The Journal of Supercomputing

https://doi.org/10.1007/s11227-019-03049-4

Securing smart vehicles from relay attacks using machine

learning

Usman Ahmad1 · Hong Song1 · Awais Bilal1 · Mamoun Alazab2 ·

Alireza Jolfaei3

© Springer Science+Business Media, LLC, part of Springer Nature 2019

Abstract
Due to the rapid developments in intelligent transportation systems, modern vehicles
have turned into intelligent transportation means which are able to exchange data
through various communication protocols. Today’s vehicles portray best example of
a cyber-physical system because of their integration of computational components
and physical systems. As the IoT and data remain intrinsically linked together, the
evolving nature of the transportation network comes with a risk of virtual vehicle
hijacking. In this paper, we propose a combination of machine learning techniques
to mitigate the relay attacks on Passive Keyless Entry and Start (PKES) systems.
The proposed algorithm uses a set of key fob features that accurately profiles the
PKES system and a set of driving features to identify the driver. First relay attack
detection is performed, and if a relay attack is not detected, the vehicle is unlocked
and algorithm proceeds to gain the driving features and use neural networks to iden-
tify whether the current driver is whom he/she claims to be. To assess the machine
learning model, we compared the decision tree, SVM, and KNN method using a
three-month log of a PKES system. Our test results confirm the effectiveness of the
proposed method in recognizing relayed messages. The proposed methods achieve
99.8% accuracy rate. We used a Long Short-Term Memory recurrent neural net-
work for driver identification based on the real-world driving data, which are col-
lected from a driver who drives the vehicles on several routes in real-world traffic
conditions.

Keywords Machine learning · Neural networks · PKES · Relay attacks · Driver

identification · Security

* Alireza Jolfaei
[email protected]
Extended author information available on the last page of the article

13
Vol.:(0123456789)
 U. Ahmad et al.

1 Introduction

A cyber-physical system (CPS) refers to tightly coupled computational compo-

nents and physical systems, enabling humans with advanced capabilities to man-
age and interact with physical world. CPS application areas are not only limited
to the power, industry, and health care, but have also included automobile sec-
tor. Today, most of the research that is being conducted in automotive domain
is in electronics and software, rather than in mechanical engineering. Therefore,
automotive cyber-physical systems have transformed cars from electro-mechani-
cal units into advanced and modern means of transport offering safety, security,
efficiency, and convenience. Automotive cyber-physical systems in modern high-
end cars are complex, hosting multiple electronic control units (ECU), millions
of lines of code and internal networks connecting sensors with control units and
actuators. However, this correlation between cyber and physical world also poses
new security challenges. Since attacks in cyber world can have devastating effects
in the physical world, ensuring security in automotive cyber-physical systems is
important to provide availability, reliability, and dependability.
Modern vehicles contain new connected technologies that aim to provide
improved fuel economy, safety features, and seamless connected experience.
Despite the benefits of such technologies, vehicle’s increasing autonomy and con-
nectivity carry new cyber threats. Recently, the national highway traffic safety
administration and the department of transportation, and the Federal Bureau of
Investigation (FBI) jointly released a report about the increasing graph of vulner-
abilities in the modern vehicles with respect to remote exploits [1]. Locking the
car doors, disabling the brake system, and shutting down the engine are examples
of vehicle’s security attacks [2]. The hackers only need to be within the proximity
range of the vehicle’s communications to implement their attacks.
Waraksa et al. introduced the concept of PKES [3], and the algorithm was first
used by Mercedes-Benz [4]. Since then, many car manufacturers have employed
similar PK systems. Despite the comfort of PKES, it is prone to man-in-the-
middle attacks [5, 6]. People, who have the PKES system in their vehicles, have
started keeping their key fobs in faraday cages or freezers to protect it from relay
attacks. The thieves use inexpensive power amplifiers (which could cost less than
15 USD) to relay the signals and break into the vehicles. Figure 1 shows such
attacks. The main reason for the success of relay attacks is that PKES systems

