Ultra-Wideband Key Fobs Close a Loophole That Car Thieves Exploit

Car thieves are getting better and better at exploiting security gaps in hands-free unlocking and keyless start systems. According to recent statistics from the U.K. , in fact, criminals hack cars’ keyless entry today more often than resorting to the old-fashioned, physical lock-picking (a.k.a. slim jim ) method. And now a new generation of key fob and car security chip systems are being developed to stop tech-savvy car thieves cold. STMicroelectronics , based in Plan-les-Ouates, Switzerland, is one of several suppliers developing upgraded security chips for cars, smart locks, and other products. Last month the company released its ST64UWB line , designed in part to patch an exploit that thieves had previously used. The weakness in previous-generation systems concerns car locks that verify a key’s identity only, not the distance to that key as well. Even when automakers add ultra-wideband (UWB)—a secure, short-range wireless communication technology using high-frequency pulses to measure distance—the automakers often treat UWB tech as optional. When UWB distance measurements become unreliable, such as when a key is buried in a bag or in a pocket alongside other items, the security systems neglect distance data altogether. Enforcing Distance as a Security Signal Automakers and chipmakers are now trying to remove that loophole. Because while ultra-wideband chip technology is not new, what is changing is how reliably it works in real-world conditions—and whether vehicles can depend on UWB every time. Car thieves have developed exploits that rely on the loophole. One way to do so involves using two cheap transmitter-receiver radios that act as signal repeaters. A common scenario: A pair of crooks spies out a vehicle parked on a driveway and decides to take it. One stands right outside the front door, guessing that the car owner’s key ring is hanging on a wall near the entrance. His partner in crime stands near the vehicle. What makes this attack possible is that the key fob never goes silent—it regularly broadcasts a low-power radio signal, even when it’s sitting on a hook inside the house, because the car is always quietly asking whether a valid key is nearby. The thieves exploit that constant chatter between car and key fob: their radios pick up the fob’s signal leaking through the wall and amplify the signal to a level that the car can pick up. The car receives what seems like a valid key right outside its door. And no button is ever pressed. No glass is broken or lock jimmied. The car accepts the relayed signal as proof of the key fob’s presence—although the fob is still just hanging on the hook inside the house. As the above example shows, signal strength can be manipulated with amplification or directional antennas . But the advantage of the new UWB system is that signal timing is much harder to spoof. Neal Patwari , a University of Utah professor of electrical and computer engineering who studies wireless networks and statistical signal processing , explains that attackers cannot make a signal transmitted from a key fob to a car’s security chip arrive sooner than the laws of physics allow. The thieves can only delay the signal—and delay makes the key fob appear farther away, not closer. That constraint is what allows automakers to treat proximity as a security check. “This moves security from ‘Is the key valid?’ to ‘Is the valid key physically close enough?’” says Rene Wutte , STMicroelectronics head of marketing for the company’s ranging and connectivity division. Instead of inferring distance from signal strength, ultra-wideband technology key fobs and car locks provide higher-security access to a vehicle based on signal travel time. STMicroelectronics What UWB Does—and Does Not Solve The new ultra-wideband chips make it difficult to fake proximity, but UWB does not eliminate all wireless vulnerabilities. Attackers can still jam the radio channel. As Patwari points out, interference can block a lock command when a driver presses the button, leaving the vehicle unlocked because it never receives the signal. That attack does not grant access. It prevents a security action from completing. “But if my headlights don’t flash [indicating that the car has locked the doors], I’ll just push the button again,” says Patwari. “I won’t leave the car until I get that confirmation.” The scale of the problem is now visible in official data. As noted above, according to Crime Survey for England and Wales data published by the Office for National Statistics , 58 percent of vehicle thefts there involve keyless entry methods, including relay attacks. The Association of British Insurers corroborates that finding, linking a rising proportion of motor theft claims to exploitation of keyless systems. Thatcham Research , which performs automotive risk analysis, and Tracker , which specializes in stolen vehicle recovery, also identify relay-style attacks as a leading method in modern vehicle theft. Mark Rose , managing director at Tracker, recently told the Insurance Times that, “As technology advances, organized criminal gangs develop increasingly sophisticated techniques to overcome existing vehicle security.” The remaining challenge is enforcement. If vehicles require distance verification every time, relay attacks become far harder to execute. If the systems still allow fallback—relaxing the physical proximity requirement that the improved UWB chips can enable—the vulnerability remains. Chipmakers like STMicroelectronics and their competitors are betting that improved reliability and increased security will make that choice easier.