$17 radio amp lets thieves steal Priuses

2 Likes

Sweet. Now, show me the way to the metallic thread 'cause I need to knit myself a Faraday satchel tout de suite.

Also, the Prius just happened to be the article subject’s car, but if it works with a Toyota product, it probably works on all Japanese makes, if not the majority of makes across the world with proximity key detection. Thanks global OEM parts producers!

2 Likes

Relevant: http://www.internetsociety.org/doc/relay-attacks-passive-keyless-entry-and-start-systems-modern-cars-paper

3 Likes

This has always worked with just about any RF keys which don’t use encryption, the only difference is what frequencies to snoop in. There are ways to avoid the exploit by using encryption which hops in both the fob and lock to not use the same key twice in a row. (there is probably a name for this)

In this case encryption has nothing to do with it. The devices are amplifying the signal such that it is the owner's actual key talking to the car, just at a longer range than intended, so the car unlocks while the key remains inside the house.

3 Likes

(yes, I drive a 2005 Prius with said Toyota Smart Key)

4 Likes

Found this procedure for disabling keyless entry for hybrid Camrys. Unknown if this works also on Priuses.

If you have to keep the Smart Key in a Faraday cage / pouch, then there’s no point in having a Smart Key, as you have to remove the Smart Key from the pouch to use it, completely defeating the advantage of having it in the first place.

2 Likes

That’s what I get for skimming while I cook lunch!

Yes, that’s quite sneaky. But encryption having nothing to do with it was my point. If the same signal is always emitted, then it doesn’t change every time it is in proximity to the car. You fix it by the car and fob both generating a new key each time the fob is brought into proximity to the car. Using a two-way repeater, and even making it change between unlocking and ignition would make it more difficult and risky for the thieves.

I hear ya. The alternative is some jackass driving off with my damned car when I’m at the friggin’ grocery. Imma gonna sew one of these satchels into my purse key pocket and make a free-floater for when I don’t carry a purse. (2010 Prius, smart key not even optional)

2 Likes

Actually, encryption does have something to do with it, including why these amplifier devices merely open doors, not start cars, even when the fobs also do keyless ignition.
To defeat a car that uses an encryption handshake between key and car (instead of a garage-door-opener style of rolling code), you would need two amplifiers working simultaneously on two different frequencies, with one placed at the car and one placed at the key. When using just an amplifier as in the article, you could defeat a non-encrypted key, or you could defeat an encrypted key if the key was sitting next to the car (in which case the car is supposed to be unlocked already and there is nothing to defeat) or if the key is sufficiently poorly designed, but you couldn’t defeat an encrypted key that is not with the car and properly designed, because only half of the necessary challenge/reply conversation is being broadcast with more than a few feet of range. (In the article example, it’s not clear which is happening - it could be an unencrypted key, or it could be that the key was encrypted but the car was parked beside the kitchen with the key next to it on the kitchen counter. However, since these articles have been appearing for years and they always talk about doors being opened, not cars started, my assumption is that some models of cars open their doors with a one-way transmission, i.e. without encryption, presumably just a rolling code like a garage-door-opener. This allows someone to use the same system to lock their car at a distance using a fob button without the manufacturer having to equip the car with a more powerful variable-distance transmitter, and because there is no need for ignition at a distance, ignition is not included in their low-security corner-cutting system.)

This attack does not appear to work on cars that have encrypted fobs.

2 Likes
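The distinction the two posts above are drawing, as an added toy model that is not from the thread (hypothetical `Car`/`Fob` classes with a constructed shared key): a challenge/response handshake rejects a replayed old answer, but a two-way relay that forwards the live challenge and its answer still unlocks the car, because the cryptography is intact and only the distance is being faked.

```python
import hmac
import hashlib
import os

# Constructed demo secret; in a real system this is a per-fob key shared with the car.
SHARED_KEY = b"constructed-demo-key"

class Car:
    """Issues a fresh random challenge and accepts exactly one matching answer for it."""
    def __init__(self, key):
        self.key = key
        self.challenge = None

    def issue_challenge(self):
        # A new nonce every time the handle is touched, so old answers are worthless.
        self.challenge = os.urandom(16)
        return self.challenge

    def check(self, response):
        if self.challenge is None:
            return False
        expected = hmac.new(self.key, self.challenge, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        self.challenge = None  # one-shot: a used nonce is never accepted again
        return ok

class Fob:
    """Answers whatever challenge reaches it; it cannot tell how far away the car is."""
    def __init__(self, key):
        self.key = key

    def answer(self, challenge):
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

def replay_rejected(car, fob):
    """Record one genuine exchange, then offer the old answer to a new challenge."""
    old = fob.answer(car.issue_challenge())
    if not car.check(old):
        raise RuntimeError("genuine exchange should succeed")
    car.issue_challenge()       # car now expects an answer to a different nonce
    return not car.check(old)   # True: the replayed answer is rejected

def relay_succeeds(car, fob):
    """Two-way relay: the live challenge goes out to the distant fob and its answer comes back."""
    c = car.issue_challenge()   # forwarded from car to fob
    r = fob.answer(c)           # fob answers as if the car were beside it
    return car.check(r)         # True: the car cannot distinguish this from the key being present
```

Because the relay changes only the round-trip time, not the bytes, the countermeasure in the linked paper is to bound that round trip (distance bounding) rather than to add more encryption.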

Im in ur base, stealing ur Priapus…

5 Likes

Isn’t that a relatively slight advantage anyway, unless your daily armload of bundles are too slight for a shopping cart yet too burdensome for convenient rifling through pockets or purse for car keys?

I assume it varies from person to person, but in my experience it’s one of those things where you don’t realize what a big advantage it is until you’ve gotten used to it, then have to go back to the old way (e.g. with a rental) and discover what a constant annoyance it really was. You get to have your hands free to carry things, you don’t need grocery carts, you don’t need to wear pockets or you can wear pants with awkward pockets (jeans), you never accidentally leave your car unlocked, you never remember too late when you’re out of range and have to walk back to lock the car, you never lock your car while preoccupied with more important things and then later wonder if you’re sure you locked it and whether you should go back and check, you don’t need to be hunting around in a bag trying to find the damn keys all the time, or constantly having to fiddle with fiddly stuff all the time; you just step out of your car and do the thing you want to do. It’s a bit like a smartphone in that when you’re not used to them, their advantage seems considerably smaller than when they’re part of your life.

3 Likes

Another day, another hit piece on the Prius… in reality, this problem is not restricted to the Prius and there are models of Prius that aren’t vulnerable.

However, current models of both the Toyota Prius and the Nissan Leaf do have proximity keys, that open the doors and also start the car and optionally do other things.

Obviously I can focus a dish on the owner’s house, pull the signal, repeat it to the car, it’ll open. If I can copy the fob (no or very simple encryption) then I can drive away with the car, too.

Keyless entry and start is all that is offered, because screw you, that’s why. You’ll buy alloy wheels, too, even though you’d rather have steel, because screw you. Welcome to the auto industry!

1 Like

So I know this attack has been previously demonstrated in a theoretical sense (with lab equipment and shorter range), but if you can really buy these off of eBay or Amazon for $20, what kind of journalist wouldn’t get one and try it himself?

3 Likes

The absence of encryption appears to be on the doors, not the ignition. If they don’t have encryption on the ignition, that would be really stupid (but not surprising - I’m sure there are auto manufacturers who drop the ball on security); however, I’ve been reading these articles for years and never seen one where the keyless ignition could be activated by these simple attacks. The more complex and impractical attack (that I mentioned earlier) seems to be necessary.

(Keyless ignition is more secure than a key switch, which can be hotwired in seconds.)

1 Like

2014 Prius C Two owner here, with a “dumb” key that requires button presses to transmit lock and unlock signals, and a standard ignition-like switch that requires the key to be inserted and turned. It may be primitive by car gadget standards, but it’s pretty secure.

(Of course, as with all cars, it just takes a few seconds with a prybar, or a rock, and no witnesses to open the door anyway.)

1 Like

Some cars can be hotwired quickly. Many cannot.

Some cars appear to have key switches, but actually it’s a chip in that key’s big black plastic head that’s starting the car.

Oh great, now I’m 2 for 2

2 Likes