Fusing Layers

A couple of weeks ago I posted on authentication and how important it was from a security standpoint. One example (other than GNSS) is car entry / access. Today all cars are opened / closed wirelessly. The older ones require a press of a button on a key fob, the newer ones are "automatic" in the sense that it is enough that the key fob is close to the car. A digital handshake takes place and the door is opened.

The automatic key fobs have one drawback though... they do not require any explicit action (such as a press of a button) - that is the whole purpose of this system. This opens an interesting vulnerability: a thief may bring an "amplifier" that will amplify the signals between the fob and the car, making them both "think" they are close to each other... and voilà: the car unlocks. You can see how easy that is in this video: one guy brings the signal booster close to the window and the key fob (that probably lies somewhere on the kitchen table) is brought "in range" of the car.

The number of thefts using this technique is increasing, and even the most prominent brands are vulnerable.

And probably the only protection against this form of relay attack is to precisely measure the time that the radio signals take to travel back and forth. This is called time-of-flight.

ToF is inherently a property of a very low layer - present at the radio link. Layers higher up the protocol stack often do not care what the low layers do, and to some extent this is the essence of a layered architecture: it allows layers to be interchangeable.

But sometimes fusing the layers is the only way to solve a particular problem, such as this relayed message attack. The car should unlock only if the digital handshake is validated AND the time of flight of the signal there and back is within an acceptable range.
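The fused check described above, as an added sketch that is not part of the original post: the car accepts a fob only when the handshake verifies and the measured round trip fits inside the unlock radius. The HMAC-SHA256 handshake, the 2 m radius, the fixed fob turnaround time and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

C = 299_792_458.0         # speed of light in m/s
FOB_TURNAROUND_S = 1e-6   # assumed: fixed, known processing delay inside the fob
MAX_DISTANCE_M = 2.0      # assumed: fob must be within 2 m of the car

def fob_response(key, challenge):
    """Upper layer: the fob proves it holds the shared key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def distance_from_rtt(rtt_s):
    """Radio layer: convert a measured round-trip time into a one-way distance."""
    return C * (rtt_s - FOB_TURNAROUND_S) / 2.0

def should_unlock(key, challenge, response, rtt_s):
    """Fused decision: valid handshake AND time of flight within range."""
    if not hmac.compare_digest(fob_response(key, challenge), response):
        return False, "bad handshake"
    distance = distance_from_rtt(rtt_s)
    # A negative distance means the reply came back faster than physics allows.
    if distance < 0 or distance > MAX_DISTANCE_M:
        return False, "time of flight out of range"
    return True, "unlock"

def simulated_rtt(distance_m, relay_delay_s=0.0):
    """Constructed sample input: RTT seen by the car for a fob at distance_m."""
    return 2 * distance_m / C + FOB_TURNAROUND_S + relay_delay_s

def demo():
    key, challenge = os.urandom(32), os.urandom(16)
    genuine = fob_response(key, challenge)
    return {
        # Owner standing at the door with the real fob.
        "owner_at_door": should_unlock(key, challenge, genuine, simulated_rtt(1.0)),
        # Real fob 30 m away, signal relayed with 200 ns of added latency:
        # the handshake is valid, only the timing gives it away.
        "relayed": should_unlock(key, challenge, genuine, simulated_rtt(30.0, 200e-9)),
        # Device next to the car that does not hold the key.
        "forged": should_unlock(key, challenge, os.urandom(32), simulated_rtt(1.0)),
    }

if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case}: {'UNLOCK' if ok else 'DENY'} ({reason})")
```

With a 2 m radius the whole round trip over the air is about 13 ns, so the measurement needs nanosecond-level accuracy, which only the radio layer can provide.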
