Wednesday, June 21, 2006

How To Steal An Anti-Theft Car

Let's say you just bought a 2006 Mercedes S550, a state-of-the-art, high-tech vehicle with an anti-theft keyless ignition system. After pulling into a Starbucks to celebrate with a grande latte, you pull out your Blackberry to send off a smug e-mail to a colleague, boasting about your new ride. As you are typing away, a man in a t-shirt and blue jeans sits down next to you. He opens his laptop and starts up a friendly conversation. "Is that the S550? How do you like it so far?" Eager to share, you converse for a few minutes. The man thanks you and is gone. A moment later you look up to discover your new Benz is gone as well!


Remote keyless entry systems, those black fobs we all have dangling next to our car keys, have been around since the 1980s. The RFID chip in the keyfob contains a select set of codes designed to work with a given car. These codes are rolling 40-bit strings, meaning that with each use the code changes slightly, creating about 1 trillion possible combinations in total. When you push the unlock button, the keyfob sends a 40-bit code along with an instruction to unlock the car doors. If the synced-up car receiver gets the 40-bit code it is expecting, the car performs the instruction. If not, the car does not respond.
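The rolling-code exchange described above, as an added simulation that is not from the post: the fob and the car share a key and a counter, and the car acts only on a code it has not yet seen that lies within a short resync window, so a code heard once and sent again is ignored. The keyed-hash derivation, the window size and the key bytes are assumptions for the demo, not details of any real vehicle system.

```python
import hashlib
import hmac

CODE_BYTES = 5   # 40-bit code, as described in the post
WINDOW = 16      # how far ahead of the car a fob may run before resync is needed (assumed)

def rolling_code(key: bytes, counter: int) -> bytes:
    """Derive the 40-bit code for one counter value.
    HMAC-SHA256 stands in for the manufacturer's undisclosed function (assumption)."""
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return mac[:CODE_BYTES]

class Fob:
    """Transmitter: bumps its counter on every press and sends (instruction, code)."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0
    def press(self, instruction: str):
        self.counter += 1
        return instruction, rolling_code(self.key, self.counter)

class Car:
    """Receiver: acts only on a fresh code within WINDOW of its own counter."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0
    def receive(self, message):
        instruction, code = message
        for c in range(self.counter + 1, self.counter + 1 + WINDOW):
            if hmac.compare_digest(rolling_code(self.key, c), code):
                self.counter = c          # resync to the fob; every older code is now dead
                return instruction
        return None                       # unexpected code: the car does not respond

def demo():
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key
    fob, car = Fob(key), Car(key)
    results = []
    msg = fob.press("unlock")
    results.append(car.receive(msg))          # "unlock": first fresh code is accepted
    results.append(car.receive(msg))          # None: the same code heard again is rejected
    for _ in range(3):
        fob.press("unlock")                   # presses the car never heard (out of range)
    results.append(car.receive(fob.press("unlock")))   # "unlock": still inside WINDOW
    for _ in range(WINDOW + 5):
        fob.press("unlock")
    results.append(car.receive(fob.press("unlock")))   # None: too far ahead, needs resync
    return results

if __name__ == "__main__":
    print(demo())
```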

Now, decrypting one 40-bit code sequence can not only disengage the security system and unlock the doors, it can also start the car, making the hack tempting for thieves. The owner of the code is now the TRUE owner of the car. While high-end, high-tech auto theft like this is more common in Europe, it will soon start happening in America. The sad thing is that manufacturers of keyless devices don't seem to care.

How a keyless car gets stolen isn't exactly a state secret. Much of the required knowledge is Basic Encryption 101. Given that the car is more or less broadcasting its code and looking for a response, it's possible that a thief could try different codes to determine what the responses are - AKA, crack the encryption. By sitting close to someone with a keyless ignition device in their pocket, it takes less than 1 second for a thief to perform several scans without the victim knowing. Using a laptop equipped with a microreader, you can capture the code sequence, decrypt it and then disengage the alarm. Ultimately this will allow you to unlock and drive away without the key. If you think that such a hack could only occur in a pristine academic environment with the right equipment, you're wrong. It's happening in local coffee shops.

It's suggested that car owners wrap their keyless ignition fobs in tin foil when not in use to prevent active scanning attacks, and that automobile manufacturers place a protective cylinder around the ignition slot. This latter step would limit the RFID broadcast range and make it harder for someone outside the car to eavesdrop on the code sequence. Unfortunately, the companies making RFID systems for cars don't think there's a problem. Most likely, preventive action will not be taken by the automotive industry until this method of carjacking reaches epic proportions here in the States. Consider yourself informed and warned.
