Police 'stumped' by car thefts using electronic skeleton key

RF jamming?

The common method is to jam the key fob signal in the first place, so the car never locks. I haven't looked that hard into this case, but I couldn't see anything in the video that suggested they were disabling an active alarm whilst breaking in.

Keyless entry != remote locking

All the cars in the video are Hondas (Acura = Honda for the USDM).

They're touching the door handle. You have to do this to activate the keyless entry system as it's passive RFID. The range is only about 18" from the door handle. Wouldn't surprise me at all if Honda (deliberately or inadvertently) put a master key code into their system and all the thieves have is an appropriately coded dongle.

They don't steal the vehicle as they still can't start it. The lockout for the engine ECU is a separate system. All they've done is pop the lock and switch off the alarm.

Interestingly, no physical use

They get into the car, but do not attempt to drive it away because that needs a physical key to unlock the steering column and start the engine. If you have a keyless ignition system that second physical barrier doesn't even exist..

Been around a looong time!

In my distant youth used to legally repossess cars for finance firms as knew legally how to install and decommission alarms systems and locks.

This is nothing more complex than magnetics and parts can be assembled from maplins for around £25, good parlour trick, tried it yesterday after seeing the post with family and friends cars and works on around 40% of cars.

What I can;t believe is how they are all stumped, not rocket science, look at the material your central locking system is made off Mr Sheriff (there's a hint), used it 20 years ago to open cars but parts were more expensive and not so readily available then.

Jammer

On my most recent trip to South Africa I noticed a lot of posters in shopping centre carparks warning about the current favourite, which is some sort of jamming device which thieves use to stop remotes from locking cars. People have a habit of pressing the lock button on their remote while they are walking away from the car. The thief lurks nearby and presses his jammer at the exact same time, so the car fails to lock. You would think that people check that their car is locked after pressing the button, but apparently there are enough who don't for this to be a worthwhile venture for thieves. Police advice is similar to the age-old toilet seat problem: Look.

I know some UK crim types are using a jamming device.

They basically sit up in a car park / near driveway and actively jam the remotes signal resulting in cars left unlocked (apparently a lot of people don't check the car is locked or look for the indicators flashing when locking).

Its then just a case of waiting for people to walk away and hey presto - unlocked car.

Inductive charger jury rigged to fire door unlock solenoid?

It could be as simple as using a "wireless charger" inductive loop to produce a 12V pulse to the door solenoid.

It certainly looks as though you have to be very close to the car door to get it to unlock. These things have only just started being popular and I have seen a lot of people asking for them to make one for cars.

Unsurprisingly the manufacturers have no plans to make these for cars as the INDUCE VOLTAGES TO NEARBY WIRING, duh. The great unwashed clearly has no idea about physics.

Anyway. I bet you that is what it is. It will only unlock cars with central/power locking and only if they place it near where the solenoid is.

I don't know for sure why it would disable an alarm, but it probably would fry a good amount of IC's. I assume that there are mechanisms in place in ECU's to protect electronics from noise and power surges. Perhaps it has the benefit of tripping circuit protection.

Frequency Scanning

I think the idea here is similar to that seen in Gone In 60 Seconds.

By sitting in a neighbourhood scanning people opening there vehicles with there fobs the would be programmer who developed the tool could possibly create a piece of software that brute forces the locking software into opening? also if you notice there is quite a delay between presenting the device and the vehicle responding, further supporting the fact that it is possibly performing some kind of brute force entry.

On the other hand there could be someone who has taken the time to reverse engineer locking software on specific vehicles and found the backdoor (pardon the pun) in order to enter the vehicle.

Weren't BMWs were they

If you have a key-less BMW (at least 06-12) then you might want to watch this thread

http://www.pistonheads.com/gassing/topic.asp?h=0&f=72&t=1121571&mid=339769&nmt=New+BMW%27s+getting+stolen+using+blank+BMW+keys

A lot of people complain about their passenger doors not unlocking on these makes of cars, when they as the owner use the remote to unlock everything they still have to reach over to let passengers in.

Could be the starting point for the vulnerability.

My Honda has been opened up in this way several times, according to the police. The first time it happened I just thoght I'd forgotten to lock the door and the b********* who took my satnav from the glove box had struck lucky by trying the car that night. . But the police told me that the thieves have a device that can open the central locking. It's happened a few times since, which is inconvenient when I've been out and about and didn't have the satnav, becacause i can't just leave things in the car anymore.

They cops say that the b*****s can record the signal from the key and then use it later. with some cheap device they get off the internet.

Nothing new here

I remember reading 15 years ago something about using Palm Pilots for this purpose, so I Googled it: http://www.xent.com/FoRK-archive/nov98/0131.html

Magnets?

