GolfGTIforum.co.uk

Model specific boards => Golf mk8 => Topic started by: fredgroves on 27 April 2021, 13:08

Title: Keyless entry - security description and fix for it not working
Post by: fredgroves on 27 April 2021, 13:08
So we all know keyless is a massive security risk.... strap in for Fred's latest homework briefing.... (thanks Massimo for the pointers!)

Loads of cars are stolen using what is called a "relay attack", which basically is a highly sensitive receiver placed on your front door that picks up your key and forwards your key's signal to another piece of kit (over a radio link) held next to your car. The car thinks the key is present and lets the bad guys unlock, enter and start your car.

It's been going on for a few years, the kit is widely available to do it. Using it doesn't take genius, it's no more difficult to use than the key itself. These aren't clever guys, these are just users of a tool.

On the Mk7/7.5 you are best off disabling it with OBD11 or risk losing your car.

On the Mk8 you can disable it in the menu - much easier!

But should you?

Let me explain how it works on the Mk8.... here is a slide from the VW self study guide on the Mk8:

(https://i.postimg.cc/nzBZkXzk/keyless.jpg) (https://postimg.cc/mzL0Z27z)

What are the mysterious green things that offer "break-in protection"??

Well they are Ultra Wide Band (UWB) sensors. Your key also has UWB.

There are no low tech motion sensors in your MK8's key. That is old skool basic security, this is much more!

What UWB does is to provide highly accurate, tamper hardened range detection.

It means that the car knows where the key is - down to about 10cm. If the key is not present in those green zones, it will not work.

A company called NXP made this for VW.

Here are their slides:

https://media.nxp.com/static-files/8cf4341d-f16d-4971-9b92-c003c39bfa22

Here is another article on the new UWB key security and VW:

https://www.eetimes.com/volkswagen-and-nxp-show-first-car-using-uwb-to-combat-relay-theft/

All good right? Nothing could possibly go wrong, let's re-enable kessy and enjoy wireless unlocking!

Sadly, not.

Firstly look back at the picture I pasted, it is possible your key location in your house could be inside of the green zone. Be careful!

Secondly, there exist several papers on how to overcome UWB ranging technology.

Good one here if you really want a read:

https://www.usenix.org/system/files/sec19fall_singh_prepub.pdf

Essentially the main thing protecting the system from attack is the lack of a software defined radio (that's a radio you can control with a computer, also used in the old skool kessy attack system) that operates in the UWB frequency range.

This is going to be a problem for not very long.... after that, expect the attacks to become available - if they are not already.

My advice, leave kessy disabled or you could be the first person to discover that the bad guys have made the leap - it's definitely going to happen at some point - the money to be made from selling the kit to thieves and from the theft of the vehicle is so high that it WILL happen.

Lastly, if you really want to fix the technical problems of kessy not working (and I suggest you don't bother).... the answer is an upgrade to the B7 Start System controller (J518 hardware version 070) to version 0706. TPIs exist for this, it's definitely the fix. You can't upgrade it yourself, your dealer can.
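
An added illustration, not part of fredgroves's post or any VW/NXP material: a small time-of-flight model of why ranging rejects a relayed key where a presence-only check accepts it, and why a key kept inside a zone still unlocks. The zone radius, key turnaround time, relay delay and distances are constructed values chosen for the example.

```python
C = 299_792_458.0          # speed of light in m/s
ZONE_RADIUS_M = 2.0        # assumed size of an unlock zone (hypothetical value)
T_REPLY_S = 200e-6         # assumed key turnaround time, reported to the car

def observed_round_trip(path_m, relay_delay_s=0.0):
    """Round-trip time the car measures. A relay adds delay in each
    direction; it can never remove any."""
    return 2 * path_m / C + T_REPLY_S + 2 * relay_delay_s

def measured_distance(t_round_s):
    """Two-way ranging: half the flight time multiplied by c."""
    return C * (t_round_s - T_REPLY_S) / 2

def legacy_unlocks(response_heard):
    """Older keyless entry: a valid response is taken as proof of presence."""
    return response_heard

def uwb_unlocks(t_round_s):
    """Ranging check: the response must also arrive soon enough."""
    return 0.0 <= measured_distance(t_round_s) <= ZONE_RADIUS_M

def timing_needed(accuracy_m):
    """Round-trip timing resolution needed for a given ranging accuracy."""
    return 2 * accuracy_m / C

# Constructed scenarios: (label, key-to-car path in metres, one-way relay delay)
SCENARIOS = [
    ("key in pocket at the door", 1.0, 0.0),
    ("key indoors, signal relayed", 15.0, 50e-9),
    ("key on a shelf inside the zone", 1.5, 0.0),
]

def evaluate():
    """Return {label: (legacy decision, ranging decision, measured metres)}."""
    results = {}
    for label, path_m, delay_s in SCENARIOS:
        t = observed_round_trip(path_m, delay_s)
        results[label] = (legacy_unlocks(True), uwb_unlocks(t),
                          round(measured_distance(t), 2))
    return results

if __name__ == "__main__":
    for label, (legacy, uwb, dist) in evaluate().items():
        print(f"{label:32s} legacy={legacy!s:5} uwb={uwb!s:5} measured={dist} m")
    print(f"10 cm accuracy needs ~{timing_needed(0.10) * 1e9:.2f} ns timing")
```
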
Title: Re: Keyless entry - security description and fix for it not working
Post by: Exonian on 27 April 2021, 13:36
Fantastic work fredgroves, anybody would think you enjoyed doing that sort of thing  :wink:  :afro:

Well worth a sticky jv  :nerd:
Title: Re: Keyless entry - security description and fix for it not working
Post by: VW_Golf_nut on 27 April 2021, 13:39
Thank you for this in depth write up, just up my street!!

Can you post a link to download the Self Study Guide for the Mk8, these sort of things I love to get stuck into reading!

Many thanks in anticipation.

Title: Re: Keyless entry - security description and fix for it not working
Post by: massimo23 on 27 April 2021, 13:57
That is some great piece of information Fredgroves. Thanks very much for your time spent on researching it.
Title: Re: Keyless entry - security description and fix for it not working
Post by: fredgroves on 27 April 2021, 14:24
Thank you for this in depth write up, just up my street!!

Can you post a link to download the Self Study Guide for the Mk8, these sort of things I love to get stuck into reading!

No problem.... the self study guides are not publicly available....only through Erwin it seems.
Title: Re: Keyless entry - security description and fix for it not working
Post by: Don76 on 27 April 2021, 20:54
Does this have anything to do with lights randomly coming on whilst the car sits in the driveway?
I’ve seen them come on as I walk past the front door occasionally.
Strangely, the car doesn’t unlock and the mirrors remain in the locked position.

Yet the lights often just wake up and switch on.
Title: Re: Keyless entry - security description and fix for it not working
Post by: fredgroves on 27 April 2021, 20:59
Possibly the detection zone for approach (ie lights on) might be further than unlock. It certainly has the technical capability of detecting the exact location of the key over quite some distance.

I've got it disabled at the moment but I'll give it a try if you like.
Title: Re: Keyless entry - security description and fix for it not working
Post by: Rudedog on 27 April 2021, 21:21
Any technical details on the key-fob?

It would be interesting to see if the 'I'm here' signal is continuous or pulsed and how far its range is.

My car's nowhere near my front door and keys are then in another room not near the door.

Disabling it with a touch of the door-handle is now second nature when I park up.

Title: Re: Keyless entry - security description and fix for it not working
Post by: fredgroves on 27 April 2021, 21:51
It pulses and the frequency I don't know but the pulses are also data transmission as well as locating pings. It's super low power though, I've seen people say that at one pulse a second a typical 2032 battery (like in a car key) can last seven years... But it won't last that long because it's sending data once you get close.

The theoretical range in line of sight is 200m.

Title: Re: Keyless entry - security description and fix for it not working
Post by: fredgroves on 27 April 2021, 21:54
I've just tried to make my car turn the lights on... The only way I could trigger it was with unlock on approach turned on but the lights came on and the doors unlocked, the mirrors unfolding.... So no idea what it's doing there.

Would love to investigate that... But I can't make mine do it.
Title: Re: Keyless entry - security description and fix for it not working
Post by: Don76 on 27 April 2021, 22:16
Thanks for trying Fred.
I decided to disable all the keyless functions to see if it made a difference.

Even with it all off, it still switches the lights on randomly but remains locked.

The key fobs also constantly blink red when within approx 10m of the car.
Unsure if this is linked.

I fear taking it to the dealer will only result in many a shrug of shoulders and them being unable to replicate it.
Title: Re: Keyless entry - security description and fix for it not working
Post by: fredgroves on 27 April 2021, 22:26
The key flashing I've heard someone say about on here... What it means I don't know.
Title: Re: Keyless entry - security description and fix for it not working
Post by: Ubique on 30 April 2021, 09:44
My car is due in at the dealers for this issue next week. They think it’s related to some sensor in the car. Apparently they need the car for two days to work this out!