Table of Contents
Fetching ...

SoK: Stealing Cars Since Remote Keyless Entry Introduction and How to Defend From It

Tommaso Bianchi, Alessandro Brighente, Mauro Conti, Edoardo Pavan

TL;DR

The paper addresses the security of Remote Keyless Entry and Passive Keyless Entry systems by systematically surveying historical and modern attacks and defenses. It adopts a comprehensive methodology across major security venues to map cryptanalytic, relay, and web-based threats to current and emerging technologies (NFC, BLE, UWB, APIs). The key contributions include a consolidated taxonomy of attacks and defenses, an assessment of their deployability in real-world vehicles, and guidance for future work, emphasizing open standards and auditing. The findings reveal that while cryptographic hardening has reduced some risks, relay and RollJam attacks persist, and the expanded attack surface from web connectivity and new keys technologies necessitates robust, standards-driven defenses with industry collaboration.

Abstract

Remote Keyless Entry (RKE) systems have been the target of thieves since their introduction in automotive industry. Robberies targeting vehicles and their remote entry systems are booming again without a significant advancement from the industrial sector being able to protect against them. Researchers and attackers continuously play cat and mouse to implement new methodologies to exploit weaknesses and defense strategies for RKEs. In this fragment, different attacks and defenses have been discussed in research and industry without proper bridging. In this paper, we provide a Systematization Of Knowledge (SOK) on RKE and Passive Keyless Entry and Start (PKES), focusing on their history and current situation, ranging from legacy systems to modern web-based ones. We provide insight into vehicle manufacturers' technologies and attacks and defense mechanisms involving them. To the best of our knowledge, this is the first comprehensive SOK on RKE systems, and we address specific research questions to understand the evolution and security status of such systems. By identifying the weaknesses RKE still faces, we provide future directions for security researchers and companies to find viable solutions to address old attacks, such as Relay and RollJam, as well as new ones, like API vulnerabilities.

SoK: Stealing Cars Since Remote Keyless Entry Introduction and How to Defend From It

TL;DR

The paper addresses the security of Remote Keyless Entry and Passive Keyless Entry systems by systematically surveying historical and modern attacks and defenses. It adopts a comprehensive methodology across major security venues to map cryptanalytic, relay, and web-based threats to current and emerging technologies (NFC, BLE, UWB, APIs). The key contributions include a consolidated taxonomy of attacks and defenses, an assessment of their deployability in real-world vehicles, and guidance for future work, emphasizing open standards and auditing. The findings reveal that while cryptographic hardening has reduced some risks, relay and RollJam attacks persist, and the expanded attack surface from web connectivity and new keys technologies necessitates robust, standards-driven defenses with industry collaboration.

Abstract

Remote Keyless Entry (RKE) systems have been the target of thieves since their introduction in automotive industry. Robberies targeting vehicles and their remote entry systems are booming again without a significant advancement from the industrial sector being able to protect against them. Researchers and attackers continuously play cat and mouse to implement new methodologies to exploit weaknesses and defense strategies for RKEs. In this fragment, different attacks and defenses have been discussed in research and industry without proper bridging. In this paper, we provide a Systematization Of Knowledge (SOK) on RKE and Passive Keyless Entry and Start (PKES), focusing on their history and current situation, ranging from legacy systems to modern web-based ones. We provide insight into vehicle manufacturers' technologies and attacks and defense mechanisms involving them. To the best of our knowledge, this is the first comprehensive SOK on RKE systems, and we address specific research questions to understand the evolution and security status of such systems. By identifying the weaknesses RKE still faces, we provide future directions for security researchers and companies to find viable solutions to address old attacks, such as Relay and RollJam, as well as new ones, like API vulnerabilities.
Paper Structure (39 sections, 3 figures, 3 tables)

This paper contains 39 sections, 3 figures, 3 tables.

Figures (3)

  • Figure 1: Basic example of Rolling Code usage, where the two parties updated the expected code at each iteration.
  • Figure 2: Relay attack representation where the two bad actors intercept the signals from the vehicle and the key fob, tricking them into thinking they are in close range.
  • Figure 3: Rolljam attack steps representation, in which an attacker jams and sniffs the two signals from the victim while sending the first capture during the second jamming.