Many of today’s cars have upgraded from the old RKE (remote keyless entry) keyfob to PKE (passive keyless entry) system making it more convenient for end users. A car equipped with the PKE system allows the driver to unlock the car by being in proximity of the vehicle or by touching the handle of the door while in possession of the keyfob. In addition, PKE equipped vehicles can be started and driven without the driver inserting the key into the keyhole manually. (For a better understanding of PKE systems, have a read through these papers: http://www.nxp.com/documents/leaflet/75017275.pdf and https://eprint.iacr.org/2010/332.pdf)
PKE systems use both low frequency and high frequency radio links to perform two-way authentication. We have implemented a relay attack using two very low cost radios and have extended the range further than any previous research. We have already extended the attack range to a few hundred meters and can unlock your car in the parking lot while your keyfob is your pocket on the top floor of your office building, or drive your car away while you are in the mall. We are currently exploring the ability to further extend this attack by relaying the signals across the Internet.
Our talk will cover the methodology we used in developing the attack, the hardware we built and code we wrote for it.