The evolution of user convenience with passive keyless entry (PKES) for cars has, unfortunately, come at the expense of security.

With the key in your pocket, you can unlock the car, get in, and push the start button to start it. These car security systems are being bypassed.

A recent CBS This Morning news segment suggested storing car fobs in a shielded box (or in your fridge).

So all of the systems used the same radio architecture. They all used proper challenge-and-response crypto, meaning that the cryptography itself was done right.

So the car periodically sends out a ping. In some cases the ping is just a wake-up for the key. If the key acknowledges the ping, the car then sends the cryptographic challenge, which the key answers to prove that it is the correct key. That is a four-way handshake.

However, some of the designs use a simpler two-way exchange, in which the cryptographic challenge is broadcast continuously and the key is acknowledged only once its response is received.

Now, a big part of the problem is range. The assumption made with RFID tags is that they only work within a certain distance. But if you use a high-gain antenna, you can ping somebody's RFID tag in their car a hundred feet away, even though RFID is supposed to reach only a few centimeters.

The car emits a low-frequency, inherently short-range, RFID-style ping in the region of 120 to 135 kHz.

Generating such a low-frequency, short-range signal takes a relatively large amount of power: you need a larger antenna and/or more transmit power.

But cars have monster batteries and lots of power compared to, for example, the battery that can fit in a key fob. So whereas the car generates a short-range, low-frequency (LF) query, the key fobs universally respond with a UHF (ultra-high frequency) transmitter, which is inherently longer range, on the order of a hundred meters.

It has been reported: "We note that the main reason why relay attacks are possible on PKES systems is that, to open and start the car, instead of verifying that the correct key is in its physical proximity, the car actually verifies that it can communicate with the correct key, assuming that the ability to communicate implies proximity."

For example, somebody parks a very nice luxury car in a restaurant parking lot and goes into the restaurant. The bad guys are watching. They know the make and model of the car, and that it has the fancy PKES keying system. So one of them has a briefcase containing a receiver and re-broadcaster. That person simply follows the owner of the fancy car into the restaurant and arranges to stand near them. The briefcase receives the car's ping over the extended link and re-broadcasts it to the key, even though the key is a long distance from the car. The key doesn't know that it is not right next to the car. So it uses its UHF transmitter, which, as we know, reaches up to about 150 feet, to say: unlock the door. The moment that happens, the bad guy gets in the car. Now his transmitter is relaying the inside-the-car signal, which the key receives and answers with its challenge response.

Notice that the crypto doesn't have to be broken. They have simply extended the range, because range was the only assumption on which all of the security of this system rested. The key, operating at a much greater distance, responds to the inside-the-car signal. The bad guy presses the start button and drives away.
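To make the point above concrete, here is an added simulation (not code from the original post, and not any vehicle's real protocol) of the challenge-response half of the four-way handshake. The car issues a random challenge and the key answers with an HMAC over it; the shared secret, the delay figures and the `RTT_BUDGET_NS` distance-bounding budget are all constructed for the demo. The simulation shows what the text describes: a valid response is a valid response no matter how long the signal path was, so the cryptography cannot detect the extended range. It also shows the mitigation the quoted paper points toward: if the car additionally bounds the round-trip time (a distance-bounding check), the same valid response arriving too late is refused.

```python
import hmac
import hashlib
import secrets

# Constructed demo secret shared by car and key (not a real vehicle key).
SHARED_KEY = b"constructed-demo-shared-secret"

# Assumed distance-bounding budget, in nanoseconds: the extra round-trip delay
# the car tolerates beyond the key's calibrated processing time. Radio travels
# roughly 0.3 m per ns, so 100 ns of excess round trip corresponds to a key
# about 15 m away. The figure is chosen for this demo, not taken from any car.
RTT_BUDGET_NS = 100.0


class KeyFob:
    """Key side: answers a challenge with an HMAC keyed by the shared secret."""

    def __init__(self, secret):
        self.secret = secret

    def respond(self, challenge):
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


class Car:
    """Car side: issues random challenges and checks the key's response."""

    def __init__(self, secret):
        self.secret = secret

    def challenge(self):
        return secrets.token_bytes(16)

    def verify(self, challenge, response):
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def handshake(car, fob, path_delay_ns, distance_bounding=False):
    """Run one challenge/response over a simulated channel whose one-way
    excess delay is path_delay_ns.

    Returns (crypto_ok, unlocked). With distance_bounding=False the car does
    what the text describes: a valid response means 'unlock', regardless of
    how far the signal travelled. With distance_bounding=True the car also
    requires the round-trip excess to fit the assumed budget.
    """
    challenge = car.challenge()
    response = fob.respond(challenge)
    crypto_ok = car.verify(challenge, response)
    round_trip_ns = 2 * path_delay_ns
    if not crypto_ok:
        return False, False
    if distance_bounding and round_trip_ns > RTT_BUDGET_NS:
        return True, False  # right key, but it cannot be in proximity
    return True, True


def demo():
    car = Car(SHARED_KEY)
    fob = KeyFob(SHARED_KEY)
    wrong_fob = KeyFob(b"constructed-wrong-secret")
    # Key next to the car: a few metres of air, ~10 ns each way (constructed).
    near = handshake(car, fob, path_delay_ns=10.0)
    # Same key, same crypto, but the signal took a much longer path
    # (constructed 5 microseconds each way): the response is still valid.
    far = handshake(car, fob, path_delay_ns=5000.0)
    # Same long path, but the car bounds the round-trip time.
    far_bounded = handshake(car, fob, path_delay_ns=5000.0, distance_bounding=True)
    # A key with the wrong secret fails the crypto check outright.
    wrong = handshake(car, wrong_fob, path_delay_ns=10.0)
    return {"near": near, "far": far, "far_bounded": far_bounded, "wrong": wrong}


if __name__ == "__main__":
    for name, (crypto_ok, unlocked) in demo().items():
        print(f"{name:12s} crypto_ok={crypto_ok} unlocked={unlocked}")
```

Running `demo()` gives `near` and `far` both `(True, True)`: the car's verifier cannot tell the two cases apart, which is exactly why "the crypto doesn't have to be broken". Only `far_bounded` comes back `(True, False)`, because the timing check turns the implicit range assumption into an explicit one the car actually enforces.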