This application claims foreign priority benefits under 35 U.S.C. § 119(a)-(d) to DE Application 10 2017 200 378.2 filed Jan. 11, 2017, which is hereby incorporated by reference in its entirety.
The disclosure relates to a method to secure a system for passive unlocking of a vehicle system, particularly a vehicle unlocking system, against a relay station attack.
A keyless entry system is a system to unlock a vehicle without actively using a car key, and to start a vehicle by merely operating the starter button, namely using a radio key that the vehicle driver carries. If only passive vehicle unlocking is possible, this is referred to as keyless entry.
When the user approaches the vehicle or e.g. touches the door handle of the vehicle, the device installed in the vehicle is woken and sends, to the radio key, a radio signal at a first frequency, preferably (but not necessarily) more likely at a low frequency of typically <300 kHz, which radio signal includes an encoded enquiry signal. The radio key decodes the enquiry signal, provides it with a new coding and transmits it again as a response signal on a second, preferably higher, frequency, for example one in the UHF band, as illustrated in
A range of the radio signal at the first, preferably lower, frequency is restricted to a few meters, for the most part approximately 3 meters, so that only a radio key situated close to the vehicle can be woken or activated by the vehicle-based device.
A relay station attack (RSA) primarily extends the range of the radio signal at the preferably lower frequency using two relay stations, a first in proximity to the vehicle door and a second in proximity to the person who carries the radio key, as described below with reference to
An attacker who carries the first relay station wakes the vehicle-based device, e.g. by touching the door handle, so that it sends the radio signal at the first frequency. This radio signal is received by the first relay station and sent thereby on the second (normally, but not necessarily, much higher) frequency to the second relay station, which converts it back into the original radio signal of the first frequency and sends it to the radio key.
The response signal of the radio key is normally strong enough to span the distance back to the vehicle, and opens the vehicle (what is known as the minor variant of the RSA). If the response signal of the radio key is not strong enough, the relay stations can provide a return channel that extends the range of the radio signal at the higher frequency (what is known as the major variant of the RSA).
DE 103 01 146 A1 discloses a method to secure a system for passive vehicle unlocking against relay station attacks. The vehicle-based device regularly monitors the natural RF signal level received by it and identifies a relay station from interference in the natural RF signal level, which interference is identified by a noise test.
US 2016/0200291 A1 discloses a method to secure a system for passive vehicle unlocking against relay station attacks insofar as a low-frequency unidirectional and a high-frequency bidirectional radio link are provided. It is thus possible for noise signals to be identified that any relay stations have added to the radio signals.
US 2013/0078906 A1 describes a method to secure a radio link between a transmitter and a receiver, also for remote-controlled opening of a vehicle, against relay station attacks, the intervention of relay stations being identified on the basis of the effect thereof on the noise in the signal received by the receiver. To this end, characteristic noise parameters are extracted and compared with a reference noise signal.
The known methods for preventing relay station attacks are not invulnerable, and therefore the disclosure is based on the object of specifying a more reliable method to secure a system for passive vehicle unlocking against relay station attacks.
This object is achieved by a method and an apparatus to secure a system for passive vehicle unlocking against relay station attacks.
According to the disclosure, two devices each receive an ambient noise signal on a radio frequency on which they both receive. One of the two devices sends the ambient noise signal received by it to the other device, where the ambient noise signal is compared with the ambient noise signal received here. A current situation is deemed safe if the ambient noise signals received by both match in terms of prescribed features, because in this case a distance between a vehicle and a radio key is actually small, and a current relay station attack is pointless or barely possible, and the vehicle is unlocked.
The disclosure is based on there being sufficient, multifrequency, ambient noise from radio waves practically everywhere, which ambient noise for the most part comes from a multiplicity of technical sources, but may also have natural causes.
In a frequency band in which the vehicle-based device and the radio key both have appropriate receivers, this ambient noise can be received by both devices, and one of the devices, preferably the radio key, can send the ambient noise received to the other device, preferably to a vehicle-based device, where the ambient noise is compared with the ambient noise received here.
The transmission of the ambient noise signal can either comprise transmission of a complete ambient noise signal sequence, or, to shorten the transmission times or the data volumes, it is possible for just one or more characteristic features of the ambient noise signal, e.g. particular amplitudes at particular sample times etc., to be transmitted.
To shorten the communication times, it is further conceivable for the ambient noise signals to be “preventively” captured both by transmitter and by receiver continually or at particular intervals of time before the actual key activation, and for it to be possible to resort to the already collected ambient signal patterns in a matching time period when the key signal is present.
In a preferred embodiment of the disclosure, ambient noise signal sequences received at different locations are compared with one another using cross-correlation, which describes the correlation between two time-shifted signals. An unlock command from the radio key is complied with by the vehicle only if the cross-correlation is both strong, and thus exhibits a high level of similarity between the two ambient noise signal sequences, and exhibits only a small phase shift, which indicates that the radio key is close to the vehicle and the current situation is clearly safe.
On the other hand, the current situation is deemed unsafe if the cross-correlation is weak or if the cross-correlation is strong and its phase shift is large, because in this case a distance between the vehicle and radio key is great, and it is possible for a relay station attack to take place right now, and the vehicle remains locked.
