Keyless Entry hack affecting Mazda CX-5?

Just read a Wired.com article about a keyless entry/ignition vulnerability for the CX-5.

http://www.wired.com/2016/03/study-finds-24-car-models-open-unlocking-ignition-hack/

Anyone heard of this before? I don't think I want to build a Faraday cage for keyfob storage. :(

Yes, we are all so concerned about this we remove our key-fob batteries as soon as we arrive at our destination.

Not one of us is brave enough to leave the fob battery installed unless we are actually getting ready to drive the car. Fortunately, this simple precaution has been 100% effective as none of us forum members have had their CX-5 stolen. (spin)
 
says ADAC researcher Arnulf Thiemel. As it is, he says, the devices are simple enough that “every second semester electronic student should be able to build such devices without any further technical instruction.” for only $250" .... bad news for sure. My friend said I should lock the car manually when at the store because they can pick up the signal and copy it when you hit the lock button on the FOB and then come back
 

Dang, you had me there for a second!! Ha. That's why I didn't buy the GT with leather, so you high-end CX-5 guys can worry about it!!!
 
I don't remember the details, but it seems that if the battery in the fob dies, you can just bring the fob really close to the ignition button to start the car. For those of us with a 3rd-party remote (e.g. part of a remote starter like Compustar or Viper), we probably don't use the Mazda fob as often, especially since the 3rd-party one has more range and 2-way confirmation. That makes me wonder if I can just remove the battery from the Mazda fob, use the 3rd-party one for locking/unlocking instead, and bring the Mazda fob close to the button when I want to start the car. That might minimize the mentioned risk, until they publish how to hack the 3rd-party one, or the guy/gal sitting next to me on the bus has an RFID reader in his/her pants pocket.

EDIT: Related thread on the key fob and battery:
http://www.mazdas247.com/forum/showthread.php?123814929-Key-Fob-Battery

Also, the devices cost only $17 last year:
http://www.techlicious.com/blog/toyota-prius-smart-key-hacking-remote-keyless-entry-thief/
 
I removed the battery from the Mazda fob and tried to use it like that for the whole afternoon. Things worked as expected: use the Compustar remote to lock/unlock, use the end of the Mazda keyfob to press the Start button.

The only two things that affect me are the inconvenience of having to pull the fob out of my pocket to push the start button, and that the tailgate requires unlocking the doors in order to open. Actually, I've been concerned about the tailgate being so convenient that anyone can open it when I'm near the car, even if the doors are locked. Also, it's been discussed here before how to prevent a "cat" from jumping into the car without permission, so removing the fob battery at least would prevent the tailgate attack (and is also likely to disable the request switch on the front doors).

At this point, I'm too lazy to pull the Mazda fob out of my pocket to start the car, and haven't heard much about cars being stolen with this amplification method, so the battery is staying in. As soon as I feel the balance has shifted, the battery can be out in 30 seconds.
 
If I get paranoid, I may wrap my fob in AL foil to go with my Aluminum hat. Ha

 
Wouldn't using the door button stop someone from stealing the signal/code?

Probably not. When you press the request switch on the door, the car sends the signal to the keyfob asking for authentication, and the keyfob would send the verification back if it's within range.

This is probably how the amplification method works:
- attacker puts transceiver #1 near the car
- attacker presses the request switch on the door
- the car broadcasts authentication request, attacker's transceiver #1 listens to the signal, relays to transceiver #2 near the key fob, which would relay to the key fob
- the key fob sees the request from transceiver #2, replies with a verification which transceiver #2 would catch, then relay back to transceiver #1, which would relay back to the car
- car receives verification from transceiver #1, unlock door
- same thing with starting the car

The scenario probably would look like this: you park your car, lock the door, and as soon as you walk away, one person will sneak in next to your car (perhaps on the other side) with transceiver #1, while another person would walk next to you with transceiver #2. The first person will press the request switch on the door to unlock it, then will climb in, start the car, and drive away. If the range of the transceivers is good (300ft+), you probably won't even notice your car is being driven away.

If you remove the battery from the key fob, the request switch won't work as the key fob cannot reply back to the car, thus you would then have to pull the physical key out of the fob and unlock the door the old way. But that's also how to prevent the amplification method, as the key fob wouldn't be able to respond to transceiver #2 either.
 
I thought the verification changes like every few seconds after the car receives the authentication request. I heard something about a student who unlocked a BMW car with this thing a few years ago; I doubt they can still do that right now.
 
Besides, who would want to steal a Mazda when they can steal a much better car like a BMW, Mercedes, Audi, or Lexus? As far as I know they all have keyless entry systems.
 
Yes, they probably use rolling code, but this is not a store-and-use-later attack like the garage hack that jams the signal, tricking the owner into pressing the request twice. This is instant relay. It works similarly to how you use a Wi-Fi repeater to extend the range of your home wireless network.
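
The distinction drawn in the posts above between a stored code and an instant relay can be modeled in a few lines. This is an added example, not part of the original posts and not Mazda's actual protocol: it assumes a generic HMAC challenge-response, a constructed key, and illustrative timing numbers. The round-trip limit is an assumed countermeasure the thread does not discuss, included to show what a car-side check would have to measure.

```python
import hashlib
import hmac
import os

KEY = b"constructed-demo-secret"  # constructed shared secret (assumption)
MAX_RTT_MS = 2.0                  # assumed limit for a fob that is really nearby
UNLOCKED = "unlocked"
STALE = "rejected: response does not match the pending challenge"
TOO_SLOW = "rejected: reply took too long for a nearby fob"

class Fob:
    def respond(self, challenge):
        # The fob answers whatever challenge reaches it, relayed or not.
        return hmac.new(KEY, challenge, hashlib.sha256).digest()

class Car:
    def __init__(self, check_rtt=False):
        self.check_rtt = check_rtt
        self.pending = b""

    def new_challenge(self):
        self.pending = os.urandom(16)  # fresh per request, like a rolling code
        return self.pending

    def verify(self, response, rtt_ms):
        expected = hmac.new(KEY, self.pending, hashlib.sha256).digest()
        self.pending = os.urandom(16)  # each challenge is single use
        if not hmac.compare_digest(expected, response):
            return STALE
        if self.check_rtt and rtt_ms > MAX_RTT_MS:
            return TOO_SLOW
        return UNLOCKED

def owner_at_door(car, fob):
    return car.verify(fob.respond(car.new_challenge()), rtt_ms=1.0)

def stored_response(car, fob):
    # Store-and-use-later: an old, already used response is presented again.
    old = fob.respond(car.new_challenge())
    car.verify(old, rtt_ms=1.0)        # the owner's legitimate unlock
    car.new_challenge()
    return car.verify(old, rtt_ms=1.0)

def relayed(car, fob, link_delay_ms=5.0):
    # Instant relay: the same bytes pass through both transceivers unchanged,
    # so only the elapsed time differs from the owner standing at the door.
    response = fob.respond(car.new_challenge())
    return car.verify(response, rtt_ms=1.0 + 2 * link_delay_ms)
```

Freshness alone stops the stored response but not the live relay, because the fob itself computes a valid answer to the current challenge; only a check on something the relay changes, here the elapsed time, tells the two apart.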
 
Take your box, keys within, and stand next to the locked driver's door. Does it open? Should simulate what these folks are doing and if the box is effective.

Not necessarily. They could be using receivers that are more sensitive and emitters that are more powerful than the ones on the car, so they might get through the box even if the car can't.

In any case, I have way too much to worry about in my everyday life to give even a second of thought to this non-issue.
 
Thank you kindly for that thorough explanation.
 
