
@@mjh5437 I know about it because the criminals have been doing it for decades, I'm not teaching them something new 😂
The faraday pouches do work or at least the ones I have from amazon, that I got four years ago when I got my vehicle. I also got a good quality steering wheel lock so any potential thief has to get past that in order to drive off. Just a few days ago I found that bluetooth can reach over 50 meters, I was at one of these parcel boxes at the local super market and had trouble with the QR code so rang the number, my wife was in the car and had the radio on and when I dialled the contact number I heard the phone ring from the car as my phone was still linked to the car even at 50 odd meters, so any car that uses a blue tooth app is really vulnerable.
There is a specific auto gate manufacturer out here who's fobs are also able to block vehicle fobs from operating. I always, always stand at my car to check that it's locked, not only that, but, most modern vehicles are able to unlock only the driver side door without the others, a double tap opens the rest, I've had to educte people here as to why they should rather enable and that feature, if not, you may find yourself at gun point inside your car from an uninvited passanger...
Interesting to see someone do this with an HT. There are a number of products on the market that people can use for this beyond the Flipper. It is fairly well known that most devices work on the same frequencies and often use the same modulations. Simply put, radio, wifi or BLE security is a farce.
Awesome video. 👍
The Flipper is an over-rated expensive toy, no one that buys them ever knows what to do with them when they get delivered. They copy their own office access cards/fobs, read a credit card which they can't use from the flipper, maybe clone a garage door opener, that's it. I have never seen anyone use one for anything remotely interesting. They are handy for testing, that's it.
Definitely not used in car thefts.
@@Bond2025 people have created a panic around the Flipper. Between ignorance and fake videos people drastically overestimate the threat it poses. It's actually been a fantastic tool for bringing awareness to our lack of security. The latest claims are that BLE spam can interfere with critical medical devices like pacemakers and insulin pumps, things that shouldn't even be possible with approved medical devices. With coding knowledge and add on boards it's capable of alot but the worst I've seen is temporarily disabling iPhones due to their poor protocols. A flaw which I believe they've claimed to have fixed.
You should always have the old fashioned KEY & LOCK as an alternative to this radio stuff.
Yeah that's why I drive a 2004. Doesn't even have power windows. It had a chip key but I epoxied the chip in the column so I can use a $2.50 key
@@juliogonzo2718 They probably don't really want your 2004...
Old fashioned Key and Lock cars get stolen all the time genius. What is your point...???
Presumably they could send a 'wake up' from the car to the fob to get the fob into an active mode thats ready to phase-lock the challenge signal, then issue a challenge and get a response with very predictable latency... the car could then use phase discriminator to ensure there's a direct path with no repeaters. Perhaps that's not reliable in the ISM, but it's surely possible at higher frequencies. Perhaps in the 23cm band and above. Demodulating and remodulating does take a little time and introduces phase shifts - so I'm sure this could be a valid thwart for relay attacks.
I think that the challenge from the car to the key is on a different frequency (150khz?) much lower and low power to limit the range to inside the car, the signal on the tinysa is the response from the key to the car. Also my Tiguan disables keyless unlocking by pressing lock on the key followed by a touch on the lock point on the door handle.
VW have introduced a movement sensor in latest keys that put them to sleep when stationary for a period of time so they cannot respond to this type of attack.
Probably due to 70cm hams, we’ve had an intermittent and infrequent issue where the car will not respond to the fob. This can last from a minute to best part of an hour. It dates back almost 20 years, starting with a Kia Carnival and continuing with a Micra. At one time we thought the receiver had failed only to have it start working again several hours later.
There is a lot of RF junk in the 433 MHz area…fobs, door openers, tire pressure sensors, military, etc. the sporadic transmission of hams isn’t going to be a 20 year long cause.
More modern cars have a higher frequency band solution outside the ham radio band to avoid that specific problem.
Apparently the US and Japan use 315Mhz and Europe has started using 868mhz.
