Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

this is a major problem and it turns out thousands of cars have been stolen using this method and shipped to south america where they are now being used as homes for people under 5' tall.

 

People will and can steal even the most well-protected cars so that's what insurance is for.

 

The problem here is that cars are expected to last a decade if not longer. Nobody will keep a computer or a wireless router a decade.

The hack was demonstrated by Johns Hopkins and RSA Labs back in 2005

About RFIDs and the TI DST - Car Thief Stoppers

By 2008, the original RFID system was shown to be completely broken

24C3 Mifare crypto1 RFID completely broken - Hack a Day

As FPGA (Field Programmable Gate Array) devices become even cheaper and powerful, along with host devices like smartphones, we will see the pendulum swing from RFID helping secure our cars, to making them absolutely easy to steal

Of course, there is no evidence of the theft. No broken windows, no busted steeering column, just the car mysteriously vanished and the insurance company denying a claim

 

Yes, saw this article today. Most likely there's a business there in making attractive, practical RF shield devices for keyless entry fobs. If it could be made in a way that you could just reach in your pocket or purse and "unshield" it enough to work without having to take it out of your pocket, and then re-shield it when the car lock was open, that wouldn't be too bad (isn't that about the same thing as the non-keyless fobs, though?).

Maybe they're already available, I haven't looked...this would be the Toyota recall, put your keyless entry fob in a metal case *smile*. My gas pedal is already shorter than it used to be.

I'm having a hard time dismissing this with "that's what car insurance is for", myself.

-Roger

 

If you can show them the two FOBs your insurance will cover the loss. You don't need a pile of broken glass.

So a knowledgeable professional can steal your Prius. So what else is new. They can also use a flatbed car carrier. Or how about a tow truck with bogey wheels under the front wheels of your Prius?

If you want a theft-proof car it's the one you haven't purchased yet.

 

I don't think most auto insurers will make you produce keys to prove that your car was really REALLY stolen. In fact, I think that they would have to cover the loss even if you left your key-fobby-thingy in the car.
Caveat: I've never had a car stolen...but I have a close relative that's been in the home/auto/life insurance biz for many years.

Mostly, they'll just take the police report...wait a looooong time for the vehicle to be recovered, and if it's not, they'll (eventually) pay the loss. This is why car torching is such a common occurrence when slugs want to get out from underneath their monthly car payments.

One thing is for sure. If your car ever does get stolen---it's private sale value will take a big ding once your VIN# gets attached to a police report, even if your kid just stole it for a quick spin around the block!

As far as the "Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars'' worries....it's not much to worry about in Priuses, unless you're just looking for something to worry about. According to the Highway Loss Data Institute's report on the most stolen, broken into, or stripped American cars of 2010---we're nowhere near the top of the list...(We're probably like, #74---behind the Suzuki Kizashi...)

Interestingly enough.....my GMC was number 6, and I sleep pretty well at night with my dumb old remote door lock/metal key start!
TIFWIW..... ($0.02)....

 

Well, a friend had a Civic CRX Si stolen from his driveway. He had full replacement value insurance on it, but he did have to show them the two keys (to prove his son/friend/relative/etc) didn't take it. He got paid out in a week. No indication of how they did it. It was just -gone-.

Do keep in mind the Prius is not an expensive car. Even the parts are not in great demand. Most thieves will be after your neighbors Lexus/Mercedes/Caddy/Lincoln/etc. Hondas are also in great demand for parts, because they are so popular for the hop-up crowd.

 

Correct.

 

Great find.

 

There are a lot easier ways of stealing most cars (without towing) rather than the method described. The point of adding technology is to make it difficult, but it's never impossible.

I don't think I've ever heard of a Prius being stolen, even though the technical capability exists, so I think we are pretty safe!

I have a friend who has had all her windows broken by kids about 4 times now. That's probably worse!

 

I am sure you are right.

 

Not sure if this applies to a Prius.

 

Here is what I don't understand about this form of attack: Most smart key systems, such as the one used in the Prius, use both RF (radio frequency) and LF (low frequency - essentially magnetic fields) for communication and detection. The RF is used for communication between the car and fob. LF is used for localization. The LF fields are generated by the coils in the car: one in each front door, one inside the car, and one at the rear for the three door system.

