41 - 60 of 76 Posts

· Registered
M50 19"
Joined
·
257 Posts
Just to be clear, it is only phone as key that is 4cm? The fob is much larger distance. Are we sure BMW keys go to sleep if not moving? I know of two Range Rovers being stolen using relay whilst the fob is in the house. If you don't have comfort access, there is little to no risk. The key only transmits when you use it (presumably to lock or unlock whilst you are watching the car) and the rolling code means that if someone did capture that signal it doesn't work the next time. Well that is my poorly educated take on this.
 

· Registered
Joined
·
829 Posts
Just to be clear, it is only phone as key that is 4cm? The fob is much larger distance. Are we sure BMW keys go to sleep if not moving? I know of two Range Rovers being stolen using relay whilst the fob is in the house. If you don't have comfort access, there is little to no risk. The key only transmits when you use it (presumably to lock or unlock whilst you are watching the car) and the rolling code means that if someone did capture that signal it doesn't work the next time. Well that is my poorly educated take on this.
Yes we are sure the key goes to sleep. Easy to test. Just place the key on the mirror, lock the car and wait a minute or two. You won't be able to open the car unless you rock the car or move the key. I tested this the same day I received my 330e. The i4 is not different. Obviously the Range Rover does not have this. BTW, it's the car looking for a key, not the other way.
 

· Registered
i4 M50, 19" Wheels
Joined
·
1,929 Posts
I think comfort access transmits a signal at all times, leaving more time for relay attack.
I don't think so. Comfort access is about sensors, the only thing transmitting is still your fob, so, I believe, comfort access makes you no more vulnerable. Also, see the test below, which seems to confirm this.

Are we sure BMW keys go to sleep if not moving?
Everything I have read online indicates this is the case. It is very easy to add this technology to a fob (motion detector and timer) and it would be stupid of car manufacturers not to. This article was a test of relay attacks on different cars - Car Theft Group Test

Here is a YouTube video of somebody testing sleep on a 2019 BMW 530e - Do BMW key fobs go to sleep?. Spoiler, it did. He only tested it once at 7 minutes. You can repeat the test yourself at different lengths of time to see if it is actually two minutes. N.B. He used a car with comfort access because it makes it easy to test as you can keep the fob still and see if you can still open the car. Once the key was asleep, comfort access did not work, which backs up my belief that comfort access makes no difference to the security of your car.

They believe that the BMW fob stops transmitting after two minutes of inactivity. The article is two years old and they quote a BMW spokesperson saying "all new BMW and Mini keyless entry keys now have motion sensor technology as standard". They also say that it can be retrofitted to older cars that don't have it (presumably new fobs).

Edit: After posting this, I decided to repeat the YouTube test. I can confirm that after 1m45s, I can still open the car without moving the fob using comfort access. After 2m 10s, the car no longer unlocks (presumably as the fob is no longer transmitting). So it appears that the fob does stop transmitting when stationary for 2 mins and comfort access makes no difference to your security.

I think we need to take a reality check about all this. Relay attacks require someone to be within 5-6 metres of an active fob (one that has been in motion in the last two minutes). Someone else has to be by your car. The attack is done in real time, so both people have to be in place for this to work.

Now think about the circumstances where this can occur. As long as you don't carry your keys in your pocket, there is only a two minute window of opportunity at home. Possible if someone is waiting for you to arrive home but they have to be near to your house waiting for you, no dead of night stuff for this to work! Alternatively, someone could see you arrive and follow you around in a shopping centre. Again possible but is it likely?

As has already been pointed out, easy protection for shopping trips is to pop your keys in a Faraday bag, which can be bought for £5+postage in the UK (for two bags!). This is mine - Defender Signal Blocker. I bought the mini bag that is big enough to hold my fob, house key and Tile. Because this is a real time attack, I don't think you need to be quite as paranoid as @gsbaker; as long as the keys are secured before you leave the vicinity of your car, you should be protected. N.B. If you use a device like a Tile with your keys, you will have to get an extra one to attach to the outside of the bag as the bag will block the Tile signal. I also pop the keys in as soon as I get home although, with the sleep timer, this should not be necessary.

However, none of this will stop someone breaking into the house and taking the fob. I have written about this before, but while on the subject of your car's security, it is worth bringing up again. There are loads of videos online showing how easy it is to defeat nearly all house locks (you don't have to smash the door in or break a window), often in under a minute. Other thieves trick their way into someone's house, so make sure you keep the keys hidden away, not on a hook by the front door!

In the UK, this is now so common that police have a specific term to describe this type of car theft (breaking into a house to steal the car keys) - Hanoi. The thefts are called Hanoi after Operation Hanoi, the first to crack down on this sort of crime.

I suspect you are far more likely to lose your car this way than to a sophisticated relay attack.

During the long wait for my car, I wondered about the best place to keep our fobs. This was my £180 solution...


This is the model with the fingerprint entry as well as digital code etc. Needs to be secured to a solid wall but otherwise easy to fit. As well as the keys (in their Faraday bags!), I also keep identity documents etc. in it.
 
  • Helpful
Reactions: trivalent and NCe40

· Registered
M50 19"
Joined
·
257 Posts
I am with you on the reality check given that the keys sleep when not touched. I would add though that the difference between comfort access and standard access if the key is in your pocket is that the standard fob is "asleep" in your pocket. You have to press a button on the fob to wake it up. With Comfort access, the key is always awake so more prone to relay theft.
 

· Registered
i4 M50, 19" Wheels
Joined
·
1,929 Posts
I am with you on the reality check given that the keys sleep when not touched. I would add though that the difference between comfort access and standard access if the key is in your pocket is that the standard fob is "asleep" in your pocket. You have to press a button on the fob to wake it up. With Comfort access, the key is always awake so more prone to relay theft.
For your assertion to be correct, BMW would have to make two different sorts of fobs. One that went to sleep after two minutes of inactivity (which I know happens with my fob, see the Edit I made to my post above) and one that went to sleep after two minutes of being used, whether it was in motion or not. I doubt that is the case; I think, if you are in motion, the 'standard' fob in your pocket is still transmitting. That is my personal unverified belief, unfortunately the only way to verify it would be with something that can detect the signals from fobs and I'm fresh out of relay attack equipment and it would have to be tested with a fob for a car that doesn't have comfort access. Maybe the mods can recover the deleted post from the guy trying to sell them here and I can order one and then order an i4 without comfort access 😄

You may have a wait for me to try this out.
 

· Registered
i4 M50, 19" Wheels
Joined
·
1,929 Posts
If anybody who doesn't have comfort access wants to test whether their fobs stop transmitting, two minutes after use, even if they are still in motion, you can get a detector for as little as £24 - Remote Key Frequency Tester

Fobs most commonly use a frequency of 315MHz in the U.S. and Japan, and 433.92MHz in Europe. Europe has also opened up the 868MHz band to accommodate the growing demand for remote keyless entry systems. This detector works with all three frequencies.

I would spend the money just to find out, but as I said before, I know what my fob does, what I would like to know is whether the fob from a car without comfort access is any different. I'm even prepared to bet the £24 that it isn't 😄
 

· Registered
M50 19"
Joined
·
257 Posts
For your assertion to be correct, BMW would have to make two different sorts of fobs. One that went to sleep after two minutes of inactivity (which I know happens with my fob, see the Edit I made to my post above) and one that went to sleep after two minutes of being used, whether it was in motion or not. I doubt that is the case; I think, if you are in motion, the 'standard' fob in your pocket is still transmitting. That is my personal unverified belief, unfortunately the only way to verify it would be with something that can detect the signals from fobs and I'm fresh out of relay attack equipment and it would have to be tested with a fob for a car that doesn't have comfort access. Maybe the mods can recover the deleted post from the guy trying to sell them here and I can order one and then order an i4 without comfort access 😄

You may have a wait for me to try this out.
I think my cryptic response has confused things, the standard fob never transmits unless you press a button. Once you let go of the button the transmission stops. If you Google how car fobs work it confirms this. It doesn't have to wait 2 mins to sleep.
 

· Registered
Joined
·
37 Posts
The key fob disables after 2 mins. Also the range has been significantly reduced and each transaction only lasts for a short time.

Indeed there have been some issues with unauthorised car access by jamming the signal when locking the car, with the result that the owner came back to an emptied car. This usually happens at malls.
 

· Registered
2022 Volvo XC60 Recharge
Joined
·
109 Posts
So does that mean when you are walking around town with the fob in your pocket it keeps transmitting? Or does it only transmit when it senses an interrogation from the car and has been moving in the past 2 mins?
 

· Registered
i4 M50, 19" Wheels
Joined
·
1,929 Posts
I think my cryptic response has confused things, the standard fob never transmits unless you press a button. Once you let go of the button the transmission stops. If you Google how car fobs work it confirms this. It doesn't have to wait 2 mins to sleep.
OK. Now I get it 💡

I did originally say I didn't understand why comfort access should make any difference, and now you have explained why 👍

I think I have read so much about relay attacks that I just thought all fobs were constantly transmitting.
 

· Administrator
2023 i4 m50 Portimao/Oyster
Joined
·
9,993 Posts
A few people have mentioned not having comfort access as more secure. Can anybody explain this? I didn't think relay attacks had anything to do with comfort access and having comfort access makes you no more vulnerable than not.
Does the non-comfort access fob do Bluetooth? I'm expecting not, so nothing transmitting except when the unlock is sent. Which I assume doesn't use Bluetooth, since it goes a pretty good distance. My assumptions may be wrong, though.
 

· Administrator
2023 i4 m50 Portimao/Oyster
Joined
·
9,993 Posts
Just to be clear, it is only phone as key that is 4cm? The fob is much larger distance. Are we sure BMW keys go to sleep if not moving? I know of two Range Rovers being stolen using relay whilst the fob is in the house. If you don't have comfort access, there is little to no risk. The key only transmits when you use it (presumably to lock or unlock whilst you are watching the car) and the rolling code means that if someone did capture that signal it doesn't work the next time. Well that is my poorly educated take on this.
Yes. Digital Key uses NFC (near-field communication) like tap-to-pay. That's the 4cm thing (and, in my experience, it's less than that!).

Yes, the fobs go to sleep when not moving. They also use rolling keys. So only a relay attack can work, not a replay.
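
A toy model of the distinction drawn in the post above (replay fails, relay is only limited by the sleep timer), added here as an illustration and not taken from any post or from BMW. The HMAC construction, the key, the look-ahead window and all class and function names are assumptions, since real fob protocols are proprietary; the 105 s and 130 s test points mirror the 1m45s and 2m10s timings reported earlier in the thread.

```python
import hashlib
import hmac
import os

SLEEP_AFTER_S = 120  # two-minute motion timeout reported in the thread
WINDOW = 16          # assumed look-ahead window for missed button presses

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Fob:
    def __init__(self, key: bytes):
        self.key, self.counter, self.last_motion = key, 0, 0.0

    def press_button(self):
        """Button press: one frame carrying the next counter and its MAC."""
        self.counter += 1
        return self.counter, mac(self.key, self.counter.to_bytes(8, "big"))

    def answer(self, challenge: bytes, now: float):
        """Passive entry: respond to the car's challenge only while awake."""
        if now - self.last_motion >= SLEEP_AFTER_S:
            return None  # asleep: no response exists to be forwarded
        return mac(self.key, challenge)

class Car:
    def __init__(self, key: bytes):
        self.key, self.last_counter = key, 0

    def accept_button(self, counter: int, code: bytes) -> bool:
        fresh = self.last_counter < counter <= self.last_counter + WINDOW
        good = hmac.compare_digest(code, mac(self.key, counter.to_bytes(8, "big")))
        if fresh and good:
            self.last_counter = counter  # every older frame is now dead
        return fresh and good

    def accept_response(self, challenge: bytes, response) -> bool:
        # The check is purely cryptographic: it cannot tell whether the
        # response travelled 1 m directly or was forwarded from further away.
        return response is not None and hmac.compare_digest(
            response, mac(self.key, challenge))

def run_demo() -> dict:
    key = os.urandom(16)  # constructed shared secret
    fob, car = Fob(key), Car(key)
    frame = fob.press_button()
    results = {"first_press": car.accept_button(*frame),
               "replayed_press": car.accept_button(*frame)}
    fob.last_motion = 0.0  # fob put down at t = 0
    for label, now in (("passive_at_105s", 105.0), ("passive_at_130s", 130.0)):
        challenge = os.urandom(16)  # fresh per attempt
        results[label] = car.accept_response(challenge, fob.answer(challenge, now))
    return results

if __name__ == "__main__":
    print(run_demo())
```

The model shows why the rolling counter and the motion timer address different problems: the counter invalidates a captured frame, while the timer bounds the period in which a live response exists at all.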
 

· Registered
2023 i4 eDrive40 C4W KHFY 854 494 6NX
Joined
·
153 Posts
I further considered that I never either fell prey to such an attack nor could think of ever personally knowing someone who did. With that, I thought that therefore my odds of being attacked were either low, or were high enough to be of concern since one's luck can't hold forever.

Pending raising this to my friends in the car business, I concluded that it was worth investing a modest amount of money and of change in my habits as a hedge against the worst case. A successful attack might happen once in a blue moon; but when it does, your car will be gone.

I chose a SLNT blocker bag to try: [maker] [seller]
A few days ago I spoke with my friend about this. An automotive tech and electronics specialist, he said that for high value vehicles the main threat is not the usual relay attacks, but a somewhat different and more advanced technique. I think he said it was an "RID" attack. His description of the attack itself was scary. It is not real time and is very hard to defend against. Also the perpetrators tend to be in organized crime, so they are ready to rumble if confronted.

Anyway, back on Earth...

Today I received one of the SLNT blocker bags. It is meant to address only the key fob use case, not the phone key use case (so the oddly contentious "4 cm" scenario is not in question here). In my first test, the blocker bag was so effective that it rendered the key fob unusable for unlocking or locking the car. I have yet to test it inside the car, but I assume the results will be the same there.

This suggests to me that the value proposition for using such a blocker is to greatly reduce the odds of a successful attack by reducing the amount of time in which the key fob is active and unblocked. That plus BMW's key fobs' rolling codes and sleep state should give the car owner the advantage of being the least attractive mark among others who are not protected.

As I understand it, this means that the driver has to keep the key fob in the blocker bag until the moment they will unlock the car, then unlock and operate the car, then lock the car and return the key fob to the blocker bag.

If so, then that's a lot of work and is inconvenient. But that's the whole point, isn't it? With the advent of convenience came new risk. It is fitting, then, that a degree of convenience should be the price of mitigating that risk.
 

· Administrator
2023 i4 m50 Portimao/Oyster
Joined
·
9,993 Posts
A few days ago I spoke with my friend about this. An automotive tech and electronics specialist, he said that for high value vehicles the main threat is not the usual relay attacks, but a somewhat different and more advanced technique. I think he said it was an "RID" attack. His description of the attack itself was scary. It is not real time and is very hard to defend against. Also the perpetrators tend to be in organized crime, so they are ready to rumble if confronted.
I'd like to know more about this attack. If it's not real time, I don't understand how it would work with the rolling codes. I don't find "RID" in a quick search. It could be the coding up of a blank fob (using the OBD port). Can you offer a few more details, please?
 
  • Like
Reactions: NCe40

· Registered
2023 i4 eDrive40 C4W KHFY 854 494 6NX
Joined
·
153 Posts
I'd like to know more about this attack. If it's not real time, I don't understand how it would work with the rolling codes. I don't find "RID" in a quick search. It could be the coding up of a blank fob (using the OBD port). Can you offer a few more details, please?
Yes, my friend said there wasn't much about it online. My recollection of his description could be inaccurate, so I was reluctant to post it here. I will ask him again and take notes.

EDIT: One detail I remember is that once the hack is done, they start the victim's car remotely ("The car is already running.") So the thief per se just enters the running car and drives it away, never to be seen again. :(

Meanwhile, there is this. It is long, but fascinating, scary, and encouraging. The transcript has some errors, but is still easy to follow:

 

· Administrator
2023 i4 m50 Portimao/Oyster
Joined
·
9,993 Posts
Yes, my friend said there wasn't much about it online. My recollection of his description could be inaccurate, so I was reluctant to post it here. I will ask him again and take notes.

EDIT: One detail I remember is that once the hack is done, they start the victim's car remotely ("The car is already running.") So the thief per se just enters the running car and drives it away, never to be seen again. :(

Meanwhile, there is this. It is long, but fascinating, scary, and encouraging. The transcript has some errors, but is still easy to follow:

Thanks... I'm very interested in the attack vector.
 

· Registered
Joined
·
11 Posts
Discussion Starter · #58 ·
Thanks... I'm very interested in the attack vector.
WOW!!!! An attack happening wirelessly that is currently undocumented so the manufacturers cannot attempt to mitigate against it. If only someone had attempted to warn the community about the potential disadvantages of Wireless technology and how it can be hacked. Who would have ever thought such a thing could happen? Not just in Bangalore but in any country in the world.
 

· Registered
Joined
·
829 Posts
So does that mean when you are walking around town with the fob in your pocket it keeps transmitting? Or does it only transmit when it senses an interrogation from the car and has been moving in the past 2 mins?
I don't think the fob transmits all the time, only when it is interrogated and if the motion sensor activated it. If it would be transmitting all the time while in your pocket it would drain that tiny battery pretty fast. I have so far after 3.5 years with my 330e, never changed the fob battery, so I doubt it is constantly transmitting.
 

· Registered
2011 E89 Z4 sDrive35i
Joined
·
377 Posts
I have so far after 3.5 years with my 330e, never changed the fob battery, so I doubt it is constantly transmitting.
Prior to my BMW Z4, my previous car was an Acura TL. It wasn't until my BMW key battery went dead, that I realized that I had never changed my Acura key battery in the 10 years I had the car. Turns out the Acura dealer would secretly replace the battery for my key fob, every time I took it in for regular maintenance. I could tell because there were little scratch marks on my Acura key fob where you pry it open, that I didn't make.

It just costs them pennies, but I really appreciated them going the extra mile. It sure beats the hassle of having to go buy and replace a battery every few years...
 