
Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars - page 3 / 15






[Figure 1 diagram, message flow between car and key. (a) Car: periodic probing for a key; 1. Wake up (LF); key, if in range: 2. Ack (UHF); car: challenge the key; 3. Car ID with challenge (LF); key, if Car ID correct: 4. Key response (UHF); car: if correct, open the car. (b) Car: periodic probing for a key; 1. Car ID with challenge (LF); key, if in range and if Car ID correct: 2. Key response (UHF); car: if correct, open the car.]


Figure 1. Examples of Passive Keyless Entry System protocol realizations. a) In a typical realization, the car periodically probes the channel for the presence of the key with short beacons. If the key is in range, a challenge-response protocol between the car and key follows to grant or deny access. This is energy efficient given that key detection relies on very short beacons. b) In a second realization, the car periodically probes the channel directly with larger challenge beacons that contain the car identifier. If the key is in range, it directly responds to the challenge.

car, the key wakes up the microcontroller, demodulates the challenge, computes a response message and replies back on the LF channel. This mode of operation requires close proximity between key and car because the key has to harvest energy from the car to function and the decrease of intensity of the magnetic field is inversely proportional to the cube of the distance.

2.3 Passive Keyless Entry Systems

The first proposal that describes Passive Keyless Entry Systems (PKES) appeared in [46]. In that work, the authors proposed a system that automatically unlocks the vehicle when the user carrying the key approaches the vehicle and locks the vehicle when the user moves away from the vehicle. The system is referred to as 'Passive' as it does not require any action from the user. The communication between the key and car is characterized by a magnetically coupled radio frequency signal. In this system, the car concludes that the key is in close proximity when it is 'in the car's communication range'.

A PKES car key uses an LF RFID tag that provides short range communication (within 1-2 m in active and a few centimeters in passive mode) and a fully-fledged UHF transceiver for longer range communication (within 10 to 100 m). The LF channel is used to detect if the key fob is within regions Inside and Outside of the car. Figure 2(b) shows the areas in proximity of the car that must be detected in order to allow a safe and convenient use of the PKES system. The regions are as follows.

  • Remote distance to the car (typically up to 100 m). Only opening/closing the car by pushing a button on the key fob is allowed.

  • Outside the car, but at a distance of approximately 1 - 2 m from the door handle. Opening/closing the car by using the door handle is allowed.

  • Inside the car. Starting the engine is allowed.

The PKES protocols vary depending on the manufacturer. Typically two modes of operation are supported, namely normal and backup mode. The normal mode relies on a charged and working battery, while the backup mode operates without a battery (e.g., when the battery is exhausted). The locations and authorizations of the two modes are summarized in Table 2.

Figure 1 shows two example realizations of car opening in a normal mode. The car sends beacons on the LF channel either periodically or when the door handle is operated. These beacons could be either short wake-up messages or larger challenge messages that contain the car identifier. When the key detects the signal on the LF channel, it wakes up the microcontroller, demodulates the signal and interprets it. After computing a response to the challenge, the key replies on the UHF channel. This response is received and verified by the car. In the case of a valid response the car unlocks the doors. Subsequently, in order to start the car engine, the key must be present within the car (region Inside in Figure 2(b)). In this region, the key receives different types of messages that when replied will inform the car that the correct key is within the car itself. The car will then allow starting the engine. It should be noted that in normal mode the LF channel is only used to communicate from the car to the [...] amount of energy.
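The two normal-mode realizations of Figure 1, as an added simulation that is not code from the paper. HMAC-SHA256 over a random nonce stands in for the response computation, which the page does not specify; the class names, message fields and range constants are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

LF_RANGE_M = 2.0     # page: LF reaches about 1-2 m in active mode
UHF_RANGE_M = 100.0  # page: UHF reaches about 10-100 m

class Key:
    def __init__(self, car_id, secret):
        self.car_id, self.secret = car_id, secret

    def on_lf(self, msg):
        """Handle one LF message from the car; return the UHF reply or None."""
        if msg["type"] == "wake_up":
            return {"type": "ack"}
        if msg["type"] == "challenge" and msg["car_id"] == self.car_id:
            mac = hmac.new(self.secret, msg["nonce"], hashlib.sha256).digest()
            return {"type": "response", "mac": mac}
        return None  # challenge for another car: stay silent

class Car:
    def __init__(self, car_id, secret):
        self.car_id, self.secret = car_id, secret

    def _exchange(self, key, distance_m, lf_msg, log):
        # LF downlink car->key, UHF uplink key->car, each limited by its range.
        log.append(("LF", lf_msg["type"]))
        if distance_m > LF_RANGE_M:
            return None
        reply = key.on_lf(lf_msg)
        if reply is None or distance_m > UHF_RANGE_M:
            return None
        log.append(("UHF", reply["type"]))
        return reply

    def probe(self, key, distance_m, realization="a"):
        """Run one probing round; return (unlocked, message log)."""
        log = []
        if realization == "a":  # short beacon first, challenge only after the ack
            if self._exchange(key, distance_m, {"type": "wake_up"}, log) is None:
                return False, log
        nonce = os.urandom(16)  # fresh challenge for every round
        chal = {"type": "challenge", "car_id": self.car_id, "nonce": nonce}
        reply = self._exchange(key, distance_m, chal, log)
        if reply is None:
            return False, log
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(reply["mac"], expected), log
```

The `distance_m` parameter models only how far each channel reaches; the car's unlock decision rests on receiving a valid response, which is how the page describes proximity being inferred.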








In backup mode, e.g., when the battery is exhausted, the user is still able to open and start his car. The manufacturers