RF has a relatively long range. If you press the the unlock button on your fob, it sends an command to the car via RF, which causes the door to unlock. This mode requires active operation by the owner, and is not susceptible to relay attack. A relay could extend the range, but you would still need to press the unlock button. Also, this would only unlock the car, not allow it to start.

In smart mode, a beacon signal is used to tell the fob that it is close to the car. When the fob senses this beacon, it measures the LF field to determine the fob's orientation from the car and the distance from the car. It then encodes this information and sends it back to the car via RF. The car looks at this positional information and decides which door to enable for unlocking.

In a similar fashion, the LF field is used to verify that the fob is inside the car in the drivers area before the engine is allowed to start.

The RF signal is easy to relay. All you need is a receiver, a transmitter, and two antennas. This is what makes a relay attack possible. However, it isn't so simple with the LF field. Low frequency magnetic fields don't amplify and relay the same way as RF. For this to work, you would need to generate a phantom LF signal in close proximity to the fob, and then use the RF relay. You would have to do it twice with two different LF signals: once simulating the LF on the outside of the vehicle to allow the door to unlock, and a second time on the inside of the vehicle to start the car. This isn't a trivial problem to solve.

So how did the relay attack work on some cars? It's likely these cars use a simplified smart key system that doesn't include the LF oscillators. It's just like mechanical locks: some are cheap and easy to break; others are very secure. Some are much better than others.

Tom

 

I'd recommend not being so confident it can't be broken - I have no doubts it can be. It's not terribly likely that lots of people will start doing it, of course. It's more likely that somebody would try an attack that doesn't require a relay, which also might be possible. A relay attack is just a pain.

Car manufacturers haven't had to think much about security - like what happens if somebody figures out a way to hack the Nav unit via Bluetooth? Or the TPMS wireless links? Some of these things may not have very well-thought-out security. Sometimes, that's just because, well, 'who cares if somebody figures out how to make your TPMS light turn on?' But cars haven't been something that people have traditionally tried to write viruses and other malware for. And maybe they never will. But it doesn't mean it can't be done. It's just a matter of return on investment - if you have to spend $100,000 to steal a $20,000 car, or invest months of time to do it, it's probably not worth it to most thieves.

 

My guess is that the low frequency signal is just another radio signal. The low frequency (134.2 KHz) and small antennas make for the short range. The car-to-keyfob information is something like "this is the driver's door oscillator looking for a key for car X". When a keyfob hears the signal, it compares its car number with the transmitted value. If there is a match, then the keyfob replies "I hear the driver's door oscillator and here is my current rolling code and encrypted identification". Each oscillator could be transmitting a different message that identifies its location on the car.

I know that the keyfob signal uses rolling code and encryption. I don't know what the car-to-keyfob data is. Since the car-to-keyfob data can be interpreted by all keyfobs, it probably isn't encrypted. In fact it may not even be varying. I wonder if you recorded the car-to-keyfob signal, would replaying that signal cause the keyfob to reply? My guess is yes.

 

Yes, but this wouldn't work with the LF position sensor. Any idea how you would defeat that?

Tom

 

Unlocking the door and hitting the Power button are two distinct processes from a SKS point of view. To unlock the door with SKS from the outside, the car has to be powered off and doors locked. The keyfob has to be detected within about 3 feet of the outside of the door. When this condition has been met, then touching the sensor on the door handle triggers a door unlock. It also turns off the the outside oscillators, and turns on the inside oscillators. In order to enable the Power button, the keyfob then has to be detected by the inside front oscillator. This is a second detection, at a different location.

I've observed this behavior with a low-band receiver that can tune to the low frequency oscillators. Actually, I have to tune it to the 2nd harmonic at 265 KHz, but the data is there. The outside oscillators are on while the car is turned off and locked. As soon as the car is unlocked, the outside oscillators turn off and the inside ones are on. When the car is turned on, all of the oscillators are disabled. There are a few more conditions that cause the oscillators to turn on, such as opening the door with the power on.