Car Keyless Entry Systems May Invite Relay Attacks

Many car owners are keeping their keys in their freezers overnight, here's why.

You just bought a beautiful new car with a keyless entry system and keyless ignition. You park it in your driveway, toss your keys onto a table near the front door, and settle in for a good dinner and a night of watching TV.

In the morning, you kiss your loved ones goodbye, stride out onto the driveway and . . . no car. Congratulations, you've been the victim of a relay attack.

RELATED: TESLA SUES FORMER EMPLOYEES, SELF-DRIVING START-UP ZOOX CLAIMING THEFT

Keyless entry fobs differ from regular remote fobs in that you don't have to push a button on the fob in order to open the car's doors. Keyless entry requires only that the key fob and the car be close to one another. To prevent potential abuse, car manufacturers have limited that distance to around two meters.

What is a relay attack?

One thief holds a relay attack device near to a home's front door, searching for a radio signal from the key fob. Once the device gets that signal, it relays it to an accomplice standing near to the car's doors and holding an identical device.

The car is fooled into thinking the owner is within the defined range, and obligingly opens the door. If the car has push-button ignition, the thieves are good to go. If not, they merely repeat the relay attack process and they're off — along with your car.

In the video below, we see thieves using the relay attack process to first unlock a car, then repeating the process to start the vehicle and drive away.

Relay attacks go all the way back to 2011, when Swiss researchers demonstrated it using devices costing several thousand dollars.

In 2016, researchers with the German car-owners group ADAC demonstrated a relay attack with just $225 in equipment.

By 2017, researchers at Beijing security firm Qihoo 360 demonstrated a relay attack that used just $22 in equipment and, more worringly, extended the range of the attack to cars parked as much as 1,000 feet from the owner's key fob.

Ways to combat relay attacks

Over the last five years in the UK, car thefts have increased by 50%. During 2017 and 2018, 112,174 vehicles were stolen from UK owners, or 307 cars every single day.

To counter these attacks, car manufacturers have started issuing motion-detector key fobs. If the fob hasn't been moved within a period of time, such as five minutes all the way up to half an hour, and is then accessed, it will automatically shut down.

The thinking is that when you grab your keys to go to your car, the fob will be in motion, and its motion detector will detect that movement.

Advertisement

Rankings were recently released by Thatcham Research in the UK that showed that the motion-detector key fobs from Audi, BMW, Ford and VW fared the best against relay attacks. In particular, Thatcham praised the Audi A6 Allroad, BMW 1 Series, BMW 8 Series and BMW X6, Ford Puma and Volkswagen Passat.

The Daily Mail article quoted Thatcham Research chief technical officer Richard Billyeals as saying, "The motion sensor fob is a good short-term option, but the goal for carmakers must be to design out the vulnerability entirely. Until then, a fundamental security flaw remains."

Owners who bought their keyless entry and keyless ignition cars before motion-detector fobs were issued, and those whose manufacturers don't offer the technology are in a tough spot.

They can try putting their key fob in a Faraday pouch, which blocks radio transmissions. Putting the fob in a metal box, such as a refrigerator or freezer can also work. Owners can also check their car's owner's manual to see if the key fob can be switched off entirely.

Advertisement
Faraday pouch
Faraday pouch Source: Amazon

At a minimum, it's a good idea to place your key fob and any spares as far away as possible from your home's doors.

Other security features that many auto insurers either require or else desire are car alarms, double locking systems and immobilizers.

Cars having keyless entry

Cars with keyless entry include:

  • Nissan Versa - comes standard on the Versa SL
  • Jeep Renegade - available on all models at $125
  • Toyota Tacoma - standard on the Tacoma TRD Sport, TRD Off-Road and Limited
  • Mazda MX-5 Miata - standard equipment on all automatic Miatas, $130 for manual transmission
  • Chevrolet Malibu - available with all trim levels
  • Toyota Prius - one of the first to feature keyless entry and ignition
  • Kia Sedona - standard on the EX, SX and SX-L
  • Dodge Durango - standard on all Durangos including the base model
  • Ford F-150 - standard on the Lariat, King Ranch, Platinum and Limited
  • Audi A4 - with the fob on you, it allows the trunk to be opened with a wave of your foot under the car's bumper.
Advertisement