Passive keyless entry is a generic term for an automotive technology that allows a vehicle driver to lock and unlock a vehicle without using the corresponding SmartKey buttons. Once a driver enters a vehicle with an equipped Keyless Go SmartKey or Keyless Go wallet size card, they have the ability to start and stop the engine, without inserting the SmartKey (i.e. ignition key). A transponder built within the SmartKey allows the vehicle to identify a driver. In some cases, an additional safety feature is integrated into the vehicle, making it impossible to lock a SmartKey that has a Keyless Go feature inside a vehicle. After a few years on the market, this technology is being used ever more extensively, evolving down from luxury car manufacturers to some economy car brands.
Referring now to FIG. 1, a simplified block diagram of a known PKE system 100 is illustrated. The passive keyless entry system 100 includes a vehicle 110 that has a number of vehicle access and security control and communication points. The vehicle access and security control and communication points include a radio frequency (RF) receiver 117, a number of ultra-wideband (UWB) communication transceivers 116 (where UWB is a radio technology that can use a very low energy level for short-range, high-bandwidth communications over a large portion of the radio spectrum), and a low frequency (LF, e.g. 125 kHz) transmitter with several antennas 118. The vehicle also includes an immobilizer point 113. A body control unit (BCU) 112 is located in the vehicle and is arranged to control communications to an external, removable associated vehicle key 120.
The key 120 includes a PKE integrated circuit (IC) 130, which is typically powered by a 3V Li battery and includes a PKE LF receiver (RX) IC 132, a radio frequency (RF) transmitter (Tx) IC 134 and an immobilizer IC 136. The key 120 also includes a UWB IC 150 that includes a transceiver (TRX) IC 152 that is configured to operate in the GHz frequency range and is coupled to the PKE IC via a serial-parallel interface 140. Typically, the key 120 will also include a DC-DC power management circuit 160.
The PKE system 100 works by having a series of low frequency (LF, e.g. 125 kHz) antennas 118, located both inside and outside the vehicle. The external antennas are typically located in the door handles. When the handle is pressed, an LF signal is transmitted from the LF transmitter via the LF antennas 118 to the key 120. In this manner, the key 120 becomes activated by a person pulling or touching the vehicle door handle, if the key 120 is located sufficiently close to the vehicle 110. This location is done via measurement of the received signal strength in the PKE LF receiver 132 and knowledge of the magnetic field strength generated by the LF antennas 118. The key 120 transmits its identifier (ID) back to the vehicle 110 via RF, e.g. >300 MHz, to the RF receiver 117 located in the vehicle 110. If the key 120 has the correct ID, a PKE module (not shown) located inside the vehicle unlocks the vehicle 110.
It is important that the vehicle cannot be started when the user/driver, and therefore the smart key, is away from the vehicle. This is especially important at, say, fuelling stations where the user is outside of, but very close to, the vehicle and is likely to be sufficiently close for the unlocking and automatic vehicle starting processes to work.
Known countermeasures to prevent a thief accessing the car in such a situation include the addition of a precise distance measuring operation (e.g. a time-of-flight measurement via ultra-wideband (UWB), infra-red (IR) or RF means) in order to overcome this problem of a user and the key being located external to, but near, the vehicle. Such a distance measuring approach introduces complexity and high cost, since the existing PKE system 110 (of an LF transmitter, with multiple LF antennas 118 in the car, plus a PKE LF receiver 132 in the key 120, in order to comply with ultra-low power consumption) is maintained, but an additional distance measuring circuit is added.
Referring now to FIG. 2, a flowchart 200 of a known process for opening a car that employs a PKE system, such as the PKE system of FIG. 1, is illustrated. At 205, the user pulls the vehicle door handle. In response, at 210, the ECU of the vehicle, such as ECU 112 of FIG. 1, is woken up. The waking up of the ECU triggers, at 215, an LF transmission (sometimes referred to as a ‘PKE telegram’) to wake up the PKE IC, such as PKE IC 130, of the key 120 of FIG. 1 (which checks, in PKE Rx LF 132 of FIG. 1, as to whether it has received a correct message from the associated vehicle 110). At 220, the key's PKE IC powers up the on-board RF transmitter (e.g. UHF, 300-400 MHz), and sends an acknowledgement message back to the vehicle 110.
Concurrently, at 225, the PKE IC powers up the key's UWB IC and prepares to respond to a distance measurement, e.g. a so-called ‘time-of-flight’ measurement. At 230, the RF receiver 117 in the vehicle 110 receives and identifies the correct acknowledgement message from the key 120 and powers up the UWB circuits in the vehicle 110. At 235, the key UWB IC and the vehicle UWB IC execute a distance (e.g. time-of-flight) measurement in order to calculate a distance between the vehicle and the key. At 240, if the determined distance is within a desired range (e.g. the key 120 is within, say, 2 m of the vehicle 110), the ECU 112 commands the vehicle door latch to release.
Referring now to FIG. 3, a flowchart 300 of a known process for starting a vehicle that employs a PKE system, such as the PKE system 100 of FIG. 1, is illustrated. In this regard, the vehicle must be able to determine if the vehicle's key is located within or outside the vehicle. At 305, the user/vehicle driver pushes the start button, and in response, at 310, the BCU 112 of the vehicle is woken up. The waking up of the ECU at 310 triggers, at 315, an LF transmission (sometimes referred to as a ‘PKE telegram’) to wake up the PKE IC, such as PKE IC 130 of the key 120 of FIG. 1 (which checks, in PKE Rx LF 132 of FIG. 1, as to whether it has received a correct message from the associated vehicle 110). At 320, the key's PKE IC powers up the on-board RF transmitter (e.g. UHF, 300-400 MHz), and sends an acknowledgement message back to the vehicle 110. At 325, the vehicle LF transmitter sends out an LF telegram from different locations of the LF antennas 118 within the vehicle, with dedicated field strengths. Concurrently, the key's PKE IC measures the received field strength indication (RSSI) and transmits this measurement back to the vehicle via the key's RF transmitter. At 330, the vehicle BCU 112 calculates from the vehicle LF transmitter antenna current, and the measured and reported RSSI, a triangulated position of the key 120. From this calculation, the ECU 112 is able to determine whether (or not) the key 120 is located inside or outside of the vehicle 110. At 335, if the key is located inside the vehicle 110, the ignition and engine management functions are ‘released’, and the engine is allowed to start.
It is known that today's PKE systems suffer from relay station attacks (RSAs) where the communication between a car and a car key may be intercepted and relayed (lengthened) by an unauthorised person (e.g. a thief), in order to unlock or start a car without notifying the key holder. The unauthorised person attempts to gain access to a target car by making the vehicle believe that a legitimate, registered key is within the vicinity of the car, when actually it is not. This is attempted by relaying back and forth the messages between the car and the key sent on LF and RF frequencies, respectively. In order for this type of attack to succeed the unauthorised person has to be within the vicinity of the car and, from a reasonable distance, has to have wireless, remote access to a legitimate key, which will typically be outside of the ‘vicinity’ range of the car.
Often, two relay stations will be needed to achieve this unauthorised access and/or vehicle start, as illustrated in the example 400 of a known relay attack of a vehicle 110 that employs a PKE system of FIG. 4. A first relay station 430 is located near the vehicle 110 and the second relay station 420 is located close to the key 120 or the key holder. The unauthorised person touches the door of the vehicle 110, which sends a LF wake up message 440. This is picked up by the first relay station 430 and routed via a bi-directional wireless relay link 425 to the second relay station 420. The second relay station 420 routes the LF wake up message 445 to an unsuspecting key holder 410 that has the key 120, which responds with the authentic RF response 415. The second relay station 420 routes the authentic RF response via the bi-directional wireless relay link 425 to the first relay station 430, which sends the authentic RF response 435 to the vehicle 110 to unlock it.
In this manner, it appears to the vehicle that the vehicle's keyless entry/Go electronic control unit (ECU) and the key 120 are communicating directly with one another over a short distance, i.e. within a distance threshold of the vehicle, and the vehicle will thereafter execute the desired PKE functions. The unauthorised person does not have to have any knowledge about the protocol data being sent between the two devices, car and key, nor does he require any knowledge of any secret encryption keys or the agreed response to the challenge presented by the car to the key. Also, the owner of the car key is not required to press any buttons. Indeed, the owner may well be completely unaware of the attack being executed, while he or she is in full possession of his or her car key. This security risk is an undesirable consequence of the simplicity of known PKE systems.
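The effect of the time-of-flight check at steps 235 and 240 on the relayed exchange of FIG. 4, as an added example (a constructed model, not code from the system described here). The key turnaround time, the LF wake threshold, the 40 m key distance and the 50 ns per-direction relay delay are assumed values; only the 2 m range comes from the text.

```python
# Added illustration: a constructed timing model of the vehicle-side decision.
C = 299_792_458.0           # speed of light, m/s
MAX_RANGE_M = 2.0           # "within, say, 2 m" threshold used at step 240
KEY_TURNAROUND_S = 100e-6   # assumed: fixed, known reply delay inside the key
LF_WAKE_THRESHOLD = 1.0     # assumed: arbitrary units of LF field strength

def lf_says_near(field_at_key):
    """LF-only proximity test: the key answers if the field it measures is strong."""
    return field_at_key >= LF_WAKE_THRESHOLD

def round_trip_s(path_m, relay_delay_s=0.0):
    """Round trip seen by the vehicle: propagation out and back, the key's
    turnaround, and any relay processing delay in each direction."""
    return 2 * path_m / C + KEY_TURNAROUND_S + 2 * relay_delay_s

def tof_distance_m(rtt_s):
    """Two-way ranging: subtract the known turnaround, halve the remainder."""
    return C * (rtt_s - KEY_TURNAROUND_S) / 2.0

def unlock_decision(field_at_key, rtt_s, use_tof):
    """Vehicle-side decision, with or without the distance bound."""
    if not lf_says_near(field_at_key):
        return False
    if use_tof and tof_distance_m(rtt_s) > MAX_RANGE_M:
        return False
    return True

def scenarios():
    # Constructed inputs. In the relayed case the LF field is re-emitted next
    # to the key, so the key measures the same strong field as in the direct
    # case; only the timing differs.
    cases = {
        "direct":  {"field": 3.0, "rtt": round_trip_s(1.5)},
        "relayed": {"field": 3.0, "rtt": round_trip_s(40.0, relay_delay_s=50e-9)},
    }
    return {
        name: {
            "lf_only": unlock_decision(c["field"], c["rtt"], use_tof=False),
            "lf_plus_tof": unlock_decision(c["field"], c["rtt"], use_tof=True),
            "tof_distance_m": round(tof_distance_m(c["rtt"]), 2),
        }
        for name, c in cases.items()
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

In this model a relay can only add propagation and processing time, so the measured distance never falls below the true path length; the field-strength test alone accepts both cases, while the distance bound rejects the relayed one.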