Pesky radio Hams
For my car, I use the old fashioned "press the lock" when exiting. No fob necessary for locking. (The car will check for a fob inside the car and unlock to prevent an accidental lockout.)
I’ve never owned a fob.
I use the key method.
Standard practice in South Africa! ALWAYS check that your car has locked before you step away from it.
I had a car that you could remove the key from the door with the lock barrel not fully returned home, meaning it would Unlock with an ice block stick.
But with our sort of gear could we not block multiple vehicles over a wide area?
Then we can go into business selling car alarms that work😂!
In my experience, the car communicates to the key on a low frequency. Usually 125kHz. The key fob to car is on ~433.920 MHz
Inside your car example, what you're seeing on the TinySA is the key fob answer the challenge back on UHF. Run a sweep on 125kHz and you'll see the car call the key.
125kHz is used because it's easier to receive by the key than 432 MHz. The 125kHz is received by a passive diode envelope detector. Important given the key fob is on a tiny battery. 👍
Interesting info George thanks. I did wonder after posting this and thinking on it a bit because like you say you only see one pulse on UHF when you press the start stop button. I will run a sweep at 125khz to see for myself. This seems to make sense because I have seen other videos of these attacks where one thief has a large wire antenna, presumably that's connected to a RFID transmitter with a bit of power behind it!
Love your videos by way. I particularly liked your 23cms experimentation I saw somewhere. Very cool!
@@andykirby Cheers mate! My videos are junk compared to yours! Keep it up! 73 for now!
I think you should always have some sort of physical security as well Such as a disklok. Also trackers are cheap these days so have a few fitted. But usually if the scum want something they'll find a way of having it. All you can hope to do is slow them down
@@owenwilliams857 Every village has one........
Make your own using an old mobile phone, very effective, live tracking...hide it anywhere. Commercial ones fitted by lazy installers always go in the same locations, so get ripped out after being blocked.
Ford’s new key fobs on 2019+ cars sleep after the keys are not moved for a certain amount of time
Empty Smash tubs are good for sheilding the signal of the fob. Although some foil under the lid as it's replaced gives total sheilding. I know it's messy but it works. My little lad made me one and decorated it. It's pretty cool really.
Fit an ignition switch from an old model on the steering column from an earlier audi , the steering shaft , and column assembly is the same , since you are only using the mechanical lock it is fairly easy .
MBs newer key fobs deactivate after a few minutes and wake up with motion to help mitigate this. Also, MB fobs since the introduction of keyless entry have been bale to be "deactivated" by double tapping the lock button on the key fob.
This puts the remote to sleep and will only strat to transmit once a button is pressed on the remote to activate it again.
Unfortunately most owners dont know or utilize this second feature.
Like a radio is needed. Nothing is needed. The thief watches you get out - filling station, blah blah - people seldom hit the "lock" button - they walk off with the "key" in their pocket. Thief sits into car & just waits. Owner walks back, coffee in hand & is shocked to see someone sitting in their car. Taps on window.. Key is within range. Thief presses start button, drives off. Bye now. No tech required - the tech crap can be leisurely done in some hidden garage before the vehicle heads off abroad. The "key" can be reproduced easily using readily available kit.
The solution is to get someone like me to wire in a hidden kill switch that you hit religiously every time you leave your vehicle. One lo-tech button. Unless they have a tow-truck, they're going nowhere when that switch is off. EVERYTHING else including fancy immoblilisers is just kidding yourself as the thieves have figured them all out ages ago. Looking for a hidden kill-switch is a ball-ache - so they go take easier prey.
