Thieves armed with "code grabbers" are breaking into cars by recording signals sent by remote keyless entry devices.
Automobile remote keyless entry systems (RKE) were introduced in the 1980s. They’ve proved to be a big hit, making it easier for the grocery-laden to unlock their cars and sparing many of the terminally forgetful from finding they’ve left their keys in the ignitions of their now-locked vehicles or their purses on the seats of same.
The earliest RKE systems were quite vulnerable to the sort of attack that was described in warning e-mails widely spread via the Internet. Their RF transmitters (usually built into key fobs) sent unique identifying codes that could be picked off by ‘code grabbers,’ devices that recorded the codes sent out when drivers pushed buttons on their remote key fobs to lock or unlock their cars:
[Collected via e-mail, August 2013]
I locked my car. As I walked away I heard my car door unlock. I went back and locked my car again three times. Each time, as soon as I started to walk away, I would hear it unlock again!! Naturally alarmed, I looked around and there were two guys sitting in a car in the fire lane next to the store. They were obviously watching me intently, and there was no doubt they were somehow involved in this very weird situation. I quickly chucked the errand I was on, jumped in my car and sped away. I went straight to the police station, told them what had happened, and found out I was part of a new, and very successful, scheme being used to gain entry into cars. Two weeks later, my friend’s son had a similar happening….
[Collected via e-mail, June 2008]
My oldest son Mike came over yesterday – He had to go to Canada for work last week. One of the other engineers traveling to Canada with him, but in his own car, had something happen that I need to share.
While traveling he stopped at the roadside park, similar to what we have here with bathrooms, vending machines etc. He came out to his car less than 4-5 minutes later and found someone had gotten into his car, and stolen his cell phone, laptop computer, GPS navigator, briefcase… you name it.
They called the police and since there were no signs of his car being broken into — the police told him that there is a device that robbers are using now to clone your security code when you lock your doors on your car using your key-chain locking device. They sit a distance away and watch for their next victim. Since they know you are going inside the store, restaurant, or bathroom, they have a few minutes to steal and run. The police officer said to be sure to manually lock your car door by hitting the lock button inside the car. That way if there is someone sitting in a parking lot watching for their next victim it will not be you.
When you hit the lock button on your car upon exiting it does not send the security code, but if you walk away and use the door lock on your key chain, it sends the code thru the airwaves where it can be intercepted. I just wanted to let you know about this… it is something totally new to us… and this is real… it just happened this past Thursday June 19th to his coworker…
So be aware of this and please pass this note on. Look how many times we all lock our doors with our remotes. Just to be sure we remembered to lock them, and bingo the guys have our code, and whatever was in the car can be gone.
I just wanted everyone I know to hear this from me. I never knew about anything like this and do not want this to happen to anyone I know, If we can educate each other on bad things happening.
Keep safe everyone!
[Collected via e-mail, August 2006]
Tonight, John and I went to Church, out to dinner, and then to the movies at Loews, on Spring Valley and Central. Apparently, while we were in the movie theatre, someone broke into our car. John’s sun glasses were taken (they are going to be really surprised when they find out they were prescription!). Aside from the glasses taken and the two glove boxes open, nothing else was taken, including the home clicker. Now, here is the really odd part: there was NO forced entry into the car, nothing was broken, scratched, or removed from the outside of the car. We were really baffled as to how anyone could have gotten into the car that we had locked. The answer came from the security guard at Micro Center, who was in the parking lot talking to another man whose car had also been rifled. (In that instance, the man’s wallet, keys, checkbook, and credit cards were stolen.) But there was no forced entry there either. We soon learned that thieves now have some type of high tech gadget that can monitor and replicate the key pad locking device. In other words, when we got out of the car and started to walk away, John hit his key pad to make sure the doors were locked. When it beeped, apparently there was someone in the vicinity who had one of those devices/gadgets and replicated the key lock tone and then used it to get into the auto.
If you know of other instances where this has happened, please let the NA’s/HOA’s know, so they can spread the word to our neighbors to be cautious in locking their car doors. If this is indeed how someone could get into our car, then you can bet that from now on I will definitely manually lock all the doors. We will never again get out, walk off, and then use that key pad to lock the car. Great invention, but obviously you have to be discreet in where you use it.
Have a great day but keep a ‘heads up’!
[Collected via e-mail, November 2008]
Once again, we are approaching the holiday season and that often means a greater risk of becoming a victim of crime. We suspect that, with the current economic conditions, this year the risk could be even greater than normal. In addition, there is evidence that a new form of automobile burglary has begun to occur around the country. Thieves may be using a device that allows them to copy the signal sent out when automobile owners use their remote key button to lock their vehicles. The thief records the signal and then watches as the intended victim walks away. Then, they simply unlock the vehicle. These aren’t typical car break-ins. There is no broken window, the car lock is intact. It appears thieves may be scanning crowded parking lots with some sort of device, and when they see your lights flash, meaning they’ve made a hit, they help themselves. The only way to avoid this type of crime is to use the car door lock button located inside your vehicle, rather than using your remote locking device. While the Tallahassee Police Department reports they are not aware of this occurring in Tallahassee, they do say that it could be occurring in those instances where victims are unclear as to whether or not they had locked their vehicles.
However, times change and technology advances. In response to the fixed code security weakness, automakers shifted from RKEs with fixed codes to systems employing rolling random codes. These codes change every time a given RKE system is used to lock or unlock car doors and thus rendered the earlier ‘code grabbers’ ineffective. That form of more robust code system became the industry standard for remote keyless entry systems in the mid-1990s, so automobiles newer than that are not vulnerable to being quickly and easily opened by criminals armed with the first generation of code grabbers.
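The difference between the two generations, seen from the receiver in the car, as an added example that is not from the original article or from any manufacturer's code. It uses an HMAC over a counter as a stand-in for a real rolling-code cipher; the key, frame layout and 16-step acceptance window are assumptions chosen for illustration.

```python
import hmac
import hashlib

WINDOW = 16  # assumed look-ahead so presses made out of range do not desync the fob

def rolling_frame(key: bytes, counter: int) -> bytes:
    """Fob side: 4-byte counter plus a truncated MAC over it (stand-in cipher)."""
    ctr = counter.to_bytes(4, "big")
    return ctr + hmac.new(key, ctr, hashlib.sha256).digest()[:8]

class FixedCodeReceiver:
    """Early RKE model: the same identifying code is valid forever."""
    def __init__(self, code: bytes):
        self.code = code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)

class RollingCodeReceiver:
    """Accepts a frame only if it is authentic and newer than the last one used."""
    def __init__(self, key: bytes, last_counter: int = 0):
        self.key = key
        self.last = last_counter

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 12:
            return False
        counter = int.from_bytes(frame[:4], "big")
        if not hmac.compare_digest(frame, rolling_frame(self.key, counter)):
            return False      # forged or corrupted frame
        if not (self.last < counter <= self.last + WINDOW):
            return False      # already used (replay) or too far ahead
        self.last = counter   # advance state: this frame can never be reused
        return True

def demo() -> dict:
    key = b"constructed-demo-key"           # constructed sample value
    fixed = FixedCodeReceiver(b"\x12\x34\x56\x78")
    rolling = RollingCodeReceiver(key)
    recorded_fixed = b"\x12\x34\x56\x78"    # fixed-code fob sends this on every press
    recorded_roll = rolling_frame(key, 1)   # rolling-code fob, press number 1
    return {
        "fixed_first": fixed.accept(recorded_fixed),
        "fixed_replay": fixed.accept(recorded_fixed),
        "rolling_first": rolling.accept(recorded_roll),
        "rolling_replay": rolling.accept(recorded_roll),
        "rolling_missed_presses": rolling.accept(rolling_frame(key, 10)),
        "rolling_out_of_window": rolling.accept(rolling_frame(key, 40)),
    }
```

The fixed-code receiver accepts the recorded frame a second time, while the rolling-code receiver rejects it because its counter has already moved past that value.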
It is theoretically possible for a thief armed with the right technology and the ability to manipulate it correctly to snatch a modern keycode from the air and use it to enter a vehicle. However, it’s unclear how many (if any) crooks have managed to overcome the issues of complexity and time involved in the process to use it as a practical means of stealing from cars. If the scheme requires would-be thieves to have specialized knowledge and equipment and spend hours (or more) crunching data and replicating a device to produce a correct entry code, its application to boosting valuables from cars in parking lots would be rather limited. As Microchip Technology, the manufacturer of KEELOQ brand RKE systems, noted of this possibility:
The theoretical attack requires detailed knowledge of the system implementation and a combination of data, specialized skills, equipment and access to various components of a system which is seldom feasible. These theoretical attacks are not unique to the Keeloq system and could be applied to virtually any security system.
So far we haven’t encountered any documented cases of items being stolen from locked cars via entry gained through the use of code grabbers, much less evidence that it’s a widespread form of theft. There have been a few reported incidents of thieves’ managing to gain entry to locked vehicles through the apparent use of some form of electronic device, but the specific nature of those devices has yet to be determined.
In some similar cases it has been speculated that thieves who have been stealing purses and other valuables from parked vehicles have been using a device that blocks remote keyless signals and thus prevents car doors from locking (rather than using a device that emulates remote keyless signals to open locked doors). In 2016, researchers theorized some makes and models were potentially vulnerable to such an attack, but again there was little to indicate that cars are routinely (or even rarely) stolen in such a fashion:
“It is conceivable that all VW Group (except for some Audi) cars manufactured in the past and partially today rely on a ‘constant-key’ scheme and are thus vulnerable to the attacks,” the paper argues.
The only exception the researchers found were cars built on VW’s latest MQB production platform, which is used in its top selling model, the Golf VII, which they found does not have the keyless flaw.
A VW spokesman said that the current Golf, Tiguan, Touran and Passat models are not vulnerable to the attack.
“This current vehicle generation is not afflicted by the problems described,” VW spokesman Peter Weisheit said in a statement[.]
For the most part, any efforts by car thieves to steal vehicles by exploiting RKE systems have likely been supplanted by a much easier method, that of using boosting devices to relay the RKE signals from far enough away that the car’s owner is unaware of it:
A group of researchers at the Beijing-based security firm Qihoo 360 recently pulled off the so-called relay hack with a pair of gadgets they built for just $22. That’s far cheaper than previous versions of the key-spoofing hardware. The Qihoo researchers, who recently showed their results at Amsterdam’s Hack in the Box conference, say their upgrade also significantly multiplies the radio attack’s range, allowing them to steal cars parked more than a thousand feet away from the owner’s key fob.
The attack essentially tricks both the car and real key into thinking they’re in close proximity. One hacker holds a device a few feet from the victim’s key, while a thief holds the other near the target car. The device near the car spoofs a signal from the key. That elicits a radio signal from the car’s keyless entry system, which seeks a certain signal back from the key before it will open. Rather than try to crack that radio code, the hacker’s devices instead copy it, then transmit it via radio from one of the hackers’ devices to the other, and then to the key. Then they immediately transmit the key’s response back along the chain, effectively telling the car that the key is in the driver’s hand.
“The attack uses the two devices to extend the effective range of the key fob,” says Jun Li, one of the researchers in the Qihoo group, who call themselves Team Unicorn. “You’re working in your office or shopping in the supermarket, and your car is parked outside. Someone slips near you and then someone else can open up and drive your car. It’s simple.”
One of the versions of this warning circulated in 2008 contained the contact information for Const. Wally Henry, an RCMP officer from Sherwood Park, Alberta. Henry disclaimed the story being spread in his name, saying in his voice mail message to those who telephoned, “If your call is concerning an e-mail with my name attached to it, please be advised that the information in that e-mail is false, and please do not disseminate it any further.”