
Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars - page 10 / 15

Table 5. Experimental maximum delay, key response time and spread per model

| Car model | Max. Delay | Key Response Time (std dev) | Key Response Time Spread |
|---|---|---|---|
| Model 1 | 500 µs | 1782 µs (±8) | 21 µs |
| Model 2 | 5 ms | 11376 µs (±15) | 47 µs |
| Model 4 | 500 µs | - | - |
| Model 5 | 1 ms | 5002 µs (±4) | 11 µs |
| Model 6 | 10-20 ms | 23582 µs (±196) | 413 µs |
| Model 7 | 620 µs | 1777 µs (±12) | 25 µs |
| Model 8 | 620 µs | 437 µs (±70) | 162 µs |
| Model 9 | 2 ms | 1148 µs (±243) | 436 µs |
| Model 10 | 35 µs | 2177 µs (±8) | 12 µs |

confident that his car is locked (feedback from the car is often provided to the owner with indicator lights or horn). Once the car is out of the user's sight, the attackers can place the second antenna at the door handle. The signals will now be relayed between the passage point and the car. When the car owner passes in front of this second antenna with his key in the pocket, the key will receive the signals from the car and will send the open command to the car. As this message is sent over UHF, it will reach the car even if the car is within a hundred meters (footnote 10). The car will therefore unlock. Once the attacker has access to the car, the signals from within the car are relayed and the key will now believe it is inside the car and emit the allow start message. The car can now be started and driven. When the attacker drives away with the car, the relay will no longer be active. The car may detect the missing key; however, for safety reasons, the car will not stop, but continue running. Similarly, the car might detect a missing key for several other reasons, including a depleted key battery. Some car models will not notify the user if the key is not found when the car is on course, while some will emit a warning beep. None of the evaluated cars stopped the engine if the key was not detected after the engine had been started.

This attack therefore enables the attackers to gain access (open) and to get authorization to drive (start and drive) the car without the possession of appropriate credentials.

We tested a variant of this attack by placing a relay antenna close to a window to activate a key left inside a closed building (e.g., on a table). This is possible when the antenna–key range is large, such as the 6 - 8 m achieved on some models. In such a case, if the car is parked close to the building, the attacker is able to open and start it without entering the building.

Stealth Attack. The described relay attack is not easily traced. Unless the car keeps a log of recent entries and records exchanged signals (e.g., for later analysis), it will be difficult for the owner to know if his car was entered and driven. Similarly, it will be difficult for the owner to prove that he is not the one that actually opened and used the car. This is because there will be no physical traces of car entry. This can have further legal implications for car owners in case their cars or property from their cars are stolen due to this PKES vulnerability.

Combination with Other Attacks. Significant security vulnerabilities have been identified in computer systems of modern cars [26], allowing for example to control safety systems such as brakes or lights from the car internal communication bus. One of the most dangerous results of this study is the demonstration of rootkits on car computers that allow an attacker to take control of the entire car. Moreover, the malicious code could erase itself, leaving no traces of the attack. The practical risk of such attacks is reported to be reduced as the attacker needs access to the OBD-II communication port, which requires being able to open the car. The relay attack we present here is therefore a stepping stone that would provide an attacker with easy access to the OBD-II port without leaving any traces or suspicion of his actions. Moreover, as the car was opened with the original key, if an event log is analyzed it would show that the car owner did open the car.

[Footnote 10] The UHF signal could also be relayed, which would further extend the distance from which this attack can be mounted.
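The remark above about a car keeping a log of recent entries and exchanged signals can be combined with the Table 5 figures. The following is an added example, not code from the paper: it reviews a constructed entry log against the Model 1 values. The log line format, the microsecond challenge/response timestamps and the use of the spread as a tolerance on either side of the mean are assumptions made for the illustration.

```python
import re

# Baseline for "Model 1", copied from Table 5 (all values in microseconds).
KEY_RESPONSE_US = 1782   # mean key response time
SPREAD_US = 21           # key response time spread (used here as +/- tolerance)
MAX_DELAY_US = 500       # largest added delay the car still accepted

# Constructed sample log; the line format is an assumption for this example.
SAMPLE_LOG = """\
2016-12-03T08:01:12Z unlock challenge_us=1000000 response_us=1001779
2016-12-03T12:40:55Z unlock challenge_us=5000000 response_us=5001790
2016-12-03T18:22:07Z unlock challenge_us=9000000 response_us=9001985
2016-12-03T18:22:09Z start challenge_us=11000000 response_us=11002400
garbled line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>unlock|start) "
    r"challenge_us=(?P<c>\d+) response_us=(?P<r>\d+)$"
)

def classify(latency_us):
    """Compare one challenge-to-response latency with the Table 5 baseline."""
    extra = latency_us - KEY_RESPONSE_US
    if abs(extra) <= SPREAD_US:
        return "within-jitter"      # explained by the key's own spread
    if extra < 0:
        return "early"              # faster than this key was ever measured
    # Later than the spread allows: the car accepts it up to the max delay.
    return "late-accepted" if extra <= MAX_DELAY_US else "beyond-max-delay"

def review(log_text):
    """Return (timestamp, event, latency_us, verdict) for each parsable line."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed entries instead of aborting the review
        latency = int(m["r"]) - int(m["c"])
        findings.append((m["ts"], m["event"], latency, classify(latency)))
    return findings

def suspicious(findings):
    """Entries an analyst should look at: anything outside the key's jitter."""
    return [f for f in findings if f[3] != "within-jitter"]

if __name__ == "__main__":
    for ts, event, latency, verdict in review(SAMPLE_LOG):
        print(f"{ts} {event:<6} latency={latency}us {verdict}")
```

Added delay smaller than the key's own spread is indistinguishable from normal jitter, so such a log bounds the added delay rather than ruling out a relay.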

6 Countermeasures

In this section we discuss countermeasures against relay attacks on PKES systems. We first describe immediate countermeasures that can be deployed by the car owners. These countermeasures largely reduce the risk of the relay attacks but also disable PKES systems. We then discuss possible mid-term solutions and certain prevention mechanisms suggested in the open literature. We finally outline a new PKES system that prevents relay attacks. This system also preserves the user convenience for which PKES systems were initially introduced.
