Relay Attack Prevention Using a DS3/DS3+ or DS4/DS4+ System

VOXX Electronics | Blog
1.) The vehicle’s OEM key fob transmits a unique short-range RFID identification to control the vehicle.

2.) A thief with an RF amplification relay attack device picks up the OEM key fob transmission and relays the unique transmission to the thief at the vehicle.

3.) The thief at the vehicle, with the accompanying relay attack device, receives the relayed OEM key fob transmission and broadcasts the OEM key fob’s unique RF transmission to the vehicle.

4.) The thief at the vehicle is then able to unlock it, get in and start it, because the vehicle believes that the OEM key fob is in the vehicle, authorizing the start and control of the vehicle.

Although it is not possible to prevent thieves from accessing the interior of the vehicle using this relay attack method, we can, however, prevent them from starting the vehicle with this attack.

To prevent them from starting the car, there are a few important parts that we will cover:

PART 1 - Starter-Kill: To prevent the vehicle from being started using this relay attack method, a starter-kill interrupt must be wired into the application. A properly functioning starter-kill is the most important part of overcoming this attack. Without it, there is nothing that can be done to prevent thieves from starting the vehicle and driving off with it.

PART 2 - Aftermarket Remote or SmartStart Required: In most of our digital firmware solutions we enable the OEM key fob to control our system, which is convenient to the end user. In the context of relay attacks, however, this lets the attack disarm our system as well, which disengages the starter-kill. To prevent that from happening, we need to disable the OEM key fob’s ability to disarm our system, which requires the use of an aftermarket remote or SmartStart to control the system.

PART 3 - Configuring The System: When configuring the system, there are some important settings that will need to be checked or changed to ensure that the alarm cannot be easily overridden, that the starter-kill is enabled, and that the OEM key fob’s ability to disarm our system has been disabled.

When configuring your system, the following settings will be needed for prevention of relay attacks:

1.) In the Security Feature menu, set the Override pulse count setting to 5. (This is the default setting on all firmware versions on core 198.9 and higher, but if you are using any previous versions be sure to check this setting and change it accordingly).

2.) In the Security Features menu, make sure the Starter Kill Option is set to either Active or Passive. (On all firmware versions with core 198.9 and higher, when flashing for either Security Only or Remote Start + Security, the default setting will be set to Active, but if you are using any previous versions be sure to check this setting and change it accordingly).

3.) To disable the OEM key fob from controlling our system, there are 3 settings in the Data Sense Configuration menu that will need to be changed. The ‘Sense OEM unlock’, ‘Sense OEM lock’, and ‘Sense OEM trunk’ settings need to be Disabled. This will prevent a relay attack, because with these changes the OEM key fob will no longer control our system.

When these settings are configured in this fashion, the OEM key fob and the aftermarket system will work independently of each other. This lets the end-user decide when they want to use our system to prevent the possibility of these attacks. In situations where the end-user feels their vehicle is not at risk, they can simply arm and disarm the vehicle using the OEM key fob or door handle buttons on the exterior of the vehicle. When parking in an unsafe location, such as an airport or larger public area, they would arm and disarm the vehicle using the aftermarket remote or SmartStart device.

What if the end-user wants to have the 3X-Lock-Start option?

For the end-user to be able to use the 3X-Lock-Start function, set the ‘Sense OEM lock’ option to Enabled. This will allow our system to monitor the lock messages from the OEM key fob to allow activation of remote start with the 3X-Lock-Start function. However, this now means the OEM key fob and our system are not completely independent of each other. Anytime the OEM key fob lock message occurs, it will lock and arm both the vehicle and our system. In this configuration, the aftermarket remote or SmartStart must always be used to unlock the vehicle and disarm our system.
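
The effect of the settings above and of the 3X-Lock-Start variant, as an added example that is not VOXX code or firmware logic: a simplified model that checks whether OEM messages produced by a relayed key fob can release the starter-kill. The class names, event names, the "Off" starter-kill value and the trunk-disarms behaviour are assumptions made for illustration.

```python
from dataclasses import dataclass

# Simplified model (assumption): setting names follow the article, but the
# event handling is an illustration, not the product's firmware logic.
@dataclass
class Config:
    starter_kill: str = "Active"   # "Active" or "Passive"; "Off" is an assumed label
    sense_oem_unlock: bool = True
    sense_oem_lock: bool = True
    sense_oem_trunk: bool = True

class AftermarketSystem:
    def __init__(self, config):
        self.config = config
        self.armed = False

    def handle(self, event):
        """Process one event; OEM events count only if their Sense setting is on."""
        c = self.config
        if event == "remote_arm" or (event == "oem_lock" and c.sense_oem_lock):
            self.armed = True
        elif event == "remote_disarm" or (event == "oem_unlock" and c.sense_oem_unlock):
            self.armed = False
        elif event == "oem_trunk" and c.sense_oem_trunk:
            self.armed = False     # assumption: a sensed trunk release disarms

    def start_allowed(self):
        """The starter-kill interrupts the starter while the system is armed."""
        kill_enabled = self.config.starter_kill in ("Active", "Passive")
        return not (kill_enabled and self.armed)

def relay_attack_starts_vehicle(config):
    """Owner arms with the aftermarket remote, then a relayed OEM fob produces
    one OEM message. True if any such message leaves the starter usable."""
    for msg in ("oem_unlock", "oem_lock", "oem_trunk"):
        system = AftermarketSystem(config)
        system.handle("remote_arm")
        system.handle(msg)
        if system.start_allowed():
            return True
    return False

# Constructed sample configurations
CONVENIENCE = Config()                              # OEM fob controls the system
HARDENED = Config("Active", False, False, False)    # settings 1-3 from the article
THREE_X_LOCK = Config("Active", False, True, False) # 'Sense OEM lock' re-enabled
NO_KILL = Config("Off", False, False, False)        # starter-kill not enabled

if __name__ == "__main__":
    for name in ("CONVENIENCE", "HARDENED", "THREE_X_LOCK", "NO_KILL"):
        print(name, relay_attack_starts_vehicle(globals()[name]))
```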