I remember in school we fitted a lift with a magnetic switch to bypass the key. The key was given to students with mobility issues. Our mobility issues were connected with laziness rather than any infirmities.

I don't see it being possible to actuate the door locking solenoid with a magnet from the outside. Car doors are typically made of steel and all of the door lock solenoids I have come across (not too many) are oriented in the wrong plane. There would be tell-tale marks on the outside of the car from the magnet affixing itself to the door and then been run back and forth. Get a very small NdFeB magnet and try it on a car door. Now try and get the bugger off!

If the car manufacturers have fitted a simple bypass to the security system, they should be billed for the thefts. What's the point of a sophisticated alarm where all you have to do is speak "friend" and enter. In elvish, obviously.

You can steal some BMWs by breaking the window, pressing the brake pedal for 30 seconds, connect ODB key programmer, store another RFID you have brought along to the programmed keys. Press start. Even the electronic steering lock withdraws.

Locksmiths?

I suspect that the police need to reach out to different locksmiths. Wonder if they thought of that?

Really? I can find similar techniques being used dating back to 2005 (and there's probably earlier ones too), where robbers were using devices that did exactly that. How does it work? Very simple.

Put the device in a car park or where the target usually parks, in a bush, with a battery.

What does the device do? Sniff all wireless packets and record them.

How does the device work? Play the recorded packets back.

How big is the device? Smaller than a cell phone. In fact, some newer phones can do it out of the box. A laptop can do it too, or a tablet.

I'm stumped that police are stumped. This is the epic fail of the day.

ROFLMAO

Re. comment "I have friends in low places" ... IIRC this was on "Sherlock Holmes" .

Re. solenoids, I had wondered about this method but the NIB magnet trick works a lot of the time; the locksmiths know about it and this is one of their methods for opening key-locked-in-vehicle vehicles without ruining the trim etc.

I also recall reading that a certain model of car, if you kick the bonnet in "just the right way" the airbag sensor activates and the airbag goes off, causing the failsafes to initialise and unlocking every door (!)

The problem is that this is a safety feature built into the electronics and can't be disabled without compromising the airbag function.

Other tealeaving rogues also know of methods involving a laser that "burns" the PCB located directly under the front fascia on some cars causing a similar effect.

Turns out that the manufacturers didn't consider that burning lasers might one day exist that could go through glass and still burn plastic underneath.

Yet another method involves sending a malformed RFID code that causes the controller to poo itself and guess what, unlocks. Yes, seriously, they forgot to include buffer overrun protection.

AC x472

Oops

And another method which I like to call "The Drill of Doom."

A variant on the old petrol tank drilling scam, this one relies on cars unlocking the door(s) if the battery is low.

An endoscopic probe is used (about $40 or so or less if stolen parts are used) to drill several 3mm holes in the battery case, causing the electrolyte to drain.

An hour later, thief comes back to a nicely unlocked car, installs their Acme JumpStarter (tm) and off they go.

Bonus:- usually the car has a failsafe for low battery that resets the security key to "AnyKey" mode.

There is no defence against this, simply putting the battery higher up doesen't work.

About the only way you could stop this would be to add several batteries in parallel and include 100A fuses.

The even nastier variant of this is to abandon said vehicle somewhere having "liberated" the airbag, radio, electronic controllers ($800+), etc rendering it worthless even if the Police eventually recover it.

Installing a dead battery to hide the evidence ($0, from many scrapyards who are happy to be rid of them)

AC x472

It's not the ability to develop electronic digital keys...

...that has the cops mystified, it's that the crimes are only able to disable the alarm and open the passenger's door. They can't unlock the ignition nor start the car so more than likely they've developed some cheap tool that sends a default signal to disable the alarm and unlock the pass door but nothing more. Real thieves would have the good stuff and actually steal the car not the contents. Thus these are likely to be amateurs such as teens or drug addicts without the resources to chop-shop the vehicles. They might have modded a remote control garage door opener?

Gone but not noticed

A client of mine who lives in a quiet cul-de-sac in a salubrious part of north London, told me that there had been a number of break-ins of cars in the cul-de-sac but the owners hadn't notice because when they went to the cars they were still locked as they had left them.

The cars were different makes and models and the perps targetsed all different price bands.

The thefts happened over several days but the residents weren't aware that it wasn't just their car that had been 'visited' and in fact oftern thought that they had misplaced what had been stolen. It was only when one realised that something was actually missing from their car and went to the policew and then spoke to another neighbour that they discovered that they were having a small epidemic.

All the owners claimed that their cars were locked up normally at night and were still loc ked qwhen they went back to them the next morning.

This was two years ago.

The police are still looking into it.