Half of all new cars sold in the U.S. have keyless entry as a standard feature. It’s convenient, but it leaves your car wide open to thieves to either break in or drive the car away, using nothing but a $17 amplification device and a small loop antenna. You can defeat thieves, but it isn’t as easy as putting the key in the freezer, like some urban myths suggest.
Researchers from ADAC (General German Auto Club), the world’s largest automobile club, managed to start and drive away in models with keyless entry from 24 different brands. “The radio connection between keys and car can easily be extended over several hundred meters, [r]egardless of whether the original key is, for example, at home or in the pocket of the owner,” reads the study, originally in German, translated through Google Translate.
Passive Keyless Entry and Start (PKES) or “Smart Key” systems have been around since 1999, and in the last five years have become standard equipment on millions of cars. A quick search of the BestRide database reveals 1.5 million cars for sale right now equipped with Smart Key technology. ADAC tested more than 20 cars, most of which are available in the United States. A full list of cars the club opened and drove away appears below.
Once the car is running, thieves can drive it away as far as a tank of fuel will take them, according to ADAC. “[I]t runs without a key as long as fuel is in the tank, or until the engine stalls or off. Even refueling with the engine running is possible,” extending the range of a stolen car indefinitely.
According to Aurelien Francillon, Boris Danev, and Srdjan Capkun, who authored the study Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars, Smart Key systems on all modern automobiles work in similar ways. The car uses a low frequency radio-frequency identification (RFID) tag that provides short range communication (one to two meters in active mode, and just a few centimeters in passive mode) to allow the key and the car to communicate, verify that the key is the right one for that car, and allow the car to start.
The systems also use a “fully-fledged UHF transceiver” for longer range communication — usually between 10 and 100 meters. That allows the key fob to communicate with the door lock, unlock and panic functions when the user is further away, allowing them to lock and unlock the car from inside the house, for example. It also allows remote start functions from your office to the parking lot.
What most people don’t realize is that the system is always on, always working, and always communicating. The car sends short beacons via the low-frequency channel. These beacons are short “wake-up” messages that simply verify that the key and the car are capable of communicating. More complicated “challenge messages” go back and forth when someone tries to operate the door handle, which is where the system’s security begins to break down.
In older remote lock and unlock features, you pressed a button to unlock the door. If you didn’t have the button to press, the door wouldn’t unlock. End of story. Yes, it was possible for thieves to unlock the door by intercepting and storing a code, but it meant a thief would need to be near the car when the key was operated.
With modern Smart Key systems, though, pressing a button isn’t necessary. The key just has to be within a certain proximity to allow someone yanking on the door handle to enter.
No problem, right? The key is safely hanging on your key hook inside the house, 50 meters past the maximum range, and even if thieves gain entry, the key would need to be within a couple of meters of the start button to start the car.
Not so fast. What Francillon, Danev, and Capkun discovered in their study was that a relatively small electronic amplifier could not only increase the range of the key allowing entry, but increase the range of the key allowing it to start. “Our attack does not need to interpret, nor to modify the signal,” reads the study. “It is completely transparent to most security protocols designed to provide authentication or secrecy of the messages…Even if a PKES system uses strong cryptography…it would still be vulnerable.”
The study describes two different types of attack. The first is “Relay-Over-Cable”: “In order to perform this attack, we used a relay composed of two loop antennas connected together with a cable that relays the [low frequency] signal between those two antennas. An optional amplifier can be placed in the middle to improve the signal power. When the loop antenna is presented close to the door handle, it captures the car beacon signal as a local magnetic field. This field excites the first antenna of the relay, which creates by induction an alternating signal at the output of the antenna. This electric signal is then transmitted over the coaxial cable and reaches the second antenna via an optional amplifier. The need for an amplifier depends on several parameters such as the quality of the antennas, the length of the cable, the strength of the original signal and the proximity of the relaying antenna from the car’s antenna.
“When the relayed signal reaches the second antenna of the cable it creates a current in the antenna which in turn generates a magnetic field in the proximity of the second antenna. Finally, this magnetic field excites the antenna of the key which demodulates this signal and recovers the original message from the car.”
Obviously, toting two antennas, a cable and an amplifier around might be cause for suspicion, so the team also developed a “Relay-Over-Air” attack that “allows the attacker to reach larger relay distances, while at the same time it keeps the size, power consumption and price of the attack very low,” down to about $17 by some estimates.
In every Passive Keyless Entry and Start system the team evaluated, their method was enough to make the key send an open or start message via the UHF channel.
The insidious scenario posited by the scientists happens when an unsuspecting driver parks his car in a garage. The driver exits the garage and presses the “Lock” button and gets an audible or visual confirmation that the car is locked. The driver then walks past an antenna, which relays an amplified signal to the car that the key is in range. A thief with a second antenna simply pulls the door handle, enters the car, pushes the start button and drives away.
The video below is in German, but it gives you an idea of how ADAC completed its study:
For safety reasons, once the car is running, it won’t shut off even if the key is out of proximity, and there are several good reasons for that. It’s conceivable, for example, that the driver could start the car with the door open and drop the key in the driveway, out of a jacket pocket. It’s even more likely that the battery in the key fob could die while the car is in motion. Rendering the car inoperable in traffic is highly undesirable.
ADAC’s study included 24 models. Some are not available here in the United States, but 14 are. ADAC researchers were able to unlock and drive off in the following cars:
The study also entered and started models specific to Europe that have identical models in the US:
Nissan Qashqai (twin to the Nissan Rogue)
The countermeasures for such an attack are inconvenient at best, and ineffective at worst. The scientists suggest that removing the battery from the key will render an attack harmless, but it’s also the most inconvenient solution for the user.
Some reporters have suggested storing the key in a freezer, but that countermeasure is ineffective, since the signal amplification is sufficient to overcome the attenuation provided by a metal box. “We note that designing a good Faraday cage is challenging,” the study concludes.
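To make the study’s two points concrete (a relay only forwards bytes and never needs to understand them, so strong challenge-response cryptography does not help, whereas a fob with no battery simply cannot answer), here is an added Python model. It is not code from this article or from the ADAC or Francillon/Danev/Capkun studies; the HMAC challenge-response protocol, the 2 m low-frequency range, the distances and the shared secret are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Reach of the car's low-frequency channel: the article says one to two
# meters, so the model assumes 2 m (a constructed round figure).
LF_RANGE_M = 2.0

class Key:
    """Key fob: answers the car's challenge with an HMAC keyed by the shared secret."""
    def __init__(self, secret: bytes, battery_in: bool = True) -> None:
        self.secret = secret
        self.battery_in = battery_in  # pulling the battery silences the fob
    def respond(self, challenge: bytes) -> Optional[bytes]:
        if not self.battery_in:
            return None
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()

class Car:
    """Car side: emits a fresh random challenge and verifies the answer."""
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
    def challenge(self) -> bytes:
        return secrets.token_bytes(16)
    def accept(self, challenge: bytes, response: Optional[bytes]) -> bool:
        if response is None:
            return False
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

class Relay:
    """Two antennas and a cable: forwards frames byte-for-byte, never parses them."""
    def __init__(self) -> None:
        self.frames_forwarded = 0
    def forward(self, key: Key, frame: bytes) -> Optional[bytes]:
        self.frames_forwarded += 1
        return key.respond(bytes(frame))  # same bytes in, same bytes out

def attempt_start(car: Car, key: Key, key_distance_m: float,
                  relay: Optional[Relay] = None) -> bool:
    """One handle pull or start press: the key hears the LF challenge only within LF_RANGE_M, unless a relay bridges the gap."""
    chal = car.challenge()
    if key_distance_m <= LF_RANGE_M:
        resp = key.respond(chal)
    elif relay is not None:
        resp = relay.forward(key, chal)
    else:
        resp = None  # challenge never reaches the key
    return car.accept(chal, resp)
```

The relay holds no secret and never decodes a frame, which is why a wrong fob still fails while the right fob 50 m away succeeds; only a fob that cannot transmit at all (battery out) stops the start.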
You probably do have at least one Faraday cage in your home. It’s called a “microwave oven,” which has one as a means of keeping radiation inside. The problem is that leaving a metal key in the microwave with other people in the house could result in frying the key to oblivion when somebody goes to heat up a corn muffin. (Don’t try this at home, dummies).
You can buy an 8″x8″ Faraday bag for about seven bucks.