"Passive" electronic keys for cars - not very serious protection

Direct proof of this is the work of a team of security systems experts from the University of Zurich. The research team proved that passive car security systems are very easy to crack (it’s easy, of course, for security experts, and not for the schoolboy Petya, but Petya, with $ 100 and some knowledge, will be able to steal such a car). Maybe it’s too early to talk about the possibility of hijacking cars with a PKES protection system, but experts were able to overcome various protection systems for different cars using publicly available equipment. The cost of equipment necessary for car theft of various models ranges from 50 to 1000 dollars.

How is all this going on? The principle is very simple - a system of signal repeaters is used, which transmit the signal of the electronic key located in the pocket of the car owner to the door opening system and engine plant. Signal transmission through such a system is possible over long distances - hundreds of meters, if not kilometers. In principle, it all depends on the number of repeaters and the reliability of the signal transmission system.

Experts were able to crack PKES of ten car models from eight different manufacturers. It is worth noting that the possibility of hijacking cars protected by PKES is a very attractive opportunity for car thieves. There are difficulties here, for example, if the engine is turned off, the second time the hijacker will no longer be able to start it. Why? Let's see how it all works.

As already mentioned, the system is simple. Almost all PKES systems open the car door when the owner approaches, plus the engine starts. Conveniently? Of course, you don’t need to get the key out of your pocket or press a button. But the drawback of such a system is the constant broadcasting of a signal, which is enough to pick up, perhaps strengthen, and direct to the door opening system in the car.

Researchers used ring antennas for hacking, one of which was located closer to the door lock opening system, while the second was located close to the electronic key. The first antenna picks up and transmits a car signal, which is then transmitted to a second antenna located next to the key. That, in turn, reacted to the "native" signal, transmitting a response signal. Now, the second antenna picks up the key signal, transmitting to the first antenna, located next to the door opening system. The latter, having received a familiar signal, opens the door and starts the engine (for the engine plant, the first antenna moved directly to the car interior, and the hijacker pressed the start button).

That's all - the car is hacked and ready to travel any distance. A small problem for the hijacker is that some cars, having moved a decent distance from the key, start to respond, an appropriate signal is heard in the cabin. But since the car is in motion, the car’s security system does not allow it to stop, and the hijacker can steer wherever you like. Other car models did not react at all to removal from the key. Of course, if you turn off the engine, it will not go anywhere. But the hijacker is unlikely to turn off the engine - after all, you usually need to deliver the car to a known address, where the hijacker's partner team will already receive it.

Researchers claim that this method of hacking a security system is very simple, and car manufacturers should pay attention to this problem. Otherwise, PKES will not get much distribution - who needs a car that anyone can steal, who has the necessary equipment and a little technical knowledge?

Via ieee