The passive keyless entry and start (PKES) systems supported by many modern cars are susceptible to attacks that allow thieves to relatively easily steal the vehicles, say security researchers at Switzerland's ETH Zurich University.
In demonstrations using 10 cars from eight makers, the researchers showed how they were able to unlock, start and drive away the cars in each case, by outsmarting the smart key system.
The break-ins were carried out using commercial, off-the-shelf electronic equipment available for as little as $100, the researchers said in a paper describing their exploits.
Although the possibility of such attacks on keyless systems has been discussed previously, it has not been clear before if they would be feasible on modern cars, the researchers said. "In this paper, we demonstrate that these attacks are both feasible and practical," they said.
The keyless systems exploited in the Zurich demonstrations are designed to let car owners lock, unlock and start their vehicles without having to take the key fob out of their pockets. They allow car doors to unlock when the person carrying the key approaches the vehicle, and to lock them when the person walks away from the vehicle.
To start the keyless vehicle, the user needs to be inside the car with the key on their person or within the car. There is no need, however, for the key to be inserted physically into the ignition lock to start the vehicle.
The car and the key fob communicate with each other using a combination of both Low Frequency and Ultra High Frequency radio signals. The door lock and unlock functions, asw well as the engine start functions, are activated by the proximity of the key fob to the car. When the key is brought close to the car, it issues a command to open the car and turn on the ignition.
For the experiment, the researchers used a pair of commercially available loop antennas for capturing beacon signals from the car and relaying it to the key fobs. The antennas were used to fool the car into believing the key fob was in closer proximity to the vehicle than it actually was.
First, one of the antennas would be placed on the exterior of the car, close to the door handle, to pick up signals from the vehicle and relay it to the second antenna located some distance away. Signals received by the second antenna would then be picked by the key, which would relay instructions back to the car to unlock the doors.
Once the door was unlocked, the researchers would bring the first antenna inside the vehicle and either press the brake pedal or the start engine button, to cause the car to send a 'start engine' message to the key. The key would then respond with a command to start the car in each case, the researchers said.
Two sets of tests were conducted. In one, the researchers linked the two antennas using standard co-axial cables; in the second, the antennas were linked wirelessly.
They said the tests demonstrated more than just a theoretical threat. For example, the equipment used for the test could be used in a parking lot to steal keyless-enabled vehicles.
In this scenario, the attackers could place one relay antenna close to a corridor, a payment machine, or an elevator, the researchers said. When a user parks and leaves a car with a keyless system, an attacker could quickly place a second antenna to the door handle of the vehicle. This antenna would then begin communicating with the previously placed relay antenna.
"When the car owner passes in front of this second antenna with his key in the pocket, the key will receive the signals from the car and will send the 'open' command to the car," the researchers said. "Once that the attacker has access to the car, the signals from within the car are relayed and the key will now believe it is inside the car and emit the 'allow start' message," they said.
One immediate countermeasure that drivers can take is to put their keys within a protective metallic envelope to prevent it from emitting signals.
Removing the battery from the key fob can also disable the active wireless communications, the paper noted. It also discussed hardware and software modifications that manufactures can take to mitigate the threat.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.