Key is in the Air: Hacking Remote Keyless Entry Systems

  • Omar Adel IbrahimEmail author
  • Ahmed Mohamed HussainEmail author
  • Gabriele OligeriEmail author
  • Roberto Di PietroEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11552)


A Remote Keyless Systems (RKS) is an electronic lock that controls access to a building or vehicle without using a traditional mechanical key. Although RKS have become more and more robust over time, in this paper we show that specifically designed attack strategies are still effective against them. In particular, we show how RKS can be exploited to efficiently hijack cars’ locks.

Our new attack strategy—inspired to a previously introduced strategy named jam-listen-replay—only requires a jammer and a signal logger. We prove the effectiveness of our attack against six different car models. The attack is successful in all of the tested cases, and for a wide range of system parameters. We further compare our solution against state of the art attacks, showing that the discovered vulnerabilities enhance over past attacks, and conclude that RKS solutions cannot be considered secure, calling for further research on the topic.


  1. 1.
    Gqrx SDR. Accessed 26 June 2018
  2. 2.
    Remote Keyless Systems. Accessed 26 June 2018
  3. 3.
    Alrabady, A.I., Mahmud, S.M.: Some attacks against vehicles’ passive entry security systems and their solutions. IEEE Trans. Veh. Technol. 52(2), 431–439 (2003)CrossRefGoogle Scholar
  4. 4.
    van de Beek, S., Leferink, F.: Vulnerability of remote keyless-entry systems against pulsed electromagnetic interference and possible improvements. IEEE Trans. Electromagnet. Compat. 58(4), 1259–1265 (2016)CrossRefGoogle Scholar
  5. 5.
    van de Beek, S., Vogt-Ardatjew, R., Leferink, F.: Robustness of remote keyless entry systems to intentional electromagnetic interference. In: 2014 International Symposium on Electromagnetic Compatibility, pp. 1242–1245, September 2014Google Scholar
  6. 6.
    Di Pietro, R., Oligeri, G.: Jamming mitigation in cognitive radio networks. IEEE Netw. 27(3), 10–15 (2013)CrossRefGoogle Scholar
  7. 7.
    Di Pietro, R., Oligeri, G.: Freedom of speech: thwarting jammers via a probabilistic approach. In: Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks, WiSec 2015, pp. 4:1–4:6. ACM, New York (2015)Google Scholar
  8. 8.
    Di Pietro, R., Oligeri, G.: Silence is golden: exploiting jamming and radio silence to communicate. ACM Trans. Inf. Syst. Secur. 17(3), 9:1–9:24 (2015)CrossRefGoogle Scholar
  9. 9.
    Di Pietro, R., Oligeri, G.: Enabling broadcast communications in presence of jamming via probabilistic pairing. Comput. Netw. 116, 33–46 (2017)CrossRefGoogle Scholar
  10. 10.
    Francillon, A., Danev, B., Capkun, S.: Relay attacks on passive keyless entry and start systems in modern cars. In: Proceedings of the Network and Distributed System Security Symposium (NDSS). Eidgenössische Technische Hochschule Zürich, Department of Computer Science (2011)Google Scholar
  11. 11.
    Kamkar, S.: Drive it like you hacked it: new attacks and tools to wirelessly steal cars. In: DEFCON 23 (2015)Google Scholar
  12. 12.
    Wang, X., Hou, X., Rios, R., Hallgren, P., Tippenhauer, N.O., Ochoa, M.: Location proximity attacks against mobile targets: analytical bounds and attacker strategies. In: Proceedings of the European Symposium on Research in Computer Security (ESORICS), September 2018Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Division of Information and Computing Technology, College of Science and EngineeringHamad Bin Khalifa UniversityDohaQatar
  2. 2.Electrical Engineering Department, College of EngineeringQatar UniversityDohaQatar

Personalised recommendations