6

Some cars unlock whenever the key fob is within a certain distance.

Do such systems generally guarantee the maximum distance in a secure fashion (namely, by requiring the fob to respond within a certain time, thus relying on the speed of light for security), or do they simply work on the basis that a weak enough radio signal won't travel very far?

In other words, are any such systems susceptible to an attack utilising a device that relays and amplifies the signals between the car and a reasonably far away key fob?

RomanSt
  • I'm guessing the close votes are because car entry doesn't sound like IT security. It seems very similar to me to NFC/RFID security, which appears to be on topic, but if the community disagrees, by all means close this. – RomanSt Apr 19 '15 at 03:07
  • 1
    If the votes of this being on-topic are close, that's really bad. This is quite obviously information security. Just because the computer is in a car, and the security is a lock doesn't mean it's not information security. I'm afraid the "on topic" Nazis have taken over. – Steve Sether Apr 21 '15 at 01:28

2 Answers

3

I suppose this falls back to active RFID type of communication issues and, maybe 1-2 years ago, I read an article on the subject (sadly I do not remember the reference now). Researchers tried to authenticate under the following conditions:

  • The victim bearing the genuine RFID token was in some crowded public place (subway, ...),
  • Attacker A goes near the victim (no need to steal the token); he bears an RFID transceiver linked to a mobile phone,
  • Attacker B is near the door to open, also having a mobile phone and an RFID transceiver.

Here is a quick representation of the communication path established between the RFID token and the RFID lock:

Genuine RFID token <--> RFID transceiver <--> Mobile phone A <--> Mobile phone B <--> RFID transceiver <--> RFID lock

Thanks to this system, the researchers managed to extend the RFID range to unlimited. However, the issue they encountered was, as you mentioned, a timing issue making this attack practically not doable with current technology (i.e. up to 3.5G); however, they expressed some worries on the subject with technology evolution, which would inevitably overcome this timing issue.

So, to answer your question, technically the attack is doable, but not practical yet. However, if I were to wear such a key and had such a safety concern, we see more and more Faraday pouches designed to prevent such issues (some are even integrated into bags and jacket pockets; a discussion on the subject is here).

WhiteWinterWolf
  • The paper linked in the other answer has demonstrated the attack in multiple cars, so the part of this answer that states it's not practical yet appears to be false. – RomanSt Apr 20 '15 at 12:47
  • The other post does not deal with exactly the same attack as the study I was referring to. Here, the smartcard does not even need to be in the 50 meter range; the card owner could be at the other side of the world and it would not matter, since the mobile phone system itself is being used to relay RFID authentication. And for the practical use of this attack, I will have to check if someone tried to replicate it using the latest 4G networks, which have a far lower latency... – WhiteWinterWolf Apr 20 '15 at 14:31
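
The time-bounded response check raised in the question, sketched from the car's side as an added example (it is not part of the original posts and is not code from any real vehicle). It follows the register-lookup style of the Hancke-Kuhn distance-bounding protocol; the 2 m limit, the 50 ns fob processing time, the channel model and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

C = 299_792_458.0  # speed of light in m/s

def registers(key, nonce, n):
    """Slow phase (untimed): both sides derive two n-bit response registers."""
    d = hmac.new(key, nonce, hashlib.sha256).digest()
    bits = [(d[i // 8] >> (i % 8)) & 1 for i in range(2 * n)]
    return bits[:n], bits[n:]

def fob_round(regs, i, challenge_bit):
    """Fast phase on the fob: a table lookup, so processing time is small and fixed."""
    return regs[challenge_bit][i]

def measured_rtt_ns(distance_m, processing_ns, relay_delay_ns=0.0):
    """Constructed channel model: propagation both ways + fob + relay latency."""
    return 2 * distance_m / C * 1e9 + processing_ns + relay_delay_ns

def car_verify(key, nonce, transcript, max_distance_m, processing_ns):
    """Accept only if every bit is right AND every round fits the time budget."""
    regs = registers(key, nonce, len(transcript))
    budget_ns = 2 * max_distance_m / C * 1e9 + processing_ns
    for i, (c, r, rtt) in enumerate(transcript):
        if r != regs[c][i] or rtt > budget_ns:
            return False
    return True

def run(distance_m, relay_delay_ns=0.0, n=32, max_distance_m=2.0, processing_ns=50.0):
    """Simulate one unlock attempt; returns the car's accept/reject decision."""
    key, nonce = secrets.token_bytes(16), secrets.token_bytes(16)  # constructed secrets
    fob_regs = registers(key, nonce, n)
    transcript = []
    for i in range(n):
        c = secrets.randbelow(2)  # car's random challenge bit for this round
        rtt = measured_rtt_ns(distance_m, processing_ns, relay_delay_ns)
        transcript.append((c, fob_round(fob_regs, i, c), rtt))
    return car_verify(key, nonce, transcript, max_distance_m, processing_ns)

def hidden_distance_m(slack_ns):
    """Distance that fits inside a given amount of slack in the time budget."""
    return slack_ns * 1e-9 * C / 2

if __name__ == "__main__":
    print("fob at 1 m:", run(1.0))
    print("fob at 8 m, zero-latency amplifier:", run(8.0))
    print("fob at 1 m, 50 ms network relay:", run(1.0, relay_delay_ns=50e6))
    print("1 us of slack hides %.1f m" % hidden_distance_m(1000))
```

A signal-strength check alone would accept the amplified 8 m case; the timing check rejects it because propagation delay cannot be amplified away. The budget must be tight, since each microsecond of slack covers roughly 150 m of extra distance.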
3

This is indeed a known attack on proximity based keyless entry systems. See http://eprint.iacr.org/2010/332.pdf for a paper by researchers who used a simple device to extend the range to 8m. Doesn't sound like a lot, but if you park your car outside your house at night then the fob is probably that close.

It's from 2010, and so more modern cars may well have implemented countermeasures, but articles like http://www.nytimes.com/2015/04/16/style/keeping-your-car-safe-from-electronic-thieves.html?_r=0 suggest that this is still an effective attack.

Graham Hill