TMC is an independent, primarily volunteer organization that relies on ad revenue to cover its operating costs. Please consider whitelisting TMC on your ad blocker or making a Paypal contribution here: paypal.me/SupportTMC

New $5 device easily unlocks car doors

Discussion in 'Model S: User Interface' started by mknox, Oct 31, 2013.

  1. mknox

    mknox Well-Known Member

    Joined:
    Aug 7, 2012
    Messages:
    8,568
    Location:
    Toronto, ON
    Just came across this article and am wondering what the implications (if any) are for Model S. The device is apparently being used to unlock car doors, but with so much of Model S being controlled by software I wonder what other threats exist.
     
  2. efusco

    efusco Moderator - Model S & X forums

    Joined:
    Mar 29, 2009
    Messages:
    4,592
    Location:
    Nixa, Missouri, United States
  3. mknox

    mknox Well-Known Member

    Joined:
    Aug 7, 2012
    Messages:
    8,568
    Location:
    Toronto, ON
  4. PaceyWhitter

    PaceyWhitter Member

    Joined:
    Dec 27, 2012
    Messages:
    75
    Location:
    Columbus, OH
    Obviously the MS, any any other fob based keyless car system cannot use a rolling code RKE security system so what do they use? Would that be easier to break? Harder?
     
  5. liuping

    liuping Active Member

    Joined:
    Jul 23, 2013
    Messages:
    1,858
    Location:
    San Diego
    Most fob based system use rolling codes. KeeLoq being one of the most popular (Rolling code - Wikipedia, the free encyclopedia)
     
  6. PaceyWhitter

    PaceyWhitter Member

    Joined:
    Dec 27, 2012
    Messages:
    75
    Location:
    Columbus, OH
    A rolling code would not work in this type of system, in a rolling code system uses a pseudo random number generator to create a unique code for every press of the fob button, the fob only has a transmitter and after sending one code it assumes that code was accepted and goes on to the next code in the series for the next fob press. Therefore, if the fob is pressed when not near the reciever the fob is out of sync with the car. To solve this problem the car will accept the next couple hundred codes in the series. However, If my two year old gets a hold of my fob and presses the button three hundred times away from my car, it will no longer unlock my car.

    The MS could not use such a system, the car has to sense the fob's presence both to unlock the doors and to allow the car to start, therefore I assume the MS fob has both a transmitter and a reciever (which somewhat justifies it's expense). I just don't know what system it uses to authenticate.

    Back to the OP's topic, I watched the video in the link and I have a different theory. I think the thieves may have bought a $5 device off the internet, but they were swindled. The reason they were able to get into the car in this instance is probably much simpler, the owner left it unlocked.

    First, an EMP generator would fry electronics, not trick them and anything that would have any effect on a car would cost much more than 5 dollars. Second, there is no reson to put an EMP generator near the lock, the EMP pluse would need to effect the CPU, which is nowhere near the lock. Finally, while they interview some guy about this, a true expert would be able to explain how this works, this guy cannot. I think this is just a scare tactic by the news organization along the lines of "5 things in your kitchen right now that are killing you... story at 11"
     
  7. swegman

    swegman Member

    Joined:
    Mar 27, 2012
    Messages:
    962
    I don't think it is a scare tactic. There have been numerous documented cases (caught on cameras) where such a device has been used, not just in AK, but also in CA. If you watch some of the video, you will see that the light in the car turns on before they open the car door. Also, you will see that it does not work on every car.
     
  8. PaceyWhitter

    PaceyWhitter Member

    Joined:
    Dec 27, 2012
    Messages:
    75
    Location:
    Columbus, OH
    If it is the same "documentation" as this video, then nothing in the video proved that the car was locked initially. If it does work, then they should be able to explain the mechanism. Otherwise, it makes no sense.
     
  9. liuping

    liuping Active Member

    Joined:
    Jul 23, 2013
    Messages:
    1,858
    Location:
    San Diego
    Rolling codes could still be used (the request for the next code could come from the car, instead of the user pressing a button), though they are probably replaced with something more sophisticated given the Tesla Keyfobs contain RFID chips, etc.
     
  10. mknox

    mknox Well-Known Member

    Joined:
    Aug 7, 2012
    Messages:
    8,568
    Location:
    Toronto, ON
    Do they? I was given to understand the exterior location by the windshield and the interior location in the cupholder simply allowed a fob with a weak battery to communicate by placing it close to the receiver. I suppose I'll have to pull the fob's battery and see if I can open and run the car with the fob in these spots.
     
