Overview
Almost every modern car comes equipped with a key fob, offering the convenience of opening doors and starting the engine remotely. The primary appeal when purchasing a vehicle is this seamless convenience. You can simply keep the key fob in your pocket and eliminate the need for a physical key. It sounds incredibly practical and secure.
The inherent assumption is that these key fob systems are secure and protected against unauthorized access, preventing someone with readily available, inexpensive hardware from stealing your car. However, as consumers, we often lack the technical means to assess the robustness of these systems and are compelled to place our trust in car manufacturers. Unfortunately, this trust is not always justified, and vulnerabilities often emerge when security researchers and hackers probe these systems. These discovered flaws might have already been exploited by individuals with malicious intent.
Decoding Your Car’s Key Fob Frequency
Car key fob systems vary across manufacturers and models. Let’s begin by examining the key fob of a 2006 Prius to understand the fundamentals. Key fobs utilize a technology known as Remote Keyless System (RKS). In the United States, these systems typically operate at 315 MHz, with a permissible deviation of +/- 2.5 MHz. In the case of my Prius key, the actual operating frequency was measured at 312.590 MHz.
Information regarding car key fob frequencies and system specifications is publicly available in the FCC database. Monitoring new entries in this database is a technique used to anticipate upcoming car models, as these entries often appear well in advance of official announcements.
You can determine your car key fob frequency using a Software Defined Radio (SDR) and software like GQRX or SDR# to analyze the radio spectrum. By pressing a button on your key fob while monitoring the spectrum, you should observe a brief spike in signal strength at its operating frequency. You might need to adjust the frequency band slightly, perhaps by a couple of MHz, to precisely locate the signal, as my Prius key was almost 2.5 MHz below the nominal frequency.
A word of caution: Avoid excessive button pressing during frequency identification. RKS systems employ a rolling code mechanism, which generates a new pseudo-random code each time a button is pressed. The key fob and the car maintain synchronization to ensure the car recognizes the subsequent valid codes. However, if the key fob advances too far in the code sequence (hundreds of button presses beyond the car’s expectation), synchronization is lost, rendering the key fob ineffective until resynchronization is performed.
When capturing the signal from a key fob, the output can be visualized as shown below.
The total duration of this plot is 10 seconds, illustrating two distinct key presses occurring shortly after 2 seconds and 5 seconds respectively.
Focusing on a 100 ms interval starting at the 2-second mark, we can discern the underlying digital signal:
Further magnification, zooming into the initial bits of the signal, reveals:
The bits are clearly distinguishable. A decision threshold around 15 would facilitate accurate bit detection. Applying this and plotting the initial digital data for both key presses yields:
Although both signals initiate identically, they rapidly diverge, a crucial security feature. If the signal remained constant with each press, it would be easier to replicate and compromise the system.
The data transmission method here is On-Off Keying (OOK). It also almost certainly uses split-phase encoding, also known as Manchester encoding. Instead of representing a “1” as a high signal and a “0” as a low signal, Manchester encoding encodes information in the transitions between high and low states. A “0” bit is represented by a rising transition (low to high), and a “1” bit by a falling transition (high to low). A characteristic of Manchester encoding is that the signal never stays at the same level for more than two consecutive half-bit periods, so every bit contains a transition. These transitions are easier to detect than sustained high or low levels, which is an advantage in signal processing.
This example utilizes OOK, a common modulation scheme for car remotes. Some systems employ Frequency-Shift Keying (FSK), where each bit is represented by a distinct frequency while maintaining a constant signal envelope.
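The thresholding and Manchester decoding described above, as an added example that is not code from the original article: the envelope samples are constructed rather than a real capture, the decision threshold is the article’s value of 15, the bit convention is the one stated above (rising edge = 0, falling edge = 1), and SAMPLES_PER_HALF_BIT is an assumed value that depends on the SDR sample rate and the fob’s bit rate.

```python
# Added example: slice an OOK envelope at the threshold and decode the Manchester
# transitions into bits. The envelope is constructed; SAMPLES_PER_HALF_BIT is assumed.
from typing import List

THRESHOLD = 15.0            # envelope level separating "on" from "off"
SAMPLES_PER_HALF_BIT = 4    # assumed number of SDR samples per half-bit period


def manchester_encode(bits: List[int], spb: int) -> List[float]:
    """Constructed envelope: a 0 bit is low->high, a 1 bit is high->low."""
    env: List[float] = []
    for b in bits:
        for level in ((3.0, 28.0) if b == 0 else (28.0, 3.0)):
            env.extend([level] * spb)
    return env


def slice_samples(envelope: List[float], threshold: float) -> List[int]:
    """Hard decision per sample: above threshold -> 1, else 0."""
    return [1 if s > threshold else 0 for s in envelope]


def half_bit_levels(hard: List[int], spb: int) -> List[int]:
    """Collapse each half-bit period to one level by majority vote over its samples."""
    return [1 if sum(hard[i:i + spb]) * 2 > spb else 0
            for i in range(0, len(hard) - spb + 1, spb)]


def manchester_decode(levels: List[int]) -> List[int]:
    """(0,1) rising edge -> 0, (1,0) falling edge -> 1. A half-bit pair with no
    transition is not valid Manchester: stop there (lost alignment or end of packet)."""
    bits: List[int] = []
    for i in range(0, len(levels) - 1, 2):
        pair = (levels[i], levels[i + 1])
        if pair == (0, 1):
            bits.append(0)
        elif pair == (1, 0):
            bits.append(1)
        else:
            break
    return bits


def decode_envelope(envelope: List[float]) -> List[int]:
    hard = slice_samples(envelope, THRESHOLD)
    return manchester_decode(half_bit_levels(hard, SAMPLES_PER_HALF_BIT))


# Constructed test vector, with one noisy sample above the threshold inside a low
# half-bit; the majority vote over the other three samples outvotes it.
SAMPLE_BITS = [0, 0, 0, 1, 1, 0, 1, 0, 0, 1]
SAMPLE_ENVELOPE = manchester_encode(SAMPLE_BITS, SAMPLES_PER_HALF_BIT)
SAMPLE_ENVELOPE[1] = 20.0
```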
Common Attacks Targeting Car Key Fob Frequency Systems
Numerous attack methods can target car remotes, depending on their operational mechanisms and the attacker’s objectives. Simpler attacks might only aim to unlock the car doors, while more sophisticated attacks can achieve complete control by cloning the remote. Understanding the car key fob frequency is often the first step in many of these attacks.
Most modern key fobs use a rolling code mechanism to enhance security. This system generates a unique waveform for each button press, based on the key fob’s ID, a random seed, and a counter tracking the number of presses. The car maintains a record of the last received code and anticipates a range of subsequent valid codes. Upon receiving a code within this expected range, the car responds, for instance, by unlocking the doors. If a previously used code is received, the car ignores it to prevent replay attacks. For certain vehicles like the Prius, resynchronization after excessive button presses might require a specific procedure, sometimes referred to as the “Chicken Dance,” or necessitate dealer intervention, which can be costly.
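A model of the car-side rolling-code logic described above (a list of paired fob IDs, the last counter seen per fob, an acceptance window, rejection of already-used codes, and a resync condition when the fob runs too far ahead), added here as an example and not code from the article or from any manufacturer. The HMAC tag, the per-fob key and the window size are assumptions standing in for the encryption and packet layout of a real system, which the article does not specify.

```python
# Added example: car-side rolling-code receiver model. Per-fob HMAC key, 4-byte
# truncated tag and WINDOW are assumptions, not any real vehicle's design.
import hashlib
import hmac
from typing import Dict, Tuple

WINDOW = 16  # assumed: how far ahead of the last seen counter the car will accept


def _tag(key: bytes, fob_id: int, counter: int) -> bytes:
    """Authenticate (fob_id, counter) with the fob's key; truncated to keep the packet short."""
    msg = fob_id.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


class KeyFob:
    """Transmitter side: a unique ID, a secret key and a press counter."""

    def __init__(self, fob_id: int, key: bytes, counter: int = 0) -> None:
        self.fob_id, self.key, self.counter = fob_id, key, counter

    def press(self) -> Tuple[int, int, bytes]:
        self.counter += 1
        return self.fob_id, self.counter, _tag(self.key, self.fob_id, self.counter)


class CarReceiver:
    """Receiver side: allow list of paired fobs and the last counter accepted per fob."""

    def __init__(self, paired: Dict[int, bytes], window: int = WINDOW) -> None:
        self.keys = paired                          # fob_id -> key (the allow list)
        self.last: Dict[int, int] = {i: 0 for i in paired}
        self.window = window

    def receive(self, fob_id: int, counter: int, tag: bytes) -> str:
        key = self.keys.get(fob_id)
        if key is None:
            return "REJECT_UNKNOWN_ID"           # fob was never paired with this car
        if not hmac.compare_digest(tag, _tag(key, fob_id, counter)):
            return "REJECT_BAD_TAG"              # forged or corrupted packet
        last = self.last[fob_id]
        if counter <= last:
            return "REJECT_REPLAY"               # code already used, or older than one used
        if counter > last + self.window:
            return "REJECT_RESYNC_REQUIRED"      # fob ran too far ahead of the car
        self.last[fob_id] = counter              # advance; skipped counters become unusable
        return "ACCEPT"
```

Note that the window check only orders codes; a code the car never heard (for example because it was jammed) is still inside the window when it arrives later, which is why the counter alone does not bind a code to the moment it was sent.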
Several attack vectors exploit vulnerabilities in these systems. One straightforward method involves recording the key fob’s radio frequency output when the owner is away from the vehicle or when the signal to the car is being jammed. These recorded, unused codes can then be replayed later to unlock the car.
Another, more complex approach involves reverse engineering the RKS sequence. While generally challenging, there have been instances where weaknesses in implementation or encryption have made this surprisingly feasible.
Furthermore, some cars feature proximity-based unlocking systems that automatically open when the owner approaches. These systems rely on low-power signals intended for short-range communication. However, these signals can be intercepted and amplified to extend their range, enabling unauthorized unlocking from a distance.
The landscape of car remote attacks is constantly evolving, with new methods emerging as vehicles become more technologically advanced and incorporate more complex embedded systems.
Replay Attacks: Exploiting Recorded Car Key Fob Frequency Signals
Replay attacks are among the oldest and simplest forms of attack. They involve capturing the radio frequency waveform emitted by a key fob, often using a device like an RTL-SDR, and then retransmitting this recorded signal at a later time. This technique is effective against older garage door openers that used fixed, unchanging codes. Some older car models, such as certain pre-2000 Mercedes, might also be susceptible to such attacks if they utilize similar fixed-code key fobs.
Even with rolling code key fobs, replay attacks remain relevant. If an attacker can gain access to a key fob when it is out of range of the car and record several button presses, these recorded signals can be replayed to unlock the vehicle later.
If direct access to the key fob is not possible, a more sophisticated replay attack can be executed using a device that simultaneously records the key fob’s transmission and jams the signal reaching the car. A common technique is to listen to the key fob’s transmission and initiate jamming just as the error correction bits are transmitted at the end of the data packet. This ensures the jamming signal doesn’t interfere with the recording process. The car will not receive a valid signal due to the jamming, but the attacker captures a valid code. By recreating the error correction bits if necessary, the attacker can then retransmit the recorded waveform later to unlock the car.
Furthermore, a jammer alone can prevent the remote from successfully locking the car. If the driver is not observant, they might inadvertently leave their car unlocked and vulnerable.
Retransmission Devices: Extending the Range of Car Key Fob Frequency Signals
These attack methods rely on the attacker’s ability to both receive and transmit radio frequency signals. While RTL-SDRs excel at receiving and capturing signals, transmitting requires different hardware. Several USB dongles based on chips like the TI CC111X, commonly used in key fobs, offer transmission capabilities. One example is:
Another device that has gained significant attention is the Flipper Zero:
This device incorporates the same chip as the USB dongle but is packaged in a more user-friendly and accessible format. It is often described as the “Swiss army knife” of RF hacking due to its versatile capabilities. The Flipper Zero has generated considerable controversy, which is a topic worthy of further exploration.
A particularly flexible and cost-effective transmission method involves using a Raspberry Pi to generate RF signals. By sending carefully crafted data sequences to the Raspberry Pi’s GPIO port, it can emulate RF transmissions. Detailed instructions, videos, and code are available here:
Raspberry Pi transmitter for RF signals
This approach allows for generating virtually any digital packet waveform, and the power output is sufficient for emulating car key fobs. Combined with the RTL-SDR’s excellent support on the Raspberry Pi platform, these tools create a comprehensive and affordable key fob hacking system for around $50, as will be demonstrated.
Attacking Passive Keyless Entry and Start (PKES) Systems: Range Extension Exploits
Many high-end vehicles utilize Passive Keyless Entry and Start (PKES) systems, which automatically unlock the car as the owner approaches. These systems operate by transmitting a low-power challenge signal from the car. A key fob within close proximity is expected to respond with an authentication signal. The car assumes close proximity based on the low signal power and unlocks if a valid response is received.
These PKES systems are vulnerable to relay attacks. Attackers can construct a repeater device placed near the car. This repeater intercepts the car’s challenge signal, amplifies it, and retransmits it at a higher power. This extended range signal can reach a legitimate key fob located much further away, even hundreds of meters. The key fob, upon receiving the amplified signal, responds as normal. The repeater then captures the key fob’s response and relays it back to the car. The car, receiving a valid response, incorrectly concludes the key fob is nearby and unlocks.
The advantage of this relay attack is that it requires minimal knowledge of the key fob’s internal workings; only the operating frequency is needed. There is no need to reverse engineer the communication protocol; the attack simply leverages the legitimate key fob’s functionality.
A video demonstrating car thieves using this technique to steal a Tesla Model 3 is available:
Passive Remote Attack on Tesla Model 3
Mitigating the risk of such attacks requires understanding these vulnerabilities and implementing preventative measures.
Exploiting Rolling Key System Vulnerabilities: Code Cracking
More advanced attacks target the rolling key system itself. Typically, in a rolling code system, the key fob transmits its unique ID along with a counter value that increments with each button press. This data is encrypted before transmission to the car.
If robust encryption is employed, deciphering the user ID and counter should be computationally infeasible. However, several notable cases have revealed critical weaknesses. One prominent example involves Volkswagen vehicles manufactured over a 20-year period (including Audi, Porsche, and other brands within the VW group). Another case involves Subaru vehicles.
Details of the VW RKS system vulnerability are described in this article:
VW Key Fob Hack Exposes Millions of Cars
This link leads to a Wired article (currently behind a paywall) and references a technical paper providing in-depth analysis of the vulnerability. Researchers investigated VW RKS systems spanning two decades.
While the encryption used in the more recent systems was relatively strong, equivalent to a 90-bit key, a critical flaw was discovered: the same encryption key was used across millions of vehicles, estimated at 100 million cars!
The challenge then became determining this universal key and the encryption algorithm. The car itself inadvertently aids in this process. When a button is pressed, the car receives the signal and decrypts it within its onboard computer (ECU). The encryption key and algorithm are stored in the ECU firmware. Researchers acquired ECUs from eBay, downloaded the firmware, and successfully reverse engineered the encryption, which often involved relatively simple bitwise operations. With this knowledge, by capturing a single key press transmission, the user ID and counter could be decoded, and the key fob effectively cloned, granting complete control over the vehicle.
Several alarming implications arise from this vulnerability. Firstly, every VW car’s ECU is capable of decrypting signals from any VW key fob due to the shared key. By monitoring the ECU’s operations, it’s theoretically possible to extract user IDs and counters for all nearby VW vehicles. Reports suggest that similar techniques have been used to target other car manufacturers as well.
The reason a car only responds to its paired remote is due to an “allow list” of authorized key fob IDs stored within the car’s system. This list is configured during the key re-keying process.
These revelations highlight significant security shortcomings in car key fob systems, and further vulnerabilities continue to emerge as cars become more complex.