I received this e-mail from a co-worker this morning. I don’t think it will work, so I’d like to do a test – Jon is particularly good at locking his keys in his car (he managed to do so on Saturday, while driving it, which is quite impressive), so perhaps he’d try this out for me:
> Apparently this works. Good to remember
>
> This only works if your car has remote controlled locks. Also
> you need a CELL PHONE handy at your car.
> Ever lock your keys in the car? If you lock your keys in the
> car and the spare keys (remote) are home, call someone at home on
> your
> cell phone.
> Hold your cell phone about a foot from your car door and have
> the other person at your home press the unlock button on the remote,
> holding it near the phone on their end.
> Your car will unlock. Saves someone from having to drive your
> keys to you. Distance is no object. You could be hundreds of miles
> away,
> you can reach someone who has the other “remote” for your car,
> you can unlock the doors (or the trunk!)
>
> Editor’s Note: * It works fine! We tried it out and it
> unlocked our car over a cell phone!)
I think this is a hoax – as I understand it, these remote central locking devices send a radio signal, not an audio signal (capable of being carried over a telephone). And before anybody suggests ultrasonic, remember that telephones – and particularly mobile telephones – have a low dynamic range, designed to cater for the human voice (ever noticed how shit music sounds over a mobile phone): this is the same reason that conventional modems can’t be used on a mobile. But now I’m curious, so somebody try it and tell me what happens.
Car alarm key fobs generally have two different methods of operating. One is an infra-red LED in the keyfobs, which pulses the light at a reciever normally mounted where the rear-view mirror is. The other (more common) type uses RF energy (i.e radio waves) just like FM radio, etc. These are more common as there was an unfortunate series of car thefts associated with people using things like auto-learning remote controls to copy the IR pulses, then beam them back to the waiting BMW…
In the UK there are various slices of spectrum allocated to these kinds of devices. I think you will find that most are in the 250Mhz to 455Mhz range. There are several systems in use, fixed code (where the number sent each time is the same) or the more cunning rolling code system. Landrovers / Rovers / I am guessing things like BMW now use this kind of code. This means a replay attack becomes technically infeasable (assuming the algorithm is good and the system isn’t equipped with a soft fallback option – but this is probably getting boring now) so you can’t record the keyfob and just play it back using a digital scanner.
I heard recently that a new Chrystler (I think it was) uses SMS to unlock / start the car. The owner just sends a text (presumably with a password) to their car… Not a bad idea on a cold winters day when you want the engine / car warm before you go…
I suspect this will become common in top end cars, but I suspect that bluetooth might replace some of these kayfob units. It is almost certainly more secure still than even the rolling codes, and has the advantage that you can potentially integrate it in to mobiles etc. Not sure on that one – manufacturers are likely to be reticent to “hand over” security to anything they haven’t built.