Hold the Door! Fingerprinting Your Car Key
to Prevent Keyless Entry Car Theft
Kyungho Joo*
Korea University
khjoo0512@gmail.com
Wonsuk Choi*
Korea University
wonsuk85.choi@gmail.com
Dong Hoon Lee
Korea University
donghlee@korea.ac.kr
remote key fob at a distance. In the PKES system, car doors
are automatically unlocked as the user makes physical contact
with a button on a door when the key fob is in the vicinity. This
implies that drivers no longer need to remove their key fobs
from their pockets or bags. We note that the PKES system
is mostly designed to include the remote lock and unlock
functions provided by the RKE system. However, as keyless
entry systems are becoming commonplace on modern vehicles,
cyber security attacks are also on the rise. Vehicle manufactur-
ers, therefore, have applied their own security mechanisms to
verify either the remotes or key fobs. In particular, encryption
with a pre-shared, long-term secret key and rolling codes [37],
[64] are common methods used to verify a legitimate key fob.
Despite these security mechanisms, several vulnerabilities
with keyless entry systems have been discovered. In 2010, the
authors of [38] demonstrated a relay attack on PKES systems,
in which vehicle doors were unlocked. In the relay attack,
two colluding adversaries would work in concert to extend
the original range of RF communication between a vehicle
and its key fob. One adversary must be close to the target
vehicle and the other must be close to its key fob. They
cooperate with each other to relay signals from the vehicle
to the key fob side. As a consequence, even outside of the
pre-defined communication range, the vehicle and its key fob
interact with each other, which leads to the unlocking of
the doors. In Germany and the United Kingdom, automotive
thieves successfully carried out these types of signal-relaying
attacks, which were captured on security cameras [10], [19]. In
addition, an adversary could exploit a particular vulnerability
of a cryptographic algorithm used in the remote keyless entry
system to extract a pre-shared secret key between the vehicle
and its key fob, thereby creating and transmitting a malicious
message for a door unlock command [22], [40], [45], [47],
[61]. Furthermore, recent studies have shown that long-term
secrets can be compromised not only in the RKE system but
also in the PKES system [66].
The underlying reason of the cyber security attacks on
the keyless entry system is that radio frequency (RF) signals
emitted from key fobs can be relayed or replayed regardless
of active security methods like encryption or authentication.
Since the keyless entry system accepts any request for authen-
tication as long as valid signals are within the communication
range, extension of the communication range by relaying or
forwarding a signal ultimately enables an attacker to unlock car
doors. One approach to resolve this issue might be the use of an
RF distance-bounding protocol that verifies the actual physical
proximity of a request [25], [44]. However, RF distance-
Abstract—Recently, the traditional way to unlock car doors
has been replaced with a keyless entry system which proves more
convenient for automobile owners. When a driver with a key fob
is in the vicinity of the vehicle, doors automatically unlock on user
command. However, unfortunately, it has been shown that these
keyless entry systems are vulnerable to signal-relaying attacks.
While it is evident that automobile manufacturers incorporate
preventative methods to secure these keyless entry systems, they
continue to be vulnerable to a range of attacks. Relayed signals
result in valid packets that are verified as legitimate, and this
makes it is difficult to distinguish a legitimate door unlock request
from a malicious signal. In response to this vulnerability, this
paper presents an RF-fingerprinting method (coined “HOld the
DOoR”, HODOR) to detect attacks on keyless entry systems -
the first attempt to exploit the RF-fingerprint technique in the
automotive domain. HODOR is designed as a sub-authentication
method that supports existing authentication systems for keyless
entry systems and does not require any modification of the main
system to perform. Through a series of experiments, the results
demonstrate that HODOR competently and reliably detects attacks
on keyless entry systems. HODOR achieves both an average false
positive rate (FPR) of 0.27% with a false negative rate (FNR)
of 0% for the detection of simulated attacks, corresponding to
current research on keyless entry car theft. Furthermore, HODOR
was also observed under environmental factors: temperature
variation, non-line-of-sight (NLoS) conditions, and battery aging.
HODOR yields a false positive rate of 1.32% for the identification
of a legitimated key fob even under NLoS conditions. Based on
the experimental results, it is expected that HODOR will provide
a secure service for keyless entry systems, while remaining
convenient.
I. INTRODUCTION
Recently, keyless entry systems have been developed and
installed in modern vehicles for the convenience of drivers.
Before the keyless entry system, it was necessary to physically
insert a key into the key hole to unlock the doors of a vehicle.
This traditional way to unlock doors was inconvenient as well
as vulnerable to physical key copying leading to relatively
easy automotive theft or break-ins. The keyless entry system
enables a driver to unlock doors without inserting anything, via
two distinct systems: the remote keyless entry (RKE) system
and the passive keyless entry and start (PKES) system. The
RKE system unlocks doors with the press of a button on a
* Co-first Authors
Network and Distributed Systems Security (NDSS) Symposium 2020
23-26 February 2020, San Diego, CA, USA
ISBN 1-891562-61-4
https://dx.doi.org/10.14722/ndss.2020.23107
www.ndss-symposium.org
