For years, a concerning vulnerability has lingered in modern vehicle security: the key fob relay attack. This sophisticated yet surprisingly simple method allows criminals to bypass your car’s keyless entry system, unlock the doors, and even drive away, all without physically touching your keys. While automakers and security experts have been aware of this threat, recent advancements have made these attacks cheaper, easier to execute, and more potent, thanks to devices that essentially act as Key Fob Signal Amplifiers.
Security researchers at Qihoo 360, a Chinese security firm, have demonstrated a new iteration of this relay attack using hardware costing a mere $22. This is a significant decrease from previous setups, which could cost hundreds or even thousands of dollars. Furthermore, their refined technique dramatically extends the range of the attack, enabling thieves to target vehicles parked over 1,000 feet away from the owner’s key fob. This expanded range, coupled with the affordability of the equipment, makes the threat of keyless car theft more pervasive than ever.
Understanding the Relay Attack: Amplifying the Vulnerability
The core of the relay attack lies in deceiving both the car and the legitimate key fob into believing they are within close proximity of each other. Imagine two individuals working in tandem. One, positioned near the car owner (perhaps in a public place like an office or shopping center), carries a device designed to capture and relay key fob signals. The second individual, the actual thief, stands near the targeted vehicle with another device.
The process unfolds as follows: The device near the car picks up the car's challenge to the key fob and passes it to the device near the owner, which re-broadcasts it as if it were the car. This "challenge" signal prompts the real key fob, even if it's inside a house or pocket, to respond. The response is captured by the device near the owner, amplified, and relayed back to the device positioned at the car, which replays it to the vehicle. Effectively acting as a key fob signal amplifier, this chain of devices extends the working range of the key fob far beyond its intended limit. The car, upon receiving the relayed and amplified response, is tricked into thinking the legitimate key is nearby and unlocks the doors, often even enabling the ignition.
Jun Li, a researcher from Team Unicorn at Qihoo 360, explains it simply: “The attack uses the two devices to extend the effective range of the key fob… Someone slips near you and then someone else can open up and drive your car. It’s simple.”
Cheaper, Longer Range, and More Sophisticated Signal Amplification
While the concept of relay attacks isn’t new – dating back to at least 2011 – Team Unicorn’s advancement lies in making the attack significantly more accessible and effective. Earlier demonstrations relied on expensive software-defined radios. More recently, the German car-owners group ADAC showed similar results with around $225 of equipment.
However, the Qihoo 360 team has taken a leap forward by reverse-engineering the key fob signal. Instead of simply recording and replaying the raw radio signal, their custom-built devices demodulate the signal, breaking it down into digital data. This sophisticated approach allows them to retransmit the signal at a much lower frequency and more efficiently, achieving a 1,000-foot range compared to the 300 feet seen in ADAC tests. Furthermore, by using readily available and inexpensive chips, transmitters, and antennas, they drastically reduced the cost to around $22 for the pair of devices.
Samy Kamkar, a respected security researcher, highlights the significance of this reverse engineering: “The original attacks took a tape recorder and hit record, and then played it back… These guys understand the language: It’s like they write down the words and speak it on the other end.” This deeper understanding of the signal protocol opens doors for further exploitation of vulnerabilities.
Real-World Vulnerabilities and Industry Response
In their tests, the Qihoo researchers successfully unlocked and drove away with a BYD Qing hybrid and a Chevrolet Captiva SUV. They emphasize that the vulnerability extends beyond these specific models, pointing to NXP, a Dutch chipmaker whose keyless entry systems are used in numerous vehicles, including the Qing and Captiva. It’s likely that many other car manufacturers relying on similar keyless entry technology are also susceptible to these amplified relay attacks.
NXP acknowledges the increasing ease and decreasing cost of relay attacks. A spokesperson stated that carmakers and system integrators are working on solutions to counter these threats. However, they deferred questions about specific car vulnerabilities to the car manufacturers themselves. As of now, neither BYD nor Chevrolet has publicly commented on this issue.
Protecting Yourself from Key Fob Signal Amplification Attacks
While automakers work on long-term solutions, there are immediate steps car owners can take to mitigate the risk of key fob relay attacks. Qihoo’s researchers suggest that manufacturers could implement stricter timing constraints in the communication between the key fob and the car. This would make it harder for relayed signals, which inherently introduce delays, to be accepted.
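The following toy model, added here as an illustration and not code from the researchers or from any vehicle manufacturer, ties together the challenge/response exchange described above and the timing constraint the Qihoo researchers propose. The car issues a fresh random nonce, the fob answers with a keyed HMAC, and the car accepts only if the answer is both correct and arrives inside a round-trip budget. A relayed exchange is modelled purely as extra latency on the path (longer propagation plus time spent demodulating and re-sending, as described earlier); every timing constant, the 3 m acceptance zone, the 50 µs fob processing time, the 1 µs jitter allowance and the 2 ms relay overhead, is an assumed value chosen for the example, not a figure from the article.

```python
"""Toy keyless-entry model: HMAC challenge/response plus a round-trip-time check.

All timing constants below are assumed values for illustration only; they are
not taken from the article or from any real vehicle or chip.
"""
import hashlib
import hmac
import os

SPEED_OF_LIGHT_M_PER_US = 299.792458   # metres per microsecond
FOB_PROCESSING_US = 50.0               # assumed: time the fob takes to compute its answer
MAX_DISTANCE_M = 3.0                   # assumed: car accepts a fob only within 3 m
TIMING_TOLERANCE_US = 1.0              # assumed: slack for clock jitter

# Tightest round trip the car will accept: fob compute time, plus the radio
# round trip to the edge of the allowed zone, plus the jitter allowance.
MAX_RTT_US = (FOB_PROCESSING_US
              + 2 * MAX_DISTANCE_M / SPEED_OF_LIGHT_M_PER_US
              + TIMING_TOLERANCE_US)


class KeyFob:
    """Answers a challenge with an HMAC over the car's nonce using a shared key."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Car:
    """Issues a fresh nonce and accepts a response only if it is both
    cryptographically correct and observed inside the round-trip budget."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = os.urandom(16)   # fresh nonce: a recorded answer is useless later
        return self._pending

    def verify(self, response: bytes, rtt_us: float) -> str:
        if self._pending is None:
            return "no_challenge"
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None             # each nonce is consumed exactly once
        if not hmac.compare_digest(expected, response):
            return "rejected_bad_response"
        if rtt_us > MAX_RTT_US:
            return "rejected_too_slow"
        return "accepted"


def round_trip_us(distance_m: float, extra_delay_us: float = 0.0) -> float:
    """Time the car observes between sending its challenge and hearing the answer.
    extra_delay_us models anything on the path besides free-space propagation,
    e.g. equipment that demodulates and retransmits the exchange."""
    return 2 * distance_m / SPEED_OF_LIGHT_M_PER_US + FOB_PROCESSING_US + extra_delay_us


def run_exchange(car: Car, fob: KeyFob, distance_m: float, extra_delay_us: float = 0.0) -> str:
    """One full challenge/response cycle as the car sees it."""
    nonce = car.challenge()
    answer = fob.respond(nonce)
    return car.verify(answer, round_trip_us(distance_m, extra_delay_us))


def demo() -> dict:
    """Three constructed scenarios: owner at the door, a relayed exchange, a wrong key."""
    key = os.urandom(32)                 # constructed shared secret for this run
    car, fob = Car(key), KeyFob(key)
    return {
        # owner standing 1 m from the car: correct answer, fast enough -> accepted
        "owner_at_door": run_exchange(car, fob, distance_m=1.0),
        # same fob and key, but the answer travelled ~300 m (about 1,000 ft) and
        # spent an assumed 2 ms being demodulated and re-sent -> rejected on timing
        "relayed_300m": run_exchange(car, fob, distance_m=300.0, extra_delay_us=2000.0),
        # a fob with a different key: rejected before timing is even considered
        "wrong_key": run_exchange(car, KeyFob(os.urandom(32)), distance_m=1.0),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15s} -> {verdict}")
```

The point the model makes is that the relayed answer is cryptographically perfect; only its arrival time gives it away, which is why the proposed mitigation is a timing bound rather than a stronger cipher. In practice the budget has to be far tighter than a low-frequency fob radio can measure, which is why production distance-bounding designs move the timed exchange onto a wideband channel with nanosecond resolution.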
For car owners, the most effective preventative measure is to block the radio transmissions from your key fob when it’s not in use. Storing your keys in a Faraday bag, specifically designed to block electromagnetic fields, effectively prevents your key fob from responding to relay attack devices. In a pinch, a metal box, like a refrigerator or even a tin, can offer similar, albeit less convenient, protection.
While carrying your keys in a signal-blocking pouch might seem like an extreme measure, the increasingly sophisticated and accessible nature of key fob signal amplifier attacks suggests that such precautions are becoming increasingly necessary to safeguard your vehicle from theft. As technology advances, so too must our security measures to stay one step ahead of potential threats.