Stealing modern, well-equipped, expensive cars using sophisticated methods has become a serious illegal business, especially in Europe. Many of the cars stolen this way are never returned to their original owners and are often sold to organized groups of criminals (usually smugglers). Interestingly, this category of stolen cars also includes the BMW 7 Series and the Mercedes-Benz S-Class.
This has caught the attention of Forbes, which asks why these expensive luxury cars, which are often equipped with modern electronic security systems, have lately been the target of sophisticated and notable thefts.
The point is that while the major global automakers are working to improve the security systems of their cars, they are at the same time making them easier to steal. In fact, the new security systems of advanced cars can be bypassed and cracked in various ways, but broadly there are three methods: lock-code-cracking tools; wireless communication with the car and its Keyless Entry system; and wholesale decoding of the car's security system by communicating with its central control system, which applies in particular to Mercedes-Benz cars.
Owners of these cars usually believe that the original key is required to open the door and start the car; but recently, to improve the security of these cars, automakers have introduced Keyless Entry systems, which include a virtual key for the car's owner.
This very fact has led to these cars being stolen easily through wireless methods for bypassing the Keyless system; provided, of course, that the necessary technical tools are available. In effect, this system uses a wireless link to let the key communicate with the car's central security system. Once the data exchanged between the key and the central system is validated, the car's doors open and the car starts at the press of the start button. This wireless system can be interfered with by hackers using special tools, which makes stealing the car simple.
In this system, when the car's owner is within about three meters of the car and activates the system, the data signal is transmitted from the key to the receiver in the car. The receiver then validates the information it has received, and if the key's data matches the data held in the central system, the car door opens.
The range set for the system's operation is about three meters, which means that the frequencies used to send the information operate over a short range. This is so that the operation cannot be interfered with from a distance. But the reality is that, using new and sophisticated technical tools, the signals sent and received between the key and the central system can be received and interfered with from distances greater than automakers anticipated.
These technologies and tools are currently legally available to judicial and security agencies; but, as with all similar matters, organized criminal groups have been able to obtain and use them through their own channels. This has led to thefts of new modern and luxury cars becoming far more frequent in recent months than before, especially in Europe.
Hands-free car entry systems, which typically unlock car doors without requiring the pushing of any buttons when owners are close to their vehicles, provide great convenience. Unfortunately, however, people have begun marketing for sale devices that allow criminals to exploit a technological vulnerability in these systems, and crooks have been seen using "mystery devices" to open cars equipped with hands-free car entry systems. Once in a car, crooks can steal whatever is in it, and, while most of the recent issue has been just that, they can also potentially connect a device to the vehicle's diagnostic port in an effort to download sufficient information in order to create a key to drive and steal the vehicle, a problem about which the British police are now warning.
Anyone wishing to protect the contents of his or her car from being taken, or perhaps the vehicle itself from being stolen, might want to take action.
While there have been various suggestions as to how keyless entry systems can be hacked, and various techniques have been discussed at conferences, the current issue seems to be the following:
The communications between your key fob and car are intended to take place only when the fob is near the vehicle (usually "near" means within approximately a yard or so from the vehicle), thereby ensuring that the car can be opened only when the owner is nearby. A relatively simple device that physically boosts the wireless signal between fobs and cars, however, enables communication to take place between at least some manufacturers' fobs and cars when the two are much further apart. By leveraging such a signal booster, a criminal can trick a car into thinking that the fob is close by even when it is much further than a yard away; some reports claim that devices for sale online may work to open cars even if their associated fobs are as far away as the distance of an entire football field!
So, if your car is parked not far from your home – on your driveway or in a parking spot nearby – someone intent on breaking into your vehicle can potentially use the device to allow the car to "see" the fob located in your house as close by (a process that takes place almost instantaneously) and then open your car door as if you were standing next to the vehicle. The same is true for someone who enters your office parking lot while you are at work, or approaches your car in a restaurant parking lot while you are at dinner. Walls and the like may sometimes interfere with a thief's attempts – but they often don't; there are enough reports of successful break-ins to undermine any claim that they are a sufficient defense.
Car manufacturers could easily correct this problem by requiring people to press a button on the fob to activate it (although such a solution would be viewed as adversely impacting convenience), or by adding technology to vehicles to determine the distance the fob is from the car rather than just relying on weak signals that are not supposed to travel more than a short distance.
In the meantime, if your car has a feature that allows disabling the proximity feature and using a button on the fob to unlock your car, it may be wise to take advantage of this feature. If not, the easiest way to address the risk of unauthorized access to your vehicle may be simply to keep your car fob wrapped in aluminum foil (which blocks the relevant communication signals) and to open the foil slightly when you want to use the fob. Any fobs not normally used and stored at home can be wrapped as well. Want a cleaner look than a fob wrapped in foil? Put the fob in a "Faraday Bag" as sold on Amazon and at other retailers.
Unfortunately, however, some very bad alternative ideas as to how to prevent criminals from breaking into people's cars with signal boosters have been floated around in the media in recent days; I mention two here in order to advise people NOT to follow them. A New York Times piece suggested that people store their key fobs in their home freezers. Besides the fact that this approach will do nothing to prevent cars from being broken into at work, a mall, or anywhere else besides home, it is also problematic because the temperatures in the freezer can temporarily or permanently damage the fob (either on their own or by causing condensation problems). But freezers are not the worst idea that has been mentioned: Some have suggested that people store their key fobs in their microwave ovens; besides not addressing the issue when people are parked at locations other than their homes, storing anything that is not microwave-safe in a microwave oven is a terrible, hazardous idea. Someone may attempt to use the microwave without noticing the fob in it – which can not only destroy the fob, but create a dangerous situation as well.
Last week, I started keeping my car keys in the freezer, and I may be at the forefront of a new digital safety trend.
Let me explain: In recent months, there has been a slew of mysterious car break-ins in my Los Feliz neighborhood in Los Angeles. What's odd is that there have been no signs of forced entry. There are no pools of broken glass on the pavement and no scratches on the doors from jimmied locks.
But these break-ins seem to happen only to cars that use remote keyless systems, which replace traditional keys with wireless fobs. It happened to our neighbor Heidi, who lives up the hill and has a Mazda 3. It happened to Simon, who lives across the street from me and has a Toyota Prius.
And it happened to our Prius, not once, but three times in the last month.
The most recent incident took place on a Monday morning 10 days ago. I was working at my kitchen table, which overlooks the street in front of my house. It was just after 9 a.m., when one of my perky-eared dogs started to quietly growl at something outside.
I grabbed my coffee cup and wandered to the window, where I saw two teenagers on bikes (one girl, one boy) stop next to my 2013 gray Prius.
I watched as the girl, who was dressed in a baggy T-shirt and jeans, hopped off her bike and pulled out a small black device from her backpack. She then reached down, opened the door and climbed into my car.
As soon as I realized what had happened, I ran outside and they quickly jumped on their bikes and took off. I rushed after them, partly with the hope of catching the attempted thieves, but more because I was fascinated by their little black device. How were they able to unlock my car door so easily?
When the police arrived, they didn't have much of an answer. (The thieves didn't get away with anything; after all the break-ins, we no longer keep anything in the car.) I called Toyota, but they didn't know, either (or at least the public relations employee didn't know).
When I called the Los Angeles Police Department's communications desk, a spokesman said I must have forgotten to lock my car. No, I assured him, I had not. But his query did make me question my sanity briefly.
The Toronto Police Service issued a news release last Thursday warning that thieves "may have access to electronic devices which can compromise" a vehicle's security system. But the police did not specify what that "device" actually was.
Thieves have been breaking into and stealing cars with the help of electronic gadgets for several years now. Jalopnik, the car blog, has written about a "secret device" used to unlock cars. And dozens of other websites have told stories about burglars hacking into cars. As these reports illustrate, and videos online show, in some instances thieves are able to drive away with the cars without needing a key.
Still, I continued my search. Diogo Mónica, a security researcher and chair of the Institute of Electrical and Electronics Engineers Public Visibility Committee, said that some sophisticated thieves have laptops equipped with a radio transmitter that figures out the unique code of a car's key fob by using "brute force" to cycle through millions of combinations until they pick the right one.
The most famous case, he said, was in 2006 when thieves were able to steal David Beckham's $100,000 BMW X5 by using such a rig.
Security researchers I spoke with said that most cars with a keyless entry system can be hacked.
But none of the contraptions Mr. Mónica or others told me about seemed to be what those teenagers used.
A more likely answer came from the National Insurance Crime Bureau, a trade group for auto insurers and lenders, which issued a warning last month about a "mystery device" that can emulate a key. In one YouTube video, the group compiled surveillance footage that showed thieves using the gadget to open doors with ease.
Similar reports have surfaced on The Register, a technology news site, and on car message boards, about a simple $30 device made in China and Eastern Europe that allows thieves to break into and steal BMWs. Since I don't own a BMW, that wasn't right, either.
I finally found what seems like the most plausible answer when I spoke to Boris Danev, a founder of 3db Technologies, a security company based in Switzerland. Mr. Danev specializes in wireless devices, including key fobs, and has written several research papers on the security flaws of keyless car systems.
When I told him my story, he knew immediately what had happened. The teenagers, he said, likely got into the car using a relatively simple and inexpensive device called a "power amplifier."
He explained it like this: In a normal scenario, when you walk up to a car with a keyless entry and try the door handle, the car wirelessly calls out for your key so you don't have to press any buttons to get inside. If the key calls back, the door unlocks. But the keyless system is capable of searching for a key only within a couple of feet.
Mr. Danev said that when the teenage girl turned on her device, it amplified the distance that the car can search, which then allowed my car to talk to my key, which happened to be sitting about 50 feet away, on the kitchen counter. And just like that, open sesame.
"It's a bit like a loudspeaker, so when you say hello over it, people who are 100 meters away can hear the word, 'hello,' " Mr. Danev said. "You can buy these devices anywhere for under $100." He said some of the lower-range devices cost as little as $17 and can be bought online on sites like eBay, Amazon and Craigslist.
Mr. Danev said his company was in talks with several car manufacturers to install a chip that can tell how far the key is from the car, thereby defeating the power-amplifier trick.
While I can't be 100 percent certain this is the device they used to get into my car, until car companies solve the problem, he said, the best way to protect my car is to "put your keys in the freezer, which acts as a Faraday Cage, and won't allow a signal to get in or out."
Which is why my car key is now sitting next to a tub of chocolate ice cream.
My investigation did reveal some Chinese sites selling devices which claimed to be able to detect and amplify car key signals at range.
Charles "Chuck" McGill, the WiFi fearing pseudo-retired fictional lawyer on AMC Networks Inc.'s (AMCX) hit Better Call Saul was on the right track. But if wireless signals can harm you, it's the pocketbook -- and likely not the brain. That's the take home from a wild investigative piece by USA Today. The claim in the piece is that car thieves are using homebrewed power amplifiers to pick up faint signals of car owners from key fobs. The signal can then be amplified, cleaned up and outputted at full strength to a car which thinks its owner's keyfob is telling it to unlock.
It's a wild claim and one worthy of skepticism surely. But it may be close to the truth. (Or it may not be, as I later explain.)
First, while the piece mentions several strings of break-ins (in Toronto, Ontario; Tonawanda, N.Y.; and Springfield, Miss.) that might fit a profile of the wireless thief, it's important to acknowledge that there's no hard evidence in these cases that such a strategy was employed.
But there are some more credible reports. A surveillance video posted by the Long Beach, Calif. Police Department shows a pair of thieves -- who appear to be young white or hispanic males -- breaking into a pair of SUVs. In the video it's clear that they somehow get the car to electronically unlock, as there's no shimmying of locks that typically occurs with mechanical break-ins. Instead the culprits simply place their hands on the door handle, and seconds later open it and walk inside.
One comes from Nick Bilton, a Los Angeles, Calif.-based columnist for The New York Times, who reportedly caught a pair of kids in the middle of breaking into his 2013 Toyota Motor Corp. (TYO:7203) Prius hybrid. He writes:
Let me explain: In recent months, there has been a slew of mysterious car break-ins in my Los Feliz neighborhood in Los Angeles. What's odd is that there have been no signs of forced entry. There are no pools of broken glass on the pavement and no scratches on the doors from jimmied locks.
I watched as the girl, who was dressed in a baggy T-shirt and jeans, hopped off her bike and pulled out a small black device from her backpack. She then reached down, opened the door and climbed into my car.
As soon as I realized what had happened, I ran outside and they quickly jumped on their bikes and took off. I rushed after them, partly with the hope of catching the attempted thieves, but more because I was fascinated by their little black device. How were they able to unlock my car door so easily?
One answer might be a brute force wireless attack, in which a key assumes every possible identity until it succeeds in finding one that unlocks the target vehicle. Indeed, experts say it's very possible to brute force keycodes for static remotes -- even encrypted ones.
Diogo Mónica, a security researcher and chair of the Institute of Electrical and Electronics Engineers Public Visibility Committee, "said that some sophisticated thieves have laptops equipped with a radio transmitter that figures out the unique code of a car's key fob by cycling through millions of combinations until the right one is found (a so-called "brute force" attack)."
Here's a demonstration of security researcher Silvio Cesare employing a brute force attack to open up a locked car:
This makes sense. A teen might park their car nearby with a laptop with the ability to broadcast a WiFi signal. They'd then receive that signal and rebroadcast via some sort of small fob as the laptop cycled through millions of potential keys.
But there's one problem with using that technical explanation on some of the recent incidents. Brute force attacks tend to be slow, taking minutes at minimum. These attacks, like the one in the video above, appeared to be carried out in seconds.
Boris Danev, founder of 3DB Technologies, offered an even more exotic claim to Bilton -- that there's a new wave of electronic theft devices that are able to break in using an even more devious strategy -- amplification. Say the owner of the car is inside the house or their keys were left on the entryway counter. The premise goes that the thief would detect that faint signal -- too weak to allow the door to unlock -- amplify it, clean it up, and rebroadcast it, causing the car to unlock in seconds.
Danev claims:
It's a bit like a loudspeaker, so when you say hello over it, people who are 100 meters away can hear the word, 'hello.' You can buy these devices anywhere for under $100. Some of the lower-range devices cost as little as $17 and can be bought online on sites like eBay, Amazon and Craigslist. [To avoid this] put your keys in the freezer, which acts as a Faraday Cage, and won't allow a signal to get in or out.
It's important to note that Danev does have a vested interest in selling that claim -- simply put, he's literally selling it. His company makes proximity-based unlock solutions that he claims are more secure. The claim pitched to potential automakers and aftermarket parties is that the 3DB Tech.'s chips will block known brute force attacks and amplification attacks as well.
There's reason to be a bit skeptical of these claims as well.
First, there was a long running urban legend/email scam regarding thieves using cell phones to receive your key fob presses and resend them. Signal engineers will recognize why this story is obviously false -- cell phones don't transmit on the same frequency ranges as typical car key fobs.
But what about specialty equipment that is designed to retransmit signals? The most probable route would be the one presented back in 2011 [PDF] at the Network and Distributed System Security Symposium by none other than Danev and his colleagues Aurélien Francillon (researcher) and Srdjan Capkun (an assistant professor of computer science). At the time the trio was working in the system security group at ETH Zürich, Switzerland's top technical university.
Remote keyless entry (RKE) is divided into two categories -- active and passive. Both typically operate on encrypted channels in modern vehicles. Active RKE involves actually pushing a button on a key fob to unlock doors. Passive keyless entry -- often found on luxury models -- automatically unlocks the doors when the driver's key comes in range of them (some models only unlock the driver's side door).
Passive RKE seems the more attractive target as all you have to do is somehow complete a call-and-response chain via signal interception and amplification of the signals between the vehicle and the owner's keys.
Indeed Danev and his fellow researchers tapped into passive RKE systems' low power, short range signals which are supposed to only be detected by the key fob and responded to when the owner is nearby.
By intercepting and retransmitting that signal to a distant keyfob they were able to unlock the car. But the attack wasn't as simple as you might think. The attacker obviously needed an antenna near the car door to intercept the low power signal. But they also needed an antenna near the fob itself to intercept and relay the signal. The researchers put forth a couple of scenarios, including one where a key near a window responded to a cloned signal from the vehicle.
Bilton says his key was "on the kitchen counter" so that makes sense from a line of sight premise. So how did thieves get around placing the second antenna? The answer may lie in the case of an amplifier. Most OEM branded remote keyless entry (RKE) systems use a standard signal frequency of 315 MHz for North America-made vehicles and 433.92 MHz for European/Asian-made vehicles.
Thus a system like that described might be built out of a microcontroller, antenna, and other assorted off-the-shelf parts. Indeed a team of student engineers at the Rochester Institute of Technology claim to have done precisely that [PDF]. However, most people would lack the knowledge to construct a black box capable of automatically detecting nearby signals and boosting their range.
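Why a relayed exchange still passes the car's cryptographic check, and why the distance measurement suggested earlier on this page ("a chip that can tell how far the key is from the car") stops it, can be shown with a small simulation. This is an added Python example, not code from the article, the researchers or 3db Technologies; the class names, the 2 m limit and the fob turnaround time are constructed assumptions, and the timing model is simplified to a single timed exchange.

```python
"""Simplified model of a passive keyless entry exchange, with and without a
round-trip-time (distance) check. All names and constants are constructed."""
import hashlib
import hmac
import os

SPEED_OF_LIGHT = 299_792_458.0   # metres per second
FOB_TURNAROUND_S = 1e-6          # assumed fixed fob processing time (constructed)


class Fob:
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # Proves possession of the shared key for this fresh challenge.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Path:
    """Radio path between car and fob. A relay or amplifier only extends how
    far the messages travel; it never needs the key."""

    def __init__(self, fob: Fob, distance_m: float, relay_delay_s: float = 0.0):
        self.fob = fob
        self.distance_m = distance_m
        self.relay_delay_s = relay_delay_s   # latency added per direction

    def exchange(self, challenge: bytes):
        flight = 2 * self.distance_m / SPEED_OF_LIGHT
        rtt = flight + FOB_TURNAROUND_S + 2 * self.relay_delay_s
        return self.fob.respond(challenge), rtt


class Car:
    def __init__(self, key: bytes, check_distance: bool, max_distance_m: float = 2.0):
        self._key = key
        self.check_distance = check_distance
        self.max_distance_m = max_distance_m

    def try_unlock(self, path: Path) -> str:
        challenge = os.urandom(16)           # fresh nonce, so replays fail
        response, rtt = path.exchange(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return "reject: wrong key"
        if self.check_distance:
            # Upper bound on fob distance implied by the measured round trip.
            bound_m = SPEED_OF_LIGHT * (rtt - FOB_TURNAROUND_S) / 2
            if bound_m > self.max_distance_m:
                return "reject: fob too far"
        return "unlock"


def run_scenarios() -> dict:
    key = os.urandom(32)
    owner_fob = Fob(key)
    legacy = Car(key, check_distance=False)    # trusts weak signal range only
    bounded = Car(key, check_distance=True)    # also measures round-trip time
    nearby = Path(owner_fob, distance_m=1.0)
    # Fob about 50 feet away (as in the account above), reached via an ideal
    # zero-latency relay; real relay hardware only adds more delay.
    relayed = Path(owner_fob, distance_m=15.0)
    stranger = Path(Fob(os.urandom(32)), distance_m=1.0)
    return {
        "legacy/nearby": legacy.try_unlock(nearby),
        "legacy/relayed": legacy.try_unlock(relayed),
        "bounded/nearby": bounded.try_unlock(nearby),
        "bounded/relayed": bounded.try_unlock(relayed),
        "bounded/stranger": bounded.try_unlock(stranger),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18} {outcome}")
```

The relayed response is genuine, so the key check alone cannot tell it from a nearby owner; only the time-of-flight bound separates the two cases.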
While I was unable to confirm Danev's claim of complete solutions being available on eBay, Inc. (EBAY) I did however find a number of similar solutions on a shadier site named "ADK Auto Diagnostics". Notably I found a black box "433Mhz 315Mhz Rolling Code Remote Control Detector Duplicator" that is being billed as a "car locksmith tool."
Assuming these are actually authentic (which they may not be) they may work in a couple of ways. First, they could be cloning the signals of passive RKE systems, having found a more compact way to handle the interception of the low-power vehicle signal and higher power response from the key fob.
Second, they could be used by a lurking burglar or burglars to possibly intercept key codes from an active RKE system. As modern active RKE systems typically cycle the keys on their signals to prevent easy theft, a car thief would have to act quickly -- perhaps intercepting the signal of someone who walked out to their car and grabbed something. The thief could then strike a minute or two later as soon as the person went inside, depending on how long it takes for the code to cycle.
The real question I have is that if these premade sort of lockpicking tools are for real, why aren't we seeing more of them? Yes, that's what the USA Today report seems to be trying to suggest, but ultimately it only offers up a handful of highly publicized incidents. Overall there's little sign that this is becoming a widespread technique to get into cars. Typical "Slim Jim" style mechanical attacks remain the popular and somewhat ubiquitous solution.
A skilled thief can use a "slim jim" to perform a mechanical attack to circumvent car locks, leaving no signs of damage or forced entry.
Assuming these isolated incidents are for real, it's premature to suggest it's some sort of new amplification-based passive RKE hack. After all there are too many other possibilities.
For example, if you wanted to get really outlandish, perhaps the hackers didn't even use the key fob, instead hacking directly into the wireless link of the CAN bus and injecting instructions, as seen in this Motherboard special.
Or yet another more down to Earth possibility is that the thieves simply worked by day at a local repair shop or dealership and cloned the car's remote. Many such remote duplicators exist on eBay, but they only work on static code chips not rolling code (cycling) chips. Given that Bilton's Prius uses the standard Toyota G chip -- an EEPROM based static code -- the idea of key duplication is one possibility that satisfies the Occam's Razor principle.
A far less sensational hypothesis is that these car thieves may simply be cloning keys at auto shops when they go in for repairs.
Or yet another somewhat simpler explanation (that's still somewhat exotic) is that the young thieves might have used a frequency jammer (perhaps the black box seen). A jammer would provide a plausible explanation in both the Long Beach, Calif. theft and the theft experienced by Bilton in the LA area. The victim might have thought they locked their car, when it really remained unlocked, thanks to the attacker's jammer. Such jammers are more widely available and a proven quantity, if rarely used by thieves due to their expense. (They're also illegal.)
USA Today and The New York Times both carry Danev's suggestion to put your key in either the freezer or the microwave -- Faraday cages. But that may be an overly paranoid suggestion. A simpler solution is to not leave anything valuable in your car (as most of these car thieves appear to be searching for valuables, not trying to steal the vehicle) or -- alternatively -- secure the vehicle physically (i.e. put it in your garage).
And while it's one part scary, one part entertaining to think we're entering some bold new era where hacker kids can unlock our cars, reality may be far more boring. Maybe they just used copied key fobs. At worst it appears these kinds of electronic attacks are quite rare in the wild, although they draw much media attention.