Passive Keyless Entry Relay Attack Device

Old 07-26-17, 04:03 PM
  #1  
sparkie001

I thought surely there would be a more recent thread about this but all I could find is one from 2013. Times have changed.

Locked cars are being "broken into" in my neighborhood, 4 last night, without keys or breaking glass. I don't know the makes and models but it got me wondering if my 2010 IS250 is vulnerable.

The keyless entry system (at least in my IS) sends out a 125kHz beacon 4x a second and waits for the fob to respond. When the fob is close enough to "hear" this, it responds on 315 MHz; it turns on the outside rear view mirror lights and then the car is unlocked when you touch the inside of a door handle.

1st Scenario: The thieves are using RF amplifiers to send the 125kHz signal further, in order to reach your key fob inside the house so that it responds and they can unlock the door.
2nd Scenario: If the key fob is too far from the car, say a shopper in a mall vs the parking lot, they use two devices to amplify both the 125kHz and 315MHz signals each way, in order to gain access.
There is no decrypting involved. Only extending the range of the existing systems. Commonly referred to as a Relay Attack Device or Relay Attack Unit.

So my question is: Is this happening to any Lexus owners? Thanks.

BTW one solution is to put the fob in a "Faraday Cage", i.e. a metal box like an Altoids can, when not in use, or use one of the RFID blocking pouches sold online.

Last edited by sparkie001; 07-27-17 at 10:36 AM. Reason: Added Year
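
The two scenarios from post #1, modeled as an added example (not code from any poster or from Lexus). It assumes a generic HMAC challenge-response between car and fob, which the thread does not specify; the ranges and the names `Fob`, `try_unlock` and `scenarios` are constructed for illustration.

```python
import hashlib
import hmac
import os

LF_RANGE_M = 2.0    # assumed reach of the car's 125 kHz beacon (constructed)
UHF_RANGE_M = 30.0  # assumed reach of the fob's 315 MHz reply (constructed)


class Fob:
    def __init__(self, key, receiving=True):
        self.key = key
        # False: fob in a metal tin or blocking pouch, so it never hears the beacon.
        self.receiving = receiving

    def respond(self, challenge):
        mac = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return mac if self.receiving else None


def try_unlock(car_key, fob, distance_m, relay=None):
    # relay: None, "lf" (scenario 1) or "both" (scenario 2).
    challenge = os.urandom(16)  # fresh per beacon
    if distance_m > LF_RANGE_M and relay not in ("lf", "both"):
        return False  # beacon never reaches the fob
    reply = fob.respond(challenge)  # a relay forwards bytes unchanged
    reply_heard = distance_m <= UHF_RANGE_M or relay == "both"
    if reply is None or not reply_heard:
        return False
    expected = hmac.new(car_key, challenge, hashlib.sha256).digest()
    # Proves the fob holds the key; says nothing about how far away it is.
    return hmac.compare_digest(reply, expected)


def scenarios():
    key = os.urandom(32)
    fob, tin = Fob(key), Fob(key, receiving=False)
    return {
        "owner at the door (1 m)": try_unlock(key, fob, 1),
        "fob in house (15 m), no relay": try_unlock(key, fob, 15),
        "fob in house (15 m), scenario 1": try_unlock(key, fob, 15, "lf"),
        "fob in mall (200 m), scenario 1": try_unlock(key, fob, 200, "lf"),
        "fob in mall (200 m), scenario 2": try_unlock(key, fob, 200, "both"),
        "fob in tin (15 m), scenario 2": try_unlock(key, tin, 15, "both"),
    }


if __name__ == "__main__":
    for name, unlocked in scenarios().items():
        print(f"{name}: {'unlocked' if unlocked else 'stays locked'}")
```

The valid reply is computed by the real fob every time, which is why no decrypting is needed, and the only case that stays locked under relay is the fob that cannot hear the beacon.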
Old 07-26-17, 04:55 PM
  #2  
tex2670

Originally Posted by sparkie001
I thought surely there would be a more recent thread about this but all I could find is one from 2013. Times have changed.

Locked cars are being "broken into" in my neighborhood, 4 last night, without keys or breaking glass. I don't know the makes and models but it got me wondering if my IS250 is vulnerable.

The keyless entry system (at least in my IS) sends out a 125kHz beacon 4x a second and waits for the fob to respond. When the fob is close enough to "hear" this, it responds on 315 MHz; it turns on the outside rear view mirror lights and then the car is unlocked when you touch the inside of a door handle.

1st Scenario: The thieves are using RF amplifiers to send the 125kHz signal further, in order to reach your key fob inside the house so that it responds and they can unlock the door.
2nd Scenario: If the key fob is too far from the car, say a shopper in a mall vs the parking lot, they use two devices to amplify both the 125kHz and 315MHz signals each way, in order to gain access.
There is no decrypting involved. Only extending the range of the existing systems. Commonly referred to as a Relay Attack Device or Relay Attack Unit.

So my question is: Is this happening to any Lexus owners? Thanks.

BTW one solution is to put the fob in a "Faraday Cage", i.e. a metal box like an Altoids can, when not in use, or use one of the RFID blocking pouches sold online.

And how do you know about all these "locked" cars being entered without broken glass, but don't know makes and models?
Old 07-26-17, 05:03 PM
  #3  
sparkie001

Originally Posted by tex2670
And how do you know about all these "locked" cars being entered without broken glass, but don't know makes and models?

From posts by my neighbors on nextdoor.com
Old 07-26-17, 08:45 PM
  #4  
sparkie001

A couple examples if you're looking for more info, except of course the non-techy reporters got it wrong in some cases. The info is readily available on the internet so I'm not giving away any secrets...

http://www.usatoday.com/story/money/...reau/95085746/


https://eprint.iacr.org/2010/332.pdf

http://makezine.com/2015/08/14/block...-faraday-cage/

https://www.gizmodo.com.au/2017/05/c...0-of-hardware/

https://www.nytimes.com/2015/04/16/s...c-thieves.html
Old 07-26-17, 11:33 PM
  #5  
Vitveet

I tend not to worry about problems or things I can't control. If thieves are that good and can break into my car and not be caught, more power to them.... guarantee they won't take anything valuable in there. If they steal the car, that's what I pay insurance for.
Way on Earth I'm walking around putting my fob in an Altoids tin can hoping to prevent thieves from picking me off....😏

V.
Old 07-26-17, 11:41 PM
  #6  
sparkie001

Originally Posted by Vitveet
If they steal the car, that's what I pay insurance for.
V.

Don't forget there's usually a deductible. And you don't get full value for a replacement car. You don't walk around with an Altoids can. You put it on your nightstand.
Old 07-27-17, 09:46 AM
  #7  
sparkie001

Originally Posted by PatrixUSA
You might be able to deactivate the fob when not in use... the 3rd gen fob has a battery-saving function that stops the fob from receiving or transmitting - when in this state, the keyless entry will not function, as the fob is essentially dead. I use it when not in use for long periods of time.

Specific to 3rd gen, page 115 in online manual.
When battery-saving mode is set, battery depletion is minimized by stopping the electronic key from receiving radio waves. Press UNLOCK twice while pressing and holding LOCK. Confirm that the electronic key indicator flashes 4 times. While the battery-saving mode is set, the smart access system with push-button start cannot be used. To cancel the function, press any of the electronic key buttons.

The 2010 MY manual lists a battery saving function but different accessibility. Page 34 in 2nd gen online manual. You might try it out.

Nice to know that the 3rd gen has a battery saving function on the fob. I have a 2nd gen. The only real battery saving function is for the vehicle battery. The beacon interval slows down after 10 days, even more after 15 days, and turns off after 30 days per the service manual.

Thanks
Old 07-27-17, 10:13 AM
  #8  
sparkie001

Originally Posted by PatrixUSA
Will your 2 gen fob retain its programming if the battery is removed? If so, and you are that concerned about thieves boosting its signal to unlock your car, maybe just remove the battery so it doesn't transmit... but I'd recommend prior to doing so, making sure your fob does not lose its programming with bat removed. Good luck.

Thanks but it's much easier just to drop the fob into the Altoids box than to remove the battery each night, which would get old quickly <G>.

I'm just asking if anyone has had their car "broken into" without damage, which would possibly indicate that this relay attack method works on a Lexus IS (probably), and trying to warn other owners of the problem. Six people in my neighborhood have now reported the break-ins. And that's just the people that participate on nextdoor.com.

Thanks all...
Old 07-27-17, 10:51 AM
  #9  
LOWFAST

Same thing here, we were robbed (took $1300 in tools) from our garage about a month ago, "broke" into locked cars, no glass or other damage (no signs of forced entry), took garage door openers and let themselves in and proceeded to go shopping in my garage. They were as bold to open the door to the house (which is squeaky) it woke my wife who woke me. They were scared off when they heard me walking around upstairs grabbing a "defensive tool". They got into my Ram, not the ISF, also an RX and new Infiniti across the street and a Chevy truck down the road a bit. Seems locking your cars no longer means jack *****.
Old 07-27-17, 11:22 AM
  #10  
Stormwind

I wonder how the car makes are going to fix this vulnerability?
Old 07-27-17, 06:54 PM
  #11  
sparkie001

A local TV station interviewed one of the victims and made it their "exclusive" <G> lead story. Except that they got some of the technical parts wrong as usual.
Old 07-28-17, 10:51 AM
  #12  
riredale

Nothing is completely impervious, but there are more-important things to think about, relatively speaking. And Oregon, where I live, is a concealed-carry state, if you catch my drift.

Same thing goes for our home. It would be easy to break into, but I don't think you'd really want to.
Old 07-28-17, 06:03 PM
  #13  
tex2670

Originally Posted by sparkie001
A local TV station interviewed one of the victims and made it their "exclusive" <G> lead story. Except that they got some of the technical parts wrong as usual.

"Tune in at 11"? Wow--must be a real breaking story, and not a ratings grabber at all. [yawn]
All times are GMT -7.