Block the Car Door Relay Hack with a Faraday Cage

Is your car door safe from electronic hackers? If you’ve seen the news lately (Wired; New York Times), you might be worried that bad guys are now able to steal the electronic codes you car key sends when it unlocks your car from a distance using your remote. Or in some cases, even when you don’t press the button on the remote, but when you use your car’s keyless entry system.

But all is not lost. In fact, to prevent the proximity keyless entry exploit, in which a bad guy can — theoretically, anyway — use your car key to unlock your door even if it’s not right next to your car as it is supposed to be, all you really need is a metal box.

The keyless entry hack, called a “relay” hack, is postulated to work by boosting the signal between your car and its key. Normally, when your key is more than a foot or two from your car, the radio signal the car uses to activate the key is too weak, and the keyless feature won’t work. But if there’s a specialized signal amplifier between your car and the key — or, as some people theorize, two amplifiers, one near the key and one near the house — the car can be tricked into thinking the key is next to it, and it will unlock.

Here’s how to thwart this attack: Just put the key in a metal box so the hacker’s booster can’t communicate with it. Technically you’re putting it in a Faraday cage, a box through which the necessary radio signals can’t penetrate.

We made a Faraday cage with aluminum foil and a small box. It worked well. With the key in the box, the touch-to-open access of the car did not work at all.

A prettier solution

But our tinfoil box was really ugly, so we tried other metal boxes. First, a cookie tin. Then an Altoids box. Both of them blocked the signal when they were a foot or more from the car, but not 100% of the time when held right next to them. We also tried making a box out of a more attractive copper metal mesh. That worked better than the tin boxes: It blocked the signal most of the time when the key was in the box right next to the car, and all the time from more than about 1.5 feet out.

In other words, our ugly foil box was the best blocker for the relay attack, while tins and copper mesh boxes blocked the signal considerably, but not completely.

By the way, science and radio engineering tells us that if you want to make your own Faraday cage, you want to use a highly conductive metal, like copper or aluminum (but not anodized aluminum). If you use a mesh, make sure the holes are smaller than 1/10 the wavelength of the signal. In North America and Japan, car remotes transmit at 315 megahertz, which is a wavelength of about .95 meters, so a mesh with holes smaller than 9.5 centimeters should work. Other countries use key fobs that work at 433.92 MHz, for a wavelength of .69 meters, so holes under 7cm are what you’re looking for. Those are pretty big holes. In our mesh box they were a lot smaller.

And the one thing you must do when making a Faraday enclosure for your key is to make sure the box closes. Otherwise, the radio signal will get in, and the relay exploit could still work.

Science notwithstanding, our experience tells us your best protection against the relay attack is to line a box with aluminum foil. It’s more reliable, even though a nice mesh box probably works well enough and certainly looks cooler.

Only one kind of protection

The Faraday cage protects against the Relay Hack attack on keyless entry systems, in which you touch the car door handle to unlock the car while the key stays in your pocket or purse.

The other theoretical hack is called RollJam, and it works by stealing the coded unlock command your key sends to your car when you actively press its unlock button. For this attack, a Faraday box won’t help. If your car can receive the signals, then so can an attacker’s device, and that’s when you can get compromised.

But if you’re paying attention, you might at least notice that an attack could be underway. If you press your remote and the car doesn’t unlock the first time, but does the second time, there is the possibility that your code was just stolen. RollJam works by stealing your code and then jamming the signal so your car doesn’t unlock the first time, but it does the second time. So if you never press the unlock button on your remote, RollJam won’t work. Yes, that means you might want to use the physical key part of your key fob… if you have one. Be sure to read Anatomy of the RollJam Wireless Car Hack for more on this attack.