Fig. 1  Relay attack on a PKES system

13
Securing smart vehicles from relay attacks using machine…

only verify the proximity of key fob rather than the physical location of the key
fob.
A large number of cryptographic and authentication techniques have been pro-
posed to encrypt the communication between the key fob and vehicle to authenticate
the key fob. However, the PKES system is still vulnerable to relay attack because
the attackers do not need to decrypt or modify the communication. In fact, they just
boost the communication signal between the vehicle and key fob to ultra-high fre-
quency. Moreover, computationally strong encryption or decryption can be very
resource- and time-consuming [7, 8], which is an important concern in a real-time
transportation system [9]. The past literature also shows other solutions such as dis-
tance bounding protocols [10] and location-based authentication mechanism [11].
The location-based authentication mechanism does not protect against the relay
attack, because the attackers can still relay the real key fob data.
This paper proposes a double security layer. Firstly, we protect the PKES system
from well-known relay attacks using key fob features. Secondly, we complement the
method by adding a driver identification mechanism which uses driving behavior/
features. We extract a set of key fob features and driving features. Key fob features
include time, date, location, type of day, elapsed time, key fob acceleration, and sig-
nal strength. Driving features include accelerator pedal positions, brake pedal posi-
tions, and following distance. The proposed security layer employs machine learn-
ing techniques to identify whether a key fob signal follows the pattern of relayed
signals. To improve the rate of detection accuracy, we used tenfold cross-validation.
We compared the performance of three well-known algorithms of machine learning,
including the decision tree, support vector machine (SVM), and k-nearest neighbors
(KNN) with respect to training time, prediction time, accuracy rate, and confusion
matrix. We tested our method using a three-month log of a PKES system. If a relay
attack is not detected, the vehicle is unlocked, and the algorithm proceeds to gain
the driving features. The algorithm uses neural networks to identify whether the cur-
rent driver is who they claim to be. We used the LSTM recurrent neural network for
driver identification based on the real-world driving data which are collected from a
driver who drives the vehicles on 12 routes in real-world traffic conditions. Figure 2
demonstrates the block diagram of our proposed solution. Our driver identification
solution even works, if a robber snatches the car by threat of force or terrifying the
driver.

Fig. 2  Block diagram of the proposed solution

13
 U. Ahmad et al.

The remainder of the paper is organized as follows: Section 2 reviews the related
work. Section 3 describes the methodology of the proposed solution. Section 4
assesses our solution and shows the comparative analysis of machine learning and
neural network model. Section 5 illustrates the experimental setup using real-world
data. Finally, Sect. 6 concludes the paper.

2 Related work

The recent increase in thefts of smart vehicles [12] has raised demands for more
secure PKES systems. Vehicle manufacturers and insurances companies require
secure systems to decrease theft rates. In [13], Miller and Valasek highlighted sev-
eral security vulnerabilities [14], and as a proof of concept, they performed vari-
ous remote attacks against the 2014 Jeep Cherokee. In [15, 16], the authors dem-
onstrated the relay attack on a PKES system by amplifying the low-frequency radio
signals between the key fob and vehicle.
In [10], the authors proposed the distance bounding protocols, which calculate
the distance between the key fob and vehicle by measuring the round trip and the
time of flight of the signal. Asmar et al. [11] developed a location-based authentica-
tion mechanism for the PKES system, which continuously determines the location
of the key fob after the vehicle is unlocked and on the move. But this solution does
not protect against the relay attack, because the attackers can still relay the real key
fob data. In [17], Guan et al. used hardware-based encryption method transactional
memory to encrypt the communication. Guan et al.’s method continuously monitors
and protects the encryption key [18] from any malicious program that tries to access
it. In [11, 19–21], to prevent man-in-the-middle attacks, the use of cryptographic
solutions was suggested. However, computationally strong encryption or decryption
can be very resource- and time-consuming, which is an important concern in a real-
time transportation system [22–24].
The study of the literature shows that machine learning and deep learning have
extensively been used for securing the key fob communications. In [25], the author
used the fuzzy-based machine learning system to learn the good and bad signal
behavior. In [26], the author used an active machine learning approach to improve
the performance by reducing the false positive rates for on-road vehicle recogni-
tion and tracking. In [27], the authors proposed a framework using machine learn-
ing based on a set of security features that accurately profile the PKES system and
identify irregular PKES behavior. The log of IoT devices as a dataset for the imple-
mentation of machine learning and neural networks and for prediction is an useful
method.
In [28], the authors proposed a driver identification algorithm based on the prin-
cipal component analysis (PCA) approach, using lateral and longitudinal accelera-
tions. In [29], the authors proposed a solution for real-time driver identification
using a combination of unsupervised anomaly detection and neural networks. In
[30], the authors developed an online status-aware solution for driver identification
based on unlabeled data named SafeDrive.

