78

The German automobile club ADAC did a test with several cars which open doors and start the engine with a "keyless entry" system. You don't have to push a button on your car key. If you get near your car, key and car will recognise each other. If you pull the door handle, the car will open. Inside the car you push the ignition button and the engine starts.

The security relies on the distance between key and car. Car thieves have built a repeater to tunnel the radio signals over long distances. One thief stands near the key and the other near the car. Then the car will open. The distance between car and key can easily be several hundred meters. Lots of cars are stolen this way.

  • How could car manufacturers solve this problem, or is this an unpatchable design flaw?
  • Are there any mitigations a car owner could put in place?
  • What should wireless physical access control look like for cars?
honze
  • 3
    I am making assumptions, but you still have a physical key on it if the wireless system doesn't work, right? Isn't there a battery you can remove on your device? – Yuriko Mar 17 '16 at 10:44
  • Yes, there is a traditional metal key. Yes, you could remove the battery. But you have to remove several covers on the exterior and interior. I don't know how the immobiliser would be affected. This could be a problem. But you could order a key without the "keyless" ability. This might work, but I am not sure, whether the car manufacturer is able to sell such a key. This could be an effective mitigation. You could fall back to a "classical" remote key with buttons. Thank you very much for your guidance pointing me to this maybe-solution! – honze Mar 17 '16 at 15:44
  • 4
    I don't think it can be patched. I'd get a pocket with metal inlay for the key (effectively a Faraday cage) so that the car unlocks only if I intentionally pull out the key. – marstato Mar 17 '16 at 17:02
  • 8
    Can you edit your question to clarify what you are asking? Are you asking what *car manufacturers* can do, or are you asking what *car owners* can do? Who is the "you" in the question? – D.W. Mar 17 '16 at 17:45
  • There are car steering wheel "locks" that look great and prevent full use of the steering wheel. – Dave Mar 17 '16 at 19:28
  • Thank you for your overwhelming support. Because there are so many comments, suggestions and edits, I don't want to close the question yet. I think there are some solutions out there, which nobody has mentioned yet. There could be a to-do list (like a hardening guide) for manufacturers and a tips and tricks list (quick hacks) for customers. – honze Mar 17 '16 at 19:30
  • 4
    @Yuriko, Chevy Volt owner here. Opening the door with the metal key will trip the alarm. Once inside the car, you'd have to open a compartment on top of the dash, remove whatever junk you have stored there, remove the rubber liner from the floor of the compartment, and insert the metal key in the keyhole that is thus revealed in order to silence the alarm and start the car.... Or something like that, anyway. I haven't yet had to actually _do_ that. – Solomon Slow Mar 17 '16 at 19:50
  • 6
    I'm no fan of car thieves, but I gotta say, that's pretty clever. – Reinstate Monica -- notmaynard Mar 18 '16 at 17:01
  • Car manufacturers could install a GPS system into the key fob and the car, and verify they are in proximity. They might have to sign the GPS coordinates with a private/public key pair. Of course, [that's also hackable](http://www.wired.com/2012/07/drone-hijacking/). – Chloe Mar 21 '16 at 02:51
  • This question is too broad. This site works best when you ask one question per question. Each of your three questions should be separated out into a separate post/question, as each could allow for very substantial answers. – D.W. Mar 21 '16 at 04:43

7 Answers

60

From a layman's point of view, yes, it's a design flaw, and yes, the signals are boosted to unlock the cars from far, far away. This is known as a Relay Station Attack (RSA). Some of the ways to mitigate such attacks are:

  • measuring Group delay time to detect illegal high values
  • measuring Third-order intercept point to detect illegal Intermodulation products
  • measuring Field strength of the Electric field
  • measuring response time of 125 kHz LC circuit
  • using a more complex Modulation (i.e. Quadrature amplitude modulation) which can't be demodulated and modulated by a simple relay station
  • putting a physical on/off switch on the key

I don't think these mitigations can be used by the car owner themselves, as there is quite a bit of technical detail behind them.

Taken from Wikipedia: Smart keys and Security requirements

beppe9000
Mohsin Khan
  • 6
    A passive or nearly-passive repeater doesn't need to demodulate and remodulate if only the frequency range used is known; it can blindly retransmit on the output side whatever is received on the input side. You only need to demodulate (but even that can be done in a separate signal path) if you want to analyze the signal on the air to know whether it makes sense to retransmit or not. – user Mar 17 '16 at 14:49
  • @MichaelKjörling Repeaters will always be bound by the speed of light. If the endpoints transmit data simultaneously (on different frequencies if necessary) and reliably measure which outgoing bits and incoming bits are transferred simultaneously, then it will be possible for the legitimate endpoints to measure a fairly accurate distance between each other. Then the car just has to refuse unlocking wirelessly if the distance is measured as more than say 20m. Whether the hardware to do this can be embedded in a key is another question. – kasperd Mar 17 '16 at 17:00
  • 5
    @kasperd Of course there are ways to make use of a repeater more difficult. My comment was in response to the statement that *QAM* "can't be demodulated and modulated by a simple relay station", pointing out that a repeater wouldn't even need to demodulate the signal. – user Mar 17 '16 at 22:50
  • 1
    RSA is an unfortunate TLA – craq Mar 19 '16 at 09:53
51

I have a car with such a keyless entry system. My dad saw a report about those ADAC findings on TV and he had an idea which works:

[Two images, not preserved]

By placing the key in a steel can like the one above, the car does not detect the key any longer, so I figure range extenders would not pick up the key's signal either. Of course, this is annoying as it defeats the whole purpose of not having to take the key out of my backpack when I want to open the car and drive. But I guess this is still better than coming back to where I left the car, only to find it gone.

  • 40
    Pocket size Faraday cage? :) – PTwr Mar 17 '16 at 11:20
  • 19
    well, guess i gotta start smoking then... – Gigala Mar 17 '16 at 12:05
  • 20
    (Who)Germany sells cigarettes in Faraday cages? – KDecker Mar 17 '16 at 12:40
  • 1
    I have always wondered why no one makes a snap-on key cover which disables the buttons on a standard "digital" key (to avoid "butt dialing" your car). Making it also be a passable Faraday cage would be a plus. – Hot Licks Mar 17 '16 at 12:46
  • 1
    There are also [less cool](http://www.fobguard.com/) ones available. – SilverlightFox Mar 17 '16 at 13:26
  • 7
    I'm thinking an [Altoids](https://en.wikipedia.org/wiki/Altoids) can might be equally appropriate? Not sure if it's thick enough though. I'm personally dreading the day I get a car with passive-entry or keyless-start features. Tinfoil hat gets all kinds of tingly just thinking about it. – Iszi Mar 17 '16 at 19:28
  • Yes, a Faraday cage for €5, much cheaper & including cigarettes. I just need to add some padding. Makes too much noise when the key hits the metal. Tried an Altoids-like can and that one wasn't thick enough. – Matthias Nehlsen Mar 17 '16 at 22:26
  • @HotLicks, I need one that just covers the damned alarm button. The other keys on my ring twist themselves around in a conspiracy to butt-dial that stupid alarm about once a week! – John Deters Mar 22 '16 at 17:03
  • @JohnDeters - This is my problem too. Except that twice now I've had the side door of my van opened this way ... in the rain. (It doesn't help that there's a second mega car key on the same ring.) – Hot Licks Mar 22 '16 at 21:18
  • Maybe you could just throw the remote key in Orodruin (Mount Doom) to destroy it and use normal metal key. – Tomáš Zato - Reinstate Monica Apr 21 '16 at 13:57
21

If you truly fear an RFID proximity relay attack, such that you would keep the key fob in a Faraday cage in your pocket, you must recognize that you will be giving up all the convenience of proximity, plus other inconveniences. You'll have to carry some kind of larger container, and you'll have to open it to take out the key to use the remote or the key.

I see two clear alternatives. If you are willing to give up proximity but don't want to sacrifice the other conveniences, there is a much cleaner solution than a band-aid tin in your pocket: disable the proximity system in your vehicle. That way, no external attacker can attack the fob in your pocket. You retain the convenience of being able to use the normal RF functions to lock and unlock the doors with the buttons. Check your owner's manual for instructions.

The other option is to pass the risk to a third party: buy theft insurance, and don't worry if someone attacks the proximity system; hooks up a tow truck; smashes your window; or any of the many other attack vectors. You give up no convenience, only money. And you're protected regardless of the form of theft.

John Deters
  • Thank you for your great answer. At the moment the only "secure" way is to deactivate the system. There are other great workarounds, described in the other answers, but this one should work best, because you fall back just one technology level. Great hint to transfer the risk to an insurance. This is the way to go. – honze Mar 20 '16 at 13:04
11

You could use a Faraday cage to create a physical security layer. By having a box with a built in cage to the correct specifications where the keys are stored, you remove the potential for this attack to work.

Keyless entry systems have many more avenues of attack however, so if you're seriously concerned about vehicle security you may wish to store it in a garage, purchase manual vehicle security items like wheel, pedal or gear locks, install an aftermarket immobilizer or install active tracking systems. There is a (possibly apocryphal) story of a tracking company who have a 99.9% success rate with recovering vehicles. The one they haven't recovered is in an African nation under the "ownership" of a local warlord, hence the lack of recovery!

Remember - any car can be stolen. If someone really wants your car, all they'll do is literally pick it up and stick it on the back of a flatbed truck. The main point of most vehicle security is to delay theft attempts, rather than to completely defeat them.

Benoit Esnard
Miller86
  • 7
    Anti-theft systems have a great deterrence effect. The thieves do not want your car, they want **a** car (unless they are Nicholas Cage), so they will always go after an easier mark. – Mindwin Mar 17 '16 at 11:48
  • 3
    Indeed, as @Mindwin says - it is unlikely your car would be a target to such an advanced attack as "lifting onto a flatbed"; there are very few occasions where *your* car will be the one thieves want, rather than *a* car (or *a* Ferrari, or *an* Aston Martin). Taking basic precautions goes a long way to mitigating these attacks. If your car is particularly rare, or has particular options or paintjobs that make it appealing to steal, there's always a chance you could be a victim of a targeted theft, however, so if this is the case explore additional layers of security. – Miller86 Mar 17 '16 at 11:59
  • 1
    "if someone really wants your car all they'll do is literally pick it up and stick it on the back of a flatbed truck" What if you chain it to the ground with a carbon nanotube chain? – PyRulez Mar 17 '16 at 13:58
  • 7
    @PyRulez Asphalt is removable, given enough effort. – user Mar 17 '16 at 14:51
  • 32
    @PyRulez: In that case they are probably stealing your carbon nanotube chain, which the 2 ton car is protecting by somewhat anchoring it in place. – dotancohen Mar 17 '16 at 15:16
  • References for reading more about the car recovery company? – Joel B Mar 20 '16 at 17:10
  • I'm afraid it's a story I overheard from a friend who works for Thatcham Research, and I don't have a source. – Miller86 Mar 21 '16 at 08:39
4

Most of the answers I'm seeing (e.g., Faraday cages) defeat the purpose of the wireless key: to unlock and start the car without having to grab the key out of your pocket.

Why not have a time-dependent encryption system work both ways? When the door handle is touched, the car sends a public key signal that changes with time (in ns), which the key incorporates into its own signal which it sends back to the car. If the car does not receive the key signal within so many ns (c is 1 foot per ns), it doesn't unlock.

I don't know much about the inner workings of the passive key signal, but if this isn't possible with watch-battery powered technology then cell phones or other mobile devices may have to replace the smart key, which of course introduces a litany of other security questions.

user1717828
  • 1
    That's a great idea imho! But I think it is very expensive to put a measuring device into a car that is capable of nanosecond precision and resolution. – marstato Mar 20 '16 at 19:47
  • 1
    Using the speed of light would be a physically unbreakable verification of the distance between your car and your key, but it's certainly not easy to implement. It takes multiple microseconds for the car to send a cryptographic challenge and for the key to compute and send a response. Working a 10-20ns delay limit into this in such a way as to make it _guaranteed_ to be impossible to extend the range sounds like a tough engineering challenge. – RomanSt Mar 21 '16 at 00:18
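
As an added illustration (not part of any post or comment on this page): the round-trip-time check proposed in the answer above and in kasperd's comment on the first answer, together with the processing-delay problem RomanSt raises. The function names, the HMAC-SHA256 response, the 5 µs fob processing time and the timing model are assumptions made for this sketch; the 20 m limit is the figure from kasperd's comment.

```python
import hashlib
import hmac
import os

C = 299_792_458.0  # speed of light in m/s (about 0.3 m, or 1 foot, per ns)

def fob_response(secret: bytes, challenge: bytes) -> bytes:
    """Fob side: MAC over the car's fresh challenge (HMAC is an assumption)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def distance_upper_bound(rtt_s: float, min_processing_s: float) -> float:
    """Farthest the responder can be for a measured round-trip time.

    Only the fastest processing time a genuine fob can achieve may be
    subtracted; any extra allowance could be spent on relay distance.
    """
    return max(0.0, (rtt_s - min_processing_s) * C / 2)

def car_accepts(secret, challenge, response, rtt_s,
                min_processing_s, max_distance_m=20.0) -> bool:
    """Car side: unlock only if the MAC is valid and the fob is provably near."""
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):
        return False
    return distance_upper_bound(rtt_s, min_processing_s) <= max_distance_m

def simulated_rtt(path_m, processing_s, relay_delay_s=0.0) -> float:
    """Constructed timing model: flight out and back + fob processing + relay."""
    return 2 * path_m / C + processing_s + relay_delay_s

def hidden_distance(processing_jitter_s: float) -> float:
    """Relay distance that fits inside the fob's processing-time jitter."""
    return processing_jitter_s * C / 2

if __name__ == "__main__":
    secret, challenge = os.urandom(16), os.urandom(16)  # constructed values
    resp = fob_response(secret, challenge)  # a relay forwards this unchanged
    fast = 5e-6                             # assumed 5 us fob processing time
    for label, path_m, proc in [("fob at 2 m", 2.0, fast),
                                ("relayed over 300 m", 300.0, fast),
                                ("fob at 2 m, 1 us slower", 2.0, fast + 1e-6)]:
        ok = car_accepts(secret, challenge, resp, simulated_rtt(path_m, proc), fast)
        print(f"{label}: {'unlock' if ok else 'refuse'}")
    print(f"1 us of jitter hides {hidden_distance(1e-6):.1f} m of relay")
```

The third case is the engineering problem from the comments: a genuine fob that answers 1 µs late is indistinguishable from one about 150 m farther away, so widening the limit to tolerate it also admits a relay of that length.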
2

You should also think about what other stupidity your car manufacturer could've done. What if the key isn't even necessary, because the "security" is so weak that the authentication system could be brute forced remotely in a reasonable amount of time?

The only solution would be to reverse engineer the firmware of each control module in the car and patch their security flaws. Since this is pretty much impossible unless you have a team of engineers and unlimited amount of money, your best bet is just to pay for some good insurance and cross your fingers, or buy your car from a vendor that has a good security track record.

André Borie
  • 1
    This applies equally to wireless keyfobs as commonly used, not just entirely keyless entry. – user Mar 18 '16 at 14:49
  • How easy is it to crack a wireless key fob, today? Do you just have to know a shared secret? Like a password or a code? A few years ago the secret was only 4 digits long, if I remember correctly. – honze Mar 20 '16 at 13:11
1

We may need two-phase security. Along with the keyless entry system, add strong biometric authentication too. For instance, the driver's door is still pulled open by him. Let us have a system in the door handle which detects his fingerprints, and if he/she is in the authenticated list, the door opens; otherwise it triggers an alarm.

Kannan_SJD
  • It's perfectly possible to enter the car from the passenger's side and climb over into the driver's seat. Not particularly inconspicuous, but perfectly doable. – user Mar 18 '16 at 14:51
  • What if the driver is wearing gloves? – Reinstate Monica -- notmaynard Mar 18 '16 at 17:03
  • @Micheal, Most of the cars will be centrally locked and need some kind of initiation from the driver. But what you have said is still an issue. Will make my answer more detailed to handle that scenario. – Kannan_SJD Mar 21 '16 at 09:28
  • @iamnotmaynard, yes that is a drawback too. I just meant thumb as an eg, you could go with eye or something. But that will reduce the convenience. Will improve my answer taking all this into account. – Kannan_SJD Mar 21 '16 at 09:39