Are you lucky enough to have a keyless car, motorbike or front door? If you are then you probably appreciate the convenience of being able to walk up to a door or vehicle, have it recognize the key in your pocket and automatically unlock the doors or allow you to start the vehicle.
The conceptual crime of being able to steal a car by relaying a contactless key’s signals is not new, but a video of the crime actually happening does make it real. West Midlands Police in the UK have released CCTV footage of just that, a pair of audacious thieves taking a Mercedes car from outside a home.
Security experts have repeatedly warned that there is a risk of key signals being relayed from the key to the car. To a consumer the concept may sound a little far-fetched. Technically-aware criminals carrying sophisticated technology that allows them access to vehicles or houses is probably something that still belongs only in Hollywood movies.
Manufacturers of vehicles have addressed the issue, in part: the key has to be within a certain distance from the vehicle. For example, to start the car the key may need to be in the vehicle. Limiting the range at which the antenna can read the key means the key holder is present and therefore it’s safe to allow access and starting. However, if a relay is used then the key may only appear to be in the car, as the video demonstrates.
Exactly how does the attack work and is it expensive to create? The attack, while seeming to be technology voodoo, is actually rather simple. It requires a transmitting relay near the key and a second relay near the car to receive the relayed signals and mimic the key. In 2011 the Department of Computer Science at ETH in Zurich published a paper detailing how to relay signals with equipment that cost just US$225. As technology becomes less expensive over time, so does the equipment to relay ‘keyless’ signals: in April 2017 Wired published an article with details of devices costing as little as $22.
As the thieves demonstrate in the video, it is a matter of getting near the key (many of us leave keys near a door) and of having an accomplice near the vehicle. The relay transmits the signals to unlock the doors; the thieves then make the mistake of thinking the car will start but, as you will have seen, they need to repeat the process for the car to read the key a second time.
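To see why a range limit alone does not prove the key holder is present, here is a small simulation added for this article (it is not code from any manufacturer or from the ETH paper). It assumes the key answers a random challenge with an HMAC, ignores the key's own processing time, and adds a round-trip-time check that the article does not mention; all class and function names are hypothetical.

```python
import hashlib
import hmac
import os

C = 299_792_458.0      # speed of light, m/s
KEY_RANGE_M = 2.0      # assumed read range of the car's antenna (constructed value)

class Fob:
    def __init__(self, secret):
        self._secret = secret

    def respond(self, challenge):
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

class Channel:
    """Radio path from car to fob; a relay pair extends it beyond KEY_RANGE_M."""
    def __init__(self, fob, distance_m, relayed=False, relay_delay_s=0.0):
        self.fob, self.distance_m = fob, distance_m
        self.relayed, self.relay_delay_s = relayed, relay_delay_s

    def exchange(self, challenge):
        if self.distance_m > KEY_RANGE_M and not self.relayed:
            return None, 0.0                  # fob never hears the car
        # The relay forwards both messages unmodified; it only adds travel time.
        rtt = 2 * self.distance_m / C + self.relay_delay_s
        return self.fob.respond(challenge), rtt

class Car:
    def __init__(self, secret, max_rtt_s=None):
        self._secret, self.max_rtt_s = secret, max_rtt_s

    def unlock(self, channel):
        challenge = os.urandom(16)            # fresh challenge for every attempt
        response, rtt = channel.exchange(challenge)
        if response is None:
            return False
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return False                      # wrong key
        # Added mitigation: reject answers that took longer than the range allows.
        return self.max_rtt_s is None or rtt <= self.max_rtt_s

def scenario(distance_m, relayed, timed):
    secret = b"constructed-demo-secret"
    limit = 2 * KEY_RANGE_M / C if timed else None
    return Car(secret, limit).unlock(Channel(Fob(secret), distance_m, relayed))
```

With the key 30 m away and relayed, the car without the timing check unlocks because the genuine key produced the answer; only the timing check notices that the answer travelled too far.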
Why write a blog about a known attack that’s not new? Well, the video published this week sparked my interest: I own a motorbike that has a keyless system and I am always amazed at being able to walk up, press the start button, and ride off. However, there are limitations. The key needs to be in a different pocket from my phone for signal and battery purposes. If the phone and key are together the bike does not see the key and the key loses battery power quickly, as the key thinks the phone is trying to read the RFID chip and activates the distance technology designed to make sure it’s near the reader. Thus, I end up with a dead battery in the key and having to use the backup system to start the bike.
I also have an RFID enabled passport. It’s this technology that allows you to go through the electronic passport check and is common in today’s passports. To add to this I have a credit card that allows contactless payments, and I’m sure that, if I looked further through my everyday items, I would find more.
The British passport I carry has an RFID chip that is readable within a certain distance. For example, if I put my passport down on the counter in a shop then a reader could be placed under the counter to read passports placed on it. The content is of course encrypted, but a talented cybercriminal may take the time to attempt to decrypt the data. If you hold a US passport the same issue does not apply: there is an RFID chip but the cover of the passport is shielded to stop ad hoc reading of the data.
By now I hope you are wondering just how many RFID devices you have in your wallet and life. There is a risk of devices oversharing or sharing at a time that you don’t want them to, as with the car key. There are solutions to shield your stuff: for example I have an RFID-blocking wallet, which protects my credit cards unless I remove them from the wallet to use them. There are similar wallets or covers for passports which in basic terms wrap their contents in a material that blocks radio signals.
The keyless car fob can also be protected with a wallet, but it may feel wrong to hide the key of your new Mercedes in a wallet. I would go for the simpler and cheaper option and place the car keys in a tin while I am at home – a small mint or candy tin will create enough of a block to stop you being the next victim. For those that want to go all out and create a Faraday cage you can find some helpful instructions here.