WO2001025060A9 - Relay attach detection of a secure vehicle command communication - Google Patents

Relay attach detection of a secure vehicle command communication

Info

Publication number: WO2001025060A9
Authority: WO, WIPO (PCT)
Prior art keywords: frequency, challenge, signal, response, fob
Application number: PCT/US2000/027098
Other languages: French (fr)
Other versions: WO2001025060A2 (en), WO2001025060A3 (en)
Inventor: Tejas Desai
Original Assignee: Siemens Automotive Corp Lp
Application filed by: Siemens Automotive Corp Lp
Priority to EP00967230A (patent EP1216172A2)
Priority to JP2001528027A (patent JP2003512218A)
Publications: WO2001025060A2, WO2001025060A3, WO2001025060A9

Classifications

    • B PERFORMING OPERATIONS; TRANSPORTING
    • B60 VEHICLES IN GENERAL
    • B60R VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R25/00 Fittings or systems for preventing or indicating unauthorised use or theft of vehicles
    • B60R25/20 Means to switch the anti-theft system on or off
    • B60R25/24 Means to switch the anti-theft system on or off using electronic identifiers containing a code not memorised by the user
    • G PHYSICS
    • G01 MEASURING; TESTING
    • G01S RADIO DIRECTION-FINDING; RADIO NAVIGATION; DETERMINING DISTANCE OR VELOCITY BY USE OF RADIO WAVES; LOCATING OR PRESENCE-DETECTING BY USE OF THE REFLECTION OR RERADIATION OF RADIO WAVES; ANALOGOUS ARRANGEMENTS USING OTHER WAVES
    • G01S13/00 Systems using the reflection or reradiation of radio waves, e.g. radar systems; Analogous systems using reflection or reradiation of waves whose nature or wavelength is irrelevant or unspecified
    • G01S13/74 Systems using reradiation of radio waves, e.g. secondary radar systems; Analogous systems
    • G01S13/82 Systems using reradiation of radio waves, e.g. secondary radar systems; Analogous systems wherein continuous-type signals are transmitted
    • G01S13/825 Systems using reradiation of radio waves, e.g. secondary radar systems; Analogous systems wherein continuous-type signals are transmitted with exchange of information between interrogator and responder
    • G01S13/02 Systems using reflection of radio waves, e.g. primary radar systems; Analogous systems
    • G01S13/06 Systems determining position data of a target
    • G01S13/08 Systems for measuring distance only
    • G01S13/32 Systems for measuring distance only using transmission of continuous waves, whether amplitude-, frequency-, or phase-modulated, or unmodulated
    • G01S13/34 Systems for measuring distance only using transmission of continuous waves, whether amplitude-, frequency-, or phase-modulated, or unmodulated using transmission of continuous, frequency-modulated waves while heterodyning the received signal, or a signal derived therefrom, with a locally-generated signal related to the contemporaneously transmitted signal
    • G01S13/343 Systems for measuring distance only using transmission of continuous waves, whether amplitude-, frequency-, or phase-modulated, or unmodulated using transmission of continuous, frequency-modulated waves while heterodyning the received signal, or a signal derived therefrom, with a locally-generated signal related to the contemporaneously transmitted signal using sawtooth modulation
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • G07C9/00174 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
    • G07C9/00309 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks
    • G07C2009/00388 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks code verification carried out according to the challenge/response method
    • G07C2009/00396 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks code verification carried out according to the challenge/response method starting with prompting the keyless data carrier
    • G07C2009/00555 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks comprising means to detect or avoid relay attacks
    • G07C2009/00753 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated by active electrical keys
    • G07C2009/00769 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated by active electrical keys with data transmission performed by wireless means
    • G07C2009/00793 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated by active electrical keys with data transmission performed by wireless means by Hertzian waves
    • G07C2009/00968 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys shape of the data carrier
    • G07C2009/00984 Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys shape of the data carrier fob
    • G07C2209/00 Indexing scheme relating to groups G07C9/00 - G07C9/38
    • G07C2209/60 Indexing scheme relating to groups G07C9/00174 - G07C9/00944
    • G07C2209/61 Signal comprising different frequencies, e.g. frequency hopping

Definitions

  • the 315 MHz amplitude shift key coded response signal transmitted from the antenna 46 on the fob 16 is received by the receiving antenna 50 on vehicle security system 14.
  • a 9.509375 GHz crystal 52 controls oscillator 54 to provide an oscillating signal which is stepped down by frequency divider 56 to provide a 304.3 MHz signal which is mixed with the 315 MHz signal received from the fob 16 on antenna 15.
  • Resulting 10.7 MHz signal 58 is buffered by buffers 60, and evaluated by micro controller 20. If the proper coded response signal is received by micro controller 20, then the micro controller 20 proceeds to an evaluation of the delay during a subsequent challenge and response signal, which may also use encryption or rolling codes.
  • the micro controller 20 then controls voltage control oscillator 26 to provide a ramp oscillating signal, preferably centered around 125 kHz.
  • the signal is transmitted by antenna 24 and received by antenna 30 of the fob 16.
  • Micro controller 36 controls switch 43 to utilize the incoming signal on antenna 30 as the reference oscillator (rather than oscillator 40 with crystal 42).
  • This low frequency signal centered around 125 kHz, is stepped up by frequency multiplier 70, stepped down by frequency divider 44 and amplitude shift key modulated by switch 38 and micro controller 36 and transmitted by antenna 46.
  • the oscillating signal from voltage-controlled oscillator 26 is amplitude shift key modulated by switch 22 in micro controller 20 and transmitted by antenna 24.
  • the response signal from the fob 16 changes accordingly.
  • This response signal is received by antenna 50 on the vehicle system 14 and mixed down to 125 kHz.
  • This signal is then mixed with the signal from the voltage controlled oscillator 26 by mixer 76.
  • the resulting signal is an error frequency 78, the frequency of which is equal to the difference between the frequency of voltage controlled oscillator 26 and that of the step down frequency of the response signal from the fob 16.
  • This error frequency 78 is evaluated by micro controller 20 and/or additional hard-wired circuitry. If the error frequency 78 exceeds a predetermined threshold, then the delay between the challenge signal and response signal is determined to be too great, identification fails, and access to the vehicle 12 is denied.
  • the stepped down frequency of the response signal would match the frequency of the voltage control oscillator 26 and the error frequency 78 would be zero (or dc).
  • the frequency of the voltage controlled oscillator 26 is increasing, delay between the challenge signal and response signal results in the frequency of the voltage controlled oscillator 26 being higher than that of the stepped down response signal at mixer 78, and thus a higher error frequency 78.
  • the frequency of the challenge signal increases over time (preferably, but not necessarily linearly).
  • the slope of the response signal from the fob 16 (shown stepped down to the 125 kHz range) is the same as that of the challenge signal, although shifted to the right by the amount of delay, shown as delta t.
  • the error frequency, as can be seen, is directly representative of the delay, delta t. It is anticipated that delta t for a proper response signal from the fob 16 would be on the order of 100 ns, while the delta t for a relay attack signal would be on the order of several microseconds and would thus result in a much higher error frequency (depending upon the slope of the challenge signal).

Abstract

A passive remote entry system evaluates the delay between a challenge signal from the security system and a response signal from the passive fob. If the delay exceeds a threshold, identification fails and access is denied. The fob utilizes the signal from the security system as a reference signal for transmitting its response signal. The security system generates a challenge signal with a changing frequency, which is compared to the frequency of the response signal. Any lag in the change of the frequency in the response signal compared to the change in the frequency of the challenge signal is indicative of the amount of delay between the challenge and response signal.

Description

RELAY ATTACH DETECTION OF A SECURE VEHICLE COMMAND COMMUNICATION
BACKGROUND OF THE INVENTION
The present invention relates to a vehicle security system, and more particularly to a passive remote entry system that is resistant to relay attacks.
Remote control units such as key fobs for remotely controlling functions of vehicles are well known. Currently, the original equipment for many vehicles includes a wireless transmitter for arming/disarming the car alarm and/or locking or unlocking the car doors. Furthermore, other systems are available which control these and other functions, such as energizing the car starter to start the engine.
The user selects the desired function by pressing the associated button on the transmitter keypad, and the transmitter responds by transmitting the appropriate signal and/or code. However, this requires a user to have access to the transmitter and press the associated button. Passive systems have been developed which automatically activate a vehicle system when the key fob is within a predefined distance of the vehicle. Commonly, passive systems provide an encrypted challenge/response two-way communication system to prevent unauthorized activation.
A relay attack scheme may allow an unauthorized attack to defeat the security. In such a two-way relay attack, a first attacker is located adjacent the vehicle while a second attacker follows the vehicle owner who has left the vicinity of the vehicle and is carrying the passive remote fob. The first attacker triggers the desired vehicle function such as unlock or start engine and receives the challenge signal from the vehicle. The first attacker captures the challenge signal with a scanner-type device and transmits the challenge signal to the second attacker. The second attacker receives the challenge signal from the first attacker and retransmits the challenge signal to the vehicle owner. The passive remote fob carried by the owner receives the vehicle challenge and responds with a proper response signal. The response signal is captured by the second attacker who then relays the signal back to the first attacker. The first attacker receives the response signal from the second attacker and retransmits the response signal to the vehicle. The first attacker then has access to the desired vehicle function. This sort of attack will defeat most encryption systems as the proper response signal is obtained from the true owner. Accordingly, it is desirable to provide a passive remote system which will defeat such a two-way relay attack.
SUMMARY OF THE INVENTION
The present invention provides a passive remote system which will defeat the two-way relay attack described above. Generally, the present invention defeats the two-way relay attack by determining the amount of delay between the challenge signal and the response signal. However, rather than simply measuring time of flight directly, the fob of the present invention utilizes the incoming wireless signal from the vehicle as its reference oscillator, upon which the frequency of the transmitted signal from the fob is based. Generally, by changing the frequency transmitted from the vehicle security system, the vehicle security system can determine how much delay there is between the change in the frequency of the challenge signal and the change in the frequency in the response signal from the fob. The vehicle security system accomplishes this by mixing its reference signal with a derivative of the signal received from the fob and evaluating the difference in frequency.
For example, the base signal in the vehicle security system is preferably a ramp oscillating signal, increasing in frequency. Because the fob utilizes the signal received from the vehicle security system as its reference signal, the signal from the fob is also increasing in frequency (although preferably at a much higher frequency). The vehicle security system then compares the signal received from the fob to its base signal (the ramp oscillator). The amount by which the frequency of the base ramp oscillator and the signal from the fob differ is representative of the delay from the time the signal is transmitted from the vehicle security system to the fob, through the circuitry in the fob, and back to the vehicle security system. If this error frequency exceeds a predetermined threshold, the delay is too great, identification fails and access to the vehicle is denied.
Preferably, the fob transmits at a frequency several orders of magnitude greater than that transmitted by the vehicle. Thus, the ramp oscillator signal received by the fob must be stepped up several orders of magnitude before being transmitted by the fob and stepped down several orders of magnitude before being compared by the vehicle security system. This introduces some minor delay, which can be accounted for. However, this introduces a much greater delay in the circuitry of the would-be attackers.
BRIEF DESCRIPTION OF THE DRAWINGS
The various features and advantages of this invention will become apparent to those skilled in the art from the following detailed description of the currently preferred embodiment. The drawings that accompany the detailed description can be briefly described as follows:
Figure 1 is a high level schematic of the passive remote entry system of the present invention, as implemented in a vehicle.
Figure 2 is an example of a more detailed schematic for implementing the passive remote entry system of the present invention.
Figure 3 is a graph illustrating the challenge and response signal of the passive remote entry system.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
The present invention provides a passive remote entry system 10 for a vehicle 12, shown generally in Figure 1. The passive remote entry system 10 includes a vehicle security system 14 installed on vehicle 12 and controlling access to and the operation of the vehicle 12 in a known manner, including operation of door latches, door locks, and the ignition and/or operation of the vehicle engine. The passive remote entry system 10 further includes a passive key fob 16 that is portable relative to the vehicle 12 and carried by the user. As in known passive remote entry systems, the present invention generally utilizes a challenge/response method for implementing passive remote entry. Generally, the vehicle security system 14 generates a wireless challenge signal, such as in response to attempted operation of a door latch, vehicle motion, or the detection of a presence near the vehicle. The wireless challenge signal is received by the fob 16, which in turn responds with a wireless response signal. If the proper response signal is received by the vehicle security system 14, identification is successful and access to the vehicle 12 is permitted. The vehicle security system 14 and fob 16 may use any of numerous known techniques, including encryption or rolling codes.
According to the present invention, to prevent relay attacks, the vehicle security system 14 evaluates the delay between the challenge signal that it transmitted and the response signal it received. This is accomplished by using the challenge signal from the vehicle security system as the reference oscillator for the response signal transmitted by the fob 16. By changing the frequency of the challenge signal and comparing the frequency of the challenge signal with the frequency of the response signal from the fob 16, the difference in frequency is representative of the delay between the challenge signal and the response signal.
Preferably, the passive remote entry system 10 of the present invention first utilizes a more typical challenge/response technique in which the vehicle security system 14 transmits an encrypted challenge signal, to which the fob 16 responds with an encrypted response signal, which is evaluated by the vehicle security system 14. If the proper response signal is received, then the passive remote entry system 10 subsequently proceeds with the evaluation of delay, in which the fob 16 then uses the challenge signal as a reference oscillator and the vehicle security system 14 compares the frequencies of the challenge signal and response signal.
Preferably, the challenge signals transmitted from the vehicle security system are low frequency, preferably less than one MHz, and preferably around 125 kHz. This reduces the range of the challenge signal to the area immediately adjacent the vehicle 12. The fob 16 preferably transmits the response signals at a frequency several orders of magnitude greater than that of the challenge signals. Preferably, the response signals are transmitted at a frequency greater than 100 MHz and more preferably at or around 315 MHz. Thus, for the fob 16 to use the challenge signal as a reference oscillator, the challenge signal is first stepped up several orders of magnitude. Similarly, before the vehicle security system 14 can compare the frequency of the response signal with the frequency of its reference oscillator, the frequency of the response signal must be stepped down several orders of magnitude. This introduces a slight delay from the circuitry in the fob 16 and vehicle security system 14, but one several orders of magnitude lower than the delay which would be introduced by the circuitry of the would-be relay attackers.
Sample circuits which could be utilized for the vehicle security system 14 and fob 16 of the present invention are shown schematically in Figure 2. The values shown in the schematic are for purposes of illustrating the preferred embodiment in which the challenge signal is transmitted at 125 kHz and the response signal is transmitted at 315 MHz. Of course, other values and other circuits could be utilized. The vehicle security system 14 includes a micro controller 20 which implements the rolling codes or encrypted codes and controls operation of the vehicle security system 14. A coded challenge signal is first sent from micro controller 20 to switch 22 to send an amplitude shift keyed code via the antenna 24 based upon a reference oscillator 26, which may be a voltage controlled oscillator. Initially, the oscillator 26 is operating at 125 kHz.
The 125 kHz signal is received by fob 16 on antenna 30 and amplified by buffers 32. The coded signal is then demodulated by detector 34 and sent to micro controller 36 which evaluates the code. The micro controller 36, using the same encryption or rolling code technique as the micro controller 20 in the vehicle security system 14, sends a proper coded response signal using amplitude shift keying on switch 38 which is connected to the oscillator 40 which is controlled by crystal 42. As controlled by the micro controller 36, a switch 43 connects the crystal-controlled oscillator 40 to the amplitude shift key switch 38. This high frequency signal from oscillator 40 is stepped down by frequency divider 44 prior to the amplitude shift keying by switch 38 and then transmitted via the antenna 46.
The 315 MHz amplitude shift key coded response signal transmitted from the antenna 46 on the fob 16 is received by the receiving antenna 50 on vehicle security system 14. A 9.509375 GHz crystal 52 controls oscillator 54 to provide an oscillating signal which is stepped down by frequency divider 56 to provide a 304.3 MHz signal which is mixed with the 315 MHz signal received from the fob 16 on antenna 15. Resulting 10.7 MHz signal 58 is buffered by buffers 60, and evaluated by micro controller 20. If the proper coded response signal is received by micro controller 20, then the micro controller 20 proceeds to an evaluation of the delay during a subsequent challenge and response signal, which may also use encryption or rolling codes. The micro controller 20 then controls voltage control oscillator 26 to provide a ramp oscillating signal, preferably centered around 125 kHz. The signal is transmitted by antenna 24 and received by antenna 30 of the fob 16. Micro controller 36 controls switch 43 to utilize the incoming signal on antenna 30 as the reference oscillator (rather than oscillator 40 with crystal 42). This low frequency signal, centered around 125 kHz, is stepped up by frequency multiplier 70, stepped down by frequency divider 44 and amplitude shift key modulated by switch 38 and micro controller 36 and transmitted by antenna 46. The oscillating signal from voltage-controlled oscillator 26 is amplitude shift key modulated by switch 22 in micro controller 20 and transmitted by antenna 24. Because the fob 16 is now using the received challenge signal (centered around 125 kHz) as its reference oscillator, the response signal from the fob 16 (centered around 215 MHz) changes accordingly. This response signal is received by antenna 50 on the vehicle system 14 and mixed down to 125 kHz. This signal is then mixed with the signal from the voltage controlled oscillator 26 by mixer 76.
The resulting signal is an error frequency 78, the frequency of which is equal to the difference between the frequency of voltage controlled oscillator 26 and that of the stepped down frequency of the response signal from the fob 16. This error frequency 78 is evaluated by micro controller 20 and/or additional hard-wired circuitry. If the error frequency 78 exceeds a predetermined threshold, then the delay between the challenge signal and response signal is determined to be too great, identification fails, and access is denied to the vehicle 12.
For example, if there were zero delay in the circuitry of the vehicle security system 14 and the fob 16 and zero delay between the two circuits, the stepped down frequency of the response signal would match the frequency of the voltage controlled oscillator 26 and the error frequency 78 would be zero (or dc). However, because the frequency of the voltage controlled oscillator 26 is increasing, delay between the challenge signal and response signal results in the frequency of the voltage controlled oscillator 26 being higher than that of the stepped down response signal at mixer 78, and thus a higher error frequency 78. This is illustrated in the graph of Figure 3. As can be seen in Figure 3, the frequency of the challenge signal increases over time (preferably, but not necessarily linearly). The slope of the response signal from the fob 16 (shown stepped down to the 125 kHz range) is the same as that of the challenge signal, although shifted to the right by the amount of delay, shown as delta t. What the present invention measures, however, is the error frequency, which, as can be seen, is directly representative of the delay, delta t. It is anticipated that delta t for a proper response signal from the fob 16 would be on the order of 100 ns, while the delta t for a relay attack signal would be on the order of several microseconds and would thus result in a much higher error frequency (depending upon the slope of the challenge signal).
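The relationship shown in Figure 3, worked numerically as an added example (not code from the patent): an ideal quadrature model of mixer 76 compares the ramping oscillator 26 with the stepped-down response, taken as the same ramp shifted by delta t, and the resulting error frequency is checked against a threshold. The ramp excursion and duration, sample rate, threshold, distances and all function names are assumptions; the page supplies only the 125 kHz centre frequency and the 100 ns and several-microsecond delay figures.

```python
import cmath
import math

# Assumed for this example; the page gives only the 125 kHz centre frequency.
F_CENTER = 125e3             # Hz, centre of the challenge ramp (from the page)
SWEEP_BW = 10e3              # Hz, ramp excursion (assumed)
SWEEP_T = 1e-3               # s, ramp duration (assumed)
SLOPE = SWEEP_BW / SWEEP_T   # Hz per second
FS = 4e6                     # Hz, simulation sample rate (assumed)
THRESHOLD_HZ = 10.0          # error-frequency limit (assumed; 1 us at this slope)
C = 299_792_458.0            # m/s, propagation speed


def ramp_phase(t):
    """Phase in radians of voltage controlled oscillator 26 on a linear ramp."""
    f_start = F_CENTER - SWEEP_BW / 2
    return 2 * math.pi * (f_start * t + 0.5 * SLOPE * t * t)


def path_delay(distance_m, circuit_s=100e-9, relay_s=0.0):
    """Delta t: round-trip propagation plus circuitry plus any relay latency."""
    return 2 * distance_m / C + circuit_s + relay_s


def error_frequency(delay_s):
    """Error frequency 78 in Hz for a response that arrives delay_s late."""
    n = int(SWEEP_T * FS)
    first = int(delay_s * FS) + 1      # no response has arrived before this
    rotation, prev = 0.0, None
    for i in range(first, n):
        t = i / FS
        # Low-pass mixer output in quadrature: live VCO phase minus the phase
        # of the stepped-down response, which is the VCO delayed by delta t.
        z = cmath.exp(1j * (ramp_phase(t) - ramp_phase(t - delay_s)))
        if prev is not None:
            rotation += cmath.phase(z * prev.conjugate())
        prev = z
    # With these assumed ramp values a 50 Hz beat turns only 0.05 cycle per
    # ramp, so the frequency is read from the phase slope, not cycle counts.
    return rotation / (2 * math.pi) * FS / (n - first - 1)


def identification_ok(delay_s):
    """Deny identification when the error frequency exceeds the threshold."""
    return error_frequency(delay_s) <= THRESHOLD_HZ


if __name__ == "__main__":
    # Constructed scenarios: fob 2 m away; fob 100 m away behind a 5 us relay.
    for label, dt in (("fob beside vehicle", path_delay(2.0)),
                      ("relayed fob", path_delay(100.0, relay_s=5e-6))):
        print(f"{label}: delta t = {dt * 1e9:.0f} ns, "
              f"error = {error_frequency(dt):.2f} Hz, "
              f"accepted = {identification_ok(dt)}")
```

The threshold is only meaningful relative to the ramp slope: a steeper ramp produces a larger error frequency for the same delta t.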
In accordance with the provisions of the patent statutes and jurisprudence, exemplary configurations described above are considered to represent a preferred embodiment of the invention. However, it should be noted that the invention can be practiced otherwise than as specifically illustrated and described without departing from its spirit or scope. Alphanumeric labels on method steps in the claims below are for convenience of reference by dependent claims, and do not signify a required order of performance of the method steps.

Claims

1. A method for providing remote wireless identification including the steps of: a) transmitting a wireless challenge signal; b) receiving the challenge signal; c) transmitting a wireless response signal in response to said step b); d) receiving said response signal; and e) evaluating a delay between said step a) and said step d).
2. The method of claim 1 further including the step of: f) denying identification based upon said step e).
3. The method of claim 1 further including the steps of: f) transmitting the wireless challenge signal at a challenge frequency in said step a); g) using the challenge signal challenge frequency as a reference frequency for a response frequency, wherein the response frequency is based upon the challenge frequency; and h) transmitting the wireless response signal in said step c) at the response frequency.
4. The method of claim 3 wherein the response frequency is a multiple of the challenge frequency.
5. The method of claim 4 further including the step of: h) changing the challenge frequency and the response frequency over time.
6. The method of claim 5 further including the step of increasing the challenge frequency and response frequency over time.
7. The method of claim 6 wherein said step e) further includes the step of evaluating a difference between the challenge frequency and response frequency to determine the delay.
8. The method of claim 7 wherein the challenge frequency is a low frequency.
9. The method of claim 8 wherein the challenge frequency is less than 1 MHz.
10. The method of claim 8 wherein the response frequency is at least one thousand times the challenge frequency.
11. A method for providing remote wireless identification including the steps of: a) transmitting a wireless challenge signal at a challenge frequency; b) changing the challenge frequency of the challenge signal during said step a); c) receiving the challenge signal; d) determining a response frequency based upon the challenge frequency using the challenge frequency as a reference; e) transmitting a wireless response signal at the response frequency in response to said step b).
12. The method of claim 11 wherein the response frequency is a multiple of the challenge frequency.
13. The method of claim 11 further including the step of: i) changing the challenge frequency and the response frequency over time.
14. The method of claim 13 further including the step of increasing the challenge frequency and response frequency over time.
15. The method of claim 14 further including the step of evaluating a difference between the challenge frequency and response frequency to determine a delay.
16. The method of claim 15 further including the step of denying identification based upon the delay exceeding a threshold.
17. A security system comprising:
A first transmitter and first receiver in a security system, said first transmitter sending a challenge signal at a challenge frequency;
A second transmitter and second receiver on a fob, portable relative to the security system, said second transmitter sending a response signal in response to the challenge signal, said second transmitter sending said response signal at a response frequency based upon said challenge frequency, using said challenge frequency as a reference oscillator.
PCT/US2000/027098 1999-10-01 2000-10-02 Relay attach detection of a secure vehicle command communication WO2001025060A2 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP00967230A EP1216172A2 (en) 1999-10-01 2000-10-02 Relay attack detection of a secure vehicle command communication
JP2001528027A JP2003512218A (en) 1999-10-01 2000-10-02 Relay Attack Detection for Secure Communication of Vehicle Commands

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US15706099P 1999-10-01 1999-10-01
US60/157,060 1999-10-01

Publications (3)

Publication Number Publication Date
WO2001025060A2 WO2001025060A2 (en) 2001-04-12
WO2001025060A3 WO2001025060A3 (en) 2001-12-27
WO2001025060A9 true WO2001025060A9 (en) 2002-10-03

Family

ID=22562201

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2000/027098 WO2001025060A2 (en) 1999-10-01 2000-10-02 Relay attach detection of a secure vehicle command communication

Country Status (3)

Country Link
EP (1) EP1216172A2 (en)
JP (1) JP2003512218A (en)
WO (1) WO2001025060A2 (en)

Also Published As

Publication number Publication date
WO2001025060A2 (en) 2001-04-12
EP1216172A2 (en) 2002-06-26
WO2001025060A3 (en) 2001-12-27
JP2003512218A (en) 2003-04-02

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): JP

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
AK Designated states

Kind code of ref document: A3

Designated state(s): JP

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE

WWE Wipo information: entry into national phase

Ref document number: 2000967230

Country of ref document: EP

ENP Entry into the national phase in:

Ref country code: JP

Ref document number: 2001 528027

Kind code of ref document: A

Format of ref document f/p: F

WWP Wipo information: published in national office

Ref document number: 2000967230

Country of ref document: EP

AK Designated states

Kind code of ref document: C2

Designated state(s): JP

AL Designated countries for regional patents

Kind code of ref document: C2

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE

COP Corrected version of pamphlet

Free format text: PAGES 1/2-2/2, DRAWINGS, REPLACED BY NEW PAGES 1/2-2/2; DUE TO LATE TRANSMITTAL BY THE RECEIVING OFFICE

WWW Wipo information: withdrawn in national office

Ref document number: 2000967230

Country of ref document: EP