CCCAC :: Keyless Gone

Chaos Computer Club Aachen

The English article is heavily under construction. For more details please visit the German version.



Keyless Go and Keyless Entry Systems allow a driver to open and start a vehicle without his or her interaction. In theory this should only be possible if the key is in a very close range to the the car's sensors, for example in the driver's pocket or handbag. Unfortunately the distance “measurement” is often if not always based on the strength of low frequency (LF, in our test case 125kHz) probing signals from the car, that can easily be relayed over long distances.

This is a well kown but broadly ignored security flaw. To spread the knowledge and increase the manufacturer's motivation to fix this problem, we built a practical ~90€ attack tool on Keyless Go / Keyless Entry Systems. It allows the attacker to easily open and start the car, even if the key is out of range, by relaying the LF signal.