Keyless entry car burglary for 2nd time since 8th April

Mach-Lee

If you live in a high-crime area, I'd recommend not using PAAK, remove the battery from one fob, and keep the other working fob in a faraday box at least 20' away from exterior walls and doors. Do not leave any fobs in the vehicle or garage.

If you've been broken into, the dealer needs to clear out and reprogram your fobs in case they cloned one of them.

RickMachE


the golden eel

Because your phone is broadcasting the key...
I've seen other people saying thieves can't copy your phone's connection to the car like they can with a fob.

A quick Google search after I read Mach-Lee's post earlier didn't give me a concrete answer.
 

Mach-Lee

I've seen other people saying thieves can't copy your phone's connection to the car like they can with a fob.

A quick Google search after I read Mach-Lee's post earlier didn't give me a concrete answer.
The effective range of PAAK is too high, 25' in some cases, so a thief could open your door if your phone was nearby in the house. Bluetooth relay attacks also exist.
 


Schmedlack

The effective range of PAAK is too high, 25' in some cases, so a thief could open your door if your phone was nearby in the house. Bluetooth relay attacks also exist.
Here is an idea..... Enhance the capabilities of a keyfob so that it only transmits when it is in motion. (There are several ways to do this). With this capability, a keyfob will transmit when someone is walking to their car, moving their arm/hand, etc. If the keyfob is in a static position, like hanging on a hook, its little transmitter will be turned off. Has anyone thought about this?
 

Mach-Lee

Here is an idea..... Enhance the capabilities of a keyfob so that it only transmits when it is in motion. (There are several ways to do this). With this capability, a keyfob will transmit when someone is walking to their car, moving their arm/hand, etc. If the keyfob is in a static position, like hanging on a hook, its little transmitter will be turned off. Has anyone thought about this?
Next version will probably have that. Motion sensors are standard on the UK keys already.
 

nuMach

The effective range of PAAK is too high, 25' in some cases, so a thief could open your door if your phone was nearby in the house.
Learned this the first week. Phone is too close to the car, it never locked, and caused other minor issues.
So no PAAK. Not so much for security in my area, but it was 'always on'.
 

MME72BB

The effective range of PAAK is too high, 25' in some cases, so a thief could open your door if your phone was nearby in the house. Bluetooth relay attacks also exist.
Not positive this is correct. PAAK is not broadcasting anything in the traditional sense. It connects to the vehicle using encrypted Bluetooth/NFC (when in range) and enables communication between the app/phone and vehicle. You would need to gain access to the user's device or stand right next to them while using PAAK. As an extra layer of protection, I typically close the Ford Pass app at night and turn off NFC / Bluetooth. 99% of modern vehicle thieves are using an RFID relay attack to gain entry and copy the keyfob code.

With that said, I would love confirmation from Ford Engineering.
 

Mach-Lee

Not positive this is correct. PAAK is not broadcasting anything in the traditional sense. It connects to the vehicle using encrypted Bluetooth/NFC (when in range) and enables communication between the app/phone and vehicle. You would need to gain access to the user's device or stand right next to them while using PAAK. As an extra layer of protection, I typically close the Ford Pass app at night and turn off NFC / Bluetooth. 99% of modern vehicle thieves are using an RFID relay attack to gain entry and copy the keyfob code.

With that said, I would love confirmation from Ford Engineering.
I mean, I've personally verified the doors unlock with my phone a measured 20' away from the car. The exact cutoff distance depends on your phone model.

The Bluetooth relay attack does not break encryption, it simply rebroadcasts the packets unchanged so it appears the phone is closer to the car than it actually is. The amount of latency the system allows is critical, and with opening success 20' away there's some time to work with. Tesla PAAK has for sure been hacked (there are videos), I'm not sure if Ford's PAAK is any more robust or not.

Let's say your bedroom is right above the garage and you leave your phone on the nightstand at night. That could be closer than 20' from the car, so anybody can just come up, press the button on the door, and it will open. Starting the car would be more difficult, but with relay attack equipment they can rebroadcast the signal inside the car to start it.
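
The point made in the post above, that a relay passes the cryptographic check untouched and only the latency allowance can catch it, shown as an added example that is not part of the original post and not Ford's or any vendor's code. The key, the delay figures and the `MAX_RTT_MS` budget are constructed values for illustration, not measurements of any real system:

```python
import hashlib
import hmac
import os

KEY = os.urandom(32)   # constructed secret shared by phone and car
MAX_RTT_MS = 8.0       # hypothetical round-trip budget enforced by the car


def phone_respond(challenge: bytes) -> bytes:
    """Phone proves it holds the key by MACing the car's challenge."""
    return hmac.new(KEY, challenge, hashlib.sha256).digest()


def exchange(link_ms: float, relay_hops: int = 0, hop_ms: float = 0.0):
    """Model one challenge/response; returns (response_valid, rtt_ms).

    A relay forwards both packets unchanged, so the response is still
    valid. Its only observable effect is the extra delay per hop.
    """
    challenge = os.urandom(16)
    response = phone_respond(challenge)            # passes through any relay as-is
    expected = hmac.new(KEY, challenge, hashlib.sha256).digest()
    valid = hmac.compare_digest(response, expected)
    rtt_ms = 2 * (link_ms + relay_hops * hop_ms)   # delay applies in both directions
    return valid, rtt_ms


def car_decision(valid: bool, rtt_ms: float,
                 max_rtt_ms: float = MAX_RTT_MS,
                 enforce_timing: bool = True) -> str:
    """Car-side policy: check the MAC, then optionally bound the round trip."""
    if not valid:
        return "reject: bad response"
    if enforce_timing and rtt_ms > max_rtt_ms:
        return "reject: response too slow"
    return "unlock"


if __name__ == "__main__":
    direct = exchange(link_ms=2.0)                            # phone next to car
    relayed = exchange(link_ms=2.0, relay_hops=2, hop_ms=10)  # two relay boxes
    print("direct, timing enforced: ", car_decision(*direct))
    print("relayed, crypto only:    ", car_decision(*relayed, enforce_timing=False))
    print("relayed, timing enforced:", car_decision(*relayed))
    print("relayed, loose budget:   ", car_decision(*relayed, max_rtt_ms=100.0))
```

The last case is the one the post warns about: with a generous latency allowance the relayed exchange is indistinguishable from a nearby phone.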
 

MME72BB

I mean, I've personally verified the doors unlock with my phone a measured 20' away from the car. The exact cutoff distance depends on your phone model.

The Bluetooth relay attack does not break encryption, it simply rebroadcasts the packets unchanged so it appears the phone is closer to the car than it actually is. The amount of latency the system allows is critical, and with opening success 20' away there's some time to work with. Tesla PAAK has for sure been hacked (there are videos), I'm not sure if Ford's PAAK is any more robust or not.
Does it switch to NFC to start the car? That would require much closer range. The Tesla hack requires the device to be unlocked, open and actively next to the hacker. Unless something has changed….
 

Mach-Lee

Does it switch to NFC to start the car? That would require much closer range. The Tesla hack requires the device to be unlocked, open and actively next to the hacker. Unless something has changed….
No, NFC is not used by Ford. BLE only. Phone does not need to be unlocked for the hack to work, if it's sitting close enough on your nightstand they can get it to work. Their relay device was 23' away from the phone in a different room.

https://www.theautopian.com/researc...k-that-allows-cars-to-be-unlocked-and-driven/
 

DevSecOps

In my humble opinion you should probably be using PaaK instead of a key FOB. Remove the batteries completely from the FOB and stash them away.

While BLE can be relayed with tools like GATTacker, and can even be done across the globe with a VPN in the middle, it's not the low-hanging fruit and it's much easier to target RF-based FOBs. The tools they use are different and they're not carrying around a whole arsenal of tools. Additionally, if 95% of vehicles are using FOBs vs 5% which use BLE (guesstimates), most thieves will go for the 95% because they will have a higher success rate. It's a crime of opportunity and I doubt you're specifically being targeted.

Furthermore, these attacks normally take 2 people. One located near the key and one located near the car. If you park your car away from your residence it's not likely that they would know to go 2 houses down, for example, for the car parked in front of a house that's not yours. Again, it's a crime of opportunity. Most of the time they send one person to the house and the other stands at the cars in front of the house. If a car lights up, bada-bing they're in.

Lastly, key FOBs don't get updates, like ever... Texas Instruments (as one example) has put out advisories, updates and CVEs exist for BT/BLE vulnerabilities in regards to relaying of automobile keys. Manufacturers can update the car. Phone manufacturers can update BT radio firmware and PaaK applications can also be modified to help thwart attacks. I'm not saying this always happens but there's a higher likelihood that your phone and car will get updates before your key FOB.

If you do go the PaaK route you can use apps like Tasker to create rules - If entering home proximity from outside of home proximity then disable Bluetooth. In the morning you turn on BT and off you go for the day. Or even use a rule to turn off BT when charging, or get an NFC chip and tap your phone to turn on and off BT with a rule. Make it easy so you don't forget. But my guess is that it's an RF-based attack and you don't even have to worry about turning on/off BT.
 

phil

Or you could just enter codes to unlock the door and start the car. It would be relatively easy to read the door code, if someone were trying to do that, but the start code would be harder. A little inconvenient, but safer?

I'm just gonna keep using the phone key.
 

GRAS-E

You reprogrammed your 5 digit door code from the factory one, or whatever it was last time it was broken into, yes?
Yes, I did. Ty