Preferably, the second radio frequency is chosen to be higher than the first radio frequency. Lower frequencies—at least at comparable transmission powers—normally result in a shorter range, which is why the first radio signal has limited range per se, as is desired in certain embodiments, as a result of use of the low frequency, whereas the second radio signal at higher frequency (typically in the UHF band) has a longer range and thus provides a more secure and more powerful transmission link.
The use of these different frequency bands is by no means mandatory for the actual disclosure, however. Fundamentally, the first and second frequencies may also be the same or almost the same (e.g. as part of a bidirectional radio transmission protocol), in which case differently desired ranges can be achieved through different transmission powers, for example.
However, it is also possible to dispense with different ranges entirely if need be, since the inventive concept of comparison of the ambient noise patterns may already allow sufficiently secure verification of whether or not the radio key is in physical proximity to the vehicle.
Further, in a preferred embodiment, an at least one ambient noise signal sequence can be sent to the other device on the second radio frequency.
The disclosure provides information, independent of any attackers, about an actual distance between the vehicle and radio key that cannot be determined using known methods, which is why the system for passive vehicle unlocking equipped therewith is particularly secure.
There follows a description of exemplary embodiments with reference to the drawings, in which:
As required, detailed embodiments of the present disclosure are disclosed herein; however, it is to be understood that the disclosed embodiments are merely exemplary of the disclosure that may be embodied in various and alternative forms. The figures are not necessarily to scale; some features may be exaggerated or minimized to show details of particular components. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a representative basis for teaching one skilled in the art to variously employ the present disclosure.
In the event of a relay station attack on a system as in
One option is for two ambient noise signal sequences to be very different, as depicted as noise 1 and noise 2 in
Alternatively, a radio key 2 and a device 1 installed in the vehicle will both receive a dominant signal, as a result of which the cross-correlation is high. However, there will be a phase shift between them that is substantially larger than can be expected without a relay station attack.
The method to secure a system for passive vehicle unlocking is now described in steps with reference to
When the user approaches the vehicle, the radio key 2 is woken (S1) by the device installed therein, with the device sending to the radio key 2, a relatively low-frequency radio signal with an encoded enquiry signal (S2) that is decoded (S3) by the radio key 2.
The device 1 installed in the vehicle and the radio key 2 now both sample the noise in their surroundings (S4), each obtaining and recording one or more ambient noise signal sequences. The sampling rate naturally needs to be the same and will, in practice, more likely be the UHF frequency used for keyless entry, but it may also be the lower frequency on which the enquiry signal is sent if both devices have appropriate receivers. Ultimately, it is also possible to use a frequency (a frequency band would also be conceivable) that differs from the prescribed frequencies; this frequency (or this frequency band) merely needs to be samplable by the given hardware on the vehicle and on the radio key 2.
The radio key 2 now computes a response signal (S5) and returns the response signal to the device 1 installed on the vehicle together with one or more sampled ambient noise signal frequencies on the UHF frequency, not only a response signal being encoded but also, expediently, ambient noise signal sequences being encoded (S6 and
The device 1 installed in the vehicle receives the response signal and the sampled noise, decodes the response signal and checks whether the response signal matches the response signal that is to be expected (S7). If not, it leaves the vehicle locked (S11), and otherwise the device 1 installed in the vehicle also decodes the ambient noise signal sequences (S8) sampled by the radio key 2.
The device 1 installed in the vehicle now compares the ambient noise signal sequences received and the ambient noise signal sequences received by the radio key 2 with cross-correlation (S9) and rates a result thereof, to distinguish between the following three cases:
Weak cross-correlation, as illustrated in graphs c) and d) in
Strong cross-correlation and large phase shift as in graph b) in
Strong cross-correlation with small phase shift as in graph a) in
While exemplary embodiments are described above, it is not intended that these embodiments describe all possible forms of the disclosure. Rather, the words used in the specification are words of description rather than limitation, and it is understood that various changes may be made without departing from the spirit and scope of the disclosure. Additionally, the features of various implementing embodiments may be combined to form further embodiments of the disclosure.
Number | Date | Country | Kind |
---|---|---|---|
10 2017 200 378 | Jan 2017 | DE | national |
Number | Name | Date | Kind |
---|---|---|---|
8195422 | Wilcox | Jun 2012 | B2 |
8976005 | Zivkovic et al. | Mar 2015 | B2 |
9875589 | Buttolo | Jan 2018 | B1 |
20060255909 | Pavatith et al. | Nov 2006 | A1 |
20100321154 | Ghabra et al. | Dec 2010 | A1 |
20130078906 | Ben Hamida et al. | Mar 2013 | A1 |
20140067161 | Conner et al. | Mar 2014 | A1 |
20140240088 | Robinette et al. | Aug 2014 | A1 |
20160200291 | Kim et al. | Jul 2016 | A1 |
20160234684 | Hekstra | Aug 2016 | A1 |
20160302074 | Hekstra | Oct 2016 | A1 |
20160323246 | Zivkovic | Nov 2016 | A1 |
20180194322 | Mueller | Jul 2018 | A1 |
20180254870 | Dutz | Sep 2018 | A1 |
20180254910 | Dutz | Sep 2018 | A1 |
20180254923 | Dutz | Sep 2018 | A1 |
Number | Date | Country |
---|---|---|
4440855 | May 1996 | DE |
102009014975 | Sep 2010 | DE |
1690758 | Aug 2006 | EP |
2015026001 | Feb 2015 | WO |
Number | Date | Country | |
---|---|---|---|
20180194322 A1 | Jul 2018 | US |