Figure 5. Experimental wireless relay setup: (a) key side; (b) car side.
Table 3. Distance vs. relay link delay. The measured delays are for the LF channel only. The UHF link delay is based on direct car-key communication and assumes wave propagation at the speed of light; it should be added to obtain the total relay delay.

|              | Relay over cable                               | Relay over cable                                        | Wireless relay                                                   |
|--------------|------------------------------------------------|---------------------------------------------------------|------------------------------------------------------------------|
| Distance (m) | 30                                             | 60 (1)                                                  | 30 (2)                                                           |
| Delay (ns)   | 160 (±20)                                      | 350 (±20)                                               | 120 (±20)                                                        |
| Remarks      | Opening and starting the engine works reliably | With some cars signal amplification is not required     | Opening of the car is reliable, starting of the engine works     |

(1) With an amplifier between two 30 m cables.
(2) Tested distance. Longer distances can be achieved.
(>50K$) cars, 1 minivan and 2 cars in the compact class (<30K$). We had two different models for only two of the tested manufacturers. During the evaluation of the 10 different PKES systems, we observed that all of them differ in their implementation. We also noticed that even if they rely on the same general idea and similar chips, the overall system behaves differently for each model⁶. The differences were found in timings (as shown below), modulation and protocol details (e.g., number of exchanged messages, message length). Only the aftermarket system was obviously not using any secure authentication mechanism.
When possible, on each car we measured the achievable relay distances, the maximum acceptable delay, and the key response time and its spread.
4.1 Distance Measurements
In order to validate the feasibility of the attack in practice, we tested several distances for the cable relay. This allows us to evaluate the possible attack setup: a longer relay distance over the cable allows the thief to act when the car owner is relatively far from his car, reducing the chances of detection. We further measured the distance from the relaying antenna to the key; a longer distance makes the attack easier (e.g., it avoids raising the suspicion of the user).
The cable relay was performed with off-the-shelf coaxial cables. We built two 30 m cables that we combined for the 60 m relay tests. We used a set of antennas: two small, simple home-made antennas, and a large antenna⁷ for an improved antenna-key range. We performed the attacks with these antennas both with and without amplification. If the LF signal near the car was weak, we used a 10 mW low-noise amplifier to increase the signal level. To further improve the key-to-antenna range, we used a power amplifier with a nominal power of 2 to 5 W.
The results of those experiments are shown in Table 4. The relays over the 3 cable lengths were always successful when we were able to test them. Furthermore, only in a few cases did we have to use an amplifier; in most cases the signal received on the collecting antenna was strong enough to perform the relay over the cable without any amplification.
However, without amplification at the key-side relay antenna, the key could only be excited from a few centimeters up to 2 m. With a power amplifier, we were able to
⁶ This remains true for the models from the same manufacturers.
⁷ Antenna size 1.0 x 0.5 m, Texas Instruments RI-ANT-G04E.