Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

[Figure 4: block diagram. Car side: the 130 kHz LF signal is picked up by an antenna placed < 30 cm from the car, amplified and filtered, fed to a 2.5 GHz signal generator and transmitted from a 2.5 GHz antenna. The signal is relayed at 2.5 GHz over ~100 m. Key side: a 2.5 GHz antenna and signal generator down-convert it, the result is amplified and filtered again, and the 130 kHz signal is re-emitted towards the key from up to 8 m away.]

Figure 4. Simplified view of the attack relaying LF (130 kHz) signals over the air by upconversion and downconversion. The relay is realized in analog to limit processing time.

3.4 Experimental Relay Results

Some measurement results on the delay versus distance are reported in Table 3 for both relay attacks.

In the cable LF relay, the delay is primarily introduced by the wave propagation speed in solid coaxial cables, which is approximately 66% of the speed in the air. The delay of our amplifier is of the order of a few nanoseconds. In the wireless LF relay, our measurements show a delay of approximately 15 - 20 ns in both emitter and receiver circuitries, the remaining delay being due to the distance between the antennas, i.e., approximately 100 ns for 30 m. Therefore, for larger distances, the over-the-air relay should be preferred in order to keep the delay as low as possible. To compute the total delay of the relay attack, i.e., including both the LF and UHF links, we must add the UHF car-key communication, which propagates at the speed of light and therefore depends only on the distance [4].
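The delay budget described above, worked through as an added example (not the paper's own code): it uses the page's figures (coax propagation at 66% of free-space speed, about 100 ns per 30 m over the air) and assumes 3 ns for the cable amplifier and 20 ns per wireless emitter/receiver stage, both stated as assumptions. It computes the crossover distance at which the over-the-air relay becomes the lower-latency option, which is also the order of latency a distance-bounding check in the car would have to resolve.

```python
# Added example, not from the paper: relay delay budget built from the numbers
# reported in Section 3.4. Assumed values are marked as such.

C_M_PER_NS = 0.299792458       # speed of light in free space, metres per nanosecond
COAX_VELOCITY_FACTOR = 0.66    # coax propagation is ~66% of free-space speed (page)
CABLE_AMP_DELAY_NS = 3.0       # "a few nanoseconds" of amplifier delay; 3 ns is an assumption
AIR_CIRCUIT_DELAY_NS = 20.0    # ~15-20 ns per emitter/receiver stage; 20 ns per side assumed


def cable_relay_delay_ns(lf_distance_m: float) -> float:
    """LF relay over coaxial cable: propagation at 0.66 c plus the amplifier."""
    return lf_distance_m / (COAX_VELOCITY_FACTOR * C_M_PER_NS) + CABLE_AMP_DELAY_NS


def air_relay_delay_ns(lf_distance_m: float) -> float:
    """LF relay over the 2.5 GHz link: emitter and receiver circuitry plus the
    free-space path (about 100 ns for 30 m, matching the paper's measurement)."""
    return 2 * AIR_CIRCUIT_DELAY_NS + lf_distance_m / C_M_PER_NS


def total_relay_delay_ns(lf_distance_m: float, uhf_distance_m: float, mode: str) -> float:
    """Total added delay: the LF relay plus the UHF key-to-car link, which travels
    at the speed of light. Car and key processing delays are the same as in the
    non-adversarial setup and are therefore not added (footnote 4)."""
    relay = {"cable": cable_relay_delay_ns, "air": air_relay_delay_ns}[mode]
    return relay(lf_distance_m) + uhf_distance_m / C_M_PER_NS


def crossover_distance_m() -> float:
    """Antenna separation beyond which the over-the-air relay has lower delay
    than the cable relay: a fixed circuit cost (2 x 20 ns) against coax's
    slower per-metre propagation."""
    per_m_cable = 1 / (COAX_VELOCITY_FACTOR * C_M_PER_NS)
    per_m_air = 1 / C_M_PER_NS
    return (2 * AIR_CIRCUIT_DELAY_NS - CABLE_AMP_DELAY_NS) / (per_m_cable - per_m_air)


if __name__ == "__main__":
    for d in (5, 10, 30, 60):
        print(f"{d:3d} m  cable {cable_relay_delay_ns(d):6.1f} ns   air {air_relay_delay_ns(d):6.1f} ns")
    print(f"over-the-air relay is faster beyond ~{crossover_distance_m():.1f} m")
```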

Figure 5(b) shows the part of the wireless relay that receives messages from the car. Signals are received using the white loop antenna (right in the picture). This antenna must be positioned near the car's emitting antennas, for example at the door handle or the start button (Figure 6), in order to obtain a good signal from the car. This signal is amplified, up-converted and retransmitted at 2.5 GHz with a dipole antenna (black, in front of the image).

[4] The processing delays at the car and the key do not need to be added, as they do not change from the non-adversarial setup.

Figure 5(a) shows the receiver side of the over-the-air relay, which should be placed in the proximity of the key. The antenna (in front) receives the relayed 2.5 GHz signal, and a down-conversion setup extracts the original car signal, which is then relayed to the key using a loop antenna. While the setup in these pictures is built from experimental equipment, it could easily be reduced to two small and portable devices.

4 Experimental Evaluation on Different Car Models

Both setups presented above were initially tested successfully on a few different car models. To further evaluate the generality of the attack, we tested it on 10 cars, on which we ran several experiments. The cars were either rented on purpose or the experiments were performed with the agreement of the car owners. In one case, a car manufacturer representative offered to let us evaluate the attack on a car he made available to us. In another case, a car owner who had recently had a similar car stolen asked us to evaluate his second car's PKES. The aftermarket PKES system was bought and analyzed for the purpose of our experiments for about $200. Finding other car models for testing was not always easy. In some cases, we were able to rent cars or found volunteers through personal relationships. The tested car models cover a wide range of types and prices as follows: 2 models in SUV class, 4 executive or luxury class [5]

[5] Including one after-market PKES.
