Frequency Hopping Spread Spectrum to Counter Relay Attacks in PKESs

  • Conference paper
Risks and Security of Internet and Systems (CRiSIS 2020)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 12528)

Abstract

Passive keyless entry and start systems (PKESs) have been widely deployed in modern cars. These systems have brought many advantages over their predecessors and are considered more secure. However, they are subject to a new type of attack, known as the relay attack. Due to this attack, hundreds of cars have been stolen in many countries. Since then, car manufacturers as well as insurance companies have been experiencing an endless nightmare. Researchers have also been working on solutions, mainly based on distance-bounding protocols and sensing technologies, to counter relay attacks, but none of these solutions has provided a fundamental mitigation. In this paper, we apply the FHSS (Frequency Hopping Spread Spectrum) transmission technique as a physical-layer countermeasure to mitigate relay attacks. By hopping from one frequency to another within a wide bandwidth, following a per-session secret-shared frequency hopping sequence, the communication between the car and its associated keyfob can be hidden from attackers as long as they are not aware of the hopping sequence.
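The following is an added illustration of a per-session hopping sequence shared by the car and the keyfob; it is not code from the paper. The HMAC-SHA256 derivation, the session nonce, the channel count and all sample values are assumptions made here, since the abstract does not say how the sequence is generated.

```python
import hashlib
import hmac

def hop_sequence(shared_key: bytes, session_nonce: bytes, hops: int, channels: int) -> list[int]:
    """Derive `hops` channel indices in [0, channels) from HMAC-SHA256.

    Assumed construction (not from the paper): block_i = HMAC(key, nonce || i),
    cut into 32-bit words; words above the rejection bound are discarded so
    that `word % channels` is unbiased.
    """
    bound = (2**32 // channels) * channels
    seq, counter = [], 0
    while len(seq) < hops:
        msg = session_nonce + counter.to_bytes(4, "big")
        block = hmac.new(shared_key, msg, hashlib.sha256).digest()
        counter += 1
        for i in range(0, len(block), 4):
            word = int.from_bytes(block[i:i + 4], "big")
            if word < bound and len(seq) < hops:
                seq.append(word % channels)
    return seq

def fixed_channel_capture(seq: list[int], channel: int) -> float:
    """Fraction of hops seen by a receiver that stays on one channel."""
    return seq.count(channel) / len(seq)

def blind_guess_probability(hops: int, channels: int) -> float:
    """Chance of guessing every hop of a uniform sequence without the key."""
    return float(channels) ** -hops

# Constructed sample values, for illustration only.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
NONCE_A = b"session-0001"
NONCE_B = b"session-0002"
CHANNELS, HOPS = 50, 64

if __name__ == "__main__":
    car = hop_sequence(KEY, NONCE_A, HOPS, CHANNELS)
    fob = hop_sequence(KEY, NONCE_A, HOPS, CHANNELS)
    print("car == fob:", car == fob)
    print("first hops:", car[:8])
    print("next session differs:", car != hop_sequence(KEY, NONCE_B, HOPS, CHANNELS))
    print("fixed-channel capture:", fixed_channel_capture(car, 0))
    print("blind guess of all hops:", blind_guess_probability(HOPS, CHANNELS))
```

Both ends derive the same channel list from the shared key and the session nonce, while a new nonce yields an unrelated list, which is the per-session property the abstract relies on.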

Notes

  1. Breaching car security is not limited to stealing the car itself but also includes breaking into the car to grab anything valuable inside, placing a remotely controllable OBD (On-board diagnostics) adapter on the car’s OBD port, or taking off any part needed by the thief, such as the car’s doors, bonnet, or any expensive engine part.

  2. For security purposes, certain car models get automatically locked after some seconds if the driver walks away without locking the car.

  3. Toyota 4Runners, Highlanders, Tacoma pickup trucks and Lexus GX460.

  4. See ADAC: https://www.youtube.com/watch?v=0AHSDy6AiV0.

  5. Certain car manufacturers, such as Ford and Lincoln, have started adopting the UHF frequency band between 902.375 MHz and 903.425 MHz.

  6. MSC (Message Sequence Chart) is a graphical language for the description of the interaction between different components of a system. This language is standardized by the ITU (International Telecommunication Union).

  7. HackRF One is a transmit and receive capable SDR. It has a 10 MHz to 6 GHz operating range and up to 20 MHz of bandwidth. It costs around $300.

  8. See Hak5: https://www.youtube.com/watch?v=k8rNQ3mBZQ4&ab_channel=Hak5.

  9. In some keyless entry systems, the RFID communication is asymmetric. The communication from the car to the keyfob is performed over the LF 125 kHz band (shorter range), whereas the communication from the keyfob to the car is over the UHF band with a frequency of 315 MHz, 433.92 MHz, 868 MHz, or 915 MHz for a longer range.

  10. In some car models, the driver has to either press a button or touch a motion sensor on the door handle, which lets the car know that the keyfob is around. The car starts broadcasting the signal that supplies power to the keyfob.

  11. The mechanism that a passive RFID tag uses to respond to an RFID reader by using the reader’s carrier as a power-supplying source is called backscattering.

  12. In certain relay attacks, attackers relay the LF signals that are sent from the car to the keyfob (short-range signal) and leave the UHF signals that are sent from the keyfob to the car (long-range signal, \(\approx\) 100 m) [3].

  13. The EPCGlobal industry association defines four classes of UHF RFID tags. Class 1 is for passive tags, Class 2 enriches Class 1 with more memory and adds cryptography, Class 3 is for semi-passive tags, and Class 4 is for active tags.

  14. FCC (Federal Communications Commission) is the radio frequency regulation agency in the United States of America.

References

  1. Lounis, K.: Stealing High-end Cars Using Relay Attacks, related-articles collected from different sources (2020). https://www.docdroid.net/AUPx0XU/ar-pdf

  2. CBC News: Toyota, Lexus Owners Warned About Thefts That Use Relay Attacks (2019). https://www.cbc.ca/news/canada/ottawa/toyota-lexus-relay-attack-1.5380947

  3. Francillon, A., Danev, B., Capkun, S.: Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars. IACR Cryptology ePrint Archive 2010(332), 1–15 (2010)

  4. Zeng, Y., Yang, Q., Li, J.: Chasing cars: keyless entry system attacks. HITBSecConf Amsterdam (2017)

  5. Hancke, G.P., Mayes, K., Markantonakis, K.: Confidence in smart token proximity: relay attacks revisited. Comput. Secur. 28(7), 615–627 (2009)

  6. Drimer, S., Murdoch, S.J.: Keep your enemies close: distance bounding against smartcard relay attacks. In: Proceedings of 16th USENIX Security Symposium, USENIX Association (2007)

  7. Hu, Y.-C., Perrig, A., Johnson, D.B.: Wormhole attacks in wireless networks. IEEE J. Sel. Areas Commun. 24(2), 370–380 (2006)

  8. Hancke, G.: Practical attacks on proximity identification systems. In: Proceedings of the 27th IEEE Symposium on Security and Privacy (2006)

  9. Kfir, Z., Wool, A.: Picking virtual pockets using relay attacks on contactless smartcard. In: the 1st International Conference on Security and Privacy for Emerging Areas in Communications Networks, pp. 47–58 (2005)

  10. Desmedt, Y., Goutier, C., Bengio, S.: Special uses and abuses of the fiat-shamir passport protocol. In: Advances in Cryptology 1987, A Conference on the Theory and Applications of Cryptographic Techniques, pp. 21–39 (1987)

  11. Desmedt, Y.: Major security problems with unforgeable(ferge)-fiat-shamir proofs of identity and how to overcome them. In: Worldwide Congress on Computer and Communications Security and Protection, pp. 15–17 (1988)

  12. Carluccio, D., Lemke, K., Paar, C.: Electromagnetic side channel analysis of a contactless smart card: first results. In: ECrypt Workshop on RFID and Lightweight Crypto (2005)

  13. Lounis, K., Zulkernine, M.: Attacks and defenses in short-range wireless technologies for IoT. IEEE Access 8, 88892–88932 (2020)

  14. Brands, S., Chaum, D.: Distance-Bounding Protocols. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 344–359. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_30

  15. Kamkar, S.: Drive It Like You Hacked It: New Attacks and Tools to Wirelessly Steal Cars. DEF CON 23 (2015)

  16. Collins, D.: How to Program a Car Key (2019). https://www.carbibles.com/how-to-program-a-car-key/, CarBible

  17. EPCGlobal: EPC Radio-Frequency Identity Protocols Class-1 Generation-2 UHF RFID Protocol for Communication at 860 MHz-960 MHz Version 1.2.0 (2008)

  18. EPCGlobal: EPC Radio-Frequency Identity Protocols Generation-2, UHF RFID Specification for RFID Air Interface Protocol for Communication at 860 MHz-960 MHz Version 2.0.0 Ratified (2013)

  19. Banks, J., Pachano, M., Thompson, L., Hanny, D.: RFID Applied. Wiley, New York (2017)

  20. Valko, A.: Relay attack resistant passive keyless entry: securing PKE systems with immobility detection, B.Sc. thesis, TRITA-ITM-EX 2020:48, KTH, School of Industrial Engineering and Management, pp. 1–90 (2020)

  21. Choi, S.K., Kim, S.S., Kim, G.H.: Method for preventing relay-attack on smart key system. Patent No. US9210188B2, p. 12 (2015)

  22. Wang, J., Lounis, K., Zulkernine, M.: Security features for proximity verification. In: 2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC), pp. 592–597 (2019)

  23. Aanjhan, R., Capkun, S.: Are we really close? Verifying proximity in wireless systems. IEEE Secur. Priv. 15(3), 52–58 (2017)

  24. Choi, W., Seo, M., Lee, D.H.: Sound-proximity: 2-factor authentication against relay attack on passive keyless entry and start systems. J. Adv. Transp. article 1935974 (2018)

  25. Kumar, S.S., Pandharipande, A.: Secure indoor positioning: relay attacks and mitigation using presence sensing systems. In: IEEE 13th International Conference on Industrial Informatics (INDIN), Cambridge, pp. 82–87 (2015)

  26. Frank Stajano, F.-L.W., Christianson, B.: Multichannel protocols to prevent relay attacks. In: Financial Cryptography (2010)

  27. Wang, J., Lounis, K., Zulkernine, M.: CSKES: a context-based secure keyless entry system. In: 2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC), pp. 817–822 (2019)

  28. Kim, H., Dabak, A.G., Ren, J., Goel, M.: Relay Attack Countermeasure System. Patent No. US2015/0222658A1, pp. 1–11 (2015)

  29. Mutti, C.S., Spedaliere, D.: Solutions for relay attacks on passive keyless entry and go. Patent No. W02013050409A1, p. 4 (2013)

Corresponding author

Correspondence to Karim Lounis.

Copyright information

© 2021 Springer Nature Switzerland AG

Cite this paper

Lounis, K., Zulkernine, M. (2021). Frequency Hopping Spread Spectrum to Counter Relay Attacks in PKESs. In: Garcia-Alfaro, J., Leneutre, J., Cuppens, N., Yaich, R. (eds) Risks and Security of Internet and Systems. CRiSIS 2020. Lecture Notes in Computer Science, vol 12528. Springer, Cham. https://doi.org/10.1007/978-3-030-68887-5_3

  • DOI: https://doi.org/10.1007/978-3-030-68887-5_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-68886-8

  • Online ISBN: 978-3-030-68887-5

  • eBook Packages: Computer Science, Computer Science (R0)
