Car Relay Theft

Car Relay Theft

Someone brought this up and it got me curious, with these passive entry systems, it is super convenient to walk up to a Tesla with your phone in your pocket and just have the doors open.

Or if you have a luxury car like a BMW to be able to walk up and have the doors open for you, Unfortunately, this is vulnerable to an easy hack, called a relay attack, get a retransmitter for a key fob which typically transmits in the 315Mhz range and then have the fob in your office then move to open your car.

Note this does require that the thief know where you are and where your car is. They can’t just create a signal like the early days of garage openers. This isn’t a replay attack. Nor is it a man-in-the-middle attack where someone injects things into an encrypted conversation. This is much simple, you are simply extending the range of an existing signal.

So what are the mitigations and what’s the right long term fix/ Well, there seem to be two major mitigations. The first is not really a fix, but it is to disable the passive entry. That is to stick your key fob into an RF proof bag or disable it so that it requires you click on it. The second mitigation which at least keeps the car from getting stolen is to require a PIN to drive your car. Of course, this also keeps kids and anyone else who gets the keyfob from driving away, but it adds more work each time.

Also you probably want to rotate the pin as you can tell from the fingerprints on a touchscreen the buttons. It is also inconvenient because, who doesn’t want to just walk up to a car and then have it drive away from you.

The long term complete mitigation is to basically sense where the key fob is physically located. This doesn’t seem to be any current cars. The closest is with the Tesla Model X, it has multiple bluetooth receivers and uses triangulation to figure out that you are approaching the door and then opens it for you automatically. It actually works incredibly well and is convenient. However, this is not a complete fix as the relay point looks to the car like the keyfob.

The best approach seems to be what Apple has taken for it’s unlock of your Mac from your Apple Watch. It actually sense the watch is there with bluetooth and then uses Wifi to figure out the “time of flight”, that is, it can tell the distance from the actual watch and not from some relay. It uses a protocal called 802.11v which allows Wifi networks to discover their topology. So it can tell how far away the watch it.

Unfortunately, no current car does this, so in the mean time, if you are worried about this and park your cars on city streets, then turn on Pin-to-drive or disable the passive entry either physically with an RF pouch or in software. Sorry!

Share

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: