
Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

Discussion in 'Gen 3 Prius Main Forum' started by observing, Jan 19, 2011.

  1. observing

    observing Junior Member
    Joined: Jul 3, 2009 | Location: Baltimore, MD | Vehicle: 2010 Prius | Model: II
    RobH's explanation is consistent with the paper's description of passive access control in normal mode (Section 2.3). I think that answers your question, qbee42. The thief positions the transmitter next to the door handle to relay the outside LF signal. Then, the thief gets in the car to relay the inside LF signal.
     
  2. qbee42

    qbee42 My other car is a boat
    Joined: Mar 2, 2006 | Location: Northern Michigan | Vehicle: 2006 Prius
    But it still doesn't explain how the LF relay gets to the fob, unless the attacker gets very close to the person carrying the fob. Transmitting LF over long distances requires a very large antenna, which is not something practical to set up in a parking lot. Lacking the large antenna array, you can do as you suggest, which is to up-convert and then down-convert close to the fob, but this approach requires someone to shadow the person carrying the fob. The newly down-converted LF needs to be within a few feet of the fob. It could be done, but it's not very practical, and more likely to arouse suspicion than hauling the car away on a flatbed.

    Unless we can come up with a better explanation, it still seems likely that these relay attacks were with less sophisticated fob systems lacking encoded LF position sensing.

    Tom
     
  3. phoenixgreg

    phoenixgreg Senior member
    Joined: Apr 7, 2010 | Location: Phoenix | Vehicle: 2010 Prius | Model: II
    At first, I was skeptical about why my dealership added a KARR alarm system to my Prius since there was already one from the factory. The cost was $700, which I thought was steep, but the KARR system goes beyond Toyota's system in several ways:

    1) If triggered, the fuel delivery system is shut down
    2) KARR has a shatter and motion sensor so if you bump the car or smash the window, it will go off
    3) The KARR system has "rolling code" technology much like garage door openers

    I rarely quote Wikipedia, but here's an explanation on rolling codes:

     
  4. qbee42

    qbee42 My other car is a boat
    Joined: Mar 2, 2006 | Location: Northern Michigan | Vehicle: 2006 Prius
    I think we all understand how rolling code systems work, but that doesn't apply to this discussion. The whole purpose of using a relay attack is to avoid having to crack the rolling code. Properly designed, rolling code systems are very difficult to crack. Earlier systems used short keys, which is akin to putting a weak lock on your house. The new fob systems are much more robust.

    That brings us back to the relay attack. A relay attack avoids having to deal with rolling codes by letting the fob work as intended, but from a long distance and unassisted by the person carrying the fob.

    My original question stands: how do they manage to spoof the LF localization in a system like the one on the Prius? I'm not saying it can't be done, but I don't see how in a practical manner.

    Tom
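Added example (not from this thread or from the paper it discusses): a constructed toy model of a challenge/response handshake with a rolling counter. It shows why a relay passes the rolling-code check, since the fob answers a genuine, fresh challenge, and that only a round-trip-time bound (an assumed countermeasure, not part of this thread) tells the relayed case apart. The key, delays, bound and message format are all assumptions, not the Prius SKS protocol.

```python
import hashlib, hmac, os
from dataclasses import dataclass

# Constructed toy model, not Toyota's protocol: the car sends a random LF challenge,
# the fob answers with a rolling counter and a MAC over (challenge, counter).
SHARED_KEY = b"constructed-demo-key"   # assumption: symmetric key set when the fob is paired
DIRECT_HOP_US = 5.0                     # assumed one-way air time with the fob next to the car
RTT_BOUND_US = 50.0                     # assumed round-trip bound a distance-bounding car enforces

def _mac(key: bytes, challenge: bytes, counter: int) -> bytes:
    return hmac.new(key, challenge + counter.to_bytes(4, "big"), hashlib.sha256).digest()

@dataclass
class Fob:
    key: bytes
    counter: int = 0
    def respond(self, challenge: bytes):
        self.counter += 1               # rolling code: every answer carries a fresh counter
        return self.counter, _mac(self.key, challenge, self.counter)

@dataclass
class Car:
    key: bytes
    last_counter: int = 0
    def verify(self, challenge: bytes, counter: int, mac: bytes) -> bool:
        # Replayed or forged responses fail here; a relayed live response does not.
        if counter <= self.last_counter:
            return False
        if not hmac.compare_digest(_mac(self.key, challenge, counter), mac):
            return False
        self.last_counter = counter
        return True

def unlock_attempt(car: Car, fob: Fob, relay_delay_us: float = 0.0) -> dict:
    """One handshake; relay_delay_us models the extra one-way latency of an
    LF -> 2.5 GHz -> LF relay link (0 means the owner is standing at the door)."""
    challenge = os.urandom(8)
    counter, mac = fob.respond(challenge)   # the real fob answers the real challenge
    rtt_us = 2 * (DIRECT_HOP_US + relay_delay_us)
    return {
        "crypto_ok": car.verify(challenge, counter, mac),  # rolling code + MAC accepted
        "rtt_us": rtt_us,
        "within_bound": rtt_us <= RTT_BOUND_US,            # only timing exposes the relay
    }

if __name__ == "__main__":
    car, fob = Car(SHARED_KEY), Fob(SHARED_KEY)
    print("owner at door:", unlock_attempt(car, fob))
    print("relayed fob  :", unlock_attempt(car, fob, relay_delay_us=400.0))
```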
     
  5. observing

    observing Junior Member
    Joined: Jul 3, 2009 | Location: Baltimore, MD | Vehicle: 2010 Prius | Model: II
    As described in the paper, the LF signal is up-converted to 2.5GHz before it is relayed. As you correctly noted, the antenna for a 2.5GHz signal is a much more discreet size. The receiver that down-converts the 2.5GHz signal back to the LF signal is placed where the fob owner is likely to pass, such as the doorway of a parking garage. The full scenario was also described in the paper and seemed very practical to me.
     
  6. RobH

    RobH Senior Member
    Joined: Sep 18, 2006 | Location: Sunnyvale, California | Vehicle: 2006 Prius
    The range of the LF signal could be extended quite a bit by using a better antenna and higher power at the keyfob end of the relay. Like a ferrite core with a coil tuned to the LF frequency. Run it at, say, 10 watts instead of the 0.1 watt that the standard oscillator puts out. It's still going to be limited range, but a lot more than 3 feet.
     
  7. qbee42

    qbee42 My other car is a boat
    Joined: Mar 2, 2006 | Location: Northern Michigan | Vehicle: 2006 Prius
    That makes sense. The key is to be able to physically localize the fob. If it were just RF, you could spray the whole area and get the job done. With the added LF, you need to do something like the door trick. Either that or walk around with a really big antenna. :D

    You would also have to work pretty fast, otherwise the fob would be out of range for the second activation. You need to trigger the fob twice: once to open the driver's door, and a second time to start the car. A moving fob (walking person) and a fixed antenna make for a limited amount of contact time.

    Tom
     
  8. rrolff

    rrolff Prius Surgeon
    Joined: Aug 19, 2009 | Location: So Cal | Vehicle: 2010 Prius | Model: III
    If anyone here thinks the 'key' transmitted to unlock/start the car is simple rolling codes - I suggest a bit more research on the 3DES algorithm - as it relates to DUKPT (derived unique key per transaction).

    There is a reason only the dealer can program a used FOB - and this process is done in a secured environment.

    None of the above is a fact - as I have no direct knowledge - but indirectly dealing with more secure RFID systems, 3DES etc, and having to deal with getting a dealer to reprogram a used FOB - all suggests the above is true.

    Dealers on their own cannot program a used FOB (they have to call a secure Toyota specific number).

    Dealers cannot program a new FOB without a currently active one.
     
  9. wildbottom

    wildbottom New Member
    Joined: Dec 13, 2007 | Location: California | Vehicle: 2005 Prius
    Or you have the Key code that came with the Prius at purchase time (for the 2nd Gen). Not sure if it would be different for the 3rd. They use a similar SKS system.
     
  10. wildbottom

    wildbottom New Member
    Joined: Dec 13, 2007 | Location: California | Vehicle: 2005 Prius
    Well, the best measure is prevention. You can buy an anti-radiation bag/pouch for $4 on eBay. Or make your own by lining the inside of a bag or pouch with aluminum foil. I use the aluminum packaging from my Harney & Sons organic tea bags. Fits perfectly and works. I couldn't open my door or start my Prius while my keyfob was in the tea bag packaging.
     
  11. cit1991

    cit1991 New Member
    Joined: Apr 5, 2010 | Location: Tulsa, OK | Vehicle: 2010 Prius | Model: IV
    You can also add protection by installing a hidden kill switch. A little more complicated on a Prius, but I'm sure it can still be done.
     
  12. wildbottom

    wildbottom New Member
    Joined: Dec 13, 2007 | Location: California | Vehicle: 2005 Prius
    Did you mean adding a switch to disable the SKS like on the 2nd Gen? Or a bypass for the Start Button? Or a bypass for the 12V battery?

    One likely place to put the kill switch is at the jumping post in the hood. Toyota recommends undoing the jumping terminal on the 3rd when storing for more than 10 days. The weird thing is that the connection (I believe it is the + post) should not be removed unless you undo the negative from the battery, or else you should be careful of some serious arcing, shorting and blown fuses.

    Too complicated. Plus, if you disable the 12V, you'll lose the radio presets and other customizations on your Prius.

    Just buy or make an anti-radiation (metal, such as aluminum) lining for your purse or pockets. I don't think it's such a big deal for me unless I have something of value inside my Prius.
     
  13. cit1991

    cit1991 New Member
    Joined: Apr 5, 2010 | Location: Tulsa, OK | Vehicle: 2010 Prius | Model: IV
    I was thinking something simpler, like cutting out the brake light switch so you can't put it into READY and drive off.
     
  14. 2009Prius

    2009Prius A Wimpy DIYer
    Joined: Mar 25, 2009 | Location: USA | Vehicle: 2009 Prius
    Good idea! Where would you put the switch so it's hard to find but easily accessible by the owner?
     
  15. Politburo

    Politburo Active Member
    Joined: Feb 15, 2009 | Vehicle: 2009 Prius
    I believe the key code only applies to the mechanical key in the fob, not the electronic portion.
     
  16. cit1991

    cit1991 New Member
    Joined: Apr 5, 2010 | Location: Tulsa, OK | Vehicle: 2010 Prius | Model: IV
    Anywhere. Center console under the cup holder. Under the front of the driver's seat. Get an old-school foot dimmer switch and mount it under the carpet behind the brake pedal. Lower glove box ceiling. Get a push-on-push-off type button and mount it under the headliner somewhere, where only you know where to feel for it.

    The point is that the thief will know his key is working because it powers up when he presses the power button, but it won't go READY or come out of park. He'll give up before he starts tearing it apart looking for a kill switch that might not even be there.
     