13
Securing smart vehicles from relay attacks using machine…

3 Methodology

The proposed solution can be divided into two consecutive stages, as shown in
Fig. 3: relay attack detection on a PKES system based on supervised machine learn-
ing model and driving behavior identification using neural networks. Firstly, relay
attack on PKES is detected on the seven key fob security features (KF) includ-
ing time, date, location, type of day, elapsed time, key fob acceleration, and sig-
nal strength, to detect irregular key fob behavior. If a relay attack is detected, the

Fig. 3  Flow chart of proposed solution

13
 U. Ahmad et al.

Table 1  Key fob features (KF)

Feature Description

Location Location of key fob when transmitting the unlock signal

Time Time at which the key fob sends the unlock signal
Date Date at which the key fob sends the unlock signal
Type of day Indicates weekend or working day
Elapsed time Elapsed time since the occurrence of last unlock action
Signal strength Strength of the key fob signal
Key fob acceleration Indicates that the driver is moving while unlock signal is transmitted

Table 2  Driving features (DF)

Feature Description

Acceleration Change in accelerator pedals position (0 to 10 level)

Breaking Change in brake pedals position (0 to 10 level)
Following distance Following distance from the very next vehicle (meters)

algorithm does not unlock the vehicle and generate an alarm, else, proceeds to driver
identification. The neural network model is then built to identify the driver’s behav-
ior using three driving features (DF): acceleration, brake, and following distance.
The classification and regression tree (CART) is a powerful machine learning
model for both classification and regression [31]. We used an optimized version of
the CART algorithm using key fob security features to detect the abnormal behavior
of key fob. We have used the LSTM recurrent neural network, a variance of neural
networks introduced by Hochreiter et al. [32], for driver identification. We choose a
recurrent neural network because it performs better on sequential data as we have a
sequential dataset of acceleration, brake, and following distance.

3.1 Security features

We extract two types of security features: key fob features and driving features as
summarized in Tables 1 and 2, respectively.

3.1.1 Key fob security features

Two key fob security features: key fob acceleration and location, are embedded in
the PKES response message, and they are transmitted with the unlock code. The
rest of the five features including time, date, type of day, elapsed time, and signal
strength are obtained from vehicle’s ECU. The key fob security features used in pro-
filing the normal behavior are outlined below:

13
Securing smart vehicles from relay attacks using machine…

Key fob acceleration (KF1 ) It is the most significant attribute to detect the relay
attack. For example, if the key fob is on the office table, then its acceleration rate
must be zero. In such a case, the vehicle must not be unlocked. If the key fob accel-
eration rate was not zero, it would imply the driver is moving toward the vehicle. We
define KF1 = {1, 0} as the key fob is accelerating or not, respectively.
Signal strength (KF2 ) This feature represents the strength of the key fob signal.
A significant change in the signal strength could potentially indicate relay attacks
because the signal transmitted by the relay device would normally have a higher or
lower signal strength compared to the original key fob signal that is transmitted from
a proximity range. Thus, the signal strength must be within a certain range, and any
out-of-range deviation could point to potential relay attacks. We represent the signal
strength using the set {0, 1, 2}, where 0, 1, and 2 denote low, normal, and strong,
respectively.
Location (KF3 ) This attribute determines the current location of the key fob while
transmitting the unlock signal. This attribute ensures that the key fob is near the
vehicle. We define KF3 = {0, 1}, where 1 and 0 denote that the key fob is near the
vehicle or not, respectively.
Time (KF4 ), date (KF5 ) and day of unlock action (KF6 ) These attributes state
the time, the date, and the day at which the unlock signal is transmitted from the
key fob. The time of unlocking can be at any time. When we add the feature of the
day with the time, it becomes more meaningful. This is mainly because the time of
unlocking is strongly correlated with the working hours of the driver. For example,
the unlocking habits are normally different on weekdays and weekends. Moreover,
the attribute of date will enhance the learning performance during the holidays. For
the time KF4, 24 values are labeled for representing hours as {1, 2, 3, … , 23, 24}.
For the date KF5, there are two categories {1, 0} which denote holiday and workday.
For the type of day KF6, we have seven days in a week {1, 2, 3, 4, 5, 6, 7} as Monday,
Tuesday, Wednesday, Thursday, Friday, Saturday, and Sunday, respectively.
Elapsed time since the occurrence of last action (KF7 ) This feature states the time
passed since the happening of an unlock action and determines the frequency of the
action. It is used to assess whether there is any significant change in the regularity
of an unlock action. For the elapsed time KF7, we classify it into four categories
{1, 2, 3, 4} which denote less than 8 hours (office timing), less than a day, less than
three days, and less than one week, respectively.

3.1.2 Driving security features

Classification of driving behaviors based on driving features has been studied using
various statistical and computing models [29, 30]. Automatic driver’s behavior can be
detected whether a vehicle has been attacked. A change in accelerator pedals positions,
brake, and steering wheel control indicates a shift in driving patterns which deviate
from normal driving behavior. Different vehicle manufacturers use differing CAN-BUS
models and protocols, and thus, it is not easy to collect the driving features data. Hence,
we construct our model based on such attributes that can be collected from almost
any kind of vehicles and they are directly influenced by driving behaviors. We extract
three driving features: acceleration, brake, and following distance, as listed in Table 2.

