
Is there anything car manufacturers can do against this attack while still keeping all functionality of the key fob?



It's hard to see how it could be fixed. Fundamentally, what is different about a local key fob, and a relay connected to a remote key fob? It seems fundamentally impossible to tell the difference.

The one thing that I could see working in theory would be detecting the roundtrip transmission time with a strict ceiling on it. No matter how good your relay is, it can't relay data faster than the speed of light, so you can enforce the fob being close by only listening to it if it responds fast enough.

The problem with this is that light moves pretty fast, and internal delays within the fob will dominate. If you want to put the range limit at, say, 30ft, that means your response time ceiling is a mere 60ns. Can you build a fob that responds anywhere close to that fast?

Edit: one other possibility is if the fob knows where it is. A GPS receiver on the fob, for example, would allow the fob and the car to securely confirm proximity (absent GPS spoofing). Getting a GPS receiver to run on a wireless fob's battery is left as an exercise for the reader.


I think this is an easy problem to fix, no?

Why not just make the keys responsible for starting the car again?

We've traded too much security for convenience and it's time to take a step back.

You can still start the car with the push of a button.. only now that button is on the key.

Problem solved.


The implied context here was "while keeping wireless keyfobs."

Yes, the problem becomes substantially easier if you require a direct physical connection, but that's not such an interesting problem.

Also, given that modern cars are vastly more difficult to steal, I object to your characterization of "traded too much security for convenience." If the current state is too insecure, then you must think that cars from 20+ years ago are absolutely appalling.


I think he was not saying a physical connection was necessary, only that a physical button on the key fob was necessary to start the car. Still wireless, it just requires interaction from the driver who must physically have the key fob.


Oh yes, that would obviously work, but of course you're changing the nature of the device. There are some easy ways to prevent relaying if you're open to that. It's more interesting to me to think about how you might solve the problem without changing anything from the user's perspective.


Ah yeah, I'd like that more as well because I really like driving without ever taking the keys out of my pocket :P I was mostly clarifying for the person you responded to.

Although from what I was seeing in the rest of the thread it seemed that preventing relaying may be more difficult than expected (as most methods relied on timing the signal response). I don't expect it to be impossible though.


Can you explain to me why older cars are easier to steal? I'm not familiar with auto theft/security and I'm curious.


Really old cars have very simple electronics. Even after computers started showing up in cars, they were pretty simple and didn't interact much with the security aspect of things. When you start a car like this, you're just making a connection between two wires to power up the electronics, and briefly making a connection between another two wires to run the starter motor. The only security in the whole system is provided by the fact that the connection is made by a switch that requires a key to turn it. If you don't have the right key, you can't turn the switch, and that means you can't connect the wires.

The trouble is that the wires must be fairly exposed to the occupants of the car, since the switch has to be accessible. That means you can just bypass the switch entirely by removing the appropriate covers and attacking the wires directly. This is "hotwiring."

Physical locks are also not all that difficult to defeat directly. You can pick an ignition switch much like you might pick any other lock.

Starting around the late 90s or so, car manufacturers started adding more robust security measures. These include things as simple as locking the steering column when the ignition switch is off (thus preventing you from driving the car after hotwiring it), all the way up to authenticating the key with a relatively sophisticated protocol, and having the engine computer refuse to run the car unless it can sense a real key.

As a result of these changes, the list of most stolen car models is still topped by cars manufactured in the late 90s. Low-end Hondas from around 1998 are right at the top of the list, because they occupy a sweet spot of being relatively valuable and still fairly easy to steal. Modern cars are stolen literally orders of magnitude less frequently; about 100,000 older Hondas stolen per year in the US, whereas new cars are stolen at a rate of hundreds per model per year at worst. Also as a natural result of these changes, car theft is way down in the US. About 700,000 cars were stolen in the US in 2013, compared to almost 1.7 million in 1991. Pretty much the only way to steal a newer car is to either tow it away or steal the owner's keys. (A common scenario for car thefts is a burglary turned into auto theft when the burglars find car keys in the house.)


Here's a few I remember off the top of my head.

It's easy to get into many older cars. Slim jim past the window is the classic example (and I opened my 80s Toyota with a coathanger multiple times when I locked myself out), but many times the locks could be opened by keys to other cars from the same manufacturer as well, they just didn't seem to be that precise. And of course, smash the window as a last resort, that wouldn't set off an alarm in the past. Nowadays cars have recessed lock things in the door panels (or button-controlled locks that can't be as easily manipulated with a coathanger, or even that don't work at all if the car was locked from outside) to help prevent this, and the interior of the doors has more protection built around the lock mechanism so you can't easily fish through there and hook onto the right lever.

Once inside an old car, starting it is usually just a matter of shorting the right pair of wires. Or using brute strength to turn the ignition cylinder even if the key isn't an exact match (or maybe with a screwdriver, as another poster mentioned doing in the past in this thread). Modern cars have chips in the keys so that it's not just a matter of closing a circuit, the key has to be coded to the car.

Or just tow the car somewhere and work on picking the lock later at your leisure. Overkill for a common car, but for something really nice it could be practical. Nowadays your more expensive cars have tilt and motion sensors that'll set off the alarm if you locked it, left it, and someone else comes up and tries to tow it. Possibly GPS tracking or similar as well, IIRC, on some fancy stuff.

The fob-in-pocket entry/pushbutton start stuff gives up some of those improvements given an exploit like this, but overall I'd say is still much more secure. You need specialized hardware (that's only useful for breaking into someone else's car) and it wouldn't work to, say, steal cars from an airport parking lot or somewhere else where they were left and the owner wasn't in range. Keeping your car in a garage at home seems to mitigate a lot of the easiest vectors for this attack.


To add to the comments about immobilisers, in a number of countries (UK and Germany, amongst others), from 1998 all new cars were required to have an engine immobiliser. Most manufacturers simply made them standard for all countries, so nearly all cars built since 1998 have had them fitted.


Agreed.

Your opinion is an unpopular one, albeit one I share.

There are far too many cases where security is getting removed in the name of convenience, and this is no exception.


It's important to look at this in the context of overall auto theft trends. Auto theft has dropped by more than 50% over the past decade, driven mostly by the broad use of smart keys. (http://www.iii.org/issue-update/auto-theft). The lion's share of the thefts are of older cars (mentioned in the above cite) -- thefts of 2013 vehicles number in the hundreds.

Further, a Tesla has a GPS, sophisticated processor, and a 4G WAN. It would be easy enough to have the car report back to the owner if it's being driven without sensing the key, and give the owner the option to route a theft report and live location of the vehicle to police with one click. That's something I wished for in my revenge fantasies when my car was stolen a decade ago.

We could do more, sure -- but it's hard to argue that we are making cars less secure, or even that car security should be a major care-about for the buyer.


The main issue with newer cars is people stealing your stuff from your unlocked car.

The Tesla app does show the car location on a map; they don't have a "report to police" option, but they aren't that far away from it.

BTW the Tesla modem is 3G.


From a previous discussion:

https://news.ycombinator.com/item?id=9383462

https://en.wikipedia.org/wiki/Distance-bounding_protocol

(I don't pretend to have a clue whether it can be effective or not)


Thanks, nice to know that it has a name.


I could see several ways.

1. Use a modified form of triangulation. Have multiple transceivers in the car (at the front and back) and make the remote direction-aware. Then have the remote and transceivers ask each other if the angles they are seeing are the same. The only way for the thief to bypass this would be two remote amps set at almost 180° from each other.

2. stick an ultrasonic speaker in the key fob and have the car send it a random sequence to play back. For those worried about battery life use a wireless charging system.

Both of these assume that the transmission is encrypted and the thieves are just boosting the signal.


In the attack described here: http://media.hacking-lab.com/scs3/scs3_pdf/SCS3_2011_Capkun....

the attacker has two devices communicating by radio. Device A is near the keyfob, and device B is near the car. Each is a repeater for the other: Whatever the car sends is picked up by device B and repeated by device A. Then the keyfob's response is picked up by device A and repeated by device B.

This type of setup will defeat both of your proposals. Triangulation won't detect anything out of the ordinary, because device B can be right next to the car. And the ultrasonic challenge/response can be defeated just like a radio challenge/response, using microphones and speakers on the repeaters.


I don't believe it's possible to do triangulation in anything like a remotely accurate fashion with anything that'll fit in your pocket.

I don't see how ultrasound helps matters at all. You just change the nature of what the attacker has to relay.


Ultrasound helps because the speed of sound in air is much lower than the speed of radio waves. This makes it massively easier to do distance measurements.

Rather than put an ultrasonic speaker in the fob, I'd put a microphone. The car would send an ultrasonic signal, and the fob would send a radio response indicating it heard it. The car could then calculate how far away the fob is.


Ultrasound also makes it massively easier to spoof distance measurements, because there's nothing that requires the attacker to use ultrasound for his own transmissions.

The speed of sound in air is about 1ms/foot, so if you're trying to measure proximity within 30ft, you're looking for a 60ms roundtrip delay, or 30ms for one-way. If the attacker has ultrasonic microphones and speakers connected with radio waves, that means he can spoof your fob from up to 9,000km away for roundtrip ultrasound, and 4,500km away for one-way, under ideal conditions.

The speed of light imposes difficult constraints in terms of how fast you have to respond, but at least the attacker can't outrun it (as far as anyone knows).


The description I saw of the amplifier attack said that the attacker put an amplifier near the car. This amplified the car's weak signal so it could reach the fob, which would then respond. The attacker does not have any equipment near the fob (and may not even know where it is).

If the car then did an ultrasonic distance check by emitting a coded ultrasonic signal that the fob had to receive, and then relay the code back to open the door, I don't see how the attacker would spoof that. Even if he has an ultrasonic microphone near the car, and an ultrasonic transmitter somewhere else, with a radio link to tell the transmitter what to send...how does he place the transmitter so that your fob will hear it?

If the attack is targeted against a specific individual, where the attacker knows both where the car is parked and where the individual is when away from the car, and the attacker can place equipment at both locations, then yes, I see that the attacker can get around ultrasonic distance measurement.

But for the most common case, where the attacker is at the car and has no idea where the owner is, it seems workable to me.


Right, I see, that makes sense and your idea would definitely help there. It wouldn't defeat a more targeted attack, but just defeating a simpler one could be worthwhile.


It took a few minutes for the 'relay' portion of what you just wrote to click.

So, in theory, if you wanted to steal a REALLY expensive keyless car you could have two devices connected over a mobile data connection that just relays communication with the keyfob. You put one device near the owner of the fob, so in his office, and you keep the other. Then you can just walk off with the car.

Yikes.


Yep - here's a presentation on these relay/repeater attacks by some researchers who actually build some: http://media.hacking-lab.com/scs3/scs3_pdf/SCS3_2011_Capkun....


Yep, that's pretty much it.

Although sometimes you can even skip the second device and just have the one near the keyfob.


You can try to detect the amplified signal, and if you put an accurate timer in the fob you can make it take exactly 5000ns to process and then require a signal back within 5020ns.


Detecting the amplified signal won't work. There are these things known as directional antennas...

The timer idea is a good one, although a ns-accurate timer is starting to get a bit much for something to put into a key fob. Especially given it's run off of a watch battery (power requirements) and often exposed to heat / cold (thermal drift).


The timer could be in the car. Protocol looks like fob pings car, car challenges fob, fob responds.


Nope.

Dylan's comment requires a timer in both the key fob and in the car. The key fob to delay transmission of the challenge response, the car to check if there isn't too much delay in the challenge / response pair.

You really need a timer in the key fob, as the processor in the key fob is often so slow (for battery / cost reasons) that an extra couple clock cycles somewhere would throw off the timing enough to make it fail.


The usual distance bounding protocols only need a nanosecond-accurate timer on one device called the verifier. For example https://www.usenix.org/legacy/event/sec10/tech/full_papers/R...

Cool trick in that one, the Prover (i.e. the key fob) does the distance measuring part of the challenge response protocol using analog only components. This means its response time is <1 nanosecond.

So you can do it with only the car having a good timer.


Well for the example timing I gave you only need 1 part per thousand accuracy, and it's easy to get 10ppm or much better. It only needs to run during communication, anyway.
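The three ideas above (a round-trip ceiling set by the speed of light, a fixed fob delay with a narrow acceptance window such as 5000 ns / 5020 ns, and a rapid-bit-exchange distance-bounding protocol where only the verifier needs a good timer) fit together in one toy. The following is an added example, not code from the thread, from the linked paper or from any car maker: a Hancke-Kuhn style rapid bit exchange over a simulated channel, so you can see the car accept a nearby fob and reject the same fob behind a relay or a fob with the wrong key. The ranges, the 5000 ns fob delay, the 20 ns tolerance, the 100 ns per-hop relay cost and the key are all assumptions chosen for the demo.

```python
# Added example, not code from the thread or from any car maker: a toy
# rapid-bit-exchange distance-bounding check (Hancke-Kuhn style), with a
# simulated channel so the verifier's timing decision can be seen for a
# nearby fob, a relayed fob and a fob with the wrong key.
# All delays, ranges and the key are assumptions chosen for the demo.
import hashlib
import hmac
import secrets

C_M_PER_NS = 0.299792458  # speed of light, metres per nanosecond


def rtt_deadline_ns(max_range_m, fob_delay_ns, tolerance_ns):
    """Latest acceptable round trip for a fob within max_range_m: light out
    and back, plus the fob's fixed reply delay, plus the clock tolerance."""
    return 2 * max_range_m / C_M_PER_NS + fob_delay_ns + tolerance_ns


def slack_metres(tolerance_ns):
    """Extra one-way distance that a timing tolerance lets through."""
    return tolerance_ns * C_M_PER_NS / 2


def response_registers(key, nonce_car, nonce_fob, n_bits):
    """Slow phase: both sides derive two n-bit registers from the shared key
    and the session nonces. r1 answers challenge bit 1, r0 answers bit 0."""
    mac = hmac.new(key, nonce_car + nonce_fob, hashlib.sha256).digest()
    bits = int.from_bytes(mac, "big")
    r0 = [(bits >> i) & 1 for i in range(n_bits)]
    r1 = [(bits >> (n_bits + i)) & 1 for i in range(n_bits)]
    return r0, r1


class Fob:
    """Prover. The fast phase is a table lookup per challenge bit, modelling
    a reply path with a fixed, known processing delay."""

    def __init__(self, key, reply_delay_ns):
        self.key = key
        self.reply_delay_ns = reply_delay_ns  # assumed fixed processing delay

    def setup(self, nonce_car, nonce_fob, n_bits):
        self.r0, self.r1 = response_registers(self.key, nonce_car, nonce_fob, n_bits)

    def respond(self, i, challenge_bit):
        return self.r1[i] if challenge_bit else self.r0[i]


class Car:
    """Verifier. Holds the only precise timer and rejects a session if any
    response bit is wrong or any round trip misses the deadline."""

    def __init__(self, key, max_range_m, fob_delay_ns, tolerance_ns, n_bits=32):
        self.key = key
        self.n_bits = n_bits
        self.deadline_ns = rtt_deadline_ns(max_range_m, fob_delay_ns, tolerance_ns)

    def run(self, fob, one_way_ns):
        """Run one session over a channel with the given one-way latency
        (propagation plus whatever a relay adds). Returns (accepted, reason)."""
        nonce_car, nonce_fob = secrets.token_bytes(8), secrets.token_bytes(8)
        fob.setup(nonce_car, nonce_fob, self.n_bits)  # slow phase, not timed
        r0, r1 = response_registers(self.key, nonce_car, nonce_fob, self.n_bits)
        for i in range(self.n_bits):
            c = secrets.randbits(1)
            # Simulated timer reading: challenge out, fob's fixed delay, response back.
            rtt_ns = 2 * one_way_ns + fob.reply_delay_ns
            if fob.respond(i, c) != (r1[i] if c else r0[i]):
                return False, f"wrong response in round {i}"
            if rtt_ns > self.deadline_ns:
                return False, f"round {i}: {rtt_ns:.1f} ns > deadline {self.deadline_ns:.1f} ns"
        return True, "accepted"


def demo():
    """Honest fob 2 m away, the same fob behind a relay adding 100 ns each way
    (an assumed figure), and a fob holding the wrong key."""
    key = secrets.token_bytes(16)
    car = Car(key, max_range_m=10, fob_delay_ns=5000, tolerance_ns=20)
    fob = Fob(key, reply_delay_ns=5000)
    d = 2 / C_M_PER_NS  # one-way flight time for 2 m, about 6.7 ns
    return (
        car.run(fob, d)[0],
        car.run(fob, d + 100)[0],
        car.run(Fob(secrets.token_bytes(16), 5000), d)[0],
    )


if __name__ == "__main__":
    print(demo())  # expected (True, False, False)
```

Two things worth noticing. `slack_metres(20)` is about 3 m: every nanosecond of tolerance you give the fob's timing is 15 cm of extra range handed to an attacker, which is why the fob's reply delay has to be fixed and known rather than merely bounded. And the wrong-key fob is rejected by the response bits, not the timer, so a relay that is fast enough still has to get the bits right; the two checks cover different attackers.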


I can't edit anymore, but expanding on the GPS idea: I just realized that we pretty much all carry around a GPS-enabled "fob" these days. If you switched away from using a dedicated fob and instead authenticated against a person's phone, you could double-check proximity that way. It would only need a quick check before opening the car, so battery life shouldn't be affected too much.


Theoretically you could use quantum key distribution, but in practice this usually requires a fiber-optic connection.

https://en.wikipedia.org/wiki/Quantum_key_distribution

Edit: Nope, I am wrong, as the comments below point out.


Even with QKD, an attacker that just passes data along without trying to read or change it is nearly undetectable.


I don't see how that helps. QKD stops eavesdroppers, not amplifiers.


Would it be possible to establish a secure connection and exchange a secret key?


No. This could relay the challenge to the key, and the response back to the car. The attacker doesn't have to know any secrets to do that attack.


If you put the car's public key on the fob, the fob can validate that it is talking directly to the car over a secure connection and then the car can validate the fob's secret.


Please elaborate as to how the fob or car would detect the MITM:

1. You place device A near car and device B near fob.

2. Device A relays all RF transmissions in the target frequency range(s) to device B, which rebroadcasts, and vice versa.

Public-key encryption / authentication only ensures that no-one in the middle is reading or editing your connection. It does not prevent someone from relaying your communication. (And a good thing too, else the entire encrypted web wouldn't work.)


Well, there may be one way. But it's not user friendly at all.

When the driver presses lock/unlock on the fob, the car first sends a signed message with a session secret. The fob checks the signature, takes the secret and creates a _single use_ auth token and signs it with the private key stored on the fob. That signed auth token is then sent from the fob to the car to lock/unlock the car.

To check if there was a MITM you would have to pull the door handle to see if your keypress was successful. If it was successful, you don't need to worry if the key was grabbed by a MITM, they can't use it even if they tried. If it was unsuccessful for some reason (e.g. the MITM knew it was a single use auth token so they didn't pass the token onto the car in hopes you might not be paying attention and will press the button a second time) then there should be a manual override outside and inside the car that clears the valid auth tokens and allows you to lock/unlock/start the vehicle without sending any RF transmissions. A slot that you insert the key into would work.
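To make the relay argument from the two comments above concrete, here is an added example (not code from the thread): a mutually authenticated, single-use challenge-response between car and fob, using HMAC over a shared key as a stand-in for the signatures the commenter describes. It shows that a forged answer and a replayed answer are refused, that a fake car cannot even get the fob to talk, and that a relay which copies the bytes unchanged in both directions is accepted, because nothing in the messages depends on where the fob is. The key, the message labels and the relay helper functions are assumptions for the demo.

```python
# Added example, not code from the thread: mutually authenticated,
# single-use challenge-response (HMAC as a stand-in for signatures),
# showing that forgery and replay are refused while a byte-for-byte relay
# is accepted. Key, labels and helper names are assumptions for the demo.
import hashlib
import hmac
import secrets


def tag(key, label, challenge):
    """Authenticator over a challenge; the label keeps car and fob tags distinct."""
    return hmac.new(key, label + challenge, hashlib.sha256).digest()


class Car:
    def __init__(self, key):
        self.key = key
        self.outstanding = set()  # challenges issued, not yet answered
        self.used = set()         # challenges consumed: single use

    def challenge(self):
        """Fresh random challenge plus the car's own authenticator over it."""
        c = secrets.token_bytes(16)
        self.outstanding.add(c)
        return c, tag(self.key, b"car", c)

    def unlock(self, c, fob_tag):
        if c in self.used or c not in self.outstanding:
            return False  # replayed or never issued
        if not hmac.compare_digest(tag(self.key, b"fob", c), fob_tag):
            return False  # forged
        self.outstanding.discard(c)
        self.used.add(c)
        return True


class Fob:
    def __init__(self, key):
        self.key = key

    def answer(self, c, car_tag):
        """Verify the car first, then authenticate the challenge.
        Returns None when the car's tag does not check out."""
        if not hmac.compare_digest(tag(self.key, b"car", c), car_tag):
            return None
        return tag(self.key, b"fob", c)


def honest_unlock(car, fob):
    c, car_tag = car.challenge()
    return car.unlock(c, fob.answer(c, car_tag))


def relayed_unlock(car, fob):
    """Attacker with two radios: device B by the car forwards the challenge
    to device A by the fob; A forwards the answer back. Bytes are copied,
    never read or changed, and the car cannot tell this from honest_unlock."""
    c, car_tag = car.challenge()
    forwarded_c, forwarded_tag = bytes(c), bytes(car_tag)  # B -> A
    answer = fob.answer(forwarded_c, forwarded_tag)
    return car.unlock(c, bytes(answer))                     # A -> B -> car


def replayed_unlock(car, fob):
    """Record one good exchange and play the answer a second time."""
    c, car_tag = car.challenge()
    answer = fob.answer(c, car_tag)
    return car.unlock(c, answer), car.unlock(c, answer)


def forged_unlock(car):
    """No key: answer the challenge with random bytes."""
    c, _ = car.challenge()
    return car.unlock(c, secrets.token_bytes(32))


def fob_rejects_fake_car(fob):
    """A fake car without the key cannot get the fob to answer at all."""
    c = secrets.token_bytes(16)
    return fob.answer(c, secrets.token_bytes(32)) is None


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    car, fob = Car(key), Fob(key)
    print(honest_unlock(car, fob), relayed_unlock(car, fob),
          replayed_unlock(car, fob), forged_unlock(car), fob_rejects_fake_car(fob))
```

The single-use bookkeeping in `Car.unlock` is exactly the "single use auth token" idea, and it does close the replay hole. What it cannot close is `relayed_unlock`: the car issues one challenge, receives one correct answer for it, and consumes it, precisely as in the honest run. Swapping the HMAC for real public-key signatures changes nothing here, since the relay never needs to produce or read a tag.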


You're assuming user interaction with the key fob, in which case the solution is trivial.

The entire discussion here is based around not requiring interaction with the key fob.


What if the car sent out the signal and the fob received it, then sent an unlock command?


Note the vice versa:

In that case device B picks up on the unlock command and relays it back to device A which rebroadcasts the unlock command to the car.


Presumably the request could be signed.


Signatures do nothing to prevent blind relaying. Transmitting through an amplifying relay in this attack looks identical to transmitting through free space, aside from the received power level and propagation delay.


I'm suggesting that the car sends out a constant, signed signal to a certain range. The fob receives it and sends an unlock signal back to the car.


The amplifier relays that signed signal to the fob. The fob receives it and its unlock signal is relayed back to the car.

No matter what tricky message protocol you come up with, it won't matter. The car and the fob can't detect the difference between being next to each other, and being next to a set of relays rebroadcasting their signals. Not by reading and transmitting radio signals at least.


Ah, I see. You're right, then.


You can't think about this like internet security. Normal encryption doesn't care how long the network cord is. Opening your car door does. This attack lengthens the cord between client and server without touching the data on the cord so that you are genuinely logged in from an encryption standpoint, but from a world standpoint you are sitting at your office desk unable to see your car.


Have the key fob beep or buzz when it gets used, along with a panic button that the user could hit on the fob to force the car off and set off the alarm. To defend against the attacker cutting off the amplifier just after getting the car started, have the car shut off if it loses contact with the key fob within the first 15 seconds.

Edit: just thought of another possibility -- use spread spectrum. An amplifier would have to be tuned to a specific frequency. With spread spectrum, the car and key fob switch frequencies every second based on a cryptographic function, therefore defeating the amplifier.


I think including a keyfob buzzer would be a hard sell. The whole purpose of these keyless entry systems is convenience and asking buyers to hover over their keyfob like a baby monitor is not convenient (nor cheap).


An amplifier doesn't need to be tuned to a specific frequency.

Look at SDRs. You can "tune" an SDR to tunnel an entire large chunk of spectrum.


Adding on the idea of a specific frequency; what if the car also sends a few ``honeypot'' signals at different frequencies, near the real frequency.

If the attack tries to amplify a given range, the honey pot signals will also be amplified, and the car can refuse to be opened.


You're assuming omnidirectional amplification. It's easy enough to amplify without leaking more signal back to the source than, say, a metal-faced wall would.


Some half-baked ideas:

- If the car was inductively powering the key, that might be harder/more dangerous to amplify.

- The car or house could send a false key signal, which would also be amplified, and refuse to open when receiving it. (New attack: lock rich people out of their car with 17$ of equipment!)

- If your house/public-buildings/phone+gps could track the key, they could tell the car to disable the system.

- Sending the signal with audio or visible light? Something that doesn't pass through walls.

- Use a pedometer to deactivate the key when it's at rest.

- Use a really long key (like... 2 metres long) with transmitters at each end, use crypto and frequency hopping, and use multiple receivers on the car to triangulate both ends. If both transmissions are coming from the same spot, it's an amplifier.


Anything to do with active disabling is easy to prevent via jamming.

Inductive power isn't going to really help, I don't think.

A false key signal, like you mention, won't help. Also, it'd be relatively easy to stop via a directional antenna.

Audio does pass through walls. Visible light would be less convenient than a standard key, I'd think.

Disabling the key while at rest would be really annoying for those who tuck it in their purses.

A really long key... I hope you're joking.


> Anything to do with active disabling is easy to prevent via jamming.

Jamming is better than unlocking. Especially if you can fallback to the normal key.

> A really long key... I hope you're joking.

Obviously you'd have to do something clever with it. Turn it into a walking stick, sew it into clothing, have an anklet+earring combo, or etc.

But, like I said, all the ideas were half-baked.


Either do something with speed-of-light delay ("fun"), or manually activating the key fob (degrades user interaction).


The root of the problem isn't encryption or communication but rather that the key fob's location is data in the clear and easily tampered with. That data is the signal strength and/or triangulation of the fob's signal.

The fob has no knowledge of its own location, so the car must figure it out on its own, allowing the attack to occur. If you gave the key fob some way of calculating its position relative to the car, you may be able to transmit that to the car over the existing communication channel and have the car verify it.

The question then becomes: how can one give the tiny computer in a key fob independent access to its location relative to a car? An inertial navigation system[1] would probably be cheapest and most power-efficient. Though they suffer from inertial drift, that could be mitigated by periodic re-calibration while the car is driving and then parks (and the occasional non-keyless entry). The key fob then only transmits a signal when it detects that it's close enough, and the problem is "solved".

Now you just need to replace the batteries on your keys every few weeks...

[1]:https://en.wikipedia.org/wiki/Inertial_navigation_system


Perhaps moving to a shorter distance transmission method would work. You could use NFC and then touch the fob against a portion of the door, placing the key in a cup holder (or something similar in the center console) with NFC support when you want to start the engine? It's not the exact same functionality, but is close.


Remember the adversary is boosting the signal, so their device doesn't have to be in a cupholder even if your key would.


But if we are going over a very short distance like NFC does then their amplifier is going to have to be close to the key. If my NFC key only works when it is within two inches of the door lock, your amplifier is going to have to be within two inches of my pocket to pickup the signal to amplify it.


Well... they might have a better antenna or just a bigger amplifier than your car does. And if they can just walk past you to unlock your car, that's still pretty unnerving.


Creating a special hole to put the keyfob into sort of negates the already dubious benefit of these keyless entry systems.


That just means that the adversary needs to get the repeater closer to you. It mitigates it, but doesn't stop it.


Would triangulation of the signal not be effective?


Against this attack? Yes. Against a trivial modification of this attack? No.

(Trivial modification: you have two transceivers. Each transceiver encodes and encrypts everything in the frequency range, and sends it to the other one, which decrypts it and rebroadcasts it.)

Think of the original attack as being the equivalent of placing a megaphone up against the guy whispering, and this attack as being the equivalent of placing a cell phone up against the guy whispering and another cell phone that's connected to the first one up against the guy waiting to hear something.

Not to mention that triangulation has... problems. You really don't want your car to not open because there was a stray reflection off of something nearby.


This is more of a question. Is it not possible to "listen" for your reflected (there will be some always, right?) search pings, and conclude that there is some amplifier attack happening if the signal is much stronger than usual? Even if there is no signal reflected usually, wouldn't this amplifier be more or less omnidirectional (they don't know where your key is right now)? If so, a stronger than expected "reflected" ping can still be recognized. What am I missing?


You can relatively easily set up an amplifier with a directional antenna. Also, that will easily false positive - there are a lot of things that reflect RF in weird ways.


A lot of things will reflect RF in weird ways, and that is precisely what I was counting on. Surely an amplifier that changes the detection range from 1 foot to 100 feet will be emitting much much higher energy than what is usually experienced under normal operation. I guess the antenna does not have to be omnidirectional as long as the attacker can search around the direction the key is likely to be.


It should be able to triangulate the response and normalize for signal strength at a known distance with standard hardware. Of course one could still make an amp to do full emulation but it would become at least more expensive.


What about using noise? There's probably some math where amplification would change the level of the noise relative to the level of the signal.


Provide small Faraday cages in which to keep your keys when not in use.



