RFID / Transponder equipped keys
Lexus Ignition transponder safe or not?
I know I have brought this topic up before on this forum, about how the supposedly impregnable transponder can’t be fooled or compromised – yeah right.
There is a very interesting article in the current issue of Wired Magazine, “Pinch My Ride”.
The author (who has had his own transponder-equipped Honda stolen) mentions how insurance companies are taking the stance that this transponder technology is foolproof and are denying claims to people who have had their car stolen. His first example was with an LA police officer who had his Lincoln Navigator stolen. The owner could still account for all the keys. When the car was eventually recovered, the ignition was broken. However, since the transponder in the car still worked, the insurance company denied the claim. Their stance is that the owner must have been involved with the theft, as the car would have been impossible to drive without a key. Remember, this is an LA cop.
The author also mentions that more expensive cars like Mercedes and Lexus use a rolling code. He states “..some Mercedes and Lexus models use sophisticated rolling codes generated anew after each start, passed to the key and fed back for authorization during the next ignition cycle”. Anyone know if the IS models have this feature?
There’s much more to the article. He goes on to mention how some models have a “secret” bypass feature to let an owner start the car in case the key was lost. For his Honda it was a series of e-brake maneuvers. He also mentions how easy it is to purchase an RFID cloning kit that will read a key’s code and imprint it on a new “blank” key.
I would have posted the article’s URL, but Wired doesn’t have it on their website.
I could have sworn that I read somewhere the IS has rolling code on the transponder and supposedly uses unique logarithms for generating the codes. However, there are only so many codes it can generate....yada yada yada... and I also read that it's possible that someone can accidentally unlock the vehicle; however, the likelihood of that actually happening is minuscule, which is why they don't really think it would be a problem, considering there are sooo many cars out there with rolling codes.
I've pretty much combed the New Car Features and the Factory Service Manual. As expected Toyco is tight lipped about this. However, from the descriptions, there is very clearly a challenge/response system being used regardless of whether the battery in the smart key is working or not.
There is a separate certification ECU that handles requests requiring the key, and according to the documentation, there is a signal this ECU sends to the key and the key has to return a signal. It doesn't go into bits and bytes of how it works, I suspect because the failsafe (holding the smart key within 10mm of the start button) implies there is a simple RFID chip in the smart key.
The failsafe mode uses another ECU to generate a request to the certification ECU, and this ECU generates a signal that goes out to the RFID in the smart key. When it "sees" the smart key's RFID, it responds to the challenge from the certification ECU with a code generated by its own logic and the RFID in the smart key. This is clearly the weakest point in the system.
It is possible to get an RFID to divulge its code from quite a distance. Many security companies won't tell you about their devices being vulnerable at distances. They are keen to tell you a badge or smart card needs close physical proximity to work, but they are not keen to tell you malicious people have been able to activate RFID based "keys" from as much as 10 meters away. There are devices now that have shown the ability to harvest RFID information at a distance, and replicate the physical devices electronically. This is the "cloning" kit you mentioned.
Whether this kind of attack is viable with the system Toyota has chosen is anyone's guess. I seriously doubt they will be forthcoming with an answer, even if asked directly. However, I do know someone at Toyota who might be able to give me some clues. I'll update this thread after I hear from him.
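A toy model of the distinction the post above draws between a fixed-code RFID fallback and a true challenge/response exchange, added here as an illustration; it is not from the thread or from any Toyota documentation, and the class names, challenge size and HMAC-SHA256 choice are constructed assumptions. It shows why a response observed once from a fixed-code key is accepted on every later start, while the same observation against a challenge/response key is worthless on the next ignition cycle.

```python
"""Constructed model: fixed-code transponder vs. challenge/response key.

Nothing here implements a real immobiliser protocol; it only models the
replay property the forum post is worried about.
"""
import hashlib
import hmac
import secrets


class StaticKey:
    """Fixed-code transponder (the 'simple RFID chip' fallback): ignores the
    challenge and always answers with the same identifier."""
    def __init__(self, uid: bytes) -> None:
        self.uid = uid

    def respond(self, challenge: bytes) -> bytes:
        return self.uid


class ChallengeResponseKey:
    """Key that proves it holds a paired secret by keying a MAC over the
    fresh challenge; the secret itself is never transmitted."""
    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class CertificationEcu:
    """Verifier holding its own copy of the enrolled key's logic (hypothetical
    name borrowed from the post). Issues a fresh random challenge per start."""
    def __init__(self, paired_key) -> None:
        self._paired = paired_key

    @staticmethod
    def challenge() -> bytes:
        return secrets.token_bytes(8)  # new on every ignition cycle

    def verify(self, challenge: bytes, response: bytes) -> bool:
        return hmac.compare_digest(response, self._paired.respond(challenge))


def legitimate_start_accepted(ecu: CertificationEcu, key) -> bool:
    c = ecu.challenge()
    return ecu.verify(c, key.respond(c))


def replayed_response_accepted(ecu: CertificationEcu, key) -> bool:
    """Observe one legitimate start, then present that same response on the
    next start. True means the design is replayable; False means the fresh
    challenge made the observed response useless."""
    observed = key.respond(ecu.challenge())
    return ecu.verify(ecu.challenge(), observed)
```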
Quite a bit of new facts I haven't heard before, Lobuxracer. Especially having the simple fallback RFID built into the Lexus fob.
You're right about the companies involved being tight lipped. Well, except for the companies that make the RFID equipment. They keep (falsely) stating how secure their system is. Apparently, the insurance companies believe them!