
Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

Aurélien Francillon, Boris Danev, Srdjan Capkun
Department of Computer Science, ETH Zurich, 8092 Zurich, Switzerland
{aurelien.francillon, boris.danev, srdjan.capkun}@inf.ethz.ch


We demonstrate relay attacks on Passive Keyless Entry and Start (PKES) systems used in modern cars. We build two efficient and inexpensive attack realizations, wired and wireless physical-layer relays, that allow the attacker to enter and start a car by relaying messages between the car and the smart key. Our relays are completely independent of the modulation, protocol, or presence of strong authentication and encryption. We perform an extensive evaluation on 10 car models from 8 manufacturers. Our results show that relaying the signal in one direction only (from the car to the key) is sufficient to perform the attack while the true distance between the key and car remains large (tested up to 50 meters, non line-of-sight). We also show that, with our setup, the smart key can be excited from up to 8 meters. This removes the need for the attacker to get close to the key in order to establish the relay. We further analyze and discuss critical system characteristics. Given the generality of the relay attack and the number of evaluated systems, it is likely that all PKES systems based on similar designs are also vulnerable to the same attack. Finally, we propose immediate mitigation measures that minimize the risk of relay attacks as well as recent solutions that may prevent relay attacks while preserving the convenience of use, for which PKES systems were initially introduced.



Modern cars embed complex electronic systems in order to improve driver safety and convenience. Areas of significant public and manufacturer interest include access to the car (i.e., entry in the car) and authorization to drive (i.e., start the car). Traditionally, access and authorization have been achieved using physical key and lock systems, where by inserting a correct key into the door and ignition locks, the user was able to enter and drive the car. In the last decade, this system has been augmented with remote access in which users are able to open their car remotely by pressing a button on their key fobs. In these systems, the authorization to drive was still mainly enforced by a physical key and lock system. Physical keys also often embedded immobilizer chips to prevent key copying.

Recently, car manufacturers have introduced Passive Keyless Entry and Start (PKES) systems that allow users to open and start their cars while having their car keys 'in their pockets'. This feature is very convenient for the users since they don't have to search for their keys when approaching or preparing to start the car. The Smart Key system was introduced in 1999 [1]. Since then, similar systems have been developed by a number of manufacturers under different names; a full list of systems can be found in [2].

In this work, we analyze the security of PKES systems and show that they are vulnerable to relay attacks. In a relay attack, the attacker places one of her devices in the proximity of the key, and the other device in the proximity of the car. The attacker then relays messages between the key and the car, enabling the car to be opened and started even if the key is physically far from the car. This corresponds to the scenario where the key is, e.g., in the owner's pocket in the supermarket, and the car is at the supermarket parking lot. We tested 10 recent car models from 8 manufacturers and show that their PKES systems are vulnerable to certain types of relay attacks¹. Our attack allowed us to open and start the car while the true distance between the key and car remained large (tested up to 50 meters, non line-of-sight). It worked without physically compromising the key or raising any suspicion of the owner. We also show that, with our setup, the smart key can be excited from a distance of a few meters (up to 8 meters on certain systems). This removes

¹ Instead of providing names of car models and manufacturers that we tested, we describe the operation of the PKES system that the tested models use. We leave it to the readers to verify with the manufacturers if the described or similar PKES system is used in specific car models.
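
As an added illustration (not code from the paper), the following Python simulation models the relay described above with a constructed HMAC challenge-response: a relay that forwards the bytes unchanged passes authentication at 50 meters, while a round-trip-time bound rejects it. The class names, `LF_RANGE_M`, `KEY_PROC_S` and the timing bound are assumptions of this example; this page does not specify the protocol or a particular countermeasure.

```python
import hashlib
import hmac
import os

C = 299_792_458.0      # speed of light, m/s
LF_RANGE_M = 2.0       # constructed value: how far the car's challenge reaches unaided
KEY_PROC_S = 1e-6      # constructed value: fixed time the key takes to answer

class Key:
    def __init__(self, secret):
        self.secret = secret

    def respond(self, challenge):
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()

def direct(key, distance_m):
    """Channel with no relay: the key only hears the car inside LF_RANGE_M."""
    def send(challenge):
        if distance_m > LF_RANGE_M:
            return None, None                      # key never receives the challenge
        return key.respond(challenge), KEY_PROC_S + 2 * distance_m / C
    return send

def relayed(key, distance_m, relay_delay_s=0.0):
    """Channel with a physical-layer relay that carries the signal unchanged."""
    def send(challenge):
        rtt = KEY_PROC_S + 2 * distance_m / C + relay_delay_s
        return key.respond(challenge), rtt         # bytes are untouched, only time grows
    return send

class Car:
    def __init__(self, secret, max_rtt_s=None):
        self.secret = secret
        self.max_rtt_s = max_rtt_s                 # None = accept any valid response

    def unlock(self, channel):
        challenge = os.urandom(16)                 # fresh challenge per attempt
        response, rtt = channel(challenge)
        if response is None:
            return False
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return False
        return self.max_rtt_s is None or rtt <= self.max_rtt_s

def rtt_bound(range_m=LF_RANGE_M, slack_s=5e-9):
    """Largest round trip a key within range_m can produce, plus measurement slack."""
    return KEY_PROC_S + 2 * range_m / C + slack_s
```

Even with `relay_delay_s=0.0`, the 50 meter round trip adds roughly 333 ns of propagation time, which is why the bounded car rejects the relayed response although its cryptographic check still succeeds.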
