(a) Loop antenna placed next to the door handle.
(b) Starting the engine using the relay.
Figure 6. The relay attack in practice: (a) opening the door with the relay; (b) starting the car with the relay. In the foreground, the attacker with the loop antenna starts the car; in the background is the table (about 10 meters away) with the receiver side (Figure 5(a)) of the wireless relay and the key. The emitter side (Figure 5(b)) of the wireless relay is not shown in this picture.
achieve a range between 2 and 8 m (with the key fob in the person’s pocket, which corresponds to the typical key placement). We note that the distance achieved between the relay antenna and the key depends on the strength of the collected signal from the car side and the sensitivity of the key. On the car side, the signal strength depends on the sensitivity of our antenna and its placement as close as possible to the car’s antennas. The differences in the distances between the vehicles for the open or start actions are likely to depend on the signal level at which the key accepts the messages⁸. Finally, the values reported here show that the attack is practical, as the key can be activated up to 8 meters away from the antenna and the distance from the key to the car can be extended up to 60 meters. It is likely that using more powerful amplifiers would only further increase these distances.
4.2 Maximum Acceptable Delay
In order to know the maximum theoretical distance of a physical layer relay we computed for each tested PKES the maximum acceptable delay by relaying LF messages with a variable delay. For this purpose we used a USRP1 from Ettus Research with LFRX and LFTX boards. This allowed us to receive and send messages at 135 KHz. However, we found that the minimal processing delay achievable by this software radio platform was between 10 and 20 ms. This proved to be too slow on all but one PKES we tested.
The delay in a software defined radio device is mainly due to buffering and sending data over the USB to (resp. from) the computer for processing and the software processing. To reduce this delay we modified the USRP FPGA to bypass the RX (resp. TX) buffers and the communications with the computer. With this modification and appropriate configuration of the USRP the digitized signals were directly relayed by the FPGA from the receiving path to the transmitting path. We experimentally measured the resulting minimal delay to be 4 µs. To insert an additional, tunable, delay we added a FIFO between the RX and TX path. Changing the depth of this FIFO, and the decimation rate, allowed us to accurately test delays between 4 µs and 8 ms. However, the memory on the FPGA was limited which limited the FIFO depth and the maximal delay achievable. To achieve delays above 8 ms we had to use an unmodified USRP with a tunable delay in software. This allowed us to increase delay above 8 ms but with less maximum delay precision.
Table 5 shows the measured maximum delays on the vehicles on which we were able to make those tests.
delays allow messages to be relayed over large distances with a physical-layer relay. The maximum delays were measured to be between 35 µs and tens of ms depending on the car model. This leads to a theoretical distance of a physical relay over-the-air between 10 and 3000 km⁹. Additionally, the models with higher tolerance to delays would allow relays at higher levels than the physical layer, i.e. relays that demod-
⁸ This level can be set by a configuration parameter on some chips.
⁹ And from 7 to 2000 km with a physical relay over a cable.
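
The distance figures above follow from multiplying the tolerated delay by the propagation speed. The following is an added example, not code from the paper: it reproduces those figures and also subtracts the relay's own processing delay, which is why a 10 to 20 ms software radio cannot relay to a car that tolerates only 35 µs. The 0.66 cable velocity factor, the 10 ms value standing in for "tens of ms", and all function names are assumptions.

```python
"""Relay distance implied by a PKES delay tolerance (added illustration)."""

C = 299_792_458.0             # speed of light in vacuum, m/s
CABLE_VELOCITY_FACTOR = 0.66  # assumption: typical coaxial cable

def max_relay_distance_m(max_delay_s, relay_delay_s=0.0, velocity_factor=1.0):
    """Longest one-way relay link that still fits inside the car's delay tolerance.

    The relay's own processing delay is spent before any propagation,
    so only the remainder of the budget converts into distance.
    """
    budget = max_delay_s - relay_delay_s
    if budget <= 0:
        return 0.0  # relay is slower than the car tolerates: no link fits
    return budget * C * velocity_factor

def delay_limit_for_distance_s(max_distance_m, velocity_factor=1.0):
    """Defender's view: delay tolerance that caps the link at max_distance_m."""
    return max_distance_m / (C * velocity_factor)

# Delay tolerances from the text; 10 ms stands in for "tens of ms" (assumption).
TOLERANCES_S = {"35 us": 35e-6, "10 ms": 10e-3}
# Relay processing delays from the text: modified FPGA path and the lower
# bound of the unmodified software radio (10 to 20 ms).
RELAYS_S = {"ideal": 0.0, "FPGA bypass (4 us)": 4e-6, "unmodified SDR (10 ms)": 10e-3}

def distance_table():
    """Rows of (tolerance, relay, km over the air, km over cable)."""
    rows = []
    for tol_name, tol in TOLERANCES_S.items():
        for relay_name, relay in RELAYS_S.items():
            air = max_relay_distance_m(tol, relay) / 1000
            cable = max_relay_distance_m(tol, relay, CABLE_VELOCITY_FACTOR) / 1000
            rows.append((tol_name, relay_name, round(air, 1), round(cable, 1)))
    return rows

if __name__ == "__main__":
    for row in distance_table():
        print("tolerance %-6s relay %-22s air %8.1f km  cable %8.1f km" % row)
    print("limit for a 100 m cap: %.0f ns" % (delay_limit_for_distance_s(100) * 1e9))
```

The inverse function shows the scale a countermeasure has to work at: capping the relayed link at 100 m means tolerating only about a third of a microsecond of added delay.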