[LINK] Thieves using a $17 power amplifier to break into cars with remote keyless systems

David Lochrin dlochrin at d2.net.au
Wed Apr 22 14:55:20 AEST 2015

On 2015-04-22 13:31 Jim Birch wrote:

>> However I could imagine a break-in device which simply recorded the response when the owner was nearby and played it back when they were away, a form of man-in-the-middle attack.
> Does that mean there is no challenge/response protocol in this system?
> Hard to believe - except that even more pissweak security mechanisms seem to be regularly attempted by people who should know better. I guess nothing happens until the proximity sensor changes from a selling feature to a do-not-buy feature.

A challenge-response scheme would require the owner to get out the key and do something ("what you know") which would defeat the whole purpose.

There's a good Wikipedia article at http://en.wikipedia.org/wiki/Smart_key if anyone has the time & interest.

In 2005, the UK motor insurance research expert Thatcham introduced a standard for keyless entry, requiring the device to be inoperable at a distance of more than 10 cm from the vehicle.[2] In an independent test, the Nissan Micra's system was found to be the most secure, while certain BMW and Mercedes keys failed, being theoretically capable of allowing cars to be driven away while their owners were refuelling.[3] Despite these security vulnerabilities, auto theft rates have decreased 7 percent between 2009 and 2010, and the National Insurance Crime Bureau credits smart keys for this decrease.[4][5]

But the article does confirm that malfeasance of the sort described in the original report must have been a "relay station attack" which needs two devices, one close to the key and another close to the car, as I suspected.

> It might be possible to develop signalling strategies that detect a repeater signal.  It might also be possible to backrev a good old entry button (or an off switch) into the key.

The Prius-C key thingy has the usual manually operated wireless lock-unlock buttons, as well as a mechanical key if all this modern-type technology becomes too much or even fails. I've also noticed the key is detected at a much greater range than 10 cm, but still only in close proximity to the car.

A number of default settings for the Toyota Prius-C (at least) can be customised, and that allows the manual lock-unlock feature and/or the smart entry feature to be switched off altogether.

David L.
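The thread distinguishes a record-and-replay device from a two-device "relay station attack", and floats signalling strategies that detect a repeater. The following toy model, added here as an illustration and not part of the original post or any vehicle's real protocol, shows why those two cases differ: a fresh random challenge with a keyed MAC makes a captured response worthless, but a relay forwards a genuine fob's answer so the MAC still checks out, and only a round-trip-time bound (distance bounding) separates it from the legitimate case. The shared secret, the timing budget and the delay figures are constructed assumptions.

```python
"""Toy model of passive-entry authentication.

Constructed example: fresh challenge/response defeats record-and-replay,
and a round-trip-time bound (distance bounding) is what flags a relay.
The secret, timings and budget below are assumptions for illustration.
"""
import hashlib
import hmac
import os

FOB_SECRET = b"constructed-demo-secret"  # assumed secret shared by car and fob
# Assumed timing budget. Radio propagation over a few tens of centimetres is
# nanoseconds; a relay adds its own transmit/receive and processing delay.
RTT_BUDGET_S = 2e-6
LEGIT_RTT_S = 1e-6  # constructed round trip for a fob beside the car


def new_challenge() -> bytes:
    """Car side: a fresh random nonce for every unlock attempt."""
    return os.urandom(16)


def fob_response(challenge: bytes, secret: bytes = FOB_SECRET) -> bytes:
    """Fob side: keyed MAC over the challenge; useless for any other nonce."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def car_accepts(challenge: bytes, response: bytes, rtt_s: float,
                secret: bytes = FOB_SECRET) -> bool:
    """Car side: accept only if the MAC is right AND the answer came back in time."""
    mac_ok = hmac.compare_digest(fob_response(challenge, secret), response)
    return mac_ok and rtt_s <= RTT_BUDGET_S


def replay_rejected() -> bool:
    """Record-and-replay: a response captured for one nonce is rejected later,
    even when it arrives within the timing budget."""
    captured = fob_response(new_challenge())
    return not car_accepts(new_challenge(), captured, rtt_s=LEGIT_RTT_S)


def exchange_outcome(extra_delay_s: float) -> tuple:
    """One challenge/response round with an added propagation delay.

    With extra_delay_s == 0 this is the owner standing at the car. A two-device
    relay forwards the real fob's answer, so the MAC is valid either way; the
    added delay is the only thing the car can observe.
    Returns (mac_valid, accepted)."""
    chal = new_challenge()
    resp = fob_response(chal)
    mac_valid = hmac.compare_digest(fob_response(chal), resp)
    accepted = car_accepts(chal, resp, rtt_s=LEGIT_RTT_S + extra_delay_s)
    return mac_valid, accepted


if __name__ == "__main__":
    print("replay rejected:", replay_rejected())
    print("owner at the car (mac_valid, accepted):", exchange_outcome(0.0))
    print("relayed fob (mac_valid, accepted):", exchange_outcome(50e-6))
```

The point of the model is that the cryptography alone cannot tell a relayed fob from a present one; that is why the defences discussed in the thread are either physical (a button, an off switch, a 10 cm range limit) or timing-based. In practice a microsecond-scale budget needs UWB-class ranging hardware rather than the LF/UHF radios of older fobs, so the budget here is illustrative only.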