  11. guyfromhe

    guyfromhe New Member

    Joined:
    Nov 5, 2013
    Messages:
    3
    Location:
    Canada
    Basic 1 way keyless entry systems you find on less expensive cars (fob to unlock the doors, no key less start and no touch to unlock) allow for the code to "roll" up to 256 times beyond where it was last at to account for pocket pressing the button... So it will accept the next 1-256 "rolls" of the code... But they are not using a fixed code system on any car made past the 90s... Even garage door openers and the like have rolling codes now.

    More advanced 2-way systems (touch to unlock, push to start, turn to start, etc) the car has antennas generally at each entry door that can keylessly unlock and one that's tuned to very precisely monitor the inside of the car. When you push, turn or touch (whatever the user does to initiate the unlock or start) the car immediately transmits a signal to the fob and then the fob sends back a signal to the car. This is generally both a rolling code and encrypted signal and may involve a 2 way cryptographic handshake process to identify the fob and the car know each other. Each manufacturer has their own secret method of doing this and each one is different and this generally is never reverse engineered due to there being many easier ways to skin a cat.

    Now I can't find any detailed info on this "box" they are using but based on some reading I have been doing and the news reports I saw it seems like some kind of electromagnetic wave type device... something that induces a current (one demo I saw on the news showed a fluorescent light flickering like when you put it in the microwave) and what I have heard is they are inducing a small current in the unlock wire in the door switch which is causing the system to think a user is pressing the unlock button and therefore unlocking the door. This isn't possible on all cars which is why it doesn't always work... I have not heard of a single case of a car being actually taken with this method and all the reading I have done has been theories.

    Seeing as how most criminals can unlock a car door with nothing more than a little plastic wedge I think this is more of a news scare story than something to be actually worried about..

    I think if this was that big it would be all over the internet exactly what it was and how you could get one rather than just people asking questions.
     
  12. guyfromhe

    guyfromhe New Member

    Joined:
    Nov 5, 2013
    Messages:
    3
    Location:
    Canada
    I forgot to add the RFID portion is for backup if your fob is dead. The car is able to induce a current in the RFID chip to "power it up" at a very close range. They can then communicate and confirm your identity to allow you to start your car even without a battery in the fob.
     
  13. mknox

    mknox Well-Known Member

    Joined:
    Aug 7, 2012
    Messages:
    8,568
    Location:
    Toronto, ON
    Has it been confirmed the Model S fob has RFID capability? I was given to understand that with a "weak" battery it can communicate when placed close to the car's receiver, but nothing more. Has anyone yanked the fob's battery and tested this?
     
  14. Larry Hutchinson

    Joined:
    Dec 15, 2012
    Messages:
    93
    Location:
    Beaverton, OR
    I tested this quite some time ago and it did NOT work.
     
  15. mknox

    mknox Well-Known Member

    Joined:
    Aug 7, 2012
    Messages:
    8,568
    Location:
    Toronto, ON
    That is consistent with my understanding. I keep a spare battery in the glove box figuring I could unlock the car with the mobile app and replace the fob battery once inside.
     
  16. liuping

    liuping Active Member

    Joined:
    Jul 23, 2013
    Messages:
    1,858
    Location:
    San Diego
    That's a great idea. I will definitely do that.
     
  17. bareyb

    bareyb Active Member

    Joined:
    Sep 2, 2013
    Messages:
    1,067
    Location:
    Silicon Valley, CA
    Good idea. What battery do these take?
     
  18. mknox

    mknox Well-Known Member

    Joined:
    Aug 7, 2012
    Messages:
    8,568
    Location:
    Toronto, ON
    It's a fairly standard CR2032 and is about the size of a quarter.
     
  19. bareyb

    bareyb Active Member

    Joined:
    Sep 2, 2013
    Messages:
    1,067
    Location:
    Silicon Valley, CA
    Perfect. I have some of those on hand. Thanks!
     
  20. guyfromhe

    guyfromhe New Member

    Joined:
    Nov 5, 2013
    Messages:
    3
    Location:
    Canada
    This would be one of the few then... I don't know much about the Tesla S I was actually just looking for info on the topic and figured I would share what I found...
    I hope your system warns you when your fob battery is low... I just got one of these on my car and it was nice to know it was looking out for me.

    Most cars have an actual passive RFID system as a backup to the active system... If you break your fob or drop it in the toilet or something you'd need a spare set of keys or a tow truck to get it going...
     

Share This Page