People everywhere are reporting that even though they swear they locked their car, they came back to it to find things missing. Even in their own driveway! Some surveillance video shows people walking up to locked cars and just lifting the door handle – no forced entry. How is this happening? And how can you prevent it from happening to you?
New research from Zurich shows just how easy it is for bad guys to gain access to your new car. All cars using the Passive Keyless Entry System (PKES), which is just about every new car, have a fatal security flaw that allows attackers to just open your door and potentially even drive away.
PKES is the system that allows you to get really close to your car door and unlock it without pushing any buttons on the fob. It certainly is convenient, but as we’ll see, it certainly won’t keep your car locked for the bad guys. Let me show you how PKES works, the simple way bad guys can defeat it, and what you can easily do to protect your car and your valuables against this type of attack.
The PKES Design
Here’s how your PKES system works: Your car emits a short-range radio ping heard by your keyfob. The keyfob uses its long-range radio to securely exchange codes that let your car know that you have the right keyfob to open it. Your car receives the correct codes and opens the car door for you.
Your keyfob purposefully emits long-range signals because you want to be able to open your trunk or unlock your door or push the PANIC button from far away. You might be halfway across the parking lot when your kid says they forgot their phone, so you push the button and unlock the car while they run back and get it. In each case you are Actively pushing a button – not Passively unlocking the door.
The car purposefully emits short-range signals because it needs to make sure you are very close before it allows the car door to be unlocked. It does not broadcast long-range signals because it doesn’t want to allow random people to open your car door when you are far away.
So it’s the long range and short range that are the key to the design, and the problem:
Car emits short-range signals to know that you are close enough to open the door and start the car
Keyfob emits long-range signals so you can purposefully push a button to open the car from across the parking lot
The problem is that the security of the Passive system RELIES on the short-range proximity of the car transmitter. In other words, the car realizes it can’t transmit very far, so if it successfully exchanges codes with the correct keyfob, it assumes that keyfob must be very close.
Bad assumption. All a thief has to do is amplify the car’s radio signal to extend its transmission distance, and they are in your car stealing its contents or driving away. And that’s what thieves are doing all over the world!
How the Attack Works
A thief needs only to stand next to your car with a low-frequency amplifier. This extends the range of the car’s pings without the car realizing it. The thief’s amplifier will broadcast your car’s signals a greater distance. Remember your keyfob already has a long-range transmitter, so as long as it isn’t too far away it needs no enhancement to complete the code exchange.
You could be sitting in a restaurant, your keyfob in your purse or pocket. A thief walks up to your car, his amplifier now extending the car’s inherent short-range keyfob pings beyond just a couple of feet and all the way into the restaurant. All he needs to do is lift the door handle.
Same thing if your car is parked in your driveway and your keys are “safely” inside the house in a desk drawer. As long as the thief’s transmitter is strong enough, and as long as your keyfob isn’t too far away, gaining entry to your car is a snap.
What You Can Do About It Now
This is happening all over the world today, so you need to take action. Luckily there are several things you can do, all of which have trade-offs.
Check your car’s owner’s manual. There might be a special combination of fob keypresses that disables PKES. You can disable it when you lock your car, then enable it when you return.
Purchase a Faraday cage for your keyfob. This is a simple metallic mesh bag you put your keyfob into when you leave your car. The metallic bag prevents radio transmission and reception, which means the thief’s amplifier will be falling on deaf ears and the attack will not work. Additionally, you can put your cellphone in the bag if you don’t want to be tracked. What you lose is the passive entry convenience: you will have to take your keys out of the pouch every time you want to get into or start your car, an inconvenience we suffered with only a few years ago.
Experiment with your own Faraday cage. I know those electronics anti-static bags will work, but they have to be completely sealed off. Roll the opening closed a couple of times. A metal box such as an Altoids tin might be all it takes. To make sure it works, put your keyfob in the tin and walk right up to your car. It shouldn’t unlock, and it shouldn’t start.
Try taking the battery out of the keyfob. You’ll need to experiment with this, because it may not work with all fobs. Some car manufacturers realize that you shouldn’t be stranded if your keyfob battery is dead, so there should be some provision to allow entry and ignition of your car if you really are right next to it. Note that if you do remove the battery from the keyfob, you will lose the ability to open/panic your car from even relatively short distances.
Long term, this needs to be fixed by the car manufacturers. The problem is widespread enough that a total recall should be in order. It can be fixed relatively cheaply by issuing new fobs that remove the passive entry option and go back to you needing to push buttons to get into your car. Or they can redesign the system so that it does not assume anything about distance and instead actually measures it using speed-of-light calculations.
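To make the difference between assuming distance and measuring it concrete, here is a small simulation of the car's side of the decision. It is an added example, not code from any manufacturer or from the Zurich research: the HMAC code exchange, the 1 microsecond fob turnaround and the 2 m unlock radius are all assumptions chosen for illustration, and a real distance-bounding design is more involved than this timing model.

```python
import hashlib, hmac, os

C = 299_792_458.0         # speed of light in m/s
FOB_TURNAROUND_S = 1e-6   # assumed fixed fob reply delay (constructed value)
MAX_DISTANCE_M = 2.0      # assumed passive-unlock radius (constructed value)

def fob_response(key: bytes, challenge: bytes) -> bytes:
    """The fob proves it holds the shared key by MACing the car's challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def round_trip_s(path_m: float) -> float:
    """Simulated time from challenge sent to reply received over path_m metres."""
    return 2 * path_m / C + FOB_TURNAROUND_S

def distance_bound_m(rtt_s: float) -> float:
    """Upper bound on fob distance: no signal travels faster than light."""
    return max(0.0, (rtt_s - FOB_TURNAROUND_S) * C / 2)

def naive_unlock(key: bytes, challenge: bytes, response: bytes) -> bool:
    """PKES as described above: correct codes are taken as proof of proximity."""
    return hmac.compare_digest(fob_response(key, challenge), response)

def bounded_unlock(key: bytes, challenge: bytes, response: bytes, rtt_s: float) -> bool:
    """Same code check, but the car also measures how far the reply travelled."""
    ok = naive_unlock(key, challenge, response)
    return ok and distance_bound_m(rtt_s) <= MAX_DISTANCE_M

def run_scenarios() -> dict:
    """Return {scenario: (naive decision, distance-bounded decision)}."""
    car_key = os.urandom(16)  # constructed shared secret
    scenarios = [             # (name, key held by the fob, signal path in metres)
        ("owner at door", car_key, 1.0),
        ("fob 30 m away, signal relayed", car_key, 30.0),
        ("wrong fob at door", os.urandom(16), 1.0),
    ]
    results = {}
    for name, fob_key, path_m in scenarios:
        challenge = os.urandom(16)                   # fresh challenge per attempt
        response = fob_response(fob_key, challenge)
        rtt = round_trip_s(path_m)
        results[name] = (naive_unlock(car_key, challenge, response),
                         bounded_unlock(car_key, challenge, response, rtt))
    return results

if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: naive={decision[0]} bounded={decision[1]}")
```

The relayed case is the one that matters: the codes are genuine, so the naive check opens the door, while the timing check refuses because the reply took about 200 nanoseconds of flight time instead of about 7.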