Paper 2010/332

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

Aurelien Francillon, Boris Danev, and Srdjan Capkun


We demonstrate relay attacks on Passive Keyless Entry and Start (PKES) systems used in modern cars. We build two efficient and inexpensive attack realizations, wired and wireless physical-layer relays, that allow the attacker to enter and start a car by relaying messages between the car and the smart key. Our relays are completely independent of the modulation, protocol, or presence of strong authentication and encryption. We perform an extensive evaluation on 10 car models from 8 manufacturers. Our results show that relaying the signal in one direction only (from the car to the key) is sufficient to perform the attack while the true distance between the key and car remains large (tested up to 50 meters, non line-of-sight). We also show that, with our setup, the smart key can be excited from up to 8 meters. This removes the need for the attacker to get close to the key in order to establish the relay. We further analyze and discuss critical system characteristics. Given the generality of the relay attack and the number of evaluated systems, it is likely that all PKES systems based on similar designs are also vulnerable to the same attack. Finally, we propose immediate mitigation measures that minimize the risk of relay attacks as well as recent solutions that may prevent relay attacks while preserving the convenience of use, for which PKES systems were initially introduced.

Available format(s)
Publication info
Published elsewhere. To Appear In Proceedings of NDSS (Network and Distributed System Security Symposium), 2011
cryptographic protocols
Contact author(s)
capkuns @ inf ethz ch
2010-10-21: last of 5 revisions
2010-06-08: received
See all versions
Short URL
Creative Commons Attribution


      author = {Aurelien Francillon and Boris Danev and Srdjan Capkun},
      title = {Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars},
      howpublished = {Cryptology ePrint Archive, Paper 2010/332},
      year = {2010},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.