That ^ is just one version - the rest use signal boosters blah blah - same same. If a crucial system is not getting power, the cars not moving - which is the power of old-skool kill switches. "Keyless" has a safety feature that prevents the car stopping if key communication is lost - if the key is present it will start & not stop till the "stop" button is pressed. That's an invitation to thieves - if they leave it running as they refuel, they can run that car without a key for ages. Fit a kill-switch & hide it real well - but make it easy to press so you use it. Thank me later./
Hmm.... I'm not really talking about glorified car jacking, car jackers wont get far in this country at least with cameras everywhere and ANPR... the majority of serious car theft is done at night when the owner is unaware, container waiting at a nearby port and the car is shipped to another country before its even noticed. This is very stealthy organised crime.
A good video with some really good tips on how to help secure your car for those who didn't know about this.
2:02 This gave me a giggle especially as you tickle your hood 😂…excellent video and very helpful to make folk aware..73’s
Great video Andy and a nice demo again of the TinySA
It does not matter when electronics always have the small bits to hack. Awesome video
i read that they plug a device into the OBD port and create a new key there and then after using the relay attack to unlock the door.
i don't even have a car, or know how to drive, but if i ever got one this is just another reason i'd get one from the early 80s.
Porsche keyfobs (at least newer ones) allow you to press lock and unlock together and a red light will flash. This will disable the transmitter on the key until next time one of the buttons is physically pressed, which is great for overnight at home etc.
On our dodge caravan, you have to actually be pressing the button to get it to unlock. But this is scary though because even my baofeng uv5r could theoretically be used to jam the key fob.
need key to turn off power to key or a disingage battery switch. like you need power on all night . when burgs most likely happen
Capturing a signal from a fob and replaying it may de authorize / unsynced you fob that may have a rolling key. You will need to take your key and get it reprogrammed...may need to get the car towed at a dealer also. Most of these attacks are for high valued cars.
Also have you done what I did when I got my first transponder key fob. It detects the fob when you test the locked door and promptly unlocks 🤣🤣🤣
Always watch to see your indicators flash when leaving the car after setting the alarm.
Fit an independent "Thatcham grade 3 alarm system" to the car your insurance will be lower and the car will not be able to be driven away. The alarm will also sound depending on how set up if the door is opened after a short delay if not disarmed separately. Even in a workshop very difficult to remove the alarm system even for an auto electrician talking hours!
Very interesting. Seems to me like older cars that have rolling codes but the keyfobs don't receive a signal from the car are more secure. I always felt uncomfortable with cars that auto unlock when you approach them. My OCD makes me check the door handle multiple times so I know it's locked.
Same
Putting your keys in a metal box works really well, just don’t forget about the spare key. If you don’t want to keep it in the same place then wrapping it in a couple of layers of tinfoil works just as well.
I have a 2023 Kia Telluride and "I think" its beaten the odds. Yes, it has all of the vulnerabilities of the key fob you outlined...but only IF you use the keys...which I don't (they are stored in my home in a faraday box that I have tested and it works). . I put the digital key on my cell phone, which works just like a contactless credit card/RFID communication. So ultra short range and its only active when the key is displayed on the screen...which is even safer than credit cards which can be activated at any time if someone got close enough to you. The car unlocks when you have he key displayed on your screen and touch your phone to the door handle. To start the car, you have to place the phone in a certain position while the key is displayed and voila the car starts. Short of hotwiring the car (if thats still a thing) or breaking into my home and taking the actual keys that I never use, I don't see a way they could steal my new Kia Telluride...though I guess this is my chllenge to Andy to see if I am being overly bold in my positivity. :-)
Faraday pouches work very well. The two I tried off Amazon at least.
I've jammed the frequency as a prank on occasion. Like my friend cant get the keyfob to work but her boyfriend had no problem. Confusion and hilarity ensues.
Reminds me of the pranks Apple's Woz did and I must admit to doing a few hacking the school computers. Making the teacher think the monitor was broke, I sent rand values to the BEEB's video control memory over the ethernet (network). The screen went haywire. A shame he left the network manual lying around lol Another mate wrote a program to guess his password after we noticed it only seemed to be 4 chars long. We got it, "FROG". We used it to make ourselves priviledged. I then wrote a program on the server to go through all the server code to search for the ChangePrvi command. I then changed it to a new secret command name. Next time it booted it loaded up the new command. And only myself and my mates could make people priv or unpriv them lol
Fantastic Info Mate.
