The Invisible Key: Understanding Keyless Entry Relay Attacks

We love convenience. The ability to walk up to your car, pull the handle, and hop in without ever taking the keys out of your pocket feels like magic. But like most technological magic, it relies on a specific set of rules—and if you know those rules, you can bend them.
Recently, I decided to test the security of my own vehicle's keyless entry system. Using a Software Defined Radio (SDR) and a Raspberry Pi hooked up via its GPIO pins, I successfully executed a proof-of-concept relay attack. I managed to capture the key fob's signal and relay it, unlocking my car without the physical key present.
While it sounds like a scene out of a heist movie, the underlying mechanics are surprisingly straightforward. Here is how these attacks work, why they are so prevalent, and most importantly, how you can protect your vehicle.
The Mechanics of a Relay Attack
Traditional keyless entry systems rely on radio frequencies to communicate. When you touch your car's door handle, the car sends out a low-frequency (LF) signal looking for the key fob. If the fob is close enough, it hears this signal and responds with a high-frequency (HF) authorization code.
A relay attack exploits the car's inability to determine the true distance of the key fob. It simply tricks the car into thinking the key is right next to the door by "extending" the radio range.
How the Attack Flows:
- The Car-Side Node: An attacker stands next to the car and pulls the handle, prompting the car to send its "Where is the key?" signal.
- The Relay: A device captures this signal and transmits it over a longer distance (Wi-Fi or long-range radio) to a second device.
- The Fob-Side Node: This second device is placed near where the keys are likely kept (e.g., a front door or a pocket in a cafe). It broadcasts the signal to the key fob.
- The Response: The key fob, thinking the car is right there, transmits its authorization code. This code is relayed back to the car-side node.
- Access Granted: The car verifies the code and unlocks.
The Hardware Setup: RTL-SDR and rpitx
To handle the two-way communication required for this research, I utilized a modular hardware stack centered around the Raspberry Pi.
Technical Setup:
- Compute Node: Raspberry Pi 4 Model B — The "brain" of the operation.
- Signal Capture (RX): Nooelec NESDR Smart v5 — A community-standard RTL-SDR for stable signal analysis.
- Signal Emulation (TX): The rpitx library — Software-defined transmission via GPIO Pin 4.
By combining these, the Pi acts as a "digital bridge"—receiving a signal on the SDR and re-broadcasting it via the GPIO pin.
⚠️ Warning: Never transmit with rpitx without a band-pass filter.
How to Defend Against Relay Attacks
The good news is that preventing a relay attack is entirely possible with a few simple habit changes and technological upgrades:
- Faraday Pouches: The most cost-effective solution. These pouches are lined with conductive material that blocks all radio signals.
- Signal Time-out: Check if your key fob has a "motion sensor." Many modern fobs stop broadcasting if they haven't moved for several minutes.
- Physical Deterrents: A steering wheel lock doesn't stop the signal, but it prevents the car from being driven away even if the doors are unlocked.
- Ultra-Wideband (UWB): Newer vehicles use UWB technology, which measures the "Time of Flight" of the signal. If the signal takes too long to travel (because it's being relayed), the car will reject the entry.
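The time-of-flight check in the UWB item above, as an added example that is not part of the original post: a simplified Python model in which the car rejects a cryptographically valid response when the round-trip time implies the fob is too far away. The function names, the 2 m threshold, and the fob's fixed turnaround delay are assumptions chosen for illustration.

```python
from dataclasses import dataclass

C_M_PER_NS = 0.299792458  # speed of light in metres per nanosecond


@dataclass
class Exchange:
    """Timestamps the car records for one challenge/response (constructed model)."""
    sent_ns: float          # car transmits the challenge
    received_ns: float      # car receives the fob's response
    turnaround_ns: float    # fob's fixed reply delay, assumed known to the car
    code_valid: bool        # result of the normal cryptographic check


def estimated_distance_m(ex: Exchange) -> float:
    """Convert the round-trip time into an upper bound on the fob's distance."""
    flight_ns = (ex.received_ns - ex.sent_ns) - ex.turnaround_ns
    if flight_ns < 0:
        raise ValueError("response arrived before the fob could have replied")
    return flight_ns * C_M_PER_NS / 2  # halve: the signal travels out and back


def should_unlock(ex: Exchange, max_distance_m: float = 2.0) -> bool:
    """Unlock only if the code is valid AND the fob is measurably close."""
    return ex.code_valid and estimated_distance_m(ex) <= max_distance_m


def simulate(distance_m: float, relay_delay_ns: float = 0.0,
             turnaround_ns: float = 100_000.0) -> Exchange:
    """Build constructed sample timestamps for a fob at a given true distance."""
    flight_ns = 2 * distance_m / C_M_PER_NS
    return Exchange(0.0, turnaround_ns + flight_ns + relay_delay_ns,
                    turnaround_ns, code_valid=True)


if __name__ == "__main__":
    cases = {
        "fob in pocket, 1 m": simulate(1.0),
        "fob 30 m away, relay adds 500 ns": simulate(30.0, relay_delay_ns=500.0),
        "fob 30 m away, ideal zero-delay relay": simulate(30.0),
    }
    for label, ex in cases.items():
        print(f"{label}: {estimated_distance_m(ex):.1f} m -> unlock={should_unlock(ex)}")
```

In all three cases the authorization code is valid; only the timing separates the nearby fob from the relayed one. Real UWB ranging also has to protect the timing pulses themselves against manipulation, which this model does not cover.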
Further Reading
If you enjoyed the hardware aspect of this post and want to learn more about bridging the gap between containerized software and physical pins, check out my technical guide:
- Hardware in Containers: Accessing Raspberry Pi GPIO Pins with Docker – A deep dive into safely exposing your Pi's hardware to Docker containers for more robust IoT deployments.


