Carhackers: Interdicting Vehicle Theft
Guarding your ride, securing your drive
An almost unhackable chipset had been used for decades in millions of vehicles and garage doors. It was finally broken by hackers.
How are thieves stealing cars with key fobs? If a vehicle is operated by a key fob, thieves can hijack the signal with a relay device, access the vehicle, and then drive away in the car. In this approach, one thief stands near the door and aims the relay device at the front door of a residence, where proximity keys are often left. The device then transmits the key’s signal to an accomplice near the driver’s door of the vehicle, who pulls on the handle. It’s basically a range extender.
Method:
Two antennas are connected by a coaxial cable (and optionally an amplifier).
One antenna is placed near the car door handle to pick up the low-frequency (LF) signal emitted by the car.
The signal is relayed through the cable to the second antenna, positioned at the front door, close to the key fob inside the victim’s home.
The key, upon receiving the signal, sends a UHF unlock/start signal back to the car.
The attacker can now access and start the vehicle.
Marcstar:
In the Marcstar system used in millions of devices, the owner would have to press the button, so the amplifier technique would not work for cars. But garage doors are hackable. Hackers put an antenna aimed at the driveway and another aimed at a garage door. One antenna picks up the key fob press. The other jams the signal to the garage door. The hacker device records the signal and saves it. The unwitting owner presses the button again, and this time the door opens.
The hackers can get that ‘jammed’ key and can use it to open the garage door later.
The flaw they exploit is in the 256-code window. A 40-bit rolling code with 1 trillion combinations is sent. The receiver knows the last code sent and can accept any valid code plus or minus 128 codes, a total of 256, so a second transmitter that is out of sync will still be usable. So accidental presses are skipped.
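The acceptance window described above, modelled as an added example (not MarcStar firmware and not code from the original page). It assumes the hopping code can be treated as a plain counter, uses constructed counter values, and introduces a hypothetical `forward_only` mode that rejects any code at or behind the last accepted one.

```python
# Added illustration, not MarcStar code. Assumption: the 40-bit hopping code is
# modelled as a plain counter; the real code-generation algorithm is not on the page.
MODULUS = 1 << 40     # 40-bit code space, about 1.1 trillion values
WINDOW = 128          # page: codes within plus or minus 128 of the last one


class Receiver:
    def __init__(self, last, forward_only=False):
        self.last = last                  # last code the receiver accepted
        self.forward_only = forward_only  # hypothetical hardened mode

    def in_window(self, code):
        ahead = (code - self.last) % MODULUS
        behind = (self.last - code) % MODULUS
        if 0 < ahead <= WINDOW:
            return True
        # Codes behind the last accepted one are what a recorded press looks like.
        return (not self.forward_only) and 0 < behind <= WINDOW

    def accept(self, code):
        ok = self.in_window(code)
        # Assumption: the stored value only ever moves forward.
        if ok and 0 < (code - self.last) % MODULUS <= WINDOW:
            self.last = code
        return ok


def window_size(rx):
    """Count the codes the receiver would accept right now."""
    span = range(rx.last - 2 * WINDOW, rx.last + 2 * WINDOW + 1)
    return sum(rx.in_window(c % MODULUS) for c in span)


def jammed_press_replay(forward_only):
    """Page's garage scenario with constructed counter values: press 1 is jammed
    and recorded, press 2 opens the door, the recorded code is presented later."""
    rx = Receiver(last=1000, forward_only=forward_only)
    recorded = 1001                    # press 1, never reaches the receiver
    second_press = rx.accept(1002)     # press 2 opens the door
    replay = rx.accept(recorded)       # recorded code presented afterwards
    return second_press, replay


if __name__ == "__main__":
    print("window as described:", window_size(Receiver(1000)), jammed_press_replay(False))
    print("forward-only       :", window_size(Receiver(1000, True)), jammed_press_replay(True))
```

With the window as the page describes it, the recorded press is still accepted after the door has opened; with the forward-only check it is rejected, and the window shrinks from 256 codes to 128.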
Our Work
MTSI designed a development kit with 200-foot range to help T.I. sell the chipsets to OEMs. Photo shows the development transmitter. A super regenerative receiver was also designed and delivered. The artwork had LEDs positioned to show which button did what, and a set of terminals was available to quickly connect to the car wiring harness for demo purposes.
Capable of controlling up to 15 separate remote keyless entry devices, the TRC1300/1315 encoder/decoder can learn up to four self-programming encoders allowing different users to access the same system.
The MarcStar line of RF and mixed-signal security ICs protects against the theft of transmitted security codes in remote keyless entry (RKE) systems. According to the company, the TRC1300/1315 encoder/decoder and the TRF1400 RF receiver incorporate the industry's first self-programming 40-bit hopping-code technology, which changes the security code after each use. Configurable as encoders or decoders, the TRC1300/1315 provide single-chip encoding of control signals intended for transmission over RF or infrared links. One decoder controls up to 15 RKE devices, either four independently or 15 one at a time. A single decoder also “learns” the codes of up to four self-programming encoders, allowing different users to access the same system. Operation is from either 2.7 to 6 V ('1300) or 2.7 to 15 V ('1315).
The TRF1400 is a complete return-to-zero (RZ) ASK receiver on a chip. The tuned-radio-frequency receiver requires no manual alignment and has features such as an RF amplifier and comparator for detection and signal shaping, two low-noise front-end amplifiers, and a demodulated RZ ASK baseband output that interfaces to MARCSTAR and third-party decoders. Decoding logic enables the device to interface with any microcontroller using Manchester-encoded data. The TRF1400 receives 315-MHz signals, but future products are planned for the entire 200 to 450-MHz RKE range. The TRC1300/1315 are available in 14-pin SOPs and 16-pin PDIPs, and the TRF1400 is offered in 24-pin SOPs. (TRC1300D/15D, from $0.98 ea/1,000; TRF1400DW, $1.68 ea/5,000; available now.)

Robert Beckhusen
Robert Beckhusen is a case studies and content marketing editor for Micro Technology Services.