Cracking Smart Key


hi there,

My coworkers told me that people can easily crack smart keys by using a handheld device like a Dell Axim or HP.. apparently they did this test where a Mercedes dealer had an unbreakable car where they let people try to break in and this one guy walked up (didn't show what he did) and just opened the door and drove off.. he had the signal from the smart key intercepted onto his PDA and used the signal to open the door..

I don't know if this is true or not.. but if the smart key gives off a wireless signal, then it may be possible?? People do that all the time with garage openers, right?

I figure Lexus is smarter and instituted some security on these smart keys? Anyone have any idea?

Meanwhile, I am staying away from PDAs and Pocket PCs!!!



That's an urban legend. It's no easier than replicating the code your keyless remote sends when you push "unlock".

There's a signal that the car sends out so it knows when the smart key is in range, but when you put your hand behind the door handle it sends out a check which bounces a signal back from the key that is identical to when you simply push "unlock" on your key fob.


I have asked a shop specializing in spare remote controls to make an extra remote so that I can ask someone to clean the inside of my car without authority to start the car. (My old BMW had such a key.)

After much ado, they failed. The key fob remote is actually the shifting-code one. The code it sends is not the same as the previous one. So unless someone can duplicate the full list of codes of the system, nobody can make a replica.

So it is no good to intercept the code sent. That particular code will not work the next instant you try to open the door.
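Why a recorded code is useless the next instant, shown as an added simulation (my own illustration, not anything from the forum or any manufacturer): the fob sends an ever-increasing counter authenticated with a keyed MAC, and the car only accepts a counter newer than the last one it used, within a small look-ahead window for presses made out of range. The HMAC and the window size are assumptions standing in for a real fob's cipher.

```python
import hashlib
import hmac

WINDOW = 16  # presses the car tolerates missing (fob pressed while out of range)


def rolling_tag(key: bytes, counter: int) -> bytes:
    """Keyed MAC over the counter; stands in for the manufacturer's cipher."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class Fob:
    """Transmitter side: every press emits the next counter plus its tag."""

    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> tuple[int, bytes]:
        self.counter += 1
        return self.counter, rolling_tag(self.key, self.counter)


class Car:
    """Receiver side: accepts a code only if it is authentic and newer than the last one used."""

    def __init__(self, key: bytes):
        self.key, self.last_counter = key, 0

    def unlock(self, counter: int, tag: bytes) -> bool:
        if not hmac.compare_digest(rolling_tag(self.key, counter), tag):
            return False  # forged or wrong-key code
        if not self.last_counter < counter <= self.last_counter + WINDOW:
            return False  # replayed (counter already used) or too far ahead
        self.last_counter = counter
        return True


def demo() -> dict:
    key = bytes(range(16))  # constructed demo key, shared by fob and car at pairing time
    fob, car = Fob(key), Car(key)
    captured = fob.press()  # the code an eavesdropper could have recorded
    results = {"genuine": car.unlock(*captured), "replay": car.unlock(*captured)}
    for _ in range(3):  # owner presses the fob a few times out of range
        fob.press()
    results["resync"] = car.unlock(*fob.press())  # still inside WINDOW, so accepted
    for _ in range(WINDOW + 1):  # now jump well past the window
        fob.press()
    results["too_far"] = car.unlock(*fob.press())
    return results
```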


The shifting-code is more commonly known as a rolling-code. The meaning is the same and most wireless devices use this method along with encrypting the data etc… This is especially true for the automotive industry due to the high theft rate in many countries.

The biggest worry for a passive entry system is known as a “relay attack”. Basically thieves work as a team. The first thief will follow the victim away from the vehicle. Perhaps into the mall or whatever…. This thief will have a transmitting and receiving device designed to communicate with the victim’s key fob. This device will also be able to communicate with the second thief who is located near the victim’s vehicle. The second thief will have a similar device that can communicate with the vehicle’s wireless system.

Therefore the second thief can, in theory, gain access to the vehicle using the victim’s key fob even though the key fob is far away from the vehicle by relaying the wireless message.

There is a large delay in communication because the wireless message has to be relayed from the vehicle through two other devices to the key fob and then returned to the vehicle.

The OEMs are well aware of this issue and have taken steps to prevent a relay attack. So I would not be very concerned about security issues on newer vehicles.


According to the technician at the shop I went to, it is more complicated than that. He said that they can handle the rolling-code remotes. The only thing required is a computer connection to the EMU of the car to instruct the car to learn the new key. They tried that with my IS using a Toyota rolling-code chip in the remote and failed. More accurately, they said that it had worked once and only once each time of initiation with the car's computer. So they said that some sort of code shifting mechanism was implemented beyond the usual pseudo-random-number-generator of a Toyota (also older generation Lexus, according to the technician) rolling-code remote control.

In my understanding, the relay attack targets the Smart Access / Start part only. The remote control signal works differently. But I am not sure. To me, the relay attack seems so cumbersome that robbing the key fob would seem a cleaner approach.

Anyway, what I want to say is that it is nearly impossible just to use a PDA, Pocket PC or laptop to crack your key codes.


I agree. As I mentioned, the rolling code is common. It is the encryption of the data that causes trouble for thieves and aftermarket add-ons.

The smart access/start and remote keyless entry (RKE) are interrelated. The RKE is a one-way communication where a radio frequency (RF) signal is sent from the key fob to the vehicle when a key fob button is pressed. The smart access is a two-way system triggered by a switch, i.e. a door handle sensor. When the door sensor is activated the vehicle then sends out a low frequency (LF) signal that tells the key fob to respond with an RF signal. Then the doors are opened if the door handle sensor was the trigger. The engine would start if the engine push button was the trigger etc….
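The two-way smart access exchange described above (door handle trigger, LF challenge out, RF answer back), and the relay-attack delay mentioned earlier in the thread, as an added simulation that is mine and not from any poster or manufacturer: the car issues a fresh random challenge and checks both the answer and the round-trip time, so an authentic answer that arrives too late because it travelled through two relay boxes is refused. The round-trip bound, the latencies and the HMAC are constructed assumptions; the thread only says OEMs have taken steps, not which ones.

```python
import hashlib
import hmac
import os

RTT_LIMIT_US = 300  # constructed bound: genuine LF->RF round trip plus fob processing time


def response_tag(key: bytes, challenge: bytes) -> bytes:
    """Keyed MAC over the car's challenge; stands in for the real fob's cipher."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:8]


class Fob:
    """Passive fob: wakes on the car's LF challenge and answers over RF."""

    def __init__(self, key: bytes):
        self.key = key

    def answer(self, challenge: bytes) -> bytes:
        return response_tag(self.key, challenge)


class Channel:
    """Simulated radio path with a deterministic one-way latency in microseconds."""

    def __init__(self, fob: Fob, one_way_us: int):
        self.fob, self.one_way_us = fob, one_way_us

    def exchange(self, challenge: bytes) -> tuple[bytes, int]:
        # LF out and RF back: the measured round trip is twice the one-way figure
        return self.fob.answer(challenge), 2 * self.one_way_us


class Car:
    def __init__(self, key: bytes):
        self.key = key

    def handle_touched(self, channel: Channel) -> bool:
        challenge = os.urandom(8)  # fresh per trigger, so an old answer cannot be reused
        reply, rtt_us = channel.exchange(challenge)
        authentic = hmac.compare_digest(response_tag(self.key, challenge), reply)
        return authentic and rtt_us <= RTT_LIMIT_US  # right key AND close enough to answer in time


def demo() -> dict:
    key = bytes(range(16))  # constructed pairing key shared by car and fob
    fob = Fob(key)
    direct = Channel(fob, one_way_us=20)  # fob in the owner's pocket beside the car
    relayed = Channel(fob, one_way_us=5_000)  # same fob far away, frames forwarded by relay boxes
    wrong = Channel(Fob(bytes(16)), one_way_us=20)  # nearby fob paired to a different car
    return {"direct": Car(key).handle_touched(direct),
            "relayed": Car(key).handle_touched(relayed),
            "wrong_key": Car(key).handle_touched(wrong)}
```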
