[mcpherrinm]

That doesn't fix this exploit at all: This is merely an analog device amplifying other radio waves.

The only way to secure against the described exploit is to measure round-trip-time from the car -> key -> car and ensure it's under, say 5 light-meters: aka 16 nanoseconds, plus the carefully calibrated time it takes the key to compute its response.

16 nanos is a very short amount of time, and it'll be tricky to measure that reasonably accurately.

The real solution is to require the user to interact with the key in some way, like pressing a button, or perhaps moving it around (as would happen as you walked with it in your pocket).

[MertsA]

>perhaps moving it around (as would happen as you walked with it in your pocket).

One attack vector is stealing cars out of a supermarket parking lot. You just wait for someone to drive up in the model car of your choice and have your accomplice discreetly follow them into the store. When your accomplice texts you that they are at the bread aisle/back of the store you can just steal with impunity knowing that a bystander will see no difference between the actual owner who has the key in his pocket and you with your relay device in your pocket. You also know that your victim is in the back of the store and that they can't get within sight of you before you're already long gone.

[pandaman]

My car seems to be able to tell if the key is inside or outside pretty accurately so I think it can already figure out the distance to the key (though might be using something like RFID for that, which is not very secure).

[csours]

The whole point is the the car is using signal strength as a proxy for proximity, which is unreliable when you can use an transceiver and/or amplifier to boost the signal strength from a remote key.

[pandaman]

Not sure if you've miss-replied, but in case you imply the key location works on signal strength I doubt that very much.

[csours]

Do you have a source for your doubt? It would be more technically accurate to say that the car is dependent on signal fall-off than signal strength, but that seems to be a distinction without a difference to me.

>A PKES car key uses an LF RFID tag that provides short range communication (within 1-2 m in active and a few centimeters in passive mode) and a fully-fledged UHF transceiver for longer range communication (within 10 to 100 m). The LF channel is used to detect if the key fob is within regions Inside and Outside of the car. Figure 2(b) shows the areas in proximity of the car that must be detected in order to allow a safe and convenient use of the PKES system. The regions are as follows. [1]

1. http://www.syssec.ethz.ch/content/dam/ethz/special-interest/...

[pandaman]

As you can see on the picture yourself, the inside/outside zones are very close to each other. Locating a key with such a precision based on the signal strength alone does not seem possible for following reasons: the key's transmitter is too small to provide stable signal level, the key is located in very anisotropic environment, the car itself changes its shape and hence RF loss from different directions.

[csours]

Let's assume that each of us knows what we are talking about.

Yes, the actual key itself is located by the car based on Low Frequency RFID.

The attack described is a relay attack, which means that the key can be spoofed in real time by relaying short range radio transmissions to two locations.

The mistaken assumption of the security system is that the short range communication protocol used by the car and the key requires the key to be in close proximity to the car.

Since the communication may be relayed, the range assumption is invalid. The main suggestion is to use high precision timing to determine the range, as it is very difficult to cheat on the speed of light.

I agree that "signal strength" is not the best way to phrase the above in a technical discussion.

I have not seen any indication that triangulation or any other physical location system is used in vehicle PKES.