Just found ur channel thanks to Ringway Manchester 🙏
Cheerz from Down Under⚡🙏⚡
Is this the uv5k?
I've also seen a video of a guy hacking his own car...to learn and figure out the operation he was intending. He was able to control certain functions on his car remotely. He was using a SDR transmitting to his car's computer as if it were the car's TPMS Tire Pressure Monitor Sensor since it then communicated by wire to the car's computer. He had a friend drive his car slowly, like 10-15 MPH, while another friend drove another car pacing his car while he was a passenger using his laptop and SDR. He was able to do things like turn on the windshield wipers, turn the headlights on and off, etc. (not steering or braking)
This was all possible via the OnSTAR system in GM cars, once in to that you could do anything, so could the control room, law enforcement used to listen in on criminals cars and get GPS data. Cars could also be speed limited, have faults introduced and were ready for the Pay Per Mile system we are getting this year. The engine could also be shut off if the car was stolen and emergency services called if it crashed. Other makes have similar systems and it means law enforcement can bug you without going near the car. It used to only be done when the car was taken in for a service.
I guess the center frequency is 433.92MHz, as it is the ISM-frequency in EU for this band. Which however in fact is a ham band, where ISM is secondary users. I tried to listen to 433.92MHz in AM, and could hear all the weird signals in the morning when people went to work :)
I'm surpsied thag the custom firmware for the K5/K6 doesn't include a replay option
Thanks for an interesting and enjoyable video...
Yet again we see "another" example of the eternal struggle between convenience and security... And as is almost always the case security looses out...... How much extra do I have to pay to make my car only open lock and start using the physical key ?? (and Yes I know that "key locks" can be easily picked, but I'd still prefer and trust it more in today's "climate")
Best regards. :)
My recommendation would be to keep the key fob in a lead container when not in use.
But you have covered that with the metal box mentioned in your vid.
On VW with keyless entry, if you lock the car with the key-fob lock button, then touch the dimple on the door handle within 5 seconds, it disables keyless entry until the next time you unlock the car (using the unlock button on the key fob)
What is the device between the handheld radio and antenna? A small HT antenna tuner?
I'm here looking for this answer too
Another interesting update cheers Andy
Also for rolling codes, they could capture the first signal while blocking it and the second press will send the first signal, keeping a spare in memory
Its amazing how Lursa and Baytor thought of finding your cars sheild frequency in star trek using a cheap visor that was also probably made in China
Thank you for this informative video.
My car, with keyless entry and push button start, was stolen at night even though both of the keys are always far from the front of the house and in Faraday pouches.
Could the signal to my key have been scanned by someone (or a team) whilst I was out, for example at a supermarket or even in traffic?
What then happens to these stolen cars if they are not able to be restarted after the thieves have turned off the engine?
There is a way especially dor connvertibles. My cousin had such a device after WWII on an MG TA. When you get out of the car open the bonnet turn the lock on the gasoline line and remove the key.
On older cars ypu coukd add a removable kill switch on the battery and hide it somewhere.
I suppose a fuel valve would work on any modern car too
Somehow accesable under the dash for easy access.
@@spr00sem00se Afuellibe inside a car...I don't think so
@@Dave85262 if done properly it would be ok, most fuel tanks are under the rear seat these days and the fuel line from the pump is visible under the seat.
it would have to be done with a proper grade fuel line of oem spec, then mounted correctly to avoid chaffing, shouldnt cause any issues.
@@spr00sem00se The easiest and safest access would be to put it in the engine compartment.
