
Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars - page 11 / 15







Immediate Countermeasures

Shielding the Key

One obvious countermeasure against relay attacks is to prevent the communication between the key and the car at all times except when the owner wants to unlock the car. Users of PKES-enabled cars can achieve this by placing the car key (fob) within a protective metallic shielding, thus creating a Faraday cage around the key. A small key case lined with aluminum might suffice for this purpose. While the key is in the key case, it would not receive any signals from the car (relayed or direct). When the user approaches the car, he could take the key out of the case and open and start the car using the PKES system. Users who opt for this countermeasure would lose only a little of the convenience of PKES. Similar countermeasures have been proposed to block the possibility of remote reading of RFID tags embedded in e-passports. However, an attacker might be able to increase the reading power sufficiently to overcome the attenuation provided by the protective shield. We note that designing a good Faraday cage is challenging [35]. Still, this countermeasure would make the relay attack very difficult in practice.

Removing the Battery From the Key

Another countermeasure against relay attacks is to disable the active wireless communication abilities of the key. This can be done simply by removing the battery that powers the radio from the key. As a consequence, the UHF radio of the key will be deactivated. The key will then be used in the “dead battery” mode, which is provided by the manufacturers to enable users to open the car when the key battery is exhausted. In this case, the car cannot be opened remotely but only using a physical key (the backup physical key is typically hidden within the wireless key fob). Given that cars that use PKES cannot be started using a physical key, in order to start the car in the “dead battery” mode, the user needs to place the key in close proximity to some predesignated location in the car (e.g., the car Start button). The car then communicates with the key’s passive LF RFID tag using short-range communication. Typically, the range of wireless communication with LF RFID tags is on the order of centimeters, which makes the relay attack more difficult for the attacker; however, depending on the attacker's capabilities, relay from a greater distance cannot be fully excluded. This defense disables the PKES for opening the car, but is still reasonably convenient for starting the car engine. With such a defense, the realization of a relay attack becomes very difficult in


A combination of the two countermeasures would provide the highest protection, but would also be the least convenient for the users. It would essentially reduce the usability of a PKES key to that of the physical key.

6.2 Mid-term Countermeasures

While the previous countermeasures require only simple actions from the car owner and no involvement of the manufacturer, they also significantly reduce the usability of the key system. Here, we present some lightweight modifications that provide better usability. Those modifications would require only simple software or hardware changes to the key system. While they do not address the main cause of the problem, they do provide mitigations that are applicable immediately (by a software update or a key fob exchange or modification).

Software Only Modification

A simple software modification to the Keyless vehicle unit could be provided to allow the user to temporarily disable the PKES. When the user closes the car by pushing the close button on the key fob, the PKES would remain disabled. That is, the car would open (and allow start) only after the user pushes the open button on the key fob. This effectively allows the user to deactivate the passive entry and start by simply pushing the close button. This countermeasure would be used, for example, by a car owner when parking in an unsafe place such as an underground parking or a public place. On the other hand, if the car is closed by pushing the button on the door handle or simply by walking away from the car, the PKES system is used for closing the car and the car would therefore allow passive keyless entry and start.
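The lock-path policy described above, written out as a small state machine. This is an added example, not code from the paper or from any manufacturer; the event names, `car_step`, `passive_unlock_after`, and the choice that the open button re-enables PKES are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical event names; not taken from any real vehicle unit. */
typedef enum { EV_FOB_CLOSE, EV_FOB_OPEN, EV_HANDLE_LOCK,
               EV_WALK_AWAY_LOCK, EV_PASSIVE_REQUEST } event_t;

/* locked: doors locked; pkes_enabled: passive entry and start permitted */
typedef struct { bool locked; bool pkes_enabled; } car_t;
/* Apply one event; returns true if the car was locked and this event opened it. */
bool car_step(car_t *c, event_t ev)
{
    bool was_locked = c->locked;
    switch (ev) {
    case EV_FOB_CLOSE:        /* close button: lock and disable PKES */
        c->locked = true;
        c->pkes_enabled = false;
        return false;
    case EV_HANDLE_LOCK:
    case EV_WALK_AWAY_LOCK:   /* PKES itself locked the car: it stays enabled */
        c->locked = true;
        c->pkes_enabled = true;
        return false;
    case EV_FOB_OPEN:         /* open button: unlock; re-enabling PKES is assumed */
        c->locked = false;
        c->pkes_enabled = true;
        return was_locked;
    case EV_PASSIVE_REQUEST:  /* valid key response; direct or relayed looks the same */
        if (!c->pkes_enabled) return false;  /* refused until the open button is used */
        c->locked = false;
        return was_locked;
    }
    return false;
}

/* Replays evs on an unlocked car, then reports whether a passive request opens it. */
bool passive_unlock_after(const event_t *evs, int n)
{
    car_t c = { .locked = false, .pkes_enabled = true };
    for (int i = 0; i < n; i++) car_step(&c, evs[i]);
    return car_step(&c, EV_PASSIVE_REQUEST);
}

int main(void)
{
    const event_t fob[] = { EV_FOB_CLOSE }, handle[] = { EV_HANDLE_LOCK };
    printf("passive unlock after fob close: %d, after handle lock: %d\n",
           passive_unlock_after(fob, 1), passive_unlock_after(handle, 1));
    return 0;
}
```

The gate sits in the vehicle unit, so it holds regardless of how the key's response reached the car; it only protects a car that was locked with the close button.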

Access Control Restrictions

At least one car model enforced a stricter policy. For example, the car would quickly stop sending signals after the door handle was pulled out without detecting the presence of a key. While this does not prevent the relay attack, it forces the attacker to be well prepared and synchronized: the door handle needs to be pulled out when the key holder passes in front of the relaying antenna.

In several cases, on this car model, the alarm was triggered and it was possible to disable it only by pushing the open button on the key fob. This is certainly a deterrent to a thief. However, this again does not prevent the attack from succeeding.

Hardware Modification

Adding a simple switch to the key would produce a similar countermeasure to that of removing the battery from the key fob. This switch would disconnect the internal battery, allowing the user to temporarily disable the PKES functionality of the key, while keeping the convenience of PKES. Variants of this modification would keep the possibility to use the active open (i.e., opening the car by pushing the button on the key fob) while deactivating only the passive entry.
