A couple years ago, a writer from The New York Times claimed to have found a way to prevent his car from being burglarized; he kept his keep fob in his freezer, so thieves wouldn’t be able to hack the fob’s signal.

Attacks on keyless entry vehicles have garnered a lot of media attention. These vehicles instead of using a key to unlock or start a car allow drivers to operate the vehicle if the fob is within a few feet of the car. A hacked key fob transmission allows thieves to get inside cars and drive them away. One video even shows how quickly – in about a minute and a half – it can happen if the right technology is used by sophisticated criminals.

Overall, UL Technology and Security Director Andrew Jamieson says attacks on keyless entry vehicles are uncommon.

“In some of these high-profile thefts, the chip in the fob was at least 15 years old,” Jamieson says. “It was found to be insecure back in 2005, and the manufacturer still used it.”

How key fob attacks work

Most vehicle key fobs use messages/passwords that change over time or two-way messages. Sometimes these transmissions are done in insecure ways, Jamieson says. Take for instance a pre-play attack in which a thief can ping the fob and learn upcoming passwords.

Another type of hack is a replay attack. A thief targets less-secure car fob chips that reuse passwords, which can allow the hacker to try previous passwords until one works.

Both pre-play and replay attacks, which rely on vulnerabilities in the fob’s technology, require thieves to be close to the key fob and the car in order to intercept messages.

Relay attacks, like the type performed in the video, require thieves to be close to the key fobs as well as within a few feet of the car.

“While possible, generally if the key fob is in your house, getting the message through the walls is a little more complex,” Jamieson says. “Even with a repeater that amplifies the signal, it is going to be difficult if your key is not close to a thin wall, external door, or window.”

“If you’re concerned about this type of attack, keep your keys away from the walls and windows, where it’s going to be easier for a signal to be captured and amplified.

Because all of these types of attacks are uncommon, he says most people should not feel the need to keep their key fob in an radio-frequency identification-protective case ̶ or the freezer. Of course, people need to assess their own unique situation and make decisions accordingly.

Planning for the future

Jamieson noted that changes in technology may also have impacts on the security of our cars. Currently in development is the ability to unlock and start cars from mobile phones; a technology that will enable vehicle-sharing services.

“The security doesn’t involve a physical fob where someone has to come into close proximity of your fob and your car, so the threat model is quite different,” Jamieson says. “If they can break into the app, they can potentially commit crimes remotely and at scale. They could even do a denial of service attack instead of breaking into a vehicle, requiring people to pay ransom to gain control of their car. This is why UL is working with a number of organizations to create secure Standards and evaluate applications for this technology.”

Protecting your vehicle

To reduce the likelihood of someone hacking your key fob, use these tips:

  1. Leave your car in a safe place, like a closed garage. If you can’t leave it inside a garage, evaluate the risk of leaving it in the driveway, but understand that these types of attacks are uncommon
  2. Research the car manufacturer before purchasing a vehicle to learn if the manufacturer is indeed following best practices in its key fob security.
  3. Consider where you leave your keys at night. Don’t just drop them in a tray right next to the front door.

“The main takeaway is that you need to be aware of the security of your systems, of your cars, of your household, and of the products and services you’re using as far as car ride services,” Jamieson says. “This information needs to be built into your decision about whether or not to use them. Once you’ve made that decision and you’re happy with it, I wouldn’t worry it about it. With some notable exceptions, the security in these systems is generally sufficient.”