Key Fob Sleep Mode - You're going to LOVE this!

[FleshTuxedo]

Brave man. Kiestering your Fob.

Sponsored

 

[Tex]

I'm not twerking, just trying to get the remote start going

 

[KyTruckPlant]

Ford key fobs have some serious rolling codes. Nobody in the locksport/pen testing communities that I'm a part of have been able to duplicate the code more than once, even with vehicles that are over a decade old or more at this point. They could get a signal to replicate your key long enough to open the door, but if they ask the vehicle to do anything beyond that like starting it, they need another code generated for that operation. When you unlock the door, the vehicle tells the fob to roll to the next code, and that last code is no longer valid. When you hit the start button, the vehicle tells the fob to roll to the next code with its own rolling code, then listens to the fob for that next code that should match the same encryption, and until it does, it'll give you the no key detected message. It's a two-way encrypted signal. What that means is they would have to replicate the first code that the key fob announces to unlock the door, not terribly difficult if the fob is in your pocket and you're walking away, I've personally done it with my own stuff. In order to start the vehicle, they would have to spoof your vehicle's query signal (an encrypted rolling signal itself) to make the key fob generate another encrypted code to start it, out of range of the vehicle itself (if the vehicle hears it, then the code they swiped is useless to them). Once they have that code, they would need another one to take it out of park and drive it...you see where this is going.

Someone would not only require the hardware to intercept your fob but also the ability to start two-way encrypted communication with the fob without you or your vehicle knowing, and then some rather high end software in order to crack the encryption from only two intercepted codes. It would be a little easier if there were more than two codes to work with, but getting those extra codes is its own challenge. That's a nearly insurmountable task, but somewhere, someone out there may be working on a way to do it or find some other exploit to use. The odds really are in your favor though, especially given the fact that the fob is not constantly transmitting (Ford does this to save battery life, but it just so happens that it also aids in security). There are far more exotic and expensive vehicles to steal than yours if they're going through that kind of trouble. Honestly it's probably a lot easier to gain physical access to your cell phone and get your FordPass credentials installed on their phone, compared to cracking a key fob.

The more likely scenario is that someone would be working at Ford in a rather shady or unsecure dealership, and is able to program a fob by VIN without having one of the fobs available. Or, someone gains access to that software via Ford and pulls your code from their database. Your vehicle security is only as good as the most vulnerable dealership in the country, and only as good as the database your codes are stored on. But at that point, it wouldn't do you any good to hide your fob in a faraday cage regardless, as they wouldn't need your fob for anything at that point. Chances are, this is how people are stealing vehicles without keys or key fobs, not by spoofing or cloning existing fobs.

The keypad is technically a vulnerability, given how you can literally just rip it off the vehicle and take it home to play with at your discretion, but it's only useful for unlocking doors. It won't provide codes that can be used to start the vehicle as that's a separate signal that they'd have to decode too.

TL;DR no, don't bother with a faraday cage unless it compliments your tinfoil hat. And if you find that your keypad was ripped off your Bronco, maybe contact your dealership about what kind of security measures they could take in response.

Finally! Someone explaining this in a language I can understand.

 

[daddycreswell]

I can leave my fob in my pocket and still not be able to unlock my doors, extended range my ass.
Well...it probably is my ass getting in the way, but still.

I have to turn to the same side of the pocket that my keyfob is in for mine to unlock. I switch it up every time, I don't want to be predictable. Someone might be watching....

 

[tock13]

Absolutely love the bronco but this post makes walking to my ‘94 Toyota pickup, sticking the key in the door lock then in the ignition to start it all the sweeter. No OTA blowups, no key fob in tinfoil, hell it is not even OBD II.

 

[userdude]

Finally! Someone explaining this in a language I can understand.

 

[userdude]

Absolutely love the bronco but this post makes walking to my ‘94 Toyota pickup, sticking the key in the door lock then in the ignition to start it all the sweeter. No OTA blowups, no key fob in tinfoil, hell it is not even OBD II.

Well, my 98 Silverado had higher insurance because I lived near a city (Dallas) AND it was the easiest car to steal for like a decade. It's more a wonder the new tech works at all than that it allows miscreants to steal your stuff.

 

[vrtical]

Absolutely love the bronco but this post makes walking to my ‘94 Toyota pickup, sticking the key in the door lock then in the ignition to start it all the sweeter. No OTA blowups, no key fob in tinfoil, hell it is not even OBD II.

I can say the same thing about my 1986 mustang, but you can steal it with a screwdriver.

 

[Who iz]

Admit, my perspective is jaded. Have had one of my trucks stolen and I am now always on point.
Perhaps it would it be Ideal if Ford or someone designed a fob that the battery would only be engaged by the owner only as it is needed. Simply further limiting the risk of the fob transmitting (and being hacked), when the owner is moving/carrying it. Likely preventing scum from potentially entering your truck, and even extending battery life?

