Frame Antenna Key Fob Interceptor: How Thieves Are Using $22 Gadgets to Steal Cars

For years, the vulnerability of keyless entry systems in vehicles has been a known issue, with sophisticated attacks capable of exploiting the wireless signals between key fobs and cars. These so-called relay attacks allow thieves to unlock and even drive away vehicles by manipulating the radio waves intended for secure access. Despite repeated warnings and real-world instances of car theft using these techniques, many car models remain susceptible. Now a team of researchers in China has not only reaffirmed how easy the exploit is but has also demonstrated a significantly cheaper and more accessible way to carry it out, using hardware of the kind described here as a frame antenna key fob interceptor.

Researchers at the cybersecurity firm Qihoo 360 in Beijing recently showcased a relay attack achieved with self-built devices costing a mere $22. This price point is dramatically lower than previous iterations of key-spoofing hardware. Presenting their findings at the Hack in the Box conference in Amsterdam, the Qihoo team, known as Team Unicorn, revealed that their upgraded system also extends the range of the radio attack considerably. This enhanced range enables them to target vehicles parked over a thousand feet away from the owner’s key fob, highlighting the increased threat posed by these low-cost signal-relaying tools.

The core of the relay attack lies in deceiving both the car and the legitimate key fob into believing they are in close proximity to each other. The operation involves two individuals: one hacker positioned near the victim carrying the key fob, and another near the target vehicle. The device near the car acts as a frame antenna key fob interceptor, playing the part of a nearby key so that the vehicle believes one is present. This prompts the car’s keyless entry system to transmit a signal back, seeking verification from the key fob. Instead of attempting to decipher the complex radio code, the hackers’ devices intercept and copy this signal. The copied signal is then relayed by radio between the two hacker devices, bridging the distance and reaching the actual key fob. The key fob’s response travels back along the same chain, convincing the car that the authorized key is within immediate range, and the vehicle unlocks.

“The attack leverages two devices to extend the operational range of the key fob,” explains Jun Li, a member of Team Unicorn at Qihoo. “Imagine you are working in your office or shopping at the supermarket, with your car parked outside. Someone can simply approach you discreetly, while another individual can simultaneously unlock and drive off with your car. It’s that straightforward.” This ease of execution with cheap, simple hardware underscores the urgency of addressing the flaw.

The Evolution of Keyless Entry Exploits

Relay attacks targeting keyless entry systems are not a new phenomenon, dating back to at least 2011 when Swiss researchers demonstrated the technique using expensive software-defined radios costing thousands of dollars. In 2016, the German automobile club ADAC illustrated similar vulnerabilities using equipment estimated at $225. Their study revealed that 24 different vehicle models were susceptible to this hack. Given the slow pace of implementing security upgrades in automotive software and hardware, it is highly probable that many vehicles on that list, spanning brands from Audi to Volkswagen, continue to be vulnerable to these attacks, especially now that far cheaper relay tools are available.

Team Unicorn’s innovation represents a significant advancement in radio relay theft. Rather than merely replicating the raw radio signal in its entirety, they engineered custom devices that incorporate chips to demodulate the signal, breaking it down into digital data. This reverse engineering feat allows them to transmit the decomposed signal bit by bit at a considerably lower frequency. The method achieves a greater range, 1,000 feet compared to the 300 feet observed in the ADAC tests, while simultaneously consuming less energy. Furthermore, the cost of their hardware is significantly reduced. The Beijing-based researchers report spending approximately 150 Chinese yuan, or about $11 per device, on components including chips, transmitters, antennas, and batteries for the two units of their relay system.

Samy Kamkar, a renowned independent security researcher with expertise in keyless entry hacks, finds the team’s reverse-engineering particularly noteworthy. “Previous attacks were akin to using a tape recorder to simply record and replay signals,” Kamkar observes. “These researchers, however, have deciphered the language of the signals. They are essentially writing down the words and then speaking them at the other end.” This deeper understanding of the communication protocol could pave the way for further research into protocol vulnerabilities and more robust countermeasures.

Low Cost, High Risk

During their tests, the Qihoo researchers successfully gained unauthorized access to and drove away with two vehicles: a Qing gas-electric hybrid sedan from BYD, a Chinese automaker, and a Chevrolet Captiva SUV. However, they emphasize that the vulnerability extends beyond these two specific models. Their findings point towards NXP, a Dutch chip manufacturer that supplies keyless entry systems used in the Qing, Captiva, and numerous other vehicles, suggesting a widespread issue affecting many makes and models. They also suggest NXP is likely not the only component manufacturer whose systems are vulnerable to this kind of relay attack.

Birgit Ahlborn, a spokesperson for NXP, acknowledged the growing accessibility of relay attacks. “The industry is aware that the complexity and cost associated with mounting a relay attack has decreased in recent years,” she stated. “Carmakers and car access system integrators are actively introducing solutions to counter these attacks.” However, NXP directed inquiries regarding vulnerabilities in specific vehicle models to the car manufacturers themselves. Neither BYD nor Chevrolet has provided comments in response to requests from WIRED.

Team Unicorn suggests that automakers and component suppliers like NXP could mitigate relay attacks by implementing stricter timing constraints in the communication exchange between the key fob and the vehicle. A relayed reply has to cross the extra distance and pass through the relay hardware in both directions, so it necessarily arrives later than a reply from a fob that is genuinely next to the car. Introducing tighter time limits for the call-and-response signals would therefore let the vehicle reject fraudulent transmissions that originate from a distance, including those carried by a frame antenna key fob interceptor.
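The following Python simulation is an added illustration, not code from the article, from Team Unicorn, or from NXP. It models the exchange described earlier (car challenges, fob replies, a two-device relay carries both messages over a distance) purely at the timing level, and then applies the round-trip time bound the paragraph above proposes. The challenge/response scheme (an HMAC over a random challenge), the shared key, the fob processing time, the time budget and the repeater delay are all constructed assumptions; none are measurements of a real keyless entry system.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed simulation parameters; none of these are measurements from the article.
SPEED_OF_LIGHT_M_PER_US = 300.0   # radio propagation, roughly 3e8 m/s, in metres per microsecond
FOB_PROCESSING_US = 50.0          # assumed time the fob needs to compute its reply
MAX_RTT_US = 52.0                 # assumed car-side budget: processing plus 2 us of slack


def fob_answer(key: bytes, challenge: bytes) -> bytes:
    """The fob's reply to a challenge: a keyed MAC (assumed scheme, not NXP's real protocol)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def car_verify(key: bytes, challenge: bytes, answer: bytes, rtt_us: float,
               max_rtt_us: float = MAX_RTT_US) -> tuple[bool, str]:
    """Car-side acceptance test: the reply must be correct AND arrive within the budget.

    The timing bound is the mitigation the article describes. A relay can carry a
    genuine reply, but it cannot make that reply arrive sooner than the extra
    path length and the repeater hardware allow.
    """
    if not hmac.compare_digest(answer, fob_answer(key, challenge)):
        return False, "bad response"
    if rtt_us > max_rtt_us:
        return False, f"round trip {rtt_us:.2f} us exceeds budget {max_rtt_us:.2f} us"
    return True, "unlock"


def direct_exchange(key: bytes, distance_m: float) -> tuple[bool, str]:
    """Owner standing next to the car: challenge out, reply back, at radio speed."""
    challenge = secrets.token_bytes(16)
    rtt_us = 2 * distance_m / SPEED_OF_LIGHT_M_PER_US + FOB_PROCESSING_US
    return car_verify(key, challenge, fob_answer(key, challenge), rtt_us)


def relayed_exchange(key: bytes, car_to_fob_m: float,
                     repeater_delay_us: float) -> tuple[bool, str]:
    """The two-device relay from the article, modelled only at the timing level.

    The repeaters forward the car's challenge to the real fob and the fob's reply
    back, so the MAC is genuine; what changes is that each direction now covers
    the relay link and pays the repeaters' demodulate/re-encode delay (constructed).
    """
    challenge = secrets.token_bytes(16)
    answer = fob_answer(key, challenge)  # the real fob answers the real challenge
    one_way_us = car_to_fob_m / SPEED_OF_LIGHT_M_PER_US + repeater_delay_us
    return car_verify(key, challenge, answer, 2 * one_way_us + FOB_PROCESSING_US)


def max_relay_distance_m(max_rtt_us: float = MAX_RTT_US,
                         fob_processing_us: float = FOB_PROCESSING_US) -> float:
    """How far a zero-delay relay could reach before the time budget catches it.

    Every microsecond of slack in the round-trip budget buys 150 m of one-way
    range, so a generous timeout is no protection at all; the check only works
    with tight, well-characterised timing.
    """
    return (max_rtt_us - fob_processing_us) * SPEED_OF_LIGHT_M_PER_US / 2


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed shared secret for the simulation
    print("fob at 2 m:           ", direct_exchange(key, 2.0))
    print("relay over 305 m:     ", relayed_exchange(key, 305.0, repeater_delay_us=100.0))
    print("reach with 2 us slack:", max_relay_distance_m(), "m")
```

The point the numbers make is that the cryptography is not what stops a relay: the relayed reply is a perfectly valid MAC. Only the arrival time distinguishes it, and the budget has to be tight enough that the few microseconds of extra flight time over roughly 1,000 feet, plus whatever the repeaters add, push the reply past the deadline.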

An alternative method to protect against these attacks rests with the car owner: storing key fobs in a Faraday bag, which effectively blocks radio transmissions. In situations where a Faraday bag is unavailable, a metal box, such as a refrigerator, can serve a similar purpose. While safeguarding keys in what might seem like a high-tech tinfoil hat may appear overly cautious, the research from Qihoo indicates that attacks on automotive keyless entry systems are poised to become significantly simpler and more prevalent before effective widespread fixes are implemented. The threat of a cheap frame antenna key fob interceptor making car theft easier is a growing concern for vehicle security.
