International Association for Cryptologic Research


Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

Aurelien Francillon
Boris Danev
Srdjan Capkun
Abstract: We demonstrate a relay attack on Passive Keyless Entry and Start (PKES) systems used in modern cars. The attack allows the attacker to enter and start a car by relaying messages between the car and the smart key. We build two attack realizations, wired and wireless physical layer relays, demonstrating that this attack is both practical and inexpensive. We further show that, for the attack to work, it is sufficient that the attacker's devices are placed within a meter from both the key and the car. Moreover, on the cars we tested, relaying the signal in one direction only (from the car to the key) is sufficient as the responses of the key are transmitted in UHF, which has a longer range. As the signals are relayed at the physical layer, the attack is completely independent of the modulation scheme, protocols, or the presence of strong authentication and encryption. We demonstrate the attack on recent car models from different manufacturers. Our attack works for a set of PKES systems that we evaluated and whose operation is described in this paper. However, given the generality of the relay attack, it is likely that PKES systems based on similar designs are also vulnerable to the same attack. In this work, we further propose simple countermeasures that minimize the risk of relay attacks and that can be immediately deployed by the car owners; however, these countermeasures also disable the operation of the PKES systems. Finally, we discuss countermeasures against relay attacks that were suggested in the open literature and we sketch a new PKES system that prevents relay attacks. This system preserves convenience of use, for which PKES systems were initially introduced.
  title={Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars},
  booktitle={IACR Eprint archive},
  keywords={implementation / cryptographic protocols},
  note={ 14774 received 4 Jun 2010, last revised 14 Jun 2010},
  author={Aurelien Francillon and Boris Danev and Srdjan Capkun},