Keyless entry system - the possibility of remote identification. Keyless access to the car


27.04.2019

A car parked on the sidewalk recognized me from a couple of steps away. It turned on the interior lighting, unfolded the mirror housings and responded to my outstretched hand with the characteristic click of the central locking. I start the engine, drive off - and notice a warning message on the display: "Key not found". That's right, I really don't have the key to this car. And never did. But I do have an electronic device that allows you to open and start cars by "telepathic" methods - at a distance. The hijackers call it the Long Arm.

Have you ever driven a car with a "golden key"? The one that automatically arms the car, opens the doors and lets you start the engine with a button without taking the key fob out of your pocket? Cool stuff! The system is so smart that an ordinary ignition key now looks like a stone axe. In industry terminology, such systems are called PKES (Passive Keyless Entry and Start), and in simplified form their operation looks like this. As soon as the driver approaches the car and presses the button on the door handle (instead of a button there may be a touchpad or an electronic gate that reacts to the hand), the car "wakes up" and starts a dialogue with the key:

Hello, I am car X electronic number Y and identifier code Z. And who are you?

On the left is the "emulator" and on the right is the "reader". Hidden inside these boxes are receivers and transmitters for three bands (125 kHz, 433 MHz and 900 MHz), bandpass filters, amplifiers, processors and large-capacity lithium polymer batteries. The brown edging encircling one of the units is a loop antenna. After the power is turned on, the units establish a high-speed data transmission channel between themselves, which makes it possible to relay the car's "key" requests and remotely receive the tag's responses. The creators of the criminal radio extender are well versed in electromagnetic compatibility issues: while working with the Long Arm, you can talk on a mobile phone or, conversely, turn on cellular jammers to block the GSM traffic of monitoring systems.

This message is broadcast on the "transponder" frequency of 125 kHz, and if the key fob is nearby and understands the language of the request, it immediately answers the car on its own operating frequency (in our country and in Europe it is 433 MHz or 868 MHz). Moreover, it answers with a cunning digital combination generated by an individual encryption algorithm:

Hey, I'm your key! Response code: X123.Y456.Z789.

To rule out electronic fraud (replaying pre-recorded packets, transmitting the code via cellular or mobile Internet channels), the response from the electronic key must arrive in real time (delays are counted in nanoseconds), so any "audio performances" and attempts to open the car "to a backing track" are doomed to failure. But…

The criminal vulnerability of PKES systems came under discussion in 2011, when a team of Swiss programmers demonstrated a method of "lengthening" the car-key communication channel. The technique was called the Relay Station Attack. It's funny that by that time Russian hijackers were already using such devices in full swing (AR No. 8, 2011). And this summer, two radio extenders fell into my hands at once.

The first is designed to steal "keyless" Toyota and Lexus cars released before 2013, and the second "extends" the Intelligent Key access systems of current-generation Nissan and Infiniti cars. Each Long Arm consists of two units, a "reader" and an "emulator", which fit easily into a small shoulder bag. After switching on, the units establish a high-speed data transmission channel between themselves, which makes it possible to relay the car's "key" requests and remotely receive the tag's responses.

Polling antennas for 125 kHz are installed around the perimeter of the body so that their patterns do not overlap. Thanks to this, the car always knows where the key is responding from and only allows "geographically referenced" commands to be executed. For example, the engine will start only if the antenna in the back of the driver's seat takes part in the radio exchange with the key, and the trunk will open only if the key is successfully polled from the rear sector.

I opened my friends' cars like this. First, I waited for the rightful owner to park the car, get out, close the door, look around... Now, holding the "emulator", switched on in advance, in my bag, I walk up to the driver's door - and at the moment when my accomplice with the "reader" approaches the owner of the car (we coordinate our actions by phone using innocent turns of phrase), I press the button on the door handle. The car issues a search query; the "emulator" receives it, demodulates it, amplifies it - and immediately transmits it to the accomplice over the radio bridge. His equipment performs the reverse operation - and "interrogates" the key in the owner's pocket. Having caught the response message, the "extender" sends it back the same way - and relays it to the car through the "emulator". I pull the handle - and the door swings open hospitably!

Before starting the engine, the access system must once again request the key (through the antenna in the back of the driver's seat), so I still keep the "emulator" nearby - and by pressing the "Start / Stop" button, I hear the peppy roar of the starter. Let's go! Now the key is no longer needed - neither real nor "emulated": the motor will work until I turn it off myself!

But what about the ban on "radio performances"? The trick is that the information between the blocks is transmitted without digital signal processing, by direct spectrum transfer, and this allows you to meet the time limit allotted by the car's access system for a dialogue with the key.
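An added illustration, not part of the original article: a toy Python model of the car's check, showing that a fresh challenge defeats replayed recordings, while a relayed live response is rejected only if the timing margin is tight enough to measure the extra signal flight time. The HMAC stand-in for the fob's cipher, the fob turnaround time and both margins are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

C = 299_792_458.0           # speed of light, m/s
TAG_TURNAROUND_NS = 50_000  # assumed fixed time the fob needs to compute its answer


def tag_response(key: bytes, challenge: bytes) -> bytes:
    """Fob side: answer a challenge with a truncated HMAC (stand-in for the real cipher)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:8]


def round_trip_ns(distance_m: float, relay_delay_ns: float = 0.0) -> float:
    """Time from challenge sent to response received for a fob distance_m away."""
    flight = 2 * distance_m / C * 1e9
    return TAG_TURNAROUND_NS + flight + relay_delay_ns


def max_distance_m(margin_ns: float) -> float:
    """Largest fob distance that still fits inside the timing margin."""
    return margin_ns * 1e-9 * C / 2


class Car:
    def __init__(self, key: bytes, margin_ns: float):
        self.key = key
        self.window_ns = TAG_TURNAROUND_NS + margin_ns
        self.pending = None

    def new_challenge(self) -> bytes:
        self.pending = os.urandom(8)  # fresh and unpredictable for every poll
        return self.pending

    def verify(self, response: bytes, rtt_ns: float) -> str:
        if self.pending is None:
            return "no-challenge"
        expected = tag_response(self.key, self.pending)
        self.pending = None  # a challenge is valid for one answer only
        if not hmac.compare_digest(expected, response):
            return "bad-response"
        if rtt_ns > self.window_ns:
            return "too-slow"
        return "accept"


def run_scenarios(margin_ns: float) -> dict:
    key = os.urandom(16)  # constructed shared secret
    car = Car(key, margin_ns)
    results = {}

    # Owner standing 1 m from the door.
    challenge = car.new_challenge()
    recorded = tag_response(key, challenge)
    results["owner_at_1m"] = car.verify(recorded, round_trip_ns(1.0))

    # The same recorded answer played back against a new challenge.
    car.new_challenge()
    results["replay_of_recording"] = car.verify(recorded, round_trip_ns(1.0))

    # Live answer from a fob 300 m away, carried with no added processing delay.
    challenge = car.new_challenge()
    live = tag_response(key, challenge)
    results["relayed_from_300m"] = car.verify(live, round_trip_ns(300.0))
    return results


if __name__ == "__main__":
    for margin in (10_000, 20):
        print(f"margin {margin} ns (max {max_distance_m(margin):.1f} m):",
              run_scenarios(margin))
```

With the loose margin the relayed answer is accepted because it is cryptographically genuine; only the tight margin, which bounds the fob to about three meters, turns the added flight time into a rejection.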

Here is my catch: a Q50 sedan, Nissan X-Trail, Nissan Pathfinder, Toyota Highlander, Toyota Land Cruiser 200, Toyota RAV4 and Lexus RX 350. Not bad for a couple of days?

In open areas, the criminal boxes "hooked" keys in drivers' pockets at a distance of one to three meters (the spread was determined by the location of the "reader", whose antenna has a pronounced radiation pattern, and by the presence of interference). The range of the code "transfer", that is, the distance between the owner and the car at the time of theft, can exceed three hundred meters even in the city. However, hijackers usually play it safe by attacking the victim as soon as they leave the parking space.

There are plenty of ways to get close to a person without being conspicuous: an elevator, revolving glass doors at the entrance to a hypermarket, a line at the cashier... You can even make an electronic tag respond from inside a closed room. When you come home, you put the keys... let's say, on the bedside table in the hallway, right? The front door is iron, but the blocks that surround the door frame are radio-transparent!

I report: out of five attempts to "steal" the code for the car "through the wall", three were successful - Copperfield would be envious! And if you build an external directional antenna (an open umbrella would be suitable camouflage for it), the range of the transponder "shot" increases significantly. Most likely, this is how most thefts of expensive cars from suburban properties are carried out.

The Toyota/Lexus radio extender units are assembled in standard housings for electronic devices. The boards have an antistatic coating, the board-mounted components are secured with cable ties and hot-melt adhesive, and power is supplied through reliable power connectors. Markings have been mechanically removed from the key components of the circuit (this makes it difficult to copy the device by reverse engineering), and the unused connector for the radio bridge antenna hints at the possibility of using an external emitter. We did not find any traces of this device's country of origin, but some technological features suggest that the radio extender was assembled in one of the countries of the former socialist camp.

Have you already looked out the window, scared for your car? Do you remember today's fellow travelers in the elevator? The only consolation is that only an established criminal group can afford to fork out for a key code repeater: such a thing costs from ten to fifty thousand euros. The spread of prices is determined by criminal marketing, because it makes no sense for a manufacturer of repeaters to sell hijackers a universal "opener". As a rule, the hardware is offered with specific firmware, "tailored" to the access systems of cars of a certain brand. Then software updates come out for cars of more recent model years, and these must be paid for separately. Familiar approach, right? And if you believe the manufacturer's advertising materials (easily found on the Internet by keyword search), you can buy a repeater for anything - be it a Renault or a Bugatti - so, alas, the problem is global.

What can be done to tie the hijackers' long arms?

Disable the Keyless Go system by removing the battery from the key! (In secret: with a documented deactivation of PKES, some insurance companies offer owners of theft-prone cars preferential rates for the "Theft" risk.) But then you have to install something in its place. If you decide to do so, under no circumstances settle for a two-way security system operating in "Slave" mode: in effect it is an analogue of the standard PKES system and is "lengthened" in the same way. An intelligent recipe against the Relay Station Attack is to turn off the standard radio channel and hand control of the SmartKey module over to a third-party unit controlled by its own tag. Car protection specialists ask 15 thousand rubles for such a service. An "intelligent" protection module has also been developed, which analyzes the radio environment around the car, detects the operation of a radio extender and is able to counter it. It costs about 8000 rubles.

In the meantime, hide the car's key fob in a Faraday cage: a pouch or a case with a metal (foil) screen. You can make such a shelter for the "golden key" yourself - even from a cigarette pack.

This is the signature of a Nissan and Infiniti theft repeater, captured with an Agilent Technologies professional spectrum analyzer. The signal at a frequency of 902 MHz is the radio bridge used to transmit encrypted packets between the Long Arm units.

Until recently, the so-called smart key, which allows the car door lock to be opened automatically, was available only to owners of premium-segment vehicles. Today, if desired, the owner of any vehicle can order a similar gadget and enjoy a security alarm that recognizes him automatically, along with keyless access to the interior of his car. This way of communicating between an owner and his "iron horse" is also very much to the liking of hijackers, who have learned to hack it within a few seconds.

According to official statistics, the number of thefts of cars equipped with such a system is increasing day by day. Law enforcement officers regularly report that attackers are actively mastering special equipment that allows them to hack even the most technically advanced systems. This raises a reasonable question: is it possible to somehow protect yourself from such a nuisance? If you believe the experts, it is. However, first you need to understand how a keyless access system works in principle.

About the working principle

It should be noted that today each manufacturer of smart keys tries to implement such a system in its own way. However, the basic principle is similar: the key and the lock are individually programmed and are triggered after the correct code is entered, usually using a key fob. After the code is entered, data is exchanged according to the specified algorithm, and if the data match, the alarm system is deactivated. Then the owner of the car can also start the engine using the key fob.


About hacks

Of course, attackers are well aware of how the "smart key" system works, and their main task is to catch the signal sent from the key fob to the car lock. For this purpose, they use a special radio scanning device, with which they obtain the access code to the car alarm system. After that, they only have to send the received data to the system, which accepts it as "its own" code, switches off and provides access to the car. The sad situation is aggravated by the fact that such scanners can be purchased completely freely, and their cost is low.

About protection

According to experts, the owner needs to store the smart key to his car in special boxes made from a material that suppresses the radio signal that is constantly exchanged between the system and the key fob. You can wrap it in aluminum foil, which is able to drown out the transmission of information.

In addition, do not forget about the high level of efficiency of mechanical anti-theft means, in particular, about the blockers that can be installed on the pedals, steering column or on the gear lever. With such devices, it will be extremely problematic for attackers to steal a car, even if they manage to catch the signal of your key fob.

As an option, you can consider reflashing the system itself so that it works on an algorithm different from the standard one. This can be done in specialized centers; as a result, the upgraded smart key will mislead intruders and cope with its functions more effectively.


An intelligent car entry system (other names are keyless entry and smart key) is an electronic system designed to make life easier for the ordinary car owner. It identifies the owner by the response stored in electronic form on the key; if it is correct, the door is unlocked with just a touch of the handle, and the engine starts with a single press of a special button. The electronic key, like a conventional one, fits in your pocket without any problems.

The first keyless entry system was used in cars from the German company Mercedes-Benz over 10 years ago. Today, the intelligent access system may be offered as standard equipment (but more often as an option).

Different car manufacturers may have their own name for the smart key system, for example:

  • Advanced Key - Audi;
  • Comfort Access - BMW;
  • Keyless Go - Mercedes-Benz;
  • Keyless Entry - Kia;
  • Advanced Keyless & Start System - Mazda;
  • FastKey - Mitsubishi;
  • Hands Free KeyCard - Renault;
  • Intelligent Key - Nissan;
  • Smart Key System - Toyota;
  • Keyless Drive - Volvo.

The intelligent access system consists of antennas, a transponder, touch sensors, an engine start button and an electronic control unit.


The transponder directly identifies the owner. It is a microchip with an antenna that can be built into the physical car key or made as a separate plastic card. The most common option is to combine a transponder and a physical key. This solution is one of the most reliable.

The antenna provides radio communication between the car and the electronic key. Full signal coverage is up to 1.5 m, depending on the model.


Photo of a car door handle touch sensor from an Audi A5 S-Line


Touch sensors can be installed in the outer door handles. Touch is recognized by a change in capacitance.

The engine is started by pressing the "Start" button, which is placed in the place where the traditional ignition switch should be installed. Sometimes, instead of a button, a switch may be installed.

Electronic control unit. This unit directly implements the intelligent access function and also starts the engine without a key. The control unit and the central locking interact with the engine management system.

Intelligent car access system: how it works

As soon as you touch the door handle, the sensor triggers and the information is passed to the control units. A signal then goes to the electronic key, which determines its position relative to the car. The response is transmitted to the antenna and then processed. If the data match, the door opens. Either a microchip or a special magnetized surface is responsible for protecting the data; it is almost impossible to counterfeit the device.

The engine is started with a single press of the button. Visually, this is no different from starting the engine with a key. However, the startup process is different. The signal is sent to the control units, then through the antenna to the electronic key. The key determines its position inside the car and transmits it to the central locking antenna, and also disarms the anti-theft alarm. The anti-theft locks are released. The system control unit sends a request to the engine control units, and if the engine is ready to start, it starts.

When the car stops and the driver leaves it, the doors are locked automatically and the anti-theft alarm is activated. Depending on the system model, locking can be done in different ways: by pressing the button on the door, by touching the door or by leaving the vehicle. Typically, an intelligent vehicle access system can combine several locking and unlocking methods.

In some highly advanced systems, vehicle settings can be tied to the smart key. When the car is opened, the position of the driver's seat and outside mirrors, the climate settings and other systems are adjusted. A key with such wide functionality may have touch or voice control; advanced systems cost 50-100% more.

At school, I was taught that under communism all sorts of locks and keys would become unnecessary by definition. Homo sapiens will be so conscious that it would never occur to him to use what is intended for another. And although the construction of communism has been stopped (or temporarily suspended), the keys are slowly beginning to fade into history. But isn't it too early?

Mercedes was the first to introduce a production keyless car access system, back in the last century; today almost everyone uses a similar solution. The names of the systems and the specific circuitry may vary - Hands Free, KeyCard, Comfort Access... But the main thing is that manufacturers have already accustomed us to this convenient and simple access system: walk up to the car, open the door, sit down, press the start button - and off you go. The only requirement is to have the proximity key, the so-called tag, with you. Without it, no way. Or are there options?

Rental without demand

Unfortunately, there are options. Recall that a tag is a microcircuit with an antenna. The car emits a modulated high-frequency signal of high duty cycle, and the tag picks it up at a distance of no more than a couple of meters. Having identified its car, the tag signals the on-board anti-theft system to unlock access to the cabin and allow the engine to start. The exchange of information usually takes place at frequencies from 125 kHz to 2.4 GHz. There is, of course, no ignition lock: to start the engine, just press the Start button. When leaving the car, the owner simply slams the door and then touches the button on the door handle with his finger. That's it, the car is locked and armed! Now let us remember what a repeater is: a radio transceiver located at intermediate points of a radio communication line, which amplifies the received signals and transmits them further. For example, it carries a television signal that brings enlightenment to a distant mountain village. If a repeater amplifies the signal from the tag, the car will begin to obey not only its owner, but also... the owner of the repeater!

Got the idea? No? Then here's a crime scenario for you.

The crime, as written

Making a repeater compact enough to hide in a small bag or briefcase is not difficult today. Let the tag stay in the owner's pocket; no one is going to steal it. It is enough for a criminal with a repeater to stay next to the owner of the car for just a couple of dozen seconds. The assistant will do the rest.

An ideal place for the crime is the parking areas near large supermarkets and entertainment centers. A sea of cars, an ocean of people. The owner locks the car and goes shopping, followed a couple of meters behind by a hijacker with a repeater in his bag. As soon as they have moved a respectable distance away from the car, the offender signals his colleague - for example, by calling him on his mobile phone. The colleague opens the car in one movement with the help of the second repeater unit, camouflaged, for example, as an ordinary walkie-talkie, starts the engine and drives away. Communication with the real tag is no longer needed - the car, having lost it, will not stall.

And what is left in the pocket of the real owner, in fact, turns into a black mark for him, on which is written: "Sentenced to confiscate the vehicle."

The keyless entry system is becoming more and more widespread, and today it is installed even on cars in the mid-price range. Keyless entry is a special technology for identifying the owner of a car. The essence of the method is to lock the car after its owner leaves and moves a certain distance away from it. When the driver approaches, all locks are released automatically.

How wireless access works

In essence, a system that provides access to a car without a standard key is a special kind of immobilizer using smart key technology. The principle of operation of the whole system is quite simple:


Currently, keyless entry into the car is increasingly combined with additional features, for example, starting the engine when the driver approaches. Most often, cars with a factory keyless entry system do not have a conventional ignition key at all - it is replaced by a dash-mounted start button.

Keyless Entry Features

The keyless go system has quite serious capabilities and can be upgraded depending on the specific requests of the car owner. Among its main features are the following:

  • one-step interface for easy management;
  • the starter can be started without engaging the ignition mechanism;
  • the ability to lock not only the doors, but also the steering;
  • the ability to obtain information about the state of the car in real time;
  • built-in immobilizer;
  • remote control warning mode.

The keyless entry and start system may look different for different car manufacturers, although the same principle of operation is used. The main difficulty in creating such a system was the technical challenge of ensuring an adequate level of security. The unit located in the cabin had to respond only to the native radio signal coming from the chip in the smart card or key.

To exclude the possibility of the code being intercepted, for which complex technical devices are used, cryptographic protection was applied, and later a floating code was developed. It implies a huge number of code variants, which are generated at random from the available options. Even if a used code is successfully captured, it is no longer valid the next time, because a new one will have been generated.
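An added sketch, not from the original article, of one common way to build a floating code: the fob and the receiver share a key and a press counter, and the receiver accepts only codes for counters ahead of the last one it saw. The HMAC construction, the window size and the key are assumptions for illustration, not any manufacturer's actual algorithm.

```python
import hashlib
import hmac


def code_for(key: bytes, counter: int) -> bytes:
    """Derive the one-time code for a given press counter."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class Fob:
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        return code_for(self.key, self.counter)


class Receiver:
    def __init__(self, key: bytes, window: int = 16):
        self.key = key
        self.window = window   # how many missed presses are tolerated
        self.last_counter = 0  # highest counter accepted so far

    def accept(self, code: bytes) -> bool:
        # Only counters strictly ahead of the last accepted one are candidates,
        # so a code that was already used can never match again.
        start = self.last_counter + 1
        for counter in range(start, start + self.window):
            if hmac.compare_digest(code_for(self.key, counter), code):
                self.last_counter = counter
                return True
        return False


def demo() -> dict:
    key = bytes(range(16))  # constructed shared secret
    fob, receiver = Fob(key), Receiver(key, window=16)
    results = {}

    captured = fob.press()
    results["first_use"] = receiver.accept(captured)
    results["replay_of_captured_code"] = receiver.accept(captured)

    for _ in range(5):   # button pressed out of range of the car
        fob.press()
    results["after_5_missed_presses"] = receiver.accept(fob.press())

    for _ in range(20):  # more missed presses than the window allows
        fob.press()
    results["after_20_missed_presses"] = receiver.accept(fob.press())
    return results


if __name__ == "__main__":
    print(demo())
```

A floating code of this kind stops replay of a captured code but does nothing against a live response being relayed, which is why the two are treated as separate problems.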

Advantages and disadvantages of a keyless car access system

The presence of keyless access to a car has pros and cons, and it is up to the owner to decide whether or not to have such a system in his car. Benefits include things like:

  • the high level of protection provided by modern keyless-go systems;
  • there is no need to constantly take out the keys - it is enough to have a key fob or a smart card that you can carry in your wallet;
  • the option of starting the engine automatically when approaching the car;
  • integration with the multimedia system or with the system that stores individual settings for the steering wheel, seats or mirrors, which increases comfort for the driver.

Currently, key fobs are also undergoing significant modernization. For example, Jaguar has released a keyless entry system in which the chip is mounted in a wrist bracelet with a waterproof case. It is not easy to lose one, and you don't have to think about where to put your car keys, for example, on a trip to the beach.

If the car does not have such a system in its list of standard equipment, it is quite possible to install one yourself. A standard keyless entry system kit, with instructions in Russian, will cost about 15 thousand. It includes two key fobs, two antennas and control units. A shock sensor allows it to work as a security alarm. Installation is simple and can be done in a few hours.

Among the shortcomings of the system, it can be noted that despite the floating code, there is still the possibility of intercepting it and, accordingly, stealing the vehicle. It is not worth going into exactly how cars with keyless entry are stolen, but drivers can be reassured a little - such equipment for intercepting a signal costs several tens of thousands of euros, and it is usually configured for a specific brand. To reduce the probability of the code being read, the range of the key fob / card can be reduced. So, if you set the system to operate within a radius of 20-30 cm from the car, it will become almost impossible to intercept the signal.


