Modern comfort cars, which are currently on the market, may be equipped with a Passive Keyless Entry (PKE) system. In such a PKE system, approaching a car with an associated PKE key is enough to unlock the car, without the need to press a button that may be provided on the key. In PKE systems, the car (as an example of a base structure) incorporates a PKE base structure device, which is operable to act as a transponder and to interrogate the PKE key, which is operable to act as a mobile device (key, or key fob) and which may be associated to the base structure device. In PKE systems, the PKE base structure device uses low frequency radio (LF) electromagnetic fields, with 125 kHz being a typically value of the carrier frequency of the electromagnetic field, for interrogating the mobile device (i.e. the key).
A car incorporating a PKE base station device for providing a PKE service (or PKE functionality) is just one example of a use of a PKE system. Another use of a PKE system may be employed in a building as a PKE base structure device, where access to the building can be gained when approaching a door of the building with an associated door key as the mobile device.
PKE systems can be exploited with a so-called Relay Station Attack (RSA). A RSA simply extends the range of the radio signals that a car (as an example of a PKE base structure device) and its key (as the mobile device) exchange by using a relay device. The final goal of the RSA is to unlock the car with a key that is located out of the car's interrogation range, and to steal the car content and potentially the whole car.
An example embodiment of an RSA is illustrated in FIG. 3. A vehicle or car 112, as an example of a PKE base structure 110, which services PKE, incorporates a PKE base structure device, which comprises at least two base structure antennae 114 and 116. The second base structure antenna 116 is typically arranged in the PKE base structure 110 at a location that is different than the location of the first base structure antenna 114.
A relay system 300, which is operable to make an RSA, may be composed of two nodes 310, 320, i.e. a receiving node 310 and a transmitting node 320. The receiving node 310 comprises a receiving node receiving antenna 312, which simply reads the radio signal (i.e. the low frequency electromagnetic field) next to PKE base structure device 110 (for example the car) within the interrogation range of the PKE base structure device 110, and a receiving node relay antenna 314, which communicates the radio signal to the transmitting node. Both, the receiving node receiving antenna 312 and the receiving node relay antenna 314 may be combined in one single antenna. Correspondingly, in FIG. 3, the receiving node receiving antenna 312 and the receiving node relay antenna 314 are depicted as one single antenna referenced by the numerals 312, 314. The transmitting node 320 comprises a transmitting node relay antenna 322, which receives the radio signal communicated by the receiving node relay antenna 314, and a transmitting node transmitting antenna 324, which transmits the signal as-is to a mobile device (for example the car key 121). The transmission content is generally not sniffed, modified nor forged. Both, the transmission node relay antenna 322 and the transmission node transmitting antenna 324 may be combined in one single antenna. Correspondingly, in FIG. 3, the transmission node relay antenna 322 and the transmission node transmitting antenna 324 are depicted as one single antenna referenced by the numerals 322, 324. A result of the use of the relay system 300 is an extension of the range of the interrogating radio signal between the two devices (i.e. the PKE base structure and the mobile device) in one direction. Also bidirectional relaying may be performed between the PKE base structure device 110 and the mobile device 120.
One specific type of RSA is called unidimensional (1D). In this type of attack the radio signal is measured by the receiving node receiving antenna 312 provided on the receiving node 310 and transmitted by only one antenna, namely the receiving node relay antenna 314, to the transmitting node 320. Therefore, no matter what is the original magnetic field looks like (length, direction and sense of the field vector) at the point, where the receiving node 310 is located, the transmission node transmission antenna 324 will always create a field, which has the same shape (direction and sense of the field vector) and which may be variable only in the field strength (length of the field vector).
The latter characteristics of a 1D RSA, viz. that the relay antenna of the receiving node and the transmitting node antenna of the transmitting antenna each will always create a relay field, which has the same direction and sense of the radio field vector at the point of detection, is clearly illustrated in FIG. 3 by way of the two parallel arrows, which point from left to right starting at the receiving node antenna (the non-referenced left one antenna in FIG. 3) and pointing to the transmitting node antenna (the non-referenced right one antenna in FIG. 3), and by way of the other two parallel arrows, which point from transmitting node antenna to the 3D antenna 122 of the mobile device 120.
