Known authentication systems for vehicles such as “passive keyless systems” or “hands-free entry/go systems” or “keyless entry systems” do not require an authentication tool or a key to be used to activate certain actions.
Thus, it is possible with such systems, for example, to unlock a vehicle without active use of an authentication tool or car key and to start the vehicle by merely pressing a start button. This is made possible by the authentication tool or a keyless entry key with a chip that the user keeps on hand.
When systems known from the state of the art are used, the vehicle sends a weak signal with a range of a few meters, which is received by the authentication tool. The authentication tool then sends a signal to the vehicle, which the vehicle uses to determine whether the authentication tool is authorized and then, based on that determination, whether access or driving authentication commands can be implemented.
Thus, such authentication systems no longer require a deliberate user interaction on the authentication tool. Instead, they merely check whether the authentication tool is in the immediate vicinity of the car (in the case of access) or inside the car (in the case of driving authentication) at the moment when an authentication check is supposed to take place.
In the context of these authentication or keyless entry systems, attack scenarios relying on special properties of the technologies associated with these systems are brought to the foreground.
Thus, attack scenarios are currently known which extend the associated transmission path of the authentication system or the transmission path between the key and the vehicle. These scenarios are known as relay station attacks (RSAs).
When this type of relay station attack is carried out, the signal of the vehicle to the authentication tool is forwarded or extended via a pair of antennas. An antenna/relay station must be close to the vehicle (typically fewer than 2 meters away) and the other antenna/relay station must be close to the authorized authentication tool (typically fewer than 2 meters away). The distance between the two relay stations (wireless transmission extension stations) can be very large here and is merely dependent on the specific implementation of the relay stations, whose objective is typically criminal in nature and on which it cannot be assumed that regulatory provisions have a limiting effect.
Consequently, the vehicle can be opened or started through a relay attack, even though the associated authentication tool is located outside of the usual distance for opening the vehicle or for driving authentication.
There are a wide variety of technological approaches that make an RSA on keyless entry systems more difficult or even impossible. However, up to this point, these observations have been focused on the hands-free function and no one has considered the fact that there is a fallback solution for the actual convenience-driven hands-free function and the driving authentication function: an emergency start. This is designed to ensure that a vehicle is still able to start if an authentication tool has a power supply that is weak, defective or there is no power supply at all, or if it has any other defect.
This fallback solution is typically implemented in a configuration that requires the driver to hold the authentication tool at a specific position inside or outside the vehicle where a vehicle RFID transponder read coil is attached.
This coil supplies power to the authentication tool over a transformer coupling, which allows challenge-response communication to be conducted between the vehicle and the authentication tool. This process checks whether the authentication tool is authorized for the respective vehicle.
This emergency function involving supplying the authentication tool with power and communication for the purpose of authentication between the authentication tool and vehicle is also known as transponding. In the case of keyless entry systems, this is a fallback solution or emergency start.
Consequently, in addition to the actual keyless entry (hands-free function), there is a second, parallel path for acquiring driving authentication. This second path guarantees an emergency start function that has the purpose of ensuring the availability of functions such as the driving authentication function. Therefore, the aforementioned emergency start function can be used for tasks such as gaining access to a vehicle and starting it using an RSA.