Critical security issue - should I or should I not expose it?

bmninada (Contributor) - 2016 CX-5 AWD GT+iActive Soul Red
Before anyone says anything, I called Mazda US and dropped them an email too. Other than the automated response, I got nothing back. Already 3 or 4 days now. Explained everything.

Bottomline: A guy in front of me started my car in 3 min flat, after entering my car. Yes, I did use the key fob to get him entry into the car but everyone knows how easy it is to jimmy the doors, to get in. The MEAT of the security lies in the immobilizer. He circumvented it in 3 minutes flat.

I want to share what he did but at the same time, it's visible to all. However, time and again it's seen that unless someone actually publishes the flaw on the WWW, no one cares to take any action.

Let me know your thoughts.
 
" A guy in front of me started my car in 3 min flat"

What does that mean?

Did he bash your column with a hammer?

What is the premise of the story? Did he offer to start your car?
 
Doesn't seem too surprising. I accidentally found out how to start the acc with the key nowhere in sight.
 

What are you trying to say?? You've posted a lot recently, often on odd or unusual or dramatic topics. I'm not judging, just making an observation. You won't be taken seriously without some level of detail.
 
I checked my mail and Mazda did not respond. So here's the how part:

Assume you're connected using Mazda Remote - key-fob OR Mobile. It's REGISTERED to your car. So, when you press the button/screen it sends "whatever" to transmitter. Transmitter's INPUT side is coupled exclusively with that item and so transmitter recognizes it as authentic. Now, here's where the security chain breaks. Transmitter's OUTPUT side, sends a set volt(?), shorts(?), series of signals(?) into the coupler of the car to which it's connected. The white 3-prong connector - passenger side.

What this guy did was jury-rig that coupler and send the same set of output. The car immediately started. He would not tell me what he sent, but he said anyone with a decent measuring tool can capture the transmitter's output when it's sending by removing the connection from the white jack and connecting it to his/her tool box. Once done, it'll work across ALL CX(x) series. What he said is that's why the remote key-fobs are so expensive @ Mazda. They have all the security logic; the transmitter's rather dumb.

BUT: I know after I have remote started the car, as soon as I open the door, the car shuts down. Here however, he was already INSIDE the car. So, that security feature he was able to bypass. Then, I also know as soon as you press the brakes, the remote thing should stop. This I don't know what he did, since I forgot to ask.
 
The thing that bothered me is the hood switch. I know I have it since when I bought it the dealer had it installed for free (just the hood switch). However, in the US that's not the case, generally, until and unless you opt for remote start. Now, in reference to various threads here and elsewhere - I believe if that's NOT installed, or not installed correctly - the car refuses to start up remotely. So, this whole bypass thing by default will work in non-US cars which have the hood switch installed, but for US cars: I'm not sure.
 
Only in New Jersey I guess :)) So the bad guy needs to understand the system and have/make a home-made gadget to circumvent the security system. I don't see this as unusual in the way any vehicle is stolen today so, what is the point of the complaint? Ed
 
Any kind of system like this can be circumvented, somehow. Sounds like this requires some specialized knowledge and tools.
 
This seems to be similar to how a remote starter kit works (starting the car but still needing the key fob to drive away)? I also see this as being similar to the relay attack, where the attacker jams and captures the signal, then replays it later:
http://www.mazdas247.com/forum/show...nlocks-cost-cars-and-many-garage-door-openers

Somebody please shine some more light/details into this scenario.
 
The FOB uses a rolling code, so can't be intercepted in the air and repeated to get in the car. This guy had to get inside the car, without tripping the alarm, and then plug his box into wiring to bypass FOB input. Pretty sure if you set off the alarm, it won't start without keyfob to turn off alarm.

In the unlikely event you leave it unlocked, a person with a magic box could steal your car.
Not very likely.
 
There's NO alarm in US versions. Opening the door is a piece of cake. After that it literally took him less than 3 min to start the car. Yes: the FOB has a rolling code, etc., etc., but the bottom line is he circumvented all of that.
 
Bottomline: A guy in front of me started my car in 3 min flat, after entering my car. Yes, I did use the key fob to get him entry into the car but everyone knows how easy it is to jimmy the doors, to get in.

Here you imply this hack would work if the big bad guy simply jimmied your door to gain entry.

But in your following post you appear to say that the remote transmitter needs to be in range and activated by a button press. I fail to see how this is a real problem like you imply. The real security threat is an attacker gaining physical entry to your car and waiting for you to arrive and raping/kidnapping/robbing and/or forcing you to drive somewhere else. This requires no computer wizardry, just common burglar tools. But this is easily circumvented by simply checking your vehicle for unauthorized occupants before entering. And this is true for ALL vehicles.


Let me know your thoughts.

(shrug)...(yawn)...(sleep)
 
Rolling codes can be intercepted and jammed, then spoofed. The way I've read it works like this, IIRC: press the button on the fob; an interceptor grabs what's transmitted, then jams the signal so the car does not receive it. The person pushes the fob button again; the interceptor records the second code but sends the car the first. The car unlocks, but the interceptor has a second code it can always use as long as it is turned on.
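To make the jam-and-replay description above concrete, here is an added simulation (not from the forum or any Mazda component) of a rolling-code receiver: a counter-based code, an acceptance window, and the two properties that matter for defence. A replayed code is rejected, the held (never-delivered) code is still accepted, and it dies as soon as the owner's next press reaches the car. The key, window size and HMAC construction are constructed stand-ins, not a real fob protocol.

```python
import hmac
import hashlib

KEY = b"constructed-demo-fob-key"   # shared fob/car secret (constructed)
WINDOW = 16                         # how far ahead of the last counter the car accepts

def make_code(counter: int) -> bytes:
    """Fob side: counter || MAC(counter). Real systems encrypt the counter;
    an HMAC tag is a stand-in with the same 'one-time, ordered' property."""
    ctr = counter.to_bytes(4, "big")
    return ctr + hmac.new(KEY, ctr, hashlib.sha256).digest()[:8]

class Receiver:
    """Car side: accepts a code only if its MAC is valid and its counter is
    newer than the last accepted one but within WINDOW of it."""
    def __init__(self) -> None:
        self.last = 0

    def accept(self, code: bytes) -> bool:
        ctr = int.from_bytes(code[:4], "big")
        expected = hmac.new(KEY, code[:4], hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, code[4:]):
            return False                      # forged or corrupted
        if ctr <= self.last or ctr > self.last + WINDOW:
            return False                      # replay, or too far ahead
        self.last = ctr
        return True

def jam_and_replay_scenario() -> dict:
    """Two presses jammed and captured; attacker forwards the first,
    keeps the second. Returns what the car accepted at each step."""
    car = Receiver()
    c1, c2 = make_code(1), make_code(2)       # captured presses, never heard by the car
    return {
        "first_forwarded": car.accept(c1),    # True: owner sees the car unlock
        "replay_c1": car.accept(c1),          # False: already consumed
        "held_c2_works": car.accept(c2),      # True: the held code is still live
    }

def owner_press_invalidates() -> bool:
    """Mitigating fact: once a newer press reaches the car, the held code expires."""
    car = Receiver()
    c1, c2, c3 = make_code(1), make_code(2), make_code(3)
    car.accept(c1)                            # forwarded by the attacker
    car.accept(c3)                            # owner's next press reaches the car unjammed
    return car.accept(c2)                     # False: counter 2 is now behind
```

The second function is why "as long as it is turned on" is really "until the owner's next press gets through": the window only moves forward, so any protection that shortens that interval (or binds codes to time) limits the held code's usefulness.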
 
This seems to be similar to how a remote starter kit works (starting the car but still needing the key fob to drive away)? I also see this as being similar to the relay attack, where the attacker jams and captures the signal, then replays it later:
http://www.mazdas247.com/forum/show...nlocks-cost-cars-and-many-garage-door-openers

Somebody please shine some more light/details into this scenario.

Absolutely correct. But - in pre-2016 models, you can drive the car away without the key fob present. In my 2016 - it says key fob not detected and does not allow moving the gear from P. There's a thread here somewhere where this is covered, as to how someone (a spouse) drove away and then he had to rush to give her the key fob.
 
Rolling codes can be intercepted and jammed, then spoofed. The way I've read it works like this, IIRC: press the button on the fob; an interceptor grabs what's transmitted, then jams the signal so the car does not receive it. The person pushes the fob button again; the interceptor records the second code but sends the car the first. The car unlocks, but the interceptor has a second code it can always use as long as it is turned on.

Yes, but it's not easy; tools and instruments are hard to come by. This one is extremely simplistic.
 