13
 U. Ahmad et al.

Acceleration and brake pedal positions are digitized to 0 to 10 levels, such that 10 cor-
responded to full acceleration or completely braked position. The distance from the
very next vehicle is calculated in meters.

3.2 CART algorithm

The CART algorithm constructs binary trees using the feature and thresholds that yield
the largest information gain at each node. The information gain is based on the decrease
in entropy after a dataset is split on a feature. For a training vector X = [x1 , x2 , … , xn ]t
and a label vector Y = [y1 , y2 , … , yl ]t, where for (1 ≤ i ≤ n) and (1 ≤ j ≤ l), xi and yj
belong to ℝ. Given training vectors and their corresponding label vectors, a decision
tree recursively partitions the space, such that samples with the same labels are grouped
together. Let Q denote the data at node m. For each candidate split 𝜃 = (j, tm ), where j
represents a feature and tm denotes a threshold, the data are partitioned into Qleft (𝜃) and
Qright (𝜃) subsets as below:

Qleft (𝜃) ={(x, y)|xj ≤ tm , y ∈ Rl }, (1)

Qright (𝜃) = Q ⧵ Qleft (𝜃). (2)

The impurity of node m is computed using the impurity function H(⋅), the choice of
which depends on the task being solved (classification or regression) and in our case
it is classification
nleft nright
G(Q, 𝜃) = H(Qleft (𝜃)) + H(Qright (𝜃)). (3)
Nm Nm
To select the parameters that minimize the impurity,
𝜃 ∗ = argmin𝜃 G(Q, 𝜃). (4)
The subsets Qleft (𝜃 ) and Qright (𝜃 ) are recursed until the maximum allowable depth
∗ ∗

is reached, that is, Nm < minsamples or Nm = 1.

Node m denotes a region Rm with Nm observations. In node m, the proportion of
training observations in the mth region that are from the kth class is

1 ∑
pmk = I(yi ), (5)
Nm x ∈R
i m

where I(yi = k) = 1 and I(yi ≠ k) = 0.

The impurity function H(Xm ) is a measure of total variance across the K classes,
defined as
K
∑
H(Xm ) = pmk (1 − pmk ), (6)
k=1

13
Securing smart vehicles from relay attacks using machine…

where Xm is the training data in node m. A small value of H(Xm ) shows that node m
contains predominantly observations from a single class.
The cross entropy is given by
K
∑
H(Xm ) = − pmk log(pmk ). (7)
k=1

The misclassification rate in node m is computed as

E(Xm ) = 1 − max{pmk }, (8)

m

where Xm is the training data in node m.

4 Experiments and evaluation

We used the Python programming language for machine learning and neural net-
works implementations. The decision tree is designed and trained by using scikit-
learn-based machine learning library. The LSTM recurrent neural network is
designed and trained in Keras, a TensorFlow-based deep learning library. Decision
tree graph is generated on the dataset of key fob features, as shown in Fig. 4. We
compared the decision tree algorithm with well-known machine learning algo-
rithms, including SVM and KNN with respect to accuracy rate, confusion matrix,
training time, and prediction time. We used k-fold cross-validation for generating
independent datasets to evaluate the decision tree results.

4.1 Data collection

The observed features can be categorized into two groups: 1) key fob features:
KF1 , KF2 , KF3 , … , KF7; 2) driving features: DF1 , DF2 , and DF3. The features were
collected using the Toyota Prius. The key fob dataset contains 500 records which are
derived from a three-month log of PKES system. The driving dataset consists of 12
driving trips of 5 minutes from a driver where each trip comprises approximately
300 records, so the total observations are 3600. We have preprocessed the driving
dataset to create time series of input data that represent driving behaviors over 1 sec.
to enhance the classification capability. The line graph of an example of the accel-
erator and brake pedal position of a 5-min (300 s) vehicle’s trip is shown in Fig. 5.

4.2 Machine learning results

We used 80% of the key fob dataset for training and the rest of it for testing. Figure 6
shows a comparison of the relay attack detection accuracy rate of the decision tree,
SVM, and KNN.

13
 U. Ahmad et al.

Fig. 4  Decision tree graph

4.2.1 Train/test split

Figure 6 compares the detection accuracy rates of the decision tree with that of
SVM and KNN algorithms. The test results show that the decision tree has the
best performance compared to SVM and KNN algorithms. The decision tree and
KNN have same and comparatively fast training speed among all, that is, 1 ms.
The SVM demonstrates a slower training speed, that is, 9 ms. The decision tree
and SVM have the fast prediction speed, that is, 1 ms and 0.5 ms, respectively,
where KNN has 2 ms.

