Vehicles, in particular cars, currently on the market may be equipped with a Passive Keyless Entry (PKE) system, where approaching the car with the key is enough to unlock it, without the need to press the buttons on the key. Such type of key system is subject to security threats.
In particular, PKE systems based on low frequency radio (LF), typically 125 kHz, can be exploited with a Relay Station Attack (RSA). A RSA simply extends the range of the radio signals that a car and its key exchange. The final goal of the RSA is to unlock the car with a key out of the car's range, steal the car content and potentially the whole car.
A relay station is composed of two nodes: a receiving node that simply reads the radio signal next to one device (usually the car) and communicates it to the transmitting node, which transmits the signal as-is the other device (usually the key). The transmission content is not sniffed, modified nor forged. The result is an extension of the range of the radio signal between the two devices in one direction. Often bidirectional relaying is performed.
One specific type of RSA is called unidimensional (1D). In this type of attack the radio signal is measured by an antenna on the receiving relay node and transmitted by only one antenna on the transmitting relay node. Therefore, no matter what is the original magnetic field looks like (length, direction and sense of the field vector in the measured point) on the receiving node, the transmitting node will always create a field with the same shape (direction and sense of the field vector), variable only in the field strength (length of the field vector).
A simple countermeasure against a 1D RSA is to measure the angle between multiple fields. The key is usually equipped with a 3D LF receiving antenna with three coils oriented as in a right-handed 3D reference system (X, Y, Z) as it must receive in every possible orientation. Supposing that the key does not move or moves for a small enough distance during the whole process, the car activates two different LF antennas on its body in sequence, let's call them antenna A1 and antenna A2, which generate two different fields H1 and H2, being H1 and H2 two vectors. In any point around the car, the key would measure a vector H1=(x1, y1, z1) composed of the X, Y, and Z voltages (or RSSI values or magnetic field units) obtained from each coil of its 3D antenna and then H2=(x2, y2, z2).
The angle α between H1 and H2 could be computed with the following Formula A obtained by reversing the geometrical definition of the scalar (dot) product:α=arccos((H1·H2)/(∥H1∥∥H2∥))where ∥H1∥ and ∥H2∥ are respectively the modules of H1 and H2.
When the fields H1 and H2 are relayed with a 1D RSA, the relayed fields R1 and R2 will have the same shape and the measured vectors of the relayed fields will match in direction and sense. Consequently, the angle between R1 and R2 will be zero (in theory) or very small (in practice).
The above principle is used in DE 102011079421, disclosing a method and arrangement for the access and/or start-authentication. In such document a process for the access and/or start-authentication of a mobile identification sender with respect to a vehicle combines the measured components to verify the degree of parallelism of the respective field strength vectors, i.e. to verify if the angle between such vectors is zero.
Similarly, in WO 2015/084852 a passive entry system for an automotive vehicle is configured to prevent relay attacks by analyzing magnet vectors and angles created by a plurality of antennas mounted on the vehicle.
The above disclosed system and methods are therefore based on a measurement of the magnitude of the field (length of the vector) and of the orientation of the two magnetic field vectors H1 and H2 in an R3 space. However, some PKE systems are designed mostly to measure the magnitude of the magnetic field (length of the vector), but not its orientation. The resulting value for each component of each magnetic field is the maximum magnitude of that component in absolute value, so without sign. In such systems, the measured vectors resemble a projection of the real field vectors H1 and H2 in the positive octant of the R3 space.