Key Fob Interceptor: How Thieves Steal Cars with $22 Gadgets

For years, the vulnerability of wireless car key fobs to relay attacks has been a known issue among automakers and security experts. The technique, which relays the key fob's signal over a longer distance so that a vehicle can be unlocked and even driven away, has been demonstrated repeatedly and has resulted in real-world car thefts. Despite these warnings, many car models remain susceptible. Now, researchers in China have not only showcased the attack once more but have also made it significantly cheaper and easier to execute, raising fresh concerns about automotive security.

Researchers at Qihoo 360, a security firm based in Beijing, successfully carried out a relay attack using equipment they assembled for a mere $22. This cost is substantially lower than previous iterations of key-spoofing hardware. These researchers, known as Team Unicorn, presented their findings at the Hack in the Box conference in Amsterdam, highlighting that their advancements have dramatically increased the range of the radio attack. This extended range enables thieves to target vehicles parked over a thousand feet away from the owner’s key fob, emphasizing the growing threat of Key Fob Interceptors.

The core of this attack lies in deceiving both the car and the legitimate key fob into believing they are in close proximity. The process involves two individuals: one positions a device near the victim’s key fob, while a second stands close to the target vehicle with another device. The device near the car acts as a key fob interceptor, impersonating the owner’s key. Its transmission prompts the car’s keyless entry system to send a challenge signal, expecting a specific response from the authentic key. Instead of attempting to decipher this radio code, the devices simply capture and relay it. The key fob interceptor forwards the captured challenge to the device near the key fob, which replays it to the actual key. The key fob’s response is immediately transmitted back through the chain to the car, convincing the vehicle that the key is within valid range and allowing unauthorized access and operation.

“The attack effectively uses two devices to extend the operational range of the key fob,” explains Jun Li, a member of Team Unicorn at Qihoo 360. “Imagine you are working in your office or shopping at the mall, with your car parked outside. Someone can discreetly approach you with a key fob interceptor, while another individual can simultaneously unlock and drive off with your car. It’s remarkably straightforward.”

[Image: demonstration of a key fob interceptor attack, showing a device held near a car key to relay its signals.]

Relay attacks targeting keyless entry systems are not a novel concept. They date back to at least 2011, when Swiss researchers initially demonstrated the technique using expensive software-defined radios costing thousands of dollars. In 2016, the German automobile club ADAC showcased similar results using equipment estimated at around $225. Their study revealed that 24 different car models remained vulnerable to this exploit. Given the widespread nature of the problem and the slow pace of security updates in the automotive industry, many vehicles from manufacturers like Audi, BMW, Ford, and Volkswagen, listed in the ADAC report, are likely still susceptible to these key fob interceptor attacks.

However, Team Unicorn’s research has pushed the boundaries of radio relay theft even further. Instead of simply recording and retransmitting the raw radio signal like a “tape recorder,” they engineered custom devices equipped with chips capable of demodulating the signal. This process involves breaking down the signal into its digital components (ones and zeros). This sophisticated reverse engineering allows them to transmit the decomposed signal bit by bit at a much lower frequency. This technique not only extends the attack range to 1,000 feet, significantly surpassing the 300-foot range achieved in the ADAC tests, but also reduces energy consumption and hardware costs. The Beijing-based researchers reported spending approximately 150 Chinese yuan, or about $11 per device, on components including chips, transmitters, antennas, and batteries.

Samy Kamkar, a renowned independent security researcher known for his own keyless entry hacks, finds the team’s signal reverse-engineering particularly noteworthy. “Previous attacks were like using a tape recorder to capture and replay the signal,” Kamkar explained. “These researchers, however, have deciphered the ‘language’ of the signal. It’s akin to understanding the words, writing them down, and then speaking them at the receiving end.” This deeper understanding of the communication protocol could pave the way for further research into vulnerabilities and potential countermeasures against key fob interceptor threats.

[Image: close-up of the electronic components used in the relay devices, illustrating the low cost of the attack hardware.]

In their tests, the Qihoo researchers successfully unlocked and drove away two vehicles using their key fob interceptor: a Qing gas-electric hybrid sedan from Chinese automaker BYD and a Chevrolet Captiva SUV. However, they emphasize that the vulnerability extends beyond these specific models. They point to NXP, a Dutch chip manufacturer that supplies keyless entry systems for the Qing, Captiva, and numerous other vehicles, suggesting a wider industry issue. They also believe that NXP is not the only component manufacturer whose systems may be vulnerable to such attacks.

Birgit Ahlborn, a spokesperson for NXP, acknowledged the growing accessibility of relay attacks. “The industry is aware that the complexity and cost associated with mounting a relay attack has decreased in recent years,” Ahlborn stated. “Carmakers and car access system integrators are actively introducing solutions to counteract these attacks.” However, NXP directed inquiries about vulnerabilities in specific car models to the car manufacturers themselves. Neither BYD nor Chevrolet responded to requests for comment from WIRED.

Team Unicorn suggests that automakers and component suppliers like NXP could mitigate key fob interceptor attacks by implementing stricter timing constraints in the communication exchange between the key fob and the car. By enforcing tighter time limits for the call-and-response signals, relaying signals from distant devices could be prevented, as the fraudulent transmission would likely exceed the allowed time window and be rejected.
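As an added illustration of the timing constraint Team Unicorn proposes, the following model checks the round-trip time of the challenge/response and rejects a reply that arrives too late for the intended range. It is example code written for this page, not Qihoo's, NXP's or any automaker's implementation; the shared key, processing times and relay latencies are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Simplified keyless-entry challenge/response with a round-trip time bound.
# Not a real vendor protocol; all timing figures below are constructed.
LIGHT_M_PER_US = 300.0  # radio propagation: roughly 300 metres per microsecond


class Fob:
    def __init__(self, key: bytes, compute_us: float = 50.0):
        self.key = key
        self.compute_us = compute_us  # assumed time to compute a response

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()[:8]


class Link:
    """Path between car and fob: direct, or through relay boxes."""
    def __init__(self, distance_m: float, relay_hops: int = 0, hop_us: float = 0.0):
        self.distance_m, self.relay_hops, self.hop_us = distance_m, relay_hops, hop_us

    def round_trip_us(self, compute_us: float) -> float:
        flight = 2 * self.distance_m / LIGHT_M_PER_US
        # each relay box must receive, demodulate and re-send on both legs
        return flight + compute_us + 2 * self.relay_hops * self.hop_us


class Car:
    def __init__(self, key: bytes, max_range_m: float, fob_compute_us: float, margin_us: float):
        self.key = key
        # budget: flight time for the intended range, fob processing, plus jitter margin
        self.max_rtt_us = 2 * max_range_m / LIGHT_M_PER_US + fob_compute_us + margin_us

    def authenticate(self, fob: Fob, link: Link) -> tuple:
        challenge = secrets.token_bytes(8)  # fresh nonce per attempt
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()[:8]
        response = fob.respond(challenge)
        rtt = link.round_trip_us(fob.compute_us)
        if not hmac.compare_digest(response, expected):
            return False, "bad response"
        if rtt > self.max_rtt_us:
            return False, f"too slow: {rtt:.1f}us > {self.max_rtt_us:.1f}us"
        return True, f"ok: {rtt:.1f}us"


def demo() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed shared key
    fob = Fob(key)
    car = Car(key, max_range_m=10, fob_compute_us=fob.compute_us, margin_us=5)
    return {
        "direct": car.authenticate(fob, Link(distance_m=2))[0],
        "relay_1000ft": car.authenticate(fob, Link(distance_m=300, relay_hops=2, hop_us=100))[0],
        "wrong_key": car.authenticate(Fob(b"other-key"), Link(distance_m=2))[0],
    }
```

Because radio covers about 300 metres per microsecond, a margin loose enough to absorb microseconds of jitter also covers the article's 1,000-foot distance unless the relay hardware itself adds delay, so a robust version of this check needs nanosecond-scale timing rather than the microsecond budget modelled here.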

For car owners, a practical preventative measure is to store keys in a Faraday bag, which effectively blocks radio transmissions. Alternatively, a simple metal box, like a refrigerator, can serve the same purpose in a pinch. While storing keys in a Faraday bag might seem overly cautious, the research from Qihoo indicates that attacks on keyless entry systems, facilitated by devices like key fob interceptors, are becoming increasingly easier and more prevalent. This trend suggests that these attacks may become even more common before effective industry-wide fixes are implemented, making personal preventative measures increasingly important.