4.2.2 K‑Fold cross‑validation

We used a tenfold cross-validation to overcome the limitations of the train/test

split procedure. We have evaluated decision tree algorithm based on the following
standard performance measures [33, 34]:

1. True Positive (TP) Number of the correctly predicted key fob

2. True Negative (TN) Number of the correctly predicted relay attack

13
Securing smart vehicles from relay attacks using machine…

Fig. 5  An example of accelerator and brake pedal position of a 5-min (300 s) vehicle’s trip

3. False Positive (FP) Number of the incorrectly predicted key fob

4. False Negative (FN) Number of the incorrectly predicted relay attack
5. True detection rate (TP rate) Percentage of correctly predicted key fob, that is,
TP
TPRate = . (9)
TP + FN
6. False alarm rate (FP rate) Percentage of incorrectly predicted key fob, that is,
FP
FPRate = . (10)
FP + TN

13
 U. Ahmad et al.

Fig. 6  Comparison of machine learning algorithm’s relay attack detection accuracy rate

7. F-Measure Combines the recall and precision scores into a single measure of
performance. F-measure is a number between 0 and 1; the closer it is to 1, the
better the accuracy of the test is and vice versa. F-measure is
Precision × Recall
F =2× . (11)
Precision + Recall
8. Overall Accuracy Percentage of the correct prediction, that is,
TP + TN
OverallAccuracy = . (12)
TP + TN + FP + FN
The tenfold cross-validation eventually uses all observations in dataset for both
training and testing. The accuracy of the decision tree is slightly improved to 99.8%,
which was at 99% on train/test split. The accuracy rate of SVM and KNN has also
improved and achieved 92.8% and 94.4% accuracy, respectively.

4.3 Neural networks results

In our recurrent neural network model, we have four hidden layers, including two
LSTM layers and two dense layers. Both of the LSTM layers contain 64 hidden
units (neurons), where first and second dense layers contain 32 and 1 hidden units,
respectively. We used 400 iterations (epochs) to train our model. The feature vectors
are sampled at regular 1 s time intervals with three features per vector, which are
fed into the recurrent neural network sequentially. The Adam optimizer [35] is used

13
Securing smart vehicles from relay attacks using machine…

Fig. 7  LSTM recurrent neural network’s driver identification accuracy on 12 trips

with default arguments. Figure 7 shows the accuracy of the LSTM recurrent neural
network algorithm on each trip, and the overall achieved accuracy is 81% ± 7.5%.

5 Testing environment

In this section, we outline the architecture of the PKES communication protocol and
our experimental setup using Arduino that is an open source platform to test the
scenario.

5.1 PKES communication protocol

The PKES system consists of a control module, a base station (vehicle), and a tran-
sponder (key fob). This system uses a low-frequency field to communicate with a
key fob. The communication is based on a series of unidirectional data transfers
between the key fob and vehicle. The control module is connected directly to the
engine control module (ECU) and is used as an authentication unit to open the doors
and also enable engine start. The control module issues challenges and evaluates
responses from the key to enable or disable access. The vehicle acts as a gateway
between the key fob and the control module. It communicates with the key via its
physical interface. The key fob receives data from the vehicle, including commands
and payload data and responds accordingly. The secret key that is internally stored in
the key fob is used to encrypt challenges before the key fob replies with a response
before authentication.
The PKES protocol varies among the car manufacturers. Also, different car mod-
els may use a different data structure for the PKES frame. Table 3 lists the size of
PKES frame in different car models [36, 37]. Despite the slight variations in the

13
 U. Ahmad et al.

Fig. 8  PKES data structure

Table 3  PKES frame size in Manufacturer Car model Year PKES frame
different car models size (bits)

GAC Group Trumpchi GS4 2017 104

BMW X1 2014 80
Volkswagen Golf Mk5 2004 60
Audi AG TT 2008 96

protocol and data size, the overall structure of the PKES frame is almost the same,
and it contains similar components. Figure 8 depicts the general layout of PKES
data, which is transmitted from the key fob to the vehicle through a unidirectional
RF link. The protocol incorporates a secure rolling counter algorithm, where each
message is unique in a sense that it includes an incrementing counter value. This can
protect PKES communications from replay attacks [38, 39]. Each message contains
a unique identification (UID), a counter value (CNTR), a command and control data
(CMD), a message authentication code (MAC) which could be based on AES-128
and an error detection code such as a checksum (CHK). The PKES payload follows
a preamble that is used for synchronization. The preamble precedes the transmission
of the actual data which is used as a token for a receiver wakeup to detect an incom-
ing data string.
Car manufacturers use various low-power and high-performance designs for
PKES, some of which are ADF7023 [40] and Atmel ATA5795 [41]. Following the
European ETSI EN300-220, the North American FCC (Part 15), and the Chinese
short-range wireless regulatory standards [42], the key fob transceiver operates
between 315 MHz and 928 MHz frequency bands, which are within the worldwide
license-free industrial, scientific, and medical radio (ISM) bands. In addition, data
(baud) rates may vary between 1 kbps and 300 kbps. Given that the maximum data
rate of a PKES transceiver is 300 kbps and the minimum size of PKES frame is 60
bits (Table 3), the transmission latency of PKES is at least 200 μs. In practice, the
transmission latency could be higher, because the PKES signal should travel a dis-
tance between the key fob and the antenna.

