Car Key Signal Scanners: Understanding and Defending Against Keyless Entry Theft

For years, the vulnerability of keyless car entry systems to signal relay attacks has been a known issue within both the automotive industry and the hacking community. This sophisticated technique allows thieves to exploit the wireless signals from car key fobs, effectively tricking a vehicle into unlocking its doors and even starting the engine. Despite repeated demonstrations of this exploit and actual instances of car theft using this method, many car models remain susceptible. Now, a team of researchers in China has not only showcased the effectiveness of this attack once again but has also made it more accessible than ever by significantly reducing the cost and complexity involved.

Researchers at Qihoo 360, a security firm based in Beijing, successfully executed a relay attack using equipment they assembled for a mere $22. This is a stark contrast to the much higher costs associated with previous iterations of key-spoofing hardware. These researchers, known as Team Unicorn, presented their findings at the Hack in the Box conference in Amsterdam, highlighting that their advancements have also dramatically increased the range of these radio attacks. This extended range enables thieves to target vehicles parked over a thousand feet away from the owner’s key fob, posing a significant security risk.

The core mechanism of this attack relies on deceiving both the car and the legitimate key fob into believing they are in close proximity to each other. The process involves two individuals working in tandem. One person, positioned near the car owner carrying the key fob, uses a device to capture and relay the key’s signal. Simultaneously, a second thief stands near the target vehicle with another device that spoofs the signal, making the car think the key is nearby. When the car’s keyless entry system anticipates a signal from the fob to unlock, the relay device intercepts this signal. Instead of attempting to decipher the complex radio code, the devices simply copy and transmit it. The signal is then relayed from the device near the car to the device near the key, and subsequently to the key fob itself. The key fob, responding as if it were in close range of the car, sends a response signal back through the chain of devices, ultimately reaching the car and falsely confirming the key’s presence. This orchestrated exchange tricks the car into unlocking and potentially starting, even though the actual key fob is far away.

Jun Li, a member of Team Unicorn at Qihoo 360, explains, “The attack leverages two devices to effectively extend the operational range of the key fob. Imagine someone is at their workplace or shopping, with their car parked outside. A thief can discreetly approach the car owner, while another can proceed to unlock and drive away with the vehicle. It’s surprisingly straightforward.”

The concept of relay attacks targeting keyless entry systems is not new, dating back to at least 2011 when Swiss researchers demonstrated it using expensive software-defined radios costing thousands of dollars. In 2016, the German automobile club ADAC further illustrated the vulnerability, showing that they could achieve the same outcome with equipment costing approximately $225. Their study also revealed that this type of attack was still effective against 24 different car models. Given the slow pace of automotive security updates, it’s likely that many vehicles from manufacturers like Audi, BMW, Ford, and Volkswagen, identified in the ADAC study, remain vulnerable to these relay attacks.

However, Team Unicorn’s research has advanced relay theft techniques significantly. Instead of merely replicating the raw radio signal, their custom-built devices incorporate chips that demodulate the signal, breaking it down into digital data. This reverse engineering capability allows them to transmit the decomposed signal in segments and at a lower frequency, resulting in a much greater operational range of 1,000 feet, compared to the 300 feet achieved in the ADAC tests. This is accomplished with less energy consumption and at a substantially lower hardware cost. The team estimates their total expenditure on components, including chips, transmitters, antennas, and batteries for both devices, to be around 150 Chinese yuan in total, roughly $22, or about $11 per device.

Samy Kamkar, a respected independent security researcher known for his own keyless entry system exploits, acknowledges the significance of Team Unicorn’s signal reverse-engineering. “Earlier attacks were akin to simply recording and replaying a signal. These researchers, however, have deciphered the ‘language’ of the signal. They are essentially decoding and re-encoding the communication, which represents a deeper understanding and sophistication,” Kamkar notes. This level of understanding could stimulate further research into protocol vulnerabilities and more effective countermeasures.

In their practical tests, the Qihoo researchers successfully unlocked and drove away with two vehicles: a BYD Qing, a Chinese plug-in hybrid sedan, and a Chevrolet Captiva SUV. However, they emphasize that the vulnerability is not limited to these specific models. They point to NXP, a Dutch semiconductor manufacturer that supplies the keyless entry systems used in the Qing, Captiva, and numerous other vehicles, suggesting a broader industry-wide issue. They also indicate that NXP is likely not the only component manufacturer whose systems are susceptible to this type of attack.

According to Birgit Ahlborn, a spokesperson for NXP, “The automotive industry is aware of the decreasing complexity and cost associated with relay attacks over recent years. Car manufacturers and car access system integrators are actively developing and implementing solutions to mitigate these attacks.” However, NXP directs inquiries about specific vehicle vulnerabilities to the car manufacturers themselves. Neither BYD nor Chevrolet had provided comment on the matter when contacted by media outlets.

Qihoo’s researchers propose that car manufacturers and component suppliers like NXP can enhance security against relay attacks by implementing stricter timing constraints in the communication exchange between the key fob and the car. By enforcing tighter time limits for valid responses, excessively delayed signals caused by relay attacks over long distances could be rejected.
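To illustrate the timing countermeasure just described, and the challenge/response exchange behind it, here is an added Python model that is not the researchers’ or any vendor’s code: the car issues a nonce, the fob authenticates it, and the car rejects a correct answer that arrives later than a fob within a few metres could manage. The 5 m distance limit, the 50 µs processing budget, the HMAC standing in for the vendor’s cipher and the 500 µs of relay latency are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Radio propagation speed in metres per microsecond (about 300 m/us).
C_M_PER_US = 299.792458

# Constructed parameters (assumptions, not from the article): the car accepts a
# fob only within MAX_DISTANCE_M and budgets PROCESSING_BUDGET_US for the fob's
# own computation. Everything beyond that is treated as propagation delay.
MAX_DISTANCE_M = 5.0
PROCESSING_BUDGET_US = 50.0
SHARED_KEY = b"constructed-demo-key"   # secret shared by car and fob (demo value)


def rtt_limit_us(max_distance_m=MAX_DISTANCE_M, budget_us=PROCESSING_BUDGET_US):
    """Longest round trip the car tolerates: out and back at max distance, plus budget."""
    return 2 * max_distance_m / C_M_PER_US + budget_us


def fob_respond(secret, challenge):
    """Fob side: authenticate the car's nonce (HMAC stands in for the vendor cipher)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()[:8]


def car_verify(secret, challenge, response, rtt_us):
    """Car side: the response must be genuine AND arrive within the timing bound."""
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, response):
        return False, "response not authentic"
    if rtt_us > rtt_limit_us():
        return False, "response too slow for a nearby fob"
    return True, "unlock"


def exchange(fob_secret, fob_distance_m, fob_compute_us, link_latency_us=0.0):
    """Simulate one challenge/response. link_latency_us models any extra delay
    between car and fob, such as equipment that demodulates and re-sends the signal."""
    challenge = secrets.token_bytes(8)            # car broadcasts a fresh nonce
    response = fob_respond(fob_secret, challenge)  # fob answers it
    rtt_us = 2 * fob_distance_m / C_M_PER_US + fob_compute_us + link_latency_us
    return car_verify(SHARED_KEY, challenge, response, rtt_us)


if __name__ == "__main__":
    print(exchange(SHARED_KEY, 2.0, 40.0))                          # fob 2 m away
    print(exchange(SHARED_KEY, 300.0, 40.0, link_latency_us=500.0))  # fob far away, 500 us relay delay (constructed)
    print(exchange(b"wrong-key", 2.0, 40.0))                         # device without the secret
```

The check only catches a relay whose added latency exceeds the processing slack, which is why distance-bounding designs drive that slack toward zero and measure the round trip at the radio layer rather than in software.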

For car owners, a practical preventative measure is to store key fobs in a Faraday bag, which blocks radio transmissions, effectively isolating the key from signal scanners. Alternatively, in a less elegant but functional approach, a metal enclosure such as a refrigerator can serve the same purpose by acting as a Faraday cage. While keeping keys in what might seem like a “tin-foil hat” might sound excessive, the research from China suggests that attacks on keyless entry systems are becoming easier and potentially more prevalent before robust fixes are widely adopted. Taking proactive steps to shield your key fob from signal scanners is becoming a more relevant consideration for vehicle security.
