CCTV footage shows crooks using some kind of universal keyless entry fob

CCTV footage from Long Beach, CA shows crooks robbing cars after opening them with some kind of keyless entry fob that appears to defeat the cars' built-in cryptographic security. The fobs evidently don't work on all models, and may require operation from the passenger side. It's not clear what method the fobs use to attack the locks. Any guesses?

Adding to the mystery, police say the device works on some cars but not others. Other surveillance videos show thieves trying to open a Ford SUV and a Cadillac, with no luck. But an Acura SUV and sedan pop right open. And they always seem to strike on the passenger side. Investigators don't know why.

"We've reached out to the car manufacturers, the manufacturers of the vehicle alarm systems: Nobody seems to know what this technology is," Hendricks told us. "When you look at the video and you see how easy it is, it's pretty unnerving."

Police admit they're 'stumped' by mystery car thefts (via /.)


    1. I was thinking of that movie earlier today. I went out and bought a new car stereo after I saw it.

      1. I destroyed every one of my Jason Donovan albums practicing that flip thing but I could never quite get it right.

  1. They mention the thefts occurring in people’s driveways, and it being a little unreliable. Perhaps they are using a transmitter and amplifier to relay the signals between the car door and the key real key fob which is most likely located somewhere in the person’s house./

    1.  Now that’s interesting, perhaps the real advancement they’ve made is getting the owner’s key fob to answer, and they use that signal to unlock the car

  2. I heard a suggestion that you can trigger air bags by hitting an accelerometer, even when a car is stopped and locked, and that when the airbags fire the car unlocks for safety reasons. Not saying that this is the case here, just that there might be other ways to unlock a car.

  3. I’m not convinced they’re using a device. People accidentally leave their cars unlocked all the time, and thieves go around testing handles.

    1. I thought the same thing, but at least once you can see the interior light come on before the people touch the door handle, which is what happens when you hit the unlock button on the fob.

  4. There must be some tech out there allowing emergency responders or car technicians to bypass the unique crypto-key on the fob. Some dude figured out what it was.

  5. It took me two minutes of searching to find this link, which sounds like the likely suspect in this case:

    1. I have good reason to believe you are correct. This is a variant of the classic man-in-the-middle replay attack, one I’ve seen termed a Farva (after a character in “Super Troopers” who gets goaded into exclaiming “Shenanigans?!”)

      1. Or more than 10 metres from your car. I guess some people put their keys near the garage, it makes sense from a certain point of view to put the keys near the door you’d use to get to your car. 

        1. More than ten meters from the walls, and/or more than a hundred meters from the car.

  6. He actually doesn’t have a device in his hand. It just looks that way because there is a shadow from the door handle. Before he walks up, you can see two dark dots, which indicate each end of the door handle. The light space in the middle is the main part of the handle. Watch: he places his hand on the main part and the same dark spot doesn’t move, neither before or after he touches it. He doesn’t block the light source and shouldn’t be able to cast a shadow in that spot. Also watch his hand as it moves away from the door. It slides open-palmed around the edge of the door. Such a motion would be unnatural for someone holding an item but very natural for someone who just released a door handle. The accomplice also clearly has nothing in their hand. I think the comment above about the locking signal being jammed seems the likeliest, assuming the door wasn’t just left unlocked.

  7. Glove box is on the passenger side.  It’s probably just more efficient to loot a car from that side.

    1. Yup. Also, the driver’s seat is typically occupied by the driver – so any items they have placed to hand will probably be in the front passenger seat.

      On the other hand, the trunk release is on the driver’s side, and I guess they’re not bothering with that?

      1. I have a 2002 Acura and a 2010 Toyota.  If you hit the unlock button on the door inside the cab, you unlock the entire vehicle.  Also, I’ve owned 5 Japanese cars from model years 1977 to 2010,  on each of those vehicles, that release on the floor, left of the driver, opens the gas tank cover. 
        I’m now curious as to what car has a trunk release on the driver’s side?  That Caddie in the video should have a yellow button on the left wall of the glovebox for a trunk release.  

          1. That’s what you get for having a Honda.  /s
            The new TSX doesn’t even have the gas release on the floor anymore.  Trunk release is in the door well below the armrest/window controls.
            All the fancy stuff eventually trickles down to Honda, you’ll just have to wait a few years.  My Acura cost only a grand more than the comperable Honda, and the differnce in service levels between the two dealerships made that a grand very well spent. 

  8. I suspect 2 things could be related to the passenger side of the car. 

    1) As others have stated the steering wheel is not in the way allowing easier looting without the possibility of bumping the horn, brakes etc.

    2) I googled Acura MDX alarm antenna location and it indicated it is behind the glovebox…this leads me to believe it works better in proximity to the antenna.

  9. it is a rolling code hack, nothing more. cars have very weak electronic security and are vulnerable to a variety of attacks.  

  10. it is a rolling code hack, there is a re-sync vulnerability in some cars. cars have notoriously crappy security, and is doesn’t take much to exploit it

    1. Yea. Not all states require it. But those that do always are the ones they filmed those crappy 1970s TV shows where the officer yells at the speeder to pull out their license and registration.

      1. It just seems so onerous. We used to have stickers on the vehicle window in Australia, but we’ve got rid of them now in NSW. The cops just check your license plate and match the details electronically. I seem to remember they were implementing technology that would recognise all nearby license plates and check them as they drove, and warn them if anything was amiss.

        1.  Good news for riders, now you don’t have to have a daggy plastic rego holder hanging off the side of your numberplate! (but bad news for the guys who make those rego tube things)

    1. Disqus just jumped to a new layer of suck with handling animated gif links.  Tried to delete the post, but no go.

      I tried a ninja move on Disqus below, see if that works better…

  11. Who’s to say that with the compromised databases in the past few years, a few of them couldn’t have been the big car manufacturers or the subsidiaries? I’d argue that someone could have the codes/algorithms. If you were to lose your keys you’d go to a dealership & pay some big bucks to have another keyless entry fob & key set made. Those codes must reside in some computer somewhere, and it was probably compromised. It’s probably a brute force attack. It might get tweaked if the model of car is known, but it explains why it doesn’t work on all of the cars (those algorithms were not hacked). The guys doing the stealing aren’t the ones manufacturing the fobs, that’s for sure.

  12. A friend just had a very old Saturn SL1 stolen for a joyride, then got it back.  The police recovered a keyring with thirty Saturn keys (this car was before chipping of any kind), which apparently are enough to open any such car.  

    I recently lost the key for my bike lock and learned via a youtube video that this particular model can be opened with just a blank key.

    I had another combo lock where all you had to do was cut off the flimsy plastic cover to see the what combination had been set.

    Point being that even though a system should have enough combinations to make it prohibitive to go through them all, there are often implementation details that ruin the security. 

    And there are user errors like forgetting to press the lock button.

  13. This happened to me about 5 years ago (or at least that’s the conclusion I came up with. Possibly the thieves employed one of the other strategies presented in the comments). At the time I was driving a Honda CR-V and had parked in a near empty parking lot on my undergrad campus on a Saturday to go to some function. The thing I remember most distinctly is that I manually locked the doors of the car with the key because mysteriously, the key fob would not work although it worked fine when I got in the car at my house. When I came back from my function, I tried the key fob again. It worked. I got in the driver’s side and was about to drive away when I realized my passenger side door was slightly ajar. The only thing stolen was the GPS in my glove compartment.

    Neither I nor the police found any signs of forced entry, and the cops chalked it up to me forgetting to lock the doors. But as I said, I had manually locked them.

    1. How old was that CR-V at the time?  By “manually locked” do you mean you pushed the electric swith, or physically pushed down the lock stem?  Maybe the passenger side was still unlocked.

      My Accord is about 14 years old, and the electric lock is getting unreliable on the passenger side. If I push the lock stem down, or use the key from the outside, it locks.  But using the electric lock switch, or the remote fob, sometimes will only lock the driver’s side (so no “beep”).

      1. By manually locked I mean I put the key in the keyhole from the outside. This was a 97′ CR-V, first generation.

  14. Yeah, the glove box is on the passenger side.  That’s where I stash my fancy watches.

  15. My car (VW) makes a definite (click-clunk) sound as the locking mechanism works, and the lights flash.  You really know it’s locked, and I press the fob until I get that confirmation.  If I didn’t get that, I’d move the car.

  16. Speaking as a locksmith: That video looked more like “you forgot to lock the car.” Which is more common than most folks want to admit.

  17. The moral of the story is,  don’t leave valuable stuff in your car on the street.  or in your driveway.  Even without hacking the keys, the windows are not impenetrable.  Having lived in Chicago for about 8 years pretty much every one of my cars has been opened in some way.  EVERY time it was because I left something on the seat / in view that would spark the interest of the local thugs.

  18. Might be a car version of the infamous “TV B Gone” universal remote. Some guy has figured out the access codes for all major TVs. You carry your TV B Gone into a restaurant and, if it has a loud TV on, or if it is tuned to a channel you don’t like, take your TV B Gone out of your pocket and turn it off.

  19. I have a hard time believing that the ‘encryption’ that the locks use is really that robust. It could be a case to me of thieves just aiming some sort of antenna at the car as the owner locks or unlocks it, waiting for them to go away and then rebroadcasting the signal they record of the code back at the victim car to get it to unlock again. To me an accomplice wheel-man in another car outside the picture is most probable in this case who is remotely unlocking the car while the  guy doing the car entry/theft will have a way to bail and get away from the scene in case the car owner comes back. One can waste a lot of time thinking of how complex and hi-tech this magic tech is that they are imagined to be using when it’s more likely to be something very simple and low-tech in reality.

  20. My guess…
    There is no fob transmitter opening the doors.
    There is a jammer used to keep the vehicle from being locked in the first place, and the thief merely fakes the use of a fob to look inconspicuous and conceal the jamming.
    This explains why the lights don’t flash when “unlocked”.

  21. This was posted to hackaday and they were discussing all the super complicated ways this could be achieved but having met a few people that make a living committing petty thefts before I can say most of them are lazy, which is why they make their living that way.  

    The answer is going to be something incredibly simple such as either the car was unlocked or they are doing something like zapping the lock with a taser to fry the circuits.  The light coming on momentarily before the door opens could be explained by the door latch triggering so the lights know the door is opening but before the thief has actually opened the door. 

Comments are closed.