Figure 3. The relay with antennas, cables and an (optional) amplifier.
presented are modulating and demodulating the signal, in other words they often rely on fake reader and a fake RFID tag. n obvious advantage of such attacks is that they can be performed with commercial off-the-shelf (COTS) hard- ware. The same setup can also be used to perform replay or message forging. However, this approach has several draw- backs. First, modulation and demodulation significantly in- creases the response time of the attack; this extra time could be detected and used as a proof of the presence of a relay. Second, such a realization is dependent on the modulation and encoding of the signal, which makes the relay specific to some key model. Both drawbacks are avoided in our de-
message over the UHF channel. The message sent by the key will depend on what was originally sent by the car. The car will send open command to the key from the outside antennas and the start command form the inside antennas. Therefore, the attacker (e.g., car thief) first needs to present the relaying antenna in front of the door handle such that the key will send the open signal. Once the door is unlocked, the attacker brings the relaying antenna inside the car and after he pushes the brakes pedal or the start engine button the car will send the start message to the key. In both cases the key answers on UHF and the action (open or start) is
sign and implementation of the relay attack.
3.3 Relay Over-The-
3.2 Relay Over-Cable ttack
In order to perform this attack, we used a relay (Figure 3) composed of two loop antennas connected together with a cable that relays the LF signal between those two antennas.
n optional amplifier can be placed in the middle to im- prove the signal power. When the loop antenna is presented close to the door handle, it captures the car beacon signal as a local magnetic field. This field excites the first antenna of the relay, which creates by induction an alternating sig- nal at the output of the antenna. This electric signal is then transmitted over the coaxial cable and reaches the second antenna via an optional amplifier. The need for an ampli- fier depends on several parameters such as the quality of the antennas, the length of the cable, the strength of the orig- inal signal and the proximity of the relaying antenna from the car’s antenna. When the relayed signal reaches the sec- ond antenna of the cable it creates a current in the antenna which in turn generates a magnetic field in the proximity of the second antenna. Finally, this magnetic field excites the antenna of the key which demodulates this signal and recovers the original message from the car. In all the pas- sive keyless entry systems we evaluated, this is sufficient to make the key sending the open or the start authorization
Relaying over a cable might be inconvenient or raise sus- picion. For example, the presence of walls or doors could prevent it. We therefore design and realize a physical layer relay attack over the air. Our attack relays the LF signals from the car over a purpose-built RF link with minimal de- lays. The link is composed of two parts, the emitter and the receiver. The emitter captures the LF signal and up- converts it to 2.5 GHz. The obtained 2.5 GHz signal is then amplified and transmitted over the air. The receiver part of the link receives this signal and down-converts it to ob- tain the original LF signal. This LF signal is then amplified again and sent to a loop LF antenna which reproduces the signal that was emitted by the car in its integrity. The proce- dure for opening and starting the engine of the car remains the same as discussed above.
Using the concept of analog up and down conversion al- lows the attacker to reach larger transmission/reception re- lay distances, while at the same time it keeps the size, the power consumption and the price of the attack very low (see Section 3.4) 3.
3It could be possible to transmit in the LF band over a large distance. However this would require large antennas and a significant amount of power.