A Safety Issue: Keyless Entry Vehicle Thefts are more common than you think!
Whether it is a fleet vehicle or the one you drive at home, keyless vehicle theft means a motor vehicle being stolen without use of the owner's key. This can be done in a number of ways, such as towing the vehicle away or hot-wiring it, but an increasing number of electronically controlled vehicles are being taken by organized criminals who exploit the electronics themselves.
They get into the vehicles in a number of ways, from using a jammer to block the radio signal when the victim presses the fob to lock the car (so that it never actually locks), to simply smashing the driver's side window.
Once inside, they plug a programming device into the on-board diagnostic (OBD) port and use it to pair a blank key with the vehicle, so that the new key is accepted as if it were the owner's and the car can be driven away. This can take just seconds.

Traditional keyed ignition systems work by inserting a physical key into an ignition cylinder and rotating it to start the car. Modern vehicles with keyed ignitions add another layer of security through an immobilizer, which looks for a unique RFID transponder chip in the key before allowing the engine to start. Keyless-ignition vehicles work in a similar manner, but the engine is started by pressing a button on the dash instead of turning a key. Many keyless systems use the same type of RFID chip to authenticate the key before allowing the vehicle to be started.
Where does the vehicle safety standard fit in? Federal Motor Vehicle Safety Standard (FMVSS) 114 is intended to prevent vehicle theft and the unintended rolling of unoccupied vehicles. Two of its provisions are familiar to most drivers. One requires that an automatic-transmission vehicle be placed in "park" before the key can be removed, which prevents a car from being left in "drive" and rolling away after the driver exits. The other requires that the vehicle cannot be operated after the key is removed from the starting system. Both are common-sense and effective answers to common safety hazards, and both were written with a physical key in mind.
In one test of 24 different cars from 19 manufacturers, all 24 were easily opened by amplifying and relaying the signal from a key fob left inside the owner's house.
Not only can thieves unlock the car this way; because the same relayed exchange satisfies the push-button start, they can also drive it away.
"This clear vulnerability in wireless keys facilitates the work of thieves immensely. The radio connection between keys and car can easily be extended over several hundred meters, regardless of whether the original key is, for example, at home or in the pocket of the owner."
These are the cars that were successfully opened: Audi A3, A4 and A6; BMW 730d; Citroen DS4 CrossBack; Ford Galaxy and EcoSport; Honda HR-V; Hyundai Santa Fe CRDi; Kia Optima; Lexus RX 450h; Mazda CX-5; MINI Clubman; Mitsubishi Outlander; Nissan Qashqai and Leaf; Opel Ampera; Range Rover Evoque; Renault Trafic; Ssangyong Tivoli XDi; Subaru Levorg; Toyota RAV4; and Volkswagen Golf GTD and Touran 5T.
In contrast, most smart key systems allow the engine to keep running indefinitely after the fob leaves the vehicle and passes out of transmission range; the car can be driven until it runs out of gas, provided it is not shut down. Likewise, the car can be shut down while still in "drive" and the fob carried out of range, leaving the vehicle susceptible to unintended rolling.
Because the fob works without ever leaving a pocket or purse, the driver gets no physical reminder that the car is still running or still in gear. The result: carbon monoxide related deaths and injuries have been reported where cars either failed to shut down or were inadvertently left running after the driver walked away with the fob, and vehicles left in gear have rolled away, causing severe injuries and property damage.
A growing number of reports and complaints to the National Highway Traffic Safety Administration (NHTSA) show that this problem is getting worse and requires substantial, prompt industry-wide corrective action by manufacturers or intervention by the federal government.
Keyless Go (also Keyless Entry / Go or Passive Entry / Go) is a generic term for an automotive technology that lets a driver lock and unlock a vehicle without pressing the buttons on the SmartKey. Once a driver enters a vehicle carrying a Keyless Go SmartKey or a wallet-sized Keyless Go card, they can start and stop the engine without inserting the SmartKey. A transponder built into the SmartKey lets the vehicle identify the driver. An additional safety feature makes it impossible to lock a Keyless Go SmartKey inside the vehicle. After a few years on the market, other luxury car manufacturers copied the technology, followed by some economy brands.
The system works with a set of LF (low frequency, 125 kHz) transmitting antennas both inside and outside the vehicle; the external antennas are located in the door handles. When the vehicle is triggered by a pull or a touch on the handle, an LF signal is transmitted from the antennas to the key. If the key is close enough for the weak LF field to reach it, it wakes up and transmits its ID back to the vehicle over RF (radio frequency, above 300 MHz) to a receiver in the vehicle. If the ID is correct, the PASE (Passive Start and Entry) module unlocks the vehicle. Note that the short range of this exchange comes entirely from the limited reach of the LF field, not from any distance check the vehicle performs; that is the assumption a relay attack breaks.
The hardware blocks of a Keyless Entry / Go electronic control unit (ECU) follow its functions:
· transmitting low frequency (LF) signals via the 125 kHz power amplifier block
· receiving radio frequency (RF) signals (> 300 MHz) via the built-in ISM-band receiver block
· encrypting and decrypting all relevant data signals (security)
· communicating relevant interface signals with other electronic control units
· microcontroller
It is important that the vehicle cannot be started when the user, and therefore the smart key, is outside the vehicle. This matters most at fueling stations, where the user stands very close to the car. To limit this risk, the internal LF field is allowed to overshoot the cabin by at most 10 cm. The largest overshoot is usually found at the side windows, where the glass attenuates the signal very little.
Relay Station Attack
Another attack scenario goes by the name "relay station attack" (RSA; the acronym has nothing to do with the RSA cryptosystem). The idea is to bridge the long physical distance between the car and the owner's SmartKey. Two relay stations are needed: one placed near the car and one near the SmartKey. To the Keyless Entry / Go ECU and the SmartKey it then looks as if they were next to each other, so they complete their exchange, and a third person at the car can pull the door handle and the door opens. Keyless Entry / Go systems can include provisions to detect a relay and refuse the two-way communication, although the test results above show that many systems on the road lack effective ones. Some of the best-known provisions are:
· measuring group delay (round-trip time) to detect values too high for a fob within direct range
· measuring the third-order intercept point to detect intermodulation products introduced by a relay's amplifiers
· measuring the field strength of the electric field
· measuring the response time of the 125 kHz LC circuit
· using a more complex modulation (e.g. quadrature amplitude modulation) that a simple relay station cannot demodulate and remodulate
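The following is an added example, not code from the original page or from any vehicle manufacturer. It models the LF challenge / RF response exchange described above and the relay station attack against it, together with the first countermeasure in the list (bounding the group delay). The fob authentication is assumed to be an HMAC-SHA256 challenge-response, standing in for the unnamed "encrypting and decrypting" block of the ECU; the range, fob processing time, timing tolerance and relay latency are assumed figures chosen to make the model readable, not measurements from a real car.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# All figures below are assumptions for the model, not values from any real vehicle.
C_M_PER_S = 299_792_458          # radio propagation speed
MAX_KEY_RANGE_M = 3.0            # how far the 125 kHz LF wake-up field is meant to reach
KEY_PROCESSING_S = 2e-6          # fob compute time the ECU calibrates out of the round trip
JITTER_TOLERANCE_S = 10e-9       # slack allowed for fob clock jitter
RTT_LIMIT_S = 2 * MAX_KEY_RANGE_M / C_M_PER_S + KEY_PROCESSING_S + JITTER_TOLERANCE_S
KEY_ID_LEN, MAC_LEN = 4, 8


@dataclass
class SmartKey:
    key_id: bytes
    secret: bytes

    def respond(self, challenge: bytes) -> bytes:
        """Answer the LF challenge over the RF link: key ID || truncated HMAC(secret, challenge)."""
        mac = hmac.new(self.secret, challenge, hashlib.sha256).digest()[:MAC_LEN]
        return self.key_id + mac


class PaseEcu:
    """Passive Start and Entry module: checks the fob's MAC and, optionally, the group delay."""

    def __init__(self, keys: dict[bytes, bytes], enforce_timing: bool = True):
        self.keys = keys                  # key_id -> shared secret (paired at the factory)
        self.enforce_timing = enforce_timing

    def challenge(self) -> bytes:
        return os.urandom(8)              # fresh nonce per door-handle pull; defeats replay

    def verify(self, challenge: bytes, response: bytes, rtt_s: float) -> tuple[bool, str]:
        if len(response) != KEY_ID_LEN + MAC_LEN:
            return False, "malformed response"
        key_id, mac = response[:KEY_ID_LEN], response[KEY_ID_LEN:]
        secret = self.keys.get(key_id)
        if secret is None:
            return False, "unknown key"
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(mac, expected):
            return False, "bad MAC"
        # A relayed fob produces a perfectly valid MAC; only timing can tell it is far away.
        if self.enforce_timing and rtt_s > RTT_LIMIT_S:
            return False, "round trip %.0f ns exceeds limit %.0f ns" % (rtt_s * 1e9, RTT_LIMIT_S * 1e9)
        return True, "unlock"


def round_trip_time(distance_m: float, relay_latency_s: float = 0.0) -> float:
    """Car -> fob -> car propagation, plus fob processing, plus any relay electronics delay."""
    return 2 * distance_m / C_M_PER_S + KEY_PROCESSING_S + relay_latency_s


def slack_distance_m(tolerance_s: float) -> float:
    """Extra one-way distance a given timing tolerance lets a relay hide."""
    return tolerance_s * C_M_PER_S / 2


def attempt_unlock(ecu: PaseEcu, key: SmartKey, distance_m: float,
                   relay_latency_s: float = 0.0, forge: bool = False) -> tuple[bool, str]:
    """One door-handle pull. A relay forwards challenge and response unchanged; it only adds delay."""
    ch = ecu.challenge()
    resp = key.respond(ch)
    if forge:                              # thief without the fob: cannot compute the MAC
        resp = resp[:KEY_ID_LEN] + os.urandom(MAC_LEN)
    return ecu.verify(ch, resp, round_trip_time(distance_m, relay_latency_s))


def demo() -> dict[str, tuple[bool, str]]:
    key = SmartKey(key_id=b"\x00\x00\x00\x01", secret=os.urandom(16))
    hardened = PaseEcu({key.key_id: key.secret})
    naive = PaseEcu({key.key_id: key.secret}, enforce_timing=False)
    return {
        "owner at the door (1 m)": attempt_unlock(hardened, key, 1.0),
        "relay, fob 40 m away in the house, naive ECU": attempt_unlock(naive, key, 40.0, relay_latency_s=500e-9),
        "same relay, ECU with group-delay check": attempt_unlock(hardened, key, 40.0, relay_latency_s=500e-9),
        "forged response without the fob": attempt_unlock(hardened, key, 1.0, forge=True),
    }


if __name__ == "__main__":
    for scenario, (ok, why) in demo().items():
        print(f"{scenario:48s} -> {'UNLOCK' if ok else 'REJECT'} ({why})")
    print(f"a 1 us tolerance hides a relay up to {slack_distance_m(1e-6):.0f} m away")
```

Two things the model makes visible. First, the relay never touches the cryptography: the naive ECU accepts the relayed response because the MAC is genuine, which is why stronger encryption alone does not fix the attack. Second, the group-delay check is only as good as its tolerance: radio covers about 15 cm per nanosecond of round trip, so `slack_distance_m` shows that a 1 µs allowance for fob jitter would let a relay sit some 150 m away undetected, while the 10 ns used here hides roughly 1.5 m.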
Furthermore, the Keyless Entry / Go ECU communicates with other control units in the same vehicle. Depending on the vehicle's electrical architecture, it can enable or disable control systems such as:
· ESCL Electric Steering Column Lock
· EIS Electronic Ignition Switch
· Central door locking system
· Immobiliser
· Engine Control Unit (Motor management system)
· BCU Body control unit