In the trend towards ever more user-friendliness, car manufacturers have introduced a new breed of keys: Passive Keyless Entry and Start (PKES) systems. The idea is that the car detects the right key and acts accordingly. For instance, if your key is within a range of 2 m, the car will let you open the door with the handle; if you are inside the car, it will let you start the engine. And all of that, of course, with the key in your pocket. You don't have to push any button. Awfully convenient.
Unfortunately, three researchers from ETH Zürich, Aurélien Francillon, Boris Danev and Srdjan Capkun, have demonstrated a simple attack: a classical relay attack. In PKES, the car initiates the challenge. They take a first antenna that captures the emission of the car (as the antenna of the key would do) and relay it to a second antenna placed close to the key (8-10 m). The second antenna behaves as the car's antenna would. This is independent of any logical protocol: the relay does not need to understand what it forwards. The two antennas are linked by an RF cable for longer range. Thus, if you know where the owner of the car is, and can get reasonably near that owner, you can steal the signal of the key, and your accomplice can steal the car. They successfully experimented on real cars.
The recommended countermeasure is to deactivate the key with a switch. This is the worst kind of countermeasure. You can be sure that people will forget to deactivate the key when leaving their car, or they will forget that they had deactivated it and will struggle. In any case, adding a button would annihilate the perceived benefit of this system: being button-less. And here is the problem: unlocking is done without any conscious action of the user.
They propose another countermeasure that is far more complex to implement, because it requires accurately measuring the signal's round-trip time in order to detect the presence of the relay. And we know how difficult that is (we struggled with it for local control of content in DVB-CPCM).
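As an added illustration of what that timing countermeasure has to achieve (this is not the researchers' or the author's code), the following Python models the round-trip time a car would measure from a key nearby and from the same key reached through a two-antenna relay, and applies a simple distance-bounding check. The key processing delay, cable length, cable velocity factor and relay electronics delay are assumed values chosen for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

C_M_PER_NS = 0.299792458  # speed of light in metres per nanosecond


@dataclass
class Relay:
    """Constructed model of the two-antenna relay; all delays are assumed values."""
    car_to_antenna_m: float        # first antenna, placed near the car
    cable_m: float                 # RF cable linking the two antennas
    antenna_to_key_m: float        # second antenna, placed near the key
    electronics_ns: float          # one-way delay of the relay electronics (assumed)
    velocity_factor: float = 0.66  # signal speed in coax relative to c (assumed)


def simulate_rtt_ns(direct_m: float, key_processing_ns: float,
                    relay: Optional[Relay] = None) -> float:
    """Round-trip time the car sees: challenge out, key processing, response back."""
    if relay is None:
        return 2 * direct_m / C_M_PER_NS + key_processing_ns
    air_m = relay.car_to_antenna_m + relay.antenna_to_key_m
    cable_equiv_m = relay.cable_m / relay.velocity_factor  # slower than free space
    return 2 * (air_m + cable_equiv_m) / C_M_PER_NS + 2 * relay.electronics_ns + key_processing_ns


def rtt_bound_ns(max_range_m: float, key_processing_ns: float, tolerance_ns: float) -> float:
    """Largest round-trip time consistent with a key within max_range_m."""
    return 2 * max_range_m / C_M_PER_NS + key_processing_ns + tolerance_ns


def key_is_in_range(measured_ns: float, max_range_m: float,
                    key_processing_ns: float, tolerance_ns: float) -> bool:
    """Distance-bounding decision: accept only if the RTT fits the range budget."""
    return measured_ns <= rtt_bound_ns(max_range_m, key_processing_ns, tolerance_ns)


KEY_PROCESSING_NS = 100.0  # assumed fixed response time of the key
RELAY = Relay(car_to_antenna_m=1.0, cable_m=10.0, antenna_to_key_m=8.0, electronics_ns=10.0)


def legitimate_accepted(tolerance_ns: float = 5.0) -> bool:
    """Key 1.5 m from the car, no relay, 2 m range policy."""
    return key_is_in_range(simulate_rtt_ns(1.5, KEY_PROCESSING_NS), 2.0, KEY_PROCESSING_NS, tolerance_ns)


def relayed_accepted(tolerance_ns: float = 5.0) -> bool:
    """Same key reached through RELAY; the extra path adds roughly 170 ns."""
    return key_is_in_range(simulate_rtt_ns(0.0, KEY_PROCESSING_NS, RELAY), 2.0, KEY_PROCESSING_NS, tolerance_ns)


if __name__ == "__main__":
    print("legitimate key, 5 ns tolerance:", legitimate_accepted())   # True
    print("relayed key, 5 ns tolerance:   ", relayed_accepted())      # False
    # If the key's own timing jitters by a microsecond, the tolerance must grow
    # to match, and the relay's extra delay disappears inside it.
    print("relayed key, 1 us tolerance:   ", relayed_accepted(1000.0))  # True
```

The last case is the practical difficulty: the check only works if the key answers with nanosecond-level timing consistency, because the relay adds delay on the same scale as the legitimate flight time.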
The problem is that the action is performed without the consent of the user, on the assumption that the key's presence means access is granted. But the car cannot be sure of the key's actual physical presence.