5.2 Experimental setup using real‑world data

We have used the Arduino, an open source platform to test the scenario. It supports
both tangible programmable microcontrollers including the circuit board and a soft-
ware programming language. Particularly, we have used two Arduino UNO boards,
one to act as a key fob and second for the vehicle. We have used accelerometer and

13
Securing smart vehicles from relay attacks using machine…

gyroscope sensor (GY-521 module) to detect key fob acceleration rate. The GY-521
module is an analog device which notes the corresponding values if the key fob
moves in any direction. An accelerometer measures the non-gravitational accel-
eration when key fob moves from a standstill to any velocity, and gyroscope uses
earth’s gravity to determine the orientation. We also attached the GPS module with
the key fob to determine the current location of the key fob. We have used the RF
modules that are the small electronic devices to transmit and receive signals between
the key fob and vehicle. RC Switch Arduino library is used to send and receive data
over an RF medium. The RC Switch natively supports devices such as a 433 MHz
AM transmitter and a receiver which we used for data transmission between the key
fob and vehicle. The vehicle (RF receiver) periodically scans the key fob and trans-
mits a wake-up call to determine the proximity of the key fob (RF transmitter). Once
the key fob confirms its proximity, the vehicle sends a challenge message with its
ID. Upon the receipt of the true response from the key fob, the vehicle unlocks itself.

5.2.1 Time and space analysis

Key fob acceleration and location are embedded (one bit for each) in the response
message. The key fob transmits 1 or 0 as the key fob is accelerating or not, respec-
tively. The vehicle sends its current location to the key fob while locking the vehicle
when the user walks away or touches the car on exit. The key fob stores this location
and uses it while sending the unlock signal. So at the time of unlocking, the key fob
compares the current location of the key fob with the vehicle’s location. The key
fob transmits 1 or 0 denote that the key fob is near the vehicle or not, respectively.
Despite the slight variations in the protocol and data size, the overall structure of
the PKES frame is almost the same, and it contains similar components [36, 37].
We embed 1-bit for key fob acceleration (ACC) and 1-bit for location (LOC) in the
PKES data frame, as depicted in Fig. 9. As discussed above, the decision tree has a
fast prediction speed, that is, 1 ms for 100 test observations. (We used 20% of data-
set as a test dataset.) Hence, it will take only 0.01 ms to predict one record.

5.2.2 Implementation constraints

The implementation of our proposed solution is quick and effective. Location and
key fob acceleration are implemented on the key fob side and transmitted to the car
with the unlocking code. The rest of the five parameters and the machine learning

Fig. 9  PKES test frame

13
 U. Ahmad et al.

algorithm are used inside the unlocking mechanism on the vehicle side. When the
vehicle detects an irregular key fob behavior, it sends a passive response and will
not unlock. The vehicle would also send a warning notification to owner’s hand-
held device or other personal devices through the cellular network inside the vehicle.
Although our proposed detection method has high accuracy, there might be false
positive instances. In the case of false positives, we suggest the use of a button on
the key fob to open the car or the use of the owner’s mobile phone to unlock the
vehicle. To detect communication errors, we suggest the use of an error detection
code, that is, checksum, in the key fob message packet.

6 Conclusion

In this paper, we proposed a relay attack detection method by making use of a CART
algorithm that uses seven security features for profiling normal key fob messages.
The proposed algorithm can identify the legitimate drivers using three driving fea-
tures and an LSTM recurrent neural network. We used a three-month log of a PKES
system, and the driving data are collected from a driver who drives the vehicles on
12 routes in real-world traffic conditions. First, a relay attack is detected using the
CART algorithm to assess whether the driving behaviors deviate from expected
ones. We compared our CART algorithm with SVM and KNN learning algorithms,
and the result of our tests demonstrated that our method outperforms other learn-
ing techniques. The proposed algorithm proceeds to gain the driving features for
driver identification if a relay attack is not found. Our solution achieves the best
relay attack detection accuracy rate, that is, 99.8%, and it can identify the legitimate
drivers with 81% accuracy rate. One remaining challenge is to adapt the proposed
solution for multiple drivers, as the proposed solution only uses a three-month data-
set of the key fob rather than the driver-specific data. As future work, we will take
into account the deep learning approaches to secure the remote attack vectors for
modern vehicles such as tire pressure monitoring system (TPMS), Bluetooth, Wi-Fi,
cellular, radio data system, and telematics.

