
3rd Gen Wireless Key Fob Hacking

Discussion in '3rd Gen. Tacomas (2016-2023)' started by tacitos, Oct 14, 2016.

  1. Oct 14, 2016 at 6:50 PM
    #41
    the_dau

    the_dau Well-Known Member

    Joined:
    Jul 24, 2016
    Member:
    #192803
    Messages:
    1,165
    Gender:
    Male
    Vancouver BC
    Vehicle:
    2017 Inferno TRD OR DCSB
    wire in a fuel cut switch
     
  2. Oct 14, 2016 at 7:04 PM
    #42
    InSight Retrofits

    InSight Retrofits Closed

    Joined:
    Sep 17, 2013
    Member:
    #112687
    Messages:
    1,260
    Gender:
    Male
    I have full coverage, they can buy me a new one every model year if they want
     
    Kilokato likes this.
  3. Oct 14, 2016 at 7:31 PM
    #43
    Riding Dirty

    Riding Dirty Sinner; saved by grace

    Joined:
    May 27, 2016
    Member:
    #188065
    Messages:
    2,391
    Vehicle:
    Before: '16 TRD OR 4x4 AC QS//After: 17 T4R Pro 040
    PlastiDip
    But won't the truck cut off eventually? Mine starts beeping and acts like it will kill the engine if I start it and then get out of the truck and move away where the signal gets weak. But I don't know if it would cut off or not? Curious as to what you guys think.
     
  4. Oct 14, 2016 at 7:36 PM
    #44
    over60

    over60 Over70 & still a "Grumpy Old Guy"

    Joined:
    Oct 20, 2010
    Member:
    #44995
    Messages:
    4,791
    Gender:
    Male
    First Name:
    John
    Muskoka, Ontario
    Vehicle:
    2016 Inferno (Punkin) TRD 4X4 Sport DCLB w/upgrade & tech pkg..!!
    Toyota running boards/Solid Fold 2.0/custom stickers/Anti-Dark LED light under hood/Derped grill/Scoop, etc.
    It's good till it's shut off .... then it's not gonna start..!
     
  5. Oct 15, 2016 at 2:51 PM
    #45
    Sagebrush

    Sagebrush Well-Known Member

    Joined:
    Apr 2, 2016
    Member:
    #183141
    Messages:
    1,421
    Gender:
    Male
    Vehicle:
    Gens 1, 2, 3, and 4
    Move. You'll sleep better.

    SB
     
  6. Oct 15, 2016 at 3:06 PM
    #46
    AAChaoshand

    AAChaoshand Well-Known Member

    Joined:
    Dec 9, 2015
    Member:
    #171854
    Messages:
    506
    Gender:
    Male
    First Name:
    Brandon
    Central Texas
    Vehicle:
    2017 Nissan Titan SL 4x4
    The truck does not turn off if you leave the FOB area, the beeping is just an indication the FOB is not within range.
     
  7. Oct 15, 2016 at 5:38 PM
    #47
    3dBdown

    3dBdown Well-Known Member

    Joined:
    Sep 18, 2015
    Member:
    #164574
    Messages:
    699
    Gender:
    Male
    Vehicle:
    2016 DCLB BBP 4x4 Sport
    This is the reason? Makes you wonder how they stole cars when there were just regular ole dumb keys, lol.

    In all seriousness though, I prefer the dumb key on principle.
     
  8. Oct 15, 2016 at 6:44 PM
    #48
    Riding Dirty

    Riding Dirty Sinner; saved by grace

    Joined:
    May 27, 2016
    Member:
    #188065
    Messages:
    2,391
    Vehicle:
    Before: '16 TRD OR 4x4 AC QS//After: 17 T4R Pro 040
    PlastiDip
    I too prefer the dumb key on principle. I just like a physical key in ignition to turn over rather than a push button.
    It's the icing on the cake for not wanting a smart key.
     
  9. Oct 15, 2016 at 7:28 PM
    #49
    tacoflavoredkisses1

    tacoflavoredkisses1 Well-Known Member

    Joined:
    Apr 10, 2016
    Member:
    #183838
    Messages:
    2,564
    Vehicle:
    16 TRDOR DCSB (SOLD)
    I'd let someone steal my truck if they promised to fix the howling and vibrating.


    Also, you are absolutely retarded if you think this is a serious problem.
     
    gpb, TacoJova and Kilokato like this.
  10. Oct 15, 2016 at 7:29 PM
    #50
    tacoflavoredkisses1

    tacoflavoredkisses1 Well-Known Member

    Joined:
    Apr 10, 2016
    Member:
    #183838
    Messages:
    2,564
    Vehicle:
    16 TRDOR DCSB (SOLD)
    I've said it before, and I'll say it again. I want a crank start engine again. It's the only way to get the control I need over my vehicle. It's ridiculous to think that you would even want to use anything other than that!
     
    Riding Dirty and gpb like this.
  11. Oct 15, 2016 at 7:57 PM
    #51
    RBfastback

    RBfastback It's Got Electrolytes

    Joined:
    Jul 26, 2016
    Member:
    #193004
    Messages:
    401
    Gender:
    Male
    First Name:
    mike
    FL
    Vehicle:
    16 mgm TRD off road
    if someone stole my truck i'd just get the trd pro the next month lol
     
    James_Bond and Riding Dirty like this.
  12. Oct 15, 2016 at 7:58 PM
    #52
    tacoflavoredkisses1

    tacoflavoredkisses1 Well-Known Member

    Joined:
    Apr 10, 2016
    Member:
    #183838
    Messages:
    2,564
    Vehicle:
    16 TRDOR DCSB (SOLD)
    Against my better judgement I will respond with actual information in this thread. To alleviate the absolutely absurdly anxious people that should probably be wearing tinfoil everyday....

    (Check this out: http://www.ti.com/lit/ds/slws011d/slws011d.pdf)

    Basically, car transmitters use 40bit (or more) rolling code generators. 40 bits works out to be about 1 trillion different code possibilities. The transmitter is sync'd with your car's receiver. The transmitter/fob has a memory that stores the latest code. It sends it over to your car (with the function it should perform like unlock/lock/alarm <--I'm sure you tinfoilers use that last one a lot) which also has the latest code stored in memory--it matches it and executes the function. They will stay in sync and live happily ever after and open your car for ever.

    WHAT HAPPENS WHEN I PUSH THE BUTTON OUT OF RANGE?!?! Well, they thought of that and allow the next 256 codes to also open the door. BTW, before you spazzmos start asking "THAT MEANS SOMEONE CAN OPEN MY CAR BY ACCIDENT". There is literally a 1 in a trillion chance that this is possible. It's only a one in a trillion chance if all car makers are using 40bit as well (which isn't the case..some are using more bits and slightly different variations of this technique. This means it's even more astronomical for someone to accidentally open your vehicle by chance).

    On to why this article is horse shit and why you would be dumb to believe it...

    Because these rolling code generators generate random numbers EACH time they transmit, it would be pointless for anyone to intercept a transmission...because the next number could never be predicted--it's going to be random. Only the transmitter and the receiver can produce the next numbers (and match them). BUT WHAT IF THEY JUST SCAN ALL OF THE POSSIBLE CODES!?!?! Well, in hundreds of years they might open your car. AND YOU'LL BE SCREWED!!!

    Life Lesson #45: Don't believe every bullshit, click-bait article someone posts on your facebook wall.
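
The 256-code look-ahead window described in the post above, as an added example that is not part of the original post or any vendor's code. It assumes the code is a keyed function of a counter shared by fob and receiver, and uses truncated HMAC-SHA256 as a stand-in for the fob's cipher; the class names and the sample key are hypothetical.

```python
import hashlib
import hmac

WINDOW = 256     # look-ahead from the post: the next 256 codes are accepted
CODE_BITS = 40   # code width from the post

def rolling_code(key: bytes, counter: int) -> int:
    """Stand-in generator (assumption): HMAC-SHA256(key, counter) cut to 40 bits."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:CODE_BITS // 8], "big")

class Fob:
    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter

    def press(self) -> int:
        # Every press advances the counter, in range of the car or not.
        self.counter += 1
        return rolling_code(self.key, self.counter)

class Receiver:
    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter

    def accept(self, code: int) -> bool:
        if not 0 <= code < 2 ** CODE_BITS:
            return False
        # Only counters strictly ahead of the stored one, within the window, match.
        for c in range(self.counter + 1, self.counter + 1 + WINDOW):
            if hmac.compare_digest(rolling_code(self.key, c).to_bytes(5, "big"),
                                   code.to_bytes(5, "big")):
                self.counter = c   # resynchronise; every earlier code is now dead
                return True
        return False

def demo() -> dict:
    key = bytes(range(16))              # constructed sample key
    fob, car = Fob(key), Receiver(key)
    first = fob.press()
    results = {"in_sync": car.accept(first)}
    results["replay_of_used_code"] = car.accept(first)
    for _ in range(10):                 # ten presses the car never hears
        fob.press()
    results["after_10_missed"] = car.accept(fob.press())
    for _ in range(WINDOW):             # 256 missed presses: outside the window
        fob.press()
    results["after_256_missed"] = car.accept(fob.press())
    return results

if __name__ == "__main__":
    print(demo())
```
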
     
  13. Oct 16, 2016 at 12:21 AM
    #53
    blackohio

    blackohio Well-Known Member

    Joined:
    Jan 22, 2016
    Member:
    #175780
    Messages:
    2,542
    Gender:
    Male
    First Name:
    Cliche Guevara
    Vehicle:
    white mudflap
     
  14. Oct 16, 2016 at 12:23 AM
    #54
    blackohio

    blackohio Well-Known Member

    Joined:
    Jan 22, 2016
    Member:
    #175780
    Messages:
    2,542
    Gender:
    Male
    First Name:
    Cliche Guevara
    Vehicle:
    white mudflap
    garage door openers.
     
    TacoJova likes this.
  15. Oct 16, 2016 at 7:29 AM
    #55
    Mark318

    Mark318 Member

    Joined:
    Jul 6, 2016
    Member:
    #191370
    Messages:
    7
    Gender:
    Male
    First Name:
    Mark
    Vehicle:
    2016 Tacoma Access Cab 2x4
    New
    What roundysquare said. Both fobs.
     
  16. Oct 16, 2016 at 7:51 AM
    #56
    DaveInDenver

    DaveInDenver Not Actually in Denver

    Joined:
    May 18, 2013
    Member:
    #104390
    Messages:
    3,618
    Gender:
    Male
    First Name:
    David
    Grand Junction
    Vehicle:
    2008 Super White TRDOR AC 6MT
    Unexceptional
    KeeLoq (32-bit block) was broken a long time ago. This is the Microchip device used in just about every car keyless entry.

    https://en.wikipedia.org/wiki/KeeLoq

    It didn't take a brute force approach at all, in fact a slide technique in about 500 CPU days, actually 64 cores in just under 8 days, was able to crack it back in 2007 or 2008. It's a very lightweight cipher.

    https://people.eecs.berkeley.edu/~daw/papers/keeloq-fse08.pdf
    http://www.gregorybard.com/papers/keeloq_tatra.pdf
    https://pdfs.semanticscholar.org/1431/189b0580b8893c90fc40808c1037c8a11c21.pdf
    https://eprint.iacr.org/2011/242.pdf
    https://eprint.iacr.org/2007/055.pdf

    And, FWIW, I do use my physical key to unlock and the door switch to lock my doors most of the time. But it doesn't really matter since the protocol is broken anyway.

    Newer cars have probably moved to a 128-bit key AES (which may be broken already, depending on who you ask) using a newer KeeLoq chipset. That's why the range increasing attacks are used. To defeat this hiding your key in a Faraday cage will work at the individual level. But as far as the original KeeLoq, the master key and manufacturer keys are assumed to be known so it's not really secure anymore.

    http://emsec.rub.de/media/crypto/veroeffentlichungen/2010/09/07/africacrypt2009_keeloq.pdf
    https://www.iacr.org/archive/crypto2008/51570204/51570204.pdf
    https://eprint.iacr.org/2008/058.pdf
    https://securewww.esat.kuleuven.be/cosic/publications/article-1045.pdf
     
    Last edited: Oct 16, 2016
  17. Oct 16, 2016 at 8:38 AM
    #57
    tacoflavoredkisses1

    tacoflavoredkisses1 Well-Known Member

    Joined:
    Apr 10, 2016
    Member:
    #183838
    Messages:
    2,564
    Vehicle:
    16 TRDOR DCSB (SOLD)
    Thanks! Those look like some awesome reads. When I have more time I'll dig into them deeper.

    I was posting from memory (and honestly haven't researched this recently). What I know, I learned about years ago when I curiously googled how this stuff worked.

    I figured it's probably moved to 128 or 256 (or even 1024/2048) for more modern cars, but the fact of the matter is, as long as you use a big enough key/block size, it's just math. As computational power increases the smaller sizes can be broken, but I'm assuming (since I haven't read most of these yet) that these are mostly theoretical or focused on smaller key sizes <64-bit. It's probably reasonable to assume that they've increased the size or updated how the key derivation process works on modern cars to reduce the likelihood of people "hacking" them. (IE I bet they aren't using a masterkey or a weak "seed" for the keys anymore).

    My point was to highlight that most people read these sensationalist articles without understanding how this stuff works. Then they get spooled up and start spreading rumors and putting their keys in faraday bags all of the time--which is really ridiculous. Truck owners are hilariously techno-pessimists.

    IF you guys want to do something to help yourselves out, maybe wear a helmet when you drive? You're more likely to get in a car accident than have someone hack your key fob.
     
  18. Oct 16, 2016 at 8:51 AM
    #58
    Homesteader64

    Homesteader64 Well-Known Member

    Joined:
    Aug 26, 2016
    Member:
    #195647
    Messages:
    170
    Gender:
    Male
    Alberta
    Vehicle:
    Alpine White 17 DCSB TRD OR
    If this in fact works, problem solved. Obviously not ideal, but better than carrying your key in a faraday bag, or taking a microwave with you :)
     
  19. Oct 16, 2016 at 9:08 AM
    #59
    Spacecadetzoom

    Spacecadetzoom Member

    Joined:
    Mar 23, 2009
    Member:
    #15057
    Messages:
    13
    Gender:
    Male
    Comox, BC
    Vehicle:
    2016 Tacoma Ext Cab V6 TRD OF
    Mostly Stock. Tri-fold Hard Box Cover.
    How about turning your FOB off by pressing and holding the lock button and pushing the unlock twice. It won't answer when you're not using the vehicle.
     
    payrow likes this.
  20. Oct 16, 2016 at 9:09 AM
    #60
    DaveInDenver

    DaveInDenver Not Actually in Denver

    Joined:
    May 18, 2013
    Member:
    #104390
    Messages:
    3,618
    Gender:
    Male
    First Name:
    David
    Grand Junction
    Vehicle:
    2008 Super White TRDOR AC 6MT
    Unexceptional
    Those links are academic in nature, but they described how they actually broke the original KeeLoq (e.g. Microchip's Classic KeeLoq). It's not theory, they were actually able to break it and therefore the presumption is criminals have, too.

    The number of bits in the block could be 128, 256 or any number but if the key algorithm isn't complex then it doesn't matter. In the case of 32-bit block KeeLoq there's not enough variability to use the whole block, they fixed too much in the encryption to make it a question of brute force. That's why an algebraic technique worked, the algorithm has too many fixed bits and around 63% of the possible outcomes are automatically thrown away before even looking for keys. Then the basic protocol isn't very secure, an identify-friend-or-foe gives you so much data in the transaction that just a couple of hours of collecting transactions produces a huge data set to analyze for the rest of the outcomes. As it is now it takes something like 4 seconds (it's not 2^64 clock cycles) for a tablet to generate all the known legitimate possible combinations to unlock a Classic KeeLoq, 2^16 pairs approximately.

    So without introducing enough randomness into the algorithm to use all the bits it's not robust. That's one way Microchip improved KeeLoq. For example they now use a synchronized clock when training the transponder to make each individual less susceptible to a key breach, at least for the Ultimate version. The Advanced uses AES128 instead of NLFSR64, but is otherwise similar.

    I think the analogy is better made that there are a fixed number of keys that can be cut for a mechanical lock so eventually you will either find the same key or be able to work around the tumbler. In this case, though, once the encryption key is figured out then it's like everyone just has a master key so it doesn't matter. To me the main vulnerability is that not needing a physical key anymore in the ignition makes them unacceptably vulnerable to software hacks. At least the cars with fobs just to unlock the doors and those big RFID engine immobilizer physical keys require two decryptions from two active (user initiated, push button, turn key) transactions vs. one passive from a car constantly looking for a fob. While the protocol is not necessarily secure the whole system isn't as vulnerable.
     
    Last edited: Oct 16, 2016
