
For anyone else who didn't know, I looked up what this is [1].

Essentially it boosts the search range for vehicles from a few feet to something more like 100 meters, when searching for wireless key devices. Then the car will unlock as if the device were very close.

The devices are very inexpensive and starting to see increased use.

[1] http://www.networkworld.com/article/2909589/microsoft-subnet...




Just to clarify, this is a vulnerability for cars with keyless entry, i.e. when you approach close enough to the car, it unlocks automatically if you have the key on your person, and you can start the car with the pushbutton without inserting a key. This attack makes the car consider "close enough" to be 100m instead of a few feet. If the key is inside your house a couple dozen meters away, the car unlocks automatically and you can drive it away.


What happens when I drive more than 100m away? Does the car rely on the key being "close enough" to keep the engine powered?


Most smart key systems will let the car run indefinitely, or until it runs out of gas, etc, once the smart key is removed from range, provided you don't turn the car off.

This is done for obvious safety reasons. Imagine for example if a car just suddenly turned off while you were going over a major highway bridge with no shoulders, etc.


Also it protects against the battery in the key dying.


It also protects against your wife getting out of the car with the key in her purse while you drive back home after dropping her off.


You probably want to realize your wife has the key immediately, not when you are home miles away from the key :)


While I was driving a friend's keyless car (he had the key) he stepped out to get something and the car flashed some lights to inform me I was driving without the key. It didn't turn off (thankfully). This is the correct behavior.

I once watched a friend's girlfriend throw his cell phone out of the car while on the freeway. Had this been his car keys I would hope that the car would not immediately power off (especially since I was in the car).


You don't even need to buy an amplifier. You can stick the key against your head and the water in your brain will amplify the signal. Bonus points for taking a plastic container of water for even further extension of the range!


That is if you want to amplify the signal. But if it's an adversary, they need to do a sort-of MITM to take the car's signal, amplify it, and then turn around and take the key's response and forward it to the car.


I don't think the problem is that people in possession of the vehicle's key can open it from too far away. The problem is that people who don't have possession of the key can open the car and drive off with it.


Is there a source for that? I find it hard to believe.



See this video by Sixty Symbols: https://www.youtube.com/watch?v=0Uqf71muwWc


I did too, but I saw this video (which is part of the very entertaining Sixty Symbols series, btw) which had a demonstration.

https://www.youtube.com/watch?v=0Uqf71muwWc

EDIT: i_cannot_hack got the link in before me. Kudos ;)


Top Gear did this experiment and it worked.


Couldn't it exchange a few messages with the key and precisely measure the time? I'm not sure if such precise measurement is possible, but given that light travels ~1 foot per second, with a 10 MHz clock you could theoretically test if it was more than 50 feet away (many approximations here, but I guess within an order of magnitude).


HDMI already does this for DRM (it won't cough up device keys if it thinks the TV is too far away), so it's possible to measure with the right precision.

That said, signals in twisted pairs propagate at about 0.6c whereas signals in air propagate at speeds very close to c, so this use case is a little more challenging.


You could attempt to time round-trip signal latency directly or via interference patterns, but it's a much shorter timescale. Light travels just shy of 1 billion feet per second, so we're talking differentiating in the 10s of nanoseconds, which requires nontrivial components.


I already posted this link in the epic nope thread that is a sibling to this one, but the paper linked from Wikipedia speaks of an experimental implementation with a return time of 1 ns:

https://en.wikipedia.org/wiki/Distance-bounding_protocol


That's cool. I wonder how difficult it would be to implement in practice.


There are papers going back to at least 2005 (this one, a top search result, is cited 390 times: http://www.cl.cam.ac.uk/~mgk25/sc2005-distance.pdf ), so it would not be all that surprising if there are some existing commercial implementations. The current rash of thefts seems to come down to the systems being completely naive to amplification attacks though.


* per nanosecond of course
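As an added example (not from the thread or the linked paper), a toy Python model of the distance-bounding check the comments above describe: the car times a fresh challenge/response with the fob and refuses to unlock when a cryptographically correct reply arrives later than a round trip over the allowed range could explain. The speed of light in air, a fixed 1 ns fob reply latency, a 2 m unlock range and a 2 ns timing margin are assumed values chosen for illustration.

```python
import hashlib
import hmac
import secrets

C_M_PER_NS = 0.299792458   # speed of light, metres per nanosecond (roughly 1 ft/ns)
FOB_PROCESSING_NS = 1.0    # assumed fixed reply latency of the fob (constructed)
MAX_DISTANCE_M = 2.0       # the car should only unlock for a fob within ~2 m
TIMING_MARGIN_NS = 2.0     # assumed allowance for timer jitter (constructed)


def fob_response(fob_secret, challenge):
    """Fob's reply: a short MAC over the car's fresh random challenge."""
    return hmac.new(fob_secret, challenge, hashlib.sha256).digest()[:8]


def max_round_trip_ns(max_distance_m=MAX_DISTANCE_M):
    """Longest round trip a fob within max_distance_m could legitimately produce."""
    return 2 * max_distance_m / C_M_PER_NS + FOB_PROCESSING_NS


def implied_distance_m(rtt_ns):
    """Distance the measured round trip implies once the fob's fixed latency is removed."""
    return max(0.0, (rtt_ns - FOB_PROCESSING_NS) * C_M_PER_NS / 2)


def simulate_exchange(car_secret, fob_secret, path_m):
    """Constructed model of one challenge/response round over a signal path of
    path_m metres (a relay simply makes that path longer; it cannot make the
    signal arrive sooner). Returns (mac_valid, rtt_ns)."""
    challenge = secrets.token_bytes(8)
    response = fob_response(fob_secret, challenge)
    rtt_ns = 2 * path_m / C_M_PER_NS + FOB_PROCESSING_NS
    mac_valid = hmac.compare_digest(response, fob_response(car_secret, challenge))
    return mac_valid, rtt_ns


def car_accepts(car_secret, fob_secret, path_m):
    """Unlock only if the MAC is right AND the round trip fits the distance bound."""
    mac_valid, rtt_ns = simulate_exchange(car_secret, fob_secret, path_m)
    return mac_valid and rtt_ns <= max_round_trip_ns() + TIMING_MARGIN_NS


if __name__ == "__main__":
    k = secrets.token_bytes(16)
    print("fob in hand, 1.5 m path:", car_accepts(k, k, 1.5))
    print("same fob relayed over a 100 m path:", car_accepts(k, k, 100.0))
    _, rtt = simulate_exchange(k, k, 100.0)
    print("round trip %.0f ns implies about %.0f m" % (rtt, implied_distance_m(rtt)))
```

The relayed exchange produces a valid MAC but a round trip of roughly 668 ns, hundreds of nanoseconds over the bound, which is the margin the comments above say a nanosecond-class timer can resolve.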


Maybe the next escalation will be keys with GPS, which send their encrypted position as part of the protocol. The car compares it to its own GPS, or, in lieu of signal, it remembers its GPS stopping position. If the key has no signal, you have to insert it in the car.

The escalation just after that, of course, is GPS spoofing.


GPS is not reliable enough for that. You have to be able to start your car in an underground parking garage.


Wouldn't be the first time someone did this... For years trains arriving at London Victoria and a few other stations where the concourse was too well covered took 30+ seconds to open the doors, because the driver had to override safety systems to unlock the doors after a new system was put in place that automated which doors to open based on GPS location (there's a lot of variation in how long the stations are, and some long distance trains will operate with up to 12 carriages even though they may stop at stations with space for possibly as little as 4 on the platform, and the platform may be on either side).



