Car theft, especially expensive cars, is at an all-time high because it's just so easy. Edited out, as it seems to divert a technical discussion into an emotional, opinionated one. My mistake.
"Keyless-Go" systems for unlocking and starting cars (the ones where you can leave the key fob in your pocket at all times) are very popular, and a lot of marketing have been invested in them (foot under the rear of the car to open the trunk etc.).
Problem is, they have a catastrophic security flaw by design that can only be addressed by means that eliminate all perceived advantages.
The classic remote control key fob is unproblematic, simply due to fact that it needs to be in the hand of the person unlocking the car. He/she needs to press a physical button on the fob. It's a one-way system, where the fob just contains a UHF transmitter and code generator, plus a passive RFID tag for starting the engine.
Sniffing and replaying the UHF signal doesn't work, as it's rolling code based. In short, it's very secure.
The "Keyless-Go" or RKE system (every car brand has its own name, but they're all the same) is a different story.
Why? Because the fob can be activated from a distance. It no longer needs to be in the hand of someone pressing a key.
How does RKE work?
Architecturally, it's simple.
The key fob has a UHF transmitter for sending the authentificaton code, the car has a corresponding receiver (just like the old-fashioned remote fob).
New is, that the car has a 125 kHz transmitter for activating/challenging the fob and initiating the unlock process. The fob has an active (battery powered) 125 kHz RFID receiver for receiving the car's challenge. This extends the RFID operating range from a couple of centimeters (1") to a couple of meters (6').
The whole process is started by someone touching the door handle (or a certain spot, whatever, depends on car brand) or putting a foot under the trunk, or...
Same thing when starting the car. You press the "Start" button, the 125 kHz challenge is sent to the fob with the UHF transmitter responding.
Sounds hunky-dory, right? The very limited range of the 125 kHz transmission (it's not really radio, but an electromagnetic field) ensures that the person touching the door handle is also holding the key fob (or someone else standing next to him/her). All within view, nice and secure.
So where's the fatal flaw?
If the key fob is a distance away from the car, the 125 kHz electromagnetic field is non-existent and everything is fine. Or is it?
What happens if you range-extend that signal? You'll need a 125 kHz receiver next to the car (easy). And a 125 kHz power transmitter next to the fob (not quite as easy, and you need to know where the fob is). And you'll need a link between the the two (easy, AM-modulated VHF/UHF Tx/Rx off-the-shelf modules).
The UHF signal from the fob also needs to be range-extended, but that's super-easy. Again, off-the-shelf module(s).
The attack itself needs two persons: one next to the car with the 125 kHz receiver, grabbing the door handle. And one next to the fob with the 125 kHz power transmitter.
Done. The person next to the car jumps in, starts the engine and is gone.
Can I protect myself against this?
Two options:
1: always store the fob in a Faraday pouch when not in use. This does not disable 125 kHz reception, but it will block UHF transmission, which is almost as good.
2: some newer cars have an option for turning off 125 kHz reception on the fob. Usually by pressing the "Lock" button three times in quick succession. Unfortunately, the "Look, Mom! I can unlock and start my car without a key!" effect goes away.
But both options completely defeat the "comfort" aspect of the dumbest feature ever invented.
I attach a Product Brief of the NXP PCF7953 IC for your reference. That's the key fob IC used by most major car manufacturers.
Home
Help
Search
Login
Register
