Carhackers: Interdicting Vehicle Theft
Guarding your ride, securing your drive
An almost unhackable chip set had been used for decades in millions of vehicles. It was then hacked by thieves who discovered a method to jam the signal to the car, and capture the transmitter output via an antenna between the two.
This was an impractical method to conduct motor vehicle theft, but it had happened — and was a vulnerability that needed to be corrected. That led a client to approach MTSI’s engineers to diagnose the exploit and invent a solution.
How were thieves stealing cars with key fobs?
If a vehicle is operated by a key fob, thieves can hijack the signal with a relay device, accessing the vehicle, and then driving away in the car. In this approach, one thief aims the relay device at the front door of a residence, where proximity keys are often left. The device then transmits the key’s signal to an accomplice near the driver’s door of the vehicle.
“With these amplifiers they’re able to get in and sometimes even start a vehicle,” AAA Northeast spokesperson Diana Gugliotta said.
Solution
MTSI designed a development kit with 200-foot range to help T.I. sell the chipsets to OEMs.
Capable of controlling up to 15 separate remote keyless entry devices, the TRC1300/1315 encoder/decoder can learn up to four self-programming encoders allowing different users to access the same system.
The MarcStar line of RF and mixed-signal security ICs protects against the theft of transmitted security codes in remote keyless entry (RKE) systems. According to the company, the TRC1300/1315 encoder/decoder and the TRF1400 RF receiver incorporate the industry's first self-programming 40-bit hopping-code technology, which changes the security code after each use. Configurable as encoders or decoders, the TRC1300/1315 provide single-chip encoding of control signals intended for transmission over RF or infrared links. One decoder controls up to 15 RKE devices, either four independently or 15 one at a time. A single decoder also “learns” the codes of up to four self-programming encoders, allowing different users to access the same system. Operation is from either 2.7 to 6 V ('1300) or 2.7 to 15 V ('1315).
The TRF1400 is a complete return-to-zero (RZ) ASK receiver on a chip. The tuned-radio-frequency receiver requires no manual alignment and has features such as an RF amplifier and comparator for detection and signal shaping, two low-noise front-end amplifiers, and a demodulated RZ ASK baseband output that interfaces to MARCSTAR and third-party decoders. Decoding logic enables the device to interface with any microcontroller using Manchester-encoded data. The TRF1400 receives 315-MHz signals, but future products are planned for the entire 200 to 450-MHz RKE range. The TRC1300/1315 are available in 14-pin SOPs and 16-pin PDIPs, and the TRF1400 is offered in 24-pin SOPs. (TRC1300D/15D, from $0.98 ea/1,000; TRF1400DW, $1.68ea/5,000–available now.)