Once the door was unlocked, the researchers would bring the first antenna inside the vehicle and either press the brake pedal or the start engine button, to cause the car to send a 'start engine' message to the key. The key would then respond with a command to start the car in each case, the researchers said.
Two sets of tests were conducted. In one, the researchers linked the two antennas using standard co-axial cables; in the second, the antennas were linked wirelessly.
They said the tests demonstrated more than just a theoretical threat. For example, the equipment used for the test could be used in a parking lot to steal keyless-enabled vehicles.
In this scenario, the attackers could place one relay antenna close to a corridor, a payment machine, or an elevator, the researchers said. When a user parks and leaves a car with a keyless system, an attacker could quickly place a second antenna at the door handle of the vehicle. This antenna would then begin communicating with the previously placed relay antenna.
"When the car owner passes in front of this second antenna with his key in the pocket, the key will receive the signals from the car and will send the 'open' command to the car," the researchers said. "Once that the attacker has access to the car, the signals from within the car are relayed and the key will now believe it is inside the car and emit the 'allow start' message," they said.
One immediate countermeasure that drivers can take is to put their keys within a protective metallic envelope to prevent them from emitting signals.
Removing the battery from the key fob can also disable the active wireless communications, the paper noted. It also discussed hardware and software modifications that manufacturers can make to mitigate the threat.