
Why your keyless car is vulnerable to hacking

Keyless car entry is one of those convenience things that car makers got totally right. Unfortunately it’s also vulnerable to hacking.

KEYLESS ENTRY IS GREAT. I know women who have never seen their car keys since dropping them in a handbag the day they bought the car, and for everyone else it’s easy: just keep the key in your pocket and off you go.

All you need to do is walk up to the car, open the door, press the starter button and you’re away. This is known as PKES, or Passive Key Entry/Start, as distinct from an active system where you need to go to the effort of pressing an actual button.

How does this magic PKES work?  Simple. The car recognises when the key is close by and unlocks the doors, and will respond to a press of the starter button when the key is very close to the button.  Technically, the car is constantly searching for the key using low-powered signals. If the key responds, the car will unlock automatically, or allow itself to be started, depending on exactly where the car thinks the key is.
 
Unfortunately, this system can be hacked.  [ UPDATE: We have also covered the remote hack of the Jeep ]
 
It is possible to break the encryption between key and car, decipher the commands sent and then send your own commands.  That is very difficult, given the nature of the encryption.  But there’s an easier way, and it’s called a relay attack.
 
The concept is simple.  Amplify the signals the car sends out to search for the key and carry them, over a distance, to the key.  Amplify the key’s return signals and carry them back to the car.  It’s important to note that it’s not just the car’s signal that is amplified; the key’s signal also needs to be amplified so the car sees the response.
 
The car and key then think they are close together, when in fact they may be hundreds of metres apart – possibly more.  The amplification and distance introduce a tiny delay, and the tolerance of the car/key system to that delay is the major factor limiting the distance.  The basic flaw is that the car’s security system assumes that the key can only respond if it’s close by.
 
How it works in practice is equally simple.  Let’s say you’re at a cafe, keys on the table.  An antenna connected to an amplifier is placed close to your car, and a similar unit is placed close to your key.  Now your key thinks it is close to your car, so the thief can simply open the car and get in.  Then the thief places the antenna close to the start button, and presses the button.  The car starts.  Or you could be waiting by an elevator, or at a friend’s house… there are so many places where someone or something could be close enough to the key without arousing suspicion, and it need only be close by for the moments it takes the thief to open the car.  The research paper we’ve looked at indicates that the key-side antenna might be as far as eight metres away from the key, and the total distance from car to key might be as much as sixty metres.
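To make the flaw concrete, here is a toy model of the challenge/response exchange above, written for this article rather than taken from it or from any manufacturer’s system. It shows why intact cryptography does not stop a relay, and how a round-trip-time bound (the “tolerance” mentioned above) caps the distance a relay can bridge. The shared secret, the relay delay and the 50 ns tolerance are constructed assumptions; key processing time is modelled as zero.

```python
import hashlib
import hmac
import os
from typing import Optional

C_M_PER_S = 299_792_458.0  # radio signals travel at the speed of light


def propagation_rtt_ns(distance_m: float) -> float:
    """Round-trip propagation time: challenge out over distance_m, reply back."""
    return 2.0 * distance_m / C_M_PER_S * 1e9


def max_distance_for_tolerance_m(tolerance_ns: float) -> float:
    """Farthest key a car tolerating tolerance_ns of round-trip delay still accepts.
    This is the limit the article describes: looser tolerance, longer reach."""
    return tolerance_ns * 1e-9 * C_M_PER_S / 2.0


class KeyFob:
    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # Keyed MAC over the car's challenge. A relay forwards this untouched and
        # never has to break it, which is why intact encryption does not help.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Car:
    def __init__(self, secret: bytes, rtt_tolerance_ns: Optional[float]):
        self._secret = secret
        # None models the vulnerable behaviour: any valid reply is accepted, however late.
        self.rtt_tolerance_ns = rtt_tolerance_ns

    def try_unlock(self, key: KeyFob, key_distance_m: float, relay_delay_ns: float = 0.0) -> bool:
        """One unlock attempt. key_distance_m is the true car-to-key distance; relay_delay_ns
        is extra latency added by relaying electronics (0 for a direct exchange). Key
        processing time is assumed to be zero in this model."""
        challenge = os.urandom(16)  # fresh per attempt, so old replies cannot be replayed
        response = key.respond(challenge)
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return False  # wrong key: the cryptography does its job
        if self.rtt_tolerance_ns is None:
            return True  # no timing check: a relayed reply from 60 m away passes
        observed_rtt_ns = propagation_rtt_ns(key_distance_m) + relay_delay_ns
        return observed_rtt_ns <= self.rtt_tolerance_ns
```

With a 50 ns tolerance the car will not accept a key more than about 7.5 m away, whereas with no timing check the sixty-metre relay described above is accepted just like a key on the seat.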
 
Of course, once the car moves off it will break contact with the “key” but that won’t matter, because all cars I’ve tested (and have been tested for this attack) permit the vehicle to keep moving and operate even when it loses contact with the key.  There may just be a warning message, nothing more.
 
This is a dangerous attack because it doesn’t need the encryption broken, there’s no proof of forced entry – indeed, it looks just like the owner has opened the car – and no alarms will go off because the actual, proper key has been used.  Might make for an interesting insurance claim in the event of theft.
 
So, what’s the real risk?
First, only keyless cars are at risk, which is those that do not require inserting a key in a lock to open.  This is also not a new risk; it’s been known about for years.  It’s just that some people are only now realising it exists.  In fact, the risk of car theft in one way or another has existed since about one minute after the first car was built.
 
Also, it’s not the case that kids can drop by Jaycar and buy kits, then go joyriding.  Electronics expertise is needed to carry out this attack.
 
However, this attack is a small but growing risk, as knowledge of the vulnerability spreads and increasing numbers of keyless cars appear on the market.
 
What can you do?  
 
Well, you could isolate your car key so its signals cannot be hijacked – this is a Faraday cage.  Contrary to popular suggestion, fridges are not a good idea – try it: put your phone in the fridge and see if you can call it.  Instead, try a microwave, which is designed to block such signals, but we emphasise, do NOT switch the microwave on!
 
Perhaps it’s easier just to invest in an RFID shielding bag.  Plenty on eBay.
 
Or, you could just remove the key’s battery, not a bad idea if you’re going to be away for a while but hardly convenient for everyday use.
 
More technical users could wire up a switch to turn the key on and off or modify the car so it requires additional authentication before being started or entered, for example a PIN.

None of the solutions are ideal, and it’s up to the manufacturers to address a security weakness they created. Here’s the technical research paper on how it can be hacked.

If your car DOESN’T USE PKES you’re safer… but not safe!

Note that only PKES cars are vulnerable to this attack.  If your car requires you to press a button to open it then it isn’t vulnerable to a relay attack unless the attacker can manage to press the key’s button.  And if your car requires a key to be inserted to start it, then again it isn’t vulnerable to this attack.  But it could be vulnerable to another, simpler attack – the jammer.
 
Most of the time you get out of the car, press the lock button, and walk away.
 
Do you ever check the car is locked, or just trust it locked?
 
The jamming attack is simple – remote locking uses a known set of radio bands (dictated by law), and all a thief needs to do is fill the airwaves with high-powered noise, preventing the key’s signal from getting through.  The driver presses the key to lock the car, but the car doesn’t lock because it never sees the signal.  The driver walks off, confident the car is locked, and the thief moves in.
 
The prevention is simple too – make sure that you check your car’s response to locking, which is usually a flash of the hazard lights and a small beep.  Make sure it’s the right response, because if a door is ajar the car will still respond, but differently from usual, as it can’t lock.
 
A good idea is to configure your car so it folds its mirrors in when locked, so you can tell at a glance if you really did lock it.

1 Comment

  1. 1250
    April 21, 2015 at 1:38 pm — Reply

    Oh dear, here we go again, “technology”, love or hate it!!!!!

Robert Pepper