This quote from Tex is tweaking my PTSD:

"The more likely scenario is that someone would be working at Ford in a rather shady or unsecure dealership, and is able to program a fob by VIN without having one of the fobs available. Or, someone gains access to that software via Ford and pulls your code from their database. Your vehicle security is only as good as the most vulnerable dealership in the country, and only as good as the database your codes are stored on. But at that point, it wouldn't do you any good to hide your fob in a faraday cage regardless, as they wouldn't need your fob for anything at that point. Chances are, this is how people are stealing vehicles without keys or key fobs, not by spoofing or cloning existing fobs."

 

[jxc]

Ford key fobs have some serious rolling codes. Nobody in the locksport/pen testing communities that I'm a part of have been able to duplicate the code more than once, even with vehicles that are over a decade old or more at this point. They could get a signal to replicate your key long enough to open the door, but if they ask the vehicle to do anything beyond that like starting it, they need another code generated for that operation. When you unlock the door, the vehicle tells the fob to roll to the next code, and that last code is no longer valid. When you hit the start button, the vehicle tells the fob to roll to the next code with its own rolling code, then listens to the fob for that next code that should match the same encryption, and until it does, it'll give you the no key detected message. It's a two-way encrypted signal. What that means is they would have to replicate the first code that the key fob announces to unlock the door, not terribly difficult if the fob is in your pocket and you're walking away, I've personally done it with my own stuff. In order to start the vehicle, they would have to spoof your vehicle's query signal (an encrypted rolling signal itself) to make the key fob generate another encrypted code to start it, out of range of the vehicle itself (if the vehicle hears it, then the code they swiped is useless to them). Once they have that code, they would need another one to take it out of park and drive it..

+1 insightful. Somebody must have slept at a Holiday Inn last night!

 

[userdude]

I can say the same thing about my 1986 mustang, but you can steal it with a screwdriver.

How about a rum and coke? Do you keep in one hand or can you set it down? I got questions! lol

 

[Ground_zero298]

I know my bronco key does not have a sleep mode. It’s always active and the range is minimal for key recognition to start it.

My suburban does have key sleep and it’s annoying as shit. Leave the keys in that one 90% of the time. Have to physically shake it to wake it up to start the truck. Truck sees the key is in it but it has to be moved to activate.

 

[Tex]

Absolutely love the bronco but this post makes walking to my ‘94 Toyota pickup, sticking the key in the door lock then in the ignition to start it all the sweeter. No OTA blowups, no key fob in tinfoil, hell it is not even OBD II.

OTA stuff aside (you can disable that), I prefer having all of that complicated security crap on my Bronco because the chances of it being stolen via security weaknesses are beyond the ability of most defcon speakers and beyond the ability of virtually anyone that wants to steal it. Older Toyotas are fantastic vehicles to practice locksport on though, because picking is all you need to gain complete access. The tolerances and bitting are good for a beginner to learn how to pick with both traditional picks as well as a Lishi tool, and I actually have a Lishi that'll fit your truck. It would take me about 5min to drive off without damaging anything or leaving any trace that it was picked. Plus, once I get an open, I now have your bitting, and I could find a quiet spot to cut myself a spare key with my nipping pliers in another 5min, giving me persistent access any time I want it. I'd go up to the door, unlock it without opening the door, copy the bitting, lock it back again, and leave. Later on when conditions were good I'd come back with a freshly made key and drive away. It's so ridiculously easy to steal a non-electronic vehicle that it's surprising any are left.

Another good example of relying on purely physical security is the Kia Boys exploit, where it was found that all you need to start and drive an embarrassingly huge number of Kia models is a USB drive to replicate an unlocked ignition (not electronically, just the physical size of the USB-A plug is a perfect match). They pop a panel underneath the steering column, pushed a button to pop the ignition core out, and then inserted the USB dongle into the rectangular cutout like a key.

It's a real give and take relationship...the more secure your vehicle is, the more likely it's going to integrate some sort of electronics as an added layer of protection. The more electronics, the more stuff that can go wrong, the more potential exploits it has that the average person can't protect against. If an exploit were to be found in the Bronco, giving someone else the ability to unlock my vehicle electronically, I'd be out of my element and incapable of addressing it. Aside from installing some relays or switches that I could covertly activate to power the fuel pump or some other critical component, my only hope would be that Ford steps up and fixes the problem before it gets stolen. An unused aux switch would be decent for that purpose.

 

[userdude]

... beyond the ability of most defcon speakers...

Ooh, where do I pick those bad boys up?!? My speakers are wankers.

But for real, you're right. The real trick is getting/keeping it all working long term; most criminals will want to move on, or (maybe) an insider threat leads to some scheme that the car companies want to cover up for liability reasons.

 

[helifino16]

Lately, if you want a 'steal-proof' vehicle, I've heard that a Manual Transmission defeats more than half the criminals - lol. Google "Manual Transmission defeats car thief" - too funny

Sponsored