$17 radio amp lets thieves steal Priuses

On my 2008 Prius there is a button under the wheel below the dash that turns off the Smart Key system (automatic keyless entry), so that to open the car you must press the button on the remote and then you actually have to insert the key in the slot to be able to turn the car on. It is there for when you are not going to drive the car for more than 7 days (if you go away on vacation without the car) because the keyless entry system is always “looking” for the key and that can drain the 12V auxiliary battery over a week or so (it does in fact do that, from personal experience).

Disabling obviously defeats the whole purpose of the automatic system. I am spoiled, when I get rental cars I am always dumbfounded when the thing doesn’t automatically unlock when I put my hand on the handle.

You can build a simple range detection circuit with a phase lock loop. At say 200 MHz there is plenty of scope to work out if your remote is one or ten metres away. Using signal strength is dumb.

OK, having thought about this a bit, I believe a countermeasure is possible, though I am doubtful Toyota would be interested - they’d rather just sell me a whole new car :wink:

Based on the fact that anything the car sends out would be near-instantaneously amplified for this man-in-the-middle (?) / impersonation attack, I’d have the vehicle listen for an amplified, slightly delayed version of its hailing message, going into a 1 second lockdown should it be detected.

Toyota: You’re welcome

Edit: This might be the germ of an idea for a small intervention device which can be installed into the car door, listening for the hail message, and the echo, and preventing the unlock relay from firing should it be detected.

Crowdfunding, anyone?

My 2010 Prius doesn’t let you start it from the fob. You have to push a button inside the car (and it has to detect that a fob is inside the vehicle…).

…what about a RFID/NFC tag in one’s trousers, at the knee position? Knee-bump the door (with built-in reader at the proper height), and it unlocks. No hands needed. No long-range transmission needed. If coupled with a mechanical switch or low-power capacitive proximity sensor, negligible power consumption so no battery drain over weeks.
A proper challenge-response protocol would also make it hardened against replay attacks.
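An added example, not from any commenter in this thread, of the two countermeasures raised above: the challenge-response protocol that defeats replay, plus the delay check from the earlier post, here as a round-trip time bound that refuses an answer arriving later than a genuinely nearby fob could manage. The shared key, the delays and the 1 ms threshold are constructed assumptions, and the radio is simulated with a counter so the script runs offline.

```python
import hashlib
import hmac
import secrets

# Constructed values for this example; a real design would use a per-fob key
# and a bound measured against the actual radio hardware.
SHARED_KEY = b"constructed-demo-key"
MAX_ROUND_TRIP_NS = 1_000_000  # hypothetical: genuine fob must answer within 1 ms

clock_ns = [0]  # simulated clock so each link can model its own delay

def fob_respond(key, challenge):
    # The answer depends on a fresh challenge, so a captured answer cannot be replayed.
    return hmac.new(key, challenge, hashlib.sha256).digest()

def car_try_unlock(key, link):
    """link(challenge) models the radio path to whatever answers; returns the car's verdict."""
    challenge = secrets.token_bytes(16)
    sent = clock_ns[0]
    response = link(challenge)
    rtt = clock_ns[0] - sent
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(response, expected):
        return "rejected: wrong response"
    if rtt > MAX_ROUND_TRIP_NS:
        return "rejected: answer too late (relay suspected)"
    return "unlocked"

def run_scenarios():
    def direct(challenge):  # fob really in hand: about 0.2 ms round trip
        clock_ns[0] += 200_000
        return fob_respond(SHARED_KEY, challenge)

    def relayed(challenge):  # same genuine fob, but reached through a relay: about 5 ms
        clock_ns[0] += 5_000_000
        return fob_respond(SHARED_KEY, challenge)

    captured = fob_respond(SHARED_KEY, b"challenge from an earlier session")

    def replay(challenge):  # a stale captured answer, fast but tied to an old challenge
        clock_ns[0] += 200_000
        return captured

    return {
        "direct": car_try_unlock(SHARED_KEY, direct),
        "relayed": car_try_unlock(SHARED_KEY, relayed),
        "replay": car_try_unlock(SHARED_KEY, replay),
    }
```

Only the direct path unlocks: the challenge-response alone still passes the relayed answer, which is exactly why the timing bound is needed on top of it.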

Do thieves like to steal Priuses a lot? Are they great for joyriding?

They get good mileage. :slight_smile:

I thought the communication was two way, a sort of challenge and response. Also a “wake up” round trip. So I would think you would need two way amplifiers to do it properly, but the white papers seem to only show one way transmission from the car to the key. I would have suspected the key would be weaker power due to the smaller battery.

Anyway, the Prius can be driven an unlimited distance without the key present once it has been started. They don’t want the car cutting out on a lonesome highway if the fob battery dies. So until the ignition is powered off, the car can be driven even if the key is with the person the car was jacked from. Hence you could in theory steal the whole car not just open the door with this approach.

I like the idea of storing the keys in the fridge at home as a workaround. Or under your tin foil hat.

Network effect: the more popular a car model, the more in demand its parts will be.

Shiznit, that’s pricy stuff. I will have to experiment with whatever I can find at the fabric store or dig around our various thrift stores for appropriately sized little metal boxes.

Re: your comment at 27-ish - I’m now under the strong impression that you don’t live somewhere that snow regularly occurs. The last thing I want to do is physically touch my car with my pants two days after a snowfall. The car will be covered in road salt.

My experiments with RFID shielding showed that a fairly durable material with decent shielding properties is the aluminium-lined cardboard-plastic composite used in TetraPak-style packaging. The prototype I tested for ID cards was made from material salvaged from an orange juice carton.

Some snow, not much. Rarely a lot, unless you’re in the mountains. The road salt yuck factor can be handled by a proximity sensor.

As cheesy as the little sleeve my driver's license came in when the state sent it to me seems, it works quite well. I’ll keep a sharp eye on our outgoing food packaging for something similar. Ooooh, I know! The soup we got from Costco came in weird metallic-lined boxes! Too big, but I can cut it down to size with the old X-Acto.

Oi, now we’re right back to the same exploitable proximity sensors.

Also, some instant food bags, e.g. for powdered soup. Look for things with thick-ish aluminium layer, must not be translucent to bright light (though pinholes are okay for this application). The foils can be cut to shape and joined by e.g. ironing over the edges (using aluminium cooking foil or maybe even paper as a barrier layer from the outside); a little hot-melt adhesive can be added to the joint.

Not really; the proximity sensor here only serves to start the NFC comm reader. Which has its own vulnerabilities, but that can be addressed by the proper challenge-response protocol in the tag, and grossly limited operating distance. (Proxying the reader through a remote link would still work, but the adversary would have to get close enough to you. And the tag may have an indicator, whether a beeper or a little vibration motor with a coin battery, that it is being interrogated.)

Of course, all of this “thieves steal” nonsense is partly caused by auto bureaucracy and its belief in “ownership”. Is there really any reason to assume that somebody wants to steal your car? When I was a kid, the local military base merely parked fleets of vehicles together. They weren’t locked, and the ignition was a simple toggle switch - it worked perfectly well.

Right, same as my 2012. I point my pickup at your house, grab the signal from your pants pocket, relay it to the car, door opens, I get in, point my pickup out of the window at your house, relay the signals while pushing the button, car starts.

The only tricky part is that (in the 2012 at least) I don’t think you can drive away from a full stop without a signal originating inside the car, so you’ll need to clone the signal well enough to defeat that. Eventually my pickup will be out of range, and just relaying signals won’t work!

That might be quite a trick given how weak (low powered) the passive signal must be in order for me to never have to change batteries…

Did you ever hear of the bluesniper rifle? Picks up bluetooth over a mile away. I saw one in action back around Defcon 9 or thereabouts; it’s amazing what you can do with a highly directional antenna and some noise-canceling.

Oh, I’m sure. I’ve been to Defcon the last 7 years in a row… That said, you need to know where to point it as well. My fob lives in a drawer somewhere inside my house when I’m not driving. Lots of interference.

I’m jealous, I haven’t been since the Bush/Obama economic miracle. Ah, those heady Clinton days…