Boney Maundu

CAR KEY FOB HACKING



HOW CAR THIEVES USE KEY FOB RELAY ATTACK TO STEAL A VEHICLE


While car keys and overall security are becoming more advanced and sophisticated over time, so are car thieves and the technology to circumvent emerging security improvements. One popular security feature in modern cars is doing away with conventional keys in favour of key fobs.


While key fobs are significantly more secure than conventional keys, particularly for key-less push-button start vehicles, as potential car thieves need the key fob for the car to respond, key fobs can still be used against the vehicle owner with a bit of ingenuity.


For cars with key fobs, the biggest risk comes from unauthorized key fob duplication or cloning, where a criminal copies the vehicle’s original key fob and uses the copy to gain access to the vehicle.


What is key fob hacking?


Also known as relay theft, key fob hacking is where an individual can copy the signal being transmitted by the key fob using an RF transmitter and use it to unlock a car, which they can drive off or steal valuables from. This method is way more effective for car thieves as it can be discreet, unlike traditional methods of breaking and entering or lock picking.


Depending on the type of vehicle and fob technology used, some are harder to intercept and manipulate than others. More secure key fobs use rolling codes, a technique where the code changes every time the fob is used. This makes the intercepted or captured code useless when relayed to a device close to the car, as it would register as a used code.


How it Works


A car and its key fob are constantly communicating passively with each other, in readiness for an active signal from the fob to lock, unlock, or activate the car for ignition. Potential thieves can intercept the signal from the fob, amplify it, and use it to access the car.


In a typical situation, when a vehicle is parked in the driveway, the driver or owner, once in the house, drops or hangs the car keys by the door out of habit and for convenience. This is where potential car thieves come in with a relay device and station themselves by the front door, where the probability of intercepting electromagnetic signals being constantly emitted by the key fob is higher.


Once the first individual manages to capture the signal, they relay it to an accomplice stationed closer to the car in the driveway or parking lot. The relaying is needed since a car can’t be unlocked unless the key fob is in close proximity. The second accomplice, once they’ve received the signal from the relay device, replays it, and the car is tricked into believing the key fob is right next to it, since the signal is strong enough to indicate close proximity. The doors can then be unlocked and the ignition activated.


This scenario can also be replicated elsewhere, for instance, at the workplace or restaurant, where an individual with a relay device gets close enough to the vehicle owner to capture the signals being transmitted by the key fob. The signal is then boosted and relayed to the second accomplice lurking next to the target vehicle.


Rolling-Pwn Attack & PRNG


In a Rolling-Pwn attack, a device intercepts the codes sent from a key fob to the car and can then use them to open and even start the car.


Older vehicles are more vulnerable as they use static codes for keyless entry, and these codes, when captured once, can be used to unlock and access the vehicle at will.


In modern keyless entry and push-button start cars, the keyless entry system uses rolling codes produced by a pseudorandom number generator (PRNG) algorithm. Each time the key fob is pressed, a different code is sent to the vehicle. The vehicle then verifies the received codes against a database of PRNG-generated codes. If the code is valid, the car is activated for lock, unlock, or ignition.


This helped to reduce man-in-the-middle relay attacks, where an individual might intercept a signal and relay it to an accomplice with a device next to the car.


The counter in the vehicle checks the chronology of the codes generated and increases the count upon receiving new codes. An attacker, with the help of appropriate equipment, can eavesdrop on and capture a consecutive sequence of codes from a previous lock/unlock command session and replay them at a later time to unlock and activate the vehicle, reusing codes that should actually be invalid. This can even happen weeks or months after the codes have been captured.
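The counter check described above, as an added example (not code from the original article or from any manufacturer's firmware): a strict receiver that only accepts codes ahead of its counter, beside an assumed flawed variant that resynchronises when it sees consecutive old codes. HMAC-SHA256 stands in for the fob's PRNG; the key, window sizes, and all class and function names are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed secret shared by fob and car
WINDOW = 16    # assumed look-ahead for presses made out of range of the car
LOOKBACK = 64  # assumed range the flawed receiver searches backwards

def code_for(counter):
    """Rolling code for one counter value (HMAC stands in for the PRNG)."""
    mac = hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256)
    return mac.digest()[:4]

def find(code, start, stop):
    """Return the counter in [start, stop) that produces code, or None."""
    for c in range(start, stop):
        if hmac.compare_digest(code, code_for(c)):
            return c
    return None

class StrictReceiver:
    """Accepts only codes ahead of its counter; the counter never goes back."""
    def __init__(self, counter=0):
        self.counter = counter

    def receive(self, code):
        c = find(code, self.counter + 1, self.counter + 1 + WINDOW)
        if c is None:
            return False
        self.counter = c
        return True

class ResyncReceiver(StrictReceiver):
    """Assumed flaw: two consecutive old codes resynchronise the counter."""
    last_old = None

    def receive(self, code):
        if super().receive(code):
            self.last_old = None
            return True
        c = find(code, max(0, self.counter - LOOKBACK), self.counter + 1)
        if c is not None and self.last_old == c - 1:
            self.counter, self.last_old = c, None  # counter rolled back
            return True
        self.last_old = c
        return False

def replay(receiver, captured):
    """Feed previously captured codes to a receiver; return each verdict."""
    return [receiver.receive(code) for code in captured]
```

The strict receiver rejects every code at or behind its counter no matter how many consecutive ones arrive, which is the property a rolling-code implementation has to preserve through any resynchronisation logic.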


How to protect your car against key fob related theft


While vehicle manufacturers are coming up with more robust security measures to protect vehicle owners and make key fob hacking even more difficult, the phenomenon is still common enough to cause concern for vehicle owners.

Depending on manufacturers to provide complete vehicle security might be naïve, and vehicle owners can take other proactive and defensive measures to protect themselves.

  • One popular method of securing the key fob and making it invulnerable to copying and duplication is to store it in a special pouch known as a Faraday pouch or Faraday bag. This blocks the electromagnetic signals emitted by the key fob from leaving the pouch and possibly being intercepted by a nearby device. This would be especially ideal in public places like at work or restaurants. A rudimentary but still effective solution might be to wrap the key fob in aluminium foil, which works on the same principle as the Faraday pouch: blocking the electromagnetic signals emitted by the key fob.



  • In most cases, car keys are kept close to the front entrance of the house for easy access, and while this might be for convenience, it’s also a big security risk. Potential car thieves working in concert and lurking by the front door can intercept the radio frequency signals from the key fob on the other side of the wall, amplify the signal, and relay it to a second device next to the car, thereby accessing it. Key fobs can be placed further away from the door or windows as a measure.

  • For models with the option, deactivating the keyless feature is also a measure to consider.

  • Even when locking the car doors, it would be a good idea to physically check that the car doors are actually locked. An individual with a car key scanner lurking close by can jam the signal from the key fob to the car, and the driver might hurry away assuming the car is locked, especially in cases where there is no beep notification.

  • Keep the car inside a locked garage if possible. This increases the number of barriers for a potential criminal.

  • Park the car in a well-lit area, ideally with security cameras in place, where a lurking thief might be easily spotted or, even better, made uneasy by being in full view of the public or security cameras.

  • The old, tried-and-tested methods still suffice, like steering wheel club locks and GPS/GSM vehicle immobilizers.



 

More Resources

https://www.youtube.com/watch?v=D_3lgxMwrWI : Keyless Car Theft Explained – Protect Your Car from Keyfob Relay Attacks.


1 Comment

Boney Maundu
Oct 05, 2023
Rated 5 out of 5 stars.

Great
