
How Secure is the Key Card?

This has been posted a lot of times, but it seems appropriate to post again. A long password that takes a while to enter does not necessarily mean a password that is hard to remember.
[image: password_strength.png]

Exactly! I do the above.

For my kids, we came up with a phrase and took the first three letters from each word.

For their pin, they made up a 4 digit pin and mixed in my phone number. Side benefit - now they know my phone number! It was required to play their games :)

With 4 digits, half their friends had it figured out quickly and were accessing their devices (no Touch ID).
I think the answer to the question of this thread is: the Key Card is more secure than the phone app. The phone is susceptible to the same kind of "relay attack" that any walk-up unlocking system is. See "Just Two of These $11 Gadgets Can Steal a Car". But a key card, which has a very short transmitting distance, would be much less susceptible to this type of attack.
It’s highly likely that the phone uses an encrypted communication channel and one of several techniques to prevent relay attacks. Since the initial pairing process requires the phone to have an internet connection, it’s more than likely downloading certificates to enable encryption.
 
It's highly likely both are susceptible to that style of attack, but the relay device for the card-based system would need to be right in your personal space due to the minimal range.
I see what you did there...

Considering that it’s two high powered computers talking to each other (as opposed to a dumb device like a key fob), protecting against relay attacks is trivial. And since both the car and the key (phone) are capable of OTA updates, any problems can easily be fixed.
 
I didn't do anything except point out that both are probably susceptible to relay attacks.

Your assumption that it's fixable in software is questionable: if the hardware doesn't support it (high-precision timing, etc.) then you are SOL. The fact that the phone is running an operating system that may require clock cycles at any time may make predictable/repeatable timing cycles difficult or impossible.

Also the assumption that the card can't also be updated may be false.
 
Only one side (the car) needs to care about timing. The only thing the phone needs to do is be able to quickly sign a message and send it back - not exactly rocket science. And we already know that proximity detection is supported in Bluetooth in both the car and the phone.

As for updating the card - generally these types of cards are in the "cheap and replaceable" category and are not able to be updated, but I suppose anything is possible.
 
 
Timing on both sides is critical if you are using round-trip time to determine distance. Radio signals travel at the speed of light, so if your phone takes 1/4 of a millisecond to finish what it is doing before servicing the received Bluetooth transmission, that is the same time a relay attack transmission from 22 miles away would add to the round-trip time. A relay attack from a few hundred yards away would be more typical, and you wouldn't be able to differentiate that from a slightly slower processor on the phone (1 millionth of a second), even if there was a non-variable delay between receiving the Bluetooth packet and starting to process it.

Bluetooth proximity detection appears to be based on signal strength, not time of flight, so turning up the transmit power on the repeater circuit is a simple way to appear closer.

The only quick way I can see to defeat some relay attacks is to use the phone's GPS location in the encrypted response, but that's not super accurate or available at all times, so it would still leave large windows where a relay attack could be successful.
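Worked numbers behind the round-trip-time and signal-strength points in the post above. This is an added illustration, not code from anyone in this thread or from Tesla; the speed-of-light constant is real, but the nominal phone processing delay, the jitter budgets and the -59 dBm reference level for the RSSI model are assumed figures chosen for the demonstration.

```python
"""Why round-trip-time (RTT) distance bounding needs tight timing, and why
signal-strength (RSSI) proximity can be fooled by amplification.
Constructed illustration: processing delay, jitter budgets and the RSSI
reference level are assumptions, not measured values from any real car."""

C_M_PER_S = 299_792_458.0   # speed of light; radio in air is within ~0.03% of this
MILE_M = 1609.344


def relay_extra_rtt_s(relay_distance_m):
    """Extra round-trip time a relay adds when the genuine key is really
    relay_distance_m further away than it appears (challenge out, reply back)."""
    return 2.0 * relay_distance_m / C_M_PER_S


def distance_uncertainty_m(timing_uncertainty_s):
    """Distance the car cannot resolve if the responder's reply time varies by
    timing_uncertainty_s (halved because the RTT covers both directions)."""
    return C_M_PER_S * timing_uncertainty_s / 2.0


def relay_detectable(relay_distance_m, responder_jitter_s):
    """A pure-RTT verifier can only flag a relay whose added path exceeds the
    distance hidden by the responder's timing jitter."""
    return relay_distance_m > distance_uncertainty_m(responder_jitter_s)


def rtt_distance_bound_m(measured_rtt_s, nominal_processing_s):
    """Car-side estimate: subtract the key's nominal (assumed fixed) processing
    delay and convert the remaining RTT to a one-way distance."""
    return max(0.0, measured_rtt_s - nominal_processing_s) * C_M_PER_S / 2.0


def rssi_distance_m(rssi_dbm, ref_rssi_at_1m_dbm=-59.0, path_loss_exponent=2.0):
    """Log-distance path-loss estimate of the kind RSSI proximity schemes use.
    The reference level of -59 dBm at 1 m is an assumed figure."""
    return 10.0 ** ((ref_rssi_at_1m_dbm - rssi_dbm) / (10.0 * path_loss_exponent))


def rssi_distance_with_gain_m(rssi_dbm, extra_gain_db, **kwargs):
    """Same estimate when the received signal is extra_gain_db stronger than the
    true path would give: the car infers a shorter distance than reality."""
    return rssi_distance_m(rssi_dbm + extra_gain_db, **kwargs)


if __name__ == "__main__":
    print(f"relay 22 miles away adds {relay_extra_rtt_s(22 * MILE_M) * 1e3:.3f} ms to the RTT")
    print(f"1 us of responder jitter hides {distance_uncertainty_m(1e-6):.0f} m of path")
    print(f"300 m relay vs 1 us jitter detectable:   {relay_detectable(300.0, 1e-6)}")
    print(f"300 m relay vs 2.5 us jitter detectable: {relay_detectable(300.0, 2.5e-6)}")
    print(f"key 2 m away, 100 us nominal delay -> bound {rtt_distance_bound_m(4.0 / C_M_PER_S + 100e-6, 100e-6):.2f} m")
    print(f"RSSI -79 dBm reads as {rssi_distance_m(-79.0):.1f} m; "
          f"20 dB stronger reads as {rssi_distance_with_gain_m(-79.0, 20.0):.1f} m")
```

Running it reproduces the post's figures: a quarter of a millisecond of phone delay corresponds to roughly 22 miles of relayed path, a microsecond of scheduling jitter hides about 150 m, and a 20 dB gain in received signal makes a 10 m path look like 1 m under a free-space path-loss model. The defender's takeaway is that RTT bounding only works when the responder's reply latency is fixed to well under a microsecond, which is a hardware property, and that RSSI alone should not be treated as a distance measurement.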
 


You seem to know an awful lot about these attacks.

Maybe YOU'RE the guy I don't want around me when I'm unlocking my car. ;)