References
1. Internet crime complaint centre (IC3), motor vehicles increasingly vulnerable to remote exploits.
http://www.ic3.gov/media​/2016/16031​7.aspx. Accessed 17 Mar 2016
2. Eiza MH, Ni Q (2017) Driving with sharks: rethinking connected vehicles with vehicle cybersecu-
rity. IEEE Veh Technol Mag 12(2):45–51
3. Waraksa TJ, Fraley KD, Kiefer RE, Douglas DG, Gilbert LH (1990) Passive keyless entry system,
US Patent 4,942,393
4. Choi W, Seo M, Lee DH (2018) Sound-proximity: 2-factor authentication against relay
attack on passive keyless entry and start system. J Adv Transp 2018:1935974. https​://doi.
org/10.1155/2018/19359​74
5. Fu K, Xu W (2018) Risks of trusting the physics of sensors. Commun ACM 61(2):20–23
6. Sommer F, Dürrwang J, Kriesten R (2019) Survey and classification of automotive security attacks.
Information 10(4):148

13
Securing smart vehicles from relay attacks using machine…

7. Jolfaei A, Vizandan A, Mirghadri A (2012) Image encryption using HC-128 and HC-256 stream
ciphers. Int J Electron Secur Digit Forensics 4(1):19–42
8. Jolfaei A, Wu X-W, Muthukkumarasamy V (2015) A secure lightweight texture encryption scheme.
Image and video technology. Springer, Berlin, pp 344–356
9. Jolfaei A, Kant K (2019) Data security in multiparty edge computing environments. In:
GOMACTech Conference, Artificial Intelligence and Cyber Security: Challenges and Opportunities
for the Government, Albuquerque, NM, USA, pp 17–22
10. Ranganathan A, Capkun S (2017) Are we really close? Verifying proximity in wireless systems.
IEEE Secur Priv. https​://doi.org/10.1109/MSP.2017.26509​3234
11. Asmar RY, Proefke DT, Bongiorno CJ, Creguer AP (2017) Method and system for authenticating
vehicle equipped with passive keyless system, US Patent 9,710,983
12. Udo GJ (2001) Privacy and security concerns as major barriers for e-commerce: a survey study. Inf
Manag Comput Secur 9(4):165–174
13. Miller C, Valasek C (2015) Remote exploitation of an unaltered passenger vehicle Black Hat USA,
vol 2015
14. Ur-Rehman A, Gondal I, Kamruzzuman J, Jolfaei A (Feb 2019) Vulnerability modelling for hybrid
it systems. In: 2019 IEEE International Conference on Industrial Technology (ICIT), pp 1186–1191
15. Francillon A, Danev B, Capkun S (2011) Relay attacks on passive keyless entry and start systems in
modern cars. In: Proceedings of the Network and Distributed System Security Symposium (NDSS).
Eidgenössische Technische Hochschule Zürich, Department of Computer Science
16. Garcia FD, Oswald D, Kasper T, Pavlidès P (2016) Lock it and still lose it-on the (in) security of
automotive remote keyless entry systems. In: USENIX Security Symposium
17. Guan L, Lin J, Luo B, Jing J, Wang J (2015) Protecting private keys against memory disclosure
attacks using hardware transactional memory. In: IEEE Symposium on Security and Privacy, pp
3–19
18. Jolfaei A, Mirghadri A (2011) Substitution-permutation based image cipher using chaotic henon and
baker’s maps. Int Rev Comput Softw 6(1):40–54
19. Van Herrewege A, Singelee D, Verbauwhede I (2011) Canauth-a simple, backward compatible
broadcast authentication protocol for can bus. In: ECRYPT Workshop on Lightweight Cryptogra-
phy, vol 2011
20. Groza B, Murvay S, Van Herrewege A, Verbauwhede I, (2012) Libra-can: a lightweight broadcast
authentication protocol for controller area networks. In: International Conference on Cryptology and
Network Security, pp 185–200
21. Hartkopp O, Schilling RM (2012) Message authenticated can. In: Escar Conference, Berlin,
Germany
22. Jolfaei A, Kant K (2019) Privacy and security of connected vehicles in intelligent transportation
system. In: 49th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN
2019)
23. Ghane S, Jolfaei A, Kulik L, Ramamohanarao, K (2019) Differentially private streaming to
untrusted edge servers in intelligent transportation system In: 18th IEEE International Conference
on Trust, Security and Privacy in Computing and Communications
24. Jolfaei A, Kant K, Shafei H (2019) Secure data streaming to untrusted road side units in intelligent
transportation system. In: 18th IEEE International Conference on Trust, Security and Privacy in
Computing and Communications
25. Park J, Chen Z, Kiliaris L, Kuang ML, Masrur MA, Phillips AM, Murphey YL (2009) Intelligent
vehicle power control based on machine learning of optimal control parameters and prediction of
road type and traffic congestion. IEEE Trans Veh Technol 58(9):4741–4756
26. Sivaraman S, Trivedi MM (2010) A general active-learning framework for on-road vehicle recogni-
tion and tracking. IEEE Trans Intell Transp Syst 11(2):267–276
27. Ahmad U, Song H, Bilal A, Alazab M, Jolfaei A (2018) Secure passive keyless entry and start sys-
tem using machine learning. In: 11th International Conference and Satellite Workshops, SpaCCS
2018, Melbourne, NSW, Australia, December 11–13, 2018, Proceedings, 12 2018, pp 304–313
28. Saiprasert C, Thajchayapong S (2015) Remote driver identification using minimal sensory data.
IEEE Commun Lett 19(10):1706–1709
29. Tanprasert T, Saiprasert C, Thajchayapong S (2017) Combining unsupervised anomaly detec-
tion and neural networks for driver identification. J Adv Transp 2017:6057830. https​://doi.
org/10.1155/2017/60578​30

