Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

Modern cars embed complex electronic systems in order to improve driver safety and convenience. Areas of significant public and manufacturer interest include access to the car (i.e., entry in the car) and authorization to drive (i.e., start the car). Traditionally, access and authorization have been achieved using physical key and lock systems, where by inserting a correct key into the door and ignition locks, the user was able to enter and drive the car. In the last decade, this system has been augmented with remote access in which users are able to open their car remotely by pressing a button on their key fobs. In these systems, the authorization to drive was still mainly enforced by a physical key and lock system. Physical keys also often embedded immobilizer chips to prevent key copying.

Sasa, this full document demonstrates relay attacks on Passive Keyless Entry and Start (PKES) systems used in modern cars. We build two efficient and inexpensive attack realizations, wired and wireless physical-layer relays, that allow the attacker to enter and start a car by relaying messages between the car and the smart key. Our relays are completely independent of the modulation, protocol, or presence of strong authentication and encryption. We perform an extensive evaluation on 10 car models from 8 manufacturers. Our results show that relaying the signal in one direction only (from the car to the key) is sufficient to perform the attack while the true distance between the key and car remains large (tested up to 50 meters, non line-of-sight).
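Added example (not from the paper or from this page): a small Python model of why a relay that forwards the signal unchanged is unaffected by strong authentication, and of a round-trip time bound that does tell a nearby key from a relayed one. The HMAC challenge-response, the 1 microsecond key processing time, the 20 ns relay delay and the 2 m bound are constructed assumptions, not details of any real PKES system.

```python
import hashlib
import hmac
import os

C = 299_792_458.0  # speed of light in m/s

class SmartKey:
    """Key fob: answers a challenge with an HMAC under the shared secret."""
    def __init__(self, secret, processing_s):
        self.secret = secret
        self.processing_s = processing_s  # constructed fixed reply delay

    def respond(self, challenge):
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()

def exchange(key, challenge, distance_m, relay_delay_s=0.0):
    """One challenge/response; returns (response, round-trip seconds).
    The relay forwards the signal unchanged, so the bytes are identical
    with or without it; only the elapsed time differs."""
    response = key.respond(challenge)
    rtt = 2 * distance_m / C + key.processing_s + relay_delay_s
    return response, rtt

class Car:
    def __init__(self, secret, key_processing_s, max_distance_m=None):
        self.secret = secret
        # Hypothetical time bound: the reply must arrive within the round
        # trip for max_distance_m plus the key's known processing time.
        self.max_rtt = (None if max_distance_m is None
                        else 2 * max_distance_m / C + key_processing_s)

    def accepts(self, key, distance_m, relay_delay_s=0.0):
        challenge = os.urandom(16)  # fresh nonce per attempt
        response, rtt = exchange(key, challenge, distance_m, relay_delay_s)
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()
        auth_ok = hmac.compare_digest(response, expected)
        time_ok = self.max_rtt is None or rtt <= self.max_rtt
        return auth_ok and time_ok

def demo():
    secret, proc = os.urandom(32), 1e-6  # constructed values
    key = SmartKey(secret, proc)
    crypto_only = Car(secret, proc)
    time_bounded = Car(secret, proc, max_distance_m=2.0)
    return {"crypto_only_nearby": crypto_only.accepts(key, 1.0),
            "crypto_only_relayed_50m": crypto_only.accepts(key, 50.0, 20e-9),
            "time_bounded_nearby": time_bounded.accepts(key, 1.0),
            "time_bounded_relayed_50m": time_bounded.accepts(key, 50.0, 20e-9)}
```

The time bound only works in this model because the key's processing time is fixed and known to the car; any variation in that delay larger than the propagation difference would hide the extra distance.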