Vehicles today are often equipped with electronic entry systems. Such systems allow entry into, and (in some systems) starting and operation of, the vehicle without using a conventional mechanical key or requiring any other overt unlocking action by the owner. In such systems, often referred to as ‘passive’ remote keyless entry (“RKE”) systems, a low frequency (“LF”) radio signal, typical around 125 KHz, is transmitted by the vehicle to a fob carried by the vehicle owner, and the fob responds by returning a radio frequency (“RF”) signal (e.g. 315 MHz or 434 MHz) back to the vehicle. Upon receipt of an RF signal from an authorized fob, the vehicle will unlock the doors to permit driver entry into the vehicle.
More specifically, when a driver approaches the vehicle and lifts the handle of the vehicle door, the driver contact with the door handle will be detected electronically at the vehicle (e.g. by tripping a mechanical switch when the handle is lifted, or by electrostatic detection of touch, or by the driver's fingers interrupting an optical beam). Upon detection of the driver contact with the door handle, the RKE controller at the vehicle will trigger an LF transmitter inside the controller. The LF transmitter will create an LF field in the vicinity of the vehicle door that will, in turn, be detected by an LF receiver inside the fob. Upon detection of a proper LF field, the fob will compose and transmit back to the vehicle a digital message (a datagram) modulated on an RF signal. The RF receiver inside the vehicle will demodulate and decode the digital message and, if the content of the message indicates that the message came from an authorized fob, will unlock the vehicle doors. Similar methods are sometimes used for enabling an “engine start” button on the dashboard of the vehicle, whereby the owner may even operate the vehicle without use of a mechanical key.
Identification codes and encryption are conventionally used to ensure that the communication link between the fob and the vehicle is secure. Such codes and encryption are very difficult to duplicate. Therefore, the fob message required to gain entry into the vehicle cannot readily be synthesized by a thief. Even with such codes and encryption, however, potential vulnerabilities still exist. One known vulnerability involves two thieves working in concert to intercept and immediately use a bona fide fob message to trick the vehicle RKE system into believing that the fob is near the vehicle, when in fact the person carrying the fob has walked away from the vehicle.
The two-thief scenario is depicted in FIG. 1. In this scenario, each thief carries an RF relay device. Radio signals received at one device are relayed to the other device via a different, device-to-device frequency channel. At the other device, the radio signals are returned to their original frequency channel and re-broadcast.
When the person carrying the fob leaves the vehicle and walks away, the first thief will position himself and his device near the vehicle. The second thief will follow the person carrying the fob, thereby keeping the second thief's device near the fob. The first thief will approach the vehicle and lift the door handle, triggering the LF transmitter inside the vehicle. The first theft's device will be designed to receive the LF signal transmitted by the LF transmitter inside the vehicle, to frequency-shift the LF signal to the different, device-to-device frequency channel, and to broadcast the frequency-shifted signal to the second thief.
The second thief's device will receive the frequency-shifted signal via the device-to-device frequency channel. The device will frequency-shift the signal back to its original LF channel and then re-transmit it. The fob, being in the vicinity of the second thief's device, will receive the LF signal and, so long as the device-to-device communication process has not corrupted the LF signal very much, will interpret it as a legitimate LF interrogation from the vehicle. The fob will thus respond by assembling a datagram for accessing the vehicle, including all of the associated security codes and encryption, and then transmitting the datagram as an RF message.
The second thief's device will be designed to receive the RF signal transmitted by the fob, to frequency-shift the RF signal to the different, device-to-device frequency channel, and to broadcast the frequency-shifted signal back to the first thief. The first thief's device will receive the frequency-shifted signal via the device-to-device frequency channel. The device will then restore (frequency-shift) the fob signal back to its original RF channel and re-transmit it. The vehicle, being near the first thief's device, will receive the restored RF signal and decode the included datagram. So long as the device-to-device communication process has not corrupted the RF signal very much and assuming that the associated security codes and encryption were generated by an authorized fob, the vehicle will recognize the RF signal as a legitimate RF response from the fob. The vehicle will thus respond by allowing access to the vehicle, unlocking the doors and (in some systems) allowing starting and operation of the vehicle.
Thus, in summary, through use of this technique the two thieves avoid the necessity of understanding and synthesizing the security codes and encryption used by the fob, instead triggering the fob to create a legitimate access message and then transporting the message back to the vehicle to gain access to the vehicle.