@@Dave85262 it would be safer , but then youd need to pop the bonnet to acess it , and people woudlnt do it
Now you just need to reprogram one of those flippers so that it records and stores your key press for the panic button from your key fob. Then when its enabled if it receives the signal from the car it sends back the panic button press while your keys are in your metal box and do not respond.
The car should transmit a random code that's encrypted so that the keyfob can decode it. The keyfob then sends the same code back to the car re-encrypted so that only the car can decode. Problem solved. The car and the keyfob would require one time programming at the dealer to share each other's encryption keys. It's amazing how little the manufacturers will do to thwart auto theft. Shaking my head.
Thanks for bringing this to our attention Andy. People should keep their fobs in Faraday bag at home as a mitigation measure until the manufacturers can figure this rocket science out.
When I was younger I used to have a tiny universal remote. It was designed for TV use. It had a useful feature where you could get it to turn on or off at the time you set or switch to a different channel. It could also learn the code from car key fobs which I tested and it worked. I think this must have been before they switched to changing codes each time. I might have bought it from the innovations catalogue or something like that.
Im thankful my 2012 Audi doesn't have keyless ignition or keyless entry at this point, the key has to be in its hole in the dash for the car to start. Great video, very insightful.
You just didn't pay for the "Comfort Key" extra, all Audi models since 2009 have this feature built in and can actually be unlocked through VAGCOM.
"If you are truly afraid, I recommend installing a switch on a data power cable for OBS. To prevent radio theft, use a disconnect switch on a starter fuse with a system that requires activation with a separate remote control or has a timer to deactivate that starter fuse during hours when you are at home or asleep."
My 2007 RS4 as well as my 2004 S4 both keep me out...radio keyfob wise. I have to use the actual key in the keyhole and open the door on both. Local shops haven't been able to make me replacement keys and program these for my car. Yet, the theifs have little trouble it appears by your video. Of course I can go to the nearest Audi dealer and get raped money-wise and get new replacement keys that will auto lock and unlock my car - which I'm stubborn enough to resist. You have pretty much shown the in-effective nature of most anti-theft systems for sophisticated car thiefs to me. I'm a testimony to the fact these systems end up causing owners like me grief, either because the owner can no longer use the electronic lock/unlock keyfob feature, or simply because the car can be stolen regardless. With all of the tech today you'd think there'd be a better system that is both owner-friendly and robust enough that the car theifs have to go back to other means of criminal activity?
One method criminals are able to use to get past rolling code protection is to follow you out of a shop, jam the frequency you send the code on, so it doesn't work, they then wait for you to spam the unlock button, generating a new code after code in the rolling chain. they pick up every instance of you pressing the button, the car doesn't know these new codes are generated and so will still accept old ones in the chain. Finally, they play the next working code to unlock your car, making you just think the battery is getting low etc. car follows and watches you park up, they play one of the codes the car is willing to accept that was recorded earlier.
Theirs some nice cars around here, i guess I will have to get a radio 😮😅😅 kidding. Ive never seen this before, its crazy. Cheers Andy
Hi ya Andy...what model is the radio you have an is it standard...?...is the spectrum display in the factory menu?..
P.s love the videos
would a dead-man switch that cuts the power in the keyfob, either a second button or within the actual switches prevent a replay attack?
Most cars can have wireless access and wireless ignition turned off by an OBD diagnostics tool. Then, only buttons for lock/unlock work, and to start the car, there is a special place in cars (check your manual) which is intended to be used in case of a flat battery in the key fob. You'd just put the fob on the designated spot and use the ignition button while holding it on that spot.
Andy, Are you a Paul Van Dyk fan ? Guessing by that ending song you've made, Yes... Love it... I want more 🙏👍👍👍👌
If I were you, my primary concern would have been dropping my keys through that drain grate below your driver door…
…until you taught us all how to nick it… 😂
Thank you - very interesting and informative!
That damn drain grate 😂
I never use my key fob, I always use the sensors on the door handles. It's the safest way!
Providing the mesh of the Faraday cage is under 1/4 wave they work