For years, the vulnerability of keyless car entry systems to relay attacks has been a known issue within both the automotive industry and the hacking community. The technique lets thieves capture the wireless exchange between a car and its key fob and forward it over a distance, tricking the car into unlocking its doors and even starting the engine. Despite repeated demonstrations and documented real-world car thefts using this method, many car models remain susceptible. Now, a team of researchers from China has not only showcased the attack once again but has also made it significantly cheaper and easier to execute, raising fresh concerns about vehicle security.
Researchers at Qihoo 360, a security firm based in Beijing, successfully carried out a relay attack using easily constructed gadgets that cost a mere $22 to build for the pair. This is a stark contrast to the more expensive hardware previously required for such exploits. The Qihoo team, presenting their findings at the Hack in the Box conference in Amsterdam, highlighted that their advancements have also dramatically increased the range of the attack. The extended range lets thieves target a vehicle parked as far as a thousand feet from the owner's key fob, making it even harder for car owners to protect their assets.
The core of the relay attack is deceiving both the car and the legitimate key fob into believing they are next to each other. One attacker holds a device near the victim's key fob, while a second stands at the target vehicle with another device. The device at the car spoofs the presence of the fob, prompting the car's keyless entry system to transmit the radio challenge it expects the key to answer before it will unlock. Rather than trying to break the cryptography behind that exchange, the attackers' devices simply forward it: the challenge travels from the device at the car to the device near the fob and on to the real key fob, and the fob's response is relayed back along the same chain. The car sees a correct answer and concludes the key is within immediate range.
“The beauty of this attack is how it uses two simple devices to extend the operational range of the key fob,” explains Jun Li, a member of Team Unicorn, the Qihoo research group behind this demonstration. “Imagine you are working in your office or browsing in a supermarket, your car parked outside, seemingly secure. An accomplice simply needs to get close to you with a device, while another can then effortlessly unlock and drive away your car. It’s alarmingly simple.”
This type of relay attack on keyless entry systems is not a new phenomenon. Its origins trace back to at least 2011, when Swiss researchers first demonstrated it using sophisticated software-defined radios costing thousands of dollars. In 2016, the German automobile club ADAC further highlighted the issue, showing that similar attacks could be achieved with approximately $225 worth of equipment. Their study revealed that 24 different car models were still vulnerable to this type of exploit. Given the slow pace of automotive security updates, it is highly probable that many vehicles from manufacturers like Audi, BMW, Ford, and Volkswagen, identified in the ADAC study, remain vulnerable to this attack today.
However, Team Unicorn's research has pushed radio relay theft even further. Instead of merely recording and replaying the raw radio signal, their custom-built devices incorporate chips that demodulate the signal, recovering the digital data it carries. Having reverse engineered the signal format, they can forward the recovered data bit by bit over a link at a significantly lower frequency. That lower-frequency link is what buys the greater range, up to 1,000 feet compared to the 300-foot range observed in the ADAC tests, while consuming less power. The cost of the hardware has also plummeted. The Beijing-based researchers reported spending only around 150 Chinese yuan, or approximately $11 per device, on components including chips, transmitters, frame antennas, and batteries. Similar frame antennas can be found on Amazon and other online retailers, putting this type of attack within reach of a much wider range of individuals.
Samy Kamkar, a renowned independent security researcher with his own history of keyless entry system hacks, finds the team’s signal reverse-engineering particularly noteworthy. “Previous attacks were like using a tape recorder to capture and replay the signal,” Kamkar explains. “These researchers, however, have effectively learned the language of the signal. They are decoding and re-encoding it, allowing for much greater control and efficiency.” This deeper understanding of the communication protocol could pave the way for even more sophisticated attacks and further research into system vulnerabilities.
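To make Kamkar's "tape recorder" versus "learned the language" distinction concrete, here is an added example (not code from the Qihoo team or the original article) that demodulates a sampled on-off-keyed burst into bits and compares how much data each style of relay has to forward. The article does not state the modulation, carrier or bit rate of the real fobs, so the ASK waveform, the sample rate and the 16-bit payload are all constructed assumptions for illustration:

```python
"""Demodulate a sampled on-off-keyed (ASK) burst into bits and compare what a relay has
to forward: raw samples versus the recovered bits. Added example; the page does not state
the modulation or data rate of the real systems, so these parameters are assumptions."""
import math
import random

SAMPLE_RATE = 100_000            # samples per second (assumed)
CARRIER_HZ = 5_000               # deliberately low carrier so a bit spans a few cycles
BIT_RATE = 1_000                 # bits per second (assumed) -> 100 samples per bit
SAMPLES_PER_BIT = SAMPLE_RATE // BIT_RATE
THRESHOLD = 0.3                  # mean |sin| over whole cycles is 2/pi ~ 0.64 for a "1", ~0 for a "0"


def modulate_ook(bits: str):
    """Stand-in for the key fob's transmitter: carrier on for '1', silence for '0'."""
    samples = []
    for i, b in enumerate(bits):
        for n in range(SAMPLES_PER_BIT):
            t = (i * SAMPLES_PER_BIT + n) / SAMPLE_RATE
            samples.append(math.sin(2 * math.pi * CARRIER_HZ * t) if b == "1" else 0.0)
    return samples


def add_noise(samples, sigma: float = 0.1, seed: int = 1):
    """Deterministic Gaussian noise so the demodulator has something to reject."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def demodulate_ook(samples) -> str:
    """Envelope detector: average the absolute amplitude over each bit period and slice."""
    bits = []
    for i in range(len(samples) // SAMPLES_PER_BIT):
        chunk = samples[i * SAMPLES_PER_BIT:(i + 1) * SAMPLES_PER_BIT]
        envelope = sum(abs(s) for s in chunk) / SAMPLES_PER_BIT
        bits.append("1" if envelope > THRESHOLD else "0")
    return "".join(bits)


def raw_relay_bytes(samples) -> int:
    """Bytes a 'tape recorder' relay must forward: one 16-bit sample per point."""
    return 2 * len(samples)


def bit_relay_bytes(bits: str) -> int:
    """Bytes a demodulating relay must forward: the recovered bits, packed."""
    return (len(bits) + 7) // 8


FOB_BITS = "1011001110100101"   # constructed 16-bit payload; not a real fob's data

if __name__ == "__main__":
    air = add_noise(modulate_ook(FOB_BITS))
    recovered = demodulate_ook(air)
    print("recovered == sent:", recovered == FOB_BITS)          # True
    print("raw samples to relay:", raw_relay_bytes(air), "bytes")  # 3200
    print("bits to relay:", bit_relay_bytes(recovered), "bytes")   # 2
```

The ratio is the whole point: a relay that ships waveform samples must carry and faithfully reproduce thousands of bytes per burst, whereas one that has learned the framing can carry a couple of bytes over any cheap, low-rate, low-frequency link and regenerate a clean signal at the far end.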
In their practical tests, the Qihoo researchers successfully unlocked and drove away two vehicles: a Qing gas-electric hybrid sedan from BYD, a Chinese automaker, and a Chevrolet Captiva SUV. They emphasized, however, that the vulnerability extends well beyond these two models. They pointed to NXP, the Dutch chipmaker whose keyless entry chips are used in the Qing, the Captiva and many other vehicles, as one reason the weakness is so widespread, and added that NXP is unlikely to be the only supplier whose chips are susceptible.
“The automotive industry is increasingly aware of the decreasing complexity and cost associated with executing relay attacks,” acknowledges Birgit Ahlborn, a spokesperson for NXP. “Carmakers and car access system integrators are actively developing and implementing solutions to counteract these evolving threats.” However, NXP directed inquiries regarding specific vulnerabilities in existing car models to the car manufacturers themselves. Neither BYD nor Chevrolet has issued a public response to requests for comment on this issue.
Team Unicorn suggests that car manufacturers and component suppliers like NXP could significantly mitigate relay attacks by enforcing stricter timing constraints on the exchange between the key fob and the car. A relay necessarily adds delay: the challenge and response must cross the extra distance between the two attacker devices and pass through their electronics. If the car only accepts a response that arrives within a window barely longer than a fob a few meters away needs, a reply relayed from a thousand feet away arrives too late and is rejected as fraudulent.
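The exchange described above, the relay through two attacker boxes, and the timing bound Team Unicorn proposes, as an added simulation that is not part of the original article or of any vendor's design. The challenge/response is modelled with an HMAC over a constructed key (a stand-in for whatever cipher the real chips use), the fob's compute time, the attacker boxes' re-encoding delay and the legacy 50 ms timeout are all assumed values, and propagation is computed from distance rather than measured:

```python
"""Simulated passive-keyless-entry challenge/response, a relay through two attacker
boxes, and a round-trip time bound that rejects the relayed reply.
Added example: protocol, key and timings are assumptions, not the real NXP/BYD/GM design."""
import hashlib
import hmac

C_M_PER_S = 299_792_458.0            # radio propagation speed, metres per second
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
FOB_COMPUTE_S = 50e-6                 # assumed fixed time the fob needs to build its reply
LEGACY_TIMEOUT_S = 50e-3              # assumed generous timeout of a car with no timing check


def fob_reply(challenge: bytes) -> bytes:
    """Fob side: keyed MAC over the car's challenge (stand-in for the vendor's cipher)."""
    return hmac.new(SHARED_KEY, challenge, hashlib.sha256).digest()[:8]


def link_delay(distance_m: float, processing_s: float) -> float:
    """Time for one hop: free-space propagation plus any demodulate/re-encode work."""
    return distance_m / C_M_PER_S + processing_s


def run_exchange(challenge: bytes, hops):
    """Carry the challenge out over `hops` (list of (distance_m, processing_s)) to the fob
    and the reply back over the same hops. Returns (reply, round_trip_seconds)."""
    t = sum(link_delay(d, p) for d, p in hops)    # challenge: car -> ... -> fob
    reply = fob_reply(challenge)
    t += FOB_COMPUTE_S
    t += sum(link_delay(d, p) for d, p in hops)   # reply: fob -> ... -> car
    return reply, t


def car_accepts(challenge: bytes, reply: bytes, round_trip_s: float, max_round_trip_s: float) -> bool:
    """Car side: the reply must be correct AND arrive within the allowed round-trip time."""
    expected = fob_reply(challenge)
    return hmac.compare_digest(expected, reply) and round_trip_s <= max_round_trip_s


def tight_bound(max_distance_m: float = 3.0, tolerance_s: float = 1e-6) -> float:
    """Round-trip budget for a fob at most `max_distance_m` away: fixed compute time,
    propagation both ways, and a small tolerance for jitter. The tolerance must stay
    below the ~2 us that 300 m of extra path adds, or a pure analogue relay slips through."""
    return FOB_COMPUTE_S + 2 * max_distance_m / C_M_PER_S + tolerance_s


# Constructed scenarios
LEGIT_HOPS = [(1.0, 0.0)]                    # fob in the driver's hand, 1 m from the car
RELAY_HOPS = [(0.5, 2e-6),                   # car -> attacker box A at the car (2 us to re-encode, assumed)
              (300.0, 2e-6),                 # box A -> box B standing 300 m away next to the owner
              (0.5, 0.0)]                    # box B -> fob in the owner's pocket


def scenario(hops, bound_s: float, challenge: bytes = bytes.fromhex("0123456789abcdef")) -> bool:
    """Run one exchange over `hops` and report whether the car unlocks."""
    reply, rtt = run_exchange(challenge, hops)
    return car_accepts(challenge, reply, rtt, bound_s)


if __name__ == "__main__":
    print("legit fob, legacy timeout:", scenario(LEGIT_HOPS, LEGACY_TIMEOUT_S))  # True
    print("relayed,   legacy timeout:", scenario(RELAY_HOPS, LEGACY_TIMEOUT_S))  # True  (the attack)
    print("legit fob, tight bound   :", scenario(LEGIT_HOPS, tight_bound()))     # True
    print("relayed,   tight bound   :", scenario(RELAY_HOPS, tight_bound()))     # False
```

With the legacy timeout the relayed reply is cryptographically perfect and arrives with tens of milliseconds to spare, so the car opens; with the tight bound the same reply is about 10 microseconds late and is refused. The catch for real hardware is the `FOB_COMPUTE_S` assumption: the bound only works if the fob's reply latency is fixed and nearly jitter-free, which is why this is a change to the access system's design rather than a firmware tweak.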
For car owners, a practical preventative measure is to store key fobs in a Faraday bag, which blocks the radio exchange the attack depends on. In a pinch, a metal enclosure such as a refrigerator can do the same job. Whichever you use, test it once: with the fob inside, try to unlock the car from beside it; if the doors open, the shielding is not good enough. Keeping your keys in what amounts to a "tin-foil hat" may sound extreme, but the research from China underscores that attacks on keyless entry systems are becoming cheaper, easier and likely more prevalent. Shielding the key fob's signal when it is not in use is becoming a basic part of modern car security.