By contrast, in the PKE system 100, which is illustrated in FIG. 1 and in which no RSA attack is being performed, the first base structure antenna 114 emits a first radio field (or first electromagnetic field (not referenced in FIG. 1)), a portion of which propagates in the direction towards the mobile device 120, such that it arrives at a 3D antenna 122 of the mobile device 120 with a first angle of arrival and has a first magnetic field vector H1 (not referenced in FIG. 1). The second base structure antenna 116 emits a second radio field (or second electromagnetic field (not referenced in FIG. 1)), a portion of which propagates in the direction towards the mobile device 120, such that it arrives at a 3D antenna 122 of the mobile device 120 with a second angle of arrival and has a second magnetic field vector H2 (not referenced in FIG. 1). The second angle of arrival differs from the first angle of arrival by an angle of arrival difference, which is greater than a definable threshold angle, the size of which depends on the distance between the first and the second base structure antennae 114 and 116 and the interrogation range of the base structure device 110, i.e. the range of the low frequency electromagnetic field as emitted from a base structure antenna 114 or 116, within which range the emitted electromagnetic field can be clearly detected.
Consequent to the angle of arrival difference experienced at the point of the sensing 3D antenna 122 of the mobile device 120 in FIG. 1, the first and the second magnetic field vectors H1 and H2 enclose an angle α=∠(H1, H2), which is greater than a definable threshold angle αt, the size of which also depends on the distance between the first and the second base structure antennae 114 and 116 and the interrogation range of the base structure device 110.
Accordingly, one approach to determining, whether a RSA is being performed, is to measure the first and the second magnetic field vectors H1 and H2, i.e. the lengths, the directions and the senses of the first and the second magnetic field vectors H1 and H2, to determine the angle between the first and the second magnetic field vectors H1 and H2, and to compare the determined angle α=∠(H1, H2) to the defined threshold angle αt. On this basis, it can be determined that a one-dimensional Relay Station Attack (RSA) has occurred, if the determined angle α is equal to or smaller than the threshold angle αt, i.e. α≤αt. By contrast, it can be determined that a regular wireless connection, without intermediate of a RSA system, has been established between the PKE base structure (110) and the associated mobile device (120), if the determined angle α is greater than the threshold angle αt, i.e. α>αt.
DE 10 2011 079 421 A1 discloses a PKE system and method for authentication of access to a car and/or authentication for starting the car, involving the use of mobile device acting as a mobile identification provider with respect to an associated car. At least two antennae, which are arranged in the car at a mutual distance to each other, transmit independently in time respective electromagnetic signals. The spatial components of the field vectors (and hence the field vectors including the lengths, directions and senses) of the electromagnetic fields emitted from the first and at least a second antennae in the car are measured by the mobile identification provider, wherein the spatial components are defined with respect to a Cartesian coordinate system, which is in a fixed spatial relation (or posture) to the mobile identification provider. Then, the measured spatial components of the two measured field vectors are combined and interrelated, in order to check the degree of parallelism of the two respective field vectors. The mobile identification provider is determined to be recognized properly, if the degree of parallelism is below a predetermined threshold value.
The Applicant of the initial filing of the present patent application is marketing mobile devices for use in PKE systems, which are designed to measure the magnitude of the magnetic field vector, i.e. the length of the field vector, which is sensed locally at the position of the mobile device. These known industry solutions from the Applicant comprise a family of PKE keys, which were not designed for sign detection of the vector components. These PKE keys operate by measuring the X, Y and Z components of the field sequentially with one electronic measurement chain. The resulting value for each component is the maximum magnitude of that component in absolute value, i.e. without the sign of that component. The vectors measured by such a PKE key may be denoted {right arrow over (m1)} and {right arrow over (m2)}. They resemble a projection of the real magnetic field vectors  (herein also designated H1) and  (herein also designated H2) in the positive octant of the R3 space:{right arrow over (m1)}=(max |x1|,max |y1|,max |z1|){right arrow over (m2)}=(max |x2|,max |y2|,max |z2|)
A vector measured in a PKE system involving such a PKE key has a known maximum magnitude, which is the amplitude of the magnetic field, but an unknown direction and sense. By not knowing the real directions of the measured vectors {right arrow over (m1)} and {right arrow over (m2)} with such a PKE mobile device, such as the known industry solutions from the Applicant comprising a family of PKE keys, which were not designed for sign detection of the vector components, it is not possible to measure the real angle α between the real magnetic fields  and . Hence, such PKE mobile devices, as marketed hitherto, cannot be used to discriminate and/or recognize a 1D RSA, and cannot be used as a 1D RSA countermeasure.