Securing Your Vehicle: How to Prevent Keyless Entry Thefts and Other Key Fob Hacks
Must-knows about key fob security
A couple years ago, a writer from The New York Times claimed to have found
a way to prevent his car from being burglarized; he kept his keep fob in his freezer,
so thieves wouldn’t be able to hack the fob’s signal.
Attacks on keyless entry vehicles have garnered a lot of media attention. These vehicles instead of using a key to unlock or start a car allow drivers to operate the vehicle if the fob is within a few feet of the car. A hacked key fob transmission allows thieves to get inside cars and drive them away. One video even shows how quickly – in about a minute and a half – it can happen if the right technology is used by sophisticated criminals.
Overall, UL Technology and Security
Director Andrew Jamieson says attacks on keyless entry vehicles are uncommon.
“In some of these high-profile thefts, the chip
in the fob was at least 15 years old,” Jamieson says. “It was found to be insecure
back in 2005, and the manufacturer still used it.”
How key fob attacks work
Most vehicle key fobs use messages/passwords that change over time or two-way messages. Sometimes these transmissions are done in insecure ways, Jamieson says. Take for instance a pre-play attack in which a thief can ping the fob and learn upcoming passwords.
Another type of hack is a replay attack. A
thief targets less-secure car fob chips that reuse passwords, which can allow the
hacker to try previous passwords until one works.
Both pre-play and replay attacks, which rely on
vulnerabilities in the fob’s technology, require thieves to be close to the key
fob and the car in order to intercept messages.
Relay attacks, like the type performed in the
video, require thieves to be close to the key fobs as well as within a few feet
of the car.
“While possible, generally if the key fob is in
your house, getting the message through the walls is a little more complex,” Jamieson
says. “Even with a repeater that amplifies the signal, it is going to be
difficult if your key is not close to a thin wall, external door, or window.”
“If you’re concerned about this type of attack,
keep your keys away from the walls and windows, where it’s going to be easier
for a signal to be captured and amplified.
Because all of these types of attacks are uncommon,
he says most people should not feel the need to keep their key fob in an radio-frequency
identification-protective case ̶ or the
freezer. Of course, people need to assess their own unique situation and make
Planning for the future
Jamieson noted that changes in technology may also have impacts on the security of our cars. Currently in development is the ability to unlock and start cars from mobile phones; a technology that will enable vehicle-sharing services.
security doesn’t involve a physical fob where someone has to come into close
proximity of your fob and your car, so the threat model is quite different,”
Jamieson says. “If they can break into the app, they can potentially commit
crimes remotely and at scale. They could even do a denial of service attack
instead of breaking into a vehicle, requiring people to pay ransom to gain
control of their car. This is why UL is working with a number of organizations
to create secure Standards and evaluate applications for this technology.”
Protecting your vehicle
To reduce the likelihood of someone hacking your key fob, use these tips:
- Leave your car in a safe place, like a closed garage. If you can’t leave it inside a garage, evaluate the risk of leaving it in the driveway, but understand that these types of attacks are uncommon
- Research the car manufacturer before purchasing a vehicle to learn if the manufacturer is indeed following best practices in its key fob security.
- Consider where you leave your keys at night. Don’t just drop them in a tray right next to the front door.
main takeaway is that you need to be aware of the security of your systems, of
your cars, of your household, and of the products and services you’re using as
far as car ride services,” Jamieson says. “This information needs to be built into
your decision about whether or not to use them. Once you’ve made that decision
and you’re happy with it, I wouldn’t worry it about it. With some notable
exceptions, the security in these systems is generally sufficient.”