Security Flaw in Automotive Keyless Entry

Recently, a security exploit was identified in automotive keyless entry systems.

Normally, the car sends out an RF ping to the fob on a low frequency, to which the fob responds on UHF.  If the system determines that the fob is nearby AND a hand is detected by a capacitive sensor, the car unlocks.  Also, if the fob is inside the car AND the ignition button is pressed, the car will start. 

The fallacy in this system is the assumption that signal strength implies distance.  The exploit involves amplifying the ping from the car so that the fob will respond even at a large distance.  The UHF back-channel is very strong and needs no further help up to 50 meters away or so.
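To make the flaw concrete, here is a small model of the unlock decision, added as an illustration and not taken from the post or from any vehicle's firmware. All signal levels, gains and the shield attenuation are constructed values, the function names are hypothetical, and the relay is simplified to a net gain on the LF ping.

```python
import math

# Constructed values for illustration; not measurements from any real vehicle.
LF_DBM_AT_1M = -20.0   # strength of the car's LF ping 1 m from the car
FOB_WAKE_DBM = -35.0   # weakest ping the fob will answer
UHF_RANGE_M = 50.0     # post: the UHF reply needs no help up to ~50 m

def lf_level_at_fob(distance_m, relay_gain_db=0.0, shield_loss_db=0.0):
    """Ping level at the fob; LF near-field power drops ~60 dB per decade."""
    path_loss_db = 60.0 * math.log10(max(distance_m, 0.1))
    return LF_DBM_AT_1M - path_loss_db + relay_gain_db - shield_loss_db

def fob_replies(distance_m, relay_gain_db=0.0, shield_loss_db=0.0):
    """The fob answers any ping it can hear; it cannot tell how far it travelled."""
    heard = lf_level_at_fob(distance_m, relay_gain_db, shield_loss_db) >= FOB_WAKE_DBM
    return heard and distance_m <= UHF_RANGE_M

def car_inputs(distance_m, hand_on_handle, **link):
    """Everything the unlock logic gets to see: two booleans, no distance."""
    return (fob_replies(distance_m, **link), hand_on_handle)

def car_unlocks(distance_m, hand_on_handle, **link):
    reply, hand = car_inputs(distance_m, hand_on_handle, **link)
    return reply and hand

# Constructed scenarios: how far the fob is, and what sits in the LF path.
SCENARIOS = {
    "owner at the door (1 m)": dict(distance_m=1.0),
    "fob 30 m away, no relay": dict(distance_m=30.0),
    "fob 30 m away, relayed ping": dict(distance_m=30.0, relay_gain_db=90.0),
    "same relay, fob in a shield": dict(distance_m=30.0, relay_gain_db=90.0,
                                        shield_loss_db=60.0),
    "fob 60 m away, relayed ping": dict(distance_m=60.0, relay_gain_db=110.0),
}

if __name__ == "__main__":
    for name, link in SCENARIOS.items():
        print(f"{name:30s} unlock={car_unlocks(hand_on_handle=True, **link)}")
```

The car receives identical inputs in the first and third scenarios, which is why it cannot tell a nearby fob from a relayed one; the shield works by keeping the ping below the fob's wake threshold.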

Others on the web have described the exploits in detail, but to me, the restaurant scenario is scariest.  The perpetrators observe the “mark” going into a restaurant for dinner after parking his car.  Bad Guy A goes in and stands next to the mark with a briefcase.  Bad Guy B stands next to the car with another briefcase.  Briefcase contains... “electronic stuff”.  Open car and burgle. This has been demonstrated.

Steve Gibson covers this and provides pointers to resources at his site HERE, Episode #508.

You can also watch the video of his podcast at TWiT.tv HERE.

And finally, here is a video of a simple shield solution costing less than $2 that I tested....

Spencer Webb