13
 U. Ahmad et al.

30. Zhang M, Chen C, Wo T, Xie T, Bhuiyan MZA, Lin X (2017) Safedrive: online driving anomaly
detection from large-scale vehicle data. IEEE Trans Ind Inf 13(4):2087–2096
31. Breiman L (1996) Bagging predictors. Mach Learn 24(2):123–140
32. Hochreiter S, Schmidhuber J (1997) Long short-term memory. Neural Comput 9(8):1735–1780
33. Kaur M, Kaur G, Sharma PK, Jolfaei A, Singh D (2019) Binary cuckoo search metaheuristic-based
supercomputing framework for human behavior analysis in smart home. J Supercomput 1:1–24
34. Vinayakumar R, Alazab M, Jolfaei A, Soman K, Poornachandran P (2019) Ransomware triage using
deep learning: twitter as a case study In: International Conference on Cybersecurity and Cyberfo-
rensics Conference (CCC), 2019, pp 67–73
35. Cho K, Van Merriënboer B, Bahdanau D, Bengio Y (2014) On the properties of neural machine
translation: encoder-decoder approaches arXiv preprint arXiv​:1409.1259
36. Benadjila R, Renard M, Lopes-Esteves J, Kasmi C (2017) One car, two frames: attacks on hitag-2
remote keyless entry systems revisited. In: 11th USENIX Workshop on Offensive Technologies
WOOT 17
37. Liu H-L, Zhu S-Y, Lu Z-J, Liu Z-L et al. (2018) Practical contactless attacks on hitag2-based
immobilizer and rke systems. In: DEStech Transactions on Computer Science and Engineering, no.
CCNT
38. Jolfaei A, Kant K (2017) A lightweight integrity protection scheme for fast communications in
smart grid. In: International Conference on Security and Cryptography, 2017, pp 31–42
39. Jolfaei A, Kant K (2019) A lightweight integrity protection scheme for low latency smart grid appli-
cations. Comput Secur 86:471–483
40. Devices Analog (2012) High performance, low power, ism band fsk/gfsk/ook/msk/gmsk transceiver
ic. in Data Sheet, 2012, pp 1–113
41. Goings J, Prescott T, Hahnen M, Militzer K (2010) Design and security considerations for passive
immobilizer systems. Atmel publication, pp 1–11
42. Retz G, Shanan H, Mulvaney K, O’Mahony S, Chanca M, Crowley P, Billon C, Khan MK, Orive
JJL, Quinlan P (2009) Radio transceivers for wireless personal area networks using IEEE802.15.4.
IEEE Commun Mag 47(9):150–158

Publisher’s Note Springer Nature remains neutral with regard to jurisdictional claims in published
maps and institutional affiliations.

Affiliations

Usman Ahmad1 · Hong Song1 · Awais Bilal1 · Mamoun Alazab2 ·

Alireza Jolfaei3
Usman Ahmad
[email protected]
Hong Song
[email protected]
Awais Bilal
[email protected]
Mamoun Alazab
[email protected]
1
School of Computer Science and Technology, Beijing Institute of Technology, Beijing 100081,
China
2
Charles Darwin University, Darwin, Australia
3
Macquarie University, Sydney, Australia

13