Stray RF signal from key fob and your car being stolen

BABY NSX

Hi everyone!

A friend sent me this video last week. Maybe I’m paranoid but the possibility of your car getting stolen from stray RF signals coming from your key fob is a possible reality.

In this video, the gentleman speaks of using a Faraday pouch. He also has some good background information regarding RF signals and your key fob.



If you are anything like me, you may have multiple key fobs that won’t fit in that pouch. All I do at my house is use a metal cookie container or a small metal lunch box of any sort to block any stray RF signals from being intercepted.

To give myself an idea of how the RF signals are intercepted by the car itself, I used a closed/open cookie container and put my keys in it and stood next to the car and tried to open the door.

If the container had the lid on it then the car could not see the RF signal from the fob. Thus I could not unlock the doors by pulling on the handle. But if the lid was off and the container was at chest height then the door could still be opened. Raising the height of the container without the lid to above my head actually blocked the signal to the car and the door could not be opened. I just did this as an experiment for myself to see what the RF signal's reach was.

I think that the video mentioned that with a new technology a car thief can use a device and scan your keys from 300 feet away. So that means they could be sitting in front of your house scanning for RF signals. (I don’t know how they sort out all the signals if there are a lot of RF signals around.) I don’t know how true that is, but if it is true, if your keys are in a closed metal container I would assume that whatever tool they are using cannot penetrate a metal container and get your RF signals because it works in the same way assumably as the Faraday pouch that the gentleman in the video was mentioning by blocking the RF signals.

Just making assumptions the metal box will block as effectively as the Faraday pouch.

Stay healthy and safe!


 

sean465

Yep two scumbags last night in my street caught on camera, waved a rucksack at a neighbour's front door, which inside had the signal booster, which then allowed the door of the merc to be opened by the second scumbag. Thankfully this merc had no start stop button so they ran off.

I ordered a faraday box today and new pouches as my pouches stopped working after about pt a year and I’ve been using foil
 

Shred

I'm certain the scanners are much stronger and would still pick up the signal through such a metal box, as a Faraday box is a particular method of construction (or is meant to be) meant to block signals. Just because the key fob and receiver in the car aren't strong enough to communicate through it doesn't mean something else won't.

Not to say that this is bad advice by any means- I have a pouch for use outside the house and a box for inside so I 100% recommend getting some RFID blockers. Just to say something dedicated is going to suit the need better.
 

hobby-man

I wouldn't worry. The Type R has additional anti theft:

[Image attachment]
Surely professional car thieves with RF amplifiers can figure out a stick shift lol...
 


Syntek

Glad to see you posted this, we actually covered this vaguely in one of my Cisco security classes. Another good deterrent would be installing a kill switch to the fuel pump in case the car does manage to get broken into, only issue is trying to figure out where to hide the switch. (don't post suggestions if you manage to find a good spot for one lol)
 

tinyman392

> I'm certain the scanners are much stronger and would still pick up the signal through such a metal box, as a Faraday box is a particular method of construction (or is meant to be) meant to block signals. Just because the key fob and receiver in the car aren't strong enough to communicate through it doesn't mean something else won't.
>
> Not to say that this is bad advice by any means- I have a pouch for use outside the house and a box for inside so I 100% recommend getting some RFID blockers. Just to say something dedicated is going to suit the need better.

Most RFID blockers are actually faraday cages. The tin can should work so long as the metal can conduct electromagnetic waves. The tin would have a very similar effect as if you were to wrap your key fob in aluminum foil (a few layers to make sure none of it breaks).
 

RedGiant217

> I'm certain the scanners are much stronger and would still pick up the signal through such a metal box, as a Faraday box is a particular method of construction (or is meant to be) meant to block signals.

Stronger signal won't matter, as long as the lid fits snug, and isn't painted where the lid and box come in contact. The "special" thing about a faraday cage is that it has holes but still blocks RF up to some frequency. A tin should block as well or better than any mesh pouch.
 

s2kdriver80

Stupid question. If the fob needs to be taken out of the pouch to open the door and to start the engine, can't the thief sniff out the signal right then? Or does his sniffing device need a certain minimum amount of time to properly resolve the signal?

And why don't they design fobs that rotate the frequency after each ping using a certain algorithm, so that if the thief somehow captures the current frequency, it won't do him any good later?
 

Shred

> Stupid question. If the fob needs to be taken out of the pouch to open the door and to start the engine, can't the thief sniff out the signal right then? Or does his sniffing device need a certain minimum amount of time to properly resolve the signal?
>
> And why don't they design fobs that rotate the frequency after each ping using a certain algorithm, so that if the thief somehow captures the current frequency, it won't do him any good later?

Theoretically yes the thieves can pick up your signal then if they are targeting you and they are quick enough to catch you as you enter the car. The problem is that you then drive away. The hack isn't very advanced and has, to my understanding, relied mostly on relaying an existing signal in a sort of a chain, not explicitly duplicating it and storing it for later use. This would require a more advanced understanding of the encryption being used to identify the signals rather than exploiting the nature of broadcast signals.

This is why this tends to happen more around people's homes. They leave their keys near the front door, which is typically well within 100 ft for a receiver to detect it and then relay as an accomplice walks up and down the block to see which car they now have access to. This makes it more attractive to have to park a few blocks away in the city?

Since these thieves are more tech based than your old school car thieves, this might help since they likely won't know how to pick a lock. Won't save any items you might have inside if they want those, but they'll have a harder time starting your car and driving off.

https://www.amazon.com/Dent-lion-Anti-Theft-Clutch-Safety/dp/B073CJ6YFP/
 


tinyman392

> Stupid question. If the fob needs to be taken out of the pouch to open the door and to start the engine, can't the thief sniff out the signal right then? Or does his sniffing device need a certain minimum amount of time to properly resolve the signal?
>
> And why don't they design fobs that rotate the frequency after each ping using a certain algorithm, so that if the thief somehow captures the current frequency, it won't do him any good later?

So a thief could sniff out the signal right there and then. However, he wouldn't be able to just sniff it, he'd have to jam it and hijack the code in such a way that the car never receives it. You'd probably be able to see the thief at some point as well, granted you might not be able to tell that he's doing it. But the hijacking would have to happen as you leave the car not as you are planning to drive (as that would roll the codes to something unknown). You could easily counter this by tossing your fob into a faraday cage in the car and lock the car on your way out using the physical lock button in the car. Can't sniff a code if there is no code to sniff. You'd have to be very paranoid to start doing this though.

Rotating codes have been a thing since the 90s. There are a few ways this could work:
  • Pseudorandom number generator: The fob sends out a code, then a command. The car will then send back a reply to let the fob know to move to the next code. The car knows what the next code should be for said fob and the process continues. The next code is known since it's based off a pseudorandom number generator. The fob now is pinging that code out, so it can be picked up and spoofed. If the number generator is known, then the next value can be figured out. This process also disables the old fob from working. If the random number generator isn't known, then you can really only do one action (unlock for example) and the car will essentially lock you out after that.
  • Car master, fob slave: The fob sends out a code, then a command. The car then relays that the message was received. The fob then sends the car the next code to be used. Car relays that the message received again. At this point, both the car and the fob know what the next code is. This is easier to spoof since if you intercept the current code the fob is putting out, you can then generate the next code to use. This also disables the fob the code was stripped from from working since the code will never match again.
  • Fob master, car slave: The fob sends out a code, then a command. The car returns a message received then the next code to be used. Fob returns message received. At this point, both devices know what the next code is. This is also easier to spoof as the fob will be transmitting the code. When the spoofer sends the code to the car, it will send the next one to use. This also disables the original fob.
Note that if no back and forth goes on between the fob and the remote, (i.e. no sending back and forth that code received), it's possible for the car to continue to use the next or previous X number of codes in the event the receiver had missed some codes. The use of previous, next, or both will depend on how the system is implemented. Note that using the next or previous X number of codes is a lot less failure prone but also less secure.

The weakness is that the fob is always pinging out the current code to the car since it doesn't know the proximity of the car to the fob. Before the proximity stuff was implemented, the code would only be transmitted when the fob pressed a button. This could also be intercepted, jammed, and then spoofed. However, with proximity today, the fob is always pinging some code and listening for a response. The car, however, would always be listening for said code, but only responding after it hears said code.

I feel like one way you might be able to deal with the issue is by having two rolling codes. One for proximity and one for action-based items (unlock, start car, lock, etc.). In this setup, if the proximity code is used, then the car and fob set up a new code (however it's done above). However, when trying to do an action, the car will ask for the second code. But let's say that you don't use proximity, then you press the button to unlock, the car unlocks. As you get near the car, it'll look for the proximity code. If that isn't correct, it'll undo the action.

This isn't 100% secure (there is no such thing). But would require the spoofer to get a hold of both codes. One can only be grabbed when the key fob is doing a certain action while the other is always kind of just pinging about.
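
As an added illustration of the look-ahead behaviour described in the post above (not part of the original thread and not any manufacturer's scheme): a counter-based rolling code where the car accepts only codes ahead of the last one it accepted, within a fixed window. The HMAC construction, the `WINDOW` value, the sample key and the class names are assumptions made for the example.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead: how many missed presses the car tolerates


def code_for(key: bytes, counter: int) -> bytes:
    """One-time code for a counter value (HMAC-SHA256, truncated to 8 bytes)."""
    return hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()[:8]


class Fob:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        self.counter += 1  # every press burns a code, heard or not
        return code_for(self.key, self.counter)


class Car:
    def __init__(self, key: bytes):
        self.key, self.last_seen = key, 0

    def receive(self, code: bytes) -> bool:
        # Only counters strictly ahead of the last accepted one are tried,
        # so a code at or behind last_seen (a replay) can never match.
        start = self.last_seen + 1
        for counter in range(start, start + WINDOW):
            if hmac.compare_digest(code, code_for(self.key, counter)):
                self.last_seen = counter  # resync: skipped codes die here
                return True
        return False


def demo() -> dict:
    key = bytes(range(32))  # constructed sample key, not a real fob secret
    fob, car = Fob(key), Car(key)
    results = {}
    first = fob.press()
    results["normal"] = car.receive(first)
    results["replay"] = car.receive(first)            # same code again
    missed = [fob.press() for _ in range(5)]          # pressed out of range
    results["resync"] = car.receive(fob.press())      # inside the window
    results["stale_missed"] = car.receive(missed[0])  # older than last_seen
    for _ in range(WINDOW + 5):                       # drift past the window
        fob.press()
    results["beyond_window"] = car.receive(fob.press())
    return results
```

A larger `WINDOW` makes the fob harder to desynchronise but keeps more unheard codes acceptable, which is the trade-off the post describes. This check rejects replayed codes only; a relay passes along a fresh code from the real fob, which is why the thread's shielding advice still applies.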
 

Mcclaughry95

Why do we pay for insurance again? Take the car, insurance will buy me a model year newer. If I'm going to prevent claims why have insurance?
 

Gruber

> Why do we pay for insurance again? Take the car, insurance will buy me a model year newer. If I'm going to prevent claims why have insurance?

You get what you pay for. If you have a policy with the premiums high enough, your insurance could even afford to buy you 3 new current model year cars to replace one used that was stolen. And sure, it's a waste of money to pay insurance premiums for years and decades and never have the car stolen or the house burned.:thumbsdown: So if you are planning to file claims often, I wish you luck with your insurance.:thumbsup:
 

unholy79

I've had Faraday pouches since I bought my '18 Si. Keys stay in them when I'm not driving the car. Very inexpensive protection. I use these: https://www.amazon.com/gp/product/B07MDF5TX9/. There are some comments on the product claiming they don't work, those folks didn't read the instructions and put the fobs in the internal pouch.
 

Mcclaughry95

> You get what you pay for. If you have a policy with the premiums high enough, your insurance could even afford to buy you 3 new current model year cars to replace one used that was stolen. And sure, it's a waste of money to pay insurance premiums for years and decades and never have the car stolen or the house burned.:thumbsdown: So if you are planning to file claims often, I wish you luck with your insurance.:thumbsup:

Not at all but I will not waste my life trying to avoid criminals. Enough stress in this world without adding possessions to the list. Break in the garage and insurance is the least of anyone's worries.