Updated: Dec 31, 2020
Welcome back, my aspiring cyber warriors!
As automobiles become increasingly complex and digital, the opportunities for hacking these transportation vehicles increase exponentially. One of the many conveniences that these new cars offer is proximity door locking/unlocking and engine starting. This feature was first introduced in 1999 and is known as Passive Keyless Entry and Start (PKES). When the key fob holder is near the vehicle, the door automatically unlocks and the same is true for starting the car. Very often these cars start simply by pushing a button and only when the key fob is near. Without the key fob, the thief is stymied. These electronic measures were designed by safety and convenience, but since they are electronic they can--of course--be hacked.
These key fobs emit a low energy (LF) unique signal with the vehicle ID to the car that relays to the vehicle that the owner is near. What if we could amplify and relay that signal from the key fob and fool the car that the owner is nearby?
That is exactly what this hack does!
Signal Amplification Relay Attack (SARA)
Numerous ways have been developed to hack the keyless entry system, but probably the simplest method is known as SARA or Signal Amplification Relay Attack. In this hack, the attacker simply relays the RF signal across a longer distance. Normally, the key fob signals when the owner is in proximity of the vehicle and unlocks the car. In this hack, two transmitters are used. One picks up the signal from the key fob, amplifies it and then transmits it to another receiver near the vehicle. The receiver then copies the relayed signal and transmits it in proximity of the vehicle. The vehicle's controller unit detects the signal sensing the owner is nearby and opens the vehicle door.
The beauty of this hack is that although the signals between the vehicle and the key fob are encrypted, it is not necessary to decrypt the message, it is simply transmitted in its entirety. In some ways, its similar to the pass the hash attack, where the attacker simply presents the password hash without decrypting it.
Check out this video below of car thieves using this hack in the wild.
The Relay Attack
Let's take a look at this hack in a bit more detail.
In this attack, the signal from the key fob is relayed to a location near the vehicle to trick the keyless entry system that the key fob is near and open the door.
Step #1: Capture LF Signal from Vehicle
This hack relays the Low Frequency (LF) signals from the vehicle over a Radio Frequency (RF) link. Each RF link is composed of;
1. an emitter
2. a receiver
Step #2: Convert the LF to 2.5GHZ and Send to Receiver
The emitter captures the Low Frequency (LF) signal from the vehicle and converts to 2.5GHz. This signal is then sent over the air (up to 100m) to the receiver which converts it back to a LF signal.
Step #3: Amplify the Signal and Send to LF Antenna
The LF signal at the receiver is amplified and sent to a loop LF antenna which replicates the signal originally sent by the vehicle. A loop LF antenna is then used to transmit the signal to open the door and then start the engine.
I will be expanding upon this and other methods of hacking the keyless entry system (yes, there are others) in future tutorials. For more on automobile hacking, check out our Automobile Hacking LIVE course. For more on Radio Hacking, check out my series on SDR for Hackers.