
Following the theft of my brother's car (a modern Audi Q-something), I got interested in how contemporary cars are protected.

The authentication of the key to the car is dreadful (I work in information security and how certificates are handled is painful to read) but even if that part was done right, an amplification attack would be possible.

The idea is that someone triggers on the car a request for the key presence (by pulling the handle for instance) and that request is amplified so that it reaches the key which is in the nearby house. That way the car is tricked into believing that the key is close and the doors / ignition are unlocked.

The paper Are We Really Close? Verifying Proximity in Wireless Systems from 2016 explains the attack quite well. The basic approach to protection is to measure the time the signal traveled to compute the real distance.

Let's say that the appropriate range for a key to be "close" to the car is 0 to 1 meter. 2 meters and above is "away". This means that the electronics of the car needs to distinguish a round trip for a key close to the car of

$$t_{close}=2 \times \frac{1}{3 \times 10^{8}} \approx 6 \text{ns}$$

from a "far away" one

$$t_{away}=2 \times \frac{2}{3 \times 10^{8}} \approx 12 \text{ns}$$

This is about 5 to 10 nanoseconds of difference minimum.

Is this a realistic timing for consumer devices? (consumer in the sense that they are mass produced in cars and need to be accurate within this timeframe)

The calculation is done in the car, so miniaturization and power does not matter.

WoJ
  • Thieves come into the car and they stay in close vicinity when they open the door, so this is not a valid countermeasure. – Marko Buršič Feb 17 '20 at 15:17
  • Devices are able to do that, however most operating systems aren't able to do it since they aren't real-time. You'll need an RTOS on a RPi or similar. AFAIK there aren't any microcontrollers yet above the 1GHz clock frequency. – Swedgin Feb 17 '20 at 15:18
  • @MarkoBuršič: I am not sure I understand what you mean: the key is in the house, thieves do not have it with them. – WoJ Feb 17 '20 at 15:19
  • If you mass manufacture anything enough you can invest as much as you want to make something difficult happen in semiconductor manufacture. That is your smartphone or WiFi router...or any microcontroller. Not really possible with off-the-shelf parts though. Lots of processing in those few ns. Basically radar. – DKNguyen Feb 17 '20 at 15:21
  • Intervals of a few nanoseconds aren't particularly hard to measure. Things get more expensive when you want to measure tens of picoseconds or below. – user1850479 Feb 17 '20 at 15:22
  • @user1850479 Intervals aren't, but you are doing more than just measuring a pulse in that interval. – DKNguyen Feb 17 '20 at 15:25
  • @DKNguyen: wouldn't it be enough to reject longer round trips, and then take the needed time to process the actual content of the signal? (certificates, ...) – WoJ Feb 17 '20 at 15:46
  • @WoJ You'd still need to decode all the junk in the air on-the-fly, wouldn't you? And if you were close enough you would need to do it fast enough to catch it if it comes in from 1 meter, but not take so long that you miss it if it's actually coming in at 4 meters. – DKNguyen Feb 17 '20 at 15:48
  • Voting to close as opinion-based -- "realistic" is opinion-based, as are the limits of what constitutes a "consumer device". For all that one's car is usually the second most expensive thing that one owns next to a house (or the most expensive if you rent), car manufacturers are exceptionally cheap, in the "skinflint" sense. Just as one example of the difficulty, AFAIK, the radios used in key fobs are still superregenerative receivers, even -- any scheme that could make the key's response time reliable would take more than a superregen. – TimWescott Feb 17 '20 at 15:54
  • @DKNguyen For the type of attack the OP describes no decoding is needed. A relay system simply makes the key think it is near the car and vice versa. Then the signals are relayed back and forth through the relay without any decoding. On the simple side, the relay is just some antennas and amplifiers. On the more complicated side, the relay passes the signal via some other wireless means like cellphones. – vini_i Feb 17 '20 at 16:56
  • @vini_i The OP's not talking about the attack system though. He's talking about the defense to the attack which does have to understand what is going on. – DKNguyen Feb 17 '20 at 16:58
  • @DKNguyen Correct, your comment "You'd still need to decode all the junk in the air on-the-fly wouldn't you?" makes it seem like the attack you're referencing refers to decoding the signal, not just relaying it. I think the gist you were trying to convey is that the FOB would have a processing time internal to it that needs to be accounted for. The processing time would most likely be fixed or nearly fixed and could be accounted for. – vini_i Feb 17 '20 at 17:04
  • @vini_i By "on-the-fly" I mean you have to be able to filter, decode and measure the timings as fast as it comes in. (i.e. You can't save a snapshot of all the RF in your bandwidth and then analyze it at your own leisure.) – DKNguyen Feb 17 '20 at 17:08
  • @DKNguyen That is correct, but there is dedicated circuitry that is looking for the preamble. The timing can be established from when the message is sent to when the preamble is captured. – vini_i Feb 17 '20 at 17:56
  • @vini_i Hence the VLSI and mass manufacture thing. – DKNguyen Feb 17 '20 at 18:45
  • Many low-cost WiFi chipsets already incorporate time of flight measurement capability to nanosecond resolution. – Kevin White Feb 17 '20 at 19:03
  • @TimWescott - the car to fob link is usually at 125kHz where they can use lower power circuitry, not usually super-regen. The receiver in the car these days won't be a super-regen because of its radiation and wide bandwidth - low IF receivers are available @ sub dollar prices these days: eg https://img.ozdisan.com/ETicaret_Dosya/453934_1928180.pdf. – Kevin White Feb 17 '20 at 19:09
  • 1 meter is 1/2400 of a wavelength at 125kHz. There's no way you're going to measure that small of a change with a consumer-grade device. – TimWescott Feb 17 '20 at 19:31
  • "Time of flight" measuring ICs are available that are used to detect gestures that cellphone users make in front of the phone. Given that these are sold at a price that adds one more feature to a mass market consumer item, the cost of achieving something simpler in TOF measurement at very low cost seems highly doable. | ST VL6180X - https://www.st.com/en/imaging-and-photonics-solutions/vl6180x.html | $2.18.5000 Digikey https://www.st.com/content/ccc/resource/technical/document/datasheet/c4/11/28/86/e6/26/44/b3/DM00112632.pdf/files/DM00112632.pdf/jcr:content/translations/en.DM00112632.pdf – Russell McMahon Feb 17 '20 at 19:57

1 Answer


If your question is: is there a way with a low cost product to reliably measure a difference of 6 ns?

Then the answer is yes. There are for example time to digital converters which cost less than $1 and which are able to measure time with a resolution of 55 ps.

They are based on standard CMOS technology, so I don't think it would be too much trouble to integrate the time measurement into a system.


However I cannot answer the question of whether that would actually be enough of a safety gain to render the relay attack harmless. The paper you linked suggests that this might help.

If the next question you ask is: why isn't it done then? Because of cost. If something costs a cent more and the risk is not deemed high enough, it won't be done (that's at least my gathering on the automobile industry).

Arsenal
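To make the round-trip arithmetic from the question and the 55 ps TDC resolution from the answer concrete, here is an added example (not code from the question, the answer or any product) of a distance-bounding check in the car. It assumes a fixed, calibrated key turnaround delay (a placeholder value of 1 µs; as Dan Mills' comment notes, a real fob's response time varies with battery and temperature) and models the TDC simply as rounding the measured time to its resolution.

```python
# Added example: distance bounding from a measured round-trip time, using the
# page's numbers (c = 3e8 m/s, "close" up to 1 m, "away" from 2 m, 55 ps TDC).
C = 3.0e8                  # speed of light in m/s, as used in the question
CLOSE_LIMIT_M = 1.0        # key accepted as "close" up to this distance
TDC_RESOLUTION_S = 55e-12  # time-to-digital converter resolution from the answer

# Constructed placeholder: the key's fixed processing (turnaround) delay.
TURNAROUND_S = 1.0e-6


def round_trip_time(distance_m, key_turnaround_s):
    """Ideal round trip: flight out, fixed key processing delay, flight back."""
    return 2 * distance_m / C + key_turnaround_s


def quantize(t_s, resolution_s=TDC_RESOLUTION_S):
    """What a TDC reports: the time rounded to its resolution."""
    return round(t_s / resolution_s) * resolution_s


def distance_resolution_m(resolution_s=TDC_RESOLUTION_S):
    """Distance step that one TDC tick corresponds to (round trip, so /2)."""
    return C * resolution_s / 2          # 55 ps -> about 8 mm


def estimated_distance(measured_rtt_s, key_turnaround_s):
    """Invert round_trip_time: subtract the calibrated turnaround, then halve."""
    return max(0.0, (measured_rtt_s - key_turnaround_s) * C / 2)


def key_is_close(measured_rtt_s, key_turnaround_s, limit_m=CLOSE_LIMIT_M):
    """The car's decision: only unlock if the flight time puts the key within limit_m."""
    return estimated_distance(measured_rtt_s, key_turnaround_s) <= limit_m


def legit_key_at(distance_m):
    """Key physically at distance_m; returns the TDC-quantized round trip."""
    return quantize(round_trip_time(distance_m, TURNAROUND_S))


def relayed_key(key_distance_m, relay_delay_s):
    """Relay scenario: the key is really key_distance_m away (e.g. in the house)
    and the relay's amplifiers add relay_delay_s. The relay can only add delay,
    so the measured round trip can never be shorter than the true flight time."""
    return quantize(round_trip_time(key_distance_m, TURNAROUND_S) + relay_delay_s)


if __name__ == "__main__":
    for d in (0.5, 2.0):
        print(f"key at {d} m -> close: {key_is_close(legit_key_at(d), TURNAROUND_S)}")
    print(f"relayed key 10 m away -> close: "
          f"{key_is_close(relayed_key(10.0, 50e-9), TURNAROUND_S)}")
```

The 55 ps tick works out to roughly 8 mm of distance, far below the 1 m versus 2 m decision the question asks about; the hard part is the turnaround calibration, not the timer.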
  • "If something costs a cent more and the risk is not deemed high enough" - It does look like the car industry misjudged that though; keyless relay attack thefts are becoming pretty commonplace. Then again, it affects the car owner more than the car manufacturer... – marcelm Feb 17 '20 at 16:50
  • @marcelm yeah I guess they thought it would require much more expensive equipment than it does now. There are cars which are immune to relay attacks, so they are catching up. – Arsenal Feb 17 '20 at 16:59
  • Do you know any models that are immune to relay attacks? I'm interested in how this develops. – marcelm Feb 17 '20 at 17:11
  • Measuring a few ns when you have nice, reliably clean edges to measure between is cheapish these days; doing it when there is a pair of cheap arsed radio links in play (one of which has a rather flat battery, but is 40c warmer than the other) is MUCH harder. The right answer is probably a button on the keyfob that arms the keyless entry for 5 minutes when pressed. – Dan Mills Feb 18 '20 at 01:50
  • @marcelm there is this list published by the German ADAC. They have tested a lot of cars. First column is keyless entry, second column is keyless start. Only a few are not vulnerable to a simple relay attack (which is what was used in my understanding). – Arsenal Feb 18 '20 at 07:36
  • @Arsenal Very informative list, thanks! Sad state of affairs though :( – marcelm